| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: DDoS on the 16th - Fail if no DNS resolution? "Chris Eagle" <cseagle@...shift.com> wrote: > Yes I have looked at the code, no it doesn't exit. It simply directs the SYN > packet at 255.255.255.255, i.e. it ignores the fact that the lookup failed > and returned -1 and uses -1 as the destination IP. Hmmmmm -- that's odd... The MSDN/SDK dox for gethostbyname says this about return values: If no error occurs, gethostbyname returns a pointer to the HOSTENT structure described above. Otherwise, it returns a NULL pointer and a specific error number can be retrieved by calling WSAGetLastError. And in my disasm the worm writer seems to have taken this into account: .text:00401EA4 call gethostbyname .text:00401EA9 mov esi, eax .text:00401EAB or esi, esi .text:00401EAD jnz short loc_401EB4 .text:00401EAF or eax, 0FFFFFFFFh .text:00401EB2 jmp short loc_401EBD .text:00401EB4 loc_401EB4: .text:00401EB4 mov eax, [esi+0Ch] .text:00401EB7 mov eax, [eax] .text:00401EB9 mov edi, [eax] .text:00401EBB .text:00401EBB loc_401EBB: .text:00401EBB mov eax, edi .text:00401EBD .text:00401EBD loc_401EBD: .text:00401EBD pop edi .text:00401EBE pop esi .text:00401EBF pop ebp .text:00401EC0 retn ...by testing for a null return and OR'ing FFFFFFFFh with EAX if it was null. Thus it is the worm's checking and post-processing of the gethostbyname result that returns "-1" (or the equivalent of 255.255.255.255) from the "get DoS victim IP" sub-routine. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists