About me
- Employee @ ESET, botnet analysis
- Student in electrical engineering @ E.T.S.
- Member @ CISSP groupies
- bvanheu@gmail.com
Win32/Kelihos
- scans your hard drive
- dumps network traffic
- sends spam
- DDoS
- 2 MB binary, packed with a custom UPX
- multiple libraries: Boost, winpcap, protocol library (http, ...)
- heavy thread usage
- P2P protocol
Objectives
Reverse the Kelihos network stack:
1. raw data handler
2. packet handler
3. message handler
Learn how C++ works in assembly:
1. object construction
2. calling convention
3. object layout in memory
Exploit a weakness in the Kelihos protocol
The plan
- Infect a machine; Kelihos listens on port 80
- Attach a debugger
- Reverse the packet handling stack: raw data handler, packet handler, header handler, message handler
Object construction
- "new(size_t s)" wraps "malloc(size_t s)"
- Then the constructor is called, with "edi" holding the memory pointer returned by "new"
Packet handler
Call to string::append(char *buffer, size_t length): now we know "member_2" is a string
Call to string::append()
1. push the parameters
2. put the string pointer in "ecx"
3. call the function
Call to string::operator[]()
1. push the parameter
2. put the string pointer in "ecx"
3. call the function
4. "eax" now points at the requested position
Header validation
Header unpacking
Message handler
Message of type "Bootstrap"
Bootstrap message
- Label: m_live_time, Type: Value, Scalar value: 73, size: 8
- ...
- Label: m_listenning_port, Type: Value, Scalar value: 80, size: 4
- Label: m_real_target_ip, Type: Value, Scalar value: 62.4.47.49, size: 4
- Label: m_bootstrap_list, Type: Section
- ...
Inject peers
- Peers with a high live_time are kept first in the list
- Peers are identified by ip AND port
- Inject the same ip but with a different port (80 dec. = 0x50):
  - 0xAAAA0050 & 0x0000FFFF = 0x50
  - 0xBBBB0050 & 0x0000FFFF = 0x50
- Injected peer list:
  - m_ip = 64.12.41.51, m_live_time = 9999999, m_listening_port = 0xAAAA0050
  - ...
  - m_ip = 64.12.41.51, m_live_time = 9999999, m_listening_port = 0xBBBB0050
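The slide above describes an identity weakness: the receiver keys peers on the raw 32-bit port value while the socket layer only uses the low 16 bits. The following is an added model of that weakness next to a hardened variant; it is not code from the talk or from Kelihos, only the field labels (m_ip, m_live_time, m_listening_port) come from the slides, and the structures, merge logic and sample values are constructed.

```python
# Model of the peer-identity weakness on the slide: weak key (ip, raw 32-bit port)
# beside a hardened key (ip, port & 0xFFFF) with range validation. Constructed
# example; only the field names follow the slide labels.
from dataclasses import dataclass

PORT_MASK = 0x0000FFFF  # only the low 16 bits of the port reach the socket layer


@dataclass(frozen=True)
class Peer:
    ip: str
    live_time: int
    listening_port: int  # transmitted as a 32-bit scalar (size: 4 on the slide)


def _merge(known, incoming, key_of, accept):
    """Shared merge: keep one peer per key, prefer the highest live_time,
    return the list ordered with the highest live_time first."""
    by_key = {key_of(p): p for p in known}
    for p in incoming:
        if not accept(p):
            continue
        key = key_of(p)
        if key not in by_key or p.live_time > by_key[key].live_time:
            by_key[key] = p
    return sorted(by_key.values(), key=lambda p: p.live_time, reverse=True)


def merge_peers_naive(known, incoming):
    """Weak behaviour: 0xAAAA0050 and 0xBBBB0050 are distinct keys, so one
    endpoint can occupy several slots at the head of the list."""
    return _merge(known, incoming, lambda p: (p.ip, p.listening_port), lambda p: True)


def valid_port(port):
    """Hardened receiver: reject port 0 and any value with bits set above 0xFFFF."""
    return 0 < port <= PORT_MASK


def merge_peers_canonical(known, incoming):
    """Hardened behaviour: key on the port the socket layer will really use,
    and drop entries whose port does not survive the 16-bit mask unchanged."""
    return _merge(known, incoming,
                  lambda p: (p.ip, p.listening_port & PORT_MASK), lambda p: valid_port(p.listening_port))


def effective_endpoints(peers):
    """The (ip, port) pairs a node would actually connect to."""
    return [(p.ip, p.listening_port & PORT_MASK) for p in peers]


# Constructed sample: one legitimate peer plus the two injected entries from the slide.
KNOWN = [Peer("62.4.47.49", 73, 80)]
INJECTED = [Peer("64.12.41.51", 9999999, 0xAAAA0050),
            Peer("64.12.41.51", 9999999, 0xBBBB0050)]
```

With the naive merge the two injected entries land at the top of the list as two "different" peers that resolve to the same endpoint; with the canonical merge both are rejected and the list is unchanged.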
Question? / Answer!