Full Disclosure mailing list archives

Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)


From: Tillmann Werner <tillmann.werner () gmx de>
Date: Fri, 11 Nov 2011 09:17:48 +0100

    # (methods of the capture class from the quoted PoC; the module needs
    # `import os` and Impacket's ImpactDecoder / ImpactPacket)
    def callback(self, hdr, data):
        # Parse the Ethernet frame
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet frame, then the UDP header inside it
        iphdr = ether.child()
        udphdr = iphdr.child()

        # First check that the packet is not coming from the local host.
        # Then check that it is a UDP packet (in case you changed the BPF) and
        # that the destination port for the packet is a closed port on the host.
        if (iphdr.get_ip_src() != self.ip):
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
                    udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print("Incoming UDP packet from %s" % iphdr.get_ip_src())
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports;
        # used in the callback function as the criterion for logging traffic
        output = os.popen("./getports.sh")
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))

Seriously? popen()ing a bash script that calls netstat and awk twice for
every packet?

Tillmann

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
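The objection above is to refresh_portlist() spawning a shell, netstat and awk for every captured packet. The following is an added example, written for this archive page and not code from Tillmann's post or from the quoted PoC: it keeps the same "remote UDP to a port nothing is bound to" test, but takes the bound-port set from /proc/net/udp and /proc/net/udp6 (the Linux column layout is real; the SAMPLE_PROC_NET_UDP text and the packet tuples are constructed for the stand-alone run) and caches it behind a TTL, so one table read serves thousands of packets. The names ListeningUdpPorts, is_probe and flag_probes are this example's own, not the PoC's.

```python
import socket
import time

# Constructed sample of /proc/net/udp (real Linux column layout, made-up
# socket entries): local ports 0x0035 (53) and 0x0044 (68) are bound.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  456: 0100007F:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
"""


def parse_proc_net_udp(text):
    """Return the set of local UDP ports from /proc/net/udp-style text.

    Header lines (first field is 'sl', not 'NNN:') are skipped, so the
    contents of several files (udp, udp6) can be concatenated and parsed once.
    """
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].endswith(":"):
            continue
        # local_address is "HEXADDR:HEXPORT"; only the port matters here
        port_hex = fields[1].rpartition(":")[2]
        ports.add(int(port_hex, 16))
    return ports


def read_proc_udp():
    """Real reader (Linux only): /proc/net/udp plus /proc/net/udp6, no shell."""
    text = ""
    for path in ("/proc/net/udp", "/proc/net/udp6"):
        try:
            with open(path) as f:
                text += f.read()
        except OSError:
            pass
    return text


class ListeningUdpPorts:
    """Cached set of bound UDP ports, refreshed at most once per `ttl` seconds.

    Replaces the per-packet os.popen("./getports.sh"): the first get() after
    the TTL expires re-reads the table; every other get() is a set lookup.
    A port bound within the last `ttl` seconds is still reported as closed,
    the same race the netstat approach has between its run and packet arrival.
    """

    def __init__(self, reader=read_proc_udp, ttl=1.0, clock=time.monotonic):
        self._reader = reader
        self._ttl = ttl
        self._clock = clock
        self._ports = set()
        self._last = None
        self.refreshes = 0  # exposed so the cost can be measured

    def get(self):
        now = self._clock()
        if self._last is None or now - self._last >= self._ttl:
            self._ports = parse_proc_net_udp(self._reader())
            self._last = now
            self.refreshes += 1
        return self._ports


def is_probe(src_ip, proto, dport, local_ip, listening):
    """Same predicate as the quoted callback: remote UDP to a port nothing is bound to."""
    return src_ip != local_ip and proto == socket.IPPROTO_UDP and dport not in listening


def flag_probes(packets, local_ip, ports):
    """Run the predicate over (src_ip, proto, dport) tuples; returns the flagged ones."""
    return [p for p in packets if is_probe(p[0], p[1], p[2], local_ip, ports.get())]


if __name__ == "__main__":
    # Constructed traffic: 1000 packets to a port nothing listens on, one DNS query
    cache = ListeningUdpPorts(reader=lambda: SAMPLE_PROC_NET_UDP, ttl=1.0)
    pkts = [("10.0.0.5", socket.IPPROTO_UDP, 1434)] * 1000
    pkts.append(("10.0.0.5", socket.IPPROTO_UDP, 53))
    flagged = flag_probes(pkts, "10.0.0.1", cache)
    print("%d of %d packets flagged, %d port-table refresh(es)"
          % (len(flagged), len(pkts), cache.refreshes))
```

In the pcap callback, `self.refresh_portlist()` and `self.portlist` would become one `ListeningUdpPorts` instance created at start-up and a `ports.get()` call, with `reader=read_proc_udp`; the source-address test is unchanged and, as in the original, does nothing against a spoofed source.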

