Security Incidents mailing list archives
Chunked encoding worm on tcp/80
From: Bill McCarty <bmccarty () pt-net net>
Date: Tue, 25 Nov 2003 16:11:45 -0800
Hi all,

Does anyone recognize this worm code fragment obtained from objdump? The worm ran through my Class C network, hitting TCP/80 on most hosts. Snort identified it as:

  WEB-MISC Apache Chunked-Encoding worm attempt
  WEB-MISC bad HTTP/1.1 request, Potentially worm attack
  WEB-MISC Transfer-Encoding: chunked

The ASCII dump of this worm bears some resemblance to that of the Gobbles SSL exploit. But, as I recall, the Gobbles exploit targeted TCP/443. So, this seems to be something else. I have class in 15 minutes, which isn't enough time for me to study the disassembly. So, please pardon my dumping of unanalyzed data. But, it'll be tomorrow before I can investigate further.
Cheers,

(Code begins with a long sled of inc %ecx instructions.)

 717: 41                      inc    %ecx
 718: e7 d0                   out    %eax,$0xd0
 71a: c3                      ret
 71b: 3f                      aas
 71c: 53                      push   %ebx
 71d: 79 0d                   jns    0x72c
 71f: 00 42 00                add    %al,0x0(%edx)
 722: 00 00                   add    %al,(%eax)
 724: 42                      inc    %edx
 725: 00 00                   add    %al,(%eax)
 727: 00 00                   add    %al,(%eax)
 729: e0 b6                   loopne 0x6e1
 72b: 05 ce 0a 00 05          add    $0x5000ace,%eax
 730: 69 00 04 82 08 00       imul   $0x88204,(%eax),%eax
 736: 45                      inc    %ebp
 737: 00 00                   add    %al,(%eax)
 739: 34 6c                   xor    $0x6c,%al
 73b: 65                      gs
 73c: 40                      inc    %eax
 73d: 00 40 06                add    %al,0x6(%eax)
 740: b1 2a                   mov    $0x2a,%cl
 742: c7 6b 61 24 ca 6c 2a    movl   $0x2a6cca24,0x61(%ebx)
 749: 38 00                   cmp    %al,(%eax)
 74b: 50                      push   %eax
 74c: 30 f1                   xor    %dh,%cl
 74e: 61                      popa
 74f: e3 39                   jecxz  0x78a
 751: c5 bb 3d 8b 87 80       lds    0x80878b3d(%ebx),%edi
 757: 10 21                   adc    %ah,(%ecx)
 759: f0 ba 2c 00 00 01       lock mov $0x100002c,%edx
 75f: 01 08                   add    %ecx,(%eax)
 761: 0a 62 70                or     0x70(%edx),%ah
 764: 55                      push   %ebp
 765: a3 1a e5 96 c4          mov    %eax,0xc496e51a
 76a: e8 d0 c3 3f b6          call   0xb63fcb3f
 76f: 3c 01                   cmp    $0x1,%al
 771: 00 ea                   add    %ch,%dl
 773: 05 00 00 ea 05          add    $0x5ea0000,%eax
 778: 00 00                   add    %al,(%eax)
 77a: 00 05 69 00 04 82       add    %al,0x82040069
 780: 00 e0                   add    %ah,%al
 782: b6 05                   mov    $0x5,%dh
 784: ce                      into
 785: 0a 08                   or     (%eax),%cl
 787: 00 45 00                add    %al,0x0(%ebp)
 78a: 05 dc 0f c0 40          add    $0x40c00fdc,%eax
 78f: 00 35 06 13 28 ca       add    %dh,0xca281306
 795: 6c                      insb   (%dx),%es:(%edi)
 796: 2a 38                   sub    (%eax),%bh
 798: c7 6b 61 24 30 f1 00    movl   $0xf13024,0x61(%ebx)
 79f: 50                      push   %eax
 7a0: bb 3d 8b 87 61          mov    $0x61878b3d,%ebx
 7a5: e3 39                   jecxz  0x7e0
 7a7: c5 80 10 82 18 ab       lds    0xab188210(%eax),%eax
 7ad: 0a 00                   or     (%eax),%al
 7af: 00 01                   add    %al,(%ecx)
 7b1: 01 08                   add    %ecx,(%eax)
 7b3: 0a 1a                   or     (%edx),%bl
 7b5: e5 96                   in     $0x96,%eax
 7b7: da 62 70                fisubl 0x70(%edx)
 7ba: 55                      push   %ebp
 7bb: a3 41 41 41 41          mov    %eax,0x41414141
 7c0: 41                      inc    %ecx
 7c1: 41                      inc    %ecx
 7c2: 41                      inc    %ecx

(Code continues with another sled of inc %ecx instructions and another exploit, multiple times. The full TCP stream is about 37k bytes.)
-- 
Bill McCarty
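Editor's added example, not part of Bill's post and not a Snort rule: a small Python triage script for a captured HTTP request that checks for the two things visible in the post. First, the Apache chunked-encoding bug the Snort signatures refer to (CVE-2002-0392) came from Apache parsing the hex chunk-size line into a signed 32-bit int and then using it as a length, so a declared size of 0x80000000 or above went negative and overran the buffer; the script walks the chunk-size lines and flags any such value. Second, the sled in the disassembly is a run of 0x41 bytes (ASCII 'A', which is the one-byte x86 inc %ecx), so the script reports the longest run of that byte. The two sample requests, the 64-byte sled threshold and the function names are constructed for this example.

```python
"""Triage a raw HTTP request for (1) chunk sizes that do not fit a signed
32-bit int, the trigger for the 2002 Apache chunked-encoding overflow, and
(2) long runs of 0x41 ('A' / x86 `inc %ecx`), the NOP sled seen in the
objdump output above.  Example code; sample requests are constructed."""
import re
from typing import Dict, List, Tuple

MAX_SIGNED32 = 0x7FFFFFFF   # largest chunk size a signed 32-bit int can hold
SLED_BYTE = 0x41            # 'A' == inc %ecx on x86
SLED_MIN_RUN = 64           # assumption: run length worth reporting

CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")  # size[;extensions]


def split_request(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split a request into a lower-cased header map and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def is_chunked(headers: Dict[bytes, bytes]) -> bool:
    return b"chunked" in headers.get(b"transfer-encoding", b"").lower()


def declared_chunk_sizes(body: bytes) -> List[int]:
    """Return every chunk size the sender declared, without trusting it.

    The declared size is only used to skip forward, clamped to the data we
    actually hold, so a huge value cannot make us read past the buffer."""
    sizes: List[int] = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            break
        m = CHUNK_SIZE_RE.match(body[pos:end])
        if not m:
            break
        size = int(m.group(1), 16)
        sizes.append(size)
        if size == 0:                           # last-chunk marker
            break
        pos = min(end + 2 + size, len(body))    # skip the chunk data
        if body[pos:pos + 2] == b"\r\n":        # and its trailing CRLF
            pos += 2
    return sizes


def oversized_chunks(sizes: List[int]) -> List[int]:
    """Sizes that turn negative when stored in a signed 32-bit int."""
    return [s for s in sizes if s > MAX_SIGNED32]


def longest_sled_run(data: bytes, byte: int = SLED_BYTE) -> int:
    """Length of the longest run of `byte` in `data`."""
    best = run = 0
    for b in data:
        run = run + 1 if b == byte else 0
        best = max(best, run)
    return best


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings for one request (empty if clean)."""
    headers, body = split_request(raw)
    findings: List[str] = []
    if is_chunked(headers):
        bad = oversized_chunks(declared_chunk_sizes(body))
        if bad:
            findings.append(
                "chunk size exceeds signed 32-bit: " + ", ".join(hex(b) for b in bad))
    run = longest_sled_run(body)
    if run >= SLED_MIN_RUN:
        findings.append(f"run of {run} 0x41 bytes (inc %ecx sled)")
    return findings


# Constructed samples, not captured traffic.
BENIGN = (b"POST /x HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")
SUSPECT = (b"POST /x HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"FFFFFFF0\r\n" + b"A" * 300 + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(req) or ["clean"])
```

The sled check on its own will also fire on any request padded with a few hundred 'A's, so on a live sensor it is a triage hint rather than a verdict; the oversized chunk size is the stronger signal, since no legitimate client declares a chunk larger than 2 GiB.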
Current thread:
- Chunked encoding worm on tcp/80 Bill McCarty (Nov 26)
- Re: Chunked encoding worm on tcp/80 Bill McCarty (Nov 26)