Changeset 433
- Timestamp:
- 03/27/06 03:26:35 (3 years ago)
- Files:
-
- nepenthes/trunk/modules/shellcode-signatures/Makefile.am (modified) (1 diff)
- nepenthes/trunk/modules/shellcode-signatures/parser.h (modified) (1 diff)
- nepenthes/trunk/modules/shellcode-signatures/parser.l (modified) (2 diffs)
- nepenthes/trunk/modules/shellcode-signatures/parser.y (modified) (4 diffs)
- nepenthes/trunk/modules/shellcode-signatures/sch_namespace_bindfiletransfer.cpp (added)
- nepenthes/trunk/modules/shellcode-signatures/sch_namespace_bindfiletransfer.hpp (added)
- nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp (modified) (2 diffs)
- nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/Makefile.am
r432 r433 22 22 shellcodesignatures_la_SOURCES += sch_namespace_linkxor.cpp sch_namespace_linkxor.hpp 23 23 shellcodesignatures_la_SOURCES += sch_namespace_connectbackfiletransfer.cpp sch_namespace_connectbackfiletransfer.hpp 24 24 shellcodesignatures_la_SOURCES += sch_namespace_bindfiletransfer.cpp sch_namespace_bindfiletransfer.hpp 25 25 shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version 26 26 nepenthes/trunk/modules/shellcode-signatures/parser.h
r430 r433 15 15 sc_download, 16 16 sc_url, 17 sc_ link,18 sc_blink 17 sc_bindfiletransfer 18 19 19 }; 20 20 21 21 enum sc_mapping 22 22 { 23 sc_key, 23 sc_key, 24 sc_subkey, 24 25 sc_size, 25 26 sc_sizeinvert, nepenthes/trunk/modules/shellcode-signatures/parser.l
r430 r433 52 52 "download" { return SC_DOWNLOAD; } 53 53 "url" { return SC_URL; } 54 "connectbacklinkfiletransfer" { return SC_CONNECTBACK_LINK_FILETRANSFER; } 55 "bindlinkfiletransfer" { return SC_BIND_LINK_FILETRANSFER; } 54 "bindfiletransfer" { return SC_BIND_FILETRANSFER; } 56 55 57 56 "hostkey" { return SC_HOSTKEY; } 58 57 "portkey" { return SC_PORTKEY; } 59 58 60 "key" { return SC_KEY; } 59 "subkey" { return SC_SUBKEY; } 60 "key" { return SC_KEY; } 61 61 "size" { return SC_SIZE; } 62 62 "sizeinvert" { return SC_SIZEINVERT; } … … 64 64 "port" { return SC_PORT; } 65 65 "command" { return SC_COMMAND; } 66 "uri" { return SC_URI; }66 "uri" { return SC_URI; } 67 67 "pcre" { return SC_PCRE; } 68 68 "pre" { return SC_PRELOAD; } 69 "post" { return SC_POSTLOAD; }69 "post" { return SC_POSTLOAD; } 70 70 71 71 nepenthes/trunk/modules/shellcode-signatures/parser.y
r430 r433 29 29 SC_BIND_SHELL 30 30 SC_CONNECTBACK_SHELL 31 SC_CONNECTBACK_FILETRANSFER 31 SC_CONNECTBACK_FILETRANSFER SC_BIND_FILETRANSFER 32 32 SC_EXECUTE 33 33 SC_DOWNLOAD 34 34 SC_URL 35 SC_CONNECTBACK_LINK_FILETRANSFER SC_BIND_LINK_FILETRANSFER 36 SC_KEY SC_SIZE SC_SIZEINVERT SC_HOST SC_PORT SC_COMMAND 35 SC_KEY SC_SUBKEY SC_SIZE SC_SIZEINVERT SC_HOST SC_PORT SC_COMMAND 37 36 SC_URI 38 37 SC_PCRE SC_PRELOAD SC_POSTLOAD … … 131 130 shellcodes->nspace = sc_url; 132 131 } 133 |134 SC_CONNECTBACK_LINK_FILETRANSFER135 {136 shellcodes->nspace = sc_link;137 }138 132 | 139 SC_BIND_ LINK_FILETRANSFER140 { 141 shellcodes->nspace = sc_b link;133 SC_BIND_FILETRANSFER 134 { 135 shellcodes->nspace = sc_bindfiletransfer; 142 136 } 143 137 ; … … 183 177 shellcodes->map[shellcodes->map_items++] = sc_key; 184 178 } 185 | SC_SIZE 179 | SC_SUBKEY 180 { 181 shellcodes->map[shellcodes->map_items++] = sc_subkey; 182 } 183 | SC_SIZE 186 184 { 187 185 shellcodes->map[shellcodes->map_items++] = sc_size; … … 250 248 %% 251 249 252 struct sc_shellcode *init_shellcode() 253 { 254 struct sc_shellcode *s = (struct sc_shellcode *)malloc(sizeof(struct sc_shellcode)); 255 256 memset(s, 0, sizeof(struct sc_shellcode)); 257 258 s->next = shellcodes; 259 shellcodes = s; 260 261 return s; 262 } 263 264 265 char *sc_get_namespace_by_numeric(int num) 266 { 267 268 static char *namespacemapping[]= 269 { 270 "xor", 271 "linkxor", 272 "konstanzxor", 273 "leimbachxor", 274 "connectbackshell", 275 "connectbackfiletransfer", 276 "bindshell", 277 "execute", 278 "download", 279 "url", 280 "link", 281 "blink" 282 }; 283 284 if ( num > sizeof(namespacemapping)/sizeof(char *) ) 285 return "unmapped"; 286 else 287 return namespacemapping[num]; 288 } 289 290 char *sc_get_mapping_by_numeric(int num) 291 { 292 static char *mapmapping[]= 293 { 294 "key", 295 "size", 296 "sizeinvert", 297 "port", 298 "host", 299 "command", 300 "uri", 301 "pcre", 302 "pre", 303 "post", 304 "none", 305 "hostkey", 306 "portkey" 307 }; 
308 if ( num > sizeof(mapmapping)/sizeof(char *) ) 309 return "unmapped"; 310 else 311 return mapmapping[num]; 312 } 313 314 315 316 int yyerror(char* s) 317 { 318 snprintf(error_buffer, sizeof(error_buffer), 319 "%s at '%s' on line %d", s, yytext, line_number); 320 return 0; 321 } 322 323 324 int yywrap() 325 { 326 return 1; 327 } 328 329 struct sc_shellcode *sc_parse_file(const char *filename) 330 { 331 yyin = fopen(filename, "r"); 332 333 if( yyin == NULL ) 334 { 335 snprintf(error_buffer, sizeof(error_buffer), "%s", strerror(errno)); 336 return NULL; 337 } 338 339 init_shellcode(); 340 if( yyparse() != 0 ) 341 { 342 fclose(yyin); 343 /* TODO free partially alloc'd shellcodes */ 344 return NULL; 345 } 250 struct sc_shellcode *init_shellcode() 251 { 252 struct sc_shellcode *s = (struct sc_shellcode *)malloc(sizeof(struct sc_shellcode)); 253 254 memset(s, 0, sizeof(struct sc_shellcode)); 255 256 s->next = shellcodes; 257 shellcodes = s; 258 259 return s; 260 } 261 262 263 char *sc_get_namespace_by_numeric(int num) 264 { 265 266 static char *namespacemapping[]= 267 { 268 "xor", 269 "linkxor", 270 "konstanzxor", 271 "leimbachxor", 272 "connectbackshell", 273 "connectbackfiletransfer", 274 "bindshell", 275 "execute", 276 "download", 277 "url", 278 "bindfiletransfer" 279 }; 280 281 if ( num > sizeof(namespacemapping)/sizeof(char *) ) 282 return "unmapped"; 283 else 284 return namespacemapping[num]; 285 } 286 287 char *sc_get_mapping_by_numeric(int num) 288 { 289 static char *mapmapping[]= 290 { 291 "key", 292 "subkey", 293 "size", 294 "sizeinvert", 295 "port", 296 "host", 297 "command", 298 "uri", 299 "pcre", 300 "pre", 301 "post", 302 "none", 303 "hostkey", 304 "portkey" 305 }; 306 if ( num > sizeof(mapmapping)/sizeof(char *) ) 307 return "unmapped"; 308 else 309 return mapmapping[num]; 310 } 311 312 313 314 int yyerror(char* s) 315 { 316 snprintf(error_buffer, sizeof(error_buffer), 317 "%s at '%s' on line %d", s, yytext, line_number); 318 return 0; 319 } 320 321 322 
int yywrap() 323 { 324 return 1; 325 } 326 327 struct sc_shellcode *sc_parse_file(const char *filename) 328 { 329 yyin = fopen(filename, "r"); 330 331 if ( yyin == NULL ) 332 { 333 snprintf(error_buffer, sizeof(error_buffer), "%s", strerror(errno)); 334 return NULL; 335 } 336 337 init_shellcode(); 338 if ( yyparse() != 0 ) 339 { 346 340 fclose(yyin); 347 348 return shellcodes; 349 } 350 351 char *sc_get_error() 352 { 353 return error_buffer; 354 } 341 /* TODO free partially alloc'd shellcodes */ 342 return NULL; 343 } 344 fclose(yyin); 345 // taken from shellcode-generic/sch_generic_stuttgart.cpp 346 return shellcodes; 347 } 348 349 char *sc_get_error() 350 { 351 return error_buffer; 352 } nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp
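Review bot: The bound check in sc_get_namespace_by_numeric (new line 281) lets `num` equal the element count through, so `namespacemapping[num]` reads one past the end of the table; sc_get_mapping_by_numeric (line 306) has the same off-by-one, and both only reject negative `num` by accident of the signed-to-unsigned conversion in the comparison. The commit reshapes both tables (dropping "link"/"blink", adding "bindfiletransfer" and "subkey"), so the guards are worth tightening at the same time, e.g. `if ( num < 0 || (size_t)num >= sizeof(namespacemapping)/sizeof(namespacemapping[0]) )` and the equivalent for `mapmapping`. The comment added at line 345, `// taken from shellcode-generic/sch_generic_stuttgart.cpp`, sits inside sc_parse_file between the fclose and the return and refers to a different file; it looks misplaced and should either accompany whatever it describes (presumably a signature in the .sc file) or be dropped.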
r432 r433 46 46 #include "sch_namespace_linkxor.hpp" 47 47 #include "sch_namespace_connectbackfiletransfer.hpp" 48 #include "sch_namespace_bindfiletransfer.hpp" 48 49 49 50 #include "ShellcodeManager.hpp" … … 168 169 break; 169 170 170 case sc_link: 171 break; 172 173 case sc_blink: 171 case sc_bindfiletransfer: 172 sch = new NamespaceBindFiletransfer(sc); 174 173 break; 175 174 nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc
r432 r433 199 199 200 200 201 202 201 /* 202 wuerzburgxor::wuerzburg 203 { 204 /* 205 * this xor chain ckecks if the value too xor is equal to the xor key to avoid zeros 206 */ 207 pattern 208 "(.*\\xEB\\x27......)(\\x5D\\x33\\xC9\\x66\\xB9(..)\\x8D\\x75\\x05\\x8B\\xFE\\x8A" 209 "\\x06\\x3C(.)\\x75\\x05\\x46\\x8A\\x06\\x2C(.)\\x46\\x34(.)\\x88\\x07\\x47\\xE2\\xED\\xEB\\x0A\\xE8" 210 "\\xDA\\xFF\\xFF\\xFF)(.*)$"; 211 mapping (none,pre,pcre,size,key,subkey,none,post); 212 }; 213 */ 203 214 204 215 … … 775 786 }; 776 787 788 // taken from shellcode-generic/sch_generic_wuerzburg.cpp 789 connectbackfiletransfer::wuerzburg 790 { 791 pattern 792 "\\xEB\\x27(..)(....)........" 793 "................" 794 "..............\\x2E\\x62" 795 "\\x65\\x67\\x2E\\xE8\\x0A\\x00\\x00\\x00\\x8B\\x64\\x24\\x08\\x64\\x8F\\x00\\x58" 796 "\\xEB\\xF1\\x33\\xDB\\x64\\xFF\\x33\\x64\\x89\\x23\\x8D\\x85\\x68\\x01\\x00\\x00" 797 "\\x50\\x6A\\x01\\x68\\x01\\x00\\x1F\\x00\\xE8\\x90\\x01\\x00\\x00\\x09\\xC6\\x52" 798 "\\xAE\\x0B\\xC0\\x0F\\x85\\x22\\x01\\x00\\x00\\x81\\xEC\\x00\\x02\\x00\\x00\\x54" 799 "\\x68\\x01\\x01\\x00\\x00\\xE8\\x4B\\x01\\x00\\x00\\x7D\\x75\\xDE\\xCD\\x81\\xC4" 800 "\\x00\\x02\\x00\\x00\\x6A\\x06\\x6A\\x01\\x6A\\x02\\xE8\\x36\\x01\\x00\\x00\\x6A" 801 "\\xF1\\x7A\\xFC\\x89\\x85\\x84\\x01\\x00\\x00\\x83\\xEC\\x40\\x66\\xC7\\x04\\x24" 802 "\\x02\\x00\\x66\\x8B\\x45\\xD4\\x66\\x89\\x44\\x24\\x02\\x8B\\x45\\xD6\\x35(." 
803 "...)\\x89\\x44\\x24\\x04\\x2B\\xC0\\x8D\\x7C\\x24\\x08\\xAB\\xAB\\x8B" 804 "\\xDC\\x6A\\x10\\x53\\xFF\\xB5\\x84\\x01\\x00\\x00\\xE8\\xF6\\x00\\x00\\x00\\x8A" 805 "\\xFE\\xD8\\xED\\x83\\xC4\\x40\\x0B\\xC0\\x0F\\x85\\xAD\\x00\\x00\\x00\\x6A\\x04" 806 "\\x68\\x00\\x10\\x00\\x00\\x68\\x00\\x00\\x01\\x00\\x6A\\x00\\xE8\\xFC\\x00\\x00" 807 "\\x00\\xFE\\x6A\\x7A\\x69\\x89\\x85\\x7C\\x01\\x00\\x00\\x6A\\x00\\x68\\x00\\x00" 808 "\\x01\\x00\\x50\\xFF\\xB5\\x84\\x01\\x00\\x00\\xE8\\xB7\\x00\\x00\\x00\\xF6\\x71" 809 "\\x59\\x0E\\x50\\x6A\\x02\\xFF\\xB5\\x84\\x01\\x00\\x00\\xE8\\xA5\\x00\\x00\\x00" 810 "\\x41\\x58\\x7C\\x4C\\x2B\\xC0\\x50\\x50\\x6A\\x02\\x50\\x50\\x68\\x00\\x00\\x00" 811 "\\x40\\x8D\\x9D\\x6F\\x01\\x00\\x00\\x53\\xE8\\xB0\\x00\\x00\\x00\\x14\\xF1\\xF8" 812 "\\x08\\x89\\x85\\x6B\\x01\\x00\\x00\\x5A\\x83\\xF8\\xFF\\x74\\x3E\\x54\\x8B\\xC4" 813 "\\x6A\\x00\\x50\\x52\\xFF\\xB5\\x7C\\x01\\x00\\x00\\xFF\\xB5\\x6B\\x01\\x00\\x00" 814 "\\xE8\\x88\\x00\\x00\\x00\\xC3\\xD1\\x3F\\x0F\\x59\\xFF\\xB5\\x6B\\x01\\x00\\x00" 815 "\\xE8\\x78\\x00\\x00\\x00\\xD5\\xB0\\x3E\\x72\\x6A\\x05\\x8D\\x9D\\x6F\\x01\\x00" 816 "\\x00\\x53\\xE8\\x66\\x00\\x00\\x00\\xAD\\x6D\\xBF\\xE8\\x6A\\x00\\xE8\\x5B\\x00" 817 "\\x00\\x00\\x60\\xA2\\x8A\\x76\\x75\\x39\\x00\\x00\\x00\\x00\\x00\\x2E\\x5C\\x66" 818 "\\x74\\x70\\x75\\x70\\x64\\x2E\\x65\\x78\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00" 819 "\\x00\\x00\\x00\\x00\\x00\\x00\\x53\\x6C\\x65\\x65\\x70\\x00\\x6B\\x65\\x72\\x6E" 820 "\\x65\\x6C\\x33\\x32\\x00\\x5E\\xAD\\x60\\x33\\xC0\\x2D\\xB4\\xB3\\xFF\\x87\\x50" 821 "\\x35\\x7F\\x7E\\x2E\\x3C\\x50\\x05\\x24\\x21\\x04\\x1B\\x50\\x54\\xE8\\x0B\\x00" 822 "\\x00\\x00\\x26\\x80\\xAC\\xC8\\x8D\\x64\\x24\\x0C\\x93\\xEB\\x08\\x5E\\xAD\\x60" 823 "\\xE8\\x51\\x00\\x00\\x00\\x8B\\x4B\\x3C\\x8B\\x4C\\x19\\x78\\x03\\xCB\\x33\\xF6" 824 "\\x8D\\x14\\xB3\\x03\\x51\\x20\\x8B\\x12\\x03\\xD3\\x33\\xC0\\xC1\\xC0\\x07\\x32" 825 "\\x02\\x42\\x80\\x3A\\x00\\x75\\xF5\\x3B\\x44\\x24\\x1C\\x74\\x07\\x46\\x3B\\x71" 826 
"\\x18\\x72\\xDD\\xCC\\x8B\\x51\\x24\\x03\\xD3\\x0F\\xB7\\x14\\x72\\x8B\\x41\\x1C" 827 "\\x03\\xC3\\x8B\\x04\\x90\\x03\\xC3\\x89\\x44\\x24\\x1C\\x61\\x89\\x85\\x80\\x01"; 828 // \\x00\\x00\\xFF\\xD0\\xFF\\xE6\\x64\\x67\\x8B\\x1E\\x30\\x00\\x8B\\x5B\\x0C\\x8B\\x5B\\x1C\\x8B\\x1B\\x8B\\x5B\\x08\\xC3\\x35\\x51\\x14\\xFD\\xBD\\x95\\x0A\\x72\\x91\\xC7\\x34\\xF9\\x71\\xC8\\x99\\xC9\\x99\\xC9\\x99\\xC9\\x12\\xD2\\xA5\\x12\\xD5\\x80\\xE1\\x9A\\x52\\xAA\\x6F\\x14\\x8D\\x2A\\x9A\\xC8\\xB9\\x12\\x8B\\x9A\\x4A\\xAA\\x59\\x58\\x59\\x9E\\xAB\\x9B\\xDB\\x19\\xA3\\x99\\xC9\\xEC\\x6C\\xA2\\xDD\\xBD\\x85\\xED\\x9E\\xDF\\xA2\\xE8\\x81\\xEB\\x44\\x55\\x12\\xC8\\xBD\\x9A\\x4A\\x96\\x2E\\x8D\\xEB\\x12\\xD8\\x85\\x9A\\x5A\\x12\\x9D\\x09\\x9A\\x5A\\x10\\xDD\\xBD\\x85\\xF8\\x10\\x1C\\x19\\x98\\x99\\xC9\\x99\\xC9\\x66\\x49\\x66\\x7F\\xFD\\xFE\\x12\\x87\\xA9\\x99\\xC9\\x12\\xC2\\x95\\x12\\xC2\\x85\\x12\\x82\\x12\\xC2\\x91\\x5A\\xB7\\xFC\\xF7\\xFD\\xB7\\x90"; 829 830 831 mapping(none,port,host,hostkey); 832 }; 777 833 778 834 /* … … 789 845 790 846 mapping (none,port,key); 847 }; 848 849 850 bindfiletransfer::amberg 851 { 852 pattern 853 "\\xeb\\x02\\xeb\\x6b" 854 "\\xe8\\xf9\\xff\\xff\\xff\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c" 855 "\\x8b\\x54\\x05\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32" 856 "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac\\x3a\\xc4\\x74\\x07" 857 "\\xc1\\xcf\\x0d\\x03\\xf8\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24" 858 "\\x03\\xdd\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x03\\xdd\\x8b\\x04\\x8b\\x03\\xc5" 859 "\\xeb\\x02\\x33\\xc0\\x5f\\x5e\\x5d\\x5b\\x89\\x44\\x24\\x04\\x8b\\x04\\x24\\x89" 860 "\\x44\\x24\\x08\\x8b\\x44\\x24\\x04\\x83\\xc4\\x08\\xc3\\x5e\\x6a\\x30\\x59\\x64" 861 "\\x8b\\x19\\x8b\\x5b\\x0c\\x8b\\x5b\\x1c\\x8b\\x1b\\x8b\\x7b\\x08\\x83\\xec\\x1c" 862 "\\x8b\\xec\\x33\\xc0\\x50\\x68\\x2e\\x65\\x78\\x65\\x89\\x65\\x14\\x57\\x68\\xea" 863 
"\\x49\\x8a\\xe8\\xff\\xd6\\x6a\\x06\\xff\\x75\\x14\\xff\\xd0\\x89\\x45\\x04\\x57" 864 "\\x68\\xdb\\x8a\\x23\\xe9\\xff\\xd6\\x89\\x45\\x0c\\x57\\x68\\x8e\\x4e\\x0e\\xec" 865 "\\xff\\xd6\\x33\\xc9\\x66\\xb9\\x6c\\x6c\\x51\\x68\\x33\\x32\\x2e\\x64\\x68\\x77" 866 "\\x73\\x32\\x5f\\x54\\xff\\xd0\\x8b\\xd8\\x53\\x68\\xb6\\x19\\x18\\xe7\\xff\\xd6" 867 "\\x89\\x45\\x10\\x53\\x68\\xe7\\x79\\xc6\\x79\\xff\\xd6\\x89\\x45\\x18\\x53\\x68" 868 "\\x6e\\x0b\\x2f\\x49\\xff\\xd6\\x6a\\x06\\x6a\\x01\\x6a\\x02\\xff\\xd0\\x89\\x45" 869 "\\x08\\x33\\xc0\\x50\\x50\\x50\\xb8\\x02\\xff(..)\\x80\\xf4\\xff\\x50\\x8b" 870 "\\xc4\\x6a\\x10\\x50\\xff\\x75\\x08\\x53\\x68\\xa4\\x1a\\x70\\xc7\\xff\\xd6\\xff" 871 "\\xd0\\x58\\x53\\x68\\xa4\\xad\\x2e\\xe9\\xff\\xd6\\x6a\\x10\\xff\\x75\\x08\\xff" 872 "\\xd0\\x33\\xc0\\x50\\x50\\xff\\x75\\x08\\x53\\x68\\xe5\\x49\\x86\\x49\\xff\\xd6" 873 "\\xff\\xd0\\x8b\\x4d\\x08\\x89\\x45\\x08\\x51\\xff\\x55\\x18\\x81\\xc4\\xfc\\xfe" 874 "\\xff\\xff\\x8b\\xdc\\x33\\xc9\\x51\\xb1\\xff\\x51\\x53\\xff\\x75\\x08\\xff\\x55" 875 "\\x10\\x85\\xc0\\x7e\\x0a\\x50\\x53\\xff\\x75\\x04\\xff\\x55\\x0c\\xeb\\xe5\\xff" 876 "\\x75\\x08\\xff\\x55\\x18\\x57\\x68\\x5b\\x4c\\x1a\\xdd\\xff\\xd6\\xff\\x75\\x04" 877 "\\xff\\xd0\\x33\\xc0\\x50\\xff\\x75\\x14\\x57\\x68\\x98\\xfe\\x8a\\x0e\\xff\\xd6" 878 "\\xff\\xd0\\x57\\x68\\xef\\xce\\xe0\\x60\\xff\\xd6\\xff\\xd0"; 879 880 mapping (port,key); 791 881 }; 792 882 */
