Trojan Reversing part I - by defiler.

Published by Tsehp, sept 2000.

 

Our target is Sub7.

You think you protected the Sub7 server with a password, so no one else can
connect to it? You're dead wrong! In this essay I'll show you how I found a
'security hole' inside the trojan's server.

 

Tools you'll need:

(x) SoftICE (+ SymbolLoader.)
(x) the target of course, Sub7, available on: subseven.slak.org
(x) a basic knowledge of SoftICE's commands + assembly language.

 

The "essay":

 

I was interested in the comparison of the server password with the one that the
client user entered after connecting. So I ran SoftICE's Symbol Loader to import
some winsock exports ;)

Run the Loader, click on the "FILE|LOAD EXPORTS" menu, browse your win/system path for
"wsock32.dll" and open it. SymbolLoader should answer like this:
"Exports for Z:\WINDBLOWZ\SYSTEM\Wsock32.dll loaded sucessfully"

 

Now go and configure a Sub7 server (read the documents, I won't explain how to do this)
with EditServer.exe. I took port number 666 and set the password to "abuse".
Run the server; you can later on kill the process with ProcDump, but better don't be
online (I am IN NO WAY responsible for any stuff you do with this program, it was
not written by me).
Connect with SubSeven.exe to the server (take 127.0.0.1 as IP), the password dialog will
pop up, enter a dummy password.
The server uses WSOCK32!recv to retrieve data sent from the client.

 

The Windows Sockets recv function receives data from a socket.

int recv (
    SOCKET s,
    char FAR* buf,
    int len,
    int flags
   );

The second parameter (char FAR* buf) is the important one. There the data will be stored.
Now set a bpx on recv inside SoftICE (bpx recv do "d esp->8").
Click OK to send the password to the server. SoftICE will pop up, press F11 (g @ss:esp)
and the password - preceded by a 'PWD' string - will be shown in SoftICE's data window.
Now set a bpr on the password's address (e.g.: bpr 405000 405010 RW) and on the copy
it will make at 004029c5.
Next time you break in you should be at 004040dd:

 

0167:004040dd  8b0e                mov       ecx,[esi]
0167:004040df  8b1f                mov       ebx,[edi]
0167:004040e1  39d9                cmp       ecx,ebx
0167:004040e3  7558                jnz       0040413d
0167:004040e5  4a                  dec       edx
0167:004040e6  7415                jz        004040fd
0167:004040e8  8b4e04              mov       ecx,[esi+04]
0167:004040eb  8b5f04              mov       ebx,[edi+04]
0167:004040ee  39d9                cmp       ecx,ebx

 

Hmmm, it broke in at line 4040dd because we set a bpr on our password. So it must be located
inside the buffer esi points to. The first 4 chars will be moved into ecx, 4 chars from
the buffer edi points to into ebx, and they will then be compared. So now you think you
found the comparison between the real password and the one you entered? Ah, ah, no way.
The author of Sub7 is even more stupid: type "d edi" in SoftICE, and we'll see:

 

016F:012A3DD4 31 34 34 33 38 31 33 36-37 38 32 37 31 35 31 30  1443813678271510
016F:012A3DE4 31 39 38 30 00 69 6F 00-28 00 00 00 22 00 00 00  1980.io.(..."...
016F:012A3DF4 01 00 00 00 13 00 00 00-53 75 62 73 65 76 65 6E  ........Subseven
016F:012A3E04 5F 5F 5F 3C 20 70 69 63-6B 20 3E 00 10 3E 2A 01  ___< pick >..>*.
016F:012A3E14 10 3E 2A 01 38 00 00 00-53 75 62 73 65 76 65 6E  .>*.8...Subseven

 

Strange, that was not the password I set... I took "abuse" as the password. So let's
see what it is by reconnecting and entering it... SubSeven.exe says: connected.
Errrm, is there a little possibility that the author of SubSeven put in a hardcoded
master password? Heh, try it a few times with some other servers (on your own PC).
And yes, it is a master password.
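
To make the two observations above concrete (the 4-bytes-at-a-time compare at 004040dd, and a server that also opens for a second, hardcoded password), here is a small C model written for this edit. It is not the essay's code and not Sub7's source. It assumes the client frame is the literal "PWD" immediately followed by the password, that the server compares whole dwords with an early exit as the listing shows, and it uses an obviously labelled placeholder in place of the master password. auth_vulnerable() reproduces the behaviour the essay found; auth_hardened() is the check a defender wants instead: one secret, no alternative, and a constant-time comparison over a fixed-size buffer.

```c
/* Added example, not the essay's code and not Sub7's source.  Assumes: the
 * client frame is "PWD" followed directly by the password; the server compares
 * 4 bytes at a time with an early exit (the loop at 004040dd); the master
 * password is an obvious placeholder, not the real value. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PWD 64
static const char MASTER_PWD_PLACEHOLDER[] = "MASTER-PASSWORD-PLACEHOLDER";

/* Pull the password out of a "PWD<password>" frame as recv() delivers it.
 * Returns its length, or -1 if the frame is malformed or too long. */
int parse_pwd_frame(const unsigned char *buf, int len, char *out, size_t outsz)
{
    if (len < 3 || memcmp(buf, "PWD", 3) != 0) return -1;
    int plen = len - 3;
    if (plen <= 0 || (size_t)plen >= outsz) return -1;
    memcpy(out, buf + 3, (size_t)plen);
    out[plen] = '\0';
    return plen;
}

/* C rendering of 004040dd: mov ecx,[esi] / mov ebx,[edi] / cmp / jnz mismatch /
 * dec edx / next dword.  Inputs are copied into zero-padded buffers so every
 * 4-byte load is in bounds.  *dwords_examined shows how far the loop got,
 * which depends on where the first difference sits (the early exit). */
int dword_compare(const char *a, const char *b, size_t *dwords_examined)
{
    char pa[MAX_PWD + 4] = {0}, pb[MAX_PWD + 4] = {0};
    size_t la = strlen(a), lb = strlen(b);
    *dwords_examined = 0;
    if (la > MAX_PWD || lb > MAX_PWD) return 0;
    memcpy(pa, a, la);
    memcpy(pb, b, lb);
    size_t n = ((la > lb ? la : lb) + 3) / 4;   /* edx: dwords left to check */
    for (size_t i = 0; i < n; i++) {
        uint32_t ca, cb;
        memcpy(&ca, pa + 4 * i, 4);             /* mov ecx,[esi+4*i] */
        memcpy(&cb, pb + 4 * i, 4);             /* mov ebx,[edi+4*i] */
        *dwords_examined = i + 1;
        if (ca != cb) return 0;                 /* jnz 0040413d */
    }
    return 1;                                   /* dec edx ... jz: all equal */
}

/* What the essay observed: the configured password opens the server, and so
 * does the hardcoded master password. */
int auth_vulnerable(const unsigned char *frame, int len, const char *configured)
{
    char pwd[MAX_PWD + 1];
    size_t dw;
    if (parse_pwd_frame(frame, len, pwd, sizeof pwd) < 0) return 0;
    if (dword_compare(pwd, configured, &dw)) return 1;
    return dword_compare(pwd, MASTER_PWD_PLACEHOLDER, &dw);   /* the backdoor */
}

/* Constant-time equality over fixed-size buffers: no early exit. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* The check a defender wants: exactly one secret, and a comparison whose
 * running time does not depend on where the first mismatch is. */
int auth_hardened(const unsigned char *frame, int len, const char *configured)
{
    char pwd[MAX_PWD + 1];
    unsigned char a[MAX_PWD + 1] = {0}, b[MAX_PWD + 1] = {0};
    if (parse_pwd_frame(frame, len, pwd, sizeof pwd) < 0) return 0;
    size_t lc = strlen(configured);
    if (lc > MAX_PWD) return 0;
    memcpy(a, pwd, strlen(pwd));   /* both zero-padded to the same size, so a */
    memcpy(b, configured, lc);     /* length difference is a mismatch as well */
    return ct_equal(a, b, sizeof a);
}

int main(void)
{
    /* Constructed frames shaped like the client's "PWD" message. */
    const unsigned char good[] = "PWDabuse", master[] = "PWDMASTER-PASSWORD-PLACEHOLDER";
    size_t dw;
    printf("vulnerable: good=%d master=%d\n", auth_vulnerable(good, 8, "abuse"),
           auth_vulnerable(master, (int)sizeof master - 1, "abuse"));
    printf("hardened:   good=%d master=%d\n", auth_hardened(good, 8, "abuse"),
           auth_hardened(master, (int)sizeof master - 1, "abuse"));
    dword_compare("abusx", "abuse", &dw);
    printf("dwords examined before the mismatch: %zu\n", dw);
    return 0;
}
```

The value reported by dword_compare() moves with the position of the first differing byte, which is the jnz 0040413d exit seen in the listing; ct_equal() always walks the whole buffer. A real server would go one step further and keep only a salted hash of the configured password rather than the plaintext, which this model leaves out.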

 

Well, that's all for today, I just thought someone would be interested in this stuff.
I am in no way responsible for the stuff you'll do with this information.

regards,

defiler

 

Greetings (no specific order):
ultraschall, cardenal mendoza, kaparo, flwright, ratso, haldir, lightdruid, ganjaman,
telcofix, whataduck, tornado, hutch, masta, notty, knotty, kwazy webbit, secret, iczelion,
bisoux, MisterE, mr nop, neural noise, lazarus, peegee, random, daze, the anti xryst,
acid burn, azzyrian, decline, blind angel, keyboard junky, reverend x, DnNuke, Gizmo,
viny, volatility, alpine, promothee, sat0r, fli7e, targ0n, Ridlexx, novatrix, TomTom,
WarezPup, Weazel, visionz, kaai, MagicRaph, sepulcrum, MVD, sn00pee, amante, FatBoyJoe,
SantMat and all who contribute to the reversing spirit ;)

Group/chan greets:
all blizzard members, everyone in #win32asm, #cracking, #eliteFravias, #reversing4newbies,
#immortaldescendants, #digital.factory, #hellforge, and #learn2crack.

I would be pleased to get some feedback, catch me on irc or mail to:
defiler@eliteFravias.de