[21723] in bugtraq
CodeRed worm honeypot & reverse-tester (in Java)
daemon@ATHENA.MIT.EDU (Chad Loder)
Fri Jul 20 11:19:09 2001
Message-Id: <5.1.0.14.2.20010720000427.03a2f440@pop-server.socal.rr.com>
Date: Fri, 20 Jul 2001 00:25:49 -0700
To: bugtraq@securityfocus.com
From: Chad Loder <cloder@acm.org>
For shits and giggles, I whipped up a little Java program that serves two functions:

- when invoked with a single argument, it connects to that host on port 80, issues an IDQ-style request according to Chris St. Clair's recently posted testing methodology (only tested on IIS/5.0), and tells you if the server appears to be vulnerable or not

  for example:

  $ javac CodeRedLogger.java
  $ java CodeRedLogger infected.system.com

- when invoked with no arguments, it turns into a little multithreaded web server on port 80, which for each client connect, sees if the client sends the attack signature, and if so, connects back to the client on port 80 and performs the test mentioned above

  for example:

  $ javac CodeRedLogger.java
  $ java CodeRedLogger
  (sit back and wait)

I just wrote this off the top of my head and tested it on a few servers. Maybe someone wants to modify the tests to handle IIS 4.0 servers. :)

The typical disclaimer for exploit code applies: don't use it unless you're allowed to. I wouldn't run this on a public server, and I certainly wouldn't try to reverse-connect and inject the lysine deficiency via shellcode (although I bet it would be easy). :)

I also would not recommend trying to do a WHOIS or trying to send email to the server's sysadmin, because that could just burden the infected systems even more.

Again, I just wrote it for shits and giggles. I redirected port 80 on my firewall at home to go to my home PC, and then have been running it on my home PC, so I can watch worm requests come in through my cable modem. :)

I've compiled and tested this under Sun JDK 1.2; it should work on any 1.2 and later JDK.
Chad Loder
Principal Engineer
Rapid 7, Inc.
http://www.rapid7.com
Attachment: CodeRedLogger.java

import java.net.*;
import java.io.*;

public class CodeRedLogger
{
   public static void main(String[] args)
   {
      try
      {
         if (args.length == 0)
         {
            CodeRedLogger logger = new CodeRedLogger();
            logger.doServer();
         }
         else
         {
            int inf = testInfected(InetAddress.getByName(args[0]));
            printResults(inf, args[0]);
         }
      }
      catch (Throwable t)
      {
         t.printStackTrace();
      }
   }

   // Honeypot mode: accept connections on port 80 and hand each one to its own thread.
   public void doServer()
      throws IOException
   {
      ServerSocket ss = new ServerSocket(80);
      while (true)
      {
         try
         {
            Socket client = ss.accept();
            System.out.println("\t...connect from: " + client.getInetAddress());
            // start() rather than run(), so a slow client does not block the accept loop
            new ClientThread(client).start();
         }
         catch (IOException e)
         {
            System.err.println("\t...exception: " + e.toString());
         }
      }
   }

   class ClientThread extends Thread
   {
      public ClientThread(Socket client) { m_client = client; }

      public void run() {
         try
         {
            m_client.setSoTimeout(60000); // read timeout of 1 minute
            BufferedReader rdr = new BufferedReader(new InputStreamReader(
               m_client.getInputStream(), "UTF-8"));

            String attack = rdr.readLine();
            if (attack == null)
               return;

            System.out.println("\t..." + m_client.getInetAddress() + ": " + attack);

            // only act on the worm's request line; anything else is ignored
            if (!attack.toUpperCase().startsWith("GET /DEFAULT.IDA?"))
            {
               return;
            }

            rdr.close();
            m_client.close();

            int inf = testInfected(m_client.getInetAddress());
            printResults(inf, m_client.getInetAddress().toString());
         }
         catch (Throwable t)
         {
            System.out.println("\t..." + m_client.getInetAddress() + ": " + t.toString());
         }
         finally
         {
            System.out.println("\t..." + m_client.getInetAddress() + " finished");
            try  { m_client.close(); } catch (IOException e) { /* ignore */ }
         }
      }

      private Socket m_client;
   }

   private static void printResults(int inf, String str)
   {
      if (inf == 1)
         System.out.println(str + ": VULNERABLE");
      else if (inf == 0)
         System.out.println(str + ": PATCHED");
      else if (inf == -1)
         System.out.println(str + ": COULD NOT CONNECT");
      else if (inf == -2)
         System.out.println(str + ": UNKNOWN");
      else
         System.out.println(str + ": ???");
   }

   private static int testInfected(InetAddress addr)
      throws IOException
   {
      // try to connect back to the client on port 80, see if they're vulnerable
      System.out.println("\t...connecting to: " + addr);
      Socket reverse;
      try
      {
         reverse = new Socket(addr, 80);
      }
      catch (Throwable t)
      {
         return -1; // couldn't connect
      }

      try
      {
         reverse.setSoTimeout(60000);
         Writer w = new OutputStreamWriter(reverse.getOutputStream(), "UTF-8");
         w.write("GET /NULL.ida?");
         w.write(ms_reverseRequest);
         w.write("=x HTTP/1.0\r\n\r\n");
         w.flush();
         System.out.println("\t...sent request to: " + addr);

         BufferedReader revRdr = new BufferedReader(new InputStreamReader(
            reverse.getInputStream(), "UTF-8"));

         // check up to 30 lines of the response; stop cleanly at end of stream
         // instead of dereferencing a null line
         String line;
         for (int i = 0; i < 30 && (line = revRdr.readLine()) != null; i++)
         {
            // System.out.println(line);
            if (line.indexOf("The IDQ file NULL.ida could not be found.") >= 0)
               return 1; // unpatched
            else if (line.indexOf("Error 0x80040e14 caught while processing query") >= 0)
               return 0; // patched
         }

         return -2; // who knows
      }
      finally
      {
         reverse.close();
      }
   }

   // 200 bytes of filler for the IDQ-style test request
   private static String ms_reverseRequest;
   static
   {
      StringBuffer buff = new StringBuffer(200);
      for (int i = 0; i < 200; i++)
      {
         buff.append('x');
      }

      ms_reverseRequest = buff.toString();
   }
}
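An added example, not the post's Java and not code from its author: the two checks the program makes, redone in Python over constructed input from the defender's side, recognising the worm's request line in a honeypot or access log and classifying a captured IIS response with the markers the post uses. The "source-ip request-line" log format and the 100-byte query-length threshold are assumptions of this example.

```python
import re
from typing import Dict, Iterable

# Request-line signature the honeypot mode keys on (case-insensitive), plus a
# length check added here: the worm's query string is hundreds of bytes of
# filler, while an ordinary .ida request is short (100 is a constructed threshold).
PROBE_RE = re.compile(r"^GET\s+/default\.ida\?(?P<query>\S*)\s+HTTP/1\.[01]$", re.IGNORECASE)
MIN_QUERY_LEN = 100

# Response markers from the post's IIS 5.0 testing methodology.
UNPATCHED_MARKER = "The IDQ file NULL.ida could not be found."
PATCHED_MARKER = "Error 0x80040e14 caught while processing query"

def is_codered_probe(request_line: str) -> bool:
    """True if a raw HTTP request line looks like the worm's .ida probe."""
    m = PROBE_RE.match(request_line.strip())
    return m is not None and len(m.group("query")) >= MIN_QUERY_LEN

def classify_response(lines: Iterable[str], max_lines: int = 30) -> str:
    """Classify a captured response as 'vulnerable', 'patched' or 'unknown'.
    Looks at most max_lines lines, checks every line including the first, and
    returns 'unknown' on a short or empty response instead of failing on it."""
    for i, line in enumerate(lines):
        if i >= max_lines:
            break
        if UNPATCHED_MARKER in line:
            return "vulnerable"
        if PATCHED_MARKER in line:
            return "patched"
    return "unknown"

def scan_honeypot_log(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count probes per source over constructed 'source-ip request-line' log lines."""
    hits: Dict[str, int] = {}
    for entry in log_lines:
        src, _, request = entry.partition(" ")
        if is_codered_probe(request):
            hits[src] = hits.get(src, 0) + 1
    return hits

if __name__ == "__main__":
    # Constructed sample log: two worm-style probes from one source, one normal request.
    sample = [
        "192.0.2.10 GET /default.ida?" + "x" * 224 + "=x HTTP/1.0",
        "192.0.2.20 GET /index.html HTTP/1.0",
        "192.0.2.10 GET /DEFAULT.IDA?" + "x" * 224 + "=x HTTP/1.0",
    ]
    print(scan_honeypot_log(sample))  # {'192.0.2.10': 2}
```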