23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
[ output trimmed ]
32780/tcp open sometimes-rpc23
32786/tcp open sometimes-rpc25
32787/tcp open sometimes-rpc27
43188/tcp open reachout
44442/tcp open coldfusion-auth
44443/tcp open coldfusion-auth
47557/tcp open dbbrowse
49400/tcp open compaqdiag
54320/tcp open bo2k
61439/tcp open netprowler-manager
61440/tcp open netprowler-manager2
61441/tcp open netprowler-sensor
65301/tcp open pcanywhere
Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
matrix@euclid:~ $
The only service that is actually running is ssh on port 22, but it is hidden
in a sea of false positives. A dedicated attacker could simply telnet to every
port to check the banners, but this technique could easily be expanded to
spoof banners also.
0x480 Reach Out and Hack Someone
Network programming tends to move many chunks of memory around and is
heavy in typecasting. You've seen for yourself how crazy some of the typecasts
can get. Mistakes thrive in this type of chaos. And since many network
programs need to run as root, these little mistakes can become critical
vulnerabilities. One such vulnerability exists in the code from this chapter.
Did you notice it?
From hacking-network.h
/* This function accepts a socket FD and a ptr to a destination
 * buffer. It will receive from the socket until the EOL byte
 * sequence is seen. The EOL bytes are read from the socket, but
 * the destination buffer is terminated before these bytes.
 * Returns the size of the read line (without EOL bytes).
 */
int recv_line(int sockfd, unsigned char *dest_buffer) {
#define EOL "\r\n" // End-of-line byte sequence
#define EOL_SIZE 2
   unsigned char *ptr;
   int eol_matched = 0;

   ptr = dest_buffer;
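
The listing breaks off here, but the signature already shows a risk: recv_line() receives no size for dest_buffer, so it has no way to tell when the caller's buffer is full. A bounded variant follows as an added example (not code from the book); recv_line_bounded, dest_size and the demo_recv harness are hypothetical names, and the input fed through the harness is constructed.

```c
/* Added example: bounded variant of recv_line(). The names
 * recv_line_bounded, dest_size and demo_recv are hypothetical. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define EOL "\r\n"   /* End-of-line byte sequence */
#define EOL_SIZE 2

/* Reads one EOL-terminated line into dest, which holds dest_size bytes.
 * The EOL bytes pass through dest too, so lines up to dest_size - 2 fit.
 * Returns the line length without EOL, or -1 (dest emptied) when the
 * peer closes early or the line would not fit. */
int recv_line_bounded(int sockfd, unsigned char *dest, size_t dest_size) {
    size_t used = 0;
    int eol_matched = 0;

    while (used < dest_size && recv(sockfd, dest + used, 1, 0) == 1) {
        if (dest[used] == (unsigned char)EOL[eol_matched]) {
            if (++eol_matched == EOL_SIZE) {
                used = used + 1 - EOL_SIZE;   /* index of first EOL byte */
                dest[used] = '\0';            /* terminate before EOL */
                return (int)used;
            }
        } else {
            /* Restart the match; a '\r' here may itself begin an EOL. */
            eol_matched = (dest[used] == (unsigned char)EOL[0]) ? 1 : 0;
        }
        used++;
    }
    if (dest_size > 0)
        dest[0] = '\0';   /* never hand back a partial, unterminated line */
    return -1;
}

/* Constructed harness: sends `wire` through a local socketpair, then EOF. */
int demo_recv(const char *wire, unsigned char *dest, size_t dest_size) {
    int sv[2], n;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    if (send(sv[0], wire, strlen(wire), 0) < 0) {
        close(sv[0]); close(sv[1]);
        return -2;
    }
    close(sv[0]);
    n = recv_line_bounded(sv[1], dest, dest_size);
    close(sv[1]);
    return n;
}
```

A caller should treat -1 as a reason to drop the connection or reject the request rather than retry into the same buffer.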