@ss23
Created August 5, 2012 12:05
dhcp fuzzle
<?php
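$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock === false) {
    die('socket_create failed: ' . socket_strerror(socket_last_error()) . "\n");
}
// Port 68 is the DHCP client port; binding to it needs root privileges
if (!socket_bind($sock, '120.138.30.26', 68)) {
    die('socket_bind failed: ' . socket_strerror(socket_last_error($sock)) . "\n");
}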
// Example packet
$message = pack('C', 1); // operation request
$message .= pack('C', 1); // hwtype ethernet
$message .= pack('C', 6); // Hardware address length
$message .= pack('C', 0); // hops (always 0)
$message .= pack('N', mt_rand()); // xid: random transaction identifier, always 32 bits with 'N'
$message .= pack('n', 0); // secs: time since request began
$message .= pack('n', 0); // flags
$message .= pack('N', 0); // ciaddr: client IP if assigned already
$message .= pack('N', 0); // yiaddr: "your" IP, filled in by the server in its reply, 0 in a request
$message .= pack('N', 0); // siaddr: next server IP, 0 in a request
//$message .= pack('N', 0); // giaddr
// Fill in giaddr with our IP means we're "relaying", which means unicast is allowed :D
$message .= inet_pton('120.138.30.26');
//$message .= pack('V', mt_rand()) . pack('V', mt_rand()); // first attempt: 64 bits of random (client hardware address)
// chaddr is a 16-byte field: 6 bytes of random for the Ethernet address, then padded with 0's
// 3 x 'S', unsigned short (always 16 bit, machine byte order)
$message .= pack('S', mt_rand()) . pack('S', mt_rand()) . pack('S', mt_rand());
$message .= str_repeat("\x00", 10); // 10 zero bytes to pad chaddr to 16 bytes
$message .= str_repeat("\x00", 64); // Server host name, 64 bytes of 0 for us
$message .= str_repeat("\x00", 128); // file, 128 bytes of 0 for us
// Options time
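$message .= "\x63\x82\x53\x63"; // magic cookie that marks the start of the DHCP options
$message .= "\x35"; // option 53: DHCP message type
$message .= "\x01"; // length of 1
$message .= "\x01"; // DHCPDISCOVER
$message .= "\xff"; // option 255: End, required as the last option (RFC 2131)
// Destination address is "." as in the original gist; 67 is the DHCP server port
if (socket_sendto($sock, $message, strlen($message), 0, ".", 67) === false) {
    die('socket_sendto failed: ' . socket_strerror(socket_last_error($sock)) . "\n");
}
socket_close($sock);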
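
The comments above note that a non-zero giaddr makes the message look relayed, so the reply can be unicast. As an added example (not part of the original gist), this PHP decodes the same field layout on the receiving side and flags relay fields that do not match a real relay. The function names, `$knownRelays` and the sample addresses are assumptions; the hops check follows RFC 1542 (a relay increments hops) and the source-port check is a heuristic.

```php
<?php
// Added example, not from the original gist: decode a DHCP message and check its relay fields.
function parse_dhcp(string $pkt): ?array
{
    // 236-byte BOOTP header, then the 4-byte magic cookie
    if (strlen($pkt) < 240 || substr($pkt, 236, 4) !== "\x63\x82\x53\x63") {
        return null;
    }
    $h = unpack('Cop/Chtype/Chlen/Chops/Nxid/nsecs/nflags', $pkt);
    foreach (['ciaddr' => 12, 'yiaddr' => 16, 'siaddr' => 20, 'giaddr' => 24] as $k => $off) {
        $h[$k] = inet_ntop(substr($pkt, $off, 4));
    }
    $h['chaddr'] = bin2hex(substr($pkt, 28, min($h['hlen'], 16)));
    $h['options'] = [];
    $h['terminated'] = false;
    for ($i = 240, $n = strlen($pkt); $i < $n;) {
        $code = ord($pkt[$i++]);
        if ($code === 0) { continue; }                          // Pad option
        if ($code === 255) { $h['terminated'] = true; break; }  // End option
        if ($i >= $n) { break; }                                // length byte missing
        $len = ord($pkt[$i++]);
        if ($i + $len > $n) { break; }                          // value runs past the packet
        $h['options'][$code] = substr($pkt, $i, $len);
        $i += $len;
    }
    return $h;
}

// $knownRelays is an assumed allow-list of relay agent addresses for this network.
function relay_anomalies(array $h, int $srcPort, array $knownRelays): array
{
    $out = [];
    if ($h['giaddr'] !== '0.0.0.0') {
        if (!in_array($h['giaddr'], $knownRelays, true)) { $out[] = 'giaddr is not a known relay'; }
        if ($h['hops'] === 0) { $out[] = 'giaddr set but hops is 0'; }
        if ($srcPort === 68) { $out[] = 'relayed message sent from client port 68'; }
    }
    if (!$h['terminated']) { $out[] = 'options not terminated by End (255)'; }
    return $out;
}

// Constructed sample: a DISCOVER with giaddr set, hops 0 and no End option (documentation addresses).
$sample = pack('CCCCNnn', 1, 1, 6, 0, 0x12345678, 0, 0)
    . str_repeat("\x00", 12) . inet_pton('192.0.2.10')
    . "\x02\x00\x00\x00\x00\x01" . str_repeat("\x00", 10 + 64 + 128)
    . "\x63\x82\x53\x63\x35\x01\x01";
print_r(relay_anomalies(parse_dhcp($sample), 68, ['192.0.2.1']));
```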