Navigation

← Previous Changeset
Next Changeset →

Changeset 429

Timestamp:

03/26/06 03:41:42 (3 years ago)

Author:

common

Message:

shellcode-signatures
- fixed 2 xor:: patterns in signature file, i hope they are all ready now
- namespace url:: added
- namespace execute:: added

Files:

nepenthes/trunk/modules/shellcode-signatures/Makefile.am (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/lex.yy.c (modified) (5 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_execute.cpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_execute.hpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_url.cpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_url.hpp (added)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/y.tab.c (modified) (18 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

nepenthes/trunk/modules/shellcode-signatures/Makefile.am

r428	r429
18	18	shellcodesignatures_la_SOURCES += sch_namespace_bindshell.cpp sch_namespace_bindshell.hpp
19	19	shellcodesignatures_la_SOURCES += sch_namespace_connectbackshell.cpp sch_namespace_connectbackshell.hpp
	20	shellcodesignatures_la_SOURCES += sch_namespace_execute.cpp sch_namespace_execute.hpp
	21	shellcodesignatures_la_SOURCES += sch_namespace_url.cpp sch_namespace_url.hpp
20	22
21	23	shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version

nepenthes/trunk/modules/shellcode-signatures/lex.yy.c

r426	r429
1006	1006	YY_RULE_SETUP
1007	1007	#line 66 "parser.l"
1008		{ return SC_PRELOAD; }
	1008	{ return SC_POSTLOAD; }
1009	1009	YY_BREAK
1010	1010	case 35:
1011	1011	YY_RULE_SETUP
1012		#line 68 "parser.l"
	1012	#line 69 "parser.l"
1013	1013	{ string_append(yytext, strlen(yytext)); return SC_ID; }
1014	1014	YY_BREAK
1015	1015	case 36:
1016	1016	YY_RULE_SETUP
1017		#line 71 "parser.l"
	1017	#line 72 "parser.l"
1018	1018	{ BEGIN(comment); }
1019	1019	YY_BREAK
1020	1020	case 37:
1021	1021	YY_RULE_SETUP
1022		#line 72 "parser.l"
	1022	#line 73 "parser.l"
1023	1023	{ }
1024	1024	YY_BREAK
1025	1025	case 38:
1026	1026	YY_RULE_SETUP
1027		#line 73 "parser.l"
	1027	#line 74 "parser.l"
1028	1028	{ BEGIN(INITIAL); }
1029	1029	YY_BREAK
1030	1030	case 39:
1031	1031	YY_RULE_SETUP
1032		#line 74 "parser.l"
	1032	#line 75 "parser.l"
1033	1033	{ }
1034	1034	YY_BREAK
…	…
1036	1036	/* rule 40 can match eol */
1037	1037	YY_RULE_SETUP
1038		#line 75 "parser.l"
	1038	#line 76 "parser.l"
1039	1039	{ line_number++; }
1040	1040	YY_BREAK
1041	1041	case 41:
1042	1042	YY_RULE_SETUP
1043		#line 77 "parser.l"
	1043	#line 78 "parser.l"
1044	1044	{ BEGIN(string); }
1045	1045	YY_BREAK
1046	1046	case 42:
1047	1047	YY_RULE_SETUP
1048		#line 78 "parser.l"
	1048	#line 79 "parser.l"
1049	1049	{ BEGIN(INITIAL); return SC_STRING; }
1050	1050	YY_BREAK
1051	1051	case 43:
1052	1052	YY_RULE_SETUP
1053		#line 79 "parser.l"
	1053	#line 80 "parser.l"
1054	1054	{ string_append("\n", 1); }
1055	1055	YY_BREAK
1056	1056	case 44:
1057	1057	YY_RULE_SETUP
1058		#line 80 "parser.l"
	1058	#line 81 "parser.l"
1059	1059	{ string_append("\r", 1); }
1060	1060	YY_BREAK
1061	1061	case 45:
1062	1062	YY_RULE_SETUP
1063		#line 81 "parser.l"
	1063	#line 82 "parser.l"
1064	1064	{ string_append("\t", 1); }
1065	1065	YY_BREAK
1066	1066	case 46:
1067	1067	YY_RULE_SETUP
1068		#line 82 "parser.l"
	1068	#line 83 "parser.l"
1069	1069	{ string_append("\"", 1); }
1070	1070	YY_BREAK
1071	1071	case 47:
1072	1072	YY_RULE_SETUP
1073		#line 83 "parser.l"
	1073	#line 84 "parser.l"
1074	1074	{ string_append("\0", 1); }
1075	1075	YY_BREAK
1076	1076	case 48:
1077	1077	YY_RULE_SETUP
1078		#line 84 "parser.l"
	1078	#line 85 "parser.l"
1079	1079	{ string_append("\\", 1); }
1080	1080	YY_BREAK
1081	1081	case 49:
1082	1082	YY_RULE_SETUP
1083		#line 85 "parser.l"
	1083	#line 86 "parser.l"
1084	1084	{
1085	1085	char hexval[] = {'0', 'x', (yytext + 2), (yytext + 3), '\0'};
…	…
1093	1093	/* rule 50 can match eol */
1094	1094	YY_RULE_SETUP
1095		#line 92 "parser.l"
	1095	#line 93 "parser.l"
1096	1096	{ string_append(yytext, strlen(yytext)); }
1097	1097	YY_BREAK
1098	1098	case 51:
1099	1099	YY_RULE_SETUP
1100		#line 94 "parser.l"
	1100	#line 95 "parser.l"
1101	1101	{ }
1102	1102	YY_BREAK
1103	1103	case 52:
1104	1104	YY_RULE_SETUP
1105		#line 96 "parser.l"
	1105	#line 97 "parser.l"
1106	1106	{ }
1107	1107	YY_BREAK
…	…
1109	1109	/* rule 53 can match eol */
1110	1110	YY_RULE_SETUP
1111		#line 97 "parser.l"
	1111	#line 98 "parser.l"
1112	1112	{ line_number++; }
1113	1113	YY_BREAK
1114	1114	case 54:
1115	1115	YY_RULE_SETUP
1116		#line 99 "parser.l"
	1116	#line 100 "parser.l"
1117	1117	ECHO;
1118	1118	YY_BREAK
…	…
2086	2086	#undef YY_DECL
2087	2087	#endif
2088		#line 99 "parser.l"
	2088	#line 100 "parser.l"
2089	2089
2090	2090

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp

r428	r429
99	99
100	100
101		// d~~ata before xo~~r
	101	// decoder
102	102	const char *decoderMatch= NULL;
103	103	uint32_t decoderSize = 0;

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp

r428	r429
42	42	#include "sch_namespace_bindshell.hpp"
43	43	#include "sch_namespace_connectbackshell.hpp"
	44	#include "sch_namespace_execute.hpp"
	45	#include "sch_namespace_url.hpp"
44	46
45	47	#include "ShellcodeManager.hpp"
…	…
152	154
153	155	case sc_execute:
	156	sch = new NamespaceExecute(sc);
154	157	break;
155	158
…	…
158	161
159	162	case sc_url:
	163	sch = new NamespaceUrl(sc);
160	164	break;
161	165

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

r428	r429
121	121	"(.*)(\\x31\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)"
122	122	"\\x83\\xEB\\xFC\\xE2\\xF4)(.*)$";
123		mapping (none,pre,pcre,~~key,sizeinvert~~,post);
	123	mapping (none,pre,pcre,sizeinvert,key,post);
124	124	};
125	125
…	…
150	150	};
151	151
	152
152	153	xor::msfPexEnvSub
153	154	{
…	…
155	156	"(.*)(\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)\\x83"
156	157	"\\xEB\\xFC\\xE2\\xF4)(.*)$";
157		mapping (none,pre,pcre,key,sizeinvert,post);
158		};
	158	mapping (none,pre,pcre,sizeinvert,key,post);
	159	};
	160
159	161
160	162	xor::msfPex

nepenthes/trunk/modules/shellcode-signatures/y.tab.c

r426	r429
286	286	#define YYFINAL 2
287	287	/* YYLAST -- Last index in YYTABLE. */
288		#define YYLAST 45
	288	#define YYLAST 43
289	289
290	290	/* YYNTOKENS -- Number of terminals. */
…	…
293	293	#define YYNNTS 15
294	294	/* YYNRULES -- Number of rules. */
295		#define YYNRULES 41
	295	#define YYNRULES 42
296	296	/* YYNRULES -- Number of states. */
297		#define YYNSTATES 58
	297	#define YYNSTATES 59
298	298
299	299	/* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */
…	…
348	348	46, 49, 51, 53, 55, 58, 63, 66, 67, 71,
349	349	73, 75, 77, 79, 81, 83, 85, 87, 89, 91,
350		9~~5, 96~~
	350	93, 97, 98
351	351	};
352	352
…	…
363	363	-1, 29, -1, 30, -1, 31, -1, 33, -1, 32,
364	364	-1, 34, -1, 35, -1, 36, -1, 37, -1, 38,
365		-1, 13, 16, 53, -1, -1, 16, 53, -1
	365	-1, 11, -1, 13, 16, 53, -1, -1, 16, 53,
	366	-1
366	367	};
367	368
…	…
372	373	103, 108, 113, 118, 123, 128, 133, 138, 144, 146,
373	374	150, 154, 155, 156, 160, 167, 171, 174, 176, 180,
374		184, 188, 192, 196, 200, 204, 208, 212, 216, 224,
375		2~~32, 234~~
	375	184, 188, 192, 196, 200, 204, 208, 212, 216, 220,
	376	228, 236, 238
376	377	};
377	378	#endif
…	…
414	415	43, 43, 43, 43, 43, 43, 43, 43, 44, 44,
415	416	45, 46, 46, 46, 47, 48, 49, 50, 50, 51,
416		51, 51, 51, 51, 51, 51, 51, 51, 51, 52,
417		53, 53
	417	51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
	418	52, 53, 53
418	419	};
419	420
…	…
424	425	1, 1, 1, 1, 1, 1, 1, 1, 0, 2,
425	426	2, 1, 1, 1, 2, 4, 2, 0, 3, 1,
426		1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
427		0, 2
	427	1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
	428	3, 0, 2
428	429	};
429	430
…	…
436	437	13, 14, 15, 16, 17, 3, 0, 0, 18, 0,
437	438	0, 0, 0, 0, 18, 0, 22, 23, 21, 0,
438		24, 4~~0, 0, 0, 19, 20, 5, 40, 39, 2~~9,
439		~~30, 31, 33, 32, 34, 35, 36, 37, 38, 0~~,
440		~~27, 4, 41~~, 25, 0, 26, 27, 28
	439	24, 41, 0, 0, 19, 20, 5, 41, 40, 39,
	440	29, 30, 31, 33, 32, 34, 35, 36, 37, 38,
	441	0, 27, 4, 42, 25, 0, 26, 27, 28
441	442	};
442	443
…	…
445	446	{
446	447	-1, 1, 15, 16, 17, 23, 24, 25, 26, 27,
447		~~49, 55, 50~~, 28, 38
	448	50, 56, 51, 28, 38
448	449	};
449	450
450	451	/* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
451	452	STATE-NUM. */
452		#define YYPACT_NINF -29
	453	#define YYPACT_NINF -17
453	454	static const yysigned_char yypact[] =
454	455	{
455		-~~29, 0, -29, -29, -29, -29, -29, -29, -29, -29~~,
456		-~~29, -29, -29, -29, -29, -29, 7, 5, -1, 6~~,
457		~~18, 14, 27, 25, -1, 24, -29, -29, -29, 31~~,
458		-~~29, 19, -28, 28, -29, -29, -29, 19, -29, -29~~,
459		-~~29, -29, -29, -29, -29, -29, -29, -29, -29, 33~~,
460		~~32, -29, -29, -29, -28, -29, 32, -29~~
	456	-17, 0, -17, -17, -17, -17, -17, -17, -17, -17,
	457	-17, -17, -17, -17, -17, -17, -3, -5, -11, -4,
	458	-2, -9, 4, 3, -11, 2, -17, -17, -17, 10,
	459	-17, -1, 1, 5, -17, -17, -17, -1, -17, -17,
	460	-17, -17, -17, -17, -17, -17, -17, -17, -17, -17,
	461	11, 21, -17, -17, -17, 1, -17, 21, -17
461	462	};
462	463
…	…
464	465	static const yysigned_char yypgoto[] =
465	466	{
466		-~~29, -29, -29, -29, -29, 12, -29, -29, -29, -29~~,
467		-~~29, -17, -13, -29, 8~~
	467	-17, -17, -17, -17, -17, 16, -17, -17, -17, -17,
	468	-17, -16, -13, -17, 6
468	469	};
469	470
…	…
475	476	static const unsigned char yytable[] =
476	477	{
477		2, ~~39, 40, 41, 42, 43, 44, 45, 46, 47~~,
478		~~48, 20, 21, 18, 22, 19, 29~~, 3, 4, 5,
479		6, 7, 8, 9, 10, 11, 12, 13, 14, 30,
480		~~31, 32, 33, 35, 36, 37, 34, 51, 53, 57~~,
481		~~54, 56, 0, 0, 0, 52~~
	478	2, 20, 21, 18, 22, 19, 29, 31, 32, 30,
	479	33, 35, 39, 36, 52, 37, 54, 3, 4, 5,
	480	6, 7, 8, 9, 10, 11, 12, 13, 14, 55,
	481	40, 41, 42, 43, 44, 45, 46, 47, 48, 49,
	482	34, 58, 57, 53
482	483	};
483	484
484		static const ~~yysigned_~~char yycheck[] =
485		{
486		0, ~~29, 30, 31, 32, 33, 34, 35, 36, 37~~,
487		~~38, 12, 13, 6, 15, 10, 10~~, 17, 18, 19,
488		20, 21, 22, 23, 24, 25, 26, 27, 28, 11,
489		~~16, 4, 7, 9, 3, 16, 24, 9, 5, 56~~,
490		~~8, 54, -1, -1, -1~~, 37
	485	static const unsigned char yycheck[] =
	486	{
	487	0, 12, 13, 6, 15, 10, 10, 16, 4, 11,
	488	7, 9, 11, 3, 9, 16, 5, 17, 18, 19,
	489	20, 21, 22, 23, 24, 25, 26, 27, 28, 8,
	490	29, 30, 31, 32, 33, 34, 35, 36, 37, 38,
	491	24, 57, 55, 37
491	492	};
492	493
…	…
498	499	24, 25, 26, 27, 28, 41, 42, 43, 6, 10,
499	500	12, 13, 15, 44, 45, 46, 47, 48, 52, 10,
500		11, 16, 4, 7, 44, 9, 3, 16, 53, 29,
501		~~30, 31, 32, 33, 34, 35, 36, 37, 38, 49~~,
502		51, 9, 53, 5, 8, 50, 51, 50
	501	11, 16, 4, 7, 44, 9, 3, 16, 53, 11,
	502	29, 30, 31, 32, 33, 34, 35, 36, 37, 38,
	503	49, 51, 9, 53, 5, 8, 50, 51, 50
503	504	};
504	505
…	…
1144	1145	{
1145	1146	int i;
1146
	1147	/*
1147	1148	printf("shellcode:\n");
1148	1149
…	…
1159	1160
1160	1161	printf("\n\n");
1161
	1162	*/
1162	1163	/* prepare for the next one */
1163	1164	init_shellcode();
…	…
1335	1336
1336	1337	case 39:
1337		#line 225 "parser.y"
	1338	#line 221 "parser.y"
	1339	{
	1340	shellcodes->map[shellcodes->map_items++] = sc_none;
	1341	}
	1342	break;
	1343
	1344	case 40:
	1345	#line 229 "parser.y"
1338	1346	{
1339	1347	shellcodes->pattern = strndup(string_get_buffer(), string_get_len());
…	…
1347	1355
1348	1356	/* Line 1037 of yacc.c. */
1349		#line 1350 "y.tab.c"
	1357	#line 1358 "y.tab.c"
1350	1358
1351	1359	yyvsp -= yylen;
…	…
1575	1583
1576	1584
1577		#line 237 "parser.y"
	1585	#line 241 "parser.y"
1578	1586
1579	1587
…	…
1629	1637	"pcre",
1630	1638	"pre",
1631		"post"
	1639	"post",
	1640	"none"
1632	1641	};
1633	1642	if ( num > sizeof(mapmapping)/sizeof(char *) )