Security Incidents mailing list archives
Chunked encoding worm on tcp/80
From: Bill McCarty <bmccarty () pt-net net>
Date: Tue, 25 Nov 2003 16:11:45 -0800
Hi all,

Does anyone recognize this worm code fragment obtained from objdump? The worm ran through my Class C network, hitting TCP/80 on most hosts. Snort identified it as:
WEB-MISC Apache Chunked-Encoding worm attempt
WEB-MISC bad HTTP/1.1 request, Potentially worm attack
WEB-MISC Transfer-Encoding: chunked

The ASCII dump of this worm bears some resemblance to that of the Gobbles SSL exploit. But, as I recall, the Gobbles exploit targeted TCP/443. So, this seems to be something else. I have class in 15 minutes, which isn't enough time for me to study the disassembly. So, please pardon my dumping of unanalyzed data. But, it'll be tomorrow before I can investigate further.
Cheers,
(Code begins with a long sled of inc %ecx instructions.)
717: 41 inc %ecx
718: e7 d0 out %eax,$0xd0
71a: c3 ret
71b: 3f aas
71c: 53 push %ebx
71d: 79 0d jns 0x72c
71f: 00 42 00 add %al,0x0(%edx)
722: 00 00 add %al,(%eax)
724: 42 inc %edx
725: 00 00 add %al,(%eax)
727: 00 00 add %al,(%eax)
729: e0 b6 loopne 0x6e1
72b: 05 ce 0a 00 05 add $0x5000ace,%eax
730: 69 00 04 82 08 00 imul $0x88204,(%eax),%eax
736: 45 inc %ebp
737: 00 00 add %al,(%eax)
739: 34 6c xor $0x6c,%al
73b: 65 gs
73c: 40 inc %eax
73d: 00 40 06 add %al,0x6(%eax)
740: b1 2a mov $0x2a,%cl
742: c7 6b 61 24 ca 6c 2a movl $0x2a6cca24,0x61(%ebx)
749: 38 00 cmp %al,(%eax)
74b: 50 push %eax
74c: 30 f1 xor %dh,%cl
74e: 61 popa
74f: e3 39 jecxz 0x78a
751: c5 bb 3d 8b 87 80 lds 0x80878b3d(%ebx),%edi
757: 10 21 adc %ah,(%ecx)
759: f0 ba 2c 00 00 01 lock mov $0x100002c,%edx
75f: 01 08 add %ecx,(%eax)
761: 0a 62 70 or 0x70(%edx),%ah
764: 55 push %ebp
765: a3 1a e5 96 c4 mov %eax,0xc496e51a
76a: e8 d0 c3 3f b6 call 0xb63fcb3f
76f: 3c 01 cmp $0x1,%al
771: 00 ea add %ch,%dl
773: 05 00 00 ea 05 add $0x5ea0000,%eax
778: 00 00 add %al,(%eax)
77a: 00 05 69 00 04 82 add %al,0x82040069
780: 00 e0 add %ah,%al
782: b6 05 mov $0x5,%dh
784: ce into
785: 0a 08 or (%eax),%cl
787: 00 45 00 add %al,0x0(%ebp)
78a: 05 dc 0f c0 40 add $0x40c00fdc,%eax
78f: 00 35 06 13 28 ca add %dh,0xca281306
795: 6c insb (%dx),%es:(%edi)
796: 2a 38 sub (%eax),%bh
798: c7 6b 61 24 30 f1 00 movl $0xf13024,0x61(%ebx)
79f: 50 push %eax
7a0: bb 3d 8b 87 61 mov $0x61878b3d,%ebx
7a5: e3 39 jecxz 0x7e0
7a7: c5 80 10 82 18 ab lds 0xab188210(%eax),%eax
7ad: 0a 00 or (%eax),%al
7af: 00 01 add %al,(%ecx)
7b1: 01 08 add %ecx,(%eax)
7b3: 0a 1a or (%edx),%bl
7b5: e5 96 in $0x96,%eax
7b7: da 62 70 fisubl 0x70(%edx)
7ba: 55 push %ebp
7bb: a3 41 41 41 41 mov %eax,0x41414141
7c0: 41 inc %ecx
7c1: 41 inc %ecx
7c2: 41 inc %ecx
(Code continues with another sled of inc %ecx instructions and another
exploit, multiple times. The full TCP stream is about 37k bytes.)
--
Bill McCarty
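Added example, not part of Bill McCarty's post and not the worm's own code: a small Python triage script that checks a captured tcp/80 stream for the two features the post calls out, a "Transfer-Encoding: chunked" request and a long run of 0x41 bytes (the inc %ecx sled). It also flags a chunk-size field that would be negative as a 32-bit signed integer, which is the length confusion the Apache chunked-encoding exploit relied on. The sample streams are constructed for this example, not the poster's capture; the 256-byte sled threshold and the signed-integer test are this example's heuristics, not the logic of the Snort rules named above.

```python
"""Heuristic triage of a captured tcp/80 stream for chunked-encoding worm traffic.

Added example; the streams below are constructed, not captured from the post.
"""
import re

# Constructed worm-like stream: chunked POST whose first chunk-size field
# (0xFFFFFFF0) is negative as a 32-bit signed int, followed by 600 x 0x41
# (the "inc %ecx" sled) standing in for the real payload.
SAMPLE_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: target\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"FFFFFFF0\r\n" + b"\x41" * 600 + b"\r\n"
    b"0\r\n\r\n"
)

# Constructed benign chunked request: sane chunk sizes, no sled.
BENIGN_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: target\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n\r\n"
)

SIGNED_32_LIMIT = 2 ** 31   # chunk sizes at or above this go negative in an int


def parse_chunk_sizes(body: bytes):
    """Walk a chunked body and return the declared chunk sizes.

    Stops at the first malformed size field or when a declared size runs
    past the end of the capture, returning whatever was parsed so far.
    """
    sizes = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            break
        field = body[pos:end].split(b";")[0].strip()   # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", field):
            break
        size = int(field, 16)
        sizes.append(size)
        if size == 0:
            break
        pos = end + 2 + size + 2   # CRLF, chunk data, trailing CRLF
        if pos > len(body):
            break
    return sizes


def triage_stream(stream: bytes, sled_byte: int = 0x41, sled_min: int = 256):
    """Return a list of human-readable findings for one request stream."""
    findings = []
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return findings                      # no complete header block
    header_lines = head.split(b"\r\n")[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()

    if b"chunked" in headers.get(b"transfer-encoding", b""):
        findings.append("transfer-encoding: chunked")
        for size in parse_chunk_sizes(body):
            if size >= SIGNED_32_LIMIT:
                findings.append(
                    f"chunk size 0x{size:X} is negative as a 32-bit signed int")

    # Long run of the sled byte anywhere in the stream (threshold is an assumption).
    pattern = re.escape(bytes([sled_byte])) + b"{%d,}" % sled_min
    run = re.search(pattern, stream)
    if run:
        findings.append(
            f"sled of {len(run.group())} x 0x{sled_byte:02X} at offset {run.start()}")
    return findings


def classify(stream: bytes) -> str:
    """'worm-like' if a bad chunk size or a sled is present, 'chunked' if only
    the header is, 'clean' otherwise."""
    findings = triage_stream(stream)
    if any("negative" in f or "sled" in f for f in findings):
        return "worm-like"
    if findings:
        return "chunked"
    return "clean"


if __name__ == "__main__":
    for label, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        print(label, classify(stream), triage_stream(stream))
```

The "Transfer-Encoding: chunked" header on its own is reported but not treated as hostile, since ordinary clients send it; it is the oversized chunk length or the sled that moves a stream into the worm-like bucket. Against a real capture of the ~37k stream the post describes, the sled finding would repeat for each of the stacked exploit attempts.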
