OpenVAS Libraries  9.0.3
nasl_packet_forgery.h File Reference
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions

tree_cellforge_ip_packet (lex_ctxt *)
 
tree_cellset_ip_elements (lex_ctxt *)
 
tree_cellget_ip_element (lex_ctxt *)
 
tree_celldump_ip_packet (lex_ctxt *)
 
tree_cellinsert_ip_options (lex_ctxt *)
 
tree_cellforge_tcp_packet (lex_ctxt *)
 
tree_cellget_tcp_element (lex_ctxt *)
 
tree_cellset_tcp_elements (lex_ctxt *)
 
tree_celldump_tcp_packet (lex_ctxt *)
 
tree_cellforge_udp_packet (lex_ctxt *)
 
tree_cellset_udp_elements (lex_ctxt *)
 
tree_celldump_udp_packet (lex_ctxt *)
 
tree_cellget_udp_element (lex_ctxt *)
 
tree_cellforge_icmp_packet (lex_ctxt *)
 
tree_cellget_icmp_element (lex_ctxt *)
 
tree_cellforge_igmp_packet (lex_ctxt *)
 
tree_cellnasl_tcp_ping (lex_ctxt *)
 
tree_cellnasl_send_packet (lex_ctxt *)
 
tree_cellnasl_pcap_next (lex_ctxt *)
 
tree_cellnasl_send_capture (lex_ctxt *)
 

Function Documentation

◆ dump_ip_packet()

tree_cell* dump_ip_packet ( lex_ctxt )

Definition at line 404 of file nasl_packet_forgery.c.

405 {
406  int i;
407 
408  for (i = 0;; i++)
409  {
410  struct ip *ip = (struct ip *) get_str_var_by_num (lexic, i);
411  if (ip == NULL)
412  break;
413  else
414  {
415  printf ("------\n");
416  printf ("\tip_hl : %d\n", ip->ip_hl);
417  printf ("\tip_v : %d\n", ip->ip_v);
418  printf ("\tip_tos: %d\n", ip->ip_tos);
419  printf ("\tip_len: %d\n", UNFIX (ip->ip_len));
420  printf ("\tip_id : %d\n", ntohs (ip->ip_id));
421  printf ("\tip_off: %d\n", UNFIX (ip->ip_off));
422  printf ("\tip_ttl: %d\n", ip->ip_ttl);
423  switch (ip->ip_p)
424  {
425  case IPPROTO_TCP:
426  printf ("\tip_p : IPPROTO_TCP (%d)\n", ip->ip_p);
427  break;
428  case IPPROTO_UDP:
429  printf ("\tip_p : IPPROTO_UDP (%d)\n", ip->ip_p);
430  break;
431  case IPPROTO_ICMP:
432  printf ("\tip_p : IPPROTO_ICMP (%d)\n", ip->ip_p);
433  break;
434  default:
435  printf ("\tip_p : %d\n", ip->ip_p);
436  break;
437  }
438  printf ("\tip_sum: 0x%x\n", ntohs (ip->ip_sum));
439  printf ("\tip_src: %s\n", inet_ntoa (ip->ip_src));
440  printf ("\tip_dst: %s\n", inet_ntoa (ip->ip_dst));
441  printf ("\n");
442  }
443  }
444 
445  return FAKE_CELL;
446 }
#define FAKE_CELL
Definition: nasl_tree.h:120
#define UNFIX(n)
char * get_str_var_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1248

References FAKE_CELL, get_str_var_by_num(), and UNFIX.

Here is the call graph for this function:

◆ dump_tcp_packet()

tree_cell* dump_tcp_packet ( lex_ctxt )

Definition at line 742 of file nasl_packet_forgery.c.

743 {
744  int i = 0;
745  u_char *pkt;
746  while ((pkt = (u_char *) get_str_var_by_num (lexic, i++)) != NULL)
747  {
748  int a = 0;
749  struct ip *ip = (struct ip *) pkt;
750  struct tcphdr *tcp = (struct tcphdr *) (pkt + ip->ip_hl * 4);
751  int j;
752  int limit;
753  char *c;
754  limit = get_var_size_by_num (lexic, i - 1);
755  printf ("------\n");
756  printf ("\tth_sport : %d\n", ntohs (tcp->th_sport));
757  printf ("\tth_dport : %d\n", ntohs (tcp->th_dport));
758  printf ("\tth_seq : %u\n", (unsigned int) ntohl (tcp->th_seq));
759  printf ("\tth_ack : %u\n", (unsigned int) ntohl (tcp->th_ack));
760  printf ("\tth_x2 : %d\n", tcp->th_x2);
761  printf ("\tth_off : %d\n", tcp->th_off);
762  printf ("\tth_flags : ");
763  if (tcp->th_flags & TH_FIN)
764  {
765  printf ("TH_FIN");
766  a++;
767  }
768  if (tcp->th_flags & TH_SYN)
769  {
770  if (a)
771  printf ("|");
772  printf ("TH_SYN");
773  a++;
774  }
775  if (tcp->th_flags & TH_RST)
776  {
777  if (a)
778  printf ("|");
779  printf ("TH_RST");
780  a++;
781  }
782  if (tcp->th_flags & TH_PUSH)
783  {
784  if (a)
785  printf ("|");
786  printf ("TH_PUSH");
787  a++;
788  }
789  if (tcp->th_flags & TH_ACK)
790  {
791  if (a)
792  printf ("|");
793  printf ("TH_ACK");
794  a++;
795  }
796  if (tcp->th_flags & TH_URG)
797  {
798  if (a)
799  printf ("|");
800  printf ("TH_URG");
801  a++;
802  }
803  if (!a)
804  printf ("0");
805  else
806  printf (" (%d)", tcp->th_flags);
807  printf ("\n");
808  printf ("\tth_win : %d\n", ntohs (tcp->th_win));
809  printf ("\tth_sum : 0x%x\n", tcp->th_sum);
810  printf ("\tth_urp : %d\n", tcp->th_urp);
811  printf ("\tData : ");
812  c = (char *) ((char *) tcp + sizeof (struct tcphdr));
813  if (UNFIX (ip->ip_len) > (sizeof (struct ip) + sizeof (struct tcphdr)))
814  for (j = 0;
815  j <
816  UNFIX (ip->ip_len) - sizeof (struct ip) - sizeof (struct tcphdr)
817  && j < limit; j++)
818  printf ("%c", isprint (c[j]) ? c[j] : '.');
819  printf ("\n");
820 
821  printf ("\n");
822 
823  }
824  return NULL;
825 }
#define UNFIX(n)
int get_var_size_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1305
char * get_str_var_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1248

References get_str_var_by_num(), get_var_size_by_num(), and UNFIX.

Here is the call graph for this function:

◆ dump_udp_packet()

tree_cell* dump_udp_packet ( lex_ctxt )

Definition at line 1115 of file nasl_packet_forgery.c.

1116 {
1117  int i = 0;
1118  u_char *pkt;
1119  while ((pkt = (u_char *) get_str_var_by_num (lexic, i++)) != NULL)
1120  {
1121  struct udphdr *udp = (struct udphdr *) (pkt + sizeof (struct ip));
1122  int j;
1123  char *c;
1124  int limit = get_var_size_by_num (lexic, i - 1);
1125  printf ("------\n");
1126  printf ("\tuh_sport : %d\n", ntohs (udp->uh_sport));
1127  printf ("\tuh_dport : %d\n", ntohs (udp->uh_dport));
1128  printf ("\tuh_sum : 0x%x\n", udp->uh_sum);
1129  printf ("\tuh_ulen : %d\n", ntohs (udp->uh_ulen));
1130  printf ("\tdata : ");
1131  c = (char *) (udp + sizeof (struct udphdr));
1132  if (udp->uh_ulen > sizeof (struct udphdr))
1133  for (j = 0;
1134  j < (ntohs (udp->uh_ulen) - sizeof (struct udphdr)) && j < limit;
1135  j++)
1136  printf ("%c", isprint (c[j]) ? c[j] : '.');
1137 
1138  printf ("\n");
1139  }
1140  return NULL;
1141 }
int get_var_size_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1305
char * get_str_var_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1248

References get_str_var_by_num(), and get_var_size_by_num().

Here is the call graph for this function:

◆ forge_icmp_packet()

tree_cell* forge_icmp_packet ( lex_ctxt )

Definition at line 1146 of file nasl_packet_forgery.c.

1147 {
1148  tree_cell *retc = NULL;
1149  struct ip *ip;
1150  struct ip *ip_icmp;
1151  int ip_sz;
1152  struct icmp *icmp;
1153  char *data, *p;
1154  int len;
1155  u_char *pkt;
1156  int t;
1157 
1158  ip = (struct ip *) get_str_local_var_by_name (lexic, "ip");
1159  ip_sz = get_local_var_size_by_name (lexic, "ip");
1160  if (ip != NULL)
1161  {
1162  data = get_str_local_var_by_name (lexic, "data");
1163  len = data == NULL ? 0 : get_var_size_by_name (lexic, "data");
1164 
1165 
1166  t = get_int_local_var_by_name (lexic, "icmp_type", 0);
1167  if (t == 13 || t == 14)
1168  len += 3 * sizeof (time_t);
1169 
1170  if (ip->ip_hl * 4 > ip_sz)
1171  return NULL;
1172 
1173  pkt = g_malloc0 (sizeof (struct icmp) + ip_sz + len);
1174  ip_icmp = (struct ip *) pkt;
1175 
1176 
1177  bcopy (ip, ip_icmp, ip_sz);
1178  if (UNFIX (ip_icmp->ip_len) <= (ip_icmp->ip_hl * 4))
1179  {
1180  if (get_int_local_var_by_name (lexic, "update_ip_len", 1) != 0)
1181  {
1182  ip_icmp->ip_len = FIX (ip->ip_hl * 4 + 8 + len);
1183  ip_icmp->ip_sum = 0;
1184  ip_icmp->ip_sum =
1185  np_in_cksum ((u_short *) ip_icmp, ip->ip_hl * 4);
1186  }
1187  }
1188  p = (char *) (pkt + (ip->ip_hl * 4));
1189  icmp = (struct icmp *) p;
1190 
1191  icmp->icmp_code = get_int_local_var_by_name (lexic, "icmp_code", 0);
1192  icmp->icmp_type = t;
1193  icmp->icmp_seq = htons (get_int_local_var_by_name (lexic, "icmp_seq", 0));
1194  icmp->icmp_id = htons (get_int_local_var_by_name (lexic, "icmp_id", 0));
1195 
1196  if (data != NULL)
1197  bcopy (data, &(p[8]), len);
1198 
1199  if (get_int_local_var_by_name (lexic, "icmp_cksum", -1) == -1)
1200  icmp->icmp_cksum = np_in_cksum ((u_short *) icmp, len + 8);
1201  else
1202  icmp->icmp_cksum =
1203  htons (get_int_local_var_by_name (lexic, "icmp_cksum", 0));
1204 
1205 
1206  retc = alloc_tree_cell (0, NULL);
1207  retc->type = CONST_DATA;
1208  retc->x.str_val = (char *) pkt;
1209  retc->size = ip_sz + len + 8;
1210  }
1211  else
1212  nasl_perror (lexic, "forge_icmp_packet: missing 'ip' parameter\n");
1213 
1214  return retc;
1215 }
#define FIX(n)
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int get_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1291
int size
Definition: nasl_tree.h:110

References FIX, get_int_local_var_by_name(), get_local_var_size_by_name(), get_str_local_var_by_name(), get_var_size_by_name(), and UNFIX.

Here is the call graph for this function:

◆ forge_igmp_packet()

tree_cell* forge_igmp_packet ( lex_ctxt )

Definition at line 1300 of file nasl_packet_forgery.c.

1301 {
1302  struct ip *ip = (struct ip *) get_str_local_var_by_name (lexic, "ip");
1303 
1304  if (ip != NULL)
1305  {
1306  char *data = get_str_local_var_by_name (lexic, "data");
1307  int len = data ? get_local_var_size_by_name (lexic, "data") : 0;
1308  u_char *pkt = g_malloc0 (sizeof (struct igmp) + ip->ip_hl * 4 + len);
1309  struct ip *ip_igmp = (struct ip *) pkt;
1310  struct igmp *igmp;
1311  char *p;
1312  char *grp;
1313  tree_cell *retc;
1314  int ipsz = get_local_var_size_by_name (lexic, "ip");
1315 
1316  bcopy (ip, ip_igmp, ipsz);
1317 
1318 
1319  if (UNFIX (ip_igmp->ip_len) <= ip_igmp->ip_hl * 4)
1320  {
1321  int v = get_int_local_var_by_name (lexic, "update_ip_len", 1);
1322  if (v != 0)
1323  {
1324  ip_igmp->ip_len =
1325  FIX (ip->ip_hl * 4 + sizeof (struct igmp) + len);
1326  ip_igmp->ip_sum = 0;
1327  ip_igmp->ip_sum =
1328  np_in_cksum ((u_short *) ip_igmp, ip->ip_hl * 4);
1329  }
1330  }
1331  p = (char *) (pkt + ip_igmp->ip_hl * 4);
1332  igmp = (struct igmp *) p;
1333 
1334  igmp->code = get_int_local_var_by_name (lexic, "code", 0);
1335  igmp->type = get_int_local_var_by_name (lexic, "type", 0);
1336  grp = get_str_local_var_by_name (lexic, "group");
1337 
1338  if (grp != NULL)
1339  {
1340  inet_aton (grp, &igmp->group);
1341  }
1342 
1343  igmp->cksum = np_in_cksum ((u_short *) igmp, sizeof (struct igmp));
1344  if (data != NULL)
1345  {
1346  char *p = (char *) (pkt + ip->ip_hl * 4 + sizeof (struct igmp));
1347  bcopy (p, data, len);
1348  }
1349  retc = alloc_tree_cell (0, NULL);
1350  retc->type = CONST_DATA;
1351  retc->x.str_val = (char *) pkt;
1352  retc->size = ip->ip_hl * 4 + sizeof (struct igmp) + len;
1353  return retc;
1354  }
1355 
1356  return NULL;
1357 }
unsigned char code
#define FIX(n)
unsigned short cksum
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
struct in_addr group
Definition: nasl_tree.h:105
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
unsigned char type
int size
Definition: nasl_tree.h:110

References FIX, get_int_local_var_by_name(), get_local_var_size_by_name(), get_str_local_var_by_name(), and UNFIX.

Here is the call graph for this function:

◆ forge_ip_packet()

tree_cell* forge_ip_packet ( lex_ctxt )

Definition at line 99 of file nasl_packet_forgery.c.

100 {
101  tree_cell *retc;
102  struct ip *pkt;
103  char *s;
104  struct arglist *script_infos = lexic->script_infos;
105  struct in6_addr *dst_addr;
106  char *data;
107  int data_len;
108 
109  dst_addr = plug_get_host_ip (script_infos);
110 
111  if (dst_addr == NULL || (IN6_IS_ADDR_V4MAPPED (dst_addr) != 1))
112  return NULL;
113 
114  data = get_str_local_var_by_name (lexic, "data");
115  data_len = get_local_var_size_by_name (lexic, "data");
116 
117  retc = alloc_tree_cell (0, NULL);
118  retc->type = CONST_DATA;
119  retc->size = sizeof (struct ip) + data_len;
120 
121  pkt = (struct ip *) g_malloc0 (sizeof (struct ip) + data_len);
122  retc->x.str_val = (char *) pkt;
123 
124  pkt->ip_hl = get_int_local_var_by_name (lexic, "ip_hl", 5);
125  pkt->ip_v = get_int_local_var_by_name (lexic, "ip_v", 4);
126  pkt->ip_tos = get_int_local_var_by_name (lexic, "ip_tos", 0);
127  /* pkt->ip_len = FIX(get_int_local_var_by_name(lexic, "ip_len", 20 + data_len)); */
128 
129  pkt->ip_len = FIX (20 + data_len);
130 
131  pkt->ip_id = htons (get_int_local_var_by_name (lexic, "ip_id", rand ()));
132  pkt->ip_off = get_int_local_var_by_name (lexic, "ip_off", 0);
133  pkt->ip_off = FIX (pkt->ip_off);
134  pkt->ip_ttl = get_int_local_var_by_name (lexic, "ip_ttl", 64);
135  pkt->ip_p = get_int_local_var_by_name (lexic, "ip_p", 0);
136  pkt->ip_sum = htons (get_int_local_var_by_name (lexic, "ip_sum", 0));
137  /* source */
138  s = get_str_local_var_by_name (lexic, "ip_src");
139  if (s != NULL)
140  inet_aton (s, &pkt->ip_src);
141  /* else this host address? */
142 
143  /* I know that this feature looks dangerous, but anybody can edit an IP
144  * packet with the string functions */
145  s = get_str_local_var_by_name (lexic, "ip_dst");
146  if (s != NULL)
147  inet_aton (s, &pkt->ip_dst);
148  else
149  pkt->ip_dst.s_addr = dst_addr->s6_addr32[3];
150 
151  if (data != NULL)
152  {
153  bcopy (data, retc->x.str_val + sizeof (struct ip), data_len);
154  }
155 
156 
157  if (!pkt->ip_sum)
158  {
159  if (get_int_local_var_by_name (lexic, "ip_sum", -1) < 0)
160  pkt->ip_sum = np_in_cksum ((u_short *) pkt, sizeof (struct ip));
161  }
162 
163  return retc;
164 }
#define FIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
struct in6_addr * plug_get_host_ip(struct arglist *desc)
Definition: plugutils.c:216
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), CONST_DATA, FIX, get_int_local_var_by_name(), get_local_var_size_by_name(), get_str_local_var_by_name(), plug_get_host_ip(), struct_lex_ctxt::script_infos, TC::size, TC::str_val, TC::type, and TC::x.

Here is the call graph for this function:

◆ forge_tcp_packet()

tree_cell* forge_tcp_packet ( lex_ctxt )

Definition at line 461 of file nasl_packet_forgery.c.

462 {
463  tree_cell *retc;
464  char *data;
465  int len;
466  struct ip *ip, *tcp_packet;
467  struct tcphdr *tcp;
468  int ipsz;
469 
470 
471  ip = (struct ip *) get_str_local_var_by_name (lexic, "ip");
472  if (ip == NULL)
473  {
474  nasl_perror (lexic,
475  "forge_tcp_packet : You must supply the 'ip' argument !");
476  return NULL;
477  }
478 
479  ipsz = get_local_var_size_by_name (lexic, "ip");
480  if (ipsz > ip->ip_hl * 4)
481  ipsz = ip->ip_hl * 4;
482 
483 
484 
485  data = get_str_local_var_by_name (lexic, "data");
486  len = data == NULL ? 0 : get_var_size_by_name (lexic, "data");
487 
488  retc = alloc_tree_cell (0, NULL);
489  retc->type = CONST_DATA;
490  tcp_packet = (struct ip *) g_malloc0 (ipsz + sizeof (struct tcphdr) + len);
491  retc->x.str_val = (char *) tcp_packet;
492 
493  bcopy (ip, tcp_packet, ipsz);
494  /* recompute the ip checksum, because the ip length changed */
495  if (UNFIX (tcp_packet->ip_len) <= tcp_packet->ip_hl * 4)
496  {
497  if (get_int_local_var_by_name (lexic, "update_ip_len", 1))
498  {
499  tcp_packet->ip_len =
500  FIX (tcp_packet->ip_hl * 4 + sizeof (struct tcphdr) + len);
501  tcp_packet->ip_sum = 0;
502  tcp_packet->ip_sum =
503  np_in_cksum ((u_short *) tcp_packet, sizeof (struct ip));
504  }
505  }
506  tcp = (struct tcphdr *) ((char *) tcp_packet + tcp_packet->ip_hl * 4);
507 
508  tcp->th_sport = ntohs (get_int_local_var_by_name (lexic, "th_sport", 0));
509  tcp->th_dport = ntohs (get_int_local_var_by_name (lexic, "th_dport", 0));
510  tcp->th_seq = htonl (get_int_local_var_by_name (lexic, "th_seq", rand ()));
511  tcp->th_ack = htonl (get_int_local_var_by_name (lexic, "th_ack", 0));
512  tcp->th_x2 = get_int_local_var_by_name (lexic, "th_x2", 0);
513  tcp->th_off = get_int_local_var_by_name (lexic, "th_off", 5);
514  tcp->th_flags = get_int_local_var_by_name (lexic, "th_flags", 0);
515  tcp->th_win = htons (get_int_local_var_by_name (lexic, "th_win", 0));
516  tcp->th_sum = get_int_local_var_by_name (lexic, "th_sum", 0);
517  tcp->th_urp = get_int_local_var_by_name (lexic, "th_urp", 0);
518 
519  if (data != NULL)
520  bcopy (data, (char *) tcp + sizeof (struct tcphdr), len);
521 
522 
523  if (!tcp->th_sum)
524  {
525  struct pseudohdr pseudoheader;
526  char *tcpsumdata = g_malloc0 (sizeof (struct pseudohdr) + len + 1);
527  struct in_addr source, dest;
528 
529  source.s_addr = ip->ip_src.s_addr;
530  dest.s_addr = ip->ip_dst.s_addr;
531 
532  bzero (&pseudoheader, 12 + sizeof (struct tcphdr));
533  pseudoheader.saddr.s_addr = source.s_addr;
534  pseudoheader.daddr.s_addr = dest.s_addr;
535 
536  pseudoheader.protocol = IPPROTO_TCP;
537  pseudoheader.length = htons (sizeof (struct tcphdr) + len);
538  bcopy ((char *) tcp, (char *) &pseudoheader.tcpheader,
539  sizeof (struct tcphdr));
540  /* fill tcpsumdata with data to checksum */
541  bcopy ((char *) &pseudoheader, tcpsumdata, sizeof (struct pseudohdr));
542  if (data != NULL)
543  bcopy ((char *) data, tcpsumdata + sizeof (struct pseudohdr), len);
544  tcp->th_sum =
545  np_in_cksum ((unsigned short *) tcpsumdata,
546  12 + sizeof (struct tcphdr) + len);
547  g_free (tcpsumdata);
548  }
549 
550 
551 
552  retc->size = ipsz + sizeof (struct tcphdr) + len;
553  return retc;
554 }
#define FIX(n)
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int get_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1291
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), CONST_DATA, FIX, get_int_local_var_by_name(), get_local_var_size_by_name(), get_str_local_var_by_name(), get_var_size_by_name(), nasl_perror(), TC::str_val, TC::type, UNFIX, and TC::x.

Here is the call graph for this function:

◆ forge_udp_packet()

tree_cell* forge_udp_packet ( lex_ctxt )

Definition at line 840 of file nasl_packet_forgery.c.

841 {
842  tree_cell *retc;
843  struct ip *ip = (struct ip *) get_str_local_var_by_name (lexic, "ip");
844 
845  if (ip != NULL)
846  {
847  char *data = get_str_local_var_by_name (lexic, "data");
848  int data_len = get_local_var_size_by_name (lexic, "data");
849  u_char *pkt;
850  struct ip *udp_packet;
851  struct udphdr *udp;
852 
853  pkt = g_malloc0 (sizeof (struct udphdr) + ip->ip_hl * 4 +
854  sizeof (struct udphdr) + data_len);
855 
856  udp_packet = (struct ip *) pkt;
857  udp = (struct udphdr *) (pkt + ip->ip_hl * 4);
858 
859 
860  udp->uh_sport = htons (get_int_local_var_by_name (lexic, "uh_sport", 0));
861  udp->uh_dport = htons (get_int_local_var_by_name (lexic, "uh_dport", 0));
862  udp->uh_ulen =
864  (lexic, "uh_ulen", data_len + sizeof (struct udphdr)));
865 
866 
867  /* printf("len : %d %s\n", len, data); */
868  if (data_len != 0 && data != NULL)
869  bcopy (data, (pkt + ip->ip_hl * 4 + sizeof (struct udphdr)), data_len);
870 
871  udp->uh_sum = get_int_local_var_by_name (lexic, "uh_sum", 0);
872  bcopy ((char *) ip, pkt, ip->ip_hl * 4);
873  if (udp->uh_sum == 0)
874  {
875  struct pseudo_udp_hdr pseudohdr;
876  struct in_addr source, dest;
877  char *udpsumdata = g_malloc0 (sizeof (struct pseudo_udp_hdr) +
878  data_len + 1);
879 
880  source.s_addr = ip->ip_src.s_addr;
881  dest.s_addr = ip->ip_dst.s_addr;
882 
883  bzero (&pseudohdr, sizeof (struct pseudo_udp_hdr));
884  pseudohdr.saddr.s_addr = source.s_addr;
885  pseudohdr.daddr.s_addr = dest.s_addr;
886 
887  pseudohdr.proto = IPPROTO_UDP;
888  pseudohdr.len = htons (sizeof (struct udphdr) + data_len);
889  bcopy ((char *) udp, (char *) &pseudohdr.udpheader,
890  sizeof (struct udphdr));
891  bcopy ((char *) &pseudohdr, udpsumdata, sizeof (pseudohdr));
892  if (data != NULL)
893  {
894  bcopy ((char *) data, udpsumdata + sizeof (pseudohdr), data_len);
895  }
896  udp->uh_sum =
897  np_in_cksum ((unsigned short *) udpsumdata,
898  12 + sizeof (struct udphdr) + data_len);
899  g_free (udpsumdata);
900  }
901 
902 
903  if (UNFIX (udp_packet->ip_len) <= udp_packet->ip_hl * 4)
904  {
905  int v = get_int_local_var_by_name (lexic, "update_ip_len", 1);
906  if (v != 0)
907  {
908  udp_packet->ip_len =
909  FIX (ntohs (udp->uh_ulen) + (udp_packet->ip_hl * 4));
910  udp_packet->ip_sum = 0;
911  udp_packet->ip_sum =
912  np_in_cksum ((u_short *) udp_packet, udp_packet->ip_hl * 4);
913  }
914  }
915 
916  retc = alloc_tree_cell (0, NULL);
917  retc->type = CONST_DATA;
918  retc->x.str_val = (char *) pkt;
919  retc->size = 8 + ip->ip_hl * 4 + data_len;
920  return retc;
921  }
922  else
923  printf ("Error ! You must supply the 'ip' argument !\n");
924 
925  return NULL;
926 }
#define FIX(n)
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
struct in_addr saddr
Definition: ids_send.c:132
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
struct in_addr daddr
Definition: ids_send.c:133
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References pseudohdr::daddr, get_int_local_var_by_name(), get_local_var_size_by_name(), get_str_local_var_by_name(), and pseudohdr::saddr.

Here is the call graph for this function:

◆ get_icmp_element()

tree_cell* get_icmp_element ( lex_ctxt )

Definition at line 1218 of file nasl_packet_forgery.c.

1219 {
1220  struct icmp *icmp;
1221  char *p;
1222 
1223 
1224  if ((p = get_str_local_var_by_name (lexic, "icmp")) != NULL)
1225  {
1226  char *elem = get_str_local_var_by_name (lexic, "element");
1227  int value;
1228  struct ip *ip = (struct ip *) p;
1229  tree_cell *retc;
1230 
1231  icmp = (struct icmp *) (p + ip->ip_hl * 4);
1232 
1233  if (elem == NULL)
1234  return NULL;
1235 
1236  if (!strcmp (elem, "icmp_id"))
1237  value = ntohs (icmp->icmp_id);
1238  else if (!strcmp (elem, "icmp_code"))
1239  value = icmp->icmp_code;
1240  else if (!strcmp (elem, "icmp_type"))
1241  value = icmp->icmp_type;
1242  else if (!strcmp (elem, "icmp_seq"))
1243  value = ntohs (icmp->icmp_seq);
1244  else if (!strcmp (elem, "icmp_cksum"))
1245  value = ntohs (icmp->icmp_cksum);
1246  else if (!strcmp (elem, "data"))
1247  {
1248  retc = alloc_tree_cell (0, NULL);
1249  retc->type = CONST_DATA;
1250  retc->size =
1251  get_var_size_by_name (lexic, "icmp") - (ip->ip_hl * 4) - 8;
1252  if (retc->size > 0)
1253  retc->x.str_val =
1254  g_memdup (&(p[ip->ip_hl * 4 + 8]), retc->size + 1);
1255  else
1256  {
1257  retc->x.str_val = NULL;
1258  retc->size = 0;
1259  }
1260  return retc;
1261  }
1262  else
1263  return NULL;
1264 
1265  retc = alloc_tree_cell (0, NULL);
1266  retc->type = CONST_INT;
1267  retc->x.i_val = value;
1268  return retc;
1269  }
1270 
1271  return NULL;
1272 }
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
long int i_val
Definition: nasl_tree.h:114
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int get_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1291
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), CONST_DATA, CONST_INT, get_str_local_var_by_name(), get_var_size_by_name(), TC::i_val, TC::size, TC::str_val, TC::type, and TC::x.

Here is the call graph for this function:

◆ get_ip_element()

tree_cell* get_ip_element ( lex_ctxt )

Definition at line 168 of file nasl_packet_forgery.c.

169 {
170  tree_cell *retc;
171  struct ip *ip = (struct ip *) get_str_local_var_by_name (lexic, "ip");
172  char *element = get_str_local_var_by_name (lexic, "element");
173  char ret_ascii[32];
174  int ret_int = 0;
175  int flag = 0;
176 
177  if (ip == NULL)
178  {
179  nasl_perror (lexic, "get_ip_element : no valid 'ip' argument!\n");
180  return NULL;
181  }
182 
183  if (element == NULL)
184  {
185  nasl_perror (lexic, "get_ip_element : no valid 'element' argument!\n");
186  return NULL;
187  }
188 
189  if (!strcmp (element, "ip_v"))
190  {
191  ret_int = ip->ip_v;
192  flag++;
193  }
194  else if (!strcmp (element, "ip_id"))
195  {
196  ret_int = UNFIX (ip->ip_id);
197  flag++;
198  }
199  else if (!strcmp (element, "ip_hl"))
200  {
201  ret_int = ip->ip_hl;
202  flag++;
203  }
204  else if (!strcmp (element, "ip_tos"))
205  {
206  ret_int = ip->ip_tos;
207  flag++;
208  }
209  else if (!strcmp (element, "ip_len"))
210  {
211  ret_int = UNFIX (ip->ip_len);
212  flag++;
213  }
214  else if (!strcmp (element, "ip_off"))
215  {
216  ret_int = UNFIX (ip->ip_off);
217  flag++;
218  }
219  else if (!strcmp (element, "ip_ttl"))
220  {
221  ret_int = ip->ip_ttl;
222  flag++;
223  }
224  else if (!strcmp (element, "ip_p"))
225  {
226  ret_int = ip->ip_p;
227  flag++;
228  }
229  else if (!strcmp (element, "ip_sum"))
230  {
231  ret_int = UNFIX (ip->ip_sum);
232  flag++;
233  }
234 
235  if (flag != 0)
236  {
237  retc = alloc_tree_cell (0, NULL);
238  retc->type = CONST_INT;
239  retc->x.i_val = ret_int;
240  return retc;
241  }
242 
243 
244 
245  if (!strcmp (element, "ip_src"))
246  {
247  snprintf (ret_ascii, sizeof (ret_ascii), "%s", inet_ntoa (ip->ip_src));
248  flag++;
249  }
250  else if (!strcmp (element, "ip_dst"))
251  {
252  snprintf (ret_ascii, sizeof (ret_ascii), "%s", inet_ntoa (ip->ip_dst));
253  flag++;
254  }
255 
256 
257  if (flag == 0)
258  {
259  printf ("%s : unknown element\n", element);
260  return NULL;
261  }
262 
263  retc = alloc_tree_cell (0, NULL);
264  retc->type = CONST_DATA;
265  retc->size = strlen (ret_ascii);
266  retc->x.str_val = g_strdup (ret_ascii);
267 
268  return retc;
269 }
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
long int i_val
Definition: nasl_tree.h:114
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), CONST_DATA, CONST_INT, get_str_local_var_by_name(), TC::i_val, nasl_perror(), TC::size, TC::str_val, TC::type, UNFIX, and TC::x.

Here is the call graph for this function:

◆ get_tcp_element()

tree_cell* get_tcp_element ( lex_ctxt )

Definition at line 557 of file nasl_packet_forgery.c.

558 {
559  u_char *packet = (u_char *) get_str_local_var_by_name (lexic, "tcp");
560  struct ip *ip;
561  int ipsz;
562  struct tcphdr *tcp;
563  char *element;
564  int ret;
565  tree_cell *retc;
566 
567 
568  ipsz = get_local_var_size_by_name (lexic, "tcp");
569 
570 
571  if (packet == NULL)
572  {
573  nasl_perror (lexic,
574  "get_tcp_element : Error ! No valid 'tcp' argument !\n");
575  return NULL;
576  }
577 
578  ip = (struct ip *) packet;
579 
580  if (ip->ip_hl * 4 > ipsz)
581  return NULL; /* Invalid packet */
582 
583  if (UNFIX (ip->ip_len) > ipsz)
584  return NULL; /* Invalid packet */
585 
586  tcp = (struct tcphdr *) (packet + ip->ip_hl * 4);
587 
588  element = get_str_local_var_by_name (lexic, "element");
589  if (!element)
590  {
591  nasl_perror (lexic,
592  "get_tcp_element : Error ! No valid 'element' argument !\n");
593  return NULL;
594  }
595 
596 
597  if (!strcmp (element, "th_sport"))
598  ret = ntohs (tcp->th_sport);
599  else if (!strcmp (element, "th_dsport"))
600  ret = ntohs (tcp->th_dport);
601  else if (!strcmp (element, "th_seq"))
602  ret = ntohl (tcp->th_seq);
603  else if (!strcmp (element, "th_ack"))
604  ret = ntohl (tcp->th_ack);
605  else if (!strcmp (element, "th_x2"))
606  ret = tcp->th_x2;
607  else if (!strcmp (element, "th_off"))
608  ret = tcp->th_off;
609  else if (!strcmp (element, "th_flags"))
610  ret = tcp->th_flags;
611  else if (!strcmp (element, "th_win"))
612  ret = ntohs (tcp->th_win);
613  else if (!strcmp (element, "th_sum"))
614  ret = tcp->th_sum;
615  else if (!strcmp (element, "th_urp"))
616  ret = tcp->th_urp;
617  else if (!strcmp (element, "data"))
618  {
619  retc = alloc_tree_cell (0, NULL);
620  retc->type = CONST_DATA;
621  retc->size = UNFIX (ip->ip_len) - ntohl (tcp->th_off) * 4;
622  retc->x.str_val = g_malloc0 (retc->size);
623  bcopy (tcp + ntohl (tcp->th_off) * 4, retc->x.str_val, retc->size);
624  return retc;
625  }
626  else
627  {
628  nasl_perror (lexic, "Unknown tcp field %s\n", element);
629  return NULL;
630  }
631 
632  retc = alloc_tree_cell (0, NULL);
633  retc->type = CONST_INT;
634  retc->x.i_val = ret;
635  return retc;
636 }
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
long int i_val
Definition: nasl_tree.h:114
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), CONST_DATA, CONST_INT, get_local_var_size_by_name(), get_str_local_var_by_name(), TC::i_val, nasl_perror(), TC::size, TC::str_val, TC::type, UNFIX, and TC::x.

Here is the call graph for this function:

◆ get_udp_element()

tree_cell* get_udp_element ( lex_ctxt )

Definition at line 930 of file nasl_packet_forgery.c.

931 {
932  tree_cell *retc;
933  char *udp;
934  char *element;
935  struct ip *ip;
936  int ipsz;
937  struct udphdr *udphdr;
938  int ret;
939 
940 
941  udp = get_str_local_var_by_name (lexic, "udp");
942  ipsz = get_local_var_size_by_name (lexic, "udp");
943 
944 
945  element = get_str_local_var_by_name (lexic, "element");
946  if (udp == NULL || element == NULL)
947  {
948  printf ("get_udp_element() usage :\n");
949  printf ("element = get_udp_element(udp:<udp>,element:<element>\n");
950  return NULL;
951  }
952  ip = (struct ip *) udp;
953 
954  if (ip->ip_hl * 4 + sizeof (struct udphdr) > ipsz)
955  return NULL;
956 
957 
958  udphdr = (struct udphdr *) (udp + ip->ip_hl * 4);
959  if (!strcmp (element, "uh_sport"))
960  ret = ntohs (udphdr->uh_sport);
961  else if (!strcmp (element, "uh_dport"))
962  ret = ntohs (udphdr->uh_dport);
963  else if (!strcmp (element, "uh_ulen"))
964  ret = ntohs (udphdr->uh_ulen);
965  else if (!strcmp (element, "uh_sum"))
966  ret = ntohs (udphdr->uh_sum);
967  else if (!strcmp (element, "data"))
968  {
969  int sz;
970  retc = alloc_tree_cell (0, NULL);
971  retc->type = CONST_DATA;
972  sz = ntohs (udphdr->uh_ulen) - sizeof (struct udphdr);
973 
974 
975  if (ntohs (udphdr->uh_ulen) - ip->ip_hl * 4 - sizeof (struct udphdr) >
976  ipsz)
977  sz = ipsz - ip->ip_hl * 4 - sizeof (struct udphdr);
978 
979  retc->x.str_val = g_malloc0 (sz);
980  retc->size = sz;
981  bcopy (udp + ip->ip_hl * 4 + sizeof (struct udphdr), retc->x.str_val, sz);
982  return retc;
983  }
984  else
985  {
986  printf ("%s is not a value of a udp packet\n", element);
987  return NULL;
988  }
989 
990  retc = alloc_tree_cell (0, NULL);
991  retc->type = CONST_INT;
992  retc->x.i_val = ret;
993  return retc;
994 }
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
long int i_val
Definition: nasl_tree.h:114
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), CONST_DATA, CONST_INT, get_local_var_size_by_name(), get_str_local_var_by_name(), TC::i_val, TC::size, TC::str_val, TC::type, and TC::x.

Here is the call graph for this function:

◆ insert_ip_options()

tree_cell* insert_ip_options ( lex_ctxt )

Definition at line 321 of file nasl_packet_forgery.c.

322 {
323  struct ip *ip = (struct ip *) get_str_local_var_by_name (lexic, "ip");
324  int code = get_int_local_var_by_name (lexic, "code", 0);
325  int len = get_int_local_var_by_name (lexic, "length", 0);
326  char *value = get_str_local_var_by_name (lexic, "value");
327  int value_size = get_var_size_by_name (lexic, "value");
328  tree_cell *retc;
329  struct ip *new_packet;
330  char *p;
331  int size = get_var_size_by_name (lexic, "ip");
332  u_char uc_code, uc_len;
333  int pad_len;
334  char zero = '0';
335  int i;
336  int hl;
337 
338 
339 
340 
341  if (ip == NULL)
342  {
343  nasl_perror (lexic,
344  "Usage : insert_ip_options(ip:<ip>, code:<code>, length:<len>, value:<value>\n");
345  return NULL;
346  }
347 
348  pad_len = 4 - ((sizeof (uc_code) + sizeof (uc_len) + value_size) % 4);
349  if (pad_len == 4)
350  pad_len = 0;
351 
352  hl = ip->ip_hl * 4 < UNFIX (ip->ip_len) ? ip->ip_hl * 4 : UNFIX (ip->ip_len);
353  new_packet = g_malloc0 (size + 4 + value_size + pad_len);
354  bcopy (ip, new_packet, hl);
355 
356  uc_code = (u_char) code;
357  uc_len = (u_char) len;
358 
359 
360  p = (char *) new_packet;
361  bcopy (&uc_code, p + hl, sizeof (uc_code));
362  bcopy (&uc_len, p + hl + sizeof (uc_code), sizeof (uc_len));
363  bcopy (value, p + hl + sizeof (uc_code) + sizeof (uc_len), value_size);
364 
365 
366 
367  zero = 0;
368  for (i = 0; i < pad_len; i++)
369  {
370  bcopy (&zero,
371  p + hl + sizeof (uc_code) + sizeof (uc_len) + value_size + i, 1);
372  }
373 
374 
375  p = (char *) ip;
376  bcopy (p + hl,
377  new_packet + (sizeof (uc_code) + sizeof (uc_len) + value_size +
378  pad_len) + hl, size - hl);
379 
380 
381  new_packet->ip_hl =
382  (hl + (sizeof (uc_code) + sizeof (uc_len) + value_size + pad_len)) / 4;
383  new_packet->ip_len =
384  FIX (size + sizeof (uc_code) + sizeof (uc_len) + value_size + pad_len);
385  new_packet->ip_sum = 0;
386  new_packet->ip_sum =
387  np_in_cksum ((u_short *) new_packet,
388  new_packet->ip_hl * 4 >
389  UNFIX (new_packet->ip_len) ? UNFIX (new_packet->
390  ip_len) : new_packet->
391  ip_hl * 4);
392 
393  retc = alloc_tree_cell (0, NULL);
394  retc->type = CONST_DATA;
395  retc->size = size + value_size + sizeof (uc_code) + sizeof (uc_len) + pad_len;
396  retc->x.str_val = (char *) new_packet;
397 
398  return retc;
399 }
#define FIX(n)
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
#define code
int get_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1291
int size
Definition: nasl_tree.h:110

References code, FIX, get_int_local_var_by_name(), get_str_local_var_by_name(), get_var_size_by_name(), nasl_perror(), and UNFIX.

Here is the call graph for this function:

◆ nasl_pcap_next()

tree_cell* nasl_pcap_next ( lex_ctxt )

Definition at line 1629 of file nasl_packet_forgery.c.

1630 {
1631  char *interface = get_str_local_var_by_name (lexic, "interface");
1632  int bpf = -1;
1633  static char errbuf[PCAP_ERRBUF_SIZE];
1634  int is_ip = 0;
1635  struct ip *ret = NULL;
1636  struct ip6_hdr *ret6 = NULL;
1637  char *filter = get_str_local_var_by_name (lexic, "pcap_filter");
1638  int timeout = get_int_local_var_by_name (lexic, "timeout", 5);
1639  tree_cell *retc;
1640  int sz;
1641  struct in6_addr *dst = plug_get_host_ip (lexic->script_infos);
1642  struct in_addr inaddr;
1643 
1644  if (dst == NULL)
1645  {
1646  return NULL;
1647  }
1648  int v4_addr = IN6_IS_ADDR_V4MAPPED (dst);
1649  if (interface == NULL)
1650  {
1651  if (v4_addr)
1652  {
1653  struct in_addr src;
1654  bzero (&src, sizeof (src));
1655  inaddr.s_addr = dst->s6_addr32[3];
1656  interface = routethrough (&inaddr, &src);
1657  }
1658  else
1659  {
1660  struct in6_addr src;
1661  bzero (&src, sizeof (src));
1662  interface = v6_routethrough (dst, &src);
1663  }
1664  if (interface == NULL)
1665  interface = pcap_lookupdev (errbuf);
1666  }
1667 
1668  if (interface != NULL)
1669  {
1670  bpf = bpf_open_live (interface, filter);
1671  }
1672  if (bpf < 0)
1673  {
1674  nasl_perror (lexic, "pcap_next: Could not get a bpf\n");
1675  return NULL;
1676  }
1677  else
1678  {
1679  int len;
1680  int dl_len = get_datalink_size (bpf_datalink (bpf));
1681  char *packet;
1682  struct timeval then, now;
1683 
1684 
1685  gettimeofday (&then, NULL);
1686  for (;;)
1687  {
1688  packet = (char *) bpf_next (bpf, &len);
1689 
1690  if (packet != NULL)
1691  break;
1692 
1693  if (timeout != 0)
1694  {
1695  gettimeofday (&now, NULL);
1696  if (now.tv_sec - then.tv_sec >= timeout)
1697  {
1698  break;
1699  }
1700  }
1701  }
1702 
1703  if (packet)
1704  {
1705  if (v4_addr)
1706  {
1707  struct ip *ip;
1708  ip = (struct ip *) (packet + dl_len);
1709  sz = UNFIX (ip->ip_len);
1710  ret = g_malloc0 (sz);
1711 
1712  is_ip = (ip->ip_v == 4);
1713 
1714  if (is_ip)
1715  {
1716  bcopy (ip, ret, sz);
1717  }
1718  else
1719  {
1720  sz = len - dl_len;
1721  bcopy (ip, ret, sz);
1722  }
1723  }
1724  else
1725  {
1726  struct ip6_hdr *ip;
1727  ip = (struct ip6_hdr *) (packet + dl_len);
1728  sz = UNFIX (ip->ip6_plen);
1729  ret6 = g_malloc0 (sz);
1730 
1731  is_ip = ((ip->ip6_flow & 0x3ffff) == 96);
1732  if (is_ip)
1733  {
1734  bcopy (ip, ret6, sz);
1735  }
1736  else
1737  {
1738  sz = len - dl_len;
1739  bcopy (ip, ret6, sz);
1740  }
1741 
1742  }
1743  }
1744  else
1745  {
1746  bpf_close (bpf);
1747  return NULL;
1748  }
1749  }
1750  bpf_close (bpf);
1751  retc = alloc_tree_cell (0, NULL);
1752 
1753  retc->type = CONST_DATA;
1754  if (v4_addr)
1755  retc->x.str_val = (char *) ret;
1756  else
1757  retc->x.str_val = (char *) ret6;
1758  retc->size = sz;
1759 
1760  return retc;
1761 }
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1061
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
void bpf_close(int bpf)
Definition: bpf_share.c:153
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_datalink_size(int datalink)
Definition: pcap.c:442
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
int bpf_datalink(int bpf)
Definition: bpf_share.c:146
Definition: nasl_tree.h:105
int bpf_open_live(char *iface, char *filter)
Definition: bpf_share.c:40
struct in6_addr * plug_get_host_ip(struct arglist *desc)
Definition: plugutils.c:216
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
struct timeval timeval(unsigned long val)
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1244
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
u_char * bpf_next(int bpf, int *caplen)
Definition: bpf_share.c:137
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), bpf_close(), bpf_datalink(), bpf_next(), bpf_open_live(), CONST_DATA, get_datalink_size(), get_int_local_var_by_name(), get_str_local_var_by_name(), nasl_perror(), plug_get_host_ip(), routethrough(), TC::size, TC::str_val, timeval(), TC::type, UNFIX, v6_routethrough(), and TC::x.

Here is the call graph for this function:

◆ nasl_send_capture()

tree_cell* nasl_send_capture ( lex_ctxt )

Definition at line 1765 of file nasl_packet_forgery.c.

1766 {
1767  char *interface = get_str_local_var_by_name (lexic, "interface");
1768  int bpf = -1;
1769  static char errbuf[PCAP_ERRBUF_SIZE];
1770  int is_ip = 0;
1771  struct ip *ret = NULL;
1772  struct ip6_hdr *ret6 = NULL;
1773  char *filter = get_str_local_var_by_name (lexic, "pcap_filter");
1774  int timeout = get_int_local_var_by_name (lexic, "timeout", 5);
1775  tree_cell *retc;
1776  int sz;
1777  struct in6_addr *dst = plug_get_host_ip (lexic->script_infos);
1778  struct in_addr inaddr;
1779 
1780  if (dst == NULL)
1781  return NULL;
1782 
1783  int v4_addr = IN6_IS_ADDR_V4MAPPED (dst);
1784  if (interface == NULL)
1785  {
1786  if (v4_addr)
1787  {
1788  struct in_addr src;
1789  bzero (&src, sizeof (src));
1790  inaddr.s_addr = dst->s6_addr32[3];
1791  interface = routethrough (&inaddr, &src);
1792  }
1793  else
1794  {
1795  struct in6_addr src;
1796  bzero (&src, sizeof (src));
1797  interface = v6_routethrough (dst, &src);
1798  }
1799  if (interface == NULL)
1800  interface = pcap_lookupdev (errbuf);
1801  }
1802 
1803  if (interface != NULL)
1804  bpf = bpf_open_live (interface, filter);
1805 
1806  if (bpf < 0)
1807  {
1808  nasl_perror (lexic, "pcap_next: Could not get a bpf\n");
1809  return NULL;
1810  }
1811  else
1812  {
1813  int len;
1814  int dl_len = get_datalink_size (bpf_datalink (bpf));
1815  char *packet;
1816  struct timeval then, now;
1817 
1818  retc = nasl_send (lexic);
1819  g_free (retc);
1820 
1821  gettimeofday (&then, NULL);
1822  for (;;)
1823  {
1824  packet = (char *) bpf_next (bpf, &len);
1825 
1826  if (packet != NULL)
1827  break;
1828 
1829  if (timeout != 0)
1830  {
1831  gettimeofday (&now, NULL);
1832  if (now.tv_sec - then.tv_sec >= timeout)
1833  break;
1834  }
1835  }
1836 
1837  if (packet)
1838  {
1839  if (v4_addr)
1840  {
1841  struct ip *ip;
1842  ip = (struct ip *) (packet + dl_len);
1843  sz = UNFIX (ip->ip_len);
1844  ret = g_malloc0 (sz);
1845 
1846  is_ip = (ip->ip_v == 4);
1847  if (is_ip)
1848  {
1849  bcopy (ip, ret, sz);
1850  }
1851  else
1852  {
1853  sz = len - dl_len;
1854  bcopy (ip, ret, sz);
1855  }
1856  }
1857  else
1858  {
1859  struct ip6_hdr *ip;
1860  ip = (struct ip6_hdr *) (packet + dl_len);
1861  sz = UNFIX (ip->ip6_plen);
1862  ret6 = g_malloc0 (sz);
1863  is_ip = ((ip->ip6_flow & 0x3ffff) == 96);
1864  if (is_ip)
1865  {
1866  bcopy (ip, ret6, sz);
1867  }
1868  else
1869  {
1870  sz = len - dl_len;
1871  bcopy (ip, ret6, sz);
1872  }
1873  }
1874  }
1875  else
1876  {
1877  bpf_close (bpf);
1878  return NULL;
1879  }
1880  }
1881  bpf_close (bpf);
1882  retc = alloc_tree_cell (0, NULL);
1883 
1884  retc->type = CONST_DATA;
1885  if (v4_addr)
1886  retc->x.str_val = (char *) ret;
1887  else
1888  retc->x.str_val = (char *) ret6;
1889  retc->size = sz;
1890 
1891  return retc;
1892 }
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1061
#define UNFIX(n)
tree_cell * nasl_send(lex_ctxt *lexic)
Definition: nasl_socket.c:899
void bpf_close(int bpf)
Definition: bpf_share.c:153
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_datalink_size(int datalink)
Definition: pcap.c:442
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
int bpf_datalink(int bpf)
Definition: bpf_share.c:146
Definition: nasl_tree.h:105
int bpf_open_live(char *iface, char *filter)
Definition: bpf_share.c:40
struct in6_addr * plug_get_host_ip(struct arglist *desc)
Definition: plugutils.c:216
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
struct timeval timeval(unsigned long val)
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1244
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
u_char * bpf_next(int bpf, int *caplen)
Definition: bpf_share.c:137

References alloc_tree_cell(), bpf_close(), bpf_datalink(), bpf_next(), bpf_open_live(), CONST_DATA, get_datalink_size(), get_int_local_var_by_name(), get_str_local_var_by_name(), nasl_perror(), nasl_send(), plug_get_host_ip(), routethrough(), TC::size, TC::str_val, timeval(), TC::type, UNFIX, v6_routethrough(), and TC::x.

Here is the call graph for this function:

◆ nasl_send_packet()

tree_cell* nasl_send_packet ( lex_ctxt )

Definition at line 1512 of file nasl_packet_forgery.c.

1513 {
1514  tree_cell *retc = FAKE_CELL;
1515  int bpf = -1;
1516  u_char *answer;
1517  int answer_sz;
1518  struct sockaddr_in sockaddr;
1519  char *ip = NULL;
1520  struct ip *sip = NULL;
1521  int vi = 0, b, len = 0;
1522  int soc;
1523  int use_pcap = get_int_local_var_by_name (lexic, "pcap_active", 1);
1524  int to = get_int_local_var_by_name (lexic, "pcap_timeout", 5);
1525  char *filter = get_str_local_var_by_name (lexic, "pcap_filter");
1526  int dfl_len = get_int_local_var_by_name (lexic, "length", -1);
1527  int i = 1;
1528  struct arglist *script_infos = lexic->script_infos;
1529  struct in6_addr *dstip = plug_get_host_ip (script_infos);
1530  struct in_addr inaddr;
1531 
1532 
1533  if (dstip == NULL || (IN6_IS_ADDR_V4MAPPED (dstip) != 1))
1534  return NULL;
1535  inaddr.s_addr = dstip->s6_addr32[3];
1536  soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
1537  if (soc < 0)
1538  return NULL;
1539  if (setsockopt (soc, IPPROTO_IP, IP_HDRINCL, (char *) &i, sizeof (i)) < 0)
1540  perror ("setsockopt ");
1541 
1542  while ((ip = get_str_var_by_num (lexic, vi)) != NULL)
1543  {
1544  int sz = get_var_size_by_num (lexic, vi);
1545  vi++;
1546 
1547  if (sz < sizeof (struct ip))
1548  {
1549  nasl_perror (lexic, "send_packet(): packet is too short!\n");
1550  continue;
1551  }
1552 
1553  sip = (struct ip *) ip;
1554  if (use_pcap != 0 && bpf < 0)
1555  bpf = init_capture_device (sip->ip_dst, sip->ip_src, filter);
1556 
1557 
1558  bzero (&sockaddr, sizeof (struct sockaddr_in));
1559  sockaddr.sin_family = AF_INET;
1560  sockaddr.sin_addr = sip->ip_dst;
1561  if (sockaddr.sin_addr.s_addr != inaddr.s_addr)
1562  {
1563  char txt1[64], txt2[64];
1564  strncpy (txt1, inet_ntoa (sockaddr.sin_addr), sizeof (txt1));
1565  txt1[sizeof (txt1) - 1] = '\0';
1566  strncpy (txt2, inet_ntoa (inaddr), sizeof (txt2));
1567  txt2[sizeof (txt2) - 1] = '\0';
1568  nasl_perror (lexic,
1569  "send_packet: malicious or buggy script is trying to send packet to %s instead of designated target %s\n",
1570  txt1, txt2);
1571 #if 1
1572  if (bpf >= 0)
1573  bpf_close (bpf);
1574  close (soc);
1575  return NULL;
1576 #else
1577  sip->ip_dst = inaddr;
1578  sip->ip_sum = np_in_cksum ((u_short *) sip, sizeof (struct ip));
1579 #endif
1580  }
1581 
1582  if (dfl_len > 0 && dfl_len < sz)
1583  len = dfl_len;
1584  else
1585  len = sz;
1586 
1587 
1588 
1589  b =
1590  sendto (soc, (u_char *) ip, len, 0, (struct sockaddr *) &sockaddr,
1591  sizeof (sockaddr));
1592  /* if(b < 0) perror("sendto "); */
1593  if (b >= 0 && use_pcap != 0 && bpf >= 0)
1594  {
1595  if (islocalhost (&sip->ip_dst))
1596  {
1597  answer = (u_char *) capture_next_packet (bpf, to, &answer_sz);
1598  while (answer != NULL
1599  && (!memcmp (answer, (char *) ip, sizeof (struct ip))))
1600  {
1601  g_free (answer);
1602  answer = (u_char *) capture_next_packet (bpf, to, &answer_sz);
1603  }
1604 
1605  }
1606  else
1607  answer = (u_char *) capture_next_packet (bpf, to, &answer_sz);
1608 
1609  if (answer)
1610  {
1611  retc = alloc_tree_cell (0, NULL);
1612  retc->type = CONST_DATA;
1613  retc->x.str_val = (char *) answer;
1614  retc->size = answer_sz;
1615  break;
1616  }
1617  }
1618  }
1619  if (bpf >= 0)
1620  bpf_close (bpf);
1621  close (soc);
1622  return retc;
1623 }
#define FAKE_CELL
Definition: nasl_tree.h:120
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
int islocalhost(struct in_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
Definition: pcap.c:415
void bpf_close(int bpf)
Definition: bpf_share.c:153
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
int get_var_size_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1305
struct in6_addr * plug_get_host_ip(struct arglist *desc)
Definition: plugutils.c:216
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
struct ip * capture_next_packet(int bpf, int timeout, int *sz)
char * get_str_var_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1248
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int init_capture_device(struct in_addr src, struct in_addr dst, char *filter)
Set up the pcap filter, and select the correct interface.
int size
Definition: nasl_tree.h:110

References bpf_close(), FAKE_CELL, get_int_local_var_by_name(), get_str_local_var_by_name(), get_str_var_by_num(), get_var_size_by_num(), init_capture_device(), nasl_perror(), plug_get_host_ip(), and struct_lex_ctxt::script_infos.

Here is the call graph for this function:

◆ nasl_tcp_ping()

tree_cell* nasl_tcp_ping ( lex_ctxt )

Definition at line 1363 of file nasl_packet_forgery.c.

1364 {
1365  struct arglist *script_infos = lexic->script_infos;
1366  struct in6_addr *dst = plug_get_host_ip (script_infos);
1367  if (IN6_IS_ADDR_V4MAPPED (dst) != 1)
1368  {
1369  tree_cell *retc = nasl_tcp_v6_ping (lexic);
1370  return retc;
1371  }
1372  int port;
1373  u_char packet[sizeof (struct ip) + sizeof (struct tcphdr)];
1374  int soc;
1375  struct ip *ip = (struct ip *) packet;
1376  struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof (struct ip));
1377  struct in_addr src;
1378  struct sockaddr_in soca;
1379  int flag = 0;
1380  int i = 0;
1381  int bpf;
1382  char filter[255];
1383  tree_cell *retc;
1384  int opt = 1;
1385  struct timeval tv;
1386  int len;
1387 #define rnd_tcp_port() (rand() % 65535 + 1024)
1388  int sports[] =
1389  { 0, 0, 0, 0, 0, 1023, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 53, 0, 0,
1390 20, 0, 25, 0, 0, 0 };
1391  int ports[] =
1392  { 139, 135, 445, 80, 22, 515, 23, 21, 6000, 1025, 25, 111, 1028, 9100, 1029,
1393 79, 497, 548, 5000, 1917, 53, 161, 9001, 65535, 443, 113, 993, 8080, 0 };
1394  int num_ports = 0;
1395  struct in_addr inaddr;
1396 
1397  if (dst == NULL || (IN6_IS_ADDR_V4MAPPED (dst) != 1))
1398  return NULL;
1399  inaddr.s_addr = dst->s6_addr32[3];
1400  for (i = 0; i < sizeof (sports) / sizeof (int); i++)
1401  {
1402  if (sports[i] == 0)
1403  sports[i] = rnd_tcp_port ();
1404  }
1405 
1406 
1407  for (i = 0; ports[i]; i++)
1408  num_ports++;
1409 
1410  soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
1411  if (soc < 0)
1412  return NULL;
1413  if (setsockopt (soc, IPPROTO_IP, IP_HDRINCL, (char *) &opt, sizeof (opt)) < 0)
1414  perror ("setsockopt ");
1415 
1416  port = get_int_local_var_by_name (lexic, "port", -1);
1417  if (port == -1)
1418  port = plug_get_host_open_port (script_infos);
1419 
1420  if (islocalhost (&inaddr) > 0)
1421  src.s_addr = dst->s6_addr32[3];
1422  else
1423  {
1424  bzero (&src, sizeof (src));
1425  routethrough (&inaddr, &src);
1426  }
1427 
1428  snprintf (filter, sizeof (filter), "ip and src host %s", inet_ntoa (inaddr));
1429  bpf = init_capture_device (inaddr, src, filter);
1430 
1431 
1432  if (islocalhost (&inaddr) != 0)
1433  flag++;
1434  else
1435  {
1436  for (i = 0; i < sizeof (sports) / sizeof (int) && !flag; i++)
1437  {
1438  bzero (packet, sizeof (packet));
1439  /* IP */
1440  ip->ip_hl = 5;
1441  ip->ip_off = FIX (0);
1442  ip->ip_v = 4;
1443  ip->ip_len = FIX (40);
1444  ip->ip_tos = 0;
1445  ip->ip_p = IPPROTO_TCP;
1446  ip->ip_id = rand ();
1447  ip->ip_ttl = 0x40;
1448  ip->ip_src = src;
1449  ip->ip_dst = inaddr;
1450  ip->ip_sum = 0;
1451  ip->ip_sum = np_in_cksum ((u_short *) ip, 20);
1452 
1453 
1454  /* TCP */
1455  tcp->th_sport =
1456  port ? htons (rnd_tcp_port ()) : htons (sports[i % num_ports]);
1457  tcp->th_flags = TH_SYN;
1458  tcp->th_dport = port ? htons (port) : htons (ports[i % num_ports]);
1459  tcp->th_seq = rand ();
1460  tcp->th_ack = 0;
1461  tcp->th_x2 = 0;
1462  tcp->th_off = 5;
1463  tcp->th_win = 2048;
1464  tcp->th_urp = 0;
1465  tcp->th_sum = 0;
1466 
1467  /* CKsum */
1468  {
1469  struct in_addr source, dest;
1470  struct pseudohdr pseudoheader;
1471  source.s_addr = ip->ip_src.s_addr;
1472  dest.s_addr = ip->ip_dst.s_addr;
1473 
1474  bzero (&pseudoheader, 12 + sizeof (struct tcphdr));
1475  pseudoheader.saddr.s_addr = source.s_addr;
1476  pseudoheader.daddr.s_addr = dest.s_addr;
1477 
1478  pseudoheader.protocol = 6;
1479  pseudoheader.length = htons (sizeof (struct tcphdr));
1480  bcopy ((char *) tcp, (char *) &pseudoheader.tcpheader,
1481  sizeof (struct tcphdr));
1482  tcp->th_sum =
1483  np_in_cksum ((unsigned short *) &pseudoheader,
1484  12 + sizeof (struct tcphdr));
1485  }
1486 
1487  bzero (&soca, sizeof (soca));
1488  soca.sin_family = AF_INET;
1489  soca.sin_addr = ip->ip_dst;
1490  sendto (soc, (const void *) ip, 40, 0, (struct sockaddr *) &soca,
1491  sizeof (soca));
1492  tv.tv_sec = 0;
1493  tv.tv_usec = 100000;
1494  if (bpf >= 0 && bpf_next_tv (bpf, &len, &tv))
1495  flag++;
1496  }
1497  }
1498 
1499 
1500  retc = alloc_tree_cell (0, NULL);
1501  retc->type = CONST_INT;
1502  retc->x.i_val = flag;
1503  if (bpf >= 0)
1504  bpf_close (bpf);
1505  close (soc);
1506  return retc;
1507 }
#define FIX(n)
short type
Definition: nasl_tree.h:107
int islocalhost(struct in_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
Definition: pcap.c:415
void bpf_close(int bpf)
Definition: bpf_share.c:153
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
union TC::@7 x
Definition: nasl_tree.h:105
struct in6_addr * plug_get_host_ip(struct arglist *desc)
Definition: plugutils.c:216
tree_cell * nasl_tcp_v6_ping(lex_ctxt *lexic)
Performs TCP Connect to test if host is alive.
struct timeval timeval(unsigned long val)
long int i_val
Definition: nasl_tree.h:114
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1244
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
#define rnd_tcp_port()
unsigned int plug_get_host_open_port(struct arglist *desc)
Definition: plugutils.c:917
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
Definition: bpf_share.c:104
int init_capture_device(struct in_addr src, struct in_addr dst, char *filter)
Set up the pcap filter, and select the correct interface.

References FIX, get_int_local_var_by_name(), init_capture_device(), islocalhost(), nasl_tcp_v6_ping(), plug_get_host_ip(), plug_get_host_open_port(), rnd_tcp_port, routethrough(), struct_lex_ctxt::script_infos, and timeval().

Referenced by nasl_end_denial(), and nasl_start_denial().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ set_ip_elements()

tree_cell* set_ip_elements ( lex_ctxt )

Definition at line 273 of file nasl_packet_forgery.c.

274 {
275  struct ip *o_pkt = (struct ip *) get_str_local_var_by_name (lexic, "ip");
276  int size = get_var_size_by_name (lexic, "ip");
277  tree_cell *retc = alloc_tree_cell (0, NULL);
278  struct ip *pkt;
279  char *s;
280 
281 
282 
283  if (o_pkt == NULL)
284  {
285  nasl_perror (lexic, "set_ip_elements: missing <ip> field\n");
286  return NULL;
287  }
288 
289  pkt = (struct ip *) g_malloc0 (size);
290  bcopy (o_pkt, pkt, size);
291 
292 
293  pkt->ip_hl = get_int_local_var_by_name (lexic, "ip_hl", pkt->ip_hl);
294  pkt->ip_v = get_int_local_var_by_name (lexic, "ip_v", pkt->ip_v);
295  pkt->ip_tos = get_int_local_var_by_name (lexic, "ip_tos", pkt->ip_tos);
296  pkt->ip_len =
297  FIX (get_int_local_var_by_name (lexic, "ip_len", UNFIX (pkt->ip_len)));
298  pkt->ip_id = htons (get_int_local_var_by_name (lexic, "ip_id", pkt->ip_id));
299  pkt->ip_off =
300  FIX (get_int_local_var_by_name (lexic, "ip_off", UNFIX (pkt->ip_off)));
301  pkt->ip_ttl = get_int_local_var_by_name (lexic, "ip_ttl", pkt->ip_ttl);
302  pkt->ip_p = get_int_local_var_by_name (lexic, "ip_p", pkt->ip_p);
303 
304  s = get_str_local_var_by_name (lexic, "ip_src");
305  if (s != NULL)
306  inet_aton (s, &pkt->ip_src);
307 
308  pkt->ip_sum = htons (get_int_local_var_by_name (lexic, "ip_sum", 0));
309  if (pkt->ip_sum == 0)
310  pkt->ip_sum = np_in_cksum ((u_short *) pkt, sizeof (struct ip));
311 
312  retc->type = CONST_DATA;
313  retc->size = size;
314  retc->x.str_val = (char *) pkt;
315 
316  return retc;
317 }
#define FIX(n)
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int get_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1291
int size
Definition: nasl_tree.h:110

References alloc_tree_cell(), FIX, get_int_local_var_by_name(), get_str_local_var_by_name(), get_var_size_by_name(), nasl_perror(), and UNFIX.

Here is the call graph for this function:

◆ set_tcp_elements()

tree_cell* set_tcp_elements ( lex_ctxt )

Definition at line 639 of file nasl_packet_forgery.c.

640 {
641  char *pkt = get_str_local_var_by_name (lexic, "tcp");
642  struct ip *ip = (struct ip *) pkt;
643  int pktsz = get_local_var_size_by_name (lexic, "tcp");
644  struct tcphdr *tcp;
645  tree_cell *retc;
646  char *data = get_str_local_var_by_name (lexic, "data");
647  int data_len = get_local_var_size_by_name (lexic, "data");
648  char *npkt;
649 
650  if (!ip)
651  {
652  nasl_perror (lexic,
653  "set_tcp_elements : Invalid value for the argument 'tcp'\n");
654  return NULL;
655  }
656 
657  if (ip->ip_hl * 4 > pktsz)
658  tcp = (struct tcphdr *) (pkt + 20); /* ip->ip_hl is bogus, we work around that */
659  else
660  tcp = (struct tcphdr *) (pkt + ip->ip_hl * 4);
661 
662 
663  if (pktsz < UNFIX (ip->ip_len))
664  return NULL;
665 
666 
667  if (data_len == 0)
668  {
669  data_len = UNFIX (ip->ip_len) - (ip->ip_hl * 4) - (tcp->th_off * 4);
670  data = (char *) ((char *) tcp + tcp->th_off * 4);
671  }
672 
673  npkt = g_malloc0 (ip->ip_hl * 4 + tcp->th_off * 4 + data_len);
674  bcopy (pkt, npkt, UNFIX (ip->ip_len));
675 
676  ip = (struct ip *) (npkt);
677  tcp = (struct tcphdr *) (npkt + ip->ip_hl * 4);
678 
679  tcp->th_sport =
681  (lexic, "th_sport", ntohs (tcp->th_sport)));
682  tcp->th_dport =
684  (lexic, "th_dport", ntohs (tcp->th_dport)));
685  tcp->th_seq =
686  htonl (get_int_local_var_by_name (lexic, "th_seq", ntohl (tcp->th_seq)));
687  tcp->th_ack =
688  htonl (get_int_local_var_by_name (lexic, "th_ack", ntohl (tcp->th_ack)));
689  tcp->th_x2 = get_int_local_var_by_name (lexic, "th_x2", tcp->th_x2);
690  tcp->th_off = get_int_local_var_by_name (lexic, "th_off", tcp->th_off);
691  tcp->th_flags = get_int_local_var_by_name (lexic, "th_flags", tcp->th_flags);
692  tcp->th_win =
693  htons (get_int_local_var_by_name (lexic, "th_win", ntohs (tcp->th_win)));
694  tcp->th_sum = get_int_local_var_by_name (lexic, "th_sum", 0);
695  tcp->th_urp = get_int_local_var_by_name (lexic, "th_urp", tcp->th_urp);
696  bcopy (data, (char *) tcp + tcp->th_off * 4, data_len);
697 
698  if (get_int_local_var_by_name (lexic, "update_ip_len", 1) != 0)
699  {
700  ip->ip_len = ip->ip_hl * 4 + tcp->th_off * 4 + data_len;
701  ip->ip_sum = 0;
702  ip->ip_sum = np_in_cksum ((u_short *) pkt, ip->ip_hl * 4);
703  }
704 
705  if (tcp->th_sum == 0)
706  {
707  struct pseudohdr pseudoheader;
708  char *tcpsumdata =
709  g_malloc0 (sizeof (struct pseudohdr) + data_len + 1);
710  struct in_addr source, dest;
711 
712  source.s_addr = ip->ip_src.s_addr;
713  dest.s_addr = ip->ip_dst.s_addr;
714 
715  bzero (&pseudoheader, sizeof (pseudoheader));
716  pseudoheader.saddr.s_addr = source.s_addr;
717  pseudoheader.daddr.s_addr = dest.s_addr;
718 
719  pseudoheader.protocol = IPPROTO_TCP;
720  pseudoheader.length = htons (sizeof (struct tcphdr) + data_len);
721  bcopy ((char *) tcp, (char *) &pseudoheader.tcpheader,
722  sizeof (struct tcphdr));
723  /* fill tcpsumdata with data to checksum */
724  bcopy ((char *) &pseudoheader, tcpsumdata, sizeof (struct pseudohdr));
725  bcopy ((char *) data, tcpsumdata + sizeof (struct pseudohdr), data_len);
726  tcp->th_sum =
727  np_in_cksum ((unsigned short *) tcpsumdata,
728  sizeof (pseudoheader) + data_len);
729  g_free (tcpsumdata);
730  }
731 
732  retc = alloc_tree_cell (0, NULL);
733  retc->type = CONST_DATA;
734  retc->size = (ip->ip_hl * 4) + (tcp->th_off * 4) + data_len;
735  retc->x.str_val = npkt;
736  return retc;
737 }
#define UNFIX(n)
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References get_int_local_var_by_name(), get_local_var_size_by_name(), get_str_local_var_by_name(), nasl_perror(), and UNFIX.

Here is the call graph for this function:

◆ set_udp_elements()

tree_cell* set_udp_elements ( lex_ctxt )

Definition at line 999 of file nasl_packet_forgery.c.

1000 {
1001  struct ip *ip = (struct ip *) get_str_local_var_by_name (lexic, "udp");
1002  int sz = get_local_var_size_by_name (lexic, "udp");
1003  char *data = get_str_local_var_by_name (lexic, "data");
1004  int data_len = get_local_var_size_by_name (lexic, "data");
1005 
1006  if (ip != NULL)
1007  {
1008  char *pkt;
1009  struct udphdr *udp;
1010  tree_cell *retc;
1011  int old_len;
1012 
1013 
1014  if (ip->ip_hl * 4 + sizeof (struct udphdr) > sz)
1015  return NULL;
1016 
1017  if (data != NULL)
1018  {
1019  sz = ip->ip_hl * 4 + sizeof (struct udphdr) + data_len;
1020  pkt = g_malloc0 (sz);
1021  bcopy (ip, pkt, ip->ip_hl * 4 + sizeof (struct udphdr));
1022  }
1023  else
1024  {
1025  pkt = g_malloc0 (sz);
1026  bcopy (ip, pkt, sz);
1027  }
1028 
1029 
1030 
1031  ip = (struct ip *) pkt;
1032  if (data != NULL)
1033  {
1034  ip->ip_len = FIX (sz);
1035  ip->ip_sum = 0;
1036  ip->ip_sum = np_in_cksum ((u_short *) ip, ip->ip_hl * 4);
1037  }
1038  udp = (struct udphdr *) (pkt + ip->ip_hl * 4);
1039 
1040 
1041  udp->uh_sport =
1043  (lexic, "uh_sport", ntohs (udp->uh_sport)));
1044  udp->uh_dport =
1046  (lexic, "uh_dport", ntohs (udp->uh_dport)));
1047  old_len = ntohs (udp->uh_ulen);
1048  udp->uh_ulen =
1050  (lexic, "uh_ulen", ntohs (udp->uh_ulen)));
1051  udp->uh_sum = get_int_local_var_by_name (lexic, "uh_sum", 0);
1052 
1053  if (data != NULL)
1054  {
1055  bcopy (data, pkt + ip->ip_hl * 4 + sizeof (struct udphdr), data_len);
1056  udp->uh_ulen = htons (sizeof (struct udphdr) + data_len);
1057  }
1058 
1059  if (udp->uh_sum == 0)
1060  {
1061  struct pseudo_udp_hdr pseudohdr;
1062  struct in_addr source, dest;
1063  int len = old_len - sizeof (struct udphdr);
1064  char *udpsumdata;
1065  char *ptr = NULL;
1066 
1067  if (data != NULL)
1068  {
1069  len = data_len;
1070  }
1071 
1072  if (len > 0)
1073  {
1074  ptr = (char *) udp + sizeof (struct udphdr);
1075  }
1076 
1077 
1078  udpsumdata = g_malloc0 (sizeof (struct pseudo_udp_hdr) + len + 1);
1079 
1080  source.s_addr = ip->ip_src.s_addr;
1081  dest.s_addr = ip->ip_dst.s_addr;
1082 
1083  bzero (&pseudohdr, sizeof (struct pseudo_udp_hdr));
1084  pseudohdr.saddr.s_addr = source.s_addr;
1085  pseudohdr.daddr.s_addr = dest.s_addr;
1086 
1087  pseudohdr.proto = IPPROTO_UDP;
1088  pseudohdr.len = htons (sizeof (struct udphdr) + len);
1089  bcopy ((char *) udp, (char *) &pseudohdr.udpheader,
1090  sizeof (struct udphdr));
1091  bcopy ((char *) &pseudohdr, udpsumdata, sizeof (pseudohdr));
1092  if (ptr != NULL)
1093  {
1094  bcopy ((char *) ptr, udpsumdata + sizeof (pseudohdr), len);
1095  }
1096  udp->uh_sum =
1097  np_in_cksum ((unsigned short *) udpsumdata,
1098  12 + sizeof (struct udphdr) + len);
1099  g_free (udpsumdata);
1100  }
1101  retc = alloc_tree_cell (0, NULL);
1102  retc->type = CONST_DATA;
1103  retc->size = sz;
1104  retc->x.str_val = pkt;
1105  return retc;
1106  }
1107  else
1108  printf ("Error ! You must supply the 'udp' argument !\n");
1109 
1110  return NULL;
1111 }
#define FIX(n)
short type
Definition: nasl_tree.h:107
struct in_addr saddr
Definition: ids_send.c:132
char * str_val
Definition: nasl_tree.h:113
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1240
struct in_addr daddr
Definition: ids_send.c:133
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
Definition: nasl_tree.h:105
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
int size
Definition: nasl_tree.h:110

References FIX, get_local_var_size_by_name(), and get_str_local_var_by_name().

Here is the call graph for this function: