Home page logo

bugtraq logo Bugtraq mailing list archives

ecepass - proof of concept code for FreeBSD ipfw bypass
From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Thu, 25 Jan 2001 15:04:30 +0200

An all ZA production...;)

FreeBSD ipfw+ECE proof of concept code

Code written by:
Plathond (jacques4i () yahoo com) for Sensepost (http://www.sensepost.com,
info () sensepost com)

More info on the problem:

Original problem found by:
Aragon Gouveia <aragon () phat za net>

How it works:
Using FreeBSD divert rule, all outgoing traffic (or as specified in
ipfw rule) will be diverted to the ecepass process - the ECE flag will
be added. Traffic directed to hosts behind ipfw-based firewall will be
passed, rendering the firewall useless if it makes use of the "allow
all from any to any established" rule. Tried & tested...

How to use:
1. Make sure your kernel is compiled with the following options:
 options         IPDIVERT
 options         IPFIREWALL

2. gcc -o ecepass ecepass.c

3. ./ecepass &

4. ipfw add 5 divert 7000 tcp from any to any

5. All TCP traffic will now have the ECE flag added to it.

PS1: obviously you need to make sure that the last ipfw rule allows
     traffic e.g.:
     00001 divert 7000 tcp from any to any
     65535 allow ip from any to any

PS2: as the exploit uses "ipfw divert" it only works on FreeBSD.
     Ironic eh?

spidermark: sensepostdata ece


Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996

Attachment: ecepass.tgz

  By Date           By Thread  

Current thread:
  • ecepass - proof of concept code for FreeBSD ipfw bypass Roelof Temmingh (Jan 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]