Super excited, super depressed: November 14th

xiaoxiao2021-03-06  71

I haven't written a diary entry in a long time, the TCP scanning program from the past few days still hasn't been summed up, and I have some junk piling up, so I'll write a diary entry to vent.

There is far too much to learn: the 80386 manual, shellcode, the Linux kernel, yesterday's TCP through double NAT, today's IP fragments through a firewall (depressing), and httptunnel... Actually my assembly is fine, but most of it I've only got halfway through.

I listened to JKlee describe the IP fragment attack, but from the material he was describing the old kind... Then you get the picture: with IP fragmentation, only the first fragment carries the ICMP, TCP or UDP header information; the later ones carry only an IP header and then the data...

From this I thought of a method of passing through a firewall. Say the firewall only allows port 80 in, and we want to reach port 23. The TCP header sits in the first IP fragment, but the fragment length is 24 bytes (it must be a multiple of 8), and the IP header is generally 20 bytes but can carry up to 32-bit (8-byte) options...

But now I think I was wrong, because IP_offset is counted from the end of the IP header, the IP option is only 4 bytes, and a fragment's ip_offset is at least 1, i.e. 8 bytes, which already includes the destination port number :( (And what if IP_offset is 0? From the Linux TCP/IP source code, 0 is definitely not allowed...)

However, I hadn't taken that into account. At the time I thought the IP header was being inserted. If that were the case, with OFFSET 3 and a 4-byte IP option, the destination and source ports would both be exposed; the data of the next IP fragment would start overwriting from the 24th byte, so the destination port would be overwritten and filled in with 23. The firewall only checks the first IP fragment, so it would be fooled, and we would have reached port 23.

:) ---- This was a fantasy...

People said there really was such a vulnerability, but it was found long ago :( depressed
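The diary is reasoning about the classic fragment-filter weakness (only the first fragment carries the TCP header, and a later fragment can overlap it), which is exactly what the two RFC 1858 rules for packet filters address: drop a first TCP fragment that is too small to carry the transport header the filter must inspect, and drop any fragment whose offset lands inside that header. The following is an added example, not code from the diary or its author; it builds a few constructed IPv4 fragments (checksum left zero, addresses 10.0.0.1 and 10.0.0.2 chosen for the sample) and applies those two checks with a 16-byte minimum, so a fragment starting at offset 3 (byte 24) passes because it cannot touch the port fields at bytes 0 to 3.

```python
import struct

IPPROTO_TCP = 6
# RFC 1858 recommends a minimum of 16 bytes of TCP header in the first
# fragment (ports, sequence, ack and flags), so a filter can inspect them.
TMIN_TCP = 16


def build_fragment(ident: int, offset: int, more: bool, payload: bytes,
                   options: bytes = b"") -> bytes:
    """Construct an IPv4 fragment for the sample (checksum is left zero).

    offset is in 8-byte units, as on the wire; options must be a multiple
    of 4 bytes and at most 40 bytes, which is the IPv4 limit.
    """
    if len(options) % 4 or len(options) > 40:
        raise ValueError("IPv4 options must be a multiple of 4 bytes, max 40")
    ihl = (20 + len(options)) // 4
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, ident, flags_frag,
                         64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


def parse_ipv4(packet: bytes) -> dict:
    """Extract the IPv4 header fields a fragment filter needs."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or IHL")
    return {
        "ihl": ihl,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),
        "offset": flags_frag & 0x1FFF,      # fragment offset in 8-byte units
        "proto": proto,
        "payload": packet[ihl:total_len],   # bytes after the IP header
    }


def fragment_verdict(packet: bytes) -> str:
    """Apply the two RFC 1858 checks to one TCP fragment.

    Rule 1 (tiny fragment): a first fragment (offset 0) that has more
    fragments behind it but carries fewer than TMIN_TCP bytes of TCP header
    hides the fields the filter needs, so it is dropped.
    Rule 2 (overlapping fragment): a non-first fragment whose data would
    begin inside the first TMIN_TCP bytes could overwrite those fields on
    reassembly, so it is dropped regardless of its contents.
    """
    hdr = parse_ipv4(packet)
    if hdr["proto"] != IPPROTO_TCP:
        return "pass"
    if hdr["offset"] == 0:
        if hdr["mf"] and len(hdr["payload"]) < TMIN_TCP:
            return "drop: tiny first fragment"
        return "pass"
    if hdr["offset"] * 8 < TMIN_TCP:
        return "drop: fragment overlaps TCP header"
    return "pass"


def demo_verdicts() -> dict:
    """Run the filter over constructed sample fragments (not captured traffic)."""
    # A 20-byte TCP header: source port 40000, destination port 80, SYN set.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    samples = {
        "whole_packet": build_fragment(1, 0, False, tcp),
        "first_with_16_bytes": build_fragment(2, 0, True, tcp[:16]),
        "tiny_first_8_bytes": build_fragment(3, 0, True, tcp[:8], b"\x01\x01\x01\x01"),
        "overlap_at_offset_1": build_fragment(3, 1, False, b"\x00" * 8),
        "tail_at_offset_3": build_fragment(4, 3, False, b"\x00" * 8),
    }
    return {name: fragment_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name:24s} {verdict}")
```

The two rules are deliberately stateless: neither needs the filter to remember earlier fragments of the same datagram, which is why RFC 1858 proposed them for simple packet filters that, like the one in the diary, only look at each fragment on its own.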

It seems that whatever I want to do, I can't see it through; even now I can't see it!!!

Here is the later article:

http://blog.9cbs.net/collide/archive/2004/09/29/121051.aspx

Please credit the original source when reposting: https://www.9cbs.com/read-91693.html
