From ras@e-gerbil.net Sat Mar 17 20:03:14 2001
Date: Wed, 14 Mar 2001 19:05:30 -0500 (EST)
From: Richard A. Steenbergen
To: project@honeynet.org
Cc: tcorbin@communitech.net
Subject: Scan 13

1. What is the blackhat attempting to do with his command line syntax?

The command line syntax is specifying IPv4 octets to scan. For example ./luckgo 216 200 scans the block 216.200.*.*

2. What does the tool accomplish?

Automated port scanning of a netblock for RPC services, and attempted exploit of any RedHat Linux 6.2 systems using the nfs-utils-0.1.6-2 package.

3. How does the tool work?

The program "luckgo" is a wrapper for the "luckscan-a" port scanning program. When the port scanner detects a host with RPC portmap services, it attempts to exploit the host. The exploit itself is a simple buffer overflow in statd, a component of NFS (Network File System). The exploit code executed will bind to port 39168, and then spawn a /bin/sh shell with uid 0 privileges for anyone who connects.

4. Is this tool a worm, or would you classify it as something else?

A port scanner and a remote root exploit. There are no automated wormlike activities, though you could consider the activities of the cracker to be wormlike because he will most likely use the next exploited system to continue scans.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

The port scanner is very simplistic and poorly designed, but of a slightly better semantic quality than similar code. The use of non-blocking sockets, kernel connect() syscalls, and asynchronous event polling shows the code is advanced beyond "newbie programmer" code, but still very inexperienced. Using sockets is a waste of system resources, and limits the parallelism which is inherently possible in network scans over diverse topologies. It is not very fast or optimal, but decently functional.
Bonus Question: What information can you obtain about who is using or created the tool?

Interestingly enough, the port scanning socket and select code looks half decent for a beginning programmer, but it is being misapplied for use in this type of scan. The scanner's use of IPv4 octets and poor placement of arguments shows the programmer is very inexperienced with network addressing fundamentals and program design. The recursive for() loops appear to be of a different style and programming experience level, so my guess would be that the person who wrote the scanner did not write the socket code or did not write it at the same time. The person who put together this package with the "luckgo" script and port scanner also did not write the original statd exploit.

The targets being scanned are interesting, they appear to be comprised of major colocation providers (which would obviously be choice targets because of their ample connectivity) such as AboveNet, Digex, etc, as well as Cable/DSL blocks and common IRC shell provider networks. The person using this script is doubtless a young male IRC user (most likely EFNet given the choice of netblocks being scanned here). This is not an interesting piece of code, or atypical "script kiddie" behavior.

-- 
Richard A Steenbergen http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
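As an added illustration from the defender's side (example code written for this page, not part of the original message or of the luckgo/luckscan-a package), the following Python detector runs over a constructed connection log and flags two things the analysis above describes: a source sweeping many hosts on the RPC portmap port (TCP/111) inside a short window, which is the traffic pattern a wrapper like luckgo generates, and any connection to TCP/39168, the port the statd payload binds its root shell to. The log format, sample addresses, the 20-host threshold and the 60-second window are assumptions made for the example.

```python
"""Detection example (added here; not code from the original message or from
the luckgo/luckscan-a package). Flags portmap sweeps and backdoor-port traffic
in a constructed connection log."""
from collections import defaultdict
from datetime import datetime, timedelta

PORTMAP_PORT = 111        # RPC portmap, the service the scanner probes for
BACKDOOR_PORT = 39168     # port the statd exploit payload listens on, per the analysis
SWEEP_THRESHOLD = 20      # distinct /111 targets inside WINDOW -> sweep (assumed tuning value)
WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <src_ip> <dst_ip> <dst_port> <state>'."""
    base = datetime(2001, 3, 14, 19, 0, 0)
    lines = []
    # Scanner host probing 25 consecutive addresses in 216.200.1.0/24 on portmap.
    for i in range(1, 26):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 216.200.1.{i} 111 SYN")
    # Admin host talking to two NFS servers: legitimate, stays under the threshold.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.0.0.7 216.200.1.40 111 SYN")
    lines.append(f"{(base + timedelta(seconds=6)).isoformat()} 10.0.0.7 216.200.1.41 111 SYN")
    # Follow-up connection to the shell the payload bound on 39168.
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 10.0.0.5 216.200.1.9 39168 SYN")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, state)."""
    ts, src, dst, port, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), state


def find_portmap_sweeps(lines, threshold=SWEEP_THRESHOLD, window=WINDOW):
    """Return {src: max_distinct_targets} for sources that contacted at least
    `threshold` distinct hosts on TCP/111 within any span of length `window`."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        if port == PORTMAP_PORT:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window: for each event, count distinct destinations reached
        # within `window` after it; keep the largest count seen.
        for i, (t0, _) in enumerate(evs):
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def find_backdoor_connections(lines):
    """Return (src, dst) pairs for every connection to the payload's port."""
    return [(src, dst)
            for _, src, dst, port, _ in map(parse_line, lines)
            if port == BACKDOOR_PORT]


if __name__ == "__main__":
    log = build_sample_log()
    for src, count in find_portmap_sweeps(log).items():
        print(f"portmap sweep from {src}: {count} distinct hosts on tcp/111")
    for src, dst in find_backdoor_connections(log):
        print(f"connection to backdoor port {BACKDOOR_PORT}: {src} -> {dst}")
```

The sweep check keys on distinct destinations rather than raw connection count, so a single busy NFS client never trips it, while the backdoor check is unconditional: nothing legitimate should be listening on that port, so one hit is enough to escalate.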