Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 11 Nov 2011 21:43:44 +1100

btw, you do realise, it is doing exactly what it is meant to , right >?
it is called a honeypot sir... try figure out WHY it is looping...
then maybe, the code is nicer yes...
i dont really care for it...  i am, making the proper.cpp scanner.
nothing more interests me about it, and, nothing else, i need others
to tell me, thx. I have done this my own b4, please, dont try holding
any hands.
I will only, cut off your feet ;)
later


On 11 November 2011 19:17, Tillmann Werner <tillmann.werner () gmx de> wrote:
    def callback(self, hdr, data):
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet, typep
        iphdr = ether.child()
        udphdr = iphdr.child()

        # First check that the packets are not comming from the local host
        # Then check that it is a UDP packet (incase you changed the BPF) also
        # Check that the destination port for the packet is a closed
port on the host
        if (iphdr.get_ip_src() != self.ip):
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print "Incoming UDP packet from %s"%iphdr.get_ip_src()
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic
        output = os.popen("./getports.sh")
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))

Seriously? popen()ing a bash script that calls netstat and awk twice for
every packet?

Tillmann

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]