Full Disclosure: Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

[Tillmann Werner <tillmann.werner () gmx de>]

>     def callback(self, hdr, data):
>         # Parse the Ethernet packet
>         decoder = ImpactDecoder.EthDecoder()
>         ether = decoder.decode(data)
>         # Parse the IP packet inside the Ethernet packet, typep
>         iphdr = ether.child()
>         udphdr = iphdr.child()
>
>         # First check that the packets are not comming from the local host
>         # Then check that it is a UDP packet (incase you changed the BPF) also
>         # Check that the destination port for the packet is a closed
> port on the host
>         if (iphdr.get_ip_src() != self.ip):
>             self.refresh_portlist()
>             if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
> udphdr.get_uh_dport() not in self.portlist):
>                 if self.called == 0:
>                     self.callonce()
>                 print "Incoming UDP packet from %s"%iphdr.get_ip_src()
>                 self.dumper.dump(hdr, data)
>
>     def refresh_portlist(self):
>         # bash script to get all the open and listening UDP ports
>         # used in the callback function as criteria for logging traffic
>         output = os.popen("./getports.sh")
>         pl = output.readlines()
>         self.portlist = []
>         for p in pl:
>             self.portlist.append(int(p))
Seriously? popen()ing a bash script that calls netstat and awk twice for
every packet?

Tillmann

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/