![..[ Phrack Magazine ]..](../../images/phrack-logo.jpg){kind=logo}
.:: Distributed Tools ::.
Issues:
[ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #56 | Release date : 2000-01-05 | Editor : route
| Introduction | Phrack Staff |
| Phrack Loopback | Phrack Staff |
| Phrack Line Noise | various |
| Phrack Prophile | Phrack Staff |
| Bypassing StackGuard and StackShield | Kil3r & Bulba |
| Project Area52 | Irib & Simple Nomad & Jitsu-Disk |
| Shared Library Redirection via ELF PLT Infection | Silvio |
| Smashing C++ VPTRs | rix |
| Backdooring binary objects | klog |
| Things To Do in Cisco Land When You're Dead | gaius |
| A Strict Anomaly Detection Model for IDS | beetle & sasha |
| Distributed Tools | lifeline & sasha |
| Introduction to PAM | Bryan Ericson |
| Exploiting Non-adjacent Memory Spaces | twitch |
| Writing MIPS/Irix shellcode | scut |
| Phrack Magazine Extraction Utility | Phrack Staff |
Title : Distributed Tools
Author : lifeline & sasha
- P H R A C K M A G A Z I N E -
Volume 0xa Issue 0x38
05.01.2000
0x0c[0x10]
|----------------------------- DISTRIBUTED TOOLS -----------------------------|
|-----------------------------------------------------------------------------|
|----------------------------- sasha / lifeline ------------------------------|
"The COAST approach has been to look at limits and underlying problems and see
what we can do to change the paradigm. We don't start with the view that
'well, the system gives us X and we know Y, so what can we find using that?'
Instead, we ask questions about the whole process of intrusion and misuse,
and try to find new ideas there."
- Gene Spafford
----| Distributed Denial of Service Attacks
It is perhaps prophetic that the first CERT advisory of the 21st century
should concern a distributed Denial of Service attack (see CA-2000-01 [1]).
In November 1999, CERT even held a 'Distributed-Systems Intruder Tools
Workshop' [2], to discuss "the threat" of distributed DoS (Denial of Service)
tools.
Briefly: in a distributed DoS attack, daemons are installed on multiple
compromised hosts; a client is used to identify a target to the daemons who
each then launch a DoS attack (usually using flood-like attacks i.e. UDP,
ICMP, SYN). The unified and sustained nature of attacks generated by multiple
daemons can often cripple a target network/host.
Some good work has been done on analysis of current distributed DoS tools, and
we direct the interested reader to the work of David Dittrich [3].
----| Applications of a Distributed Approach
It is somewhat depressing that DoS is very often the first application of any
new idea which can be utilized in a security context, and this is especially
true of distributed techniques, since the distributed 'philosophy' is
applicable to many facets of computer network penetration.
Below, we describe two examples of the distributed approach applied to very
familiar tasks: port scanning and password sniffing. Source code for an
example distributed port scanner implementation is included at the end of the
article.
----| Port Scanning
In P55-09 - 'Distributed Information Gathering' [4], the advantages in using
a distributed network information gathering approach are described, namely:
I. Stealth
By employing co-operation, time dilation, and randomization techniques we hope
to elude NIDS (network-based intrusion detection systems).
II. Correlation Information
The acquisition of multiple 'points of view' of a target enables a more
complete model of the target to be constructed, including multiple route and
timing information.
III. Pervasive Information Gathering
The countermeasures which some N-IDS can employ, such as injecting a 'deny
rule' into a firewall (for example, using an OPSEC API [5]), become less
effective at stopping ongoing information gathering.
----| Distributed Port Scan Detection
To detect a distributed port scan in which multiple hosts are being used to
distribute and "share the work" of information gathering, the functionality
must exist in a detection system to analyze a recorded event (for example - a
SYN packet sent to a port) in context, i.e. using circumstantial information.
The difficulty lies in knowing which information it is valuable to keep; you
may throw away the one byte which unlocks the puzzle! Resource starvation
and state-holding attacks then become applicable, since the resources
available to the detection system are unlikely to be infinite.
Assuming no pathologically obvious variations of information gathering
techniques are used (e.g. SYN+RST), a detection system must almost ignore
source IP addresses when performing analysis, since by definition, multiple
source hosts can distribute the set of probes to be performed.
For example, if you receive a connect to each port from 1 to 1024 over the
duration of a week, from multiple hosts, you are likely to have been port
scanned; however, the set of ports an individual is interested in determining
are open on your machine (or network), is unlikely to be as easy to recognize
as 1-1024.
There obviously exists an opportunity to perform much more research in
the area of programmatically identifying distributed attacks.
----| Password Sniffing
In P55-16 - 'Distributed Metastasis' [6], the advantages associated with using
a distributed model for password sniffing are described; briefly, the two
primary advantages are in removing the need to revisit a compromised host to
collect sniffer logs, and to increase the speed with which the sniffed
information is made available so that the penetration can be immediately
continued/deepened.
----| The Implementation
An implementation of a distributed port scanner is provided for illustrative
purposes.
DPS (Distributed Port Scanner) consists of a client working in conjunction with
agents located on multiple remote hosts.
The communication between the client and the agents is provided via some basic
commands encapsulated in ICMP_ECHO_REQUEST/REPLY packets, thus providing a
fairly covert channel. Strong data payload encryption is planned for a later
release.
The port scan request is done by the client; the agents perform the port scan
itself, and then report the results back to the client.
Imagine that we have 4 agents, located on 4 different hosts: 'hardbitten',
'doubt', 'ketamine' and 'neurosponge'. Our goal is to obtain the status of
ports 21, 22, 23, 80 and 143 on 10.0.2.10. The client is located on the host
'implode' and agents.txt is a file containing a list of agents.
[root@implode dps]# ./client 10.0.2.10 21-23,80,143 agents.txt eth0
packet sent. 1 of 1
Using device eth0
21 iz open
23 iz open
80 iz open
[root@implode dps]#
The client distributes the "workload" (the set of ports) between the different
agents; each agent scans the target host for a subset of the total ports,
then reports the results back to the client.
This isn't by any means a finished product - it is proof-of-concept. Planned
features for future releases include: distributed password sniffing,
distributed remote OS detection, strong crypto, multi-threaded agents, and
other ideas that people have been throwing seen this project was begun. Stay
tuned. Take your time to browse through the source code. Both Libnet and
Libpcap are needed by both the agent and the client.
----| Conclusions
It is interesting to see historically the wave-like effect that exists between
centralized and distributed computing: mainframe, client/server, thin-client
(such as Windows Terminal Server and the JavaStation Network Computer), etc.
This same effect has not yet been fully witnessed in computer security (the
Morris Worm [7] is an obvious exception).
Conversely, the concept of 'remote control' is not new to security; Loki [8],
Back Orifice [9], and NetBus [10] all provide client/server style remote
control functionality.
To conclude, the key to the distributed 'philosophy', is the _combination_
of the above two concepts.
----| References
[1] CERT Advisory CA-2000-01 - Denial-of-Service Developments, CERT/CC and
FedCIRC, January 3, 2000,
http://www.cert.org/advisories/CA-2000-01.html
[2] Results of the Distributed-Systems Intruder Tools Workshop,
Pittsburgh, Pennsylvania USA, November 2-4, 1999, Published at
the CERT Coordination Center, Software Engineering Institute,
Carnegie Mellon University, Pittsburgh, PA, 15213, December 7,
1999, http://www.cert.org/reports/dsit_workshop.pdf
[3] The Dos Project's "trinoo" distributed denial of service attack tool,
The "Tribal Flood Network" distributed denial of service attack tool,
The "stacheldraht" distributed denial of service attack tool, David
Dittrich, University of Washington, December 31, 1999,
http://www.washington.edu/People/dad/
[4] Distributed Information Gathering, hybrid, Phrack Magazine, Vol. 9,
Issue 55, Article 9 of 16, 09.09.99,
http://www.phrack.com/search.phtml?view&article=p55-9
[5] Check Point Open Platform for Security (OPSEC), Check Point Software
Technologies Ltd, 1999, http://www.opsec.com
[6] Distributed Metastasis: A Computer Network Penetration Methodology,
Andrew J. Stewart, Phrack Magazine Vol. 9, Issue 55, Article 16 of 19,
09.09.99, http://www.phrack.com/search.phtml?view&article=p55-16
[7] The Internet Worm Program: An Analysis, Eugene H. Spafford, Purdue
University, 1998,
http://www.cerias.purdue.edu/coast/archive/data/categ29.html
[8] Project Loki, daemon9 & alhambra, Phrack Magazine Vol. 7, Issue 49,
Article 06 of 19, August 1996,
http://www.phrack.com/search.phtml?view&article=p49-6
[9] Back Orifice 2000, Cult of the Dead Cow, http://www.b02k.com
[10] http://www.netbus.org
----| Source Code
<++> p56/dps/Makefile !5f996922
CC = gcc
CFLAGS = -O3 -DDEBUG
LIBS = -lnet -lpcap
CLI_OBJECTS = source/clt_main.o source/clt_packet_injection.o source/clt_wait.o
AGT_OBJECTS = source/agt_main.o source/agt_pscan.o
DPS_OBJECTS = source/dps_helper.o source/dps_pcap.o
.c.o:
$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
common: $(DPS_OBJECTS)
client: $(CLI_OBJECTS) $(DPS_OBJECTS)
$(CC) $(DPS_OBJECTS) $(CLI_OBJECTS) $(LIBS) -o client
strip client
agent: $(AGT_OBJECTS) $(DPS_OBJECTS)
$(CC) $(DPS_OBJECTS) $(AGT_OBJECTS) $(LIBS) -o agent
strip agent
clean:
rm -f source/*.o core
<-->
<++> p56/dps/README !6dab2725
dps 1.0
dps is a distributed portscanning tool. It consists in a client working
in conjuction with agents located in several remote hosts thus providing
'many-to-one' and 'many-to-many' portscanning.
The communication between the client and the agents is provided via some
basic commands encapsulated in ICMP ECHO_REQUEST/ECHO_REPLY packets this way
providing a fairly covert channel.
Data payload encryptation is also available
using the most popular symmetric-key algorithms (except for DES due to the
pathetic export restrictions is U.S.).
(*not* yet implemented)
The portscan request is done by the client, being the portscan itself done by
the agents which then report back to the client the results obtained.
Compilation notes:
1. make client
2. make agent
and that'z it!
<-->
<++> p56/dps/agents.txt !96b84d09
foo
bar
neuro.somewieirddomain.org
10.0.2.10
<-->
<++> p56/dps/localtest.txt !ea0d9aae
127.0.0.1
<-->
<++> p56/dps/include/config.h !5d33c259
#define MAGIC "lifeline" /* magic string, only alphanumerical
characters please. Btw, you will
become an idiot if you don't change this.
*/
#define BLOWFISH_KEY "lifelinerox"
#define MAX_HOST_SIZE 64 /* maximum hostname size allowed */
#define MAX_ICMP_PAYLOAD_SIZE 56 /* ok, this one is tricky. A maximum payload
of 56 bytes is recommended is you want
the packets to seem real. But 56 may not
be enough to store all the port
information, in this case the program
will split up in various ICMP packets,
however in the case that the port
information may be really large it will
cause a tremendous ICMP flood in the
network, so deal with it and use the
option that fits you best.
*/
<-->
<++> p56/dps/include/dps_pcap.h !3dca6d72
#ifndef DPS_PCAP
#define DPS_PCAP
#ifdef SOLARIS
#include "./solaris.h"
#endif
#include <pcap.h>
#define LOOPBACK_OFFSET 4
#define ETHERNET_OFFSET 14
#define SLIP_PPP_OFFSET 24
char errbuf[PCAP_ERRBUF_SIZE];
void
dps_pcap_err(
char *,
char *
);
pcap_t *
dps_pcap_prep(
int,
char *,
char *
);
int
dps_pcap_datalink(
pcap_t *
);
void *
dps_pcap_next(
pcap_t *
);
#endif /* DPS_PCAP */
/* EOF */
<-->
<++> p56/dps/include/prototypes.h !f50ce3e5
#include <linux/types.h>
extern char *itoa(int);
struct agentnfo {
u_long address; /* agent's IP address */
u_long victim; /* victim's IP address */
char *ports; /* ports to scan separated by comas(",") and minus("-"); */
struct agentnfo *next; /* next agent in list, this is a linked list */
};
struct scannfo {
u_long victim;
u_long cli_addr;
char *ports;
};
struct sp_header {
char magic[8];
__u8 plus:1,
res2:1,
res3:1,
res4:1,
res5:1,
res6:1,
res7:1,
res8:1;
};
extern short int inject(struct agentnfo *, char *);
<-->
<++> p56/dps/include/solaris.h !acb0956b
#ifndef SOLARIS_H
#define SOLARIS_H
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <ctype.h>
#include <strings.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip_var.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#endif /* SOLARIS_H */
/* EOF */
<-->
<++> p56/dps/source/agt_main.c !aaf7e1ae
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <asm/types.h>
#include "../include/config.h"
#include "../include/prototypes.h"
#define SNAPLEN 64
#define ETHHDR 14
void pkt_analyser_func(char *, char *);
/* Global variables */
unsigned int dlink_s;
const u_char *snapend;
int main(int argc, char **argv) {
pkt_analyser_func(argv[1], MAGIC);
}
void pkt_analyser_func(char *dev, char *magic) {
pcap_t *pd;
char *data;
struct pcap_pkthdr h;
struct iphdr *iph;
char *payload;
int x;
struct sp_header *head;
struct scannfo *scan;
if(!dev) {
if(!(dev = pcap_lookupdev(NULL))) {
perror("pcap_lookupdev");
exit(1);
}
}
printf("Using device %s\n", dev);
pd = pcap_open_live(dev, SNAPLEN, 0, 10, NULL);
switch(pcap_datalink(pd)) {
case DLT_EN10MB:
case DLT_IEEE802:
dlink_s = ETHHDR;
break;
case DLT_NULL:
dlink_s = 4;
break;
default:
perror("unknown datalink header");
exit(0);
break;
}
for(;;) {
data = pcap_next(pd, &h);
iph = (struct iphdr *)(data + dlink_s);
if(iph->protocol == IPPROTO_ICMP) {
struct icmphdr *icmph = (struct icmphdr *)(data + dlink_s + iph->ihl*4);
if(icmph->type == 8 && icmph->code == 0) {
payload = malloc(MAX_ICMP_PAYLOAD_SIZE);
memcpy(payload, data + dlink_s + iph->ihl*4 + 8, MAX_ICMP_PAYLOAD_SIZE);
/*
for(x = 0; x <= MAX_ICMP_PAYLOAD_SIZE; x++)
printf("%c", *(payload+x));
printf("\n");
*/
if (!(strncmp(MAGIC, payload, strlen(MAGIC)))) {
head = malloc(16);
memcpy(head, payload, 16);
if (!(head->plus)) {
scan = malloc(sizeof(struct scannfo));
memcpy(scan, payload + 16 + sizeof(u_long), sizeof(u_long));
memcpy(scan + sizeof(u_long), payload + 16, sizeof(u_long));
scan->ports = malloc(strlen(payload + 16 + 2*sizeof(u_long)) + 1);
memset(scan->ports, '\0', strlen(payload + 16 + 2*sizeof(u_long)) + 1);
memcpy(scan->ports, payload + 16 + 2*sizeof(u_long), strlen(payload + 16 + 2*sizeof(u_long)));
pscan(scan, pd, dev);
}
}
}
}
}
}
<-->
<++> p56/dps/source/agt_pscan.c !6b34db79
#include <libnet.h>
#include <pcap.h>
#include "../include/prototypes.h"
#include "../include/config.h"
#define SNAPLEN 64
#define ETHHDR 14
int pscan(struct scannfo *scan, pcap_t *pd, char *dev) {
extern unsigned int dlink_s;
int i, timeout = 10;
char *port, *ebuf;
int c, sock;
char *buf;
u_long src_ip, dst_ip;
int p;
u_char *data;
struct iphdr *iph;
struct tcphdr *tcph;
struct pcap_pkthdr h;
time_t utime;
srandom(time(NULL));
if(!(buf = malloc(IP_MAXPACKET))) {
return 0;
}
if(!(sock = open_raw_sock(IPPROTO_RAW))) {
return 0;
}
src_ip = htonl(get_ipaddr(NULL, dev, ebuf));
dst_ip = scan->victim;
libnet_build_ip(TCP_H, 0, random() % 65536, 0, 64, IPPROTO_TCP,
src_ip, dst_ip, NULL, 0, buf);
// sleep(2);
port = strtok(scan->ports, ",");
p = atoi(port);
while (port) {
libnet_build_tcp(1030, p, 11111, 99999, TH_SYN,
1024, 0, NULL, 0, buf + IP_H);
libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
c = libnet_write_ip(sock, buf, TCP_H + IP_H);
// sleep(2);
i = 1;
utime = time(NULL);
while ((time(NULL) - utime) <= timeout && i) {
data = (u_char *)pcap_next(pd, &h);
iph = (struct iphdr *)(data + dlink_s);
if (iph->saddr == dst_ip && iph->daddr == src_ip) {
if (iph->protocol == IPPROTO_TCP) {
tcph = (struct tcphdr *)(data + dlink_s + iph->ihl*4);
if (tcph->th_sport == htons(p) && tcph->th_dport == htons(1030)) {
if ((tcph->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) { send_result(p, scan->cli_addr); }
// if (tcph->th_flags & TH_RST)printf("%d it'z closed\n", p);
i = 0;
}
}
}
}
port = strtok('\0', ",");
if(!port) return 0;
p = atoi(port);
}
free(buf);
return 1;
}
int send_result(int p, u_long dst_ip) {
char *buf;
int c, sock;
u_long src_ip;
src_ip = libnet_name_resolve("127.0.0.1", 1);
if(!(sock = open_raw_sock(IPPROTO_RAW))) {
return 0;
}
buf = malloc(IP_MAXPACKET);
memset(buf, '\0', IP_MAXPACKET);
libnet_build_ip(ICMP_ECHO_H + sizeof(int) + strlen(MAGIC),
0,
random() % 65535,
0,
32,
IPPROTO_ICMP,
src_ip,
dst_ip,
NULL,
0,
buf);
libnet_build_icmp_echo(ICMP_ECHO, 0, 440, 1, NULL, 0, buf + IP_H);
memcpy(buf + IP_H + ICMP_ECHO_H, "araiarai", strlen(MAGIC));
memcpy(buf + IP_H + ICMP_ECHO_H + strlen(MAGIC), &p, sizeof(int));
if (libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_ECHO_H + strlen(MAGIC) + sizeof(int)) == -1) {
return -1;
}
c = libnet_write_ip(sock, buf, ICMP_ECHO_H + IP_H + strlen(MAGIC) + sizeof(int));
if (c < ICMP_ECHO_H + IP_H + strlen(MAGIC) + sizeof(int)) {
// printf("Error writing to network\n");
return -1;
}
// printf("wrote %d bytes.\n", c);
return 1;
}
<-->
<++> p56/dps/source/clt_main.c !6b6e9348
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "../include/config.h"
#include "../include/prototypes.h"
void usage(char *);
int main(int argc, char **argv) {
int x, round;
FILE *agentsfd;
struct agentnfo *agent, *first_agent;
char *temp, *ports;
u_char buf2[MAX_HOST_SIZE], *buf3;
u_long address;
u_short begin_port, end_port;
char *sequence;
if (getuid() || geteuid()) {
fprintf(stderr, "You need to be root to run dps.\n");
exit(0);
}
if (argc != 5) usage(argv[0]);
if ((agentsfd = fopen(argv[3], "r")) == NULL) {
fprintf(stderr, "Error opening %s.\n", argv[3]);
exit(0);
}
round = 0;
while ((fgets(buf2, MAX_HOST_SIZE, agentsfd)) != NULL) {
buf3 = malloc(strlen(buf2));
memset(buf3, '\0', strlen(buf2));
memcpy(buf3, buf2, strlen(buf2) - 1);
if ((address = libnet_name_resolve(buf3, 1)) == -1) {
fprintf(stderr, "Error resolving %s\n", buf3);
fclose(agentsfd);
exit(0);
}
free(buf3);
if (!round) {
agent = malloc(sizeof(struct agentnfo));
first_agent = agent;
round = 1;
}
else {
agent->next = malloc(sizeof(struct agentnfo));
agent = agent->next;
}
memcpy((struct agentnfo *)agent, &address, sizeof(u_long));
agent->victim = libnet_name_resolve(argv[1], 1);
agent->ports = NULL;
agent->next = NULL;
}
fclose(agentsfd);
agent = first_agent;
ports = strtok(argv[2], ",");
if (strrchr(ports, '-')) {
if (strchr(ports, '-')) {
sequence = malloc(strchr(ports, '-') - ports);
memcpy(sequence, ports, strchr(ports, '-') - ports);
begin_port = atoi(sequence);
sequence = malloc(strlen(ports) - (strchr(ports, '-')-ports));
memcpy(sequence, strchr(ports, '-') + 1, strlen(ports) - (strchr(ports, '-')-ports));
end_port = atoi(sequence);
for (x = begin_port ; x <= end_port ; x++) {
if (agent->next == NULL || x == begin_port) {
agent = first_agent;
}
else
agent = agent->next;
if (agent->ports == NULL) {
agent->ports = malloc(strlen(ports) + 2);
memset(agent->ports, '\0', strlen(ports) + 2);
}
else {
temp = malloc(strlen(agent->ports) + strlen(ports) + 2);
memset(temp, '\0', strlen(agent->ports) + strlen(ports) + 2);
memcpy(temp, agent->ports, strlen(agent->ports));
free(agent->ports);
agent->ports = temp;
}
memcpy(agent->ports + strlen(agent->ports), itoa(x), strlen(ports));
memcpy(agent->ports + strlen(agent->ports), ",", 1);
}
}
}
else {
agent->ports = malloc(strlen(ports) + 2);
memset(agent->ports, '\0', strlen(ports) + 2);
memcpy(agent->ports, ports, strlen(ports));
memcpy(agent->ports + strlen(ports), ",", 1);
}
while (ports) {
ports = strtok('\0', ",");
if (ports) {
if (strchr(ports, '-')) {
seq:
sequence = malloc(strchr(ports, '-') - ports);
memcpy(sequence, ports, strchr(ports, '-') - ports);
begin_port = atoi(sequence);
sequence = malloc(strlen(ports) - (strchr(ports, '-')-ports));
memcpy(sequence, strchr(ports, '-') + 1, strlen(ports) - (strchr(ports, '-')-ports));
end_port = atoi(sequence);
for (x = begin_port ; x <= end_port ; x++) {
if (agent->next == NULL)
agent = first_agent;
else
agent = agent->next;
if (agent->ports == NULL) {
agent->ports = malloc(strlen(ports) + 2);
memset(agent->ports, '\0', strlen(ports) + 2);
}
else {
temp = malloc(strlen(agent->ports) + strlen(ports) + 2);
memset(temp, '\0', strlen(agent->ports) + strlen(ports) + 2);
memcpy(temp, agent->ports, strlen(agent->ports));
free(agent->ports);
agent->ports = temp;
}
memcpy(agent->ports + strlen(agent->ports), itoa(x), strlen(ports));
memcpy(agent->ports + strlen(agent->ports), ",", 1);
}
}
else {
if (agent->next == NULL)
agent = first_agent;
else
agent = agent->next;
if (agent->ports == NULL) {
agent->ports = malloc(strlen(ports) + 2);
memset(agent->ports, '\0', strlen(ports) + 2);
}
else {
temp = malloc(strlen(agent->ports) + strlen(ports) + 2);
memset(temp, '\0', strlen(agent->ports) + strlen(ports) + 2);
memcpy(temp, agent->ports, strlen(agent->ports));
free(agent->ports);
agent->ports = temp;
}
memcpy(agent->ports + strlen(agent->ports), ports, strlen(ports));
memcpy(agent->ports + strlen(agent->ports), ",", 1);
}
}
}
#ifdef DEBUG
for (agent = first_agent; agent != NULL; agent = agent->next) {
printf("%ld -> %s\t%p\t%ld\n", agent->address, agent->ports, agent->ports, agent->victim);
}
#endif
printf("elite\n");
// free(temp);
// free(sequence);
printf("ultra-elite\n");
if(inject(first_agent, argv[4]) != 1) {
printf("Error in packet injection\n");
}
wait_results(argv[4]);
exit(1);
}
void usage(char *exec) {
printf("dps - lifeline <lifeline@against.org>\n");
printf("%s <target_host> <ports to scan> <agents file> <device>\n", exec);
exit(1);
}
<-->
<++> p56/dps/source/clt_packet_injection.c !cbbedc0d
#include <libnet.h>
#include "../include/config.h"
#include "../include/prototypes.h"
#define MAGIC "lifeline"
#define AGENT "doubt"
#define SOURCE "hardbitten"
/*
*
* Packet injection routines.
*
*/
short int inject (struct agentnfo *first_agent, char *dev) {
struct agentnfo *agent;
struct sp_header *head;
int sock, x, c, offset, y;
unsigned int each_p, info_s, packets_n;
char *pload, *buf, *ebuf;
u_long src_ip, dst_ip, cli_addr;
cli_addr = src_ip = htonl(get_ipaddr(NULL, dev, ebuf));
/* dps control header construction */
head = malloc(16);
memset(head, '\0', 16);
memcpy(head, &MAGIC, 8);/* MAGIC string should be no longer than 8 chars */
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) return -1;
for (agent = first_agent ; agent != NULL ; agent = agent->next) {
/*
* First let'z take care of our special payload.
*
* -------------------------
* | MAGIC |+|R|R|R|R|R|R|R|
* -------------------------------------
* cli_addr | victim_addr | ports_info |
* -------------------------------------
*/
/* Space available in each packet */
each_p = MAX_ICMP_PAYLOAD_SIZE - 16;
/* Total information size */
info_s = 2*sizeof(u_long) + strlen(agent->ports);
/* Calculate the number of packets needed for all the info. */
packets_n = (info_s % each_p ? info_s / each_p + 1 : info_s / each_p);
/* Allocate memory */
pload = malloc(MAX_ICMP_PAYLOAD_SIZE + 1);
memset(pload, '\0', MAX_ICMP_PAYLOAD_SIZE + 1);
buf = malloc(IP_H + ICMP_ECHO_H + MAX_ICMP_PAYLOAD_SIZE + 1);
memset(buf, '\0', IP_H + ICMP_ECHO_H + MAX_ICMP_PAYLOAD_SIZE + 1);
dst_ip = agent->address;
libnet_build_ip(MAX_ICMP_PAYLOAD_SIZE,
0,
random() % 65535,
0,
32,
IPPROTO_ICMP,
src_ip,
dst_ip,
NULL,
0,
buf);
offset = 0;
for (x = 1 ; x <= packets_n ; x++) {
if (x < packets_n) {
head->plus = 1;
memset(pload, '\0', MAX_ICMP_PAYLOAD_SIZE + 1);
memcpy(pload, head, 16);
memcpy(pload + 16, agent->ports + offset, MAX_ICMP_PAYLOAD_SIZE - 16);
// memcpy(pload + 16, agent->ports + offset, strlen(agent->ports));
offset =+ (MAX_ICMP_PAYLOAD_SIZE - 16);
}
else {
head->plus = 0;
memset(pload, '\0', MAX_ICMP_PAYLOAD_SIZE + 1);
memcpy(pload, head, 16);
memcpy(pload + 16, &cli_addr, sizeof(u_long));
memcpy(pload + 16 + sizeof(u_long), &(agent->victim), sizeof(u_long));
memcpy(pload + 16 + 2*sizeof(u_long), agent->ports + offset, strlen(agent->ports));
// memset(pload + 16 + 2*sizeof(u_long) + strlen(agent->ports + offset), 'A', MAX_ICMP_PAYLOAD_SIZE - (16 + 2*sizeof(u_long) + strlen(agent->ports + offset)));
}
libnet_build_icmp_echo(ICMP_ECHO, 0, 440, 1, NULL, 0, buf + IP_H);
memset(buf + IP_H + ICMP_ECHO_H, '\0', MAX_ICMP_PAYLOAD_SIZE + 1);
memcpy(buf + IP_H + ICMP_ECHO_H, pload, MAX_ICMP_PAYLOAD_SIZE);
if (libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_ECHO_H + MAX_ICMP_PAYLOAD_SIZE) == -1) {
return -1;
}
/*
for (y = 0 ; y <= 64 ; y++)
printf("%c", *(buf + 28 + y));
printf("\n");
*/
c = libnet_write_ip(sock, buf, ICMP_ECHO_H + IP_H + MAX_ICMP_PAYLOAD_SIZE);
if (c < ICMP_ECHO_H + IP_H + MAX_ICMP_PAYLOAD_SIZE) {
printf("Error writing to network\n");
return -1;
}
printf("packet sent. %d of %d\n", x, packets_n);
}
}
free(buf);
return 1;
}
<-->
<++> p56/dps/source/clt_wait.c !cd679af6
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <asm/types.h>
#include "../include/config.h"
#include "../include/prototypes.h"
#define SNAPLEN 64
#define ETHHDR 14
/* Global variables */
unsigned int dlink_s;
const u_char *snapend;
int wait_results(char *dev) {
pcap_t *pd;
char *data;
struct pcap_pkthdr h;
struct iphdr *iph;
char *payload;
int x;
if(!dev) {
if(!(dev = pcap_lookupdev(NULL))) {
perror("pcap_lookupdev");
exit(1);
}
}
printf("Using device %s\n", dev);
pd = pcap_open_live(dev, SNAPLEN, 0, 10, NULL);
switch(pcap_datalink(pd)) {
case DLT_EN10MB:
case DLT_IEEE802:
dlink_s = ETHHDR;
break;
case DLT_NULL:
dlink_s = 4;
break;
default:
perror("unknown datalink header");
exit(0);
break;
}
for(;;) {
data = pcap_next(pd, &h);
iph = (struct iphdr *)(data + dlink_s);
if(iph->protocol == IPPROTO_ICMP) {
struct icmphdr *icmph = (struct icmphdr *)(data + dlink_s + iph->ihl*4);
if(icmph->type == 8 && icmph->code == 0) {
payload = malloc(MAX_ICMP_PAYLOAD_SIZE);
memcpy(payload, data + dlink_s + iph->ihl*4 + 8, MAX_ICMP_PAYLOAD_SIZE);
if (!(strncmp("araiarai", payload, strlen(MAGIC)))) {
memcpy(&x, payload + strlen(MAGIC), sizeof(int));
printf("%d iz open\n", x);
}
}
}
}
}
<-->
<++> p56/dps/source/dps_helper.c !a6720d71
/*
* dps
* ---
* helper functions
*
* lifeline
*
*/
char s[];
char *itoa (int n) {
int i, sign, x, y, z;
if ((sign = n) < 0)
n = -n;
i = 0;
do {
s[i++] = n % 10 + '0';
} while ((n /= 10) > 0);
if (sign < 0)
s[i++] = '-';
s[i] = '\0';
for (y = 0, z = strlen(s)-1 ; y < z ; y++, z--) {
x = s[y];
s[y] = s[z];
s[z] = x;
}
return s;
}
<-->
<++> p56/dps/source/dps_pcap.c !dfe55d3e
#include "../include/dps_pcap.h"
void
dps_pcap_err(char *function, char *error)
{
fprintf(stderr, "%s: %s\n", function, error);
exit (1);
}
pcap_t *
dps_pcap_prep(int snaplen, char *filter, char *device)
{
pcap_t *pd;
bpf_u_int32 localnet, netmask;
struct bpf_program fcode;
if(!device) {
if ((device = pcap_lookupdev(errbuf)) == NULL)
{
dps_pcap_err("pcap_lookupdev", errbuf);
}
}
if ((pd = pcap_open_live(device, snaplen, 1, 500, errbuf)) == NULL)
{
dps_pcap_err("pcap_open_live", errbuf);
}
if (pcap_lookupnet(device, &localnet, &netmask, errbuf) == -1)
{
dps_pcap_err("pcap_lookupnet", errbuf);
}
if (pcap_compile(pd, &fcode, filter, 1, netmask) == -1)
{
dps_pcap_err("pcap_compile", errbuf);
}
if (pcap_setfilter(pd, &fcode) == -1)
{
dps_pcap_err("pcap_setfilter", errbuf);
}
return (pd);
}
int
dps_pcap_datalink(pcap_t *pd)
{
int offset;
switch (pcap_datalink(pd))
{
/* There'z no such DLT in OpenBSD, I'm changing to NULL, should work
on solaris.
*/
case DLT_NULL:
offset = LOOPBACK_OFFSET;
break;
case DLT_SLIP:
case DLT_PPP:
offset = SLIP_PPP_OFFSET;
break;
case DLT_EN10MB:
default:
offset = ETHERNET_OFFSET;
break;
}
return (offset);
}
void *
dps_pcap_next(pcap_t *pd)
{
void *ptr;
struct pcap_pkthdr hdr;
while ((ptr = (void *)pcap_next(pd, &hdr)) == NULL);
return (ptr);
}
/* EOF */
<-->
|EOF|-------------------------------------------------------------------------|
© Copyleft 1985-2021, Phrack Magazine.