I am currently trying to solve a Capture The Flag challenge that involves trying to escalate privileges by taking advantage of an exploit in a bash script.
The script first does the following to get all sockets with TCP protocol in the LISTEN state:
output=$($_netstat -ntpl 2>/dev/null | $_egrep '^t')
and then it parses the output line by line. One of the things it does for each line is this:
if [[ "$cur_syn" == "0" || "$max_syn" != "$cur_syn" ]]; then continue; fi
$cur_syn is the value of the Recv-Q column as returned by netstat, and $max_syn is the value of the
So, only a socket that is in the LISTEN state and with Recv-Q != 0 and Recv-Q==Send-Q will pass these checks.
netstat's man page states that:
Recv-Q Established: The count of bytes not copied by the user program connected to this socket. Listening: Since Kernel 2.6.18 this column contains the current syn backlog.
Send-Q Established: The count of bytes not acknowledged by the remote host. Listening: Since Kernel 2.6.18 this column contains the maximum size of the syn backlog.
The thing is, I seem not to be able to create a socket that has a Send-Q different from 0.
If my interpretation is correct, the Send-Q value for a socket that is listening is the max size of the backlog, which is the backlog param in C's listen(2) function. But even when I create a listening server socket with a backlog of size 3, netstat still reports the Send-Q as being 0! What am I doing wrong?
FYI, I have managed to make the Recv-Q change by having multiple clients connect to a server socket that has received a SIGSTOP. Recv-Q goes up all the way to maximum size of the syn backlog + 1, and then all connections are refused. But alas, Send-Q remains unchanged.
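The Recv-Q and Send-Q columns that net-tools netstat prints for a TCP socket are read from the rx_queue and tx_queue fields of that socket's row in /proc/net/tcp. The program below is an added example (my own code, not from the question or the CTF script; the names make_listener, connect_unaccepted and proc_queues are invented here): it creates a listener on 127.0.0.1 with a backlog of 3, reads its row back by socket inode, then parks one connection that the server never accept()s and reads the row again, so you can see which column the kernel actually changes. For a LISTEN socket the rx_queue column is the number of completed connections waiting in the accept queue, while tx_queue is derived from the send sequence numbers, which a listener never uses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
struct queues { unsigned state, tx, rx; };

/* st, tx_queue, rx_queue of fd's /proc/net/tcp row (by socket inode): netstat's State, Send-Q, Recv-Q. */
int proc_queues(int fd, struct queues *q) {
    struct stat st; if (fstat(fd, &st)) return -1;
    FILE *f = fopen("/proc/net/tcp", "r"); if (!f) return -1;
    char line[512]; int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long ino; /* columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode */
        if (sscanf(line, "%*d: %*[0-9A-Fa-f]:%*[0-9A-Fa-f] %*[0-9A-Fa-f]:%*[0-9A-Fa-f]"
                         " %x %x:%x %*x:%*lx %*x %*u %*d %lu",
                   &q->state, &q->tx, &q->rx, &ino) == 4 && ino == (unsigned long)st.st_ino) {
            rc = 0; break;
        }
    }
    fclose(f);
    return rc;
}

/* Listening TCP socket on 127.0.0.1, ephemeral port, with the given backlog; -1 on failure. */
int make_listener(int backlog) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0 };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a) || listen(fd, backlog)) { close(fd); return -1; }
    return fd;
}

/* Connect a client while the server never calls accept(): the finished handshake stays queued on the listener. */
int connect_unaccepted(int lfd) {
    struct sockaddr_in a; socklen_t len = sizeof a;
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || getsockname(lfd, (struct sockaddr *)&a, &len) || connect(c, (struct sockaddr *)&a, sizeof a)) { close(c); return -1; }
    return c;
}

int main(void) {
    struct queues q;
    int lfd = make_listener(3);
    if (lfd < 0 || proc_queues(lfd, &q)) { perror("listener"); return 1; }
    printf("LISTEN, backlog 3, nothing pending: st=%02X Send-Q=%u Recv-Q=%u\n", q.state, q.tx, q.rx);
    if (connect_unaccepted(lfd) >= 0 && proc_queues(lfd, &q) == 0)
        printf("LISTEN, one unaccepted connection:  st=%02X Send-Q=%u Recv-Q=%u\n", q.state, q.tx, q.rx);
    return 0;
}
```

The backlog value the man page describes is exposed through the inet_diag netlink interface rather than /proc/net/tcp, which is what ss -ltn reads and prints as Send-Q for listening sockets.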