home *** CD-ROM | disk | FTP | other *** search
/ Power Hacker 2003 / Power_Hacker_2003.iso / E-zine / Magazines / crh / freebsd / rootkit / sniffit.0.3.5 / sniffit.0.3.5.patch.1 < prev    next >
Encoding:
Text File  |  2002-05-27  |  6.6 KB  |  217 lines
  1. *** sn_defines.h    Fri Apr 18 11:33:58 1997
  2. --- sn_defines.h    Thu Jul 24 16:02:16 1997
  3. ***************
  4. *** 80,90 ****
  5.   #define SYN 2
  6.   #define FIN 1
  7.   
  8. ! #define NO_IP   0
  9. ! #define NO_IP_4 1000
  10. ! #define ICMP    1                       /* Protocol Numbers */
  11. ! #define TCP     6
  12. ! #define UDP     17
  13.   
  14.   #define ICMP_HEADLENGTH 4               /* fixed ICMP header length */
  15.   #define UDP_HEADLENGTH  8               /* fixed UDP header length */
  16. --- 80,91 ----
  17.   #define SYN 2
  18.   #define FIN 1
  19.   
  20. ! #define NO_IP       0
  21. ! #define NO_IP_4     1000
  22. ! #define CORRUPT_IP    1001
  23. ! #define ICMP        1                       /* Protocol Numbers */
  24. ! #define TCP         6
  25. ! #define UDP         17
  26.   
  27.   #define ICMP_HEADLENGTH 4               /* fixed ICMP header length */
  28.   #define UDP_HEADLENGTH  8               /* fixed UDP header length */
  29. *** sn_packets.c    Fri Apr 18 11:33:58 1997
  30. --- sn_packets.c    Thu Aug 22 19:18:51 1985
  31. ***************
  32. *** 43,48 ****
  33. --- 43,49 ----
  34.       struct UDP_header UDPhead;
  35.   
  36.       int i;
  37. +      short int dummy; /* 2 bytes, important */
  38.   
  39.       memcpy(&IPhead,(sp+PROTO_HEAD),sizeof(struct IP_header));
  40.                                                     /* IP header Conversion */
  41. ***************
  42. *** 51,56 ****
  43. --- 52,58 ----
  44.       unwrapped->TCP_len = 0;             /* Reset structure NEEDED!!! */
  45.       unwrapped->UDP_len = 0;
  46.       unwrapped->DATA_len = 0;
  47. +     unwrapped->FRAG_nf = 0;
  48.           
  49.       if(NO_CHKSUM == 0)
  50.           {
  51. ***************
  52. *** 75,106 ****
  53.                       /* restore orig buffer      */
  54.                            /* general programming rule */
  55.           }
  56.       if(IPhead.protocol == TCP )                     /* TCP */
  57.           {
  58. !         memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  59.                           sizeof(struct TCP_header));
  60. !         unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000;
  61. !         unwrapped->TCP_len >>= 10; 
  62. !         unwrapped->DATA_len = ntohs(IPhead.length) -
  63.                   (unwrapped->IP_len) - (unwrapped->TCP_len); 
  64.           return TCP;
  65.           }
  66.       if(IPhead.protocol == ICMP )                     /* ICMP */
  67.           {
  68. !         memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  69.                           sizeof(struct ICMP_header));
  70. !         unwrapped->ICMP_len = ICMP_HEADLENGTH;
  71. !         unwrapped->DATA_len = ntohs(IPhead.length) -
  72.                   (unwrapped->IP_len) - (unwrapped->ICMP_len); 
  73. !         return ICMP; 
  74.           }
  75.       if(IPhead.protocol == UDP )                       /* UDP */
  76.           {
  77. !         memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  78.                           sizeof(struct UDP_header));
  79. !         unwrapped->UDP_len = UDP_HEADLENGTH;
  80. !         unwrapped->DATA_len = ntohs(IPhead.length) -
  81.                   (unwrapped->IP_len) - (unwrapped->UDP_len); 
  82.           return UDP; 
  83.           }
  84.       return -1; 
  85. --- 77,150 ----
  86.                       /* restore orig buffer      */
  87.                            /* general programming rule */
  88.           }
  90. + #ifdef DEBUG_ONSCREEN
  91. +     printf("IPheadlen: %d   total length: %d\n", unwrapped->IP_len,
  92. +                             ntohs(IPhead.length)); 
  93. + #endif
  95. +         dummy=ntohs(IPhead.flag_offset); dummy<<=3;
  96. +         if( dummy!=0 )                            /* we have offset */
  97. +         {
  98. +         unwrapped->FRAG_nf = 1;
  99. +                 }
  101.       if(IPhead.protocol == TCP )                     /* TCP */
  102.           {
  103. !                 if(unwrapped->FRAG_nf == 0)
  104. !                   {  
  105. !           if( (ntohs(IPhead.length)-(unwrapped->IP_len))<20 )
  106. !             {return CORRUPT_IP;};
  108. !           memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  109.                           sizeof(struct TCP_header));
  110. !           unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000;
  111. !           unwrapped->TCP_len >>= 10; 
  112. !           unwrapped->DATA_len = ntohs(IPhead.length) -
  113.                   (unwrapped->IP_len) - (unwrapped->TCP_len); 
  114. +                   }
  115. +                 else
  116. +                   {
  117. +           unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len);
  118. +                   }
  119.           return TCP;
  120.           }
  121.       if(IPhead.protocol == ICMP )                     /* ICMP */
  122.           {
  123. !                 if(unwrapped->FRAG_nf == 0)
  124. !                   {  
  125. !           if( (ntohs(IPhead.length)-(unwrapped->IP_len))<4 )
  126. !             {return CORRUPT_IP;};
  128. !           memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  129.                           sizeof(struct ICMP_header));
  130. !           unwrapped->ICMP_len = ICMP_HEADLENGTH;
  131. !           unwrapped->DATA_len = ntohs(IPhead.length) -
  132.                   (unwrapped->IP_len) - (unwrapped->ICMP_len); 
  133. !           return ICMP;
  134. !           }
  135. !                 else
  136. !                   {
  137. !                   return -1; /* don't handle fragmented ICMP */
  138. !                   } 
  139.           }
  140.       if(IPhead.protocol == UDP )                       /* UDP */
  141.           {
  142. !                 if(unwrapped->FRAG_nf == 0)
  143. !                   {  
  144. !           if( (ntohs(IPhead.length)-(unwrapped->IP_len))<8 )
  145. !             {return CORRUPT_IP;};
  147. !             memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)),
  148.                           sizeof(struct UDP_header));
  149. !           unwrapped->UDP_len = UDP_HEADLENGTH;
  150. !           unwrapped->DATA_len = ntohs(IPhead.length) -
  151.                   (unwrapped->IP_len) - (unwrapped->UDP_len); 
  152. +           }
  153. +                 else
  154. +           {
  155. +           unwrapped->DATA_len = ntohs(IPhead.length)-(unwrapped->IP_len); 
  156. +           }
  157.           return UDP; 
  158.           }
  159.       return -1; 
  160. *** sn_packetstructs.h    Fri Apr 18 11:33:58 1997
  161. --- sn_packetstructs.h    Thu Jul 24 16:17:20 1997
  162. ***************
  163. *** 44,51 ****
  164.       unsigned short length, checksum;
  165.   };
  166.   
  167. ! struct unwrap                                           /* some extra info */
  168.   {
  169.       int IP_len, TCP_len, ICMP_len, UDP_len;         /* header lengths */ 
  170.       int DATA_len;
  171.   };
  172. --- 44,52 ----
  173.       unsigned short length, checksum;
  174.   };
  175.   
  176. ! struct unwrap                                          /* some extra info */
  177.   {
  178.       int IP_len, TCP_len, ICMP_len, UDP_len;         /* header lengths */ 
  179.       int DATA_len;
  180. +     char FRAG_nf;                           /* not the first fragment */
  181.   };
  182. *** sniffit.0.3.5.c    Fri Apr 18 11:33:58 1997
  183. --- sniffit.0.3.5.c    Thu Aug 22 19:19:49 1985
  184. ***************
  185. *** 411,421 ****
  186. --- 411,427 ----
  187.       proto=unwrap_packet(sp, info); 
  188.       if(proto == NO_IP)    return DONT_EXAMINE; /* no use in trying */
  189.       if(proto == NO_IP_4)    return DONT_EXAMINE; /* no use in trying */
  190. +     if(proto == CORRUPT_IP)    
  191. +       {printf("Suspicious Packet detected... (Split header)\n");
  192. +        return DONT_EXAMINE;}
  193.   
  194.           memcpy(&iphead,(sp+PROTO_HEAD),sizeof(struct IP_header));
  195.       so=(unsigned char *)&(iphead.source);
  196.              dest=(unsigned char *)&(iphead.destination);
  197.   
  198. +     if(info->FRAG_nf!=0)
  199. +       {printf("Fragment Skipped...\n"); return DONT_EXAMINE; };
  201.       if((proto==TCP)&&(PROTOCOLS&F_TCP)) 
  202.           {
  203.   #ifdef DEBUG_ONSCREEN
  204. ***************
  205. *** 1220,1225 ****
  206. --- 1226,1235 ----
  207.       proto=unwrap_packet(sp, info);
  208.       if(proto == NO_IP)    return DONT_EXAMINE; /* no use in trying */
  209.       if(proto == NO_IP_4)    return DONT_EXAMINE; /* no use in trying */
  210. +     if(proto == CORRUPT_IP)    return DONT_EXAMINE; /* no use in trying */
  212. +     if(info->FRAG_nf!=0)
  213. +       {return DONT_EXAMINE; };
  214.   
  215.       (*IP_nr_of_packets)++;
  216.       if(proto==ICMP)  
  217.