FreeBSD Bugzilla – Attachment 59896 Details for
Bug 90062
New port: net/nepenthes (resend with shar)
file.shar
file.shar (text/plain), 28.40 KB, created by
ryo
on 2005-12-07 10:20:01 UTC
Description:
file.shar
Filename:
MIME Type:
Creator:
ryo
Created:
2005-12-07 10:20:01 UTC
Size:
28.40 KB
patch
obsolete
># This is a shell archive. Save it in a file, remove anything before ># this line, and then unpack it by entering "sh file". Note, it may ># create directories; files and directories will be owned by you and ># have default permissions. ># ># This archive contains: ># ># nepenthes-port ># nepenthes-port/files ># nepenthes-port/files/patch-log ># nepenthes-port/files/patch-docdir ># nepenthes-port/files/nepenthes.sh.in ># nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell ># nepenthes-port/files/patch-download-nepenthes-disconnect-fix ># nepenthes-port/files/patch-malloc ># nepenthes-port/distinfo ># nepenthes-port/pkg-descr ># nepenthes-port/pkg-plist ># nepenthes-port/Makefile ># >echo c - nepenthes-port >mkdir -p nepenthes-port > /dev/null 2>&1 >echo c - nepenthes-port/files >mkdir -p nepenthes-port/files > /dev/null 2>&1 >echo x - nepenthes-port/files/patch-log >sed 's/^X//' >nepenthes-port/files/patch-log << 'END-of-nepenthes-port/files/patch-log' >X--- conf/nepenthes.conf.dist.orig Sat Dec 3 17:23:03 2005 >X+++ conf/nepenthes.conf.dist Sat Dec 3 17:23:56 2005 >X@@ -87,8 +87,8 @@ >X >X logmanager >X { >X- ring_logging_file "var/log/nepenthes.%d.log"; >X- file_logging_file "var/log/nepenthes.log"; >X+ ring_logging_file "var/log/nepenthes/nepenthes.%d.log"; >X+ file_logging_file "var/log/nepenthes/nepenthes.log"; >X }; >X >X modulemanager >X@@ -100,7 +100,7 @@ >X { >X strictfiletype "1"; >X // where does submit-file write to? 
set this to the same dir >X- filesdir "var/binaries/"; >X+ filesdir "var/nepenthes/binaries/"; >X }; >X >X downloadmanager >X@@ -116,7 +116,7 @@ >X >X utilities >X { >X- hexdump_path "var/hexdumps/"; >X+ hexdump_path "var/nepenthes/hexdumps/"; >X }; >X >X geolocationmanager >END-of-nepenthes-port/files/patch-log >echo x - nepenthes-port/files/patch-docdir >sed 's/^X//' >nepenthes-port/files/patch-docdir << 'END-of-nepenthes-port/files/patch-docdir' >X--- Makefile.in.orig Fri Dec 2 02:51:05 2005 >X+++ Makefile.in Fri Dec 2 02:51:38 2005 >X@@ -193,7 +193,7 @@ >X SUBDIRS = nepenthes-core modules >X #tools >X EXTRA_DIST = configure.ac CHANGES doc/README doc/README.VFS doc/logo-shaded.svg doc/nepenthes.8 conf/nepenthes.conf.dist >X-docdir = $(prefix)/share/doc >X+docdir = $(prefix)/share/nepenthes/doc >X doc_DATA = doc/README doc/README.VFS doc/logo-shaded.svg >X >X #sysconf_DATA = conf/nepenthes.conf.dist >END-of-nepenthes-port/files/patch-docdir >echo x - nepenthes-port/files/nepenthes.sh.in >sed 's/^X//' >nepenthes-port/files/nepenthes.sh.in << 'END-of-nepenthes-port/files/nepenthes.sh.in' >X#!/bin/sh >X# >X# $FreeBSD$ >X# >X >X# PROVIDE: nepenthes >X# REQUIRE: DAEMON >X# BEFORE: LOGIN >X# KEYWORD: FreeBSD shutdown >X >X# >X# Add the following lines to /etc/rc.conf to enable nepenthes: >X# >X#nepenthes_enable="YES" >X#nepenthes_conf="/usr/local/etc/nepenthes/nepenthes.conf" >X# >X# See nepenthes(8) for manual >X# >X >X. 
%%RC_SUBR%% >X >Xname=nepenthes >Xrcvar=`set_rcvar` >X >Xcommand=%%PREFIX%%/bin/nepenthes >Xrequired_files=${nepenthes_conf} >X >Xstop_postcmd=stop_postcmd >X >Xstop_postcmd() >X{ >X killall nepenthes >X} >X >X# set defaults >X >Xnepenthes_enable=${nepenthes_enable:-"NO"} >Xnepenthes_conf=${nepenthes_conf:-"%%PREFIX%%/etc/nepenthes/nepenthes.conf"} >X >Xload_rc_config $name >X >Xcommand_args="-c ${nepenthes_conf}" >Xrun_rc_command "$1" >END-of-nepenthes-port/files/nepenthes.sh.in >echo x - nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell >sed 's/^X//' >nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell << 'END-of-nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell' >XIndex: nepenthes-core/include/FileLogger.hpp >X=================================================================== >X--- nepenthes-core/include/FileLogger.hpp (Revision 2174) >X+++ nepenthes-core/include/FileLogger.hpp (Arbeitskopie) >X@@ -47,7 +47,7 @@ >X virtual void setLogFile(const char *filename); >X >X private: >X- const char *m_Filename; >X+ char *m_Filename; >X }; >X >X } >XIndex: nepenthes-core/src/FileLogger.cpp >X=================================================================== >X--- nepenthes-core/src/FileLogger.cpp (Revision 2174) >X+++ nepenthes-core/src/FileLogger.cpp (Arbeitskopie) >X@@ -51,12 +51,18 @@ >X >X FileLogger::~FileLogger() >X { >X+ if( m_Filename != NULL) >X+ free(m_Filename); >X+ >X } >X >X >X void FileLogger::setLogFile(const char *filename) >X { >X- m_Filename = filename; >X+ if( m_Filename != NULL) >X+ free(m_Filename); >X+ >X+ m_Filename = strdup(filename); >X } >X >X >XIndex: nepenthes-core/src/RingFileLogger.cpp >X=================================================================== >X--- nepenthes-core/src/RingFileLogger.cpp (Revision 2174) >X+++ nepenthes-core/src/RingFileLogger.cpp (Arbeitskopie) >X@@ -57,14 +57,31 @@ >X >X RingFileLogger::~RingFileLogger() >X { >X- free(m_FirstFile); >X+ if 
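Review bot: In nepenthes.sh.in, `required_files=${nepenthes_conf}` is expanded before `nepenthes_conf` receives its default and before `load_rc_config $name` runs, so it is always empty and rc.subr never verifies that the configuration file exists. Move that assignment below `load_rc_config $name`, next to `command_args="-c ${nepenthes_conf}"`, as `required_files="${nepenthes_conf}"`. `stop_postcmd` also runs `killall nepenthes`, which matches by process name rather than by the pid rc.subr tracked, so it can take down an unrelated process with the same name; since no `pidfile` is set, the stop appears to be name-based already and the extra killall adds little beyond that risk.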
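Review bot: In the FileLogger.cpp hunk both the destructor and `setLogFile` call `free(m_Filename)` whenever it is non-NULL, so the member must be initialised to NULL in the FileLogger constructor, which lies outside the hunk; if it is left indeterminate, the first `setLogFile` call frees a garbage pointer. The `strdup` result is also stored unchecked, so an allocation failure leaves `m_Filename` NULL without any log message. Worth adding `m_Filename = NULL;` to the constructor (or a `: m_Filename(NULL)` initialiser) as part of this change, since the header hunk that makes the member `char *` relies on it.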
(m_FileFormat != NULL) >X+ { >X+ free(m_FileFormat); >X+ } >X+ >X+ if (m_FirstFile != NULL) >X+ { >X+ free(m_FirstFile); >X+ } >X } >X >X >X void RingFileLogger::setLogFileFormat(char *fmt) >X { >X- m_FileFormat = fmt; >X- free(m_FirstFile); >X+ if (m_FileFormat != NULL) >X+ { >X+ free(m_FileFormat); >X+ } >X+ m_FileFormat = strdup(fmt); >X+ >X+ >X+ if (m_FirstFile != NULL) >X+ { >X+ free(m_FirstFile); >X+ } >X asprintf(&m_FirstFile, m_FileFormat, 0); >X } >X >XIndex: modules/vuln-dcom/vuln-dcom.cpp >X=================================================================== >X--- modules/vuln-dcom/vuln-dcom.cpp (Revision 2174) >X+++ modules/vuln-dcom/vuln-dcom.cpp (Arbeitskopie) >X@@ -110,9 +110,11 @@ >X // removed as they were not seen during the last 2 month and need a new pcre >X // m_ShellcodeHandlers.push_back( new SOL2KBind (m_Nepenthes->getShellcodeMgr())); >X // m_ShellcodeHandlers.push_back( new SOL2KConnect (m_Nepenthes->getShellcodeMgr())); >X- m_ShellcodeHandlers.push_back( new OC192Bind (m_Nepenthes->getShellcodeMgr())); >X >X+// replaced by adenau xor & Parthenstein Bind >X+// m_ShellcodeHandlers.push_back( new OC192Bind (m_Nepenthes->getShellcodeMgr())); >X >X+ >X list <ShellcodeHandler *>::iterator handler; >X for (handler = m_ShellcodeHandlers.begin(); handler != m_ShellcodeHandlers.end(); handler++) >X { >XIndex: modules/shellcode-generic/sch_generic_xor.cpp >X=================================================================== >X--- modules/shellcode-generic/sch_generic_xor.cpp (Revision 2174) >X+++ modules/shellcode-generic/sch_generic_xor.cpp (Arbeitskopie) >X@@ -86,29 +86,63 @@ >X const char * pcreEerror; >X int32_t pcreErrorPos; >X >X- const char *test[]= >X+ XORPcreHelper test[7]= >X { >X- "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9(.*)$", // rbot 64k >X- "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80\\x73\\x0C(.)\\x43\\xE2\\xF9(.*)$", // rbot 265 byte 
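Review bot: In RingFileLogger::setLogFileFormat, `asprintf(&m_FirstFile, m_FileFormat, 0)` uses the configured `ring_logging_file` value directly as a printf format and ignores the return value, so on failure `m_FirstFile` is not reliably set yet the destructor now frees it. The same constructor-initialisation assumption as in FileLogger applies: `m_FileFormat` and `m_FirstFile` must start out NULL, and the constructor is outside the hunk. A check such as `if (asprintf(&m_FirstFile, m_FileFormat, 0) < 0) m_FirstFile = NULL;`, plus a comment that the format string is trusted configuration and is expected to carry only a `%d`-style directive (as in `nepenthes.%d.log`), would make the contract visible.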
>X- "\\xEB.\\xEB.\\xE8.*\\xB1(.).*\\x80..(.).*\\xE2.(.*)$", // generic mwcollect >X- "\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF(.*)$", // bielefeld >X- "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9(.*)$", // halle >X-// "\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF(.*)$", // adenau xor >X- >X- NULL >X+ { >X+ "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$", >X+ "rbot 64k", >X+ 23 >X+ }, >X+ { >X+ "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80\\x73\\x0C(.)\\x43\\xE2\\xF9)(.*)$", >X+ "rbot 265 byte", >X+ 21 >X+ }, >X+ { >X+ "(.*)(\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$", >X+ "bielefeld", >X+ 14 >X+ }, >X+ { >X+ "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$", >X+ "halle", >X+ 23 >X+ }, >X+ { >X+ "(.*)(\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF)(.*)$", >X+ "adenau xor" >X+ }, >X+ >X+ { >X+ "(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x8B\\xC5\\x83\\xC0\\x11\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$", >X+ "kaltenborn xor", >X+ 27 >X+ }, >X+ { >X+ "(.*)(\\xEB.\\xEB.\\xE8.*\\xB1(.).*\\x80..(.).*\\xE2.)(.*)$", >X+ "generic mwcollect", >X+ 20 >X+ >X+ } >X }; >X >X- for( uint32_t i = 0; test[i]; i++ ) >X+ for( uint32_t i = 0; i <= 6; i++ ) >X { >X pcre *mypcre; >X- if((mypcre = pcre_compile(test[i], PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL) >X+ if((mypcre = pcre_compile(test[i].m_PCRE, PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL) >X { >X logCrit("GenericXOR could not 
compile pattern %i\n\t\"%s\"\n\t Error:\"%s\" at Position %u", i, >X test[i], pcreEerror, pcreErrorPos); >X return false; >X }else >X { >X- m_Pcres.push_back(mypcre); >X+ logDebug("Adding %s \n",test[i].m_Name); >X+ XORPcreContext *ctx = new XORPcreContext; >X+ ctx->m_Pcre = mypcre; >X+ ctx->m_Name = test[i].m_Name; >X+ ctx->m_Options = test[i].m_Options; >X+ m_Pcres.push_back(ctx); >X+ >X logSpam("PCRE %i compiled \n",i); >X } >X } >X@@ -120,7 +154,9 @@ >X { >X while(m_Pcres.size()>0) >X { >X- pcre_free(m_Pcres.front()); >X+ >X+ pcre_free(m_Pcres.front()->m_Pcre); >X+ delete m_Pcres.front(); >X m_Pcres.pop_front(); >X } >X >X@@ -137,22 +173,31 @@ >X uint32_t len = (*msg)->getSize(); >X int32_t output[10 * 3]; >X >X- list <pcre *>::iterator it; >X+ list <XORPcreContext *>::iterator it; >X uint32_t i; >X for (it=m_Pcres.begin(), i=0; it != m_Pcres.end();it++,i++) >X { >X int32_t result=0; >X- if((result = pcre_exec(*it, 0, (char *) shellcode, len, 0, 0, output, sizeof(output)/sizeof(int32_t))) > 0) >X+ if((result = pcre_exec((*it)->m_Pcre, 0, (char *) shellcode, len, 0, 0, output, sizeof(output)/sizeof(int32_t))) > 0) >X { >X // logSpam("PCRE %i %x matches %i \n",i,*it,result); >X+ const char *preload; >X+ uint32_t preloadSize; >X+ preloadSize = pcre_get_substring((char *) shellcode, output, result, 1, &preload); >X >X+ >X+ const char *xordecoder; >X+ uint32_t xordecoderSize; >X+ xordecoderSize = pcre_get_substring((char *) shellcode, output, result, 2, &xordecoder); >X+ >X+ >X const char *match; >X byte key=0; >X uint32_t longkey=0; >X uint32_t keysize; >X uint32_t codesize = 0, codesizeLen, totalsize; >X >X- codesizeLen = pcre_get_substring((char *) shellcode, output, result, 1, &match); >X+ codesizeLen = pcre_get_substring((char *) shellcode, output, result, 3, &match); >X switch (codesizeLen ) >X { >X case 4: >X@@ -173,7 +218,7 @@ >X >X >X >X- keysize = pcre_get_substring((char *) shellcode, output, result, 2, &match); >X+ keysize = pcre_get_substring((char *) 
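Review bot: The failure branch of GenericXOR::Init still passes `test[i]` to the `\"%s\"` in `logCrit`, but `test` is now an array of `XORPcreHelper`, so a struct is pushed through the varargs where a `char *` is expected; that line is unchanged context in the hunk and must become `test[i].m_PCRE, pcreEerror, pcreErrorPos);`. The loop bound `i <= 6` duplicates the array size, so a future entry is silently skipped (or, if one is removed, read out of bounds); `for( uint32_t i = 0; i < sizeof(test)/sizeof(test[0]); i++ )` keeps them in step. The "adenau xor" entry omits `m_Options`, which aggregate initialisation zero-fills, so it is harmless but easy to misread as an oversight and deserves a short comment.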
shellcode, output, result, 4, &match); >X >X switch(keysize) >X { >X@@ -193,13 +238,14 @@ >X >X >X >X- totalsize = pcre_get_substring((char *) shellcode, output, result, 3, &match); >X+ totalsize = pcre_get_substring((char *) shellcode, output, result, 5, &match); >X byte *decodedMessage = (byte *)malloc(totalsize); >X memcpy(decodedMessage, match, totalsize); >X pcre_free_substring(match); >X >X- logInfo("Detected generic XOR decoder #%i size length has %d bytes, size is %d, totalsize %d.\n",i, codesizeLen, codesize, totalsize); >X+ logInfo("Detected generic XOR decoder %s size length has %d bytes, size is %d, totalsize %d.\n",(*it)->m_Name.c_str(), codesizeLen, codesize, totalsize); >X >X+ >X >X switch(keysize) >X { >X@@ -223,9 +269,18 @@ >X break; >X } >X >X- >X+ char *newshellcode = (char *)malloc(len*sizeof(char)); >X+ memset(newshellcode,0x90,len); >X+ memcpy(newshellcode,preload,preloadSize); >X >X- Message *newMessage = new Message((char *)decodedMessage, totalsize, (*msg)->getLocalPort(), (*msg)->getRemotePort(), >X+ memcpy(newshellcode+preloadSize+xordecoderSize,decodedMessage,totalsize); >X+ >X+ pcre_free_substring(preload); >X+ pcre_free_substring(xordecoder); >X+ >X+// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len); >X+ >X+ Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(), >X (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket()); >X >X delete *msg; >X@@ -233,6 +288,7 @@ >X *msg = newMessage; >X >X free(decodedMessage); >X+ free(newshellcode); >X return SCH_REPROCESS; >X } >X >XIndex: modules/shellcode-generic/sch_generic_xor.hpp >X=================================================================== >X--- modules/shellcode-generic/sch_generic_xor.hpp (Revision 2174) >X+++ modules/shellcode-generic/sch_generic_xor.hpp (Arbeitskopie) >X@@ -30,12 +30,29 @@ >X #ifndef HAVE_GENERICXOR_HPP >X #define HAVE_GENERICXOR_HPP >X >X+#include 
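Review bot: The two `memcpy` calls into `newshellcode` in the `@@ -223,9 +269,18 @@` hunk assume `preloadSize + xordecoderSize + totalsize <= len` without checking it, and `pcre_get_substring` returns a negative error code that the `uint32_t` variables turn into a huge length; since `shellcode` is the remote peer's payload, an unexpected substring result becomes an out-of-bounds write inside the sensor. The `malloc` results for `newshellcode` and `decodedMessage` are likewise unchecked. A guard before the first `memcpy`, `if (preloadSize + xordecoderSize > len || totalsize > len - preloadSize - xordecoderSize)`, that releases the substrings and `decodedMessage` and skips this match, together with checking each `pcre_get_substring` result as `int` before storing it, would close this; the enclosing handler function starts outside the hunk. `free(newshellcode)` right after the `Message` is built from it follows the existing `decodedMessage` pattern, so `Message` presumably copies its buffer — worth confirming.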
<stdint.h> >X #include <pcre.h> >X #include "ShellcodeHandler.hpp" >X >X >X namespace nepenthes >X { >X+ struct XORPcreHelper >X+ { >X+ char *m_PCRE; >X+ char *m_Name; >X+ uint16_t m_Options; // will use this later >X+ >X+ }; >X+ >X+ >X+ struct XORPcreContext >X+ { >X+ pcre *m_Pcre; >X+ string m_Name; >X+ uint16_t m_Options; // >X+ }; >X+ >X class GenericXOR : public ShellcodeHandler >X { >X public: >X@@ -45,7 +62,7 @@ >X bool Init(); >X bool Exit(); >X protected: >X- list <pcre*> m_Pcres; >X+ list <XORPcreContext *> m_Pcres; >X }; >X } >X >XIndex: modules/shellcode-generic/sch_generic_unicode.cpp >X=================================================================== >X--- modules/shellcode-generic/sch_generic_unicode.cpp (Revision 2174) >X+++ modules/shellcode-generic/sch_generic_unicode.cpp (Arbeitskopie) >X@@ -127,17 +127,18 @@ >X } >X >X >X- logSpam("Got %i 00 %i -> %i bytes \n",maxuni,maxstart,maxstopp); >X+ >X >X if ( maxuni > 2000 ) >X { >X+ logInfo("Got unicode Exploit %i 00 %i -> %i bytes \n",maxuni,maxstart,maxstopp); >X >X- >X byte *output; >X uint32_t outputLen=0; >X >X unicodeTryDecode(shellcode, len, &output, &outputLen); >X >X+// g_Nepenthes->getUtilities()->hexdump(l_crit, output, outputLen); >X >X Message *newMessage = new Message((char *)output, outputLen, (*msg)->getLocalPort(), (*msg)->getRemotePort(), >X (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket()); >XIndex: modules/shellcode-generic/shellcode-generic.conf.dist >X=================================================================== >X--- modules/shellcode-generic/shellcode-generic.conf.dist (Revision 2174) >X+++ modules/shellcode-generic/shellcode-generic.conf.dist (Arbeitskopie) >X@@ -7,6 +7,15 @@ >X >X "adenauBind", >X 
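Review bot: In sch_generic_xor.hpp, `XORPcreHelper::m_PCRE` and `m_Name` are declared `char *` but every initialiser in sch_generic_xor.cpp is a string literal, which is a deprecated const-dropping conversion in C++03 and ill-formed in C++11; declare them `const char *m_PCRE;` and `const char *m_Name;`. `XORPcreContext::m_Name` is a `string`, so the header now depends on `<string>` and on `std` being visible, which it presumably gets from `ShellcodeHandler.hpp` — include `<string>` here rather than relying on that. The `// will use this later` comment on `m_Options` should say what the field is meant to hold or be dropped until it is used.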
"\\x83\\xEC\\x34\\x8B\\xF4\\xE8\\x47\\x01\\x00\\x00\\x89\\x06\\xFF\\x36\\x68\\x8E\\x4E\\x0E\\xEC\\xE8\\x61\\x01\\x00\\x00\\x89\\x46\\x08\\xFF\\x36\\x68\\xAD\\xD9\\x05\\xCE\\xE8\\x52\\x01\\x00\\x00\\x89\\x46\\x0C\\x68\\x6C\\x6C\\x00\\x00\\x68\\x33\\x32\\x2E\\x64\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\x56\\x08\\x89\\x46\\x04\\xFF\\x36\\x68\\x72\\xFE\\xB3\\x16\\xE8\\x2D\\x01\\x00\\x00\\x89\\x46\\x10\\xFF\\x36\\x68\\x7E\\xD8\\xE2\\x73\\xE8\\x1E\\x01\\x00\\x00\\x89\\x46\\x14\\xFF\\x76\\x04\\x68\\xCB\\xED\\xFC\\x3B\\xE8\\x0E\\x01\\x00\\x00\\x89\\x46\\x18\\xFF\\x76\\x04\\x68\\xD9\\x09\\xF5\\xAD\\xE8\\xFE\\x00\\x00\\x00\\x89\\x46\\x1C\\xFF\\x76\\x04\\x68\\xA4\\x1A\\x70\\xC7\\xE8\\xEE\\x00\\x00\\x00\\x89\\x46\\x20\\xFF\\x76\\x04\\x68\\xA4\\xAD\\x2E\\xE9\\xE8\\xDE\\x00\\x00\\x00\\x89\\x46\\x24\\xFF\\x76\\x04\\x68\\xE5\\x49\\x86\\x49\\xE8\\xCE\\x00\\x00\\x00\\x89\\x46\\x28\\xFF\\x76\\x04\\x68\\xE7\\x79\\xC6\\x79\\xE8\\xBE\\x00\\x00\\x00\\x89\\x46\\x2C\\x33\\xFF\\x81\\xEC\\x90\\x01\\x00 > \\x00\\x54\\x68\\x01\\x01\\x00\\x00\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0", >X+ >X+ "kaltenbornBind" >X+ 
"\\xFF\\x56\\xF4\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\xF0\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\xEC\\x57\\x53\\xFF\\x56\\xE8\\x33\\xFF\\x57\\x51\\x53\\xFF\\x56\\xE2\\x8B\\xD0\\x89\\x46\\xBE\\x68\\x63\\x6D\\x64\\x00\\x89\\x66\\xC2\\x83\\xC4\\xAC\\x8D\\x3C\\x24\\x33\\xC0\\x33\\xC9\\x80\\xC1\\x15\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44\\x24\\x3D\\x89\\x54\\x24\\x48\\x89\\x54\\x24\\x4C\\x89\\x54\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x41\\x51\\x49\\x51\\x51\\xFF\\x76\\xC2\\x51\\xFF\\x56\\xCE\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\xD2\\x8B\\xC8\\xFF\\x76\\xBE\\xFF\\x56\\xD6\\xEB\\x9E\\xFF\\x56\\x14" >X+ >X+ "wackerowBind" >X+ "\\xE8\\x7C\\x00\\x00\\x00\\x83\\xC6\\x0D\\x52\\x56\\xFF\\x57\\xFC\\x5A\\x8B\\xD8\\x6A\\x04\\x59\\xE8\\x69\\x00\\x00\\x00\\x50\\x50\\x50\\x50\\x6A\\x01\\x6A\\x02\\xFF\\x57\\xF0\\x8B\\xD8\\xC7\\x07\\x02\\x00(..)\\x33\\xC0\\x89\\x47\\x04\\x6A\\x10\\x57\\x53\\xFF\\x57\\xF4\\x6A\\x01\\x53\\xFF\\x57\\xF8\\x50\\x50\\x53\\xFF\\x57\\xFC\\x83\\xEC\\x44\\x8B\\xF4\\x33\\xDB\\x6A\\x10\\x59\\x89\\x1C\\x8E\\xE2\\xFB\\x89\\x46\\x38\\x89\\x46\\x3C\\x89\\x46\\x40\\xC7\\x46\\x2C\\x01\\x01\\x00\\x00\\x8D\\x47\\x10\\x50\\x56\\x53\\x53\\x53\\x6A\\x01\\x53\\x53\\xC7\\x47\\x3C\\x63\\x6D\\x64\\x00\\x8D\\x47\\x3C\\x50\\x53\\xFF\\x57\\xE4\\x50\\xFF\\x57\\xE8" >X+ >X+ "parthensteinBind" >X+ 
"\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0\\x33\\xC9\\x83\\xC1\\x15\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44\\x24\\x3D\\x89\\x54\\x24\\x48\\x89\\x54\\x24\\x4C\\x89\\x54\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\xFF\\x76\\x30\\x51\\xFF\\x56\\x10\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\x0C\\x8B\\xC8\\x57\\xFF\\x56\\x2C\\xFF\\x56\\x14" >X ); >X >X >XIndex: modules/shellcode-generic/sch_generic_cmd.cpp >X=================================================================== >X--- modules/shellcode-generic/sch_generic_cmd.cpp (Revision 2174) >X+++ modules/shellcode-generic/sch_generic_cmd.cpp (Arbeitskopie) >X@@ -63,7 +63,7 @@ >X >X bool GenericCMD::Init() >X { >X- const char *createprocesspcre = ".*(cmd.*/.*\\x00).*"; >X+ const char *createprocesspcre = ".*(cmd.* /.*\\x00).*"; >X const char * pcreEerror; >X int32_t pcreErrorPos; >X if((m_pcre = pcre_compile(createprocesspcre, PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL) >END-of-nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell >echo x - nepenthes-port/files/patch-download-nepenthes-disconnect-fix >sed 's/^X//' >nepenthes-port/files/patch-download-nepenthes-disconnect-fix << 'END-of-nepenthes-port/files/patch-download-nepenthes-disconnect-fix' >XIndex: modules/download-nepenthes/DownloadNepenthesDialogue.cpp >X=================================================================== >X--- modules/download-nepenthes/DownloadNepenthesDialogue.cpp (Revision 2187) >X+++ modules/download-nepenthes/DownloadNepenthesDialogue.cpp (Arbeitskopie) >X@@ -201,18 +201,26 @@ >X */ >X ConsumeLevel DownloadNepenthesDialogue::connectionShutdown(Message *msg) >X { >X- // the download is done, 
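Review bot: The new `kaltenbornBind`, `wackerowBind` and `parthensteinBind` entries in shellcode-generic.conf.dist are not comma-separated, while the existing entry is written `"adenauBind",` followed by its pattern with a trailing comma; unless the config parser treats adjacent string literals as separate list items, each name and pattern will either be merged into one string or fail to parse. Match the existing form, `"kaltenbornBind",` on one line and the pattern followed by `,` on the next, for each of the three pairs.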
check if the md5sum matches the md5sum we were given; >X- string md5sum = g_Nepenthes->getUtilities()->md5sum( >X- m_Download->getDownloadBuffer()->getData(), >X- m_Download->getDownloadBuffer()->getSize()); >X+ if ( m_Download != NULL ) >X+ { >X >X- if (strncmp(m_MD5Sum.c_str(),md5sum.c_str(),32) != 0) >X- { >X- logInfo("file does not match its md5sum (%s <-> %s) \n",md5sum.c_str(),m_MD5Sum.c_str()); >X+ // the download is done, check if the md5sum matches the md5sum we were given; >X+ string md5sum = g_Nepenthes->getUtilities()->md5sum( >X+ m_Download->getDownloadBuffer()->getData(), >X+ m_Download->getDownloadBuffer()->getSize()); >X+ >X+ if ( strncmp(m_MD5Sum.c_str(),md5sum.c_str(),32) != 0 ) >X+ { >X+ logInfo("file does not match its md5sum (%s <-> %s) \n",md5sum.c_str(),m_MD5Sum.c_str()); >X+ } else >X+ { >X+ logInfo("new file %s is done\n",m_MD5Sum.c_str()); >X+ g_Nepenthes->getSubmitMgr()->addSubmission(m_Download); >X+ } >X }else >X { >X- logInfo("new file %s is done\n",m_MD5Sum.c_str()); >X- g_Nepenthes->getSubmitMgr()->addSubmission(m_Download); >X+ uint32_t remotehost = msg->getRemoteHost(); >X+ logCrit(" %s tried to fool download-nepenthes (connected without sending data)\n",inet_ntoa(*(in_addr *)&remotehost)); >X } >X return CL_DROP; >X } >END-of-nepenthes-port/files/patch-download-nepenthes-disconnect-fix >echo x - nepenthes-port/files/patch-malloc >sed 's/^X//' >nepenthes-port/files/patch-malloc << 'END-of-nepenthes-port/files/patch-malloc' >X--- ltmain.sh.orig Fri Dec 2 02:11:50 2005 >X+++ ltmain.sh Fri Dec 2 02:12:12 2005 >X@@ -4718,7 +4718,6 @@ >X #include <stdio.h> >X #include <stdlib.h> >X #include <unistd.h> >X-#include <malloc.h> >X #include <stdarg.h> >X #include <assert.h> >X >X--- modules/submit-xmlrpc/XMLRPCParser.cpp.orig Fri Dec 2 02:16:50 2005 >X+++ modules/submit-xmlrpc/XMLRPCParser.cpp Fri Dec 2 02:16:59 2005 >X@@ -38,7 +38,6 @@ >X #include <assert.h> >X #include <ctype.h> >X #include <stdint.h> >X-#include <malloc.h> >X #include 
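Review bot: The new `else` branch in DownloadNepenthesDialogue::connectionShutdown logs at critical level every time a peer connects and disconnects without sending data, which any unauthenticated remote host can trigger at will; that turns an empty connection into a way to flood the critical log, so `logInfo` (already used in this function) is the better level, e.g. `logInfo("%s connected without sending data\n", inet_ntoa(*(in_addr *)&remotehost));`. The branch also dereferences `msg` for `getRemoteHost()`, which the original body never touched; whether `connectionShutdown` can be invoked with a NULL message is not visible here and should be confirmed before relying on it.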
<string.h> >X >X #ifndef HAVE_STRNDUP >END-of-nepenthes-port/files/patch-malloc >echo x - nepenthes-port/distinfo >sed 's/^X//' >nepenthes-port/distinfo << 'END-of-nepenthes-port/distinfo' >XMD5 (nepenthes-0.1.3.tar.gz) = 19ea7bb0f300d89ead1f3ce35728e53e >XSIZE (nepenthes-0.1.3.tar.gz) = 774548 >END-of-nepenthes-port/distinfo >echo x - nepenthes-port/pkg-descr >sed 's/^X//' >nepenthes-port/pkg-descr << 'END-of-nepenthes-port/pkg-descr' >XNepenthes can determine the malware activity on a network >Xby deploying a nepenthes sensor (i.e. honey pot). The programm >Xemulates different well known vulnerabilities waiting for >Xmalicious connections trying to exploit them. >X >XWWW: http://nepenthes.sourceforge.net/ >END-of-nepenthes-port/pkg-descr >echo x - nepenthes-port/pkg-plist >sed 's/^X//' >nepenthes-port/pkg-plist << 'END-of-nepenthes-port/pkg-plist' >Xbin/nepenthes >Xetc/nepenthes/download-csend.conf >Xetc/nepenthes/download-curl.conf >Xetc/nepenthes/download-link.conf >Xetc/nepenthes/download-nepenthes.conf >Xetc/nepenthes/download-tftp.conf >Xetc/nepenthes/log-download.conf >Xetc/nepenthes/log-irc.conf >Xetc/nepenthes/log-surfnet.conf >Xetc/nepenthes/module-portwatch.conf >Xetc/nepenthes/nepenthes.conf >Xetc/nepenthes/nepenthes.conf.dist >Xetc/nepenthes/shellcode-generic.conf >Xetc/nepenthes/submit-file.conf >Xetc/nepenthes/submit-nepenthes.conf >Xetc/nepenthes/submit-norman.conf >Xetc/nepenthes/submit-xmlrpc.conf >Xetc/nepenthes/vuln-asn1.conf >Xetc/nepenthes/vuln-bagle.conf >Xetc/nepenthes/vuln-dameware.conf >Xetc/nepenthes/vuln-dcom.conf >Xetc/nepenthes/vuln-iis.conf >Xetc/nepenthes/vuln-kuang2.conf >Xetc/nepenthes/vuln-lsass.conf >Xetc/nepenthes/vuln-msmq.conf >Xetc/nepenthes/vuln-mssql.conf >Xetc/nepenthes/vuln-mydoom.conf >Xetc/nepenthes/vuln-netbiosname.conf >Xetc/nepenthes/vuln-netdde.conf >Xetc/nepenthes/vuln-optix.conf >Xetc/nepenthes/vuln-pnp.conf >Xetc/nepenthes/vuln-sasserftpd.conf >Xetc/nepenthes/vuln-ssh.conf >Xetc/nepenthes/vuln-sub7.conf 
>Xetc/nepenthes/vuln-upnp.conf >Xetc/nepenthes/vuln-veritas.conf >Xetc/nepenthes/vuln-wins.conf >Xetc/nepenthes/x-2.conf >Xlib/nepenthes/dnsresolveadns.a >Xlib/nepenthes/dnsresolveadns.la >Xlib/nepenthes/dnsresolveadns.so >Xlib/nepenthes/downloadcreceive.a >Xlib/nepenthes/downloadcreceive.la >Xlib/nepenthes/downloadcreceive.so >Xlib/nepenthes/downloadcsend.a >Xlib/nepenthes/downloadcsend.la >Xlib/nepenthes/downloadcsend.so >Xlib/nepenthes/downloadcurl.a >Xlib/nepenthes/downloadcurl.la >Xlib/nepenthes/downloadcurl.so >Xlib/nepenthes/downloadftp.a >Xlib/nepenthes/downloadftp.la >Xlib/nepenthes/downloadftp.so >Xlib/nepenthes/downloadhttp.a >Xlib/nepenthes/downloadhttp.la >Xlib/nepenthes/downloadhttp.so >Xlib/nepenthes/downloadlink.a >Xlib/nepenthes/downloadlink.la >Xlib/nepenthes/downloadlink.so >Xlib/nepenthes/downloadnepenthes.a >Xlib/nepenthes/downloadnepenthes.la >Xlib/nepenthes/downloadnepenthes.so >Xlib/nepenthes/downloadtftp.a >Xlib/nepenthes/downloadtftp.la >Xlib/nepenthes/downloadtftp.so >Xlib/nepenthes/geolocationgeoip.a >Xlib/nepenthes/geolocationgeoip.la >Xlib/nepenthes/geolocationgeoip.so >Xlib/nepenthes/geolocationhostip.a >Xlib/nepenthes/geolocationhostip.la >Xlib/nepenthes/geolocationhostip.so >Xlib/nepenthes/geolocationip2location.a >Xlib/nepenthes/geolocationip2location.la >Xlib/nepenthes/geolocationip2location.so >Xlib/nepenthes/logdownload.a >Xlib/nepenthes/logdownload.la >Xlib/nepenthes/logdownload.so >Xlib/nepenthes/logirc.a >Xlib/nepenthes/logirc.la >Xlib/nepenthes/logirc.so >Xlib/nepenthes/logsurfnet.a >Xlib/nepenthes/logsurfnet.la >Xlib/nepenthes/logsurfnet.so >Xlib/nepenthes/moduleportwatch.a >Xlib/nepenthes/moduleportwatch.la >Xlib/nepenthes/moduleportwatch.so >Xlib/nepenthes/shellcodegeneric.a >Xlib/nepenthes/shellcodegeneric.la >Xlib/nepenthes/shellcodegeneric.so >Xlib/nepenthes/shellemuwinnt.a >Xlib/nepenthes/shellemuwinnt.la >Xlib/nepenthes/shellemuwinnt.so >Xlib/nepenthes/submitfile.a >Xlib/nepenthes/submitfile.la 
>Xlib/nepenthes/submitfile.so >Xlib/nepenthes/submitnepenthes.a >Xlib/nepenthes/submitnepenthes.la >Xlib/nepenthes/submitnepenthes.so >Xlib/nepenthes/submitnorman.a >Xlib/nepenthes/submitnorman.la >Xlib/nepenthes/submitnorman.so >Xlib/nepenthes/submitxmlrpc.a >Xlib/nepenthes/submitxmlrpc.la >Xlib/nepenthes/submitxmlrpc.so >Xlib/nepenthes/uploadhttp.a >Xlib/nepenthes/uploadhttp.la >Xlib/nepenthes/uploadhttp.so >Xlib/nepenthes/vulnasn1.a >Xlib/nepenthes/vulnasn1.la >Xlib/nepenthes/vulnasn1.so >Xlib/nepenthes/vulnbagle.a >Xlib/nepenthes/vulnbagle.la >Xlib/nepenthes/vulnbagle.so >Xlib/nepenthes/vulndameware.a >Xlib/nepenthes/vulndameware.la >Xlib/nepenthes/vulndameware.so >Xlib/nepenthes/vulndcom.a >Xlib/nepenthes/vulndcom.la >Xlib/nepenthes/vulndcom.so >Xlib/nepenthes/vulniis.a >Xlib/nepenthes/vulniis.la >Xlib/nepenthes/vulniis.so >Xlib/nepenthes/vulnkuang2.a >Xlib/nepenthes/vulnkuang2.la >Xlib/nepenthes/vulnkuang2.so >Xlib/nepenthes/vulnlsass.a >Xlib/nepenthes/vulnlsass.la >Xlib/nepenthes/vulnlsass.so >Xlib/nepenthes/vulnmsmq.a >Xlib/nepenthes/vulnmsmq.la >Xlib/nepenthes/vulnmsmq.so >Xlib/nepenthes/vulnmssql.a >Xlib/nepenthes/vulnmssql.la >Xlib/nepenthes/vulnmssql.so >Xlib/nepenthes/vulnmydoom.a >Xlib/nepenthes/vulnmydoom.la >Xlib/nepenthes/vulnmydoom.so >Xlib/nepenthes/vulnnetbiosname.a >Xlib/nepenthes/vulnnetbiosname.la >Xlib/nepenthes/vulnnetbiosname.so >Xlib/nepenthes/vulnnetdde.a >Xlib/nepenthes/vulnnetdde.la >Xlib/nepenthes/vulnnetdde.so >Xlib/nepenthes/vulnoptix.a >Xlib/nepenthes/vulnoptix.la >Xlib/nepenthes/vulnoptix.so >Xlib/nepenthes/vulnpnp.a >Xlib/nepenthes/vulnpnp.la >Xlib/nepenthes/vulnpnp.so >Xlib/nepenthes/vulnsasserftpd.a >Xlib/nepenthes/vulnsasserftpd.la >Xlib/nepenthes/vulnsasserftpd.so >Xlib/nepenthes/vulnssh.a >Xlib/nepenthes/vulnssh.la >Xlib/nepenthes/vulnssh.so >Xlib/nepenthes/vulnsub7.a >Xlib/nepenthes/vulnsub7.la >Xlib/nepenthes/vulnsub7.so >Xlib/nepenthes/vulnupnp.a >Xlib/nepenthes/vulnupnp.la >Xlib/nepenthes/vulnupnp.so 
>Xlib/nepenthes/vulnveritas.a >Xlib/nepenthes/vulnveritas.la >Xlib/nepenthes/vulnveritas.so >Xlib/nepenthes/vulnwins.a >Xlib/nepenthes/vulnwins.la >Xlib/nepenthes/vulnwins.so >Xlib/nepenthes/x1.a >Xlib/nepenthes/x1.la >Xlib/nepenthes/x1.so >Xlib/nepenthes/x2.a >Xlib/nepenthes/x2.la >Xlib/nepenthes/x2.so >Xlib/nepenthes/x3.a >Xlib/nepenthes/x3.la >Xlib/nepenthes/x3.so >Xlib/nepenthes/x4.a >Xlib/nepenthes/x4.la >Xlib/nepenthes/x4.so >Xlib/nepenthes/x5.a >Xlib/nepenthes/x5.la >Xlib/nepenthes/x5.so >Xlib/nepenthes/x6.a >Xlib/nepenthes/x6.la >Xlib/nepenthes/x6.so >Xlib/nepenthes/x7.a >Xlib/nepenthes/x7.la >Xlib/nepenthes/x7.so >Xlib/nepenthes/x8.a >Xlib/nepenthes/x8.la >Xlib/nepenthes/x8.so >Xshare/nepenthes/doc/README >Xshare/nepenthes/doc/README.VFS >Xshare/nepenthes/doc/logo-shaded.svg >X@dirrm etc/nepenthes >X@dirrm lib/nepenthes >X@dirrm share/nepenthes >X@dirrm var/cache/nepenthes >END-of-nepenthes-port/pkg-plist >echo x - nepenthes-port/Makefile >sed 's/^X//' >nepenthes-port/Makefile << 'END-of-nepenthes-port/Makefile' >X# Ports collection makefile for: nepenthes >X# Date created: 1 Dec 2005 >X# Whom: ryo >X# >X# $FreeBSD$ >X# >X >XPORTNAME= nepenthes >XPORTVERSION= 0.1.3 >XCATEGORIES= net >XMASTER_SITES= ${MASTER_SITE_SOURCEFORGE} >XMASTER_SITE_SUBDIR= nepenthes >X >XMAINTAINER= ryo@aquahill.net >XCOMMENT= Determine the malware activity on a network >X >XLIB_DEPENDS= curl.3:${PORTSDIR}/ftp/curl \ >X magic.1:${PORTSDIR}/sysutils/file \ >X pcre.0:${PORTSDIR}/devel/pcre \ >X adns.1:${PORTSDIR}/dns/adns >X >X#USE_RC_SUBR= nepenthes.sh >X >XGNU_CONFIGURE= yes >XCONFIGURE_TARGET=--build=${MACHINE_ARCH}-portbld-freebsd${OSREL} >XCONFIGURE_ARGS+= --enable-ssh >X >XMAN8= nepenthes.8 >X >X.include <bsd.port.mk> >END-of-nepenthes-port/Makefile >exit
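Review bot: `USE_RC_SUBR` is commented out in the Makefile, so `files/nepenthes.sh.in` is never installed and the rc.d integration the shar ships is dead weight; either uncomment `USE_RC_SUBR= nepenthes.sh` and list the installed script in pkg-plist, or drop the file. `patch-log` points logging, binaries and hexdumps at `var/log/nepenthes`, `var/nepenthes/binaries/` and `var/nepenthes/hexdumps/`, but neither the Makefile nor pkg-plist creates those directories (pkg-plist only removes `var/cache/nepenthes`), so unless the daemon creates them itself a fresh install has nowhere to write until the administrator intervenes. pkg-descr's `programm` is also a typo for `program`.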