/*
*
* libnet 1.1
* Build a TFTP scanner using payload
*
* Copyright (c) 2003 Frédéric Raynal <pappy@security-labs.org>
* All rights reserved.
*
* Ex:
* ./tftp -s 192.168.0.1 -d 192.168.0.66 -p plop
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#if (HAVE_CONFIG_H)
#include "../include/config.h"
#endif
#include "./libnet_test.h"
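/*
 * Build one TFTP read request (RRQ, opcode 1) by hand and inject it through
 * a libnet raw IPv4 handle.
 *
 * Options (getopt string "d:s:p:"):
 *   -s  source address written into the IPv4 header (required)
 *   -d  destination address (required)
 *   -p  file name carried in the request; defaults to "/etc/passwd"
 *
 * The source address is taken verbatim from -s, so any reply is addressed to
 * that host and is never read by this program.  Source port (0x1234), IP ID
 * (0x4242) and TTL (0x42) are fixed constants, which makes packets produced
 * by this sample easy to recognise in a capture.
 *
 * Returns EXIT_SUCCESS once libnet_write() has succeeded, EXIT_FAILURE on any
 * earlier error.
 */
int
main(int argc, char *argv[])
{
    int c;
    int status = EXIT_FAILURE;
    libnet_t *l;
    u_long src_ip, dst_ip;
    char errbuf[LIBNET_ERRBUF_SIZE];
    libnet_ptag_t udp = 0, ip = 0;
    const char *filename = "/etc/passwd";
    char mode[] = "netascii";
    u_char *payload = NULL;
    uint payload_s = 0;
    size_t filename_len, mode_len;
    /*
     * libnet_name2addr4() reports failure as a 32-bit -1.  Stored in a 64-bit
     * u_long that value is 0x00000000ffffffff, which never equals (u_long)-1,
     * so the result is compared against the 32-bit pattern explicitly.
     */
    const u_long addr_err = 0xffffffffUL;
    /* IPv4 total length and UDP length are 16-bit header fields. */
    const size_t max_payload = 0xffff - LIBNET_IPV4_H - LIBNET_UDP_H;

    printf("libnet 1.1 packet shaping: UDP + payload[raw] == TFTP\n");

    /*
     *  Initialize the library.  Root privileges are required.
     */
    l = libnet_init(
            LIBNET_RAW4,                            /* injection type */
            NULL,                                   /* network interface */
            errbuf);                                /* error buffer */

    if (l == NULL)
    {
        fprintf(stderr, "libnet_init() failed: %s", errbuf);
        exit(EXIT_FAILURE);
    }

    src_ip = 0;
    dst_ip = 0;
    while ((c = getopt(argc, argv, "d:s:p:")) != EOF)
    {
        switch (c)
        {
            /*
             *  -d and -s take a dotted-quad address or a host name
             *  (LIBNET_RESOLVE allows name lookups).
             */
            case 'd':
                dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE);
                if (dst_ip == addr_err)
                {
                    fprintf(stderr, "Bad destination IP address: %s\n", optarg);
                    goto out;
                }
                break;

            case 's':
                src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE);
                if (src_ip == addr_err)
                {
                    fprintf(stderr, "Bad source IP address: %s\n", optarg);
                    goto out;
                }
                break;

            case 'p':
                filename = optarg;
                break;

            default:
                /*
                 *  optarg may be NULL when getopt() rejects an option, and
                 *  passing NULL to %s is undefined; report optopt instead.
                 */
                fprintf(stderr, "unknown option [-%c]: bye bye\n", optopt);
                goto out;
        }
    }

    if (!src_ip || !dst_ip)
    {
        usage(argv[0]);
        goto out;
    }

    /*
     * build payload
     *
     *      2 bytes     string    1 byte     string   1 byte
     *     ------------------------------------------------
     *    | Opcode |  Filename  |   0  |    Mode    |   0  |
     *     ------------------------------------------------
     *
     */
    filename_len = strlen(filename);
    mode_len = strlen(mode);

    /*
     *  The file name comes straight from argv.  Reject one that would not
     *  fit in a single datagram, otherwise the length arguments passed to
     *  the builders below would no longer describe the payload.
     */
    if (filename_len > max_payload - 2 - 1 - mode_len - 1)
    {
        fprintf(stderr, "File name too long for one TFTP request\n");
        goto out;
    }

    payload_s = (uint)(2 + filename_len + 1 + mode_len + 1);
    /* calloc() zero-fills, which supplies opcode byte 0 and both NULs. */
    payload = calloc(payload_s, sizeof(*payload));
    if (!payload)
    {
        fprintf(stderr, "malloc error for payload\n");
        goto out;
    }
    payload[1] = 1; /* opcode - GET (TFTP RRQ) */
    memcpy(payload + 2, filename, filename_len);
    memcpy(payload + 2 + filename_len + 1, mode, mode_len);

    /*
     * Build pblocks
     */
    udp = libnet_build_udp(
            0x1234,                           /* source port */
            69,                               /* destination port */
            LIBNET_UDP_H + payload_s,         /* packet length */
            0,                                /* checksum */
            payload,                          /* payload */
            payload_s,                        /* payload size */
            l,                                /* libnet handle */
            0);                               /* libnet id */
    if (udp == -1)
    {
        fprintf(stderr, "Can't build UDP header: %s\n", libnet_geterror(l));
        goto out;
    }

    ip = libnet_build_ipv4(
            LIBNET_IPV4_H + LIBNET_UDP_H + payload_s, /* length - dont forget the UDP's payload */
            0,                                        /* TOS */
            0x4242,                                   /* IP ID */
            0,                                        /* IP Frag */
            0x42,                                     /* TTL */
            IPPROTO_UDP,                              /* protocol */
            0,                                        /* checksum */
            src_ip,                                   /* source IP */
            dst_ip,                                   /* destination IP */
            NULL,                                     /* payload (already in UDP) */
            0,                                        /* payload size */
            l,                                        /* libnet handle */
            0);                                       /* libnet id */
    if (ip == -1)
    {
        fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
        goto out;
    }

    /*
     *  Write it to the wire.
     */
    c = libnet_write(l);
    if (c == -1)
    {
        fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
        goto out;
    }

    fprintf(stderr, "Wrote %d byte TFTP packet; check the wire.\n", c);
    status = EXIT_SUCCESS;

out:
    /* Single exit path: release the libnet context and the payload buffer. */
    libnet_destroy(l);
    free(payload);
    return (status);
}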
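/*
 * Print the command-line synopsis to stderr.
 *
 * name: program name shown in the synopsis (main() passes argv[0]).
 *
 * Only the options accepted by main()'s getopt() string "d:s:p:" are listed;
 * the value given to -p is used as the file name in the TFTP request.
 */
void
usage(char *name)
{
    fprintf(stderr,
            "usage: %s -s source_ip -d destination_ip [-p filename]\n",
            name);
}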
/* EOF */