Hello. I am writing a program in C, using libnet and libpcap, to impersonate an RSH client and inject my own command on the server machine, which is running RSHD.

As I understand it, the command should be in the 'payload' of the ACK packet, but in the format that RSHD will pass to the shell.

How should I assemble the packet to achieve this?

+1  A: 

Try to get a dump of network packets (with tcpdump, tshark, etc) from normal rsh client.

osgx
I did that, but my problem is that I don't want to simulate a normal rsh client session - I would like to include the command in the ACK packet during the TCP handshake with the server.
Hippopotamus
The format of the packet payload you can get from tcpdump. ACK is just a flag in the packet header.
osgx
A: 

To whom it may concern.

After establishing the connection (syn-syn,ack-ack) via rsh, the connection comes to the ESTABLISHED state, and all the requests will be moved to another port (so that rshd can handle further connections).

My problem was how to pass the command in the last "ack" packet. The "ack" packet is itself a data packet, so the command can be transferred in the "payload" field.

A bit of quoting from "man rshd":

      The server reads characters from the socket up to a NUL (`\0') byte.
      The resultant string is interpreted as an ASCII number, base 10.

 3.   If the number received in step 2 is non-zero, it is interpreted as
      the port number of a secondary stream to be used for the stderr.  A
      second connection is then created to the specified port on the
      client's machine.
      ...
 5.   A null terminated user name of at most 16 characters is retrieved on
      the initial socket.  This user name is interpreted as the user
      identity on the client's machine.

 6.   A null terminated user name of at most 16 characters is retrieved on
      the initial socket.  This user name is interpreted as a user
      identity to use on the server's machine.

 7.   A null terminated command to be passed to a shell is retrieved on
      the initial socket.  The length of the command is limited by the
      upper bound on the size of the system's argument list.

So. In #3 it is said that the first characters up to a NUL byte are interpreted as the port number for the secondary connection. But I didn't need the secondary connection, so I put "0\0" at the beginning of the command. Next, #5 and #6 specify the usernames on the client's machine and the server's machine, separated by NULs. So I put "0\0username1\0username1\0". And in #7 it is said that a null-terminated command can follow, so my command in the end was "0\0username1\0username2\0command\0".

Hippopotamus
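The request layout that the answer above reconstructs from the man page, seen from the defender's side: as an added example (not code from the question or either answer), a small Python parser that pulls the stderr port, both user names and the command out of a captured rshd request so that a monitoring tool can inspect what a client asked the server to run. The sample payloads are constructed; the 16-byte user-name limit is the one quoted from the man page, and the port-range check is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Tuple

MAX_USER_LEN = 16  # "at most 16 characters" per the rshd man page quoted above


@dataclass
class RshRequest:
    stderr_port: int   # 0 means no secondary stderr connection is requested
    client_user: str
    server_user: str
    command: str


def _take_field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return the NUL-terminated field starting at pos and the offset after its NUL."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise ValueError("field at offset %d is not NUL-terminated" % pos)
    return buf[pos:end], end + 1


def parse_rsh_request(buf: bytes) -> RshRequest:
    """Decode the client's initial rshd request: port\\0 user\\0 user\\0 command\\0."""
    port_raw, pos = _take_field(buf, 0)
    # Step 2 of the man page: an ASCII base-10 number; anything else is malformed.
    if not re.fullmatch(rb"[0-9]+", port_raw):
        raise ValueError("stderr port %r is not a base-10 number" % port_raw)
    port = int(port_raw)
    if port > 65535:  # assumption: reject values that cannot be a TCP port
        raise ValueError("stderr port %d out of range" % port)
    client_user, pos = _take_field(buf, pos)   # step 5
    server_user, pos = _take_field(buf, pos)   # step 6
    for name in (client_user, server_user):
        if len(name) > MAX_USER_LEN:
            raise ValueError("user name %r exceeds %d bytes" % (name, MAX_USER_LEN))
    command, pos = _take_field(buf, pos)       # step 7
    return RshRequest(port, client_user.decode("ascii", "replace"),
                      server_user.decode("ascii", "replace"),
                      command.decode("ascii", "replace"))


def is_valid_rsh_request(buf: bytes) -> bool:
    """True if buf decodes as a well-formed rshd request, False otherwise."""
    try:
        parse_rsh_request(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: no stderr port, user "alice" on both sides, command "uptime".
    print(parse_rsh_request(b"0\0alice\0alice\0uptime\0"))
```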