1: /*
2: *
3: * libnet 1.1
4: * Build a TFTP scanner using payload
5: *
6: * Copyright (c) 2003 Frédéric Raynal <pappy@security-labs.org>
7: * All rights reserved.
8: *
9: * Ex:
10: * ./tftp -s 192.168.0.1 -d 192.168.0.66 -p plop
11: *
12: *
13: * Redistribution and use in source and binary forms, with or without
14: * modification, are permitted provided that the following conditions
15: * are met:
16: * 1. Redistributions of source code must retain the above copyright
17: * notice, this list of conditions and the following disclaimer.
18: * 2. Redistributions in binary form must reproduce the above copyright
19: * notice, this list of conditions and the following disclaimer in the
20: * documentation and/or other materials provided with the distribution.
21: *
22: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32: * SUCH DAMAGE.
33: *
34: */
35: #if (HAVE_CONFIG_H)
36: #include "../include/config.h"
37: #endif
38: #include "./libnet_test.h"
39:
40:
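/*
 * Send one TFTP read request (RRQ) over a raw IPv4 socket.
 *
 * Options:
 *   -s source_ip       source address written into the IP header
 *   -d destination_ip  address of the TFTP server
 *   -p filename        file to request (defaults to /etc/passwd)
 *
 * The source address is taken from the command line, not from the local
 * interface, so any reply is delivered to that address and is not read
 * here.  The source port (0x1234), IP ID (0x4242) and TTL (0x42) are
 * constants, which makes packets from this sample easy to pick out in a
 * capture.
 *
 * Returns EXIT_SUCCESS once the packet has been written, EXIT_FAILURE on
 * any error.
 */
int
main(int argc, char *argv[])
{
    int opt;
    int written;
    int rc = EXIT_FAILURE;
    libnet_t *l;
    /*
     * 32-bit on purpose: with u_long on an LP64 platform the 32-bit error
     * value from libnet_name2addr4() is zero-extended and never compares
     * equal to -1, so a bad address would go undetected.
     */
    uint32_t src_ip = 0, dst_ip = 0;
    char errbuf[LIBNET_ERRBUF_SIZE];
    libnet_ptag_t udp = 0, ip = 0;
    char *filename = "/etc/passwd";
    char mode[] = "netascii";
    u_char *payload = NULL;
    uint32_t payload_s = 0;
    size_t name_len, mode_len;

    printf("libnet 1.1 packet shaping: UDP + payload[raw] == TFTP\n");

    /*
     * Initialize the library.  Root privileges are required.
     */
    l = libnet_init(
            LIBNET_RAW4,                /* injection type */
            NULL,                       /* network interface */
            errbuf);                    /* error buffer */
    if (l == NULL)
    {
        fprintf(stderr, "libnet_init() failed: %s", errbuf);
        exit(EXIT_FAILURE);
    }

    while ((opt = getopt(argc, argv, "d:s:p:")) != EOF)
    {
        switch (opt)
        {
            /* -d and -s take a host name or dotted-quad IPv4 address. */
            case 'd':
                dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE);
                if (dst_ip == (uint32_t)-1)
                {
                    fprintf(stderr, "Bad destination IP address: %s\n", optarg);
                    goto done;
                }
                break;

            case 's':
                src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE);
                if (src_ip == (uint32_t)-1)
                {
                    fprintf(stderr, "Bad source IP address: %s\n", optarg);
                    goto done;
                }
                break;

            case 'p':
                filename = optarg;
                break;

            default:
                /*
                 * optarg is not meaningful for an unrecognised option, so
                 * it must not be passed to %s; show the synopsis instead.
                 */
                usage(argv[0]);
                goto done;
        }
    }

    if (!src_ip || !dst_ip)
    {
        usage(argv[0]);
        goto done;                      /* releases the libnet handle */
    }

    /*
     * build payload
     *
     *      2 bytes     string    1 byte   string   1 byte
     *      ------------------------------------------------
     *     | Opcode |  Filename  |   0  |    Mode    |   0  |
     *      ------------------------------------------------
     *
     * The UDP length and IP total length are 16-bit header fields, so a
     * file name that pushes the datagram past 0xFFFF bytes is rejected
     * rather than silently truncated in the length arguments below.
     */
    name_len = strlen(filename);
    mode_len = strlen(mode);
    if (name_len > 0xFFFF - LIBNET_IPV4_H - LIBNET_UDP_H - 2 - 1 - mode_len - 1)
    {
        fprintf(stderr, "file name too long for a single datagram\n");
        goto done;
    }
    payload_s = (uint32_t)(2 + name_len + 1 + mode_len + 1);

    /* calloc zero-fills, which supplies both NUL separators and opcode[0]. */
    payload = calloc(1, payload_s);
    if (!payload)
    {
        fprintf(stderr, "malloc error for payload\n");
        goto done;
    }
    payload[1] = 1;                     /* opcode - GET */
    memcpy(payload + 2, filename, name_len);
    memcpy(payload + 2 + name_len + 1, mode, mode_len);

    /*
     * Build pblocks
     */
    udp = libnet_build_udp(
            0x1234,                     /* source port */
            69,                         /* destination port */
            LIBNET_UDP_H + payload_s,   /* packet length */
            0,                          /* checksum */
            payload,                    /* payload */
            payload_s,                  /* payload size */
            l,                          /* libnet handle */
            0);                         /* libnet id */
    if (udp == -1)
    {
        fprintf(stderr, "Can't build UDP header: %s\n", libnet_geterror(l));
        goto done;
    }

    ip = libnet_build_ipv4(
            LIBNET_IPV4_H + LIBNET_UDP_H + payload_s, /* length - includes the UDP payload */
            0,                          /* TOS */
            0x4242,                     /* IP ID */
            0,                          /* IP Frag */
            0x42,                       /* TTL */
            IPPROTO_UDP,                /* protocol */
            0,                          /* checksum */
            src_ip,                     /* source IP */
            dst_ip,                     /* destination IP */
            NULL,                       /* payload (already in UDP) */
            0,                          /* payload size */
            l,                          /* libnet handle */
            0);                         /* libnet id */
    if (ip == -1)
    {
        fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
        goto done;
    }

    /*
     * Write it to the wire.
     */
    written = libnet_write(l);
    if (written == -1)
    {
        fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
        goto done;
    }
    fprintf(stderr, "Wrote %d byte TFTP packet; check the wire.\n", written);
    rc = EXIT_SUCCESS;

done:
    /* Single exit path: free(NULL) is a no-op if the payload was never built. */
    libnet_destroy(l);
    free(payload);
    return (rc);
}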
197:
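/*
 * Print the command-line synopsis to stderr.
 *
 * name: program name to display, normally argv[0].
 *
 * Only the options main() actually parses ("d:s:p:") are listed; the
 * argument of -p is the file name placed in the TFTP request.
 */
void
usage(char *name)
{
    fprintf(stderr,
            "usage: %s -s source_ip -d destination_ip [-p filename]\n",
            name);
}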
206: