|
|
[code:1:e3c8075c1d]
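/*
 * Build one IPv4/TCP segment carrying a canned HTTP response and send it to
 * the client described by addr.
 *
 * sockfd: socket used for sendto().  The buffer handed to sendto() starts
 *         with a hand-built IP header, so this is presumably a raw socket
 *         with IP_HDRINCL enabled -- confirm at the socket setup.
 * addr:   destination; sin_addr and sin_port become the destination IP
 *         address and TCP port of the segment.
 *
 * Source address, source port, sequence and acknowledgement numbers come
 * from iprecv, tcprecv and len, which are not defined in this listing
 * (presumably file-scope state describing the intercepted request -- verify
 * against the capture code).
 *
 * Fixes relative to the original listing:
 *  - The payload was copied to (u_char *)&send_tcp + 40, i.e. past the end
 *    of a 40-byte stack object, and sendto() then read past it as well.
 *    The payload now has its own member in the packet structure.
 *  - The pseudo-header TCP length was htons(20) even with data present.
 *    The TCP checksum covers pseudo-header + TCP header + data, so the
 *    length field must be header + data (the fix the thread arrives at).
 *  - The checksum ran over sizeof(pseudo_header), which can include
 *    uninitialised trailing padding; it now covers exactly the meaningful
 *    bytes of a zero-initialised structure.
 *  - printf() used %d for a size_t argument.
 *
 * Design note: a segment injected this way can only be accepted by a client
 * speaking cleartext HTTP; TLS connections reject it.  For a captive portal,
 * a gateway-side redirect to a real listener avoids racing the origin
 * server with hand-built packets.
 */
void send_tcp_htm(int sockfd,struct sockaddr_in *addr)
{
    /* Canned response, reproduced byte-for-byte from the original. */
    u_char htmlbuf[]="HTTP1.1 200 OK\r\nServer: IIS SERVER\r\nData:WED,18 JUN 2003 00:25:09 GMT\r\tContent-Type:text/html\r\nAccept-Range:bytes\r\nLast_Modified:Mon,16 Jun 2003 11:35:55 GMT\r\nContent_Length:187\r\n\r\n<html>\r\nhello\r\n</html>\r\n";

    enum { IP_HDR_LEN = 20, TCP_HDR_LEN = 20, PSEUDO_HDR_LEN = 12 };
    /* sizeof counts the literal's trailing NUL, so it is sent too (as before). */
    enum { PAYLOAD_LEN = sizeof(htmlbuf) };

    /* On-the-wire packet: headers immediately followed by the payload. */
    struct send_tcp
    {
        struct iphdr ip;
        struct tcphdr tcp;
        u_char data[PAYLOAD_LEN];
    } send_tcp = {0};

    /* Scratch area the TCP checksum is computed over (pseudo-header first). */
    struct pseudo_header
    {
        unsigned int source_address;
        unsigned int dest_address;
        unsigned char placeholder;
        unsigned char protocol;
        unsigned short tcp_length;
        struct tcphdr tcp;
        u_char html[PAYLOAD_LEN];
    } pseudo_header = {0};

    /* in_cksum is defined after this function; declare it before use. */
    int in_cksum(unsigned short *addr, int len);

    /* form ip packet */
    send_tcp.ip.ihl = 5;
    send_tcp.ip.version = 4;
    send_tcp.ip.tos = 0;
    send_tcp.ip.tot_len = htons(IP_HDR_LEN + TCP_HDR_LEN + PAYLOAD_LEN);
    send_tcp.ip.id = 0;
    send_tcp.ip.frag_off = 0;
    send_tcp.ip.ttl = 64;
    send_tcp.ip.protocol = IPPROTO_TCP;
    send_tcp.ip.check = 0;                      /* must be zero while summing */
    send_tcp.ip.saddr = iprecv->ip_dst.s_addr;
    send_tcp.ip.daddr = addr->sin_addr.s_addr;

    /* form tcp packet */
    send_tcp.tcp.source = tcprecv->dest;
    send_tcp.tcp.dest = addr->sin_port;
    send_tcp.tcp.seq = tcprecv->ack_seq;
    send_tcp.tcp.ack_seq = htonl(ntohl(tcprecv->seq)+len);
    /* NOTE(review): res1 = 1 sets a reserved header bit; RFC 793 requires
     * reserved bits to be zero.  Kept as in the original -- confirm intent. */
    send_tcp.tcp.res1 = 1;
    send_tcp.tcp.doff = 5;
    send_tcp.tcp.fin = 0;
    send_tcp.tcp.syn = 0;
    send_tcp.tcp.rst = 0;
    send_tcp.tcp.psh = 1;
    send_tcp.tcp.ack = 1;
    send_tcp.tcp.urg = 0;
    send_tcp.tcp.res2 = 0;
    send_tcp.tcp.window = htons(512);
    send_tcp.tcp.check = 0;                     /* must be zero while summing */
    send_tcp.tcp.urg_ptr = 0;

    /* calculate the ip checksum (header only) */
    send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, IP_HDR_LEN);

    /* set the pseudo header fields */
    pseudo_header.source_address = send_tcp.ip.saddr;
    pseudo_header.dest_address = send_tcp.ip.daddr;
    pseudo_header.placeholder = 0;
    pseudo_header.protocol = IPPROTO_TCP;
    /* TCP length = TCP header + data, not the header alone. */
    pseudo_header.tcp_length = htons(TCP_HDR_LEN + PAYLOAD_LEN);

    /* copy the TCP header (checksum still zero) and the data behind it */
    bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, TCP_HDR_LEN);
    bcopy(htmlbuf, (char *)pseudo_header.html, PAYLOAD_LEN);

    /* Sum exactly pseudo-header + header + data; sizeof(pseudo_header)
     * could also count trailing padding. */
    send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header,
                                  PSEUDO_HDR_LEN + TCP_HDR_LEN + PAYLOAD_LEN);

    /* place the payload in its own member, directly after the two headers */
    bcopy(htmlbuf, send_tcp.data, PAYLOAD_LEN);

    printf("size:%zu\n",sizeof(htmlbuf));
    if(sendto(sockfd, &send_tcp, IP_HDR_LEN + TCP_HDR_LEN + PAYLOAD_LEN, 0,
              (struct sockaddr *)addr, sizeof(*addr))<0)
    {
        printf("sendto error!\n");
    }
}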
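/*
 * Internet checksum: one's-complement of the one's-complement sum of the
 * 16-bit words in [addr, addr + len).
 *
 * addr: start of the data; it is read as native-order 16-bit words, so it
 *       must be suitably aligned for unsigned short.
 * len:  number of bytes to cover.  An odd trailing byte is summed as if it
 *       were followed by one zero byte.  len <= 0 yields 0xffff.
 *
 * Returns the 16-bit checksum as an int in the range 0..0xffff.  Because the
 * words are summed in native byte order, the caller stores the result into
 * the header field as-is, without htons().
 *
 * The return type is now spelled out (implicit int was removed in C99) and
 * the accumulator is unsigned, so the arithmetic cannot overflow a signed
 * type.  Results are unchanged.
 */
int in_cksum(unsigned short *addr, int len)
{
    const unsigned short *word = addr;
    unsigned long sum = 0;
    unsigned short answer = 0;
    int nleft = len;

    while (nleft > 1) {
        sum += *word++;
        nleft -= 2;
    }

    if (nleft == 1) {
        /* Put the last byte into the first byte of a zeroed 16-bit word. */
        *(unsigned char *)&answer = *(const unsigned char *)word;
        sum += answer;
    }

    /* Fold the carries back into the low 16 bits until none remain. */
    while (sum >> 16) {
        sum = (sum >> 16) + (sum & 0xffff);
    }

    answer = (unsigned short)~sum;
    return answer;
}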
我想伪造一个HTTP包,然后把客户机访问的任何站点定向到一个页面,但是这个TCP包头的校验和怎么也不对,哪位能帮我看看?这个校验的算法当TCP数据区为空的时候是正确的,但是当填入数据的时候就不对了....
哪位大哥能帮我传一段TCP包头校验的代码?(TCP数据区不为空)
谢谢各位![/code]
| 蓝色键盘 回复于:2003-06-19 18:44:07
| 老大,请用code功能处理一下你的代码。
| | 无双 回复于:2003-06-19 22:45:20
| 太乱了
问问题应该让回答问题的人能方便的看懂你要问的意思
而不是让他费力的看你的程序
| | cbchen 回复于:2003-06-20 08:03:52
| 谢谢各位版主,我稍微改了一下......呵呵,是有点乱.....
我是想做一个宽带认证的东西,在客户机没有通过认证的时候,把他所有的http访问重定向到一个自定义的页面,所以我需要通过监听客户请求,然后伪造HTTP的包,并发给客户机.....现在的问题就是这个tcp包头的校验和总是不对,麻烦各位老大帮我看看?或者给我一个校验的例子?
| | cbchen 回复于:2003-06-20 10:24:26
| up一下..
| | cbchen 回复于:2003-06-20 15:37:11
| 已经搞定,谢谢各位!
| | 罗格纳 回复于:2003-06-21 20:07:18
| [quote:3c04a4d581="cbchen"]已经搞定,谢谢各位![/quote:3c04a4d581]
怎么回事呀?说出来听听?
| | cbchen 回复于:2003-06-22 10:06:33
| 不好意思,这个问题其实是我自己犯了一个低级错误:
是我程序里面有一处长度算错了。。。校验算法本身没有问题。
在此提醒各位:计算TCP校验和时,参与校验的总长度是12字节伪头部+TCP头部+数据区的长度,伪头部里的TCP长度字段也要填TCP头部加数据区的长度,不能只填20。
| | demostrate 回复于:2003-07-19 16:29:54
| hehe
UPyixia !!!
| |
|