CHANGES

Revision 1549, 21.1 kB (checked in by common, 9 months ago)

nepenthes

0.2.2 version bump
update CHANGES and configure.ac

Property svn:keywords set to id rev

Line
1	Version 0.2.2
2	==================
3
4	This release has been overdue for a long time.
5	It should compile using g++4.2 (and automake 1.10).
6
7	Nepenthes
8	FIXES and ADDITIONS
9	-----
10	* DownloadManager
11	* 0.0.0.0 is local
12	* if replace_local_ips is not set, local downloads will be dropped
13
14	* SocketManager
15	* adding sockets during send or recv increases the .size() of m_Sockets,
16	therefore the pollfd set is read beyond its borders, prevent this
17
18
19	Modules
20	FIXES and ADDITIONS
21	-----
22	* submit-norman
23	* submit to cwsandbox too, add a new config var urls,
24	which is a list of urls to post to
25
26	* download-ftp
27	* big endian fixes (rui)
28
29	* shellcode-signatures
30	* sparc64 fixes (rui
31
32
33	* log-prelude
34	* various fixes (yoann)
35
36	* sqlhandler-postgres
37	* support options
38
39
40	* submit-norman
41	* use captchaless url
42
43
44	* log-surfnet
45	* prevent attack insert failures from messing up following attacks using the same socket ptr
46	* update attack severity for delayed attacks
47	* erase closed sockets from the socket tracker if there is no outstanding query to process
48
49	* download-curl
50	* new curl api
51
52	NEW
53	---
54	* vuln-sav
55	* added
56
57	* log-hexdump
58	* added, external module now
59	* compile with --enable-debug-logging and load loghexdump.so
60
61
62	* sumbit-mwserv
63	* added (oxff)
64
65
66
67	* submit-http
68	* added (Niklas Schiffler)
69
70
71	* module-honeytrap
72	* added
73
74	Version 0.2.0
75	==================
76
77	Indepent from the codebase, we cleaned up the compile process,
78	now every module is linked only on the libraries it relies on.
79
80
81	Nepenthes
82	FIXES and ADDITIONS
83	-----
84	* Nepenthes
85	* check for nepenthes in signal handler before logging
86	* dont handle SIGUSR1/2
87	* create LogManager in constructor, so we can use it right from the beginning to the bitter end
88	* added mips & arm to MY_ARCHES
89	* handle SIGCHLD & SIGPIPE
90	* add -D daemonize flag for start as daemon
91	* use proper types for uid/gid
92	* dont change user/group if not necessary
93	* clean up startup code
94
95	* GeoLocationManager
96	* removed
97
98	* UploadManager
99	* removed
100
101
102	* LogManager
103	* clear() loggers on destruction
104	* check for registerd loggers before logging, if no handlers re registerd, log using printf
105
106	* Socket
107	* allow hw address lookup using /proc/net/arp in Socket::getRemoteHWA(string *address)
108
109	* UDPSocket
110	* fix source based routing for udp, bind local address for connect' connections
111	* memset() our sockaddr_in before we use em
112
113	* TCPSocket
114	* add event on binding a port
115	* memset() our sockaddr_in before we use em
116
117
118	* SQLManager
119	* added
120
121	* ModuleManager
122	* unload modules in reverse order
123
124	* LogHandler
125	* added setOwnership()
126
127	* LogManager
128	* added bool LogManager::delLogger(LogHandler *lh), return true on success, false else
129
130
131	Modules
132	FIXES and ADDITIONS
133	-----
134	* shellcode-signatures
135	* changed the build process to use the yacc & flex files
136	* fix bug in sch_namespace_base64, credits go to Nelson William for pointing this out
137
138	* log-prelude
139	* fixes & classification changes by Harald Lampesberger
140	* should produce valid idmef now
141
142	* vuln-bagle
143	* fixed endless loop on closed connection
144
145	* vuln-mydoom
146	* fixed endless loop on closed connection
147
148
149	* log-irc
150	* can set filters now
151	* use LogManager::delLogger(LogHandler *lh) on ::Exit
152
153	* shellemu-winnt
154	* improve ftp.exe commandline parsing
155	problem was, when the host/anonymous flag was specified on the command line,
156	after the script
157
158
159	* log-surfnet
160	* log remote mac address to table if its availible
161	* use sqlhandler-postgres, to offer autoreconnect etc etc etc
162
163	* download-ftp
164	* workaround problems with PORTs command where the virus would parse the wrong port
165
166	* download-creceive
167	* fix a bug where the downloads source is equal to the downloads destionation
168
169
170	* vuln-mydoom
171	* fix destionation ip
172	* proper url
173
174	* submit-norman
175	* submit to cwsandbox too, add a new config var urls,
176	which is a list of urls to post to
177
178	NEW
179	---
180	* vuln-realvnc
181	* handles alphanumeric keystrokes
182	* clipboard actions
183
184	* module-honeytrap
185	* idea is taken from honeytrap.sf.net by Werner Tillmann
186	* detect incoming connections using pcap/ipq/ipfw
187	* bind unbound ports
188	* create a mirror connection between to the attacker to "emulate" the vuln using the attackers own weakness
189	* able to log incoming connections as pcap files
190
191	* module-bridge
192	* basic exploit & command detection to the accept() Dialogue,
193	* handle recognized attacks, downloads what has to be downloaded
194
195
196	* sqlhandler-postgres
197	* can use domains
198	* nonblocking, even in conjunction with domains
199	* autoreconnect
200
201	* x-9
202	* example on the sqlmanager/handler
203
204
205	* submit-postgres
206	* submit samples & context information to a postgres database
207	* requires the sqlhandler-postgres
208	* compatible to libpq 7.4 and 8.x
209	* spooling with bencoded files
210
211
212	* module-peiros
213	* 'construction site'
214
215
216	GONE WITH THE WIND
217	------------------
218	*
219	* geolocation-*
220	* x-8 (geolocation example)
221	* upload-http
222	* submit-xmlrpc
223
224
225
226
227	Version 0.1.7
228	==================
229
230
231
232	Nepenthes
233	FIXES and ADDITIONS
234	-----
235	* Nepenthes
236	* default install wont spam the console, use --enable-debug-logging if you want the console spam pary
237	* --version dumps information about operating system
238	* --help is better
239	* log exit reason to file
240	* prevent crash on startup when running in changeroot
241	without changing process user and/or group id, -> changeroot _after_ we
242	chowned the logfiles
243	* support for linux capabilities
244
245
246	* SocketManager
247	* support for if:ethN for default bind address by interface
248	* removed RAWSocket
249
250	* GeolocatioManager
251	* add return value in Exit()
252
253	* UploadHandler
254	* g++ 4.1 fixes
255
256	* DownloadHandler
257	* g++ 4.1 fixes
258
259	* ModuleManager
260	* use dlopen() with RTLD_LOCAL, osx has RTLD_GLOBAL as default and
261	segfaults therefore when unloading modules
262
263
264
265	Modules
266	FIXES and ADDITIONS
267	-----
268	* vuln-ftpd
269	* can handle NAT for active ftp
270
271	* vuln-kuang
272	* log remote ip, not local ip
273
274	* x-6
275	* free the mallocs
276
277	* module-portwatch
278	* removed port 21 from portwatch list
279	* added 25 to portwatch list
280
281	* shellcode-generic
282	* detect wget in xmlrpc exploit attempts
283
284	* log-irc
285	* send irc server pass
286	* infinite retries to resolve server/tor domain
287
288	* x-7
289	* dropped
290
291	* dnsresolve-adns
292	* g++ 4.1 fixes
293
294	* submit-norman
295	* g++ 4.1 fixes
296
297	* download-curl
298	* g++ 4.1 fixes
299
300	* vuln-netdde
301	* removed shellcodehandler, moved to shellcode-signatures
302
303	* vuln-msmq
304	* removed shellcodehandler, moved to shellcode-signatures
305
306	* vuln-dcom
307	* removed shellcodehandler, moved to shellcode-signatures
308
309	* vuln-asn1
310	* removed shellcodehandler, moved to shellcode-signatures
311
312	* vuln-sasserftpd
313	* removed shellcodehandler, moved to shellcode-signatures
314
315	* vuln-wins
316	* removed shellcodehandler, moved to shellcode-signatures
317
318	* vuln-iis
319	* removed shellcodehandler, moved to shellcode-signatures
320
321	* vuln-lsass
322	* removed shellcodehandler, moved to shellcode-signatures
323
324
325	* vuln-mydoom
326	* use CL_ASSIGN_AND_DONE when done (for log-surfnet)
327
328	* vuln-bagle
329	* use CL_ASSIGN_AND_DONE when done (for log-surfnet)
330
331
332	NEW
333	---
334	* submit-gotek
335	* submit files to the mwcollect alliance via the gotek 1 protocol
336
337	* log-prelude
338	* fixed by Harald Lampesberger
339
340	* vuln-ftpd
341	* emulation for various bugs in windows ftp daemons
342	* contributed by Harald Lampesberger
343
344
345	* shellcode-signatures
346	* ported almost _all_ shellcodes from shellcode-generic
347
348
349
350
351
352
353	Version 0.1.6
354	=============
355
356
357	We made sure the source compiles on
358	* cygwin
359	* linux (tested debian on x86, fedora core 3 on amd64, suse 9 enterprise server on powerpc)
360	* openbsd (tested on openbsd 3.8 on x86)
361	* netbsd (tested on netbsd 2.0.2 on x86)
362
363	For cygwin we had to cast many int32_t to int, and many int32_t * to int too (104 times)... and include sys/socket.h (26 times)
364	OpenBSD enforced including sys/types.h nearly everywhere (37 times)
365	64bit fedora made us use intptr_t instead of int to point to memory (19 times)
366
367	The other focus was adding some new shellcode handlers,
368	and we added a new download handler for the broken by design rcp protocol
369
370
371	Nepenthes
372	FIXES and ADDITIONS
373	-----
374	* DownloadManager
375	* as long as BIG_ENDIAN is not coverd by autoconf, dont rely it on here.
376
377	* UploadManager
378	* fixed includes
379	* DNSManager
380	* errno fix
381
382	* DownloadUrl
383	* fixed inclues
384
385	* Buffer
386	* casting int for amd64
387
388	* Nepenthes
389	* getopt int casting
390	* no logfiles chown own cygwin
391	* no filetype on cygwin, dont rely on it
392	* cygwin needs int main()
393	* no signals for cygwin (yet)
394
395	* SocketManager
396	* interface to request tcp connect sockets with provided local port ( for download-rcp )
397	* TCPSocket
398	* new constructor for connect sockets which allows setting a local port
399
400
401	Modules
402	FIXES and ADDITIONS
403	-----
404	* many modules
405	* fixed wrong module names/descriptions
406
407	* shellcode-generic (picchio contributed the analysis for them, we are really glad about his work)
408	* added sch_generic_winexec
409	* pinnebergConnect added
410	* sch_generic_xor schoenberg xor added
411	* schoenenberg bind added
412	* ravensburg bind added
413	* rosengarten xor added
414	* schauenburg bind added
415	* schauenburg xor added
416	* leimbach xor family added
417	* lichtenfels xor & connectback
418
419	* submit-xmlrpc
420	* using geolocation submit-xmlrpc resolved the locals geolocation,
421	now we resolve the remotes
422
423	* log-irc
424	* channel pass fix
425	* upon request - reply nepenthes version to !version
426
427	* shellemu-winnt
428	* added VFSCommandRCP for rcp.exe
429
430
431	NEW
432	---
433	* download-rcp
434	* created, downloads files via the undocumented rcp protcoll
435
436
437
438
439
440
441	Version 0.1.5
442	=============
443	Bugfix release/minor features.
444
445
446	Nepenthes
447	FIXES and ADDITIONS
448	-----
449	* none
450
451
452
453
454	Modules
455	FIXES and ADDITIONS
456	-----
457	* shellcode-generic
458	* sch_generic_cmd added \r\n as lineterminator
459	* shellcode-generic.conf.dist langenfeldConnect pcre added
460	* sch_generic_xor
461	* deggendorf & langenfeld xor added,
462	* removed possible off by n <=3 byte in the 4 byte xor
463
464
465	* vuln-dcom
466	* made it less aggressive, if it does not look like dcom, dont handle it
467
468
469	* shellemu-winnt
470	* VFSCommandSTART added
471	* VFSCommandTFTP proper var checks added
472	* added handling of the escape var ^ for the shell
473	* VFSCommandFTP can download >1 file per batch now
474	* VFSCommandFTP can handle "cd" now
475
476	* download-http
477	* handle downloads with 0 byte bodysize as broken
478
479	* download-ftp
480	* can send CWD now
481	* fixed missing \r on sending RETR
482
483	* geolocation-hostip
484	* the address to look the address up changed, so we adjusted it
485
486
487	* geolocation-ip2location
488	* tarball lacked config file
489
490
491	NEW
492	---
493	* vuln-msdtc
494	* emulation for the ms05-051 exploit by swan
495
496
497	Version 0.1.4
498	=============
499	Bugfix release/minor features.
500
501	Nepenthes
502	FIXES and ADDITIONS
503	-----
504	* FileLogger logged to somewhere after config file was deleted as he lacked a valid path
505
506
507	Modules
508	FIXES and ADDITIONS
509	-----
510	* download-nepenthes
511	* NULL pointer bug fixed
512
513	* shellcode-generic
514	* rewrapped xor code,
515	* added some bindshell codes
516	* parthenstein
517	* wackerow
518	* kaltenborn
519
520	* geolocation-ip2location
521	* now makes use of the real ip2location c api you can download on their homepage,
522	setting the lib up sucks, but it works
523
524	* log-surfnet
525	* moduledescription changed, as we log to postgres, not to mysql
526
527	* dnsresolve-adns
528	* added modulename and description
529
530
531
532
533	Version 0.1.3
534	=============
535	Bugfix release/minor features.
536	FIXME
537
538	* fixed some g++ 3.2 include issues
539
540
541	* Autoconf
542	* improved configure.ac
543	* added --enable-* to configure
544	* geolocation is optional
545	* dump ./configure configuration to stdout
546
547
548
549	* Nepenthes core
550
551
552
553	* DownloadManager & Download & DownloadCallback
554	* changed structure so we can specify a DownloadCallback for internal downloads
555	* intrested in a downloads result, ask the downloadmanager to download it, provide a DownloadCallback
556	the DownloadManager will pass the information encapsulated in a Download to its DownloadHandler
557	the DownloadHandler will try to download it and pass the Download as result to the DownloadCallback
558
559
560
561
562
563	* DNSManager DNSQuery DNSHandler DNSResult DNSCallback
564	* made DNSResolver Service modular, only module so far availible is dnsresolve-adns
565	* now modules providing resolver capabilties are now called 'DNSHandler'
566	anything which is intrested in its dns resolution result is a DNSCallback now
567	(before there was no DNSCallback, no modularity, and we called classes intrested in DNS DNSHandler)
568	* intrested in resolving some domain, ask the DNSManager and provide a DNSCallback
569	the DNSManager will form a DNSQuery from the request, pass it to its DNSHandler
570	the DNSHandler will try to resolve the domain and pass result as a DNSResult to the
571	DNSCallback
572
573	* Event
574	* use uint8_t as Eventid instead of event_type
575	* added ShellcodeEvent & DialogueEvent
576
577
578	* EventManager
579	* allow internal Event registration
580
581
582	* GeoLocationManager GeoLocationQuery GeoLocationHandler GeoLocationResult GeoLocationCallback
583	* created
584	* GeoLocationHandler register with the GeoLocationManager
585	* intrested in GeoLocation lookups, ask the GeoLocationManager and provide a GeoLocationCallback
586	the GeoLocationManager will form a GeoLocationQuery from the request, pass it to its GeoLocationHandler
587	the GeoLocationHandler will try to resolve it and pass the GeoLocationResult to the GeoLocationCallback
588	* added caching of results
589
590
591
592	* LogManager
593	* filelogger is the default logger again, so logrotate can do its job
594	* force ringbuffer logger usage with -R
595
596
597	* log-ringbuffer
598	* added
599	stop wasting diskspace with logs
600	* sets correct permissions on destination files
601	* uses path to log to from nepenthes.logmanager.ring_logger_file
602
603
604	* log-file
605	* uses path to log to from nepenthes.logmanager.file_logger_file
606
607
608	* Nepenthes
609	* improved the init, better errorhandling
610	* -f can do dirs
611
612
613	* ShellcodeManager
614	* hooks a ShellcodeEvent on success
615
616
617
618	* SocketManager TCPSocket UDPSocket RAWSocketListener
619	* decreased poll timeout
620	* moved ports to uint16_t
621	* use nepenthes.socketmanager.bind_address instead of binding INADDR_ANY for bind & connect
622	(suggested by Michael H. Warfield)
623
624
625	* TCPSocket
626	* hooks a DialogueEvent on success
627
628
629
630	* UploadManager UploadQuery UploadHandler UploadResult UploadCallback
631	* created
632	* intrested in uploading something to somewhere, ask the UploadManager and provide a UploadCallback
633	the UploadManager will form a UploadQuery from the request, pass it to its UploadHandler
634	the UploadHandler will try to upload the data it and pass reply to the UploadResult to the
635	UploadCallback
636
637
638
639	* Utilities
640	* added escapeXMLString(char *)
641
642
643
644	* Modules
645	FIXES and ADDITIONS
646	-----
647	* shellemu-winnt
648	* fixed sending shell header on accept shells
649	* VFSCommandFTP handle -A flag for anonymous logins
650	* fixed crash with -f flag for checking dumps
651	* batch file handling
652
653
654	* vuln-mssql
655	* fixed tcp socket instead of udp
656
657
658	* download-ftp
659	* fixed quiting loop
660
661	* dnsmanager, dnsquery, dnsresult
662	* TXT record added
663
664
665	* x-2
666	* fix memleak
667
668	* x-5
669	* now registers its own event to show hiw this works
670
671
672	* x-6
673	* 'txt <domain>' will resolve the txt record now
674
675
676	* submit-xmlrpc
677	* can use geolocation services now
678	* fixes some xml parsing
679
680
681	* download-ftp
682	* send LOGIN after 220 Welcome
683
684
685	* download-curl
686	* add internal download capabilities
687
688
689	* shellcode-generic
690	* sch_generic_link_xor
691	* improve bad length handling
692	* added adenau xor
693	* added adenau connectback
694	* added unicode decoder
695	* sch_generic_url
696	* added - to allowed chars
697
698
699	NEW
700	---
701
702	* dnsresolve-adns
703	* made it a module
704	* fixes some memoryleaks we saw before
705
706	* download-http
707	* written as download-curl replacement
708
709	* geolocation-hostip
710	* resolve geolocations via hostip.info
711
712	* geolocation-geoip
713	* resolve geolocations via maxminds geoip library
714
715	* geolocation-ip2location
716	* resolve geolocations via maxminds geoip library
717
718	* log-surfnet
719	* log to surfnet ids database
720	http://ids.surfnet.nl
721
722
723	* vuln-ssh
724	* created,
725	* works for ssh logins, fails for ssh worms :\
726
727	* x-8
728	* added example how to use geolocation services
729
730
731	* Other
732	* phpxmlrpc_server
733	* added
734
735	* doxygen docu
736	* added
737
738
739
740	Version 0.1.2
741	=============
742	Bugfix release/minor features.
743
744	* Utilities
745	* hexdump uses nepenthes.utilites.hexdump_path as pathinfo now
746
747	* shellemu-wint
748	* VFSCommandFTP uses new DownloadFlags
749
750	* Download
751	* added DownloadFlags so we can handle broken ftpds better
752	* added ::addFlag(uint8_t ) & ::getFlags()
753
754	* DownloadManager
755	* download() now takes uint8_t downloadflags as argument
756
757	* download-ftp
758	* bind to port 0 to avoid collision
759	* rewrote quite everything to handle broken ftp daemons better, including the new DownloadFlags
760
761	* Socket
762	* changed SS_NULL to SS_CONNECTED
763	* added SS_CONNECTING
764
765
766	* TCPSocket
767	* set localip on accept() Sockets, so we can use this info further
768	* bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
769	* uses SS_CONNECTING for connect sockets
770	* overloads setState(), so if they are in state SS_CONNECTING and goto SS_CONNECTED they
771	can call Dialogue::connectionEstablished() for their dialogues
772
773	* some changes in the TCPSockets internal Dialogue handling prevent nepenthes recognizing
774	the same shellcode in more than one dialogue, resulting in more than one download per exploit
775
776
777	* vuln-dameware
778	* created
779
780	* Dialogue
781	* added ::dump()
782	* added ::connectionEstablished()
783
784
785	* many vuln-* modules
786	* added CL_ASSIGN_AND_DONE handling
787
788
789	* many shellcodehandlers using downloadhandler
790	* added valid downloadflag usage
791
792
793
794	Version 0.1.1
795	=============
796	Bugfix release/minor features.
797
798	This is the first release featuring auto(conf\|make\|broken\|whatever) support.
799	Maximillian Dornseif had enough time to burn to write configure.whatever
800	and such stuff for everything so far.
801
802
803	* Compile fixes for
804	* Mac OSX
805	* FreeBSD
806
807	* Nepenthes
808	* Added functionality for -d and -l command line options (log filtering).
809	* Handle SIGINT on -f (command line) usage.
810	* -V is now version.
811	* -v is now verbose, useful for -f when debugging new shellcodehandlers.
812	* DownloadBuffer now features cutFront(unsigned int len)
813
814	* Veritas Backup Exec Exploit for port 10000 added.
815	* shellcode-generic
816	* Konstanz XOR added as sch_generic_konstanz_xor.
817	* Konstanz connectback shell pattern added to shellcode-generic.conf.dist.
818	* Removed VERITASDialogue for port 10000 hexdump, added shellcodehandling.
819
820
821	* shellcode-generic
822	* Fixed sch_generic_connect.
823	* Added sch_generic_connect_trans and Halle PCRE.
824	* Added sch_generic_xor Halle.
825
826	* vuln-dcom
827	* Fixed oc192 PCRE.
828	* Removed SOL2k shellcode handler, as they were never seen during the last two months.
829
830	* download-csend
831	* the atoi(url->path) is cut from the download buffer to be able to use csend with halle
832
833	* vuln-iis
834	* Handle NULL if binding the socket fails in a useful manner
835
836	* vuln-pnp
837	* added
838	* handles the MS05-039 exploit by houseofdabus
839
840	* vuln-lsass
841	* fixed some lines to work properly with vuln-pnp
842
843	* Utilities
844	* sha512 added
845
846	* shellemu-wint
847	* VFSCommandCMD
848	the first command after the /c has to be readded to the StdIn queue, like we did before,
849	but we have to add a delimiter '&' so we dont break our own parsing.
850
851	* Download
852	* added SHA512 get & set methods
853
854	* SubmitManager
855	* set SHA512 for downloads
856
857	* tools/rpcxmlxfer
858	* there is an early implementation of an central collection and
859	logging protocol called rpcxmlxfer in this release. The prototype is
860	implemented as an external script. Just add something like
861	/5 * * * nobody /opt/nepenthes/bin/rpcxmlxfer-client -q
862	to your /etc/crontab to try it.
863
864	* download-ftp
865	* bind to port 0 to avoid collision
866
867	* Socket
868	* changed SS_NULL to SS_CONNECTED
869	* added SS_CONNECTING
870
871	* TCPSocket
872	* set localip on accept() Sockets, so we can use this info further
873	* bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
874	* uses SS_CONNECTING for connect sockets
875	* overloads setState(), so if they are in state SS_CONNECTING and goto SS_CONNECTED they
876	can call Dialogue::connectionEstablished() for their dialogues
877
878
879	* submit-xmlrpc
880	* created
881	* depends on vuln-lsass
882
883	* vuln-dameware
884	* created
885
886	* Dialogue
887	* added dump()
888	* added connectionEstablished
889
890
891	Version 0.1.0
892	=============
893	Initial release.

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format