Trojan Reversing part I - by defiler.
Published by Tsehp, sept 2000.
Our target is Sub7.

You think you protected the Sub7 server with a password, so no one else can connect to it? You're dead wrong! In this essay I'll show you how I found a 'security hole' inside the trojan's server.
Tools you'll need:
(x) SoftICE (+ SymbolLoader)
(x) the target of course, Sub7, available on: subseven.slak.org
(x) a basic knowledge of SoftICE's commands + assembly language.
The "essay":

I was interested in the comparison of the server password with the one that the client user entered after connecting. So I ran SoftICE's Symbol Loader to import some winsock exports ;)

Run the Loader, click on the "FILE|LOAD EXPORTS" menu, browse your win/system path for "wsock32.dll" and open it. SymbolLoader should answer like this:
"Exports for Z:\WINDBLOWZ\SYSTEM\Wsock32.dll loaded successfully"

Now go and configure a Sub7 server (read the documents, I won't explain how to do this) with EditServer.exe. I took port number 666 and set the password to "abuse". Run the server; you can later on kill the process with ProcDump, but better don't be online (I am IN NO WAY responsible for any stuff you do with this program, it was not written by me).

Connect with SubSeven.exe to the server (take 127.0.0.1 as IP), the password dialog will pop up, enter a dummy password.

The server uses WSOCK32!recv to retrieve data sent from the client.
The Windows Sockets recv function receives data from a socket.

int recv (
    SOCKET s,
    char FAR* buf,
    int len,
    int flags
);

The second parameter (char FAR* buf) is the important one. There the data will be stored.
Now set a bpx on recv inside SoftICE (bpx recv do "d esp->8"; at the entry of recv, [esp+8] holds the buf argument, so this dumps the receive buffer). Click OK to send the password to the server. SoftICE will pop up; press F11 (g @ss:esp) to return to the caller, and the password, preceded by a 'PWD' string, will be shown in SoftICE's data window. Now set a bpr on the password's address (e.g.: bpr 405000 405010 RW) and on the copy it will make at 004029c5. Next time you break in you should be at 004040dd:
0167:004040dd  8b0e      mov ecx,[esi]
0167:004040df  8b1f      mov ebx,[edi]
0167:004040e1  39d9      cmp ecx,ebx
0167:004040e3  7558      jnz 0040413d
0167:004040e5  4a        dec edx
0167:004040e6  7415      jz  004040fd
0167:004040e8  8b4e04    mov ecx,[esi+04]
0167:004040eb  8b5f04    mov ebx,[edi+04]
0167:004040ee  39d9      cmp ecx,ebx
Hmmm, it broke in at 4040dd because we set a bpr on our password. So it must be located inside the buffer esi points to. The first 4 chars of our password are moved into ecx, the first 4 chars of the string edi points to into ebx, and the two are then compared; edx counts the remaining dwords, and the next dword pair is fetched from [esi+04] and [edi+04]. So now you think you found the comparison between the real password and the one you entered? Ah, ah, no way. The author of Sub7 is even more stupid: type "d edi" in SoftICE, and we'll see:
016F:012A3DD4  31 34 34 33 38 31 33 36-37 38 32 37 31 35 31 30  1443813678271510
016F:012A3DE4  31 39 38 30 00 69 6F 00-28 00 00 00 22 00 00 00  1980.io.(..."...
016F:012A3DF4  01 00 00 00 13 00 00 00-53 75 62 73 65 76 65 6E  ........Subseven
016F:012A3E04  5F 5F 5F 3C 20 70 69 63-6B 20 3E 00 10 3E 2A 01  ___< pick >..>*.
016F:012A3E14  10 3E 2A 01 38 00 00 00-53 75 62 73 65 76 65 6E  .>*.8...Subseven
Strange, that was not the password I set... I took "abuse" as password. So let's see what it is by reconnecting and entering it... SubSeven.exe says: connected.
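To make the loop at 004040dd concrete, here is an added Python model of it; this is example code written for this page, not the author's code and not anything taken from Sub7. It runs the dword-at-a-time compare over a small constructed memory image: esi points at the entered password, edi at whatever the server really compares against. The addresses 0x10 and 0x40 and the string HIDDEN are constructed placeholders (HIDDEN stands in for the string the dump above showed at edi).

```python
import struct

SLOT = 32  # bytes reserved per string in the constructed image (8 dwords)


def read_dword(mem: bytes, addr: int) -> int:
    # mov reg,[addr]: one little-endian 32-bit fetch from the image
    return struct.unpack_from("<I", mem, addr)[0]


def dword_compare(mem: bytes, esi: int, edi: int, edx: int) -> bool:
    # Model of the unrolled loop at 004040dd: ecx = [esi+4*i], ebx = [edi+4*i],
    # cmp ecx,ebx. The first mismatch takes the jnz to 0040413d (not equal);
    # when dec edx reaches zero the jz to 004040fd is taken (equal).
    for i in range(edx):
        ecx = read_dword(mem, esi + 4 * i)
        ebx = read_dword(mem, edi + 4 * i)
        if ecx != ebx:
            return False
    return True


def place(mem: bytearray, addr: int, s: bytes) -> None:
    # Store s at addr, NUL-padded to the slot size (the dump shows "1980"
    # followed by 00 bytes in the same way)
    if len(s) > SLOT:
        raise ValueError("string does not fit the slot")
    mem[addr:addr + SLOT] = s.ljust(SLOT, b"\x00")


def build_image(entered: bytes, compared_against: bytes):
    # Constructed memory image. 0x10 and 0x40 are arbitrary addresses that
    # stand in for what esi and edi pointed at in the essay.
    esi, edi = 0x10, 0x40
    mem = bytearray(0x80)
    place(mem, esi, entered)
    place(mem, edi, compared_against)
    return bytes(mem), esi, edi, SLOT // 4


def server_accepts(entered: bytes, compared_against: bytes) -> bool:
    # What the loop decides for a given input and whatever edi points to
    mem, esi, edi, edx = build_image(entered, compared_against)
    return dword_compare(mem, esi, edi, edx)


CONFIGURED = b"abuse"                      # the password set with EditServer
HIDDEN = b"HARDCODED-STRING-PLACEHOLDER"   # constructed stand-in for the string at edi

if __name__ == "__main__":
    # edi holds the configured password: "abuse" gets in
    print("abuse vs configured:", server_accepts(CONFIGURED, CONFIGURED))
    # edi holds the hidden string instead: "abuse" is rejected, the hidden string is not
    print("abuse vs hidden    :", server_accepts(CONFIGURED, HIDDEN))
    print("hidden vs hidden   :", server_accepts(HIDDEN, HIDDEN))
```

The point of the model is the third case: the loop has no idea what it is comparing, it only reports whether [esi] and [edi] agree dword by dword, so whoever controls what edi points to decides which input "connected" is printed for.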
Errrm, is there a little possibility that the author of SubSeven put in a hardcoded master password? Heh, try it a few times with some other servers (on your own PC). And yes, it is a master password.
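What the essay found is, in design terms, an authentication check with a second, shared, hardcoded secret. As an added illustration (example code for this page, not Sub7's code and not the author's), here is that weak check next to a hardened one that stores only a salted PBKDF2 hash and compares it in constant time. MASTER_PASSWORD is a constructed placeholder, not the value from the dump, and the hash scheme is my choice, not something the page attributes to Sub7.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder; stands in for the hardcoded value the essay found.
MASTER_PASSWORD = b"MASTER-PASSWORD-PLACEHOLDER"
PBKDF2_ROUNDS = 100_000


def accept_weak(entered: bytes, configured: bytes) -> bool:
    # The check as the essay found it: the password set with EditServer opens
    # the server, and so does a second, hardcoded one that every server shares.
    # Both secrets sit in memory in clear, which is why "d edi" showed one.
    return entered == configured or entered == MASTER_PASSWORD


def enroll(configured: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Hardened: keep only a salted PBKDF2 hash of the configured password, so
    # no clear-text password string exists to be read out of the process.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", configured, salt, PBKDF2_ROUNDS)
    return salt, digest


def accept_hardened(entered: bytes, salt: bytes, stored: bytes) -> bool:
    # Exactly one secret is acceptable and the comparison is constant-time;
    # there is no second branch for a hidden value to hide in.
    candidate = hashlib.pbkdf2_hmac("sha256", entered, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def audit_for_master(configured: bytes) -> dict:
    # Defender's check on both designs: is any input other than the configured
    # password accepted? The weak check lets the master value in; the hardened
    # check does not, while still accepting the configured password.
    salt, stored = enroll(configured)
    return {
        "weak_accepts_master": accept_weak(MASTER_PASSWORD, configured),
        "hardened_accepts_master": accept_hardened(MASTER_PASSWORD, salt, stored),
        "hardened_accepts_configured": accept_hardened(configured, salt, stored),
    }


if __name__ == "__main__":
    for name, result in audit_for_master(b"abuse").items():
        print(f"{name}: {result}")
```

The hardened form also changes what a debugger session like the one above can turn up: with only a salt and a hash in memory, "d edi" at the comparison shows a digest, and there is no string that, typed into the password dialog, gets "connected" on every server.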
Well, that's all for today, I just thought someone would be interested in this stuff. I am in no way responsible for the stuff you'll do with this information.

regards,
defiler
Greetings (no specific order):
ultraschall, cardenal mendoza, kaparo, flwright, ratso, haldir, lightdruid, ganjaman, telcofix, whataduck, tornado, hutch, masta, notty, knotty, kwazy webbit, secret, iczelion, bisoux, MisterE, mr nop, neural noise, lazarus, peegee, random, daze, the anti xryst, acid burn, azzyrian, decline, blind angel, keyboard junky, reverend x, DnNuke, Gizmo, viny, volatility, alpine, promothee, sat0r, fli7e, targ0n, Ridlexx, novatrix, TomTom, WarezPup, Weazel, visionz, kaai, MagicRaph, sepulcrum, MVD, sn00pee, amante, FatBoyJoe, SantMat and all who contribute to the reversing spirit ;)

Group/chan greets:
all blizzard members, everyone in #win32asm, #cracking, #eliteFravias, #reversing4newbies, #immortaldescendants, #digital.factory, #hellforge, and #learn2crack.

I would be pleased to get some feedback, catch me on irc or mail to:
defiler@eliteFravias.de