Nmap Hackers: IP fragment overwriting bug exploitation

IP fragment overwriting bug exploitation

From: Lamont Granquist <lamontg_at_raven.genome.washington.edu>
Date: Tue, 21 Sep 1999 17:57:58 -0700

So, here's another patch to NMAP which *MIGHT* work. I don't currently
have the setup to test it. It is supposed to exploit:

http://www.dataprotect.com/ipchains/

To bypass firewall rules. It will not run on 2.0.36 kernels that return
EPERM errors for 8-byte fragments. It does, however, run on the RH6.0
2.2.5 kernel, which isn't broken in this way (and *BSD?). I need another
6.0 box that I can set up with CONFIG_IP_ALWAYS_DEFRAG *off* and the
ipchains rule to pass non-first fragments. Since I don't have one, I have
no clue if this works or not.

To use:

./nmap -vdd -l80 -sS -P0 -p 111 repeatmasker.genome

This fakes port 80 through the firewall in order to scan port 111.

If anyone can get this to work that'd be great. It'd also be nice to
check if the RH kernel errata fixed this bug or not.

-- 
Lamont Granquist                       lamontg_at_genome.washington.edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg_at_raven.genome.washington.edu | pgp -fka

Received on Sep 21 1999