1 /********************************************************************************
2  *                              Nepenthes
3  *                        - finest collection -
4  *
5  *
6  *
7  * Copyright (C) 2005  Paul Baecher & Markus Koetter
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * as published by the Free Software Foundation; either version 2
12  * of the License, or (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
22  *
23  *
24  *             contact nepenthesdev@users.sourceforge.net
25  *
26  *******************************************************************************/
27 
28  /* $Id: sch_generic_wuerzburg.cpp 2271 2006-01-14 20:31:52Z common $ */
29 
30 #include <cstdio>
31 #include <cstring>
32 #include <sys/types.h>
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <arpa/inet.h>
36 
37 #include "LogManager.hpp"
38 #include "Message.hpp"
39 #include "sch_generic_wuerzburg.hpp"
40 #include "Socket.hpp"
41 #include "Nepenthes.hpp"
42 #include "Utilities.hpp"
43 #include "DialogueFactoryManager.hpp"
44 #include "SocketManager.hpp"
45 
46 #include "DownloadManager.hpp"
47 
48 #ifdef STDTAGS
49 #undef STDTAGS
50 #endif
51 #define STDTAGS l_sc | l_hlr
52 
53 using namespace nepenthes;
54 
Wuerzburg::Wuerzburg(ShellcodeManager *shellcodemanager)
{
	/* Register the handler's identity with the manager. The compiled
	 * pattern is not built here: Init() creates it and Exit() releases it,
	 * so it starts out empty. */
	m_ShellcodeHandlerName = "Wuerzburg";
	m_ShellcodeHandlerDescription = "handles \"wuerzburg\" shellcode";
	m_wuerzburgPattern = NULL;
	m_ShellcodeManager = shellcodemanager;
}
62 
Wuerzburg::~Wuerzburg()
{
	/* Intentionally empty: the compiled pattern is released in Exit(),
	 * not here. */
}
67 
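bool Wuerzburg::Init()
{
	logPF();

	/*
	 * Decoder stub this handler recognises (the pattern below is derived
	 * from it; the two capture groups sit in the bytes right after the
	 * leading jmp):
	 *
	 *	0040200c   eb 27            jmp short wuerzbur.00402035
	 *	0040200e   90               nop
	 *	0040200f   90               nop
	 *	00402010   90               nop
	 *	00402011   90               nop
	 *	00402012   90               nop
	 *	00402013   90               nop
	 *	00402014   5d               pop ebp
	 *	00402015   33c9             xor ecx,ecx
	 *	00402017   66:b9 2502       mov cx,225
	 *	0040201b   8d75 05          lea esi,dword ptr ss:[ebp+5]
	 *	0040201e   8bfe             mov edi,esi
	 *	00402020   8a06             mov al,byte ptr ds:[esi]
	 *	00402022   3c 99            cmp al,99
	 *	00402024   75 05            jnz short wuerzbur.0040202b
	 *	00402026   46               inc esi
	 *	00402027   8a06             mov al,byte ptr ds:[esi]
	 *	00402029   2c 30            sub al,30
	 *	0040202b   46               inc esi
	 *	0040202c   34 99            xor al,99
	 *	0040202e   8807             mov byte ptr ds:[edi],al
	 *	00402030   47               inc edi
	 *	00402031  ^e2 ed            loopd short wuerzbur.00402020
	 *	00402033   eb 0a            jmp short wuerzbur.0040203f
	 *	00402035   e8 daffffff      call wuerzbur.00402014
	 */
	const char *wuerzburgPattern =
		"\\xEB\\x27(..)(....)\\x5D\\x33\\xC9\\x66\\xB9..\\x8D"
		"\\x75\\x05\\x8B\\xFE\\x8A\\x06\\x3C.\\x75\\x05"
		"\\x46\\x8A\\x06\\x2C.\\x46\\x34.\\x88\\x07"
		"\\x47\\xE2\\xED\\xEB\\x0A\\xE8\\xDA\\xFF\\xFF\\xFF";

	/* PCRE_DOTALL: the shellcode is binary, so '.' must match any byte,
	 * including newlines. */
	const char *pcreError = NULL;
	int pcreErrorPos = 0;
	m_wuerzburgPattern = pcre_compile(wuerzburgPattern, PCRE_DOTALL, &pcreError, &pcreErrorPos, 0);
	if (m_wuerzburgPattern == NULL)
	{
		/* Report the pattern source: m_wuerzburgPattern is NULL at this
		 * point and must not be handed to a %s conversion. */
		logCrit("Wuerzburg could not compile pattern \n\t\"%s\"\n\t Error:\"%s\" at Position %d",
				wuerzburgPattern, pcreError, pcreErrorPos);
		return false;
	}
	return true;
}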
115 
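bool Wuerzburg::Exit()
{
	/* Release the pattern compiled in Init(). pcre_compile() allocates via
	 * pcre_malloc, whose default is malloc, so free() matches it here; the
	 * pointer is reset so that a repeated Exit() cannot free it twice. */
	if (m_wuerzburgPattern != NULL)
	{
		free(m_wuerzburgPattern);
		m_wuerzburgPattern = NULL;
	}
	return true;
}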
123 
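sch_result Wuerzburg::handleShellcode(Message **msg)
{
	logPF();

	/* The message body is attacker-supplied shellcode. The pattern compiled
	 * in Init() is the only check it passes before the port and address
	 * encoded in it are extracted. */
	char *shellcode = (*msg)->getMsg();
	uint32_t len = (*msg)->getSize();

	/* pcre requires the ovector size to be a multiple of three; ten
	 * triples cover the whole match plus the two capture groups. */
	int ovec[10 * 3];
	int matchCount = pcre_exec(m_wuerzburgPattern, 0, shellcode, static_cast<int>(len), 0, 0,
							   ovec, sizeof(ovec) / sizeof(ovec[0]));

	/* A usable match reports the whole-match entry and both groups
	 * (port, masked address). With fewer entries the groups are not
	 * populated and must not be read. */
	if (matchCount < 3)
		return SCH_NOTHING;

	const char *match = NULL;
	uint16_t netPort = 0;
	uint32_t address = 0;

	/* group 1: two-byte port in network byte order */
	if (pcre_get_substring(shellcode, ovec, matchCount, 1, &match) < 0)
		return SCH_NOTHING;
	memcpy(&netPort, match, sizeof(netPort));
	pcre_free_substring(match);
	uint16_t port = ntohs(netPort);

	/* group 2: four-byte IPv4 address, stored masked with 0xaaaaaaaa */
	if (pcre_get_substring(shellcode, ovec, matchCount, 2, &match) < 0)
		return SCH_NOTHING;
	memcpy(&address, match, sizeof(address));
	pcre_free_substring(match);
	address ^= 0xaaaaaaaa;

	/* Render the address once into a local buffer. inet_ntoa() hands back a
	 * shared static buffer, so the reentrant inet_ntop() is used instead. */
	in_addr ia;
	ia.s_addr = address;
	char addrStr[INET_ADDRSTRLEN];
	if (inet_ntop(AF_INET, &ia, addrStr, sizeof(addrStr)) == NULL)
		return SCH_NOTHING;

	logInfo("Wuerzburg transfer waiting at %s:%d.\n", addrStr, port);

	/* Queue the transfer as a csend:// URL. The endpoint is chosen by the
	 * shellcode author, so it is whatever the download manager is willing
	 * to connect to. asprintf() leaves url undefined on failure, so it is
	 * checked before being used or freed. */
	char *url = NULL;
	if (asprintf(&url, "csend://%s:%d", addrStr, port) < 0)
	{
		/* The shellcode was identified even though the transfer could not
		 * be queued. */
		return SCH_DONE;
	}
	g_Nepenthes->getDownloadMgr()->downloadUrl((*msg)->getLocalHost(), url, (*msg)->getRemoteHost(), url, 0);
	free(url);

//	Socket *sock = g_Nepenthes->getSocketMgr()->connectTCPHost(0,address,port,30);
//	sock->addDialogue(new LinkDialogue(sock,authKey));

	return SCH_DONE;
}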
166