39 #include <arpa/inet.h> 46 #include <netinet/icmp6.h> 48 #include "../misc/bpf_share.h" 49 #include "../misc/pcap_openvas.h" 50 #include "../misc/plugutils.h" 68 #ifdef BSD_BYTE_ORDERING 72 #define FIX(n) htons(n) 73 #define UNFIX(n) ntohs(n) 87 register u_short answer = 0;
88 register long sum = 0;
100 *(u_char *) (&odd_byte) = *(u_char *) p;
104 sum = (sum >> 16) + (sum & 0xffff);
126 struct in6_addr *dst_addr;
135 if (dst_addr == NULL || (IN6_IS_ADDR_V4MAPPED (dst_addr) == 1))
143 retc->
size =
sizeof (
struct ip6_hdr) + data_len;
145 pkt = (
struct ip6_hdr *) g_malloc0 (
sizeof (
struct ip6_hdr) + data_len);
152 pkt->ip6_ctlun.ip6_un1.ip6_un1_flow = version | tc | fl;
154 pkt->ip6_plen =
FIX (data_len);
161 inet_pton (AF_INET6, s, &pkt->ip6_src);
166 inet_pton (AF_INET6, s, &pkt->ip6_dst);
168 pkt->ip6_dst = *dst_addr;
172 bcopy (data, retc->
x.
str_val + sizeof (
struct ip6_hdr), data_len);
193 struct ip6_hdr *ip6 =
196 char ret_ascii[INET6_ADDRSTRLEN];
202 nasl_perror (lexic,
"get_ipv6_element : no valid 'ip' argument!\n");
208 nasl_perror (lexic,
"get_ipv6_element : no valid 'element' argument!\n");
212 if (!strcmp (element,
"ip6_v"))
214 ret_int = (ip6->ip6_flow & 0x3ffff);
217 else if (!strcmp (element,
"ip6_tc"))
219 ret_int = (ip6->ip6_flow >> 20) & 0xff;
222 else if (!strcmp (element,
"ip6_fl"))
224 ret_int = ip6->ip6_flow >> 28;
227 else if (!strcmp (element,
"ip6_plen"))
229 ret_int = (ip6->ip6_plen);
232 else if (!strcmp (element,
"ip6_nxt"))
234 ret_int = (ip6->ip6_nxt);
237 else if (!strcmp (element,
"ip6_hlim"))
239 ret_int = (ip6->ip6_hlim);
251 if (!strcmp (element,
"ip6_src"))
253 inet_ntop (AF_INET6, &ip6->ip6_src, ret_ascii, sizeof (ret_ascii));
256 else if (!strcmp (element,
"ip6_dst"))
258 inet_ntop (AF_INET6, &ip6->ip6_dst, ret_ascii, sizeof (ret_ascii));
264 printf (
"%s : unknown element\n", element);
270 retc->
size = strlen (ret_ascii);
271 retc->
x.
str_val = g_strdup (ret_ascii);
286 struct ip6_hdr *o_pkt =
295 nasl_perror (lexic,
"set_ip_elements: missing <ip> field\n");
299 pkt = (
struct ip6_hdr *) g_malloc0 (size);
300 bcopy (o_pkt, pkt, size);
308 inet_pton (AF_INET6, s, &pkt->ip6_src);
328 char addr[INET6_ADDRSTRLEN];
339 printf (
"\tip6_v : %d\n", ip6->ip6_flow >> 28);
340 printf (
"\tip6_tc: %d\n", (ip6->ip6_flow >> 20) & 0xff);
341 printf (
"\tip6_fl: %d\n", (ip6->ip6_flow) & 0x3ffff);
342 printf (
"\tip6_plen: %d\n",
UNFIX (ip6->ip6_plen));
343 printf (
"\tip6_nxt : %d\n", ntohs (ip6->ip6_nxt));
344 printf (
"\tip6_hlim : %d\n", ntohs (ip6->ip6_hlim));
345 switch (ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt)
348 printf (
"\tip6_nxt : IPPROTO_TCP (%d)\n", ip6->ip6_nxt);
351 printf (
"\tip6_nxt : IPPROTO_UDP (%d)\n", ip6->ip6_nxt);
354 printf (
"\tip6_nxt : IPPROTO_ICMP (%d)\n", ip6->ip6_nxt);
357 printf (
"\tip6_nxt : %d\n", ip6->ip6_nxt);
360 printf (
"\tip6_src: %s\n",
361 inet_ntop (AF_INET6, &ip6->ip6_src, addr, sizeof (addr)));
362 printf (
"\tip6_dst: %s\n",
363 inet_ntop (AF_INET6, &ip6->ip6_dst, addr, sizeof (addr)));
374 struct ip6_hdr *ip6 =
381 struct ip6_hdr *new_packet;
384 u_char uc_code, uc_len;
393 "Usage : insert_ipv6_options(ip6:<ip6>, code:<code>, length:<len>, value:<value>\n");
397 pad_len = 4 - ((
sizeof (uc_code) +
sizeof (uc_len) + value_size) % 4);
401 pl = 40 <
UNFIX (ip6->ip6_plen) ? 40 :
UNFIX (ip6->ip6_plen);
402 new_packet = g_malloc0 (size + 4 + value_size + pad_len);
403 bcopy (ip6, new_packet, pl);
405 uc_code = (u_char)
code;
406 uc_len = (u_char) len;
409 p = (
char *) new_packet;
410 bcopy (&uc_code, p + pl,
sizeof (uc_code));
411 bcopy (&uc_len, p + pl +
sizeof (uc_code),
sizeof (uc_len));
412 bcopy (value, p + pl +
sizeof (uc_code) +
sizeof (uc_len), value_size);
415 for (i = 0; i < pad_len; i++)
418 p + pl +
sizeof (uc_code) +
sizeof (uc_len) + value_size + i, 1);
424 new_packet + (
sizeof (uc_code) +
sizeof (uc_len) + value_size +
425 pad_len) + pl, size - pl);
428 new_packet->ip6_plen =
429 FIX (size +
sizeof (uc_code) +
sizeof (uc_len) + value_size + pad_len);
433 retc->
size = size + value_size +
sizeof (uc_code) +
sizeof (uc_len) + pad_len;
434 retc->
x.
str_val = (
char *) new_packet;
476 "forge_tcp_packet : You must supply the 'ip' argument !");
491 tcp_packet = (
struct ip6_hdr *) g_malloc0 (ipsz +
sizeof (
struct tcphdr) + len);
497 FIX (
sizeof (
struct tcphdr) + len);
498 tcp = (
struct tcphdr *) ((
char *)
tcp_packet + 40);
512 bcopy (data, (
char *) tcp +
sizeof (
struct tcphdr), len);
517 char *tcpsumdata = g_malloc0 (
sizeof (
struct v6pseudohdr) + len + 1);
519 bzero (&pseudoheader, 38 +
sizeof (
struct tcphdr));
520 memcpy (&pseudoheader.
s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
521 memcpy (&pseudoheader.
d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
523 pseudoheader.
protocol = IPPROTO_TCP;
524 pseudoheader.
length = htons (
sizeof (
struct tcphdr) + len);
525 bcopy ((
char *) tcp, (
char *) &pseudoheader.
tcpheader,
526 sizeof (
struct tcphdr));
528 bcopy ((
char *) &pseudoheader, tcpsumdata,
sizeof (
struct v6pseudohdr));
530 bcopy ((
char *) data, tcpsumdata +
sizeof (
struct v6pseudohdr), len);
532 np_in_cksum ((
unsigned short *) tcpsumdata,
533 38 +
sizeof (
struct tcphdr) + len);
537 retc->
size = ipsz +
sizeof (
struct tcphdr) + len;
564 "get_tcp_element : Error ! No valid 'tcp' argument !\n");
568 ip6 = (
struct ip6_hdr *) packet;
571 if (
UNFIX (ip6->ip6_plen) > ipsz)
574 tcp = (
struct tcphdr *) (packet + 40);
580 "get_tcp_element : Error ! No valid 'element' argument !\n");
584 if (!strcmp (element,
"th_sport"))
585 ret = ntohs (tcp->th_sport);
586 else if (!strcmp (element,
"th_dsport"))
587 ret = ntohs (tcp->th_dport);
588 else if (!strcmp (element,
"th_seq"))
589 ret = ntohl (tcp->th_seq);
590 else if (!strcmp (element,
"th_ack"))
591 ret = ntohl (tcp->th_ack);
592 else if (!strcmp (element,
"th_x2"))
594 else if (!strcmp (element,
"th_off"))
596 else if (!strcmp (element,
"th_flags"))
598 else if (!strcmp (element,
"th_win"))
599 ret = ntohs (tcp->th_win);
600 else if (!strcmp (element,
"th_sum"))
602 else if (!strcmp (element,
"th_urp"))
604 else if (!strcmp (element,
"data"))
608 retc->
size =
UNFIX (ip6->ip6_plen) - ntohl (tcp->th_off) * 4;
610 bcopy (tcp + ntohl (tcp->th_off) * 4, retc->
x.
str_val, retc->
size);
615 nasl_perror (lexic,
"Unknown tcp field %s\n", element);
636 struct ip6_hdr *ip6 = (
struct ip6_hdr *) pkt;
647 "set_tcp_elements : Invalid value for the argument 'tcp'\n");
651 tcp = (
struct tcphdr *) (pkt + 40);
653 if (pktsz <
UNFIX (ip6->ip6_plen))
658 data_len =
UNFIX (ip6->ip6_plen) - (tcp->th_off * 4);
659 data = (
char *) ((
char *) tcp + tcp->th_off * 4);
662 npkt = g_malloc0 (40 + tcp->th_off * 4 + data_len);
663 bcopy (pkt, npkt,
UNFIX (ip6->ip6_plen) + 40);
665 ip6 = (
struct ip6_hdr *) (npkt);
666 tcp = (
struct tcphdr *) (npkt + 40);
670 (lexic,
"th_sport", ntohs (tcp->th_sport)));
673 (lexic,
"th_dport", ntohs (tcp->th_dport)));
686 bcopy (data, (
char *) tcp + tcp->th_off * 4, data_len);
690 ip6->ip6_plen = tcp->th_off * 4 + data_len;
693 if (tcp->th_sum == 0)
696 char *tcpsumdata = g_malloc0 (
sizeof (
struct v6pseudohdr) + data_len + 1);
698 bzero (&pseudoheader, 38 +
sizeof (
struct tcphdr));
699 memcpy (&pseudoheader.
s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
700 memcpy (&pseudoheader.
d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
702 pseudoheader.
protocol = IPPROTO_TCP;
703 pseudoheader.
length = htons (
sizeof (
struct tcphdr) + data_len);
704 bcopy ((
char *) tcp, (
char *) &pseudoheader.
tcpheader,
705 sizeof (
struct tcphdr));
707 bcopy ((
char *) &pseudoheader, tcpsumdata,
sizeof (
struct v6pseudohdr));
709 bcopy ((
char *) data, tcpsumdata +
sizeof (
struct v6pseudohdr),
712 np_in_cksum ((
unsigned short *) tcpsumdata,
713 38 +
sizeof (
struct tcphdr) + data_len);
719 retc->
size = 40 + (tcp->th_off * 4) + data_len;
740 struct ip6_hdr *ip6 = (
struct ip6_hdr *) pkt;
741 struct tcphdr *tcp = (
struct tcphdr *) (pkt + 40);
749 printf (
"\tth_sport : %d\n", ntohs (tcp->th_sport));
750 printf (
"\tth_dport : %d\n", ntohs (tcp->th_dport));
751 printf (
"\tth_seq : %u\n", (
unsigned int) ntohl (tcp->th_seq));
752 printf (
"\tth_ack : %u\n", (
unsigned int) ntohl (tcp->th_ack));
753 printf (
"\tth_x2 : %d\n", tcp->th_x2);
754 printf (
"\tth_off : %d\n", tcp->th_off);
755 printf (
"\tth_flags : ");
756 if (tcp->th_flags & TH_FIN)
761 if (tcp->th_flags & TH_SYN)
768 if (tcp->th_flags & TH_RST)
775 if (tcp->th_flags & TH_PUSH)
782 if (tcp->th_flags & TH_ACK)
789 if (tcp->th_flags & TH_URG)
799 printf (
" (%d)", tcp->th_flags);
801 printf (
"\tth_win : %d\n", ntohs (tcp->th_win));
802 printf (
"\tth_sum : 0x%x\n", tcp->th_sum);
803 printf (
"\tth_urp : %d\n", tcp->th_urp);
804 printf (
"\tData : ");
805 c = (
char *) ((
char *) tcp +
sizeof (
struct tcphdr));
806 if (
UNFIX (ip6->ip6_plen) >
807 (sizeof (
struct ip6_hdr) +
sizeof (
struct tcphdr)))
809 j <
UNFIX (ip6->ip6_plen) -
sizeof (
struct tcphdr) && j < limit;
811 printf (
"%c", isprint (c[j]) ? c[j] :
'.');
844 struct ip6_hdr *ip6 =
852 struct ip6_hdr *udp_packet;
855 pkt = g_malloc0 (
sizeof (
struct udphdr) + 40 + data_len);
856 udp_packet = (
struct ip6_hdr *) pkt;
857 udp = (
struct udphdr *) (pkt + 40);
860 bcopy ((
char *) ip6, pkt, 40);
866 (lexic,
"uh_ulen", data_len +
sizeof (
struct udphdr)));
868 if (data_len != 0 && data != NULL)
869 bcopy (data, (pkt + 40 +
sizeof (
struct udphdr)), data_len);
878 memcpy (&
pseudohdr.s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
879 memcpy (&
pseudohdr.d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
882 pseudohdr.len = htons (
sizeof (
struct udphdr) + data_len);
883 bcopy ((
char *) udp, (
char *) &
pseudohdr.udpheader,
884 sizeof (
struct udphdr));
888 bcopy ((
char *) data, udpsumdata +
sizeof (
pseudohdr), data_len);
891 np_in_cksum ((
unsigned short *) udpsumdata,
892 38 +
sizeof (
struct udphdr) + data_len);
897 if (
UNFIX (udp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
902 udp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen =
903 FIX (ntohs (udp->uh_ulen));
910 retc->
size = 8 + 40 + data_len;
915 printf (
"Error ! You must supply the 'ip6' argument !\n");
935 struct udphdr *udphdr;
942 if (udp == NULL || element == NULL)
944 printf (
"get_udp_v6_element() usage :\n");
945 printf (
"element = get_udp_v6_element(udp:<udp>,element:<element>\n");
949 if (40 +
sizeof (
struct udphdr) > ipsz)
952 udphdr = (
struct udphdr *) (udp + 40);
953 if (!strcmp (element,
"uh_sport"))
954 ret = ntohs (udphdr->uh_sport);
955 else if (!strcmp (element,
"uh_dport"))
956 ret = ntohs (udphdr->uh_dport);
957 else if (!strcmp (element,
"uh_ulen"))
958 ret = ntohs (udphdr->uh_ulen);
959 else if (!strcmp (element,
"uh_sum"))
960 ret = ntohs (udphdr->uh_sum);
961 else if (!strcmp (element,
"data"))
966 sz = ntohs (udphdr->uh_ulen) -
sizeof (
struct udphdr);
968 if (ntohs (udphdr->uh_ulen) - 40 - sizeof (
struct udphdr) > ipsz)
969 sz = ipsz - 40 -
sizeof (
struct udphdr);
973 bcopy (udp + 40 +
sizeof (
struct udphdr), retc->
x.
str_val, sz);
978 printf (
"%s is not a value of a udp packet\n", element);
999 struct ip6_hdr *ip6 =
1012 if (40 +
sizeof (
struct udphdr) > sz)
1018 sz = 40 +
sizeof (
struct udphdr) + data_len;
1019 pkt = g_malloc0 (sz);
1020 bcopy (ip6, pkt, 40 +
sizeof (
struct udphdr));
1024 pkt = g_malloc0 (sz);
1025 bcopy (ip6, pkt, sz);
1028 ip6 = (
struct ip6_hdr *) pkt;
1031 ip6->ip6_ctlun.ip6_un1.ip6_un1_plen =
FIX (sz - 40);
1033 udp = (
struct udphdr *) (pkt + 40);
1037 (lexic,
"uh_sport", ntohs (udp->uh_sport)));
1040 (lexic,
"uh_dport", ntohs (udp->uh_dport)));
1042 old_len = ntohs (udp->uh_ulen);
1045 (lexic,
"uh_ulen", ntohs (udp->uh_ulen)));
1050 bcopy (data, pkt + 40 +
sizeof (
struct udphdr), data_len);
1051 udp->uh_ulen = htons (
sizeof (
struct udphdr) + data_len);
1057 int len = old_len -
sizeof (
struct udphdr);
1068 ptr = (
char *) udp +
sizeof (
struct udphdr);
1075 pseudohdr.len = htons (
sizeof (
struct udphdr) + data_len);
1076 bcopy ((
char *) udp, (
char *) &
pseudohdr.udpheader,
1077 sizeof (
struct udphdr));
1078 memcpy (&
pseudohdr.s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
1079 memcpy (&
pseudohdr.d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
1083 bcopy ((
char *) ptr, udpsumdata +
sizeof (
pseudohdr), data_len);
1086 np_in_cksum ((
unsigned short *) udpsumdata,
1087 38 +
sizeof (
struct udphdr)
1088 + ((len % 2) ? len + 1 : len));
1089 g_free (udpsumdata);
1098 printf (
"Error ! You must supply the 'udp' argument !\n");
1118 struct udphdr *udp = (
struct udphdr *) (pkt +
sizeof (
struct ip6_hdr));
1122 printf (
"------\n");
1123 printf (
"\tuh_sport : %d\n", ntohs (udp->uh_sport));
1124 printf (
"\tuh_dport : %d\n", ntohs (udp->uh_dport));
1125 printf (
"\tuh_sum : 0x%x\n", udp->uh_sum);
1126 printf (
"\tuh_ulen : %d\n", ntohs (udp->uh_ulen));
1127 printf (
"\tdata : ");
1128 c = (
char *) (udp +
sizeof (
struct udphdr));
1129 if (udp->uh_ulen > sizeof (
struct udphdr))
1131 j < (ntohs (udp->uh_ulen) -
sizeof (
struct udphdr)) && j < limit;
1133 printf (
"%c", isprint (c[j]) ? c[j] :
'.');
1167 struct ip6_hdr *ip6;
1168 struct ip6_hdr *ip6_icmp;
1169 int ip6_sz, size = 0, sz = 0;
1170 struct icmp6_hdr *icmp;
1171 struct nd_router_solicit *routersolicit = NULL;
1172 struct nd_router_advert *routeradvert = NULL;
1173 struct nd_neighbor_solicit *neighborsolicit = NULL;
1174 struct nd_neighbor_advert *neighboradvert = NULL;
1194 pkt = g_malloc0 (ip6_sz + 8 + len);
1195 ip6_icmp = (
struct ip6_hdr *) pkt;
1197 bcopy (ip6, ip6_icmp, ip6_sz);
1198 p = (
char *) (pkt + ip6_sz);
1200 icmp = (
struct icmp6_hdr *) p;
1203 icmp->icmp6_type = t;
1207 case ICMP6_ECHO_REQUEST:
1210 bcopy (data, &(p[8]), len);
1213 size = ip6_sz + 8 + len;
1217 case ND_ROUTER_SOLICIT:
1220 bcopy (data, &(p[8]), len);
1221 routersolicit = g_malloc0 (
sizeof (
struct nd_router_solicit));
1223 g_realloc (pkt, ip6_sz +
sizeof (
struct nd_router_solicit) + len);
1224 ip6_icmp = (
struct ip6_hdr *) pkt;
1225 p = (
char *) (pkt + ip6_sz);
1226 struct icmp6_hdr *rs = &routersolicit->nd_rs_hdr;
1227 routersolicit = (
struct nd_router_solicit *) p;
1228 rs->icmp6_type = icmp->icmp6_type;
1229 rs->icmp6_code = icmp->icmp6_code;
1230 rs->icmp6_cksum = icmp->icmp6_cksum;
1231 size = ip6_sz +
sizeof (
struct nd_router_solicit) + len;
1235 case ND_ROUTER_ADVERT:
1238 bcopy (data, &(p[8]), len);
1239 routeradvert = g_malloc0 (
sizeof (
struct nd_router_advert));
1241 pkt = g_realloc (pkt, ip6_sz +
sizeof (
struct nd_router_advert) - 8 + len);
1242 ip6_icmp = (
struct ip6_hdr *) pkt;
1243 p = (
char *) (pkt + ip6_sz);
1244 struct icmp6_hdr *ra = &routeradvert->nd_ra_hdr;
1245 routeradvert = (
struct nd_router_advert *) p;
1246 ra->icmp6_type = icmp->icmp6_type;
1247 ra->icmp6_code = icmp->icmp6_code;
1248 ra->icmp6_cksum = icmp->icmp6_cksum;
1249 routeradvert->nd_ra_reachable =
1251 routeradvert->nd_ra_retransmit =
1253 routeradvert->nd_ra_curhoplimit = ip6_icmp->ip6_hlim;
1254 routeradvert->nd_ra_flags_reserved =
1256 size = ip6_sz +
sizeof (
struct nd_router_advert) - 8 + len;
1260 case ND_NEIGHBOR_SOLICIT:
1262 neighborsolicit = g_malloc0 (
sizeof (
struct nd_neighbor_solicit));
1264 g_realloc (pkt, ip6_sz +
sizeof (
struct nd_neighbor_solicit) + len);
1265 ip6_icmp = (
struct ip6_hdr *) pkt;
1266 p = (
char *) (pkt + ip6_sz);
1267 struct icmp6_hdr *ns = &neighborsolicit->nd_ns_hdr;
1268 neighborsolicit = (
struct nd_neighbor_solicit *) p;
1270 bcopy (data, &(p[24]), len);
1271 ns->icmp6_type = icmp->icmp6_type;
1272 ns->icmp6_code = icmp->icmp6_code;
1273 ns->icmp6_cksum = icmp->icmp6_cksum;
1274 memcpy (&neighborsolicit->nd_ns_target, &ip6_icmp->ip6_dst, sizeof (
struct in6_addr));
1275 size = ip6_sz +
sizeof (
struct nd_neighbor_solicit) + len;
1279 case ND_NEIGHBOR_ADVERT:
1281 neighboradvert = g_malloc0 (
sizeof (
struct nd_neighbor_advert));
1283 g_realloc (pkt, ip6_sz +
sizeof (
struct nd_neighbor_advert) + len);
1284 ip6_icmp = (
struct ip6_hdr *) pkt;
1285 p = (
char *) (pkt + 40);
1286 struct icmp6_hdr *na = &neighboradvert->nd_na_hdr;
1287 neighboradvert = (
struct nd_neighbor_advert *) p;
1288 na->icmp6_type = icmp->icmp6_type;
1289 na->icmp6_code = icmp->icmp6_code;
1290 na->icmp6_cksum = icmp->icmp6_cksum;
1291 neighboradvert->nd_na_flags_reserved =
1293 if (neighboradvert->nd_na_flags_reserved & 0x00000020)
1294 memcpy (&neighboradvert->nd_na_target, &ip6_icmp->ip6_src, sizeof (
struct in6_addr));
1298 inet_pton (AF_INET6,
1300 &neighboradvert->nd_na_target);
1304 "forge_icmp_v6_packet: missing 'target' parameter required for constructing response to a Neighbor Solicitation\n");
1309 size = ip6_sz +
sizeof (
struct nd_neighbor_advert) + len;
1315 nasl_perror (lexic,
"forge_icmp_v6_packet: unknown type\n");
1319 if (
UNFIX (ip6_icmp->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
1323 ip6_icmp->ip6_ctlun.ip6_un1.ip6_un1_plen =
FIX (size - ip6_sz);
1333 memcpy (&
pseudohdr.s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
1334 memcpy (&
pseudohdr.d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
1338 bcopy ((
char *) icmp, (
char *) &
pseudohdr.icmpheader, sz);
1341 bcopy ((
char *) data, icmpsumdata +
sizeof (
pseudohdr),
len);
1343 np_in_cksum ((
unsigned short *) icmpsumdata, size);
1344 g_free (icmpsumdata);
1351 case ICMP6_ECHO_REQUEST:
1353 case ND_ROUTER_SOLICIT:
1355 routersolicit->nd_rs_hdr.icmp6_cksum = icmp->icmp6_cksum;
1358 case ND_ROUTER_ADVERT:
1360 routeradvert->nd_ra_hdr.icmp6_cksum = icmp->icmp6_cksum;
1363 case ND_NEIGHBOR_SOLICIT:
1365 neighborsolicit->nd_ns_hdr.icmp6_cksum = icmp->icmp6_cksum;
1368 case ND_NEIGHBOR_ADVERT:
1370 neighboradvert->nd_na_hdr.icmp6_cksum = icmp->icmp6_cksum;
1382 nasl_perror (lexic,
"forge_icmp_v6_packet: missing 'ip6' parameter\n");
1398 struct icmp6_hdr *icmp;
1408 icmp = (
struct icmp6_hdr *) (p + 40);
1413 else if (!strcmp (elem,
"icmp_code"))
1414 value = icmp->icmp6_code;
1415 else if (!strcmp (elem,
"icmp_type"))
1416 value = icmp->icmp6_type;
1417 else if (!strcmp (elem,
"icmp_cksum"))
1418 value = ntohs (icmp->icmp6_cksum);
1419 else if (!strcmp (elem,
"icmp_id"))
1420 value = ntohs (icmp->icmp6_id);
1421 else if (!strcmp (elem,
"icmp_seq"))
1422 value = ntohs (icmp->icmp6_seq);
1423 else if (!strcmp (elem,
"data"))
1429 retc->
x.
str_val = g_memdup (&(p[40 + 8]), retc->
size + 1);
1474 struct ip6_hdr *ip6 =
1481 u_char *pkt = g_malloc0 (
sizeof (
struct igmp6_hdr) + 40 + len);
1482 struct ip6_hdr *ip6_igmp = (
struct ip6_hdr *) pkt;
1489 bcopy (ip6, ip6_igmp, ipsz);
1492 if (
UNFIX (ip6_igmp->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
1497 ip6_igmp->ip6_ctlun.ip6_un1.ip6_un1_plen =
1501 p = (
char *) (pkt + 40);
1510 inet_pton (AF_INET6, grp, &
igmp->
group);
1516 char *p = (
char *) (pkt + 40 +
sizeof (
struct igmp6_hdr));
1517 bcopy (p, data, len);
1542 u_char packet[
sizeof (
struct ip6_hdr) + sizeof (struct tcphdr)];
1544 struct ip6_hdr *ip = (
struct ip6_hdr *) packet;
1545 struct tcphdr *tcp = (
struct tcphdr *) (packet +
sizeof (
struct ip6_hdr));
1548 struct in6_addr src;
1549 struct sockaddr_in6 soca;
1559 #define rnd_tcp_port() (rand() % 65535 + 1024) 1561 { 0, 0, 0, 0, 0, 1023, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 53, 0, 0,
1562 20, 0, 25, 0, 0, 0 };
1564 { 139, 135, 445, 80, 22, 515, 23, 21, 6000, 1025, 25, 111, 1028, 9100, 1029,
1565 79, 497, 548, 5000, 1917, 53, 161, 9001, 65535, 443, 113, 993, 8080, 0 };
1567 char addr[INET6_ADDRSTRLEN];
1569 if (dst == NULL || (IN6_IS_ADDR_V4MAPPED (dst) == 1))
1572 for (i = 0; i <
sizeof (sports) /
sizeof (
int); i++)
1578 for (i = 0; ports[i]; i++)
1581 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_RAW);
1585 if (setsockopt (soc, IPPROTO_IPV6, IP_HDRINCL, (
char *) &opt,
sizeof (opt)) <
1587 perror (
"setsockopt");
1596 bzero (&src,
sizeof (src));
1600 snprintf (filter,
sizeof (filter),
"ip6 and src host %s", inet_ntop (AF_INET6, dst, addr,
sizeof (addr)));
1607 for (i = 0; i <
sizeof (sports) /
sizeof (
int) && !flag; i++)
1609 bzero (packet,
sizeof (packet));
1611 int version = 0x60, tc = 0, fl = 0;
1612 ip->ip6_ctlun.ip6_un1.ip6_un1_flow = version | tc | fl;
1613 ip->ip6_nxt = 0x06, ip->ip6_hlim = 0x40, ip->ip6_src = src;
1615 ip->ip6_ctlun.ip6_un1.ip6_un1_plen =
FIX (
sizeof (
struct tcphdr));
1619 port ? htons (
rnd_tcp_port ()) : htons (sports[i % num_ports]);
1620 tcp->th_flags = TH_SYN;
1621 tcp->th_dport = port ? htons (port) : htons (ports[i % num_ports]);
1622 tcp->th_seq = rand ();
1626 tcp->th_win = htons (512);
1634 bzero (&pseudoheader, 38 +
sizeof (
struct tcphdr));
1635 memcpy (&pseudoheader.
s6addr, &ip->ip6_src,
1636 sizeof (
struct in6_addr));
1637 memcpy (&pseudoheader.
d6addr, &ip->ip6_dst,
1638 sizeof (
struct in6_addr));
1640 pseudoheader.
protocol = IPPROTO_TCP;
1641 pseudoheader.
length = htons (
sizeof (
struct tcphdr));
1642 bcopy ((
char *) tcp, (
char *) &pseudoheader.
tcpheader,
1643 sizeof (
struct tcphdr));
1645 np_in_cksum ((
unsigned short *) &pseudoheader,
1646 38 +
sizeof (
struct tcphdr));
1649 bzero (&soca,
sizeof (soca));
1650 soca.sin6_family = AF_INET6;
1651 soca.sin6_addr = ip->ip6_dst;
1652 sendto (soc, (
const void *) ip,
1653 sizeof (
struct tcphdr) +
sizeof (
struct ip6_hdr), 0,
1654 (
struct sockaddr *) &soca,
sizeof (
struct sockaddr_in6));
1656 tv.tv_usec = 100000;
1685 struct sockaddr_in6 sockaddr;
1687 struct ip6_hdr *sip = NULL;
1688 int vi = 0, b = 0, len = 0;
1697 char name[INET6_ADDRSTRLEN];
1699 if (dstip == NULL || (IN6_IS_ADDR_V4MAPPED (dstip) == 1))
1701 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_RAW);
1706 (soc, IPPROTO_IPV6, IP_HDRINCL, (
char *) &offset,
sizeof (offset)) < 0)
1707 perror (
"setsockopt");
1713 if (sz <
sizeof (
struct ip6_hdr))
1715 nasl_perror (lexic,
"send_packet(): packet is too short!\n");
1719 sip = (
struct ip6_hdr *) ip;
1720 if (use_pcap != 0 && bpf < 0)
1723 bzero (&sockaddr,
sizeof (
struct sockaddr_in6));
1724 sockaddr.sin6_family = AF_INET6;
1725 sockaddr.sin6_addr = sip->ip6_dst;
1726 if (dstip != NULL && !IN6_ARE_ADDR_EQUAL (&sockaddr.sin6_addr, dstip))
1728 char txt1[64], txt2[64];
1730 inet_ntop (AF_INET6, &sockaddr.sin6_addr,
name,
1731 INET6_ADDRSTRLEN), sizeof (txt1));
1732 txt1[
sizeof (txt1) - 1] =
'\0';
1733 strncpy (txt2, inet_ntop (AF_INET6, dstip,
name, INET6_ADDRSTRLEN),
1735 txt2[
sizeof (txt2) - 1] =
'\0';
1737 "send_packet: malicious or buggy script is trying to send packet to %s instead of designated target %s\n",
1745 if (dfl_len > 0 && dfl_len < sz)
1751 sendto (soc, (u_char *) ip, len, 0, (
struct sockaddr *) &sockaddr,
1752 sizeof (
struct sockaddr_in6));
1754 if (b >= 0 && use_pcap != 0 && bpf >= 0)
1759 while (answer != NULL
1761 (!memcmp (answer, (
char *) ip,
sizeof (
struct ip6_hdr))))
1777 retc->
size = answer_sz;
int v6_islocalhost(struct in6_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface...
tree_cell * set_udp_v6_elements(lex_ctxt *lexic)
tree_cell * forge_igmp_v6_packet(lex_ctxt *lexic)
tree_cell * get_ipv6_element(lex_ctxt *lexic)
Obtain IPv6 header element.
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
tree_cell * get_tcp_v6_element(lex_ctxt *lexic)
Get TCP Header element.
tree_cell * set_tcp_v6_elements(lex_ctxt *lexic)
Set TCP Header element.
tree_cell * insert_ipv6_options(lex_ctxt *lexic)
tree_cell * nasl_send_v6packet(lex_ctxt *lexic)
Send forged IPv6 Packet.
tree_cell * forge_tcp_v6_packet(lex_ctxt *lexic)
Forge TCP packet.
struct icmp6_hdr icmpheader
long int get_int_local_var_by_name(lex_ctxt *, const char *, int)
tree_cell * get_icmp_v6_element(lex_ctxt *lexic)
int get_local_var_size_by_name(lex_ctxt *, const char *)
char * get_str_local_var_by_name(lex_ctxt *, const char *)
tree_cell * forge_udp_v6_packet(lex_ctxt *lexic)
tree_cell * set_ipv6_elements(lex_ctxt *lexic)
Set IPv6 header element.
int get_var_size_by_num(lex_ctxt *, int)
struct in6_addr * plug_get_host_ip(struct arglist *desc)
tree_cell * forge_ipv6_packet(lex_ctxt *lexic)
Forge IPv6 packet.
tree_cell * get_udp_v6_element(lex_ctxt *lexic)
void nasl_perror(lex_ctxt *lexic, char *msg,...)
char * get_str_var_by_num(lex_ctxt *, int)
tree_cell * nasl_tcp_v6_ping(lex_ctxt *lexic)
Performs TCP Connect to test if host is alive.
struct timeval timeval(unsigned long val)
tree_cell * dump_ipv6_packet(lex_ctxt *lexic)
Print IPv6 Header.
int init_v6_capture_device(struct in6_addr src, struct in6_addr dst, char *filter)
tree_cell * alloc_tree_cell(int lnb, char *s)
struct ip6_hdr * capture_next_v6_packet(int bpf, int timeout, int *sz)
unsigned int plug_get_host_open_port(struct arglist *desc)
tree_cell * forge_icmp_v6_packet(lex_ctxt *lexic)
struct arglist * script_infos
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
tree_cell * dump_tcp_v6_packet(lex_ctxt *lexic)
Print TCP/IPv6 packet.
int get_var_size_by_name(lex_ctxt *, const char *)
tree_cell * dump_udp_v6_packet(lex_ctxt *lexic)