FreeBSD ipfw+ECE proof of concept code
--------------------------------------

Code written by Plathond (jacques4i@yahoo.com) for Sensepost:
(info@sensepost.com, http://sensepost.com)
Original bug found by: Aragon Gouveia <aragon@phat.za.net>

How it works:
-------------
Using FreeBSD divert rule, all outgoing traffic (or as specified in
ipfw rule) will be diverted to the ecepass process - the ECE flag will 
be added. Traffic directed to hosts behind ipfw-based firewall will be 
passed, rendering the firewall useless if it makes use of the "allow 
all from any to any established" rule.

How to use:
-----------
1. Make sure your kernel is compiled with the following options:
 options         IPDIVERT
 options         IPFIREWALL

2. gcc -o ecepass ecepass.c

3. ./ecepass &
 
4. ipfw add 5 divert 7000 tcp from any to any

5. All TCP traffic will now have the ECE flag added to it.


PS1: obviously you need to make sure that the last ipfw rule allows 
     traffic e.g.:
     00001 divert 7000 tcp from any to any
     65535 allow ip from any to any

PS2: as the exploit uses "ipfw divert" it only works on FreeBSD. 
     Ironic eh?



spidermark: sensepostdata ece