1 /********************************************************************************
2 * Nepenthes
3 * - finest collection -
4 *
5 *
6 *
7 * Copyright (C) 2005 Paul Baecher & Markus Koetter
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
22 *
23 *
24 * contact nepenthesdev@users.sourceforge.net
25 *
26 *******************************************************************************/
27
28 /* $Id: sch_generic_wuerzburg.cpp 2271 2006-01-14 20:31:52Z common $ */
29
30 #include <cstdio>
31 #include <cstring>
32 #include <sys/types.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <arpa/inet.h>
36
37 #include "LogManager.hpp"
38 #include "Message.hpp"
39 #include "sch_generic_wuerzburg.hpp"
40 #include "Socket.hpp"
41 #include "Nepenthes.hpp"
42 #include "Utilities.hpp"
43 #include "DialogueFactoryManager.hpp"
44 #include "SocketManager.hpp"
45
46 #include "DownloadManager.hpp"
47
48 #ifdef STDTAGS
49 #undef STDTAGS
50 #endif
51 #define STDTAGS l_sc | l_hlr
52
53 using namespace nepenthes;
54
/**
 * Construct the handler and register its identity with the ShellcodeManager.
 *
 * No pattern is compiled here: Init() compiles it and Exit() releases it,
 * so the pointer is explicitly NULL until Init() has run.
 *
 * @param shellcodemanager  manager this handler is attached to (stored, not owned).
 */
Wuerzburg::Wuerzburg(ShellcodeManager *shellcodemanager)
{
	this->m_wuerzburgPattern = NULL;

	// Name/description shown by the ShellcodeManager when it lists handlers.
	this->m_ShellcodeHandlerName        = "Wuerzburg";
	this->m_ShellcodeHandlerDescription = "handles \"wuerzburg\" shellcode";

	this->m_ShellcodeManager = shellcodemanager;
}
62
/**
 * Destructor. Intentionally empty: the compiled PCRE pattern is released by
 * Exit(), not here, so a handler that was Exit()ed twice or never Init()ed
 * behaves the same way on destruction.
 */
Wuerzburg::~Wuerzburg() { }
67
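/**
 * Compile the PCRE pattern that recognises the "wuerzburg" decoder stub.
 *
 * The pattern follows the disassembly below. The two capture groups sit where
 * the sample carries NOPs (0040200e..00402013): 2 bytes for the port and
 * 4 bytes for the XOR-obfuscated address that handleShellcode() extracts.
 * PCRE_DOTALL is needed because the input is binary and '.' must match 0x0a.
 *
 * Fixes over the previous version: the failure log named the wrong handler
 * ("Stuttgart") and printed the compiled pattern pointer (NULL at that point)
 * with %s instead of the pattern source; a second Init() leaked the first
 * compiled pattern.
 *
 * @return true when the pattern compiled, false (after logCrit) otherwise.
 */
bool Wuerzburg::Init()
{
	logPF();

	/*
	0040200c eb 27 jmp short wuerzbur.00402035
	0040200e 90 nop
	0040200f 90 nop
	00402010 90 nop
	00402011 90 nop
	00402012 90 nop
	00402013 90 nop
	00402014 5d pop ebp
	00402015 33c9 xor ecx,ecx
	00402017 66:b9 2502 mov cx,225
	0040201b 8d75 05 lea esi,dword ptr ss:[ebp+5]
	0040201e 8bfe mov edi,esi
	00402020 8a06 mov al,byte ptr ds:[esi]
	00402022 3c 99 cmp al,99
	00402024 75 05 jnz short wuerzbur.0040202b
	00402026 46 inc esi
	00402027 8a06 mov al,byte ptr ds:[esi]
	00402029 2c 30 sub al,30
	0040202b 46 inc esi
	0040202c 34 99 xor al,99
	0040202e 8807 mov byte ptr ds:[edi],al
	00402030 47 inc edi
	00402031 ^e2 ed loopd short wuerzbur.00402020
	00402033 eb 0a jmp short wuerzbur.0040203f
	00402035 e8 daffffff call wuerzbur.00402014
	*/
	const char *wuerzburgPattern =
		"\\xEB\\x27(..)(....)\\x5D\\x33\\xC9\\x66\\xB9..\\x8D"
		"\\x75\\x05\\x8B\\xFE\\x8A\\x06\\x3C.\\x75\\x05"
		"\\x46\\x8A\\x06\\x2C.\\x46\\x34.\\x88\\x07"
		"\\x47\\xE2\\xED\\xEB\\x0A\\xE8\\xDA\\xFF\\xFF\\xFF";

	const char *pcreError = NULL;
	int32_t pcreErrorPos = 0;

	// Re-initialisation would otherwise leak the previously compiled pattern.
	if (m_wuerzburgPattern != NULL)
	{
		pcre_free(m_wuerzburgPattern);
		m_wuerzburgPattern = NULL;
	}

	m_wuerzburgPattern = pcre_compile(wuerzburgPattern, PCRE_DOTALL,
	                                  &pcreError, (int *)&pcreErrorPos, 0);
	if (m_wuerzburgPattern == NULL)
	{
		// Log the pattern *source* so the offending position is meaningful.
		logCrit("Wuerzburg could not compile pattern \n\t\"%s\"\n\t Error:\"%s\" at Position %u",
			wuerzburgPattern, pcreError, pcreErrorPos);
		return false;
	}
	return true;
}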
115
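/**
 * Release the compiled pattern.
 *
 * The memory came from pcre_compile(), so it is returned through pcre_free
 * (PCRE's allocator hook; it defaults to free(), which the old code called
 * directly). The pointer is reset afterwards so that a repeated Exit(), or an
 * Init() after Exit(), cannot double-free or touch a dangling pointer.
 *
 * @return always true.
 */
bool Wuerzburg::Exit()
{
	if (m_wuerzburgPattern != NULL)
	{
		pcre_free(m_wuerzburgPattern);
		m_wuerzburgPattern = NULL;
	}
	return true;
}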
123
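/**
 * Match the wuerzburg decoder stub and, on success, extract the port and the
 * XOR-obfuscated address of the transfer endpoint and hand a csend:// URL to
 * the DownloadManager.
 *
 * @param msg  message holding the shellcode buffer (getMsg) and its size (getSize).
 * @return SCH_DONE when the stub matched and a download was scheduled,
 *         SCH_NOTHING otherwise (no match, incomplete captures, or a
 *         formatting failure).
 *
 * Security note: both the address and the port are taken verbatim from the
 * attacker's payload, so every match makes the honeypot open an outbound TCP
 * connection to a destination of the attacker's choosing — including
 * loopback, RFC1918 or other internal hosts. That is what a honeypot is meant
 * to do, but nothing in this handler filters destinations; any egress policy
 * has to be enforced by the DownloadManager / SocketManager.
 *
 * Fixes over the previous version: pcre_get_substring() return values were
 * never checked (an allocation failure left `match` uninitialised before
 * memcpy), asprintf()'s return was ignored before free(url), and inet_ntoa()'s
 * shared static buffer was used twice.
 */
sch_result Wuerzburg::handleShellcode(Message **msg)
{
	logPF();
	char *shellcode = (*msg)->getMsg();
	uint32_t len = (*msg)->getSize();

	// Two capture groups -> three (start,end) pairs; 10 leaves ample slack.
	int32_t ovec[10 * 3];
	int32_t matchCount = pcre_exec(m_wuerzburgPattern, 0, shellcode, len, 0, 0,
	                               (int *)ovec, sizeof(ovec) / sizeof(int32_t));

	// Both groups are mandatory in the pattern, so a genuine match reports 3.
	// Anything smaller means a group is unset and ovec[2..5] must not be read.
	if (matchCount < 3)
		return SCH_NOTHING;

	// The captures have a fixed width (2 and 4 bytes, enforced by the pattern)
	// and lie inside `shellcode`, so copy them out in place instead of going
	// through pcre_get_substring(), which allocates and can fail.
	uint16_t netPort;
	uint32_t address;
	memcpy(&netPort, shellcode + ovec[2], sizeof(netPort));
	memcpy(&address, shellcode + ovec[4], sizeof(address));

	uint16_t port = ntohs(netPort);

	// The stub ships the address XORed with 0xaaaaaaaa. The key is the same in
	// every byte, so the decode is byte-order independent and `address` stays
	// in network order, which is what inet_ntop() expects.
	address ^= 0xaaaaaaaa;

	// Render into a local buffer rather than inet_ntoa()'s static one.
	char addrStr[INET_ADDRSTRLEN];
	if (inet_ntop(AF_INET, &address, addrStr, sizeof(addrStr)) == NULL)
		return SCH_NOTHING;

	logInfo("Wuerzburg transfer waiting at %s:%d.\n", addrStr, port);

	// "csend://" + dotted quad + ':' + up to 5 digits is well under 64 bytes;
	// a fixed buffer removes the asprintf()/free() failure path entirely.
	char url[64];
	int urlLen = snprintf(url, sizeof(url), "csend://%s:%d", addrStr, port);
	if (urlLen < 0 || (size_t)urlLen >= sizeof(url))
		return SCH_NOTHING;

	g_Nepenthes->getDownloadMgr()->downloadUrl((*msg)->getLocalHost(), url,
	                                          (*msg)->getRemoteHost(), url, 0);

	// Socket *sock = g_Nepenthes->getSocketMgr()->connectTCPHost(0,address,port,30);
	// sock->addDialogue(new LinkDialogue(sock,authKey));

	return SCH_DONE;
}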
166