Home page logo

Nmap Announce mailing list archives

IP fragment overwriting bug exploitation
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Tue, 21 Sep 1999 17:57:58 -0700

So, here's another patch to NMAP which *MIGHT* work.  I don't currently
have the setup to test it.  It is supposed to exploit:


To bypass firewall rules.  It will not run on 2.0.36 kernels that return
EPERM errors for 8-byte fragments.  It does, however, run on the RH6.0
2.2.5 kernel, which aren't broken in this way (and *BSD?).  I need another
6.0 box that I can setup with CONFIG_IP_ALWAYS_DEFRAG *off* and the
ipchains rule to pass non-first fragments.  Since I don't have one, I have
no klew if this works or not.

To use:

./nmap -vdd -l80 -sS -P0 -p 111 repeatmasker.genome

This fakes port 80 through the firewall in order to scan port 111

If anyone can get this to work that'd be great.  It'd also be nice to
check if the RH kernel errata fixed this bug or not.

Lamont Granquist                       lamontg () genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka

Attachment: overwrite-patch

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]