Message-ID: <200308141539.24727.sflist@digitaloffense.net>
Date: Thu, 14 Aug 2003 15:39:24 -0500
From: H D Moore <sflist@...italoffense.net>
To: "Rolles, Rolf" <rolf.rolles@....edu>, bugtraq@...urityfocus.com
Subject: Re: MSBlast complete recode / analysis


On Thursday 14 August 2003 01:19 am, Rolf Rolles wrote:
> MSBlast was compiled with LCC 1.x, which made it particularly easy to
> analyze. The exploit encrypts itself via XOR.  A few simple
> modifications to the "Ripper" IDC on datarescue's site takes care of
> this "protection".

The "encryption" only exists to prevent certain characters from ending up 
in the payload. The source code for the xor encoder is public and part of 
the Pex.pm module in the Releases section of the metasploit.com web site.

> The shellcode binds cmd.exe to 135, and the attacker sends the

Not so, the shellcode creates a new socket on port 4444 and binds cmd.exe.

> And the analysis of the exploit itself:  (the comments became sparse
> when I realized that the code was ripped from HalVar (URL is below)). 

The code was not ripped from HalVar, but the universal loader code was 
borrowed from a friend (and tweaked). As you can see from the comments 
below, the ScanForApi stuff wasn't originally from HalVar or even LSD. 
The hashing algorithm I use has four-byte keys, HalVar used two-byte 
keys. There are a number of other huge differences in the bindshell code 
(since I wrote mine from scratch). 

----
.FindKernel32Base:
    mov         eax, [fs:ecx]           ; find kernelbase
    mov         eax, [eax+0x0C]         ; stolen from LSD who stole it from VX... it's a pity
----

The shellcode and xor encoder source code is available from the 
metasploit.com web site. The relevant URL's are:

(slightly different from the version used in dcom.c)
http://www.metasploit.com/sc/win32_bind.asm

(the LongXorDecoder routine)
http://www.metasploit.com/tools/Pex.pm

Blah. Worms suck.

-HD


On Thursday 14 August 2003 11:49 am, Rolles, Rolf wrote:
> since bugtraq is slow in accepting this, here it is.
>
> Rolf
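
The reply above states that the XOR layer exists only to keep certain bytes out of the payload. The Python below is an illustration added here, not code from the post or from Pex.pm; it shows the property an analyst can confirm once the four-byte key has been read out of the decoder stub (the "Ripper IDC" step Rolf mentions): one XOR routine maps the encoded bytes back to the payload, and the forbidden byte set is present in the decoded form and absent from the encoded one. The forbidden set (NUL, LF, CR), the sample payload bytes and the key are all constructed for the demo; the real bad-character list depends on the target and is not given in the post.

```python
"""Four-byte-key XOR round trip, the property behind the "encryption" discussed above.

Added illustration, not code from the mailing-list post or from Pex.pm.
The sample bytes and the bad-character set below are constructed for the demo.
"""

# Constructed: bytes that a string-copying target would truncate or mangle,
# so they must not appear in the encoded payload.
BAD_CHARS = frozenset({0x00, 0x0A, 0x0D})

# Constructed stand-in for a decoded payload body (not MSBlast bytes). Note the
# NUL, LF and CR bytes: these are what the XOR layer has to hide.
SAMPLE_PLAINTEXT = b"\x00\x00\x04\x44cmd.exe\x00\x0a\x0d\xff"


def xor4(data: bytes, key: int) -> bytes:
    """XOR `data` against a 32-bit key repeated every four bytes (little-endian order).

    XOR is its own inverse, so one routine both encodes and decodes; a trailing
    partial group is covered by the leading key bytes.
    """
    key_bytes = key.to_bytes(4, "little")
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def bad_char_positions(data: bytes, bad=BAD_CHARS) -> list:
    """Offsets in `data` that hold a forbidden byte (an empty list means clean)."""
    return [i for i, b in enumerate(data) if b in bad]


def find_key(plaintext: bytes, bad=BAD_CHARS):
    """Pick a four-byte key whose encoded output contains no forbidden byte.

    Each key byte only ever meets the plaintext bytes at its own offset mod 4,
    so the four bytes can be chosen independently. The key itself is stored in
    the decoder stub, so it must be free of forbidden bytes too. Returns None
    when some column admits no usable key byte.
    """
    chosen = []
    for lane in range(4):
        column = set(plaintext[lane::4])
        for k in range(256):
            if k in bad:
                continue
            if all((p ^ k) not in bad for p in column):
                chosen.append(k)
                break
        else:
            return None
    return int.from_bytes(bytes(chosen), "little")


def demo():
    """Encode the constructed payload, then decode it again with the same key."""
    key = find_key(SAMPLE_PLAINTEXT)
    encoded = xor4(SAMPLE_PLAINTEXT, key)
    decoded = xor4(encoded, key)
    return {
        "key": key,
        "plaintext_bad_offsets": bad_char_positions(SAMPLE_PLAINTEXT),
        "encoded_bad_offsets": bad_char_positions(encoded),
        "round_trip_ok": decoded == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#010x}" if name == "key" else f"{name}: {value}")
```

The per-lane search is what makes a four-byte key cheap to choose: each lane sees only a quarter of the payload, so a key byte that clears one lane never disturbs another, and the whole search is at most 4 x 256 trials regardless of payload length.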


