This is a PoC demonstrating techniques exploiting CVE-2016-5696 Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao
The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond, and affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%. Finally, we propose changes to both the TCP specification and implementation to eliminate the root cause of the problem.
Usage and DOwnload from git:
git clone https://github.com/Gnoxter/mountain_goat && cd mountain_goat
gcc -g -o mountain_goat mountain_goat.c layers.c -l pcap -std=gnu99
THE SOFTWARE IS FOR EDUCATIONAL AND RESEARCH PURPOSES. IT MAY CAUSE UNEXPECTED AND UNDESIRABLE BEHAVIOUR TO OCCUR AND MAY DISTRUPT NORMAL OPERATION OF MACHINES AND NETWORK EQUIPMENT. IT IS THE USERS RESPONSIBILITY TO ENSURE AN EDQUATE ENVIRONMENT THAT DOES NOT AFFECT ANY THIRD PARTY.