Tuesday, February 28, 2012

some pcap analysis - CVE-2003-0533


I had a look at pcap file from a honeynet challenge and it was quite interesting. Its about analyzing an attack which has taken place, having to figure out the vulnerability etc. There are 2 hosts involved, A(98.114.205.102) and B(192.150.11.111).

Looking at the pcap, lets start by tracing the tcp streams quickly. Looking at the hex representation of the stream(A=>B), you see lots of nops; it seems we have some shellcode in between the same.



The second TCP stream(A=>B) also seems to have something interesting for us.



Certain FTP commands seem to be written into the file "o" and the ftp client seems to be getting invoked in order to execute the commands in the file "o", which involve logging in, getting a file and quitting. After that the downloaded file is run. This is

The third TCP stream seems to have relevant data flowing both ways. The Blue indicates A=>B and Red indicates vice versa.



Haha, that was funny. :) So, as expected a file seems to be transferred. At this point, I'd guess the next TCP stream to be an executable of some sort; the "smss.exe" shown above.



Looking at the hexdump of the file, we can see that the file starts with "MZ" - the file format signature for PE files.

A bit of guessing :-
Everything you just saw, happened in a timespan of 16 seconds which is quite quick. Also, you can do an OS detection on the packets involved and notice that A is a Windows machine(an infected machine?) while B is a Linux machine(honeypot?).
In order to identify the vulnerability, I had another look at the protocols and ports involved in the first tcp stream. Around packet 28(in stream 1), you have a DCERPC request, you have the shellcode being sent, and you have a DsRoleUpgradeDownlevelServer request. Making a few searches we get that, this and this suggesting that we are dealing with a case of CVE-2003-0533.

No comments:

Post a Comment