|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Roelof Temmingh (roelof
SENSEPOST.COM)Date: Thu Jan 25 2001 - 07:04:30 CST
An all ZA production...;)
FreeBSD ipfw+ECE proof of concept code
--------------------------------------
Code written by:
Plathond (jacques4iyahoo.com) for Sensepost (http://www.sensepost.com,
infosensepost.com)
More info on the problem:
http://packetstorm.securify.com/advisories/freebsd/FreeBSD-SA-01:08.ipfw
Original problem found by:
Aragon Gouveia <aragonphat.za.net>
How it works:
-------------
Using FreeBSD divert rule, all outgoing traffic (or as specified in
ipfw rule) will be diverted to the ecepass process - the ECE flag will
be added. Traffic directed to hosts behind ipfw-based firewall will be
passed, rendering the firewall useless if it makes use of the "allow
all from any to any established" rule. Tried & tested...
How to use:
-----------
1. Make sure your kernel is compiled with the following options:
options IPDIVERT
options IPFIREWALL
2. gcc -o ecepass ecepass.c
3. ./ecepass &
4. ipfw add 5 divert 7000 tcp from any to any
5. All TCP traffic will now have the ECE flag added to it.
PS1: obviously you need to make sure that the last ipfw rule allows
traffic e.g.:
00001 divert 7000 tcp from any to any
65535 allow ip from any to any
PS2: as the exploit uses "ipfw divert" it only works on FreeBSD.
Ironic eh?
spidermark: sensepostdata ece
Regards,
Roelof.
------------------------------------------------------
Roelof W Temmingh SensePost IT security
roelofsensepost.com +27 83 448 6996
http://www.sensepost.com
- APPLICATION/octet-stream attachment: ecepass.tgz
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]