Nmap Announce
mailing list archives
IP fragment overwriting bug exploitation
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Tue, 21 Sep 1999 17:57:58 -0700
So, here's another patch to NMAP which *MIGHT* work. I don't currently
have the setup to test it. It is supposed to exploit:

http://www.dataprotect.com/ipchains/

to bypass firewall rules. It will not run on 2.0.36 kernels that return
EPERM errors for 8-byte fragments. It does, however, run on the RH6.0
2.2.5 kernel, which isn't broken in this way (and *BSD?). I need another
6.0 box that I can set up with CONFIG_IP_ALWAYS_DEFRAG *off* and the
ipchains rule to pass non-first fragments. Since I don't have one, I have
no clue if this works or not.

To use:

./nmap -vdd -l80 -sS -P0 -p 111 repeatmasker.genome

This fakes port 80 through the firewall in order to scan port 111.

If anyone can get this to work that'd be great. It'd also be nice to
check if the RH kernel errata fixed this bug or not.
--
Lamont Granquist lamontg () genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
Attachment: overwrite-patch
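The post describes a filter that inspects only the first fragment (where the TCP ports sit) and passes non-first fragments unchecked, while the end host lets a later fragment overwrite those bytes. The defensive counterpart is to reassemble before filtering (what CONFIG_IP_ALWAYS_DEFRAG provides on 2.2 kernels) and to refuse any fragment set in which a byte would be written twice. The following is an added illustration, not code from the post, the attached patch, nmap or any kernel; the `Fragment` type, the `naive_first_fragment_check` and `defrag_then_check` functions and the sample fragments are all constructed for this example, and the sample does not reproduce the exact packets of the dataprotect advisory.

```python
"""Constructed example: first-fragment-only filtering versus overlap-aware
reassembly of IPv4 fragments carrying a TCP header.  Hypothetical code."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Fragment:
    offset: int     # fragment offset in 8-byte units, as in the IP header
    more: bool      # the MF (more fragments) flag
    payload: bytes  # transport-layer bytes carried by this fragment


class OverlapError(ValueError):
    """Raised when two fragments would write the same payload byte."""


def tcp_ports(payload: bytes):
    """Source and destination port from the first four TCP header bytes."""
    return (int.from_bytes(payload[0:2], "big"),
            int.from_bytes(payload[2:4], "big"))


def naive_first_fragment_check(frags: Iterable[Fragment], allowed_dst) -> str:
    """Weak policy: decide on the first fragment seen with offset 0 and let
    every later fragment through unchecked (the ipchains rule the post
    describes).  Overwritten bytes are never noticed here."""
    for f in frags:
        if f.offset == 0:
            _, dst = tcp_ports(f.payload)
            return "pass" if dst in allowed_dst else "drop: port not allowed"
    return "pass"  # non-first fragments are passed unconditionally


def reassemble(frags: Iterable[Fragment]) -> bytes:
    """Rebuild the payload, refusing any overlap between fragments."""
    buf = {}
    total = None
    for f in frags:
        start = f.offset * 8
        for i, b in enumerate(f.payload):
            pos = start + i
            if pos in buf:
                raise OverlapError(f"byte {pos} written twice")
            buf[pos] = b
        if not f.more:
            total = start + len(f.payload)  # last fragment fixes the length
    if total is None or set(buf) != set(range(total)):
        raise ValueError("incomplete fragment set")
    return bytes(buf[i] for i in range(total))


def defrag_then_check(frags: Iterable[Fragment], allowed_dst) -> str:
    """Stronger policy: reassemble first, drop on overlap, then apply the
    port rule to the bytes the end host would actually see."""
    try:
        payload = reassemble(list(frags))
    except OverlapError:
        return "drop: overlapping fragments"
    except ValueError:
        return "drop: incomplete"
    _, dst = tcp_ports(payload)
    return "pass" if dst in allowed_dst else "drop: port not allowed"


# Constructed 20-byte TCP SYN header to port 80, split into two fragments.
FIRST8 = (40000).to_bytes(2, "big") + (80).to_bytes(2, "big") + bytes(4)
REST12 = bytes(4) + b"\x50\x02" + b"\x20\x00" + bytes(4)
LEGIT: List[Fragment] = [Fragment(0, True, FIRST8), Fragment(1, False, REST12)]

# Same set plus a later fragment that rewrites the ports to target 111.
REWRITE = (40000).to_bytes(2, "big") + (111).to_bytes(2, "big") + bytes(4)
OVERLAP: List[Fragment] = LEGIT + [Fragment(0, True, REWRITE)]

if __name__ == "__main__":
    for name, frags in (("legit", LEGIT), ("overlap", OVERLAP)):
        print(name, "naive:", naive_first_fragment_check(frags, {80}),
              "| defrag:", defrag_then_check(frags, {80}))
```

Run as a script, the legitimate set passes both policies, while the overlapping set passes the first-fragment-only check and is dropped by the reassembling one; a filter that can see only the first fragment cannot tell the two cases apart.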