tags:

views:

67

answers:

2
Q: 

Passing the shell-command to RSH daemon inside an "ACK" packet.

Hello. Writing a program on C, using libnet and libpcap to impersonate an RSH client and inject my own command on the server machine, running RSHD.

As I understood, the command should be in the 'payload' of the ACK packet, but in the format, that RSHD will pass it to the shell.

How should I assemble the packet to achieve this?

+1  A: 

Try to get a dump of network packets (with tcpdump, tshark, etc) from normal rsh client.

osgx  2010-03-31 22:39:11
I did that, but my problem that I don't want to simulate normal rsh client session - I would like to include the command in the ack packet, during the tcp handshake with server.
Hippopotamus  2010-04-01 07:28:28
Format of packet payload you can get from tcpdump. ACK is just a flag in packet header
osgx  2010-04-01 11:42:33
A: 

To whom it may concern.

After establishing the connection(syn-syn,ack-ack) via the rsh, the connection comes to the ESTABLISH state, and all the requests will be moved to another port(so the rshd can further handle more connections).

My problem was on how to pass the command in the last "ack" packet. The "ack" packet is itself a data packet so the command can be transfered in the "payload" field.

a bit of quotes from "man rshd":

      The server reads characters from the socket up to a NUL (`\0') byte.
      The resultant string is interpreted as an ASCII number, base 10.

 3.   If the number received in step 2 is non-zero, it is interpreted as
      the port number of a secondary stream to be used for the stderr.  A
      second connection is then created to the specified port on the
      client's machine.
      ...
 5.   A null terminated user name of at most 16 characters is retrieved on
      the initial socket.  This user name is interpreted as the user iden-
      tity on the client's machine.

 6.   A null terminated user name of at most 16 characters is retrieved on
      the initial socket.  This user name is interpreted as a user iden-
      tity to use on the server's machine.

 7.   A null terminated command to be passed to a shell is retrieved on
      the initial socket.  The length of the command is limited by the
      upper bound on the size of the system's argument list.

So. In #3 it is said that the first characters up to a NUL byte are interpreted as port number for secondary connection. But I didn't need the secondary connection, so I put "0\0" in the beginning of the command. Next #5 and #6 specify the usernames of the client's machine and the server's machine, separated by NUL's. So I put "0\0username1\0username1\0" And in the #7 it is said that there a null terminated command can be, so my command in the end was "0\0username1\0username2\0command\0".

Hippopotamus  2010-04-02 11:19:27

related questions

any good tool for makefile generation?
How do you pass a function as a parameter in C?
Where should a veteran C programmer start in order to master Java ?
Any good book on best practice and guidelines in developing a SDK in C?
How do you determine the size of a file in C?
Decoding printf statements in C (Printf Primer)
Shift operator in C
How to avoid redefining VERSION, PACKAGE, etc.
Alpha blending sprites in Nintendo DS Homebrew
When should I use type abstraction in embedded systems
How to implement continuations?
What are the barriers to understanding pointers and what can be done to overcome them?
Anyone have experience creating a shared library in MATLAB?
String.indexOf function in C
Passing multidimensional arrays as function arguments in C
C/C++ library for reading MIDI signals from a USB MIDI device
Choosing a static code analysis tool
How do you printf an unsigned long long int?
Good STL-like library for C.
Rockbox audio format
Why am I getting a malloc: double free error with realloc()?
Should I learn C?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS