
0x730x690x6e wrote in linux

remote kernel exploit?

just fyi - some of you may have read about this on one of the mailing lists, and some of you who are more 'underground' may have heard the rumors of it, but http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html is a copy of a post to a mailing list where a guy picked up some funny traffic on the IDS and then removed the funny-acting box from the network, and when he rebooted he found a binary in the /tmp directory that purports to be a remote kernel exploit for linux (oops, maybe linus dropped the ball here [as if ptrace wasn't bad enough]). The post itself isn't really informative, but this was brought up on irc by a friend of mine who is trying to figure out what exactly the program does.

When run, the binary prompts for a password, and as some of the more educated users might think, why not 'strings' the binary and find the password? Well, the binary is encrypted with a program whose name I can't remember [some of you might know, it's called 'burn' something or something (http://www.phrack.com/show.php?p=58&a=5 is a phrack paper on runtime binary encryption; this program is at least based off ideas presented in that paper)], so being encrypted it is obvious that strings won't pop out the password, and obviously there will be no debugging symbols present to run it through gdb.

Luckily that isn't the end of things. My friend is debugging it and it is quite a complex program: 74 procedures [anyone familiar with exploits will know that is a large number of procedures]. Of those, 44 have no 'ret'/'leave' instructions and thus overlap with other procedures [my thought was that this might be the result of some form of optimization and that those functions will never reach leave/ret regardless of how flow is passed]. Of those 74, several appear to be trash procedures,
i.e.
0x01234567 call 0x01234567

some appear to have no use, but actually might, i.e.

push $0x41
pop %eax
inc %eax
leave
ret

[think int $0x80 or similar which uses eax as a parameter]
and so on and so forth, so literally this is a 40k encrypted puzzle.
[10k w/o the encryption]

so with that said, to me it seems like this is part of project mayhem and it's meant to be smoke and mirrors. I mean, why would your system spit out a valuable remote exploit on reboot? I can see a rootkit, or I dunno, 30 valid procedures [possibly more if some are optimized] seems to be a lot, but maybe the box was being used to scan/hack other boxes out there. Anyways, what's your opinion?

fyi.
my friend's page with more info is here ->
http://www.securityhacker.org/
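
Why `strings` finds the prompt in an ordinary binary but not in an encrypted one, as an added triage example that is not part of the original post: it compares byte entropy and printable-string output for the same blob before and after encryption. The sample bytes are constructed, and the SHA-256 keystream is an assumed stand-in cipher, not the protector mentioned in the post.

```python
import hashlib
import math
import re
from collections import Counter

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted data, far lower for code/text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_strings(data, min_len=6):
    """Rough equivalent of `strings -n 6`: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def keystream(n, seed=b"constructed-key"):
    """Stand-in cipher (SHA-256 in counter mode); hypothetical, for illustration."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def triage(data):
    """Summarise a blob the way a first look at an unknown binary would."""
    return {"entropy": round(shannon_entropy(data), 2),
            "strings": printable_strings(data)}

# Constructed sample: repetitive "code" bytes with a prompt and a secret inside.
PLAIN = (b"\x55\x89\xe5\x83\xec\x18" * 200 + b"Enter password: \x00"
         + b"s3cr3t-constructed\x00" + b"\x90" * 800 + b"\xc9\xc3" * 300)
PACKED = bytes(a ^ b for a, b in zip(PLAIN, keystream(len(PLAIN))))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED)):
        r = triage(blob)
        print(f"{name:6} entropy={r['entropy']:.2f} bits/byte strings={r['strings'][:3]}")
```

Entropy near 8 bits per byte across the whole body, with only short random-looking strings, is the usual sign that static tools will not help and the binary has to be examined while it runs, as the friend in the post is doing.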