Revert "better math"
This reverts commit db7e390.
zakird committed Sep 15, 2015
1 parent db7e390 commit 3e2fa4a
Showing 1 changed file with 4 additions and 5 deletions.
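--- a/src/probe_modules/module_tcp_cisco_backdoor.c
+++ b/src/probe_modules/module_tcp_cisco_backdoor.c
@@ -57,10 +57,9 @@ static int synscan_init_perthread(void* buf, macaddr_t *src,
 // be set to 0xC123D. Also the ACK number doesn’t need to be zero.
 
 
-#define BACKDOOR_SEQ 0x000C123D
-#define BACKDOOR_ACK 0x0
-#define EXPECTED_RESPONSE_SEQ 0
-#define EXPECTED_RESPONSE_ACK 0x000C123E
+#define BACKDOOR_SEQ 0x0000FFFF
+#define BACKDOOR_ACK (BACKDOOR_SEQ + 0xC123D)
+#define EXPECTED_RESPONSE_SEQ BACKDOOR_ACK
 
 static int synscan_make_packet(void *buf, ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
 uint32_t *validation, int probe_num, __attribute__((unused)) void *arg)
@@ -151,7 +150,7 @@ static void synscan_process_packet(const u_char *packet,
 if (tcp->th_flags & TH_RST) { // RST packet
 fs_add_string(fs, "classification", (char*) "rst", 0);
 fs_add_uint64(fs, "success", 0);
-} else if (tcp->th_ack == EXPECTED_RESPONSE_ACK && tcp->th_seq == EXPECTED_RESPONSE_SEQ && tcp->th_urp == 0x0001) {
+} else if ((tcp->th_ack - tcp->th_seq) == 0xC123E && tcp->th_seq == EXPECTED_RESPONSE_SEQ) {
 fs_add_string(fs, "classification", (char*) "backdoor", 0);
 fs_add_uint64(fs, "success", 1);
 } else { // SYNACK packet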
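Review bot: The new condition in synscan_process_packet compares `tcp->th_ack` and `tcp->th_seq` against host-order constants without `ntohl()`; if these are the raw header fields in network byte order, as is usual for a captured TCP header, neither the subtraction nor the `EXPECTED_RESPONSE_SEQ` test will match on a little-endian host, and an affected device would be reported as an ordinary SYN-ACK. Assuming synscan_make_packet (its body is outside this view) writes the probe values in network order, the check should read `} else if ((ntohl(tcp->th_ack) - ntohl(tcp->th_seq)) == 0xC123E && ntohl(tcp->th_seq) == EXPECTED_RESPONSE_SEQ) {`. The literal `0xC123E` would also be clearer as a named macro beside `BACKDOOR_ACK`, for example `#define EXPECTED_RESPONSE_DIFF 0xC123E`, with a comment saying why the response sequence number is expected to equal the probe's ACK value. Both function bodies start and end outside the hunks shown.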
