分享
 
 
 

Building Into The Linux Network Layer

王朝system·作者佚名  2008-06-01
窄屏简体版  字體: |||超大  

-------[ Phrack Magazine --- Vol. 9 Issue 55 --- 09.09.99 --- 12 of 19 ]

-------------------------[ Building Into The Linux Network Layer ]

--------[ kossak <kossak@hackers-pt.org>, lifeline <arai@hackers-pt.org> ]

----[ IntrodUCtion

As we all know, the Linux kernel has a monolithic architecture. That basically

means that every piece of code that is executed by the kernel has to be loaded

into kernel memory. To prevent having to rebuild the kernel every time new

hardware is added (to add drivers for it), Mr. Linus Torvalds and the gang

came up with the loadable module concept that we all came to love: the linux

kernel modules (lkm's for short). This article begins by pointing out yet more

interesting things that can be done using lkm's in the networking layer, and

finishes by trying to provide a solution to kernel backdooring.

----[ Socket Kernel Buffers

TCP/IP is a layered set of protocols. This means that the kernel needs to use

several routine functions to process the different packet layers in order to

fully "understand" the packet and connect it to a socket, etc. First, it

needs a routine to handle the link-layer header and, once processed there, the

packet is passed to the IP-layer handling routine(s), then to the transport-

layer routine(s) and so on. Well, the different protocols need a way

to communicate with each other as the packets are being processed. Under Linux

the answer to this are socket kernel buffers (or sk_buff's). These are used to

pass data between the different protocol layers (handling routines) and

the network device drivers.

The sk_buff{} structure (only the most important items are presented, see

linux/include/linux/skbuff.h for more):

sk_buff{}

--------+

next

--------

prev

--------

dev

--------

--------

head ---+

--------

data ------+

--------

tail ---------+

--------

end ------------+

--------<--+

--------<------+

Packet

being

handled

--------<----------+

--------+<--------------+

next: pointer to the next sk_buff{}.

prev: pointer to the previous sk_buff{}.

dev: device we are currently using.

head: pointer to beginning of buffer which holds our packet.

data: pointer to the actual start of the protocol data. This may vary

depending of the protocol layer we are on.

tail: pointer to the end of protocol data, also varies depending of the

protocol layer using he sk_buff.

end: points to the end of the buffer holding our packet. Fixed value.

For further enlightenment, imagine this:

- host A sends a packet to host B

- host B receives the packet through the appropriate network device.

- the network device converts the received data into sk_buff data structures.

- those data structures are added to the backlog queue.

- the scheduler then determines which protocol layer to pass the received

packets to.

Thus, our next question arises... How does the scheduler determine which

protocol to pass the data to? Well, each protocol is registered in a

packet_type{} data structure which is held by either the ptype_all list or

the ptype_base hash table. The packet_type{} data structure holds information

on protocol type, network device, pointer to the protocol's receive data

processing routine and a pointer to the next packet_type{} structure. The

network handler matches the protocol types of the incoming packets (sk_buff's)

with the ones in one or more packet_type{} structures. The sk_buff is then

passed to the matching protocol's handling routine(s).

----[ The Hack

What we do is code our own kernel module that registers our packet_type{}

data structure to handle all incoming packets (sk_buff's) right after they

come out of the device driver. This is easier than it seems. We simply fill

in a packet_type{} structure and register it by using a kernel eXPorted

function called dev_add_pack(). Our handler will then sit between the device

driver and the next (previously the first) routine handler. This means that

every sk_buff that arrives from the device driver has to pass first through our

packet handler.

----[ The Examples

We present you with three real-world examples, a protocol "mutation" layer,

a kernel-level packet bouncer, and a kernel-level packet sniffer.

----[ OTP (Obscure Transport Protocol)

The first one is really simple (and fun too), it works in a client-server

paradigm, meaning that you need to have two modules loaded, one on the client

and one on the server (duh). The client module catches every TCP packet with

the SYN flag on and swaps it with a FIN flag. The server module does exactly

the opposite, swaps the FIN for a SYN. I find this particularly fun since both

sides behave like a regular connection is undergoing, but if you watch it on

the wire it will seem totally absurd. This can also do the same for ports and

source address. Let's look at an example taken right from the wire.

Imagine the following scenario, we have host 'douBT' who wishes to make a

telnet connection to host 'hardbitten'. We load the module in both sides

telling it to swap port 23 for 80 and to swap a SYN for a FIN and vice-versa.

[lifeline@doubt 99vP]$ telnet hardbitten

A regular connection (without the modules loaded) looks like this:

03:29:56.766445 doubt.1025 > hardbitten.23: tcp (SYN)

03:29:56.766580 hardbitten.23 > doubt.1025: tcp (SYN ACK)

03:29:56.766637 doubt.1025 > hardbitten.23: tcp (ACK)

(we only look at the initial connection request, the 3-way handshake)

Now we load the modules and repeat the procedure. If we look at the wire the

connection looks like the following:

03:35:30.576331 doubt.1025 > hardbitten.80: tcp (FIN)

03:35:30.576440 hardbitten.80 > doubt.1025: tcp (FIN ACK)

03:35:30.576587 doubt.1025 > hardbitten.80: tcp (ACK)

When, what is happening in fact, is that 'doubt' is (successfully) requesting a

telnet session to host 'hardbitten'. This is a nice way to evade IDSes and

many firewall policies. It is also very funny. :-)

Ah, There is a problem with this, when closing a TCP connection the FIN's are

replaced by SYN's because of the reasons stated above, there is, however, an

easy way to get around this, is to tell our lkm just to swap the flags when the

socket is in TCP_LISTEN, TCP_SYN_SENT or TCP_SYN_RECV states. I have not

implemented this partly to avoid misuse by "script kiddies", partly because of

laziness and partly because I'm just too busy. However, it is not hard to do

this, go ahead and try it, I trust you.

----[ A Kernel Traff

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有