dhcp fuzzle
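<?php
// Builds one DHCP DISCOVER datagram (RFC 2131 fixed BOOTP header followed by
// the options area) and sends it from UDP port 68 to port 67.
// Every socket call is checked and reported; the original ignored all
// failures, so a refused bind or an unroutable destination went unnoticed.

$local_ip = '120.138.30.26'; // address we bind to; also written into giaddr below

$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($sock === false) {
    die('socket_create failed: ' . socket_strerror(socket_last_error()) . "\n");
}
// Port 68 is privileged on most systems; bind fails without the right permissions.
if (!socket_bind($sock, $local_ip, 68)) {
    die('socket_bind failed: ' . socket_strerror(socket_last_error($sock)) . "\n");
}

// Example packet: fixed header, all multi-byte fields in network byte order
$message  = pack('C', 1);            // op: BOOTREQUEST
$message .= pack('C', 1);            // htype: ethernet
$message .= pack('C', 6);            // hlen: hardware address length
$message .= pack('C', 0);            // hops (always 0)
// xid: random 32-bit transaction identifier. The server echoes it back
// unchanged, so byte order only has to be consistent on our side; 'N' makes
// that explicit where the original 'I' depended on the machine's byte order.
$message .= pack('N', mt_rand());
$message .= pack('n', 0);            // secs: time since request began
$message .= pack('n', 0);            // flags
$message .= pack('N', 0);            // ciaddr: client IP if assigned already
$message .= pack('N', 0);            // yiaddr: "your" IP, left 0 here (the server fills it in its reply)
$message .= pack('N', 0);            // siaddr
//$message .= pack('N', 0);          // giaddr
// Fill in giaddr with our IP means we're "relaying", which means unicast is allowed :D
$message .= inet_pton($local_ip);
// chaddr is a 16-byte field: 6 bytes of random for the ethernet address, then zero padding.
// 3 x 'S', unsigned short (always 16 bit, machine byte order) -- order is irrelevant for random bytes.
$message .= pack('S', mt_rand()) . pack('S', mt_rand()) . pack('S', mt_rand());
$message .= str_repeat("\x00", 10);  // 10 zero bytes to make up the rest of chaddr
$message .= str_repeat("\x00", 64);  // sname: server host name, 64 bytes of 0 for us
$message .= str_repeat("\x00", 128); // file: boot file name, 128 bytes of 0 for us
// Options time
$message .= "\x63\x82\x53\x63";      // MAGICAL COOKIE :D
$message .= "\x35";                  // option 53: DHCP message type
$message .= "\x01";                  // length of 1
$message .= "\x01";                  // DHCPDISCOVER
$message .= "\xff";                  // option 255: end of options -- required by RFC 2131, the original left it out

// NOTE: "." is not a valid IPv4 address, so this send fails; the intended
// server or broadcast address has to be substituted here.
$sent = socket_sendto($sock, $message, strlen($message), 0, ".", 67);
if ($sent === false) {
    die('socket_sendto failed: ' . socket_strerror(socket_last_error($sock)) . "\n");
}
socket_close($sock);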