1 /********************************************************************************
2  *                              Nepenthes
3  *                        - finest collection -
4  *
5  *
6  *
7  * Copyright (C) 2005  Paul Baecher & Markus Koetter
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * as published by the Free Software Foundation; either version 2
12  * of the License, or (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
22  *
23  *
24  *             contact nepenthesdev@users.sourceforge.net
25  *
26  *******************************************************************************/
27 
28  /* $Id: sch_generic_bielefeld_connect.cpp 550 2006-05-04 10:25:35Z common $ */
29 
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>

#include "LogManager.hpp"
#include "Message.hpp"
#include "sch_generic_bielefeld_connect.hpp"
#include "Socket.hpp"
#include "Nepenthes.hpp"
#include "Utilities.hpp"
#include "DialogueFactoryManager.hpp"
#include "SocketManager.hpp"

#include "Dialogue.hpp"
#include "DialogueFactory.hpp"
46 
47 
48 #ifdef STDTAGS
49 #undef STDTAGS
50 #endif
51 #define STDTAGS l_sc | l_hlr
52 
53 using namespace nepenthes;
54 
/**
 * Construct the handler and record the manager that owns it.
 *
 * No pattern is compiled here; Init() does that and Exit() releases it,
 * so m_pcre starts out as NULL.
 *
 * @param shellcodemanager  manager this handler registers with (stored,
 *                          not used further in this file)
 */
BieleFeldConnect::BieleFeldConnect(ShellcodeManager *shellcodemanager)
{
	// Pattern handle is only valid between Init() and Exit().
	m_pcre = NULL;

	// Name and description reported for this handler. NOTE(review): the
	// description says "bindshell" while the detection log line in
	// handleShellcode() says "connectback" -- one of the two looks stale.
	m_ShellcodeHandlerName = "BieleFeldConnect";
	m_ShellcodeHandlerDescription = "handles oc192 dcom bindshell";

	m_ShellcodeManager = shellcodemanager;
}
62 
/**
 * Destructor. Nothing is released here: the compiled pattern held in
 * m_pcre is freed by Exit(). NOTE(review): if Exit() is not guaranteed to
 * run before destruction, the pattern leaks -- confirm against the
 * ShellcodeManager teardown order.
 */
BieleFeldConnect::~BieleFeldConnect()
{

}
67 
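/**
 * Compile the byte pattern that identifies the shellcode this handler
 * understands.
 *
 * The pattern has two capture groups: group 1 is the 2-byte port and
 * group 2 the 4-byte address embedded in the stub. handleShellcode()
 * extracts both, byte-swaps the port with ntohs() and hands the address
 * on unchanged.
 *
 * @return true when the pattern compiled, false (after logging the PCRE
 *         error and its offset) otherwise; m_pcre is NULL in that case.
 */
bool BieleFeldConnect::Init()
{
	logPF();

	const char *pattern =
	"\\xc7\\x02\\x63\\x6d\\x64\\x00\\x52\\x50\\xff\\x57\\xe8"
	"\\xc7\\x07\\x02\\x00(..)\\xc7\\x47\\x04(....)\\x6a\\x10"
	"\\x57\\x53\\xff\\x57\\xf8\\x53\\xff\\x57\\xfc\\x50\\xff"
	"\\x57\\xec";

	// pcre_compile() reports the error offset through a plain int, so use
	// one directly instead of casting an int32_t pointer; the offset is
	// signed, hence %d in the log line.
	const char *pcreError = NULL;
	int pcreErrorPos = 0;
	m_pcre = pcre_compile(pattern, PCRE_DOTALL, &pcreError, &pcreErrorPos, 0);
	if (m_pcre == NULL)
	{
		logCrit("BieleFeldConnect could not compile pattern \n\t\"%s\"\n\t Error:\"%s\" at Position %d",
				pattern, pcreError, pcreErrorPos);
		return false;
	}
	return true;
}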
90 
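/**
 * Release the compiled pattern allocated by Init().
 *
 * A pcre handle has to go back through pcre_free(), the allocator hook
 * PCRE obtained it from, not plain free(). The pointer is cleared
 * afterwards so a second Exit() call (or a later Init()) cannot touch a
 * freed handle.
 *
 * @return always true
 */
bool BieleFeldConnect::Exit()
{
	if (m_pcre != NULL)
	{
		pcre_free(m_pcre);
		m_pcre = NULL;
	}
	return true;
}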
98 
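/**
 * Try to match the captured shellcode against the pattern from Init() and,
 * on a hit, open a TCP connection to the address:port the shellcode would
 * connect back to, attaching a "WinNTShell DialogueFactory" dialogue to it.
 *
 * Both the address and the port come straight out of attacker-supplied
 * bytes; connecting to them is the intended honeypot behaviour (emulating
 * the exploited host), so they are treated as opaque values and never
 * interpreted beyond byte-swapping the port.
 *
 * @param msg  message whose payload is the shellcode to inspect
 * @return SCH_NOTHING when the pattern does not match, SCH_DONE once it
 *         matched -- whether or not the connection/dialogue could be set up
 *         (failures are logged)
 */
sch_result BieleFeldConnect::handleShellcode(Message **msg)
{
	logPF();
	logSpam("Shellcode is %i bytes long \n",(*msg)->getSize());
	char *shellcode = (*msg)->getMsg();
	uint32_t len = (*msg)->getSize();

	// pcre_exec() wants 3 ints per capture group; the pattern has two
	// groups, so room for ten is ample.
	int piOutput[10 * 3];
	int iResult = pcre_exec(m_pcre, 0, shellcode, len, 0, 0, piOutput, sizeof(piOutput)/sizeof(int));
	if (iResult <= 0)
	{
		return SCH_NOTHING;
	}

	const char *match = NULL;
	uint16_t port;
	uint32_t host;

	// The captured bytes sit at arbitrary offsets in the shellcode buffer,
	// so copy them out instead of dereferencing a cast pointer (the cast
	// read was unaligned). pcre_get_substring() returns a negative error
	// code on failure, in which case `match` is not usable.
	if (pcre_get_substring(shellcode, piOutput, iResult, 1, &match) < 0)
	{
		logCrit("BieleFeldConnect could not extract port from matched shellcode \n");
		return SCH_DONE;
	}
	memcpy(&port, match, sizeof(port));
	port = ntohs(port);
	pcre_free_substring(match);

	if (pcre_get_substring(shellcode, piOutput, iResult, 2, &match) < 0)
	{
		logCrit("BieleFeldConnect could not extract host from matched shellcode \n");
		return SCH_DONE;
	}
	// Kept in network byte order: both inet_ntoa() and connectTCPHost()
	// are handed it as-is below.
	memcpy(&host, match, sizeof(host));
	pcre_free_substring(match);

	in_addr hostAddr;
	hostAddr.s_addr = host;
	logInfo("Detected Lsass HoD connectback shellcode, %s:%u  \n", inet_ntoa(hostAddr), port);

	// Look the factory up before connecting so that a missing factory does
	// not leave a freshly connected socket without a dialogue.
	DialogueFactory *diaf = g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory");
	if (diaf == NULL)
	{
		logCrit("No WinNTShell DialogueFactory availible \n");
		return SCH_DONE;
	}

	// The trailing 30 is presumably a timeout in seconds -- confirm against
	// SocketManager::connectTCPHost(). A NULL return is treated as a failed
	// connection attempt rather than dereferenced.
	Socket *sock = g_Nepenthes->getSocketMgr()->connectTCPHost((*msg)->getLocalHost(), host, port, 30);
	if (sock == NULL)
	{
		logCrit("BieleFeldConnect could not connect to %s:%u \n", inet_ntoa(hostAddr), port);
		return SCH_DONE;
	}
	sock->addDialogue(diaf->createDialogue(sock));
	return SCH_DONE;
}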
146 
147