39 #include <arpa/inet.h>
44 #include <sys/param.h>
48 #include <netinet/in.h>
51 #include "../misc/bpf_share.h"
52 #include "../misc/pcap_openvas.h"
53 #include "../misc/plugutils.h"
66 #include <netinet/icmp6.h>
70 #ifdef BSD_BYTE_ORDERING
74 #define FIX(n) htons (n)
75 #define UNFIX(n) ntohs (n)
87 register u_short answer = 0;
88 register long sum = 0;
100 *(u_char *) (&odd_byte) = *(u_char *) p;
104 sum = (sum >> 16) + (sum & 0xffff);
125 struct in6_addr *dst_addr;
134 if (dst_addr == NULL || (IN6_IS_ADDR_V4MAPPED (dst_addr) == 1))
141 retc->
size =
sizeof (
struct ip6_hdr) + data_len;
143 pkt = (
struct ip6_hdr *) g_malloc0 (
sizeof (
struct ip6_hdr) + data_len);
150 pkt->ip6_ctlun.ip6_un1.ip6_un1_flow = version | tc | fl;
152 pkt->ip6_plen =
FIX (data_len);
159 inet_pton (AF_INET6, s, &pkt->ip6_src);
164 inet_pton (AF_INET6, s, &pkt->ip6_dst);
166 pkt->ip6_dst = *dst_addr;
170 bcopy (data, retc->
x.
str_val + sizeof (
struct ip6_hdr), data_len);
193 char ret_ascii[INET6_ADDRSTRLEN];
199 nasl_perror (lexic,
"get_ipv6_element : no valid 'ip' argument!\n");
205 nasl_perror (lexic,
"get_ipv6_element : no valid 'element' argument!\n");
209 if (!strcmp (element,
"ip6_v"))
211 ret_int = (ip6->ip6_flow & 0x3ffff);
214 else if (!strcmp (element,
"ip6_tc"))
216 ret_int = (ip6->ip6_flow >> 20) & 0xff;
219 else if (!strcmp (element,
"ip6_fl"))
221 ret_int = ip6->ip6_flow >> 28;
224 else if (!strcmp (element,
"ip6_plen"))
226 ret_int = (ip6->ip6_plen);
229 else if (!strcmp (element,
"ip6_nxt"))
231 ret_int = (ip6->ip6_nxt);
234 else if (!strcmp (element,
"ip6_hlim"))
236 ret_int = (ip6->ip6_hlim);
247 if (!strcmp (element,
"ip6_src"))
249 inet_ntop (AF_INET6, &ip6->ip6_src, ret_ascii, sizeof (ret_ascii));
252 else if (!strcmp (element,
"ip6_dst"))
254 inet_ntop (AF_INET6, &ip6->ip6_dst, ret_ascii, sizeof (ret_ascii));
260 printf (
"%s : unknown element\n", element);
265 retc->
size = strlen (ret_ascii);
266 retc->
x.
str_val = g_strdup (ret_ascii);
289 nasl_perror (lexic,
"set_ip_elements: missing <ip> field\n");
293 pkt = (
struct ip6_hdr *) g_malloc0 (size);
294 bcopy (o_pkt, pkt, size);
302 inet_pton (AF_INET6, s, &pkt->ip6_src);
322 char addr[INET6_ADDRSTRLEN];
333 printf (
"\tip6_v : %d\n", ip6->ip6_flow >> 28);
334 printf (
"\tip6_tc: %d\n", (ip6->ip6_flow >> 20) & 0xff);
335 printf (
"\tip6_fl: %d\n", (ip6->ip6_flow) & 0x3ffff);
336 printf (
"\tip6_plen: %d\n",
UNFIX (ip6->ip6_plen));
337 printf (
"\tip6_nxt : %d\n", ntohs (ip6->ip6_nxt));
338 printf (
"\tip6_hlim : %d\n", ntohs (ip6->ip6_hlim));
339 switch (ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt)
342 printf (
"\tip6_nxt : IPPROTO_TCP (%d)\n", ip6->ip6_nxt);
345 printf (
"\tip6_nxt : IPPROTO_UDP (%d)\n", ip6->ip6_nxt);
348 printf (
"\tip6_nxt : IPPROTO_ICMP (%d)\n", ip6->ip6_nxt);
351 printf (
"\tip6_nxt : %d\n", ip6->ip6_nxt);
354 printf (
"\tip6_src: %s\n",
355 inet_ntop (AF_INET6, &ip6->ip6_src, addr, sizeof (addr)));
356 printf (
"\tip6_dst: %s\n",
357 inet_ntop (AF_INET6, &ip6->ip6_dst, addr, sizeof (addr)));
374 struct ip6_hdr *new_packet;
377 u_char uc_code, uc_len;
385 nasl_perror (lexic,
"Usage : insert_ipv6_options(ip6:<ip6>, code:<code>, "
386 "length:<len>, value:<value>\n");
390 pad_len = 4 - ((
sizeof (uc_code) +
sizeof (uc_len) + value_size) % 4);
394 pl = 40 <
UNFIX (ip6->ip6_plen) ? 40 :
UNFIX (ip6->ip6_plen);
395 new_packet = g_malloc0 (size + 4 + value_size + pad_len);
396 bcopy (ip6, new_packet, pl);
398 uc_code = (u_char)
code;
399 uc_len = (u_char) len;
401 p = (
char *) new_packet;
402 bcopy (&uc_code, p + pl,
sizeof (uc_code));
403 bcopy (&uc_len, p + pl +
sizeof (uc_code),
sizeof (uc_len));
404 bcopy (value, p + pl +
sizeof (uc_code) +
sizeof (uc_len), value_size);
407 for (i = 0; i < pad_len; i++)
410 p + pl +
sizeof (uc_code) +
sizeof (uc_len) + value_size + i, 1);
416 + (
sizeof (uc_code) +
sizeof (uc_len) + value_size + pad_len) + pl,
419 new_packet->ip6_plen =
420 FIX (size +
sizeof (uc_code) +
sizeof (uc_len) + value_size + pad_len);
423 retc->
size = size + value_size +
sizeof (uc_code) +
sizeof (uc_len) + pad_len;
424 retc->
x.
str_val = (
char *) new_packet;
456 struct ip6_hdr *ip6, *tcp_packet;
464 "forge_tcp_packet : You must supply the 'ip' argument !");
479 (
struct ip6_hdr *) g_malloc0 (ipsz +
sizeof (
struct tcphdr) + len);
480 retc->
x.
str_val = (
char *) tcp_packet;
482 bcopy (ip6, tcp_packet, ipsz);
484 tcp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen =
485 FIX (
sizeof (
struct tcphdr) + len);
486 tcp = (
struct tcphdr *) ((
char *) tcp_packet + 40);
500 bcopy (data, (
char *) tcp +
sizeof (
struct tcphdr), len);
505 char *tcpsumdata = g_malloc0 (
sizeof (
struct v6pseudohdr) + len + 1);
507 bzero (&pseudoheader, 38 +
sizeof (
struct tcphdr));
508 memcpy (&pseudoheader.
s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
509 memcpy (&pseudoheader.
d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
511 pseudoheader.
protocol = IPPROTO_TCP;
512 pseudoheader.
length = htons (
sizeof (
struct tcphdr) + len);
513 bcopy ((
char *) tcp, (
char *) &pseudoheader.
tcpheader,
514 sizeof (
struct tcphdr));
516 bcopy ((
char *) &pseudoheader, tcpsumdata,
sizeof (
struct v6pseudohdr));
518 bcopy ((
char *) data, tcpsumdata +
sizeof (
struct v6pseudohdr), len);
519 tcp->th_sum =
np_in_cksum ((
unsigned short *) tcpsumdata,
520 38 +
sizeof (
struct tcphdr) + len);
524 retc->
size = ipsz +
sizeof (
struct tcphdr) + len;
551 "get_tcp_element : Error ! No valid 'tcp' argument !\n");
555 ip6 = (
struct ip6_hdr *) packet;
558 if (
UNFIX (ip6->ip6_plen) > ipsz)
561 tcp = (
struct tcphdr *) (packet + 40);
567 "get_tcp_element : Error ! No valid 'element' argument !\n");
571 if (!strcmp (element,
"th_sport"))
572 ret = ntohs (tcp->th_sport);
573 else if (!strcmp (element,
"th_dsport"))
574 ret = ntohs (tcp->th_dport);
575 else if (!strcmp (element,
"th_seq"))
576 ret = ntohl (tcp->th_seq);
577 else if (!strcmp (element,
"th_ack"))
578 ret = ntohl (tcp->th_ack);
579 else if (!strcmp (element,
"th_x2"))
581 else if (!strcmp (element,
"th_off"))
583 else if (!strcmp (element,
"th_flags"))
585 else if (!strcmp (element,
"th_win"))
586 ret = ntohs (tcp->th_win);
587 else if (!strcmp (element,
"th_sum"))
589 else if (!strcmp (element,
"th_urp"))
591 else if (!strcmp (element,
"data"))
594 retc->
size =
UNFIX (ip6->ip6_plen) - tcp->th_off * 4;
595 if (retc->
size <= 0 || retc->
size > ipsz - 40 - tcp->th_off * 4)
602 bcopy ((
char *) tcp + tcp->th_off * 4, retc->
x.
str_val, retc->
size);
607 nasl_perror (lexic,
"Unknown tcp field %s\n", element);
627 struct ip6_hdr *ip6 = (
struct ip6_hdr *) pkt;
638 "set_tcp_elements : Invalid value for the argument 'tcp'\n");
642 tcp = (
struct tcphdr *) (pkt + 40);
644 if (pktsz <
UNFIX (ip6->ip6_plen))
649 data_len =
UNFIX (ip6->ip6_plen) - (tcp->th_off * 4);
650 data = (
char *) ((
char *) tcp + tcp->th_off * 4);
653 npkt = g_malloc0 (40 + tcp->th_off * 4 + data_len);
654 bcopy (pkt, npkt,
UNFIX (ip6->ip6_plen) + 40);
656 ip6 = (
struct ip6_hdr *) (npkt);
657 tcp = (
struct tcphdr *) (npkt + 40);
675 bcopy (data, (
char *) tcp + tcp->th_off * 4, data_len);
679 ip6->ip6_plen = tcp->th_off * 4 + data_len;
682 if (tcp->th_sum == 0)
685 char *tcpsumdata = g_malloc0 (
sizeof (
struct v6pseudohdr) + data_len + 1);
687 bzero (&pseudoheader, 38 +
sizeof (
struct tcphdr));
688 memcpy (&pseudoheader.
s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
689 memcpy (&pseudoheader.
d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
691 pseudoheader.
protocol = IPPROTO_TCP;
692 pseudoheader.
length = htons (
sizeof (
struct tcphdr) + data_len);
693 bcopy ((
char *) tcp, (
char *) &pseudoheader.
tcpheader,
694 sizeof (
struct tcphdr));
696 bcopy ((
char *) &pseudoheader, tcpsumdata,
sizeof (
struct v6pseudohdr));
698 bcopy ((
char *) data, tcpsumdata +
sizeof (
struct v6pseudohdr),
700 tcp->th_sum =
np_in_cksum ((
unsigned short *) tcpsumdata,
701 38 +
sizeof (
struct tcphdr) + data_len);
706 retc->
size = 40 + (tcp->th_off * 4) + data_len;
727 struct ip6_hdr *ip6 = (
struct ip6_hdr *) pkt;
728 struct tcphdr *tcp = (
struct tcphdr *) (pkt + 40);
736 printf (
"\tth_sport : %d\n", ntohs (tcp->th_sport));
737 printf (
"\tth_dport : %d\n", ntohs (tcp->th_dport));
738 printf (
"\tth_seq : %u\n", (
unsigned int) ntohl (tcp->th_seq));
739 printf (
"\tth_ack : %u\n", (
unsigned int) ntohl (tcp->th_ack));
740 printf (
"\tth_x2 : %d\n", tcp->th_x2);
741 printf (
"\tth_off : %d\n", tcp->th_off);
742 printf (
"\tth_flags : ");
743 if (tcp->th_flags & TH_FIN)
748 if (tcp->th_flags & TH_SYN)
755 if (tcp->th_flags & TH_RST)
762 if (tcp->th_flags & TH_PUSH)
769 if (tcp->th_flags & TH_ACK)
776 if (tcp->th_flags & TH_URG)
786 printf (
" (%d)", tcp->th_flags);
788 printf (
"\tth_win : %d\n", ntohs (tcp->th_win));
789 printf (
"\tth_sum : 0x%x\n", tcp->th_sum);
790 printf (
"\tth_urp : %d\n", tcp->th_urp);
791 printf (
"\tData : ");
792 c = (
char *) ((
char *) tcp +
sizeof (
struct tcphdr));
793 if (
UNFIX (ip6->ip6_plen)
794 > (sizeof (
struct ip6_hdr) +
sizeof (
struct tcphdr)))
796 j <
UNFIX (ip6->ip6_plen) -
sizeof (
struct tcphdr) && j < limit;
798 printf (
"%c", isprint (c[j]) ? c[j] :
'.');
837 struct ip6_hdr *udp_packet;
840 pkt = g_malloc0 (
sizeof (
struct udphdr) + 40 + data_len);
841 udp_packet = (
struct ip6_hdr *) pkt;
842 udp = (
struct udphdr *) (pkt + 40);
845 bcopy ((
char *) ip6, pkt, 40);
850 lexic,
"uh_ulen", data_len +
sizeof (
struct udphdr)));
852 if (data_len != 0 && data != NULL)
853 bcopy (data, (pkt + 40 +
sizeof (
struct udphdr)), data_len);
862 memcpy (&
pseudohdr.s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
863 memcpy (&
pseudohdr.d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
866 pseudohdr.len = htons (
sizeof (
struct udphdr) + data_len);
867 bcopy ((
char *) udp, (
char *) &
pseudohdr.udpheader,
868 sizeof (
struct udphdr));
872 bcopy ((
char *) data, udpsumdata +
sizeof (
pseudohdr), data_len);
874 udp->uh_sum =
np_in_cksum ((
unsigned short *) udpsumdata,
875 38 +
sizeof (
struct udphdr) + data_len);
879 if (
UNFIX (udp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
884 udp_packet->ip6_ctlun.ip6_un1.ip6_un1_plen =
885 FIX (ntohs (udp->uh_ulen));
891 retc->
size = 8 + 40 + data_len;
896 printf (
"Error ! You must supply the 'ip6' argument !\n");
915 struct udphdr *udphdr;
922 if (udp == NULL || element == NULL)
924 printf (
"get_udp_v6_element() usage :\n");
925 printf (
"element = get_udp_v6_element(udp:<udp>,element:<element>\n");
929 if (40 +
sizeof (
struct udphdr) > ipsz)
932 udphdr = (
struct udphdr *) (udp + 40);
933 if (!strcmp (element,
"uh_sport"))
934 ret = ntohs (udphdr->uh_sport);
935 else if (!strcmp (element,
"uh_dport"))
936 ret = ntohs (udphdr->uh_dport);
937 else if (!strcmp (element,
"uh_ulen"))
938 ret = ntohs (udphdr->uh_ulen);
939 else if (!strcmp (element,
"uh_sum"))
940 ret = ntohs (udphdr->uh_sum);
941 else if (!strcmp (element,
"data"))
945 sz = ntohs (udphdr->uh_ulen) -
sizeof (
struct udphdr);
947 if (ntohs (udphdr->uh_ulen) - 40 - sizeof (
struct udphdr) > ipsz)
948 sz = ipsz - 40 -
sizeof (
struct udphdr);
952 bcopy (udp + 40 +
sizeof (
struct udphdr), retc->
x.
str_val, sz);
957 printf (
"%s is not a value of a udp packet\n", element);
988 if (40 +
sizeof (
struct udphdr) > sz)
994 sz = 40 +
sizeof (
struct udphdr) + data_len;
995 pkt = g_malloc0 (sz);
996 bcopy (ip6, pkt, 40 +
sizeof (
struct udphdr));
1000 pkt = g_malloc0 (sz);
1001 bcopy (ip6, pkt, sz);
1004 ip6 = (
struct ip6_hdr *) pkt;
1007 ip6->ip6_ctlun.ip6_un1.ip6_un1_plen =
FIX (sz - 40);
1009 udp = (
struct udphdr *) (pkt + 40);
1016 old_len = ntohs (udp->uh_ulen);
1023 bcopy (data, pkt + 40 +
sizeof (
struct udphdr), data_len);
1024 udp->uh_ulen = htons (
sizeof (
struct udphdr) + data_len);
1030 int len = old_len -
sizeof (
struct udphdr);
1041 ptr = (
char *) udp +
sizeof (
struct udphdr);
1048 pseudohdr.len = htons (
sizeof (
struct udphdr) + data_len);
1049 bcopy ((
char *) udp, (
char *) &
pseudohdr.udpheader,
1050 sizeof (
struct udphdr));
1051 memcpy (&
pseudohdr.s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
1052 memcpy (&
pseudohdr.d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
1056 bcopy ((
char *) ptr, udpsumdata +
sizeof (
pseudohdr), data_len);
1058 udp->uh_sum =
np_in_cksum ((
unsigned short *) udpsumdata,
1059 38 +
sizeof (
struct udphdr)
1060 + ((len % 2) ? len + 1 : len));
1061 g_free (udpsumdata);
1069 printf (
"Error ! You must supply the 'udp' argument !\n");
1088 struct udphdr *udp = (
struct udphdr *) (pkt +
sizeof (
struct ip6_hdr));
1092 printf (
"------\n");
1093 printf (
"\tuh_sport : %d\n", ntohs (udp->uh_sport));
1094 printf (
"\tuh_dport : %d\n", ntohs (udp->uh_dport));
1095 printf (
"\tuh_sum : 0x%x\n", udp->uh_sum);
1096 printf (
"\tuh_ulen : %d\n", ntohs (udp->uh_ulen));
1097 printf (
"\tdata : ");
1099 if (udp->uh_ulen > sizeof (
struct udphdr))
1100 for (j =
sizeof (
struct udphdr); j < ntohs (udp->uh_ulen) && j < limit;
1102 printf (
"%c", isprint (c[j]) ? c[j] :
'.');
1134 struct ip6_hdr *ip6;
1135 struct ip6_hdr *ip6_icmp;
1136 int ip6_sz, size = 0, sz = 0;
1137 struct icmp6_hdr *icmp;
1138 struct nd_router_solicit *routersolicit = NULL;
1139 struct nd_router_advert *routeradvert = NULL;
1140 struct nd_neighbor_solicit *neighborsolicit = NULL;
1141 struct nd_neighbor_advert *neighboradvert = NULL;
1160 pkt = g_malloc0 (ip6_sz + 8 + len);
1161 ip6_icmp = (
struct ip6_hdr *) pkt;
1163 bcopy (ip6, ip6_icmp, ip6_sz);
1164 p = (
char *) (pkt + ip6_sz);
1166 icmp = (
struct icmp6_hdr *) p;
1169 icmp->icmp6_type = t;
1173 case ICMP6_ECHO_REQUEST:
1176 bcopy (data, &(p[8]), len);
1179 size = ip6_sz + 8 + len;
1183 case ND_ROUTER_SOLICIT:
1186 bcopy (data, &(p[8]), len);
1187 routersolicit = g_malloc0 (
sizeof (
struct nd_router_solicit));
1189 g_realloc (pkt, ip6_sz +
sizeof (
struct nd_router_solicit) + len);
1190 ip6_icmp = (
struct ip6_hdr *) pkt;
1191 p = (
char *) (pkt + ip6_sz);
1192 struct icmp6_hdr *rs = &routersolicit->nd_rs_hdr;
1193 routersolicit = (
struct nd_router_solicit *) p;
1194 rs->icmp6_type = icmp->icmp6_type;
1195 rs->icmp6_code = icmp->icmp6_code;
1196 rs->icmp6_cksum = icmp->icmp6_cksum;
1197 size = ip6_sz +
sizeof (
struct nd_router_solicit) + len;
1201 case ND_ROUTER_ADVERT:
1204 bcopy (data, &(p[8]), len);
1205 routeradvert = g_malloc0 (
sizeof (
struct nd_router_advert));
1209 ip6_sz +
sizeof (
struct nd_router_advert) - 8
1211 ip6_icmp = (
struct ip6_hdr *) pkt;
1212 p = (
char *) (pkt + ip6_sz);
1213 struct icmp6_hdr *ra = &routeradvert->nd_ra_hdr;
1214 routeradvert = (
struct nd_router_advert *) p;
1215 ra->icmp6_type = icmp->icmp6_type;
1216 ra->icmp6_code = icmp->icmp6_code;
1217 ra->icmp6_cksum = icmp->icmp6_cksum;
1218 routeradvert->nd_ra_reachable =
1220 routeradvert->nd_ra_retransmit =
1222 routeradvert->nd_ra_curhoplimit = ip6_icmp->ip6_hlim;
1223 routeradvert->nd_ra_flags_reserved =
1225 size = ip6_sz +
sizeof (
struct nd_router_advert) - 8
1231 case ND_NEIGHBOR_SOLICIT:
1233 neighborsolicit = g_malloc0 (
sizeof (
struct nd_neighbor_solicit));
1234 pkt = g_realloc (pkt, ip6_sz +
sizeof (
struct nd_neighbor_solicit)
1236 ip6_icmp = (
struct ip6_hdr *) pkt;
1237 p = (
char *) (pkt + ip6_sz);
1238 struct icmp6_hdr *ns = &neighborsolicit->nd_ns_hdr;
1239 neighborsolicit = (
struct nd_neighbor_solicit *) p;
1241 bcopy (data, &(p[24]), len);
1242 ns->icmp6_type = icmp->icmp6_type;
1243 ns->icmp6_code = icmp->icmp6_code;
1244 ns->icmp6_cksum = icmp->icmp6_cksum;
1245 memcpy (&neighborsolicit->nd_ns_target, &ip6_icmp->ip6_dst,
1246 sizeof (
struct in6_addr));
1247 size = ip6_sz +
sizeof (
struct nd_neighbor_solicit) + len;
1251 case ND_NEIGHBOR_ADVERT:
1253 neighboradvert = g_malloc0 (
sizeof (
struct nd_neighbor_advert));
1254 pkt = g_realloc (pkt,
1255 ip6_sz +
sizeof (
struct nd_neighbor_advert) + len);
1256 ip6_icmp = (
struct ip6_hdr *) pkt;
1257 p = (
char *) (pkt + 40);
1258 struct icmp6_hdr *na = &neighboradvert->nd_na_hdr;
1259 neighboradvert = (
struct nd_neighbor_advert *) p;
1260 na->icmp6_type = icmp->icmp6_type;
1261 na->icmp6_code = icmp->icmp6_code;
1262 na->icmp6_cksum = icmp->icmp6_cksum;
1263 neighboradvert->nd_na_flags_reserved =
1265 if (neighboradvert->nd_na_flags_reserved & 0x00000020)
1267 &neighboradvert->nd_na_target, &ip6_icmp->ip6_src,
1268 sizeof (
struct in6_addr));
1273 &neighboradvert->nd_na_target);
1277 "forge_icmp_v6_packet: missing 'target' "
1278 "parameter required for constructing response "
1279 "to a Neighbor Solicitation\n");
1284 size = ip6_sz +
sizeof (
struct nd_neighbor_advert) + len;
1290 nasl_perror (lexic,
"forge_icmp_v6_packet: unknown type\n");
1294 if (
UNFIX (ip6_icmp->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
1298 ip6_icmp->ip6_ctlun.ip6_un1.ip6_un1_plen =
FIX (size - ip6_sz);
1308 memcpy (&
pseudohdr.s6addr, &ip6->ip6_src, sizeof (
struct in6_addr));
1309 memcpy (&
pseudohdr.d6addr, &ip6->ip6_dst, sizeof (
struct in6_addr));
1313 bcopy ((
char *) icmp, (
char *) &
pseudohdr.icmpheader, sz);
1316 bcopy ((
char *) data, icmpsumdata +
sizeof (
pseudohdr),
len);
1318 np_in_cksum ((
unsigned short *) icmpsumdata, size);
1319 g_free (icmpsumdata);
1326 case ICMP6_ECHO_REQUEST:
1328 case ND_ROUTER_SOLICIT:
1330 routersolicit->nd_rs_hdr.icmp6_cksum = icmp->icmp6_cksum;
1333 case ND_ROUTER_ADVERT:
1335 routeradvert->nd_ra_hdr.icmp6_cksum = icmp->icmp6_cksum;
1338 case ND_NEIGHBOR_SOLICIT:
1340 neighborsolicit->nd_ns_hdr.icmp6_cksum = icmp->icmp6_cksum;
1343 case ND_NEIGHBOR_ADVERT:
1345 neighboradvert->nd_na_hdr.icmp6_cksum = icmp->icmp6_cksum;
1357 nasl_perror (lexic,
"forge_icmp_v6_packet: missing 'ip6' parameter\n");
1372 struct icmp6_hdr *icmp;
1381 icmp = (
struct icmp6_hdr *) (p + 40);
1386 else if (!strcmp (elem,
"icmp_code"))
1387 value = icmp->icmp6_code;
1388 else if (!strcmp (elem,
"icmp_type"))
1389 value = icmp->icmp6_type;
1390 else if (!strcmp (elem,
"icmp_cksum"))
1391 value = ntohs (icmp->icmp6_cksum);
1392 else if (!strcmp (elem,
"icmp_id"))
1393 value = ntohs (icmp->icmp6_id);
1394 else if (!strcmp (elem,
"icmp_seq"))
1395 value = ntohs (icmp->icmp6_seq);
1396 else if (!strcmp (elem,
"data"))
1401 retc->
x.
str_val = g_memdup (&(p[40 + 8]), retc->
size + 1);
1449 u_char *pkt = g_malloc0 (
sizeof (
struct igmp6_hdr) + 40 + len);
1450 struct ip6_hdr *ip6_igmp = (
struct ip6_hdr *) pkt;
1457 bcopy (ip6, ip6_igmp, ipsz);
1459 if (
UNFIX (ip6_igmp->ip6_ctlun.ip6_un1.ip6_un1_plen) <= 40)
1464 ip6_igmp->ip6_ctlun.ip6_un1.ip6_un1_plen =
1468 p = (
char *) (pkt + 40);
1477 inet_pton (AF_INET6, grp, &
igmp->
group);
1483 char *p = (
char *) (pkt + 40 +
sizeof (
struct igmp6_hdr));
1484 bcopy (p, data, len);
1507 u_char packet[
sizeof (
struct ip6_hdr) + sizeof (struct tcphdr)];
1509 struct ip6_hdr *ip = (
struct ip6_hdr *) packet;
1510 struct tcphdr *tcp = (
struct tcphdr *) (packet +
sizeof (
struct ip6_hdr));
1513 struct in6_addr source;
1514 struct sockaddr_in6 soca;
1524 #define rnd_tcp_port() (rand () % 65535 + 1024)
1525 int sports[] = {0, 0, 0, 0, 0, 1023, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1526 0, 0, 0, 0, 0, 53, 0, 0, 20, 0, 25, 0, 0, 0};
1527 int ports[] = {139, 135, 445, 80, 22, 515, 23, 21, 6000, 1025,
1528 25, 111, 1028, 9100, 1029, 79, 497, 548, 5000, 1917,
1529 53, 161, 9001, 65535, 443, 113, 993, 8080, 0};
1530 char addr[INET6_ADDRSTRLEN];
1532 if (!destination || (IN6_IS_ADDR_V4MAPPED (destination) == 1))
1535 for (i = 0; i <
sizeof (sports) /
sizeof (
int); i++)
1541 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_RAW);
1545 if (setsockopt (soc, IPPROTO_IPV6, IP_HDRINCL, (
char *) &opt,
sizeof (opt))
1547 perror (
"setsockopt");
1553 source = *destination;
1556 bzero (&source,
sizeof (source));
1560 snprintf (filter,
sizeof (filter),
"ip6 and src host %s",
1561 inet_ntop (AF_INET6, destination, addr,
sizeof (addr)));
1568 unsigned int num_ports =
sizeof (sports) /
sizeof (
int);
1569 for (i = 0; i < num_ports && !flag; i++)
1571 bzero (packet,
sizeof (packet));
1573 int version = 0x60, tc = 0, fl = 0;
1574 ip->ip6_ctlun.ip6_un1.ip6_un1_flow = version | tc | fl;
1575 ip->ip6_nxt = 0x06, ip->ip6_hlim = 0x40, ip->ip6_src = source;
1576 ip->ip6_dst = *destination;
1577 ip->ip6_ctlun.ip6_un1.ip6_un1_plen =
FIX (
sizeof (
struct tcphdr));
1580 tcp->th_sport = port ? htons (
rnd_tcp_port ()) : htons (sports[i]);
1581 tcp->th_flags = TH_SYN;
1582 tcp->th_dport = port ? htons (port) : htons (ports[i]);
1583 tcp->th_seq = rand ();
1587 tcp->th_win = htons (512);
1595 bzero (&pseudoheader, 38 +
sizeof (
struct tcphdr));
1596 memcpy (&pseudoheader.
s6addr, &ip->ip6_src,
1597 sizeof (
struct in6_addr));
1598 memcpy (&pseudoheader.
d6addr, &ip->ip6_dst,
1599 sizeof (
struct in6_addr));
1601 pseudoheader.
protocol = IPPROTO_TCP;
1602 pseudoheader.
length = htons (
sizeof (
struct tcphdr));
1603 bcopy ((
char *) tcp, (
char *) &pseudoheader.
tcpheader,
1604 sizeof (
struct tcphdr));
1605 tcp->th_sum =
np_in_cksum ((
unsigned short *) &pseudoheader,
1606 38 +
sizeof (
struct tcphdr));
1609 bzero (&soca,
sizeof (soca));
1610 soca.sin6_family = AF_INET6;
1611 soca.sin6_addr = ip->ip6_dst;
1612 if (sendto (soc, (
const void *) ip,
1613 sizeof (
struct tcphdr) +
sizeof (
struct ip6_hdr), 0,
1614 (
struct sockaddr *) &soca,
sizeof (
struct sockaddr_in6))
1621 tv.tv_usec = 100000;
1649 struct sockaddr_in6 sockaddr;
1651 struct ip6_hdr *sip = NULL;
1652 int vi = 0, b = 0, len = 0;
1661 char name[INET6_ADDRSTRLEN];
1663 if (dstip == NULL || (IN6_IS_ADDR_V4MAPPED (dstip) == 1))
1665 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_RAW);
1669 if (setsockopt (soc, IPPROTO_IPV6, IP_HDRINCL, (
char *) &offset,
1672 perror (
"setsockopt");
1678 if ((
unsigned int) sz <
sizeof (
struct ip6_hdr))
1680 nasl_perror (lexic,
"send_packet(): packet is too short!\n");
1684 sip = (
struct ip6_hdr *) ip;
1685 if (use_pcap != 0 && bpf < 0)
1688 bzero (&sockaddr,
sizeof (
struct sockaddr_in6));
1689 sockaddr.sin6_family = AF_INET6;
1690 sockaddr.sin6_addr = sip->ip6_dst;
1691 if (dstip != NULL && !IN6_ARE_ADDR_EQUAL (&sockaddr.sin6_addr, dstip))
1693 char txt1[64], txt2[64];
1696 inet_ntop (AF_INET6, &sockaddr.sin6_addr,
name, INET6_ADDRSTRLEN),
1698 txt1[
sizeof (txt1) - 1] =
'\0';
1699 strncpy (txt2, inet_ntop (AF_INET6, dstip,
name, INET6_ADDRSTRLEN),
1701 txt2[
sizeof (txt2) - 1] =
'\0';
1703 "send_packet: malicious or buggy script is trying to "
1704 "send packet to %s instead of designated target %s\n",
1712 if (dfl_len > 0 && dfl_len < sz)
1717 b = sendto (soc, (u_char *) ip, len, 0, (
struct sockaddr *) &sockaddr,
1718 sizeof (
struct sockaddr_in6));
1720 if (b >= 0 && use_pcap != 0 && bpf >= 0)
1727 && (!memcmp (answer, (
char *) ip,
sizeof (
struct ip6_hdr))))
1742 retc->
size = answer_sz;