Ʀ²Ë 
¼¶±ð£º¹ÜÀíÔ±
ÍþÍû£º9
¾Ñ飺18
»õ±Ò£º99999
ÌåÁ¦£º
À´Ô´£º²»ÖªµÀ
×Ü·¢ÌûÊý£º2602
×¢²áÈÕÆÚ£º2001-04-13
|
|
 ²é¿´¡¡ Óʼþ¡¡ Ö÷Ò³¡¡ QQ¡¡ ÏûÏ¢¡¡ ÒýÓá¡ ¸´ÖÆ¡¡ ÏÂÔØ¡¡
¸Â¸Â ½â³ý¸öºÜ´óµÄ·³ÄÕ ¹þ¹þ
SPARC/Solaris 8Ï¿ìËÙÖÕ½áTCPÓÐÏÞ״̬»úµÄTIME_WAIT״̬
×÷ÕߣºNSFocus
Security Team <security@nsfocus.com>
Ö÷Ò³£ºhttp://www.nsfocus.com
ÈÕÆÚ£º2002-07-17
ÎÒÃÇÕâÀïÌÖÂÛµÄÊÇÔÚ³ÌÐò²»¿É¿ØµÄÇé¿öÏ£¬±ÈÈç±ðÈ˵ijÌÐò£¬ÓÖδʹÓÃSO_REUSEADDRÑ¡ÏÈçºÎ¿ìËÙÖÕ½áTCPÓÐÏÞ״̬»úµÄTIME_WAIT״̬¡£
²Î¿´Õâ¸öÁ´½Ó"closing half-open connections"
http://www-mice.cs.ucl.ac.uk/multimedia/misc/tcp_ip/8707.mm.www/0009.html
1987Äê10ÔÂ1ÈÕ(¿ÉÕæ¹»ÔçµÄ)cdjohns@nswc-g.arpaÌṩÁËÒ»¸öshell script£¬ÓÃÓÚ
SunOS 4.xϵͳÏ¿ìËÙÖÕ½áTCPÓÐÏÞ״̬»úµÄTIME_WAIT״̬¡£ºÜÆæ¹Ö£¬Õâ¸ö½Å±¾²¢Î´
µÃµ½ÈËÃǵÄ×ã¹»ÖØÊÓ²¢¹ã·ºÁ÷´«£¬Ö±µ½SunOS 4.xÍ˳öÀúÊ·Îę̀£¬ËüÒ²¾ÍÏúÉùÄä¼£ÁË¡£
×òÌì±»backend´Ó¹ÊÖ½¶ÑÀï·Á˳öÀ´£¬ÎÒÃǾͳûúÒÆÖ²µ½SPARC/Solaris 8ÏÂÀ´¡£
²Î¿´UNP
ͼ2.4Á˽âTCPÓÐÏÞ״̬»úµÄ±äǨ¹ý³Ì¡£
/usr/include/netinetÀïµÄÎļþ¶àÊÇΪÓû§¿Õ¼ä±à³Ì×¼±¸µÄ£¬/usr/include/inetÀï
µÄÎļþ¶àÊÇΪÄں˿ռä±à³Ì×¼±¸µÄ¡£ÏÂÃæÄÚÈÝÈ¡×ÔSPARC/Solaris 8
--------------------------------------------------------------------------
/*
* /usr/include/inet/tcp.h
*/
/*
* TCP
states
*/
#define TCPS_CLOSED -6
#define TCPS_IDLE -5 /*
idle (opened, but not bound) */
#define TCPS_BOUND -4 /* bound,
ready to connect or accept */
#define TCPS_LISTEN -3 /*
listening for connection */
#define TCPS_SYN_SENT -2 /* active,
have sent syn */
#define TCPS_SYN_RCVD -1 /* have received syn
(and sent ours) */
/*
* states < TCPS_ESTABLISHED are
those where connections not established
*/
#define
TCPS_ESTABLISHED 0 /* established */
#define TCPS_CLOSE_WAIT 1
/* rcvd fin, waiting for close */
/*
* states >
TCPS_CLOSE_WAIT are those where user has closed
*/
#define
TCPS_FIN_WAIT_1 2 /* have closed and sent fin */
#define
TCPS_CLOSING 3 /* closed, xchd FIN, await FIN ACK */
#define
TCPS_LAST_ACK 4 /* had fin and close; await FIN ACK */
/*
*
states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await
ACK of FIN
*/
#define TCPS_FIN_WAIT_2 5 /* have closed, fin
is acked */
#define TCPS_TIME_WAIT 6 /* in 2*msl quiet wait
after close */
#if (defined(_KERNEL) || defined(_KMEMUSER))
/*
* If the information represented by the field is
required even in the
* TIME_WAIT state, it must be part of
tcpb_t. Otherwise it must be part
* of tcp_t. In other words,
the tcp_t captures the information that is
* not required, after
a connection has entered the TIME_WAIT state.
*/
typedef
struct tcp_base_s
{
struct tcp_base_s *tcpb_bind_hash; /*
Bind hash chain */
struct tcp_base_s **tcpb_ptpbhn; /* Pointer
to previous bind hash next. */
struct tcp_base_s
*tcpb_conn_hash; /* Connect hash chain */
struct tcp_base_s
**tcpb_ptpchn; /* Pointer to previous conn hash next. */
struct
tcp_base_s *tcpb_time_wait_next; /* Pointer to next T/W block */
struct tcp_base_s *tcpb_time_wait_prev; /* Pointer to previous
T/W next */
/*
* /usr/include/sys/types.h
* typedef long
clock_t;
* offset: 8 * 6 -> 48 -> 0x30£¬clock_tÕ¼8¸ö×Ö½Ú(64-bit
kernel mode)
*/
clock_t tcpb_time_wait_expire; /* time in hz
when t/w expires */
clock_t tcpb_last_rcv_lbolt; /* lbolt on
last packet, used for PAWS */
/*
* offset: 0x40
*/
int32_t tcpb_state;
int32_t tcpb_rcv_ws; /* My window scale
power */
int32_t tcpb_snd_ws; /* Sender's window scale power */
uint32_t tcpb_ts_recent; /* Timestamp of earliest unacked */
/*
* data segment
* offset: 0x50
*/
clock_t
tcpb_rto; /* Round trip timeout */
uint32_t tcpb_snd_ts_ok : 1,
tcpb_snd_ws_ok : 1,
tcpb_is_secure : 1,
tcpb_reuseaddr :
1, /* SO_REUSEADDR "socket" option. */
tcpb_exclbind : 1, /*
********exclusive'' binding */
tcpb_junk_fill_thru_bit_31 : 27;
/*
* offset: 0x5c
*/
uint32_t tcpb_snxt; /* Senders
next seq num */
uint32_t tcpb_swnd; /* Senders window (relative
to suna) */
uint32_t tcpb_mss; /* Max segment size */
uint32_t tcpb_iss; /* Initial send seq num */
/*
*
offset: 0x6c
*/
uint32_t tcpb_rnxt; /* Seq we expect to recv
next */
uint32_t tcpb_rwnd; /* Current receive window */
/*
* /usr/include/sys/mutex.h
* ÎÞÂÛ64-bit»¹ÊÇ32-bit kernel
mode£¬kmutex_t¶¼Õ¼8×ֽڿռ䣬ÕâÀïÐèÒª¶Ô
* ÆëÔÚÊý¾ÝÀàÐÍ×ÔÈ»Á¬½çÉÏ£¬0x6c + 8 ->
0x74²»ÔÚkmutex_t×ÔÈ»±ß½çÉÏ£¬¼Ì
* ÐøºóÒÆ4¸ö×Ö½Ú
*
* offset: 0x78
*/
kmutex_t tcpb_reflock; /* Protects tcp_refcnt */
/*
*
offset: 0x80
*/
ushort_t tcpb_refcnt; /* Number of pending
upstream msg */
union
{
struct
{
uchar_t v4_ttl;
/* Dup of tcp_ipha.iph_type_of_service */
uchar_t v4_tos; /* Dup
of tcp_ipha.iph_ttl */
} v4_hdr_info;
struct
{
/*
* ¶ÔÆëÔÚuint_tµÄ×ÔÈ»±ß½çÉÏ
* offset: 0x84
*/
uint_t v6_vcf;
/* Dup of tcp_ip6h.ip6h_vcf */
/*
* offset: 0x88
*/
uchar_t v6_hops; /* Dup of tcp_ip6h.ip6h_hops */
}
v6_hdr_info;
} tcpb_hdr_info;
#define tcpb_ttl
tcpb_hdr_info.v4_hdr_info.v4_ttl
#define tcpb_tos
tcpb_hdr_info.v4_hdr_info.v4_tos
#define tcpb_ip6_vcf
tcpb_hdr_info.v6_hdr_info.v6_vcf
#define tcpb_ip6_hops
tcpb_hdr_info.v6_hdr_info.v6_hops
/*
* offset:
0x8c£¬ÏÈÊÇÔ¶¶ËµØÖ·£¬ºóÊDZ¾µØµØÖ·
* /usr/include/netinet/in.h
*
in6_addr_t³¤16×Ö½Ú£¬ÔÚÄں˿ռäÀïÕâ¸ö½á¹¹¶ÔÆëÔÚuint32_tµÄ×ÔÈ»±ß½çÉÏ
*/
in6_addr_t
tcpb_remote_v6; /* true remote address - needed for */
/* source
routing. */
in6_addr_t tcpb_bound_source_v6; /* IP address in
bind_req */
/*
* offset: 0xac
*/
in6_addr_t
tcpb_ip_src_v6; /* same as tcp_iph.iph_src. */
#ifdef
_KERNEL
/*
* Note: V4_PART_OF_V6 is meant to be used only
for _KERNEL defined stuff
*/
#define tcpb_remote
V4_PART_OF_V6(tcpb_remote_v6)
#define tcpb_bound_source
V4_PART_OF_V6(tcpb_bound_source_v6)
#define tcpb_ip_src
V4_PART_OF_V6(tcpb_ip_src_v6)
#endif /* _KERNEL */
/*
* These fields contain the same information as
tcp_tcph->th_*port.
* However, the lookup functions can not
use the header fields
* since during IP option manipulation the
tcp_tcph pointer
* changes.
*/
/*
* offset:
0xbc£¬ÏÈÊÇÔ¶¶Ë¶Ë¿Ú£¬ºóÊDZ¾µØ¶Ë¿Ú
*/
union
{
struct
{
in_port_t tcpu_fport; /* Remote port */
in_port_t
tcpu_lport; /* Local port */
} tcpu_ports1;
uint32_t
tcpu_ports2; /* Rem port, local port */
/*
* Used for
TCP_MATCH performance
*/
} tcpb_tcpu;
#define tcpb_fport
tcpb_tcpu.tcpu_ports1.tcpu_fport
#define tcpb_lport
tcpb_tcpu.tcpu_ports1.tcpu_lport
#define tcpb_ports
tcpb_tcpu.tcpu_ports2
/*
* IP sends back 2 mblks with the
unbind ACK for handling
* IPSEC policy for detached connections.
Following two fields
* are initialized then.
*/
mblk_t
*tcpb_ipsec_out;
mblk_t *tcpb_ipsec_req_in;
/*
* offset:
0xd0
*/
tcp_t *tcpb_tcp;
/*
* offset: 0xd8
*/
/*
* IP format that packets transmitted from this struct
should use.
* Value can be IPV4_VERSION or IPV6_VERSION.
Determines whether
* IP+TCP header template above stores an IPv4
or IPv6 header.
*/
ushort_t tcpb_ipversion;
uint_t
tcpb_bound_if; /* IPV6_BOUND_IF */
uid_t tcpb_ownerid; /* uid of
process that did open */
#define tcp_bind_hash
tcp_base->tcpb_bind_hash
#define tcp_ptpbhn
tcp_base->tcpb_ptpbhn
#define tcp_conn_hash
tcp_base->tcpb_conn_hash
#define tcp_ptpchn
tcp_base->tcpb_ptpchn
#define tcp_time_wait_next
tcp_base->tcpb_time_wait_next
#define tcp_time_wait_prev
tcp_base->tcpb_time_wait_prev
#define tcp_time_wait_expire
tcp_base->tcpb_time_wait_expire
#define tcp_last_rcv_lbolt
tcp_base->tcpb_last_rcv_lbolt
#define tcp_state
tcp_base->tcpb_state
#define tcp_rcv_ws
tcp_base->tcpb_rcv_ws
#define tcp_snd_ws
tcp_base->tcpb_snd_ws
#define tcp_ts_recent
tcp_base->tcpb_ts_recent
#define tcp_rto
tcp_base->tcpb_rto
#define tcp_snd_ts_ok
tcp_base->tcpb_snd_ts_ok
#define tcp_snd_ws_ok
tcp_base->tcpb_snd_ws_ok
#define tcp_is_secure
tcp_base->tcpb_is_secure
#define tcp_snxt
tcp_base->tcpb_snxt
#define tcp_swnd tcp_base->tcpb_swnd
#define tcp_mss tcp_base->tcpb_mss
#define tcp_iss
tcp_base->tcpb_iss
#define tcp_rnxt tcp_base->tcpb_rnxt
#define tcp_rwnd tcp_base->tcpb_rwnd
#define tcp_reflock
tcp_base->tcpb_reflock
#define tcp_refcnt
tcp_base->tcpb_refcnt
#define tcp_remote_v6
tcp_base->tcpb_remote_v6
#define tcp_remote
tcp_base->tcpb_remote
#define tcp_bound_source_v6
tcp_base->tcpb_bound_source_v6
#define tcp_bound_source
tcp_base->tcpb_bound_source
#define tcp_lport
tcp_base->tcpb_tcpu.tcpu_ports1.tcpu_lport
#define tcp_fport
tcp_base->tcpb_tcpu.tcpu_ports1.tcpu_fport
#define tcp_ports
tcp_base->tcpb_tcpu.tcpu_ports2
#define tcp_ipsec_out
tcp_base->tcpb_ipsec_out
#define tcp_ipsec_req_in
tcp_base->tcpb_ipsec_req_in
#define tcp_ipversion
tcp_base->tcpb_ipversion
#define tcp_bound_if
tcp_base->tcpb_bound_if
#define tcp_reuseaddr
tcp_base->tcpb_reuseaddr
#define tcp_exclbind
tcp_base->tcpb_exclbind
#define tcp_ownerid
tcp_base->tcpb_ownerid
} tcpb_t;
#endif /*
(defined(_KERNEL) || defined(_KMEMUSER)) */
--------------------------------------------------------------------------
ÏÂÃæÕâÁ½ÌõÃüÁîÆäʵÊÇÓ÷ֺÅÁ¬ÔÚÒ»ÆðÖ´Ðеģ¬·ñÔòÇ°ºóÊý¾Ý²»¶ÔÓ¦£¬ÎÒÊÇtelnetÉÏ
È¥Ö´ÐÐÃüÁî¡£
# ndd /dev/tcp tcp_status | grep ESTABLISHED
TCPB dest
snxt suna swnd rnxt rack rwnd rto mss w sw rw t recent [lport,fport]
state
30000cc21d0 ::ffff:192.168.5.8 8e0e46dc 8e0e46da
0000064010 3d49e751 3d49e751 0000024820 00583 01460 0 00 00 0
00000000 [23, 4613] TCP_ESTABLISHED
# skd64 0x30000cc21d0 256
byteArray [ 256 bytes ] ---->
0000000000000000 00 00 03
00 00 47 C1 80-00 00 00 00 10 48 18 88 .....GÁ€.....H.?
0000000000000010 00 00 00 00 00 00 00 00-00 00 03 00 00 3A 60 80
.............:****€
0000000000000020 00 00 00 00 00 00 00 00-00
00 00 00 00 00 00 00 ................
0000000000000030 00 00 00
00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000000000000040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
................
0000000000000050 00 00 00 00 00 00 02 47-10 00
00 00 8E 0E 46 DC .......G....?F?
0000000000000060 00 00 FA 0A
00 00 05 B4-8E 0B 77 07 3D 49 E7 51 ..?...´Ž.w.=IçQ
0000000000000070 00 00 60 F4 00 00 00 00-00 00 00 00 00 00 00 00
..****?...........
0000000000000080 00 01 00 00 3C 00 00 00-3C
00 00 00 00 00 00 00 ....<...<.......
0000000000000090 00
00 00 00 00 00 FF FF-C0 A8 05 08 00 00 00 00 ......ÿÿÀ¨......
00000000000000A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
................
00000000000000B0 00 00 00 00 00 00 FF FF-C0 A8
05 82 12 05 00 17 ......ÿÿÀ¨.?...
00000000000000C0 00 00 00 00 00
00 00 00-00 00 00 00 00 00 00 00 ................
00000000000000D0 00 00 03 00 00 BB 6F D0-00 04 00 00 00 00 00 00
.....»o?.......
00000000000000E0 00 00 00 00 00 00 00 00-00 00 00
00 00 00 00 00 ................
00000000000000F0 00 00 03 00 00
08 2B 68-00 00 00 00 00 00 00 00 ......+h........
#
ÏÔÈ»0x30000cc21d0¶ÔÓ¦×ÅÒ»¸ötcpb_t½á¹¹¡£
# adb -k /dev/ksyms
/dev/mem
physmem 3b68
0x30000cc21d0$<tcpb
30000cc21d0: tcp_bind_hash tcp_ptpbhn tcp_conn_hash
3000047c180 10481888 0
30000cc21e8: tcp_ptpchn
time_wait_next time_wait_prev
300003a6080 0 0
30000cc2200:
time_wait_expir last_rcv_lbolt tcp_state
0 0 0
30000cc2214:
tcp_rcv_ws tcp_snd_ws tcp_ts_recent
0 0 0
30000cc2220:
tcp_rto
24c
snd_ts_ok 0
snd_ws_ok 0
is_secure 0
reuseaddr 1
exclbind 0
30000cc222c: tcp_snxt
tcp_swnd tcp_mss
8e176ce4 f8dc 5b4
30000cc2238: tcp_iss
tcp_rnxt tcp_rwnd
8e0b7707 3d49ecf0 60f4
30000cc2248:
tcpb_reflock
30000cc2248: owner/waiters
0
30000cc2250: tcp_refcnt tcpb_vcf tcpb_hops
1
3c000000 3c
30000cc225c: tcpb_remote_v6
30000cc225c: 0 0
ffff c0a80508
30000cc226c: tcpb_bound_source_v6
30000cc226c: 0 0 0 0
30000cc227c: tcpb_ip_src_v6
30000cc227c: 0 0 ffff c0a80582
30000cc228c:
tcpu_fport tcpu_lport ipsec_out
1205 17 0
30000cc2298:
ipsec_req_in tcpb_tcp tcpb_ipversion
0 30000bb6fd0 4
30000cc22ac: bound_if ownerid
0 0
$q
#
ÓÚÊÇÎÒÃÇ¿ÉÒÔдÕâÑùÒ»¸ö½Å±¾kill_timewait.sh
--------------------------------------------------------------------------
#! /sbin/sh
#
#
# @(#)kill_timewait.sh
2002-07-07 NSFocus Copyleft 2002-2012
#
# Notice here is
copyleft but not copyright, enjoy it by yourself.
#
#
------------------------------------------------------------------------
# File : kill_timewait.sh
# Platform : SPARC/Solaris 8
64-bit kernel mode
# Author : NSFocus Security Team
<security@nsfocus.com>
# : http://www.nsfocus.com
#
Date : 2002-07-07 12:27
# Modify :
# Thanks :
cdjohns@nswc-g.arpa for SunOS 4.x implementation
#
netstat -na -P tcp -f inet | grep TIME_WAIT
echo
echo 'TCPB dest [lport,fport] state'
echo
ndd /dev/tcp
tcp_status | nawk '{print $1 " " $2 " " $16 $17 " " $18}' | egrep
'TIME_WAIT'
echo
/usr/bin/echo 'TCPB address to
terminate: \c'
read tcpb_addr
echo
adb -k /dev/ksyms
/dev/mem << NSFOCUS_EOF
$tcpb_addr\$</usr/lib/adb/sparcv9/tcpb
\$q
NSFOCUS_EOF
#
# Check to see if this was the correct
address and TCPB. state should be 6
#
echo
echo
'tcp_state = 6 = TCPS_TIME_WAIT'
/usr/bin/echo 'Is this the
correct TCPB (y/n)? \c'
read answer
echo
case $answer in
[Yy]*)
;;
*)
echo 'No Changes.'
exit
;;
esac
#
# Kernel Hacking, please. These value are
expressed in hexadecimal.
#
TIME_WAIT_EXPIRE_OFFSET=0x30
STATE_OFFSET=0x40
#
# This value is expressed in
decimal and must be greater than zero.
#
TIME_WAIT_EXPIRE=0t06
#
# Use adb on kernel to set
the tcpb_time_wait_expire=6 and
# tcpb_state=TCPS_CLOSED (-6)
#
adb -kw /dev/ksyms /dev/mem << NSFOCUS_EOF
$tcpb_addr+$TIME_WAIT_EXPIRE_OFFSET/Z $TIME_WAIT_EXPIRE
$tcpb_addr+$STATE_OFFSET/W -6
\$q
NSFOCUS_EOF
echo
echo "TIME_WAIT state will disappear."
echo
netstat -na -P tcp -f inet | grep TIME_WAIT
--------------------------------------------------------------------------
²»ÒªÉèÖÃtcpb_time_wait_expire³ÉÁ㣬ֻҪÊÇÒ»¸öºÜСµÄÖµ¾Í¿ÉÒÔÁË¡£ÕâÀï±ØÐëͬ
ʱÉèÖÃtcpb_time_wait_expireºÍtcpb_state£¬Ö»ÉèÖÃÆäÖÐÒ»¸ö´ï²»µ½Ð§¹û¡£
ÀûÓÃadb´ÓTCPS_ESTABLISHED±äΪTCPS_CLOSE_WAIT£¬¿ÉÒÔʹһÌõTCPÁ¬½Ó²»ÔÙ¹¤×÷£¬
µ«ÕâÌõÁ¬½Ó²¢Î´Ïú»Ù£¬tcpb_t½á¹¹Ò²Î´É¾³ý¡£
ÀûÓÃadb´ÓTCPS_ESTABLISHED±äΪTCPS_CLOSED£¬»áµ¼ÖÂÕû¸ö²Ù×÷ϵͳ±ÀÀ£¡£¿ÉÄÜÊÇÏÂ
²ãtcpb_t½á¹¹±»É¾³ý£¬¶øÉϲãsocket²¢²»Á˽⣬³öÏÖ·Ç·¨Ö¸Õë¡£
¼ò»¯Ò»ÏÂkill_timewait.sh
--------------------------------------------------------------------------
#! /sbin/sh
ndd /dev/tcp tcp_status | nawk '{print $1 "
" $2 " " $16 $17 " " $18}' | egrep 'TIME_WAIT'
echo
/usr/bin/echo 'TCPB address to terminate: \c'
read tcpb_addr
echo
adb -kw /dev/ksyms /dev/mem << NSFOCUS_EOF
$tcpb_addr+0x30/Z 0t6
$tcpb_addr+0x40/W -6
\$q
NSFOCUS_EOF
--------------------------------------------------------------------------
»¹¿ÉÒÔдһ¸ö½Å±¾×Ô¶¯Çå³ýËùÓÐTIME_WAIT״̬TCPÁ¬½Ó
--------------------------------------------------------------------------
#! /sbin/sh
ndd /dev/tcp tcp_status | nawk '{print $1 "
" $2 " " $16 $17 " " $18}' | \
egrep 'TIME_WAIT' | cut -d' ' -f1
| while read tcpb_addr
do
adb -kw /dev/ksyms /dev/mem
<< NSFOCUS_EOF
$tcpb_addr+0x30/Z 0t6
$tcpb_addr+0x40/W
-6
\$q
NSFOCUS_EOF
done
---------------------------------------------------------------------- |
Ê×Ò³ 
СéÅÈí¼þʵÑéÊÒ 
µ¶¹âÑ©Ó° 
SPARC/Solaris 8Ï¿ìËÙÖÕ½áTCPÓÐÏÞ״̬»úµÄ... 
½«´ËÒ³·¢¸øÄúµÄÅóÓÑ
±à¼
ɾ³ý
·¢±íÓÚ 2002-08-02.15:36:32¡¡
IP:
