Changeset 336
- Timestamp:
- 02/20/06 10:38:38 (3 years ago)
- Files:
-
- nepenthes/trunk/CHANGES (modified) (1 diff)
- nepenthes/trunk/configure (modified) (10 diffs)
- nepenthes/trunk/configure.ac (modified) (2 diffs)
- nepenthes/trunk/modules/Makefile.in (modified) (1 diff)
- nepenthes/trunk/modules/dnsresolve-adns/dnsresolve-adns.cpp (modified) (1 diff)
- nepenthes/trunk/modules/download-nepenthes/DownloadNepenthesDialogue.cpp (modified) (1 diff)
- nepenthes/trunk/modules/geolocation-ip2location/Makefile.am (modified) (1 diff)
- nepenthes/trunk/modules/geolocation-ip2location/Makefile.in (modified) (5 diffs)
- nepenthes/trunk/modules/geolocation-ip2location/geolocation-ip2location.cpp (modified) (5 diffs)
- nepenthes/trunk/modules/geolocation-ip2location/geolocation-ip2location.hpp (modified) (2 diffs)
- nepenthes/trunk/modules/log-surfnet/log-surfnet.cpp (modified) (1 diff)
- nepenthes/trunk/modules/shellcode-generic/sch_generic_cmd.cpp (modified) (1 diff)
- nepenthes/trunk/modules/shellcode-generic/sch_generic_unicode.cpp (modified) (2 diffs)
- nepenthes/trunk/modules/shellcode-generic/sch_generic_xor.cpp (modified) (9 diffs)
- nepenthes/trunk/modules/shellcode-generic/sch_generic_xor.hpp (modified) (3 diffs)
- nepenthes/trunk/modules/shellcode-generic/shellcode-generic.conf.dist (modified) (1 diff)
- nepenthes/trunk/modules/submit-xmlrpc/XMLRPCParser.cpp (modified) (1 diff)
- nepenthes/trunk/modules/vuln-dcom/vuln-dcom.cpp (modified) (1 diff)
- nepenthes/trunk/nepenthes-core/Makefile.in (modified) (1 diff)
- nepenthes/trunk/nepenthes-core/include/FileLogger.hpp (modified) (1 diff)
- nepenthes/trunk/nepenthes-core/include/Makefile.in (modified) (1 diff)
- nepenthes/trunk/nepenthes-core/src/Config.cpp (modified) (1 diff)
- nepenthes/trunk/nepenthes-core/src/FileLogger.cpp (modified) (2 diffs)
- nepenthes/trunk/nepenthes-core/src/RingFileLogger.cpp (modified) (2 diffs)
nepenthes/trunk/CHANGES
r332 r336 1 Version 0.1.4 2 ============= 3 Bugfix release/minor features. 4 5 Nepenthes 6 FIXES and ADDITIONS 7 ----- 8 * FileLogger logged to somewhere after config file was deleted as he lacked a valid path 9 10 11 Modules 12 FIXES and ADDITIONS 13 ----- 14 * download-nepenthes 15 * NULL pointer bug fixed 16 17 * shellcode-generic 18 * rewrapped xor code, 19 * added some bindshell codes 20 * parthenstein 21 * wackerow 22 * kaltenborn 23 24 * geolocation-ip2location 25 * now makes use of the real ip2location c api you can download on their homepage, 26 setting the lib up sucks, but it works 27 28 * log-surfnet 29 * moduledescription changed, as we log to postgres, not to mysql 30 31 * dnsresolve-adns 32 * added modulename and description 33 34 35 36 1 37 Version 0.1.3 2 38 ============= nepenthes/trunk/configure
r332 r336 1 1 #! /bin/sh 2 # From configure.ac Id: configure.ac 21 72 2005-11-22 14:07:02Z common .2 # From configure.ac Id: configure.ac 2195 2005-12-01 20:23:46Z common . 3 3 # Guess values for system-dependent variables and create Makefiles. 4 # Generated by GNU Autoconf 2.59 for nepenthes 0.1. 3.4 # Generated by GNU Autoconf 2.59 for nepenthes 0.1.4. 5 5 # 6 6 # Report bugs to <dornseif@informatik.rwth-aachen.de>. … … 425 425 PACKAGE_NAME='nepenthes' 426 426 PACKAGE_TARNAME='nepenthes' 427 PACKAGE_VERSION='0.1. 3'428 PACKAGE_STRING='nepenthes 0.1. 3'427 PACKAGE_VERSION='0.1.4' 428 PACKAGE_STRING='nepenthes 0.1.4' 429 429 PACKAGE_BUGREPORT='dornseif@informatik.rwth-aachen.de' 430 430 … … 957 957 # This message is too long to be a string in the A/UX 3.1 sh. 958 958 cat <<_ACEOF 959 \`configure' configures nepenthes 0.1. 3to adapt to many kinds of systems.959 \`configure' configures nepenthes 0.1.4 to adapt to many kinds of systems. 960 960 961 961 Usage: $0 [OPTION]... [VAR=VALUE]... … … 1023 1023 if test -n "$ac_init_help"; then 1024 1024 case $ac_init_help in 1025 short | recursive ) echo "Configuration of nepenthes 0.1. 3:";;1025 short | recursive ) echo "Configuration of nepenthes 0.1.4:";; 1026 1026 esac 1027 1027 cat <<\_ACEOF … … 1061 1061 --with-mysql-lib=PATH specify path to MySQL client library 1062 1062 --with-mysql-include=PATH specify path to MySQL include files 1063 --with-postgre-lib=PATH specify path to MySQLclient library1064 --with-postgre-include=PATH specify path to MySQLinclude files1063 --with-postgre-lib=PATH specify path to PostGRE client library 1064 --with-postgre-include=PATH specify path to PostGRE include files 1065 1065 --with-geoip-include=PATH specify path to GeoIP include files 1066 1066 --with-geoip-lib=PATH specify path to GeoIP client library … … 1181 1181 if $ac_init_version; then 1182 1182 cat <<\_ACEOF 1183 nepenthes configure 0.1. 
31183 nepenthes configure 0.1.4 1184 1184 generated by GNU Autoconf 2.59 1185 1185 … … 1195 1195 running configure, to aid debugging if configure makes a mistake. 1196 1196 1197 It was created by nepenthes $as_me 0.1. 3, which was1197 It was created by nepenthes $as_me 0.1.4, which was 1198 1198 generated by GNU Autoconf 2.59. Invocation command line was 1199 1199 … … 1838 1838 # Define the identity of the package. 1839 1839 PACKAGE=nepenthes 1840 VERSION=0.1. 31840 VERSION=0.1.4 1841 1841 1842 1842 … … 25764 25764 cat >&5 <<_CSEOF 25765 25765 25766 This file was extended by nepenthes $as_me 0.1. 3, which was25766 This file was extended by nepenthes $as_me 0.1.4, which was 25767 25767 generated by GNU Autoconf 2.59. Invocation command line was 25768 25768 … … 25827 25827 cat >>$CONFIG_STATUS <<_ACEOF 25828 25828 ac_cs_version="\\ 25829 nepenthes config.status 0.1. 325829 nepenthes config.status 0.1.4 25830 25830 configured by $0, generated by GNU Autoconf 2.59, 25831 25831 with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" nepenthes/trunk/configure.ac
r332 r336 7 7 8 8 AC_PREREQ(2.59) 9 AC_INIT([nepenthes], [0.1. 3], [dornseif@informatik.rwth-aachen.de])10 AM_INIT_AUTOMAKE([nepenthes], [0.1. 3])9 AC_INIT([nepenthes], [0.1.4], [dornseif@informatik.rwth-aachen.de]) 10 AM_INIT_AUTOMAKE([nepenthes], [0.1.4]) 11 11 AC_REVISION([$Id$]) 12 12 … … 336 336 337 337 AC_ARG_WITH(postgre-lib, 338 [ --with-postgre-lib=PATH specify path to MySQLclient library],338 [ --with-postgre-lib=PATH specify path to PostGRE client library], 339 339 [postgre_lib=$withval], 340 340 [postgre_lib=no]) 341 341 AC_ARG_WITH(postgre-include, 342 [ --with-postgre-include=PATH specify path to MySQLinclude files],342 [ --with-postgre-include=PATH specify path to PostGRE include files], 343 343 [postgre_inc=$withval], 344 344 [postgre_inc=no]) nepenthes/trunk/modules/Makefile.in
r332 r336 193 193 esac; \ 194 194 done; \ 195 echo ' cd $(top_srcdir) && $(AUTOMAKE) -- foreignmodules/Makefile'; \195 echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/Makefile'; \ 196 196 cd $(top_srcdir) && \ 197 $(AUTOMAKE) -- foreignmodules/Makefile197 $(AUTOMAKE) --gnu modules/Makefile 198 198 .PRECIOUS: Makefile 199 199 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status nepenthes/trunk/modules/dnsresolve-adns/dnsresolve-adns.cpp
r332 r336 57 57 DNSResolverADNS::DNSResolverADNS(Nepenthes *nepenthes) 58 58 { 59 m_ModuleName = "dnsresolve-adns"; 60 m_ModuleDescription = "resolve dns async"; 61 m_ModuleRevision = "$rev$"; 62 59 63 m_DNSHandlerName = "DNSResolverADNS"; 60 64 m_Queue = 0; nepenthes/trunk/modules/download-nepenthes/DownloadNepenthesDialogue.cpp
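Review bot: `m_ModuleRevision = "$rev$";` uses a lower-case keyword, but Subversion keyword anchors are case-sensitive (`$Rev$`), so this string will never be expanded, unlike the `"$Rev$"` used by log-surfnet.cpp in this same changeset. Change it to `m_ModuleRevision = "$Rev$";` so the module reports a real revision.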
r332 r336 202 202 ConsumeLevel DownloadNepenthesDialogue::connectionShutdown(Message *msg) 203 203 { 204 // the download is done, check if the md5sum matches the md5sum we were given; 205 string md5sum = g_Nepenthes->getUtilities()->md5sum( 206 m_Download->getDownloadBuffer()->getData(), 207 m_Download->getDownloadBuffer()->getSize()); 208 209 if (strncmp(m_MD5Sum.c_str(),md5sum.c_str(),32) != 0) 210 { 211 logInfo("file does not match its md5sum (%s <-> %s) \n",md5sum.c_str(),m_MD5Sum.c_str()); 204 if ( m_Download != NULL ) 205 { 206 207 // the download is done, check if the md5sum matches the md5sum we were given; 208 string md5sum = g_Nepenthes->getUtilities()->md5sum( 209 m_Download->getDownloadBuffer()->getData(), 210 m_Download->getDownloadBuffer()->getSize()); 211 212 if ( strncmp(m_MD5Sum.c_str(),md5sum.c_str(),32) != 0 ) 213 { 214 logInfo("file does not match its md5sum (%s <-> %s) \n",md5sum.c_str(),m_MD5Sum.c_str()); 215 } else 216 { 217 logInfo("new file %s is done\n",m_MD5Sum.c_str()); 218 g_Nepenthes->getSubmitMgr()->addSubmission(m_Download); 219 } 212 220 }else 213 221 { 214 logInfo("new file %s is done\n",m_MD5Sum.c_str());215 g_Nepenthes->getSubmitMgr()->addSubmission(m_Download);222 uint32_t remotehost = msg->getRemoteHost(); 223 logCrit(" %s tried to fool download-nepenthes (connected without sending data)\n",inet_ntoa(*(in_addr *)&remotehost)); 216 224 } 217 225 return CL_DROP; nepenthes/trunk/modules/geolocation-ip2location/Makefile.am
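Review bot: The new else branch logs a peer that connected without sending data at `logCrit`; any remote client can trigger that at will, so it is not a critical local failure, and a crit-level flood buries the entries that are. Something like `logInfo("%s connected without sending data, nothing to verify\n", inet_ntoa(*(in_addr *)&remotehost));` fits the event better. The branch also dereferences `msg` unconditionally; if `connectionShutdown` can ever be handed a NULL message, that needs a guard before `msg->getRemoteHost()`.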
r332 r336 11 11 pkglib_LTLIBRARIES = geolocationip2location.la 12 12 13 geolocationip2location_la_SOURCES = geolocation-ip2location.cpp geolocation-ip2location.hpp Ip2Location.c Ip2Location.h13 geolocationip2location_la_SOURCES = geolocation-ip2location.cpp geolocation-ip2location.hpp 14 14 15 15 geolocationip2location_la_LDFLAGS = -module -no-undefined -avoid-version nepenthes/trunk/modules/geolocation-ip2location/Makefile.in
r332 r336 60 60 LTLIBRARIES = $(pkglib_LTLIBRARIES) 61 61 geolocationip2location_la_LIBADD = 62 am_geolocationip2location_la_OBJECTS = geolocation-ip2location.lo \ 63 Ip2Location.lo 62 am_geolocationip2location_la_OBJECTS = geolocation-ip2location.lo 64 63 geolocationip2location_la_OBJECTS = \ 65 64 $(am_geolocationip2location_la_OBJECTS) … … 67 66 depcomp = $(SHELL) $(top_srcdir)/depcomp 68 67 am__depfiles_maybe = depfiles 68 CXXCOMPILE = $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ 69 $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS) 70 LTCXXCOMPILE = $(LIBTOOL) --tag=CXX --mode=compile $(CXX) $(DEFS) \ 71 $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ 72 $(AM_CXXFLAGS) $(CXXFLAGS) 73 CXXLD = $(CXX) 74 CXXLINK = $(LIBTOOL) --tag=CXX --mode=link $(CXXLD) $(AM_CXXFLAGS) \ 75 $(CXXFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ 69 76 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 70 77 $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) … … 75 82 LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ 76 83 $(AM_LDFLAGS) $(LDFLAGS) -o $@ 77 CXXCOMPILE = $(CXX) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \78 $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS)79 LTCXXCOMPILE = $(LIBTOOL) --tag=CXX --mode=compile $(CXX) $(DEFS) \80 $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \81 $(AM_CXXFLAGS) $(CXXFLAGS)82 CXXLD = $(CXX)83 CXXLINK = $(LIBTOOL) --tag=CXX --mode=link $(CXXLD) $(AM_CXXFLAGS) \84 $(CXXFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@85 84 SOURCES = $(geolocationip2location_la_SOURCES) 86 85 DIST_SOURCES = $(geolocationip2location_la_SOURCES) … … 197 196 AM_LDFLAGS = $IP2LOCATION_LIBS 198 197 pkglib_LTLIBRARIES = geolocationip2location.la 199 geolocationip2location_la_SOURCES = geolocation-ip2location.cpp geolocation-ip2location.hpp Ip2Location.c Ip2Location.h198 geolocationip2location_la_SOURCES = geolocation-ip2location.cpp geolocation-ip2location.hpp 200 199 geolocationip2location_la_LDFLAGS = -module -no-undefined 
-avoid-version 201 200 all: all-am 202 201 203 202 .SUFFIXES: 204 .SUFFIXES: .c .cpp .lo .o .obj203 .SUFFIXES: .cpp .lo .o .obj 205 204 $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) 206 205 @for dep in $?; do \ … … 268 267 -rm -f *.tab.c 269 268 270 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/Ip2Location.Plo@am__quote@271 269 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/geolocation-ip2location.Plo@am__quote@ 272 273 .c.o:274 @am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \275 @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi276 @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@277 @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@278 @am__fastdepCC_FALSE@ $(COMPILE) -c $<279 280 .c.obj:281 @am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \282 @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi283 @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@284 @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@285 @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`286 287 .c.lo:288 @am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \289 @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi290 @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@291 @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@292 @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<293 270 294 271 .cpp.o: nepenthes/trunk/modules/geolocation-ip2location/geolocation-ip2location.cpp
r332 r336 113 113 bool GeoLocationIp2Location::Init() 114 114 { 115 //#ifdef HAVE_LIBIP2LOCATION_H 115 #ifdef HAVE_LIBIP2LOCATION 116 116 117 117 if ( m_Config == NULL ) … … 131 131 } 132 132 133 if ( (m_Ip2Location = ip2location_open((char *)path.c_str())) == NULL)133 if ( (m_Ip2Location = IP2Location_open((char *)path.c_str())) == NULL) 134 134 { 135 135 logCrit("Could not open ip2Location Database in Path %s\n",path.c_str()); 136 136 } 137 ip2location_initialize(m_Ip2Location); 137 138 138 139 139 if ( g_Nepenthes->getGeoMgr()->registerGeolocationHandler(this) == false) … … 143 143 } 144 144 return true; 145 /*#else145 #else 146 146 logCrit("%s","Module compiled without libgeoip installed, wont work\n"); 147 147 return false; 148 148 #endif 149 */ 149 150 150 } 151 151 … … 158 158 bool GeoLocationIp2Location::geoLocate(GeoLocationQuery *query) 159 159 { 160 //#ifdef HAVE_LIBIP2LOCATION160 #ifdef HAVE_LIBIP2LOCATION 161 161 uint32_t ip = query->getAddress(); 162 162 163 163 char *host = inet_ntoa(*(in_addr *)&ip); 164 I p2LocationRecord *record;165 if ( (record = get_record(m_Ip2Location, (char *)host,ALL)) != NULL)164 IP2LocationRecord *record; 165 if ( (record = IP2Location_get_record(m_Ip2Location, (char *)host,ALL)) != NULL) 166 166 { 167 167 GeoLocationResult *geo = new GeoLocationResult(ip,record->longitude,record->latitude,record->country_long,record->country_short,record->city,query->getObject()); 168 168 query->getCallback()->locationSuccess(geo); 169 free_record(record);169 IP2Location_free_record(record); 170 170 delete geo; 171 171 } … … 173 173 delete query; 174 174 return true; 175 //#else176 //return false;177 //#endif175 #else 176 return false; 177 #endif 178 178 } 179 179 nepenthes/trunk/modules/geolocation-ip2location/geolocation-ip2location.hpp
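Review bot: In `Init()` a failed `IP2Location_open` is only logged; the function still registers the handler and returns true, so `geoLocate` later calls `IP2Location_get_record` with a NULL `m_Ip2Location`. Add `return false;` directly after the `logCrit("Could not open ip2Location Database in Path %s\n",path.c_str());`, matching the `return false;` the `#else` branch already uses to refuse the module. The `#else` message `"Module compiled without libgeoip installed, wont work\n"` names the wrong library for this module and should say ip2location.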
r332 r336 33 33 #ifdef HAVE_GEOLOCATION 34 34 35 #ifdef HAVE_LIBIP2LOCATION _H36 #include <I p2Location.h>35 #ifdef HAVE_LIBIP2LOCATION 36 #include <IP2Location.h> 37 37 #endif 38 39 extern "C"40 {41 #include "Ip2Location.h"42 }43 38 44 39 #include "Module.hpp" … … 68 63 69 64 private: 70 //#ifdef HAVE_LIBIP2LOCATION_H 71 I p2Location *m_Ip2Location;72 //#endif65 #ifdef HAVE_LIBIP2LOCATION 66 IP2Location *m_Ip2Location; 67 #endif 73 68 74 69 }; nepenthes/trunk/modules/log-surfnet/log-surfnet.cpp
r332 r336 75 75 { 76 76 m_ModuleName = "log-surfnet"; 77 m_ModuleDescription = "log various malicious events to mysql";77 m_ModuleDescription = "log various malicious events to postgresql"; 78 78 m_ModuleRevision = "$Rev$"; 79 79 m_Nepenthes = nepenthes; nepenthes/trunk/modules/shellcode-generic/sch_generic_cmd.cpp
r332 r336 64 64 bool GenericCMD::Init() 65 65 { 66 const char *createprocesspcre = ".*(cmd.* /.*\\x00).*";66 const char *createprocesspcre = ".*(cmd.* /.*\\x00).*"; 67 67 const char * pcreEerror; 68 68 int32_t pcreErrorPos; nepenthes/trunk/modules/shellcode-generic/sch_generic_unicode.cpp
r332 r336 128 128 129 129 130 logSpam("Got %i 00 %i -> %i bytes \n",maxuni,maxstart,maxstopp);130 131 131 132 132 if ( maxuni > 2000 ) 133 133 { 134 134 logInfo("Got unicode Exploit %i 00 %i -> %i bytes \n",maxuni,maxstart,maxstopp); 135 135 136 136 byte *output; … … 139 139 unicodeTryDecode(shellcode, len, &output, &outputLen); 140 140 141 // g_Nepenthes->getUtilities()->hexdump(l_crit, output, outputLen); 141 142 142 143 Message *newMessage = new Message((char *)output, outputLen, (*msg)->getLocalPort(), (*msg)->getRemotePort(), nepenthes/trunk/modules/shellcode-generic/sch_generic_xor.cpp
r332 r336 87 87 int32_t pcreErrorPos; 88 88 89 const char *test[]= 90 { 91 "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9(.*)$", // rbot 64k 92 "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80\\x73\\x0C(.)\\x43\\xE2\\xF9(.*)$", // rbot 265 byte 93 "\\xEB.\\xEB.\\xE8.*\\xB1(.).*\\x80..(.).*\\xE2.(.*)$", // generic mwcollect 94 "\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF(.*)$", // bielefeld 95 "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9(.*)$", // halle 96 // "\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF(.*)$", // adenau xor 97 98 NULL 89 XORPcreHelper test[7]= 90 { 91 { 92 "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$", 93 "rbot 64k", 94 23 95 }, 96 { 97 "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80\\x73\\x0C(.)\\x43\\xE2\\xF9)(.*)$", 98 "rbot 265 byte", 99 21 100 }, 101 { 102 "(.*)(\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$", 103 "bielefeld", 104 14 105 }, 106 { 107 "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$", 108 "halle", 109 23 110 }, 111 { 112 "(.*)(\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF)(.*)$", 113 "adenau xor" 114 }, 115 116 { 117 "(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x8B\\xC5\\x83\\xC0\\x11\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$", 118 "kaltenborn xor", 119 27 120 }, 121 { 122 "(.*)(\\xEB.\\xEB.\\xE8.*\\xB1(.).*\\x80..(.).*\\xE2.)(.*)$", 123 "generic mwcollect", 124 20 
125 126 } 99 127 }; 100 128 101 for( uint32_t i = 0; test[i]; i++ )129 for( uint32_t i = 0; i <= 6; i++ ) 102 130 { 103 131 pcre *mypcre; 104 if((mypcre = pcre_compile(test[i] , PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL)132 if((mypcre = pcre_compile(test[i].m_PCRE, PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL) 105 133 { 106 134 logCrit("GenericXOR could not compile pattern %i\n\t\"%s\"\n\t Error:\"%s\" at Position %u", i, … … 109 137 }else 110 138 { 111 m_Pcres.push_back(mypcre); 139 logDebug("Adding %s \n",test[i].m_Name); 140 XORPcreContext *ctx = new XORPcreContext; 141 ctx->m_Pcre = mypcre; 142 ctx->m_Name = test[i].m_Name; 143 ctx->m_Options = test[i].m_Options; 144 m_Pcres.push_back(ctx); 145 112 146 logSpam("PCRE %i compiled \n",i); 113 147 } … … 121 155 while(m_Pcres.size()>0) 122 156 { 123 pcre_free(m_Pcres.front()); 157 158 pcre_free(m_Pcres.front()->m_Pcre); 159 delete m_Pcres.front(); 124 160 m_Pcres.pop_front(); 125 161 } … … 138 174 int32_t output[10 * 3]; 139 175 140 list < pcre*>::iterator it;176 list <XORPcreContext *>::iterator it; 141 177 uint32_t i; 142 178 for (it=m_Pcres.begin(), i=0; it != m_Pcres.end();it++,i++) 143 179 { 144 180 int32_t result=0; 145 if((result = pcre_exec( *it, 0, (char *) shellcode, len, 0, 0, output, sizeof(output)/sizeof(int32_t))) > 0)181 if((result = pcre_exec((*it)->m_Pcre, 0, (char *) shellcode, len, 0, 0, output, sizeof(output)/sizeof(int32_t))) > 0) 146 182 { 147 183 // logSpam("PCRE %i %x matches %i \n",i,*it,result); 184 const char *preload; 185 uint32_t preloadSize; 186 preloadSize = pcre_get_substring((char *) shellcode, output, result, 1, &preload); 187 188 189 const char *xordecoder; 190 uint32_t xordecoderSize; 191 xordecoderSize = pcre_get_substring((char *) shellcode, output, result, 2, &xordecoder); 192 148 193 149 194 const char *match; … … 153 198 uint32_t codesize = 0, codesizeLen, totalsize; 154 199 155 codesizeLen = pcre_get_substring((char *) shellcode, output, result, 1, 
&match);200 codesizeLen = pcre_get_substring((char *) shellcode, output, result, 3, &match); 156 201 switch (codesizeLen ) 157 202 { … … 174 219 175 220 176 keysize = pcre_get_substring((char *) shellcode, output, result, 2, &match);221 keysize = pcre_get_substring((char *) shellcode, output, result, 4, &match); 177 222 178 223 switch(keysize) … … 194 239 195 240 196 totalsize = pcre_get_substring((char *) shellcode, output, result, 3, &match);241 totalsize = pcre_get_substring((char *) shellcode, output, result, 5, &match); 197 242 byte *decodedMessage = (byte *)malloc(totalsize); 198 243 memcpy(decodedMessage, match, totalsize); 199 244 pcre_free_substring(match); 200 245 201 logInfo("Detected generic XOR decoder #%i size length has %d bytes, size is %d, totalsize %d.\n",i, codesizeLen, codesize, totalsize); 202 246 logInfo("Detected generic XOR decoder %s size length has %d bytes, size is %d, totalsize %d.\n",(*it)->m_Name.c_str(), codesizeLen, codesize, totalsize); 247 248 203 249 204 250 switch(keysize) … … 224 270 } 225 271 226 227 228 Message *newMessage = new Message((char *)decodedMessage, totalsize, (*msg)->getLocalPort(), (*msg)->getRemotePort(), 272 char *newshellcode = (char *)malloc(len*sizeof(char)); 273 memset(newshellcode,0x90,len); 274 memcpy(newshellcode,preload,preloadSize); 275 276 memcpy(newshellcode+preloadSize+xordecoderSize,decodedMessage,totalsize); 277 278 pcre_free_substring(preload); 279 pcre_free_substring(xordecoder); 280 281 // g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len); 282 283 Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(), 229 284 (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket()); 230 285 … … 234 289 235 290 free(decodedMessage); 291 free(newshellcode); 236 292 return SCH_REPROCESS; 237 293 } nepenthes/trunk/modules/shellcode-generic/sch_generic_xor.hpp
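Review bot: The new `pcre_get_substring` calls for groups 1 and 2, like the existing ones for groups 3–5, store their return value straight into `uint32_t` sizes, but pcre_get_substring returns a negative error code on failure; that becomes a huge length in `memcpy(newshellcode,preload,preloadSize)`, `malloc(totalsize)` and the final copy, on data that arrives from the network. Take each result into an `int`, check it for `< 0`, and skip the pattern (releasing substrings already obtained) before it is used as a size; the sketch below does it for the two new substrings and the same guard belongs on the group 3, 4 and 5 calls. Separately, the compile loop's fixed bound `i <= 6` must be kept in sync with `test[7]` by hand, where `sizeof(test)/sizeof(test[0])` would not. The enclosing handler begins before and ends after this hunk.
```cpp
// … unchanged: pcre_exec match test …
const char *preload;
int preloadRc = pcre_get_substring((char *) shellcode, output, result, 1, &preload);
if ( preloadRc < 0 )
{
	logInfo("PCRE %i: could not extract preload substring (%i)\n", i, preloadRc);
	continue;
}
uint32_t preloadSize = preloadRc;

const char *xordecoder;
int xordecoderRc = pcre_get_substring((char *) shellcode, output, result, 2, &xordecoder);
if ( xordecoderRc < 0 )
{
	logInfo("PCRE %i: could not extract decoder substring (%i)\n", i, xordecoderRc);
	pcre_free_substring(preload);
	continue;
}
uint32_t xordecoderSize = xordecoderRc;
// … unchanged: groups 3-5, key decoding, newshellcode assembly (same guard applies there) …
```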
r318 r336 31 31 #define HAVE_GENERICXOR_HPP 32 32 33 #include <stdint.h> 33 34 #include <pcre.h> 34 35 #include "ShellcodeHandler.hpp" … … 37 38 namespace nepenthes 38 39 { 40 struct XORPcreHelper 41 { 42 char *m_PCRE; 43 char *m_Name; 44 uint16_t m_Options; // will use this later 45 46 }; 47 48 49 struct XORPcreContext 50 { 51 pcre *m_Pcre; 52 string m_Name; 53 uint16_t m_Options; // 54 }; 55 39 56 class GenericXOR : public ShellcodeHandler 40 57 { … … 46 63 bool Exit(); 47 64 protected: 48 list < pcre*> m_Pcres;65 list <XORPcreContext *> m_Pcres; 49 66 }; 50 67 } nepenthes/trunk/modules/shellcode-generic/shellcode-generic.conf.dist
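Review bot: `XORPcreHelper` declares `char *m_PCRE;` and `char *m_Name;`, yet the only initialisers on this page are string literals in sch_generic_xor.cpp; binding a literal to a non-const `char *` is deprecated in C++ and rejected by newer compilers, and nothing writes through these pointers. Declare them `const char *m_PCRE;` and `const char *m_Name;` — `XORPcreContext::m_Name` is a `string`, so the assignment from them still works. The `// will use this later` and the empty `//` on the two `m_Options` fields say nothing about the field; either state what the options are meant to gate or drop the comment until the field is used.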
r332 r336 8 8 "adenauBind", 9 9 "\\x83\\xEC\\x34\\x8B\\xF4\\xE8\\x47\\x01\\x00\\x00\\x89\\x06\\xFF\\x36\\x68\\x8E\\x4E\\x0E\\xEC\\xE8\\x61\\x01\\x00\\x00\\x89\\x46\\x08\\xFF\\x36\\x68\\xAD\\xD9\\x05\\xCE\\xE8\\x52\\x01\\x00\\x00\\x89\\x46\\x0C\\x68\\x6C\\x6C\\x00\\x00\\x68\\x33\\x32\\x2E\\x64\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\x56\\x08\\x89\\x46\\x04\\xFF\\x36\\x68\\x72\\xFE\\xB3\\x16\\xE8\\x2D\\x01\\x00\\x00\\x89\\x46\\x10\\xFF\\x36\\x68\\x7E\\xD8\\xE2\\x73\\xE8\\x1E\\x01\\x00\\x00\\x89\\x46\\x14\\xFF\\x76\\x04\\x68\\xCB\\xED\\xFC\\x3B\\xE8\\x0E\\x01\\x00\\x00\\x89\\x46\\x18\\xFF\\x76\\x04\\x68\\xD9\\x09\\xF5\\xAD\\xE8\\xFE\\x00\\x00\\x00\\x89\\x46\\x1C\\xFF\\x76\\x04\\x68\\xA4\\x1A\\x70\\xC7\\xE8\\xEE\\x00\\x00\\x00\\x89\\x46\\x20\\xFF\\x76\\x04\\x68\\xA4\\xAD\\x2E\\xE9\\xE8\\xDE\\x00\\x00\\x00\\x89\\x46\\x24\\xFF\\x76\\x04\\x68\\xE5\\x49\\x86\\x49\\xE8\\xCE\\x00\\x00\\x00\\x89\\x46\\x28\\xFF\\x76\\x04\\x68\\xE7\\x79\\xC6\\x79\\xE8\\xBE\\x00\\x00\\x00\\x89\\x46\\x2C\\x33\\xFF\\x81\\xEC\\x90\\x01\\x00\\x00\\x54\\x68\\x01\\x01\\x00\\x00\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0", 10 11 "kaltenbornBind" 12 
"\\xFF\\x56\\xF4\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\xF0\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\xEC\\x57\\x53\\xFF\\x56\\xE8\\x33\\xFF\\x57\\x51\\x53\\xFF\\x56\\xE2\\x8B\\xD0\\x89\\x46\\xBE\\x68\\x63\\x6D\\x64\\x00\\x89\\x66\\xC2\\x83\\xC4\\xAC\\x8D\\x3C\\x24\\x33\\xC0\\x33\\xC9\\x80\\xC1\\x15\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44\\x24\\x3D\\x89\\x54\\x24\\x48\\x89\\x54\\x24\\x4C\\x89\\x54\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x41\\x51\\x49\\x51\\x51\\xFF\\x76\\xC2\\x51\\xFF\\x56\\xCE\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\xD2\\x8B\\xC8\\xFF\\x76\\xBE\\xFF\\x56\\xD6\\xEB\\x9E\\xFF\\x56\\x14" 13 14 "wackerowBind" 15 "\\xE8\\x7C\\x00\\x00\\x00\\x83\\xC6\\x0D\\x52\\x56\\xFF\\x57\\xFC\\x5A\\x8B\\xD8\\x6A\\x04\\x59\\xE8\\x69\\x00\\x00\\x00\\x50\\x50\\x50\\x50\\x6A\\x01\\x6A\\x02\\xFF\\x57\\xF0\\x8B\\xD8\\xC7\\x07\\x02\\x00(..)\\x33\\xC0\\x89\\x47\\x04\\x6A\\x10\\x57\\x53\\xFF\\x57\\xF4\\x6A\\x01\\x53\\xFF\\x57\\xF8\\x50\\x50\\x53\\xFF\\x57\\xFC\\x83\\xEC\\x44\\x8B\\xF4\\x33\\xDB\\x6A\\x10\\x59\\x89\\x1C\\x8E\\xE2\\xFB\\x89\\x46\\x38\\x89\\x46\\x3C\\x89\\x46\\x40\\xC7\\x46\\x2C\\x01\\x01\\x00\\x00\\x8D\\x47\\x10\\x50\\x56\\x53\\x53\\x53\\x6A\\x01\\x53\\x53\\xC7\\x47\\x3C\\x63\\x6D\\x64\\x00\\x8D\\x47\\x3C\\x50\\x53\\xFF\\x57\\xE4\\x50\\xFF\\x57\\xE8" 16 17 "parthensteinBind" 18 
"\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0\\x33\\xC9\\x83\\xC1\\x15\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44\\x24\\x3D\\x89\\x54\\x24\\x48\\x89\\x54\\x24\\x4C\\x89\\x54\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\xFF\\x76\\x30\\x51\\xFF\\x56\\x10\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\x0C\\x8B\\xC8\\x57\\xFF\\x56\\x2C\\xFF\\x56\\x14" 10 19 ); 11 20 nepenthes/trunk/modules/submit-xmlrpc/XMLRPCParser.cpp
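Review bot: The six new strings (`"kaltenbornBind"`, `"wackerowBind"`, `"parthensteinBind"` and their patterns) are not followed by commas, whereas the existing `"adenauBind",` entry and its pattern are; unless the config parser accepts whitespace-separated strings inside a list, which I cannot tell from this page, the list either fails to parse or adjacent name and pattern strings merge into one entry. Add a trailing comma after each of the new strings, e.g. `"kaltenbornBind",`, to match the existing entries.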
r332 r336 39 39 #include <ctype.h> 40 40 #include <stdint.h> 41 #include < malloc.h>41 #include <stdlib.h> 42 42 #include <string.h> 43 43 nepenthes/trunk/modules/vuln-dcom/vuln-dcom.cpp
r321 r336 111 111 // m_ShellcodeHandlers.push_back( new SOL2KBind (m_Nepenthes->getShellcodeMgr())); 112 112 // m_ShellcodeHandlers.push_back( new SOL2KConnect (m_Nepenthes->getShellcodeMgr())); 113 m_ShellcodeHandlers.push_back( new OC192Bind (m_Nepenthes->getShellcodeMgr())); 113 114 // replaced by adenau xor & Parthenstein Bind 115 // m_ShellcodeHandlers.push_back( new OC192Bind (m_Nepenthes->getShellcodeMgr())); 114 116 115 117 nepenthes/trunk/nepenthes-core/Makefile.in
r330 r336 178 178 esac; \ 179 179 done; \ 180 echo ' cd $(top_srcdir) && $(AUTOMAKE) -- foreignnepenthes-core/Makefile'; \180 echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu nepenthes-core/Makefile'; \ 181 181 cd $(top_srcdir) && \ 182 $(AUTOMAKE) -- foreignnepenthes-core/Makefile182 $(AUTOMAKE) --gnu nepenthes-core/Makefile 183 183 .PRECIOUS: Makefile 184 184 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status nepenthes/trunk/nepenthes-core/include/FileLogger.hpp
r321 r336 48 48 49 49 private: 50 c onst char *m_Filename;50 char *m_Filename; 51 51 }; 52 52 nepenthes/trunk/nepenthes-core/include/Makefile.in
r332 r336 190 190 esac; \ 191 191 done; \ 192 echo ' cd $(top_srcdir) && $(AUTOMAKE) -- foreignnepenthes-core/include/Makefile'; \192 echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu nepenthes-core/include/Makefile'; \ 193 193 cd $(top_srcdir) && \ 194 $(AUTOMAKE) -- foreignnepenthes-core/include/Makefile194 $(AUTOMAKE) --gnu nepenthes-core/include/Makefile 195 195 .PRECIOUS: Makefile 196 196 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status nepenthes/trunk/nepenthes-core/src/Config.cpp
r332 r336 30 30 #include <stdlib.h> 31 31 #include <ctype.h> 32 #include <stdio.h> 32 33 33 34 #include "Config.hpp" nepenthes/trunk/nepenthes-core/src/FileLogger.cpp
r321 r336 52 52 FileLogger::~FileLogger() 53 53 { 54 if( m_Filename != NULL) 55 free(m_Filename); 56 54 57 } 55 58 … … 57 60 void FileLogger::setLogFile(const char *filename) 58 61 { 59 m_Filename = filename; 62 if( m_Filename != NULL) 63 free(m_Filename); 64 65 m_Filename = strdup(filename); 60 66 } 61 67 nepenthes/trunk/nepenthes-core/src/RingFileLogger.cpp
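Review bot: Both the destructor and `setLogFile` now `free(m_Filename)` whenever it is non-NULL, which is only safe if the constructor sets `m_Filename` to NULL; the constructor is not part of this changeset, so please confirm it does (an `m_Filename = NULL;` in the initialiser list). `strdup(filename)` is also called without a NULL check, so `setLogFile(NULL)` would dereference it; `if (filename == NULL) return;` before the strdup would keep the previous path in that case.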
r332 r336 58 58 RingFileLogger::~RingFileLogger() 59 59 { 60 free(m_FirstFile); 60 if (m_FileFormat != NULL) 61 { 62 free(m_FileFormat); 63 } 64 65 if (m_FirstFile != NULL) 66 { 67 free(m_FirstFile); 68 } 61 69 } 62 70 … … 64 72 void RingFileLogger::setLogFileFormat(char *fmt) 65 73 { 66 m_FileFormat = fmt; 67 free(m_FirstFile); 74 if (m_FileFormat != NULL) 75 { 76 free(m_FileFormat); 77 } 78 m_FileFormat = strdup(fmt); 79 80 81 if (m_FirstFile != NULL) 82 { 83 free(m_FirstFile); 84 } 68 85 asprintf(&m_FirstFile, m_FileFormat, 0); 69 86 }
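Review bot: `asprintf(&m_FirstFile, m_FileFormat, 0)` in `setLogFileFormat` ignores its return value; on failure glibc leaves `m_FirstFile` undefined, and the new `if (m_FirstFile != NULL) free(m_FirstFile)` in the destructor and on the next call would then free a garbage pointer. Write it as `if (asprintf(&m_FirstFile, m_FileFormat, 0) < 0) m_FirstFile = NULL;`. Because `m_FileFormat` is caller-supplied rather than a literal and is used directly as the format string, it is worth checking that it contains exactly one integer conversion before it reaches asprintf, and `strdup(fmt)` needs a NULL guard on `fmt`. As in FileLogger, the NULL tests in the destructor rely on the constructor initialising both members, which is outside this hunk.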
