hello ppl!

I just received some crippled CodeRed II into my honeypot and I am sure somebody else has also noticed that:

- overall length of the attack is the same
- request method and start of url is missing (ie. GET /default?XXX...)
- but some additional headers added

I was curious about this issue and checked my analysis once again:

    seg000:000003CE call $+5                    ; get current pos
    seg000:000003D3 pop eax
    seg000:000003D4 sub eax, 3D3h               ; get start of worm
    seg000:000003D9 push 0                      ; flags = 0
    seg000:000003DB push 3818                   ; len
    seg000:000003E0 push eax                    ; start of wormcode (including request)
    seg000:000003E1 push dword ptr [ebp+sock]
    seg000:000003E4 call dword ptr [ebp+send]   ; send us

and found a major bug in this code: the worm calculates the start pos (that should be the request) always from the current eip. But if a transparent proxy was in the way and added some headers, the overall length of the received worm is more than 3818 bytes. Thus, the worm will fail to get its real start (GET /default.ida?XX) and will instead start somewhere inside the request. These worms can't reproduce themselves, of course.

That is: every worm that went through a proxy that will add headers is unable to reproduce itself. This could be a countermeasure!

just FYI

cheerz
corecode

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
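The offset bug the post describes, modelled as an added Python illustration (it is not the worm's code and not part of the post): a fixed-length copy taken at a fixed distance from the current position, and what that copy looks like once a transparent proxy has inserted headers. The request bytes, the marker standing in for the code at offset 0x3D3 and the proxy header values are all constructed.

```python
# Added illustration of the self-copy bug described in the post; not the
# worm's code. The request bytes, the marker that stands in for the code at
# offset 0x3D3 and the proxy header values are all constructed.

CODE_OFFSET = 0x3D3        # 'sub eax, 3D3h': distance from request start to the code
COPY_LEN = 3818            # fixed length handed to send()
MARKER = b"<WORMCODE>"     # constructed stand-in for the instruction at CODE_OFFSET


def build_attack() -> bytes:
    """Constructed stand-in for one 3818-byte CodeRed II request."""
    head = b"GET /default.ida?" + b"X" * 300 + b" HTTP/1.0\r\n\r\n"
    image = head + b"\x90" * (CODE_OFFSET - len(head)) + MARKER
    return image + b"\x90" * (COPY_LEN - len(image))


def proxy_forward(request: bytes, extra_headers: bytes) -> bytes:
    """Model a transparent proxy inserting headers after the request line."""
    line_end = request.index(b"\r\n") + 2
    return request[:line_end] + extra_headers + request[line_end:]


def worm_self_copy(received: bytes) -> bytes:
    """What the listing does: take the current position (the marker stands in
    for eip), subtract the fixed offset and send a fixed number of bytes."""
    eip = received.index(MARKER)
    start = eip - CODE_OFFSET
    return received[start:start + COPY_LEN]


def is_well_formed_copy(copy: bytes) -> bool:
    """A copy can only work against a new target if it still begins with the
    request line and carries the code at the expected offset."""
    return (copy.startswith(b"GET /default.ida?")
            and len(copy) == COPY_LEN
            and copy.find(MARKER) == CODE_OFFSET)


def demo() -> dict:
    original = build_attack()
    headers = b"Via: 1.0 proxy.example\r\nX-Forwarded-For: 10.0.0.5\r\n"  # constructed
    direct = worm_self_copy(original)
    mangled = worm_self_copy(proxy_forward(original, headers))
    return {
        "direct_ok": is_well_formed_copy(direct),         # True
        "mangled_ok": is_well_formed_copy(mangled),       # False: request line lost
        "mangled_len": len(mangled),                      # still 3818
        "mangled_has_proxy_headers": b"Via:" in mangled,  # True
        "mangled_prefix": mangled[:8],                    # lands inside the XXXX url
    }
```

The mangled copy reproduces exactly the three symptoms listed in the post: same length, the GET and start of the url gone, and the proxy's headers carried along.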
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 16:54:41 PDT