Security Incidents mailing list archives

for all those wondering - CRII has a bug!


From: corecode <corecode () corecode ath cx>
Date: Sun, 12 Aug 2001 23:47:32 +0000

hello ppl!

i just received some crippled CodeRed II into my honeypot and i am sure somebody else has also noticed that:

- overall length of the attack is the same
- request method and start of url is missing (ie. GET /default?XXX...)
- but some additional headers added


i was curious about this issue and checked my analysis once again:

seg000:000003CE call    $+5                 ; get current pos
seg000:000003D3 pop     eax
seg000:000003D4 sub     eax, 3D3h           ; get start of worm
seg000:000003D9 push    0                   ; flags = 0
seg000:000003DB push    3818                ; len
seg000:000003E0 push    eax                 ; start of wormcode (including request)
seg000:000003E1 push    dword ptr [ebp+sock]
seg000:000003E4 call    dword ptr [ebp+send]; send us

and found a major bug in this code:

the worm calculates the start pos (that should be the request) always from the current eip. but if a transparent proxy was in the way and added some headers, the overall length of the received worm is more than 3818 bytes. thus, the worm will fail to get its real start (GET /default.ida?XX) and will instead start somewhere inside the request.

these worms can't reproduce themselves, of course.
that is: every worm that went through a proxy that will add headers is unable to reproduce itself. this could be a countermeasure!

just FYI
cheerz
  corecode
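To make the arithmetic in the listing concrete, here is a small Python simulation of the self-location bug corecode describes. It is added to this archive page and is not corecode's code; it contains no worm bytes (a marker string stands in for the instructions at offset 0x3D3), and the request, body and proxy header lines are constructed stand-ins.

```python
"""Simulates CodeRed II's self-location: the worm computes
(address of `pop eax`) - 0x3D3 as its start and sends 3818 bytes
from there, assuming the buffer still begins with the original
request line. A proxy that inserts header lines shifts the code
by the inserted length, so the computed start lands inside the
request instead. Constructed stand-in data, no real worm bytes."""

WORM_LEN = 3818          # from the listing: push 3818 (len)
CODE_OFF = 0x3D3         # offset of `pop eax` in the original image
REQ_START = b"GET /default.ida?"
CODE_MARKER = b"<CODE>"  # stand-in for the self-locating code


def build_image() -> bytes:
    """Constructed 3818-byte request: request line, two header lines,
    blank line, then a body carrying the marker at exactly CODE_OFF."""
    head = REQ_START + b"X" * 200 + b" HTTP/1.0\r\nHost: victim\r\n\r\n"
    assert len(head) <= CODE_OFF
    image = head + b"\x90" * (CODE_OFF - len(head)) + CODE_MARKER
    return image + b"\x00" * (WORM_LEN - len(image))


def proxy_forward(image: bytes, added_headers: bytes) -> bytes:
    """A transparent proxy re-emitting the request with extra header
    lines inserted before the blank line that ends the headers."""
    end_of_headers = image.index(b"\r\n\r\n")
    return image[:end_of_headers] + b"\r\n" + added_headers + image[end_of_headers:]


def worm_send_buffer(received: bytes) -> bytes:
    """What an infected host would transmit: call $+5 / pop eax /
    sub eax, 3D3h yields (code address - 0x3D3); then 3818 bytes are
    sent from there, whatever actually sits at that position."""
    start = received.index(CODE_MARKER) - CODE_OFF
    if start < 0:
        return b""
    return received[start:start + WORM_LEN]


def can_replicate(sent: bytes) -> bool:
    """A copy only works as an attack if it still starts with the
    exploit request line and the code sits where the arithmetic expects."""
    return sent.startswith(REQ_START) and sent.find(CODE_MARKER) == CODE_OFF
```

Running `worm_send_buffer` on `proxy_forward(build_image(), b"Via: 1.0 cache.example")` gives a 3818-byte buffer that lacks the request method, contains the added Via header, and fails `can_replicate`, which is exactly the crippled traffic described above.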


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com