Navigation

← Previous Changeset
Next Changeset →

Changeset 428

Timestamp:

03/26/06 01:05:12 (3 years ago)

Author:

common

Message:

shellcode-signatures
- namespace bindshell
- namespace connectback
added

- sch_namespace_xor works now (the debug statements stay for now, i need them)

seems like most shellcode mappings in the signature file are broken :\ ...

Files:

nepenthes/trunk/modules/shellcode-signatures/Makefile.am (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.h (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.l (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.y (modified) (4 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_bindshell.cpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_bindshell.hpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_connectbackshell.cpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_connectbackshell.hpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp (modified) (10 diffs)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (19 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

nepenthes/trunk/modules/shellcode-signatures/Makefile.am

r424	r428
16	16	shellcodesignatures_la_SOURCES += shellcode-signatures.cpp shellcode-signatures.hpp
17	17	shellcodesignatures_la_SOURCES += sch_namespace_xor.cpp sch_namespace_xor.hpp
18
	18	shellcodesignatures_la_SOURCES += sch_namespace_bindshell.cpp sch_namespace_bindshell.hpp
	19	shellcodesignatures_la_SOURCES += sch_namespace_connectbackshell.cpp sch_namespace_connectbackshell.hpp
19	20
20	21	shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version

nepenthes/trunk/modules/shellcode-signatures/parser.h

r426 r428

30 30 sc_pcre,
31 31 sc_pre,
32 sc_post
32 sc_post,
33 sc_none
33 34 };
34 35

nepenthes/trunk/modules/shellcode-signatures/parser.l

r426	r428
64	64	"pcre" { return SC_PCRE; }
65	65	"pre" { return SC_PRELOAD; }
66		"post" { return SC_PRELOAD; }
	66	"post" { return SC_POSTLOAD; }
	67
67	68
68	69	{LETTER}({LETTER}\|{DIGIT}\|"_")* { string_append(yytext, strlen(yytext)); return SC_ID; }

nepenthes/trunk/modules/shellcode-signatures/parser.y

r426	r428
51	51	{
52	52	int i;
53
	53	/*
54	54	printf("shellcode:\n");
55	55
…	…
66	66
67	67	printf("\n\n");
68
	68	*/
69	69	/* prepare for the next one */
70	70	init_shellcode();
…	…
217	217	{
218	218	shellcodes->map[shellcodes->map_items++] = sc_post;
	219	}
	220	\| SC_NONE
	221	{
	222	shellcodes->map[shellcodes->map_items++] = sc_none;
219	223	}
220	224
…	…
288	292	"pcre",
289	293	"pre",
290		"post"
	294	"post",
	295	"none"
291	296	};
292	297	if ( num > sizeof(mapmapping)/sizeof(char *) )

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp

r427	r428
32	32	#include "Nepenthes.hpp"
33	33	#include "Message.hpp"
34		#include "Message.cpp"
	34
35	35	#include "LogManager.hpp"
36	36	#include "Utilities.hpp"
…	…
126	126	if ( (matchCount = pcre_exec(m_Pcre, 0, (char ) shellcode, len, 0, 0, (int )ovec, sizeof(ovec)/sizeof(int32_t))) > 0 )
127	127	{
128		logCrit("MATCH %s~~\n",m_ShellcodeHandlerName.c_str()~~);
	128	logCrit("MATCH %s matchCount %i map_items %i \n",m_ShellcodeHandlerName.c_str(), matchCount, m_Shellcode->map_items);
129	129	int32_t i;
130		for ( i=0; i== m_Shellcode->map_items; i++ )
	130	for ( i=0; i < m_Shellcode->map_items; i++ )
131	131	{
	132	if (m_Shellcode->map[i] == sc_none)
	133	continue;
	134
	135	logInfo(" i = %i map_items %i , map = %s\n",i,m_Shellcode->map_items, sc_get_mapping_by_numeric(m_Shellcode->map[i]));
132	136	const char *match = NULL;
133	137	int matchSize = pcre_get_substring((char ) shellcode, (int )ovec, (int)matchCount, i, &match);
…	…
135	139	switch ( m_Shellcode->map[i] )
136	140	{
137
	141
138	142	case sc_pre:
139	143	preMatch = match;
140	144	preSize = matchSize;
	145	logSpam("sc_pre %i\n",matchSize);
141	146	break;
142	147
…	…
144	149	decoderMatch = match;
145	150	decoderSize = matchSize;
	151	logSpam("sc_pcre %i\n",matchSize);
146	152	break;
147	153
…	…
149	155	case sc_size:
150	156	sizeMatch = match;
	157	logSpam("sc_size %i\n",matchSize);
151	158	switch ( matchSize )
152	159	{
153	160	case 4:
154	161	codeSize = (uint32_t)((uint32_t )match);
155		break;
	162	break;
156	163
157	164	case 2:
158	165	codeSize = (uint32_t)((uint16_t )match);
	166	break;
159	167
160	168	case 1:
…	…
162	170	break;
163	171	}
	172	logSpam("\tnumeric %i\n",codeSize);
164	173	break;
165	174
166	175
167	176	case sc_sizeinvert:
	177	logSpam("sc_sizeinvert %i\n",matchSize);
168	178	sizeMatch = match;
169	179	switch ( matchSize )
…	…
177	187	break;
178	188	}
	189	logSpam("\tnumeric %i\n",codeSize);
179	190	break;
180	191
181	192	case sc_key:
	193	logSpam("sc_key %i\n",matchSize);
182	194	keyMatch = match;
183	195	keySize = matchSize;
…	…
186	198	case 1:
187	199	byteKey = ((byte )match);
	200	logSpam("\tnumeric %1x\n",(unsigned int)byteKey);
188	201	break;
189	202
190	203	case 4:
191		intKey = ((uint32_t )match);
	204	intKey = ((uint32_t )match);
	205	logSpam("\tnumeric %x\n",(unsigned int)intKey);
192	206	break;
193	207
…	…
196	210
197	211	case sc_post:
	212	logSpam("sc_post %i\n",matchSize);
198	213	postMatch = match;
199	214	postSize = matchSize;
200	215	break;
201	216
	217
202	218	default:
203		logCrit("~~not used mapping %s\n",~~sc_get_mapping_by_numeric(m_Shellcode->map[i]));
	219	logCrit("%s not used mapping %s\n",m_ShellcodeHandlerName.c_str(), sc_get_mapping_by_numeric(m_Shellcode->map[i]));
204	220	}
205	221	}
	222
206	223
207	224	// create buffer for decoding part of the message
…	…
242	259	memcpy(newshellcode+preSize+decoderSize ,decodedMessage ,postSize);
243	260
	261	g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
	262
244	263	Message newMessage = new Message((char )newshellcode, len, (msg)->getLocalPort(), (msg)->getRemotePort(),
245	264	(msg)->getLocalHost(), (msg)->getRemoteHost(), (msg)->getResponder(), (msg)->getSocket());

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp

r426	r428
40	40
41	41	#include "sch_namespace_xor.hpp"
	42	#include "sch_namespace_bindshell.hpp"
	43	#include "sch_namespace_connectbackshell.hpp"
42	44
43	45	#include "ShellcodeManager.hpp"
44	46	#include "Nepenthes.hpp"
45	47	#include "LogManager.hpp"
	48
	49	#include "Message.cpp"
46	50
47	51	#ifdef STDTAGS
…	…
137	141
138	142	case sc_connectbackshell:
	143	sch = new NamespaceConnectbackShell(sc);
139	144	break;
140	145
…	…
143	148
144	149	case sc_bindshell:
	150	sch = new NamespaceBindShell(sc);
145	151	break;
146	152

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

r425	r428
43	43	"(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)"
44	44	"\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$";
45		mapping (~~pre,pcre,key,size~~,post);
	45	mapping (none,pre,pcre,size,key,post);
46	46	};
47	47
…	…
53	53	"(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80"
54	54	"\\x73\\x0C(.)\\x43\\xE2\\xF9)(.*)$";
55		mapping (~~pre,pcre,key,size~~,post);
	55	mapping (none,pre,pcre,size,key,post);
56	56	};
57	57
…	…
61	61	"(.*)(\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA"
62	62	"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$";
63		mapping (~~pre,pcre,key,size~~,post);
	63	mapping (none,pre,pcre,size,key,post);
64	64	};
65	65
…	…
69	69	"(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)"
70	70	"\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$";
71		mapping (~~pre,pcre,key,size~~,post);
	71	mapping (none,pre,pcre,size,key,post);
72	72	};
73	73
…	…
78	78	"(.*)(\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC"
79	79	"\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF)(.*)$";
80		mapping (~~pre,pcre,key,sizeinvert~~,post);
	80	mapping (none,pre,pcre,sizeinvert,key,post);
81	81	};
82	82
…	…
88	88	"(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x8B\\xC5\\x83\\xC0\\x11"
89	89	"\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$";
90		mapping (~~pre,pcre,key,size~~,post);
	90	mapping (none,pre,pcre,size,key,post);
91	91	};
92	92
…	…
96	96	"(.*)(\\xEB\\x10\\x5A\\x4A\\x31\\xC9\\x66\\xB9\(..)\\x80\\x34\\x0A(.)\\xE2\\xFA"
97	97	"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$";
98		mapping (~~pre,pcre,key,size~~,post);
	98	mapping (none,pre,pcre,size,key,post);
99	99	};
100	100
…	…
105	105	"(.*)(\\xEB\\x0F\\x5B\\x33\\xC9\\x66\\xB9(..)\\x80\\x33(.)\\x43\\xE2\\xFA\\xEB"
106	106	"\\x05\\xE8\\xEC\\xFF\\xFF\\xFF)(.*)$";
107		mapping (~~pre,pcre,key,size~~,post);
	107	mapping (none,pre,pcre,size,key,post);
108	108	};
109	109
…	…
113	113	"(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x83\\xC5\\x15\\x90\\x90"
114	114	"\\x90\\x8B\\xC5\\x33\\xC9\\x66\\xB9(..)\\x50\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$";
115		mapping (~~pre,pcre,key,size~~,post);
	115	mapping (none,pre,pcre,size,key,post);
116	116	};
117	117
…	…
121	121	"(.*)(\\x31\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)"
122	122	"\\x83\\xEB\\xFC\\xE2\\xF4)(.*)$";
123		mapping (pre,pcre,key,sizeinvert,post);
	123	mapping (none,pre,pcre,key,sizeinvert,post);
124	124	};
125	125
…	…
129	129	"(.*)(\\x33\\xC0\\xF7\\xD0\\x8B\\xFC\\xF2\\xAF\\x57\\x33\\xC9\\xB1(.)\\x90\\x90\\x90"
130	130	"\\x90\\x80\\x37(.)\\x47\\xE2\\xFA.\\xFF\\xFF\\xFF\\xFF)(.)$";
131		mapping (~~pre,pcre,key,size~~,post);
	131	mapping (none,pre,pcre,size,key,post);
132	132	};
133	133
…	…
137	137	"(.*)(\\xEB\\x0F\\x8B\\x34\\x24\\x33\\xC9\\x80\\xC1(.)\\x80\\x36(.)\\x46\\xE2\\xFA"
138	138	"\\xC3\\xE8\\xEC\\xFF\\xFF\\xFF)(.*)$";
139		mapping (~~pre,pcre,key,size~~,post);
	139	mapping (none,pre,pcre,size,key,post);
140	140	};
141	141
…	…
147	147	"\\x01\\xFC\\xFF\\xFF\\x83\\xE4\\xFC\\x8B\\xEC\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)"
148	148	"\\x40\\xE2\\xFA)(.*)$";
149		mapping (~~pre,pcre,key,size~~,post);
	149	mapping (none,pre,pcre,size,key,post);
150	150	};
151	151
…	…
155	155	"(.*)(\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)\\x83"
156	156	"\\xEB\\xFC\\xE2\\xF4)(.*)$";
157		mapping (pre,pcre,key,sizeinvert,post);
	157	mapping (none,pre,pcre,key,sizeinvert,post);
158	158	};
159	159
…	…
164	164	"(.*)(\\x2B\\xC9\\x83\\xE9(.)\\xE8\\xFF\\xFF\\xFF\\xFF\\xC0\\x5E\\x81\\x76\\x0E(....)"
165	165	"\\x83\\xEE\\xFC\\xE2\\xF4)(.*)$";
166		mapping (~~pre,pcre,key,sizeinvert~~,post);
	166	mapping (none,pre,pcre,sizeinvert,key,post);
167	167	};
168	168
…	…
173	173	"(.*)(\\xEB\\x0E\\x5B\\x4B\\x33\\xC9\\xB1(.)\\x80\\x34\\x0B(.)\\xE2\\xFA\\xEB\\x05\\xE8"
174	174	"\\xED\\xFF\\xFF\\xFF)(.*)$";
175		mapping (~~pre,pcre,key,size~~,post);
	175	mapping (none,pre,pcre,size,key,post);
176	176	};
177	177
…	…
180	180	pattern
181	181	"(.)(\\xEB.\\xEB.\\xE8.\\xB1(.).\\x80..(.).\\xE2.)(.*)$";
182		mapping (~~pre,pcre,key,size~~,post);
	182	mapping (none,pre,pcre,size,key,post);
183	183	};
184	184
…	…
248	248	{
249	249	pattern
	250
	251	"\\x83\\xEC\\x34\\x8B\\xF4\\xE8\\x47\\x01\\x00\\x00\\x89\\x06\\xFF\\x36\\x68\\x8E\\x4E\\x0E"
	252	"\\xEC\\xE8\\x61\\x01\\x00\\x00\\x89\\x46\\x08\\xFF\\x36\\x68\\xAD\\xD9\\x05\\xCE\\xE8\\x52"
	253	"\\x01\\x00\\x00\\x89\\x46\\x0C\\x68\\x6C\\x6C\\x00\\x00\\x68\\x33\\x32\\x2E\\x64\\x68\\x77"
	254	"\\x73\\x32\\x5F\\x54\\xFF\\x56\\x08\\x89\\x46\\x04\\xFF\\x36\\x68\\x72\\xFE\\xB3\\x16\\xE8"
	255	"\\x2D\\x01\\x00\\x00\\x89\\x46\\x10\\xFF\\x36\\x68\\x7E\\xD8\\xE2\\x73\\xE8\\x1E\\x01\\x00"
	256	"\\x00\\x89\\x46\\x14\\xFF\\x76\\x04\\x68\\xCB\\xED\\xFC\\x3B\\xE8\\x0E\\x01\\x00\\x00\\x89"
	257	"\\x46\\x18\\xFF\\x76\\x04\\x68\\xD9\\x09\\xF5\\xAD\\xE8\\xFE\\x00\\x00\\x00\\x89\\x46\\x1C"
	258	"\\xFF\\x76\\x04\\x68\\xA4\\x1A\\x70\\xC7\\xE8\\xEE\\x00\\x00\\x00\\x89\\x46\\x20\\xFF\\x76"
	259	"\\x04\\x68\\xA4\\xAD\\x2E\\xE9\\xE8\\xDE\\x00\\x00\\x00\\x89\\x46\\x24\\xFF\\x76\\x04\\x68"
	260	"\\xE5\\x49\\x86\\x49\\xE8\\xCE\\x00\\x00\\x00\\x89\\x46\\x28\\xFF\\x76\\x04\\x68\\xE7\\x79"
	261	"\\xC6\\x79\\xE8\\xBE\\x00\\x00\\x00\\x89\\x46\\x2C\\x33\\xFF\\x81\\xEC\\x90\\x01\\x00\\x00"
	262	"\\x54\\x68\\x01\\x01\\x00\\x00\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF"
	263	"\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56"
	264	"\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65"
	265	"\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0";
	266
	267
	268	/*
250	269	"\\x83\\xEC\\x34\\x8B\\xF4\\xE8\\x47\\x01\\x00\\x00\\x89\\x06\\xFF\\x36\\x68\\x8E\\x4E\\x0E\\xEC\\xE8"
251	270	"\\x61\\x01\\x00\\x00\\x89\\x46\\x08\\xFF\\x36\\x68\\xAD\\xD9\\x05\\xCE\\xE8\\x52\\x01\\x00\\x00\\x89"
…	…
262	281	"\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66"
263	282	"\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0";
264
	283	*/
265	284	mapping (port);
266	285	};

r426	r428
30	30	sc_pcre,
31	31	sc_pre,
32		sc_post
	32	sc_post,
	33	sc_none
33	34	};
34	35