[dorqus maximus wrote]
|
| This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
| Build Number: 3083. (Sun Sparc, Solaris 2.5.1)
Sending 10,000 (not really --see below) of these `oshare` packets failed
to do anything to the following machines:
OpenBSD 2.4
FreeBSD 3.0
Solaris 2.7
Linux 2.1.124 SMP
Windows 98
A cursory glance at the code reveals two noteworthy things:
1. There is no pause during packet injection. This results in a large
amount of dropped packets. Your results will vary, but on my 100Mb
ethernet, I saw about a 30% - 40% packet loss.
2. The packet is built inside a 40 byte buffer, yet is assigned a size
of 44 bytes (and a header length of 44 bytes). The checksum is also
computed across this phantom 44 byte size. When injecting into the
network, however, only the original 40 bytes are written (anything
larger, of course, would likely end up SIGSEGVing). The end result is
a bad checksum on the other end.
Finally, in closing, allow me to shamelessly plug libnet. Again. Libnet,
simply put, is a C library for portable packet creation. The above
`exploit` under libnet, can be rewritten portably in minutes. Beyond that
(especially when combined with libpcap) it can be used to build powerful
network applications without worrying about low-level packet interface
nuances. Soon to be released version .10 offers numerous bug and
portability fixes, several new utility and packet building modules, as
well as additions to the FreeBSD and OpenBSD Ports collection.
http://www.infonexus.com/~daemon9/Libnet
--
I live a world of paradox... My willingness to destroy is your chance for
improvement, my hate is your faith -- my failure is your victory, a victory
that won't last.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:29 PDT