Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Markus Kern (markus-kernat_private)
Date: Wed Sep 05 2001 - 09:31:52 PDT


    DerHexXerat_private wrote:
    > 
    > @Markus Kern:
    > Thank you for sharing this great piece of code ...
    > ... it actually is a great solution (a much better one than mine) for the
    > problem i was addressing.
    
    umm, thanks :)
    I'd like to have your knowledge of assembler though...
    
    > Let me resume what your code does:
    > 
    > Host [A] is compromised by CodeRedI/II.
    > Host [B] has your CRclean.dll isapi-filter installed (either installed by
    > user or automated).
    > 
    > Host [A] sends out exploit plus CodeRed to random addresses and hits Host
    > [B].
    > Host [B] counters this infection attempt by sending its own exploit
    > (CRclean.asm).
    > * Host [A] downloads CRclean.dll from Host [B]
    > * Host [A] executes CRclean.dll via rundll32 (func 'run') with system
    > privileges.
    > This is what happens then: (we are now in func 'run' from CRclean.dll.)
    > * determines OS version
    > * load needed dlls
    > * download and apply patch (determine lang, dl patch, execute it, terminate
    > hotfix.exe, cleanup tempdir)
    > * remove CRII (delete explorer.exe, remove root.exe, reenable
    > fileprotection, cleanup registry [mapping backdoors])
    > * add CRclean.dll isapi-filter (registry)
    > * restart iis (iisrestart.exe /restart /timeout:30)
    > 
    > After new filter is installed, Host [A] will join the fight against CodeRed.
    
    That's exactly how it works.
    
    > Again ... this is a great solution, but
    > I think that there are several problems in your code:
    > a) rundll32 is called with system privileges. I had some problems while
    > accessing the registry with system privileges. It might be possible that CRclean
    > is not able to install itself as a new filter.
    
    I tested the worm on a box with the German version of Windows 2000 Server and 
    didn't encounter any problems with registry access.
    
    > b) If on Host [A] one of the CRII explorer.exe backdoors is running, this
    > file can't be deleted (and can't be terminated via TerminateProcess
    > [GetLastError: 5 (access denied)]).
    
    The explorer.exe backdoor is started by the next user who logs in, most likely
    that's the administrator so it runs with admin privileges. The DLL runs with
    system privileges since it's spawned by IIS.
    The DLL first calls FindProcess() which retrieves a list of running processes
    and searches this list for processes with an executable path of
    "c:\explorer.exe" and "d:\explorer.exe".
    The handle returned by FindProcess() is opened with PROCESS_TERMINATE access
    and is used in a call to TerminateProcess().
    The file attributes are then set to FILE_ATTRIBUTE_NORMAL so it can
    be deleted using DeleteFile().
    
    Again this worked absolutely fine when I tested it.
    
    > The main problem (isapi-filter bufferoverrun vulnerability) is solved,
    
    To make this clear for all, CRclean is not designed to prevent exploit code
    from reaching idq.dll. The filtering in HttpFilterProc() is easily 
    circumvented by hex-encoding the request. Its purpose is only to 
    *detect* *CodeRed* intrusion attempts.
    That basically means that when the patch installation fails for some reason
    you're still vulnerable to non-CodeRed exploits using the same bug.
    
    > but there still remain the backdoors CRII injected on many systems. 
    > You should test your code under "in-the-wild" conditions.
    
    Well, I'm a poor student and don't have the resources to set up a lab
    with dozens of differently configured systems...
    And "testing in the wild" doesn't sound like a good idea to me ;)
    
    > @Stanley Bubrouski:
    
    Huh? Did I miss something here?
    I don't know who Stanley Bubrouski is so I won't comment anything here.
    
    <snip: Der HexXer's responses to Stanley Bubrouski>
    
    regards,
    Markus Kern
    
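The point Markus makes about HttpFilterProc() above (a signature match on the raw request is a detector, not a protection, because the request can be hex-encoded) is illustrated below with an added example. It is not CRclean's code and not from the original thread; it is a small Python model of a string-match filter next to the same rule applied after canonicalizing the path. It assumes the server percent-decodes the URL before mapping the extension to idq.dll and that it also accepts the IIS-specific %uXXXX form; the request lines are constructed samples, with the actual overflow payload omitted.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic). Code Red reached
# idq.dll through a request for a .ida resource; the payload is left out here.
SAMPLE_REQUESTS = {
    "plain":   "GET /default.ida?NNNNNNNNNNNN HTTP/1.0",
    "percent": "GET /default%2Eida?NNNNNNNNNNNN HTTP/1.0",
    "double":  "GET /default%252Eida?NNNNNNNNNNNN HTTP/1.0",
    "ucode":   "GET /default%u002Eida?NNNNNNNNNNNN HTTP/1.0",
    "benign":  "GET /index.html HTTP/1.0",
}

# %uXXXX is an IIS-specific encoding; supporting it here is an assumption
# about the server, not something taken from the original post.
_UENC = re.compile(r"%u([0-9a-fA-F]{4})")


def request_path(request_line):
    """Return the path part of a request line, without method, query or version."""
    _, target, _ = request_line.split(" ", 2)
    return target.split("?", 1)[0]


def canonicalize(path, max_rounds=3):
    """Decode %uXXXX and %XX sequences until the path stops changing.

    Decoding to a fixed point is deliberately conservative for a detector:
    it also catches double-encoded paths, at the cost of possible over-matching.
    """
    for _ in range(max_rounds):
        decoded = _UENC.sub(lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded)
        if decoded == path:
            break
        path = decoded
    return path


def naive_filter(request_line):
    """Signature match on the raw bytes, as a plain string-match filter does."""
    return request_path(request_line).lower().endswith((".ida", ".idq"))


def canonical_filter(request_line):
    """The same rule applied to the decoded path the script mapping will see."""
    path = canonicalize(request_path(request_line))
    return path.lower().endswith((".ida", ".idq"))


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each sample to (naive_hit, canonical_hit) so the gap is visible."""
    return {name: (naive_filter(r), canonical_filter(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:8s} naive={naive!s:5s} canonical={canon!s:5s}")
```

Only the "plain" sample trips the naive filter; the three encoded variants reach the same script mapping but slip past it, which is exactly why a raw-byte match can only be trusted to spot the stock worm. Even the canonicalizing version is a detector for one request shape, not a fix for the idq.dll overflow; the patch is what closes the bug.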



    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 09:47:19 PDT