Nmap Announce mailing list archives
IP fragment overwriting bug exploitation
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Tue, 21 Sep 1999 17:57:58 -0700
So, here's another patch to NMAP which *MIGHT* work. I don't currently have the setup to test it. It is supposed to exploit: http://www.dataprotect.com/ipchains/ to bypass firewall rules.

It will not run on 2.0.36 kernels that return EPERM errors for 8-byte fragments. It does, however, run on the RH6.0 2.2.5 kernel, which isn't broken in this way (and *BSD?).

I need another 6.0 box that I can set up with CONFIG_IP_ALWAYS_DEFRAG *off* and the ipchains rule to pass non-first fragments. Since I don't have one, I have no klew if this works or not.

To use:

./nmap -vdd -l80 -sS -P0 -p 111 repeatmasker.genome

This fakes port 80 through the firewall in order to scan port 111.

If anyone can get this to work that'd be great. It'd also be nice to check if the RH kernel errata fixed this bug or not.

--
Lamont Granquist lamontg () genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
Attachment: overwrite-patch
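An added example, not part of Lamont's post or of nmap: a small Python monitor that a defender could run over fragment records (for instance decoded from a capture) to flag the two conditions the technique above relies on, a first fragment too short to carry a complete TCP header, and a later fragment whose bytes conflict with data already received for the same datagram. The Fragment record, the alert tuples and the first-arrival-wins reassembly policy are assumptions made for the demonstration; the sample fragments are constructed.

```python
"""Overlapping-fragment monitor (added example; not from the original post).

Fragment offsets are given in bytes here; on the wire the IP header stores
them in 8-byte units. Reassembly keeps the first copy of every byte and
reports any later fragment that tries to rewrite it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP_MIN_HEADER = 20  # bytes: a shorter first fragment hides ports/flags from a filter


@dataclass
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset in bytes
    more: bool      # MF flag: True unless this is the last fragment
    payload: bytes


@dataclass
class _Datagram:
    data: bytearray = field(default_factory=bytearray)
    seen: bytearray = field(default_factory=bytearray)  # 1 where a byte has arrived
    total: Optional[int] = None                          # known once MF=0 arrives


class FragmentMonitor:
    def __init__(self) -> None:
        self._dgrams: Dict[int, _Datagram] = {}
        # (kind, ident, start_byte, end_byte) tuples
        self.alerts: List[Tuple[str, int, int, int]] = []
        self.completed: Dict[int, bytes] = {}

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Consume one fragment; return the datagram once it is complete."""
        dg = self._dgrams.setdefault(frag.ident, _Datagram())

        # Condition 1: first fragment too small to hold a full TCP header.
        if frag.offset == 0 and frag.more and len(frag.payload) < TCP_MIN_HEADER:
            self.alerts.append(("tiny-first-fragment", frag.ident, 0, len(frag.payload)))

        end = frag.offset + len(frag.payload)
        if end > len(dg.data):
            grow = end - len(dg.data)
            dg.data.extend(bytes(grow))
            dg.seen.extend(bytes(grow))

        # Condition 2: bytes already received that this fragment would change.
        conflict = [i for i, b in enumerate(frag.payload)
                    if dg.seen[frag.offset + i] and dg.data[frag.offset + i] != b]
        if conflict:
            self.alerts.append(("overlap-rewrite", frag.ident,
                                frag.offset + conflict[0], frag.offset + conflict[-1] + 1))

        # Policy: first arrival wins, so a rewrite attempt never reaches the reassembled data.
        for i, b in enumerate(frag.payload):
            pos = frag.offset + i
            if not dg.seen[pos]:
                dg.data[pos] = b
                dg.seen[pos] = 1

        if not frag.more:
            dg.total = end
        if dg.total is not None and len(dg.seen) >= dg.total and all(dg.seen[:dg.total]):
            self.completed[frag.ident] = bytes(dg.data[:dg.total])
            del self._dgrams[frag.ident]
            return self.completed[frag.ident]
        return None


if __name__ == "__main__":
    mon = FragmentMonitor()
    # Constructed sample: an 8-byte first fragment, then a 20-byte fragment at
    # offset 0 that disagrees with it, then the tail of the datagram.
    mon.feed(Fragment(ident=2, offset=0, more=True, payload=b"\xaa" * 8))
    mon.feed(Fragment(ident=2, offset=0, more=True, payload=b"\xbb" * 20))
    done = mon.feed(Fragment(ident=2, offset=20, more=False, payload=b"\xcc" * 10))
    for alert in mon.alerts:
        print("ALERT", alert)
    print("reassembled:", done.hex())
```

A real deployment would key datagrams on source, destination, protocol and identification rather than identification alone, and expire incomplete datagrams; the point here is only that a reassembler which records which bytes it has already accepted can both refuse the rewrite and log it.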