Jordan Sissel
geek

Fri, 03 Aug 2007

Overriding shared library functions

Long story short...

File: 'connect.over' contains

    #include <netinet/in.h>

    override(`connect', `
      {
        // code to inject before the connect() call is actually made
      }
    ')

Output is 'connect.so' which overrides libc's connect function.

    % LD_PRELOAD=./connect.so nc google.com 80
    stream connect: fd=3 host=64.233.187.99:80
    % LD_PRELOAD=./connect.so nc -u 129.21.60.9 53
    dgram connect: fd=3 host=129.21.60.9:53
    % LD_PRELOAD=./connect.so ssh scorn
    stream connect: fd=3 host=129.21.60.26:22
    stream connect: fd=4 host=109.112.47.115:12148
    scorn(~) %

The output by nc was due to my function above outputting this.

The strange ssh connection on fd=4 above is seemingly due to ssh calling connect() on a tty? fstat says:

    jls      ssh         3221    4 /dev        122 crw--w----   ttypd rw

inode 122 on /dev is /dev/ttypd.
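
A connect() hook sees every address family, so a logger that decodes each sockaddr as IPv4 prints garbage for the others. The added example below (not the author's liboverride code; `format_naive`, `format_peer` and the socket path are constructed for illustration) formats the peer by `sa_family`, and shows that a Unix-domain path beginning "/tmp/s" decodes as 109.112.47.115:12148 when read as a sockaddr_in: 109, 112, 47, 115 are the ASCII bytes "mp/s" and port 12148 (0x2F74) is "/t".

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Naive formatter: decodes the address as IPv4 whatever sa_family says. */
int format_naive(const struct sockaddr *sa, char *out, size_t n) {
  struct sockaddr_in in; char ip[INET_ADDRSTRLEN];
  memcpy(&in, sa, sizeof(in));
  inet_ntop(AF_INET, &in.sin_addr, ip, sizeof(ip));
  return snprintf(out, n, "%s:%u", ip, (unsigned)ntohs(in.sin_port));
}

/* Family-aware formatter: checks sa_family and the length before decoding. */
int format_peer(const struct sockaddr *sa, socklen_t len, char *out, size_t n) {
  char ip[INET6_ADDRSTRLEN];
  if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
    struct sockaddr_in in; memcpy(&in, sa, sizeof(in));
    inet_ntop(AF_INET, &in.sin_addr, ip, sizeof(ip));
    return snprintf(out, n, "%s:%u", ip, (unsigned)ntohs(in.sin_port));
  }
  if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
    struct sockaddr_in6 in6; memcpy(&in6, sa, sizeof(in6));
    inet_ntop(AF_INET6, &in6.sin6_addr, ip, sizeof(ip));
    return snprintf(out, n, "[%s]:%u", ip, (unsigned)ntohs(in6.sin6_port));
  }
  if (sa->sa_family == AF_UNIX && len > offsetof(struct sockaddr_un, sun_path)) {
    const char *p = ((const struct sockaddr_un *)sa)->sun_path;
    size_t max = len - offsetof(struct sockaddr_un, sun_path);
    const char *end = memchr(p, '\0', max);  /* path may lack a terminator */
    return snprintf(out, n, "unix:%.*s", (int)(end ? end - p : (long)max), p);
  }
  return snprintf(out, n, "family=%d len=%u", (int)sa->sa_family, (unsigned)len);
}

/* Constructed sample: a Unix-domain address pushed through both formatters. */
int main(void) {
  struct sockaddr_un un = { .sun_family = AF_UNIX, .sun_path = "/tmp/ssh-EXAMPLE/agent.1" };
  char a[160], b[160];
  format_naive((struct sockaddr *)&un, a, sizeof(a));
  format_peer((struct sockaddr *)&un, sizeof(un), b, sizeof(b));
  printf("naive: %s\naware: %s\n", a, b);
  return 0;
}
```
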

Permalink: /geekery/overriding-shared-library-functions
posted at: 22:16

CiscoGate and DefCon

The 'CiscoGate' talk just wrapped up.

I was at Defcon 13 when the Cisco/ISS fiasco was going on, but all I had heard was rumors and gossip about what was going on. The talk had some really good content and filled in lots of gaps in information for me. Interesting to see how insane the problem (dealing with Cisco/ISS/FBI/etc) was and that it took 5 months after the event until the problem was fully resolved (the data was finally cleaned up to Cisco's satisfaction).

I tried to attend Bruce Potter's talk but it seems his popularity is too much as a speaker, and we got booted out because there were too many people. Guess I'll have to wait for the video.

I've also been working on some new shared library overriding code that I'll get around to describing later.

Permalink: /geekery/defcon-15-1
posted at: 21:02
