Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: Ron <ron () skullsecurity net>
Date: Sun, 13 Jun 2010 23:37:02 -0500

On Sun, 13 Jun 2010 16:32:24 -0500 Ron <ron () skullsecurity net> wrote:
> Attaching the first version that uses timing, I'd like to get
> comments on it -- I've only tried it against local targets, but it
> should work better against remote ones unless the lag goes really,
> really high.
>
> I'm working on "infecting" my windows system now, then I'll release a
> version that can detect infected Windows + Linux systems.
I totally failed to get a Trojanned version of UnrealIRCd running on Windows, and I don't know if any of the Windows 
binaries were even affected, but the attached version should run on both Windows and Linux. It uses delays to check 
whether or not the command runs, since we have no access to the output. It uses ping -n on Linux and ping -c on 
Windows. 

I opted for delaying 8 seconds by default -- Trojanned servers will respond after 8 seconds, and non-Trojanned servers 
will respond instantly. It's long enough to avoid false positives for slow connections (no response should ever take 8 
seconds), but short enough that the user doesn't have to wait a long time. 

Let me know if you have any comments. 

Question: should I add a script-arg for running an arbitrary command since we're able to? That's more of an attack 
tool, instead of a scanner, and Metasploit already has that covered, but it'd be a trivial addition. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86

Attachment: irc-unrealircd-backdoor.nse

Attachment: _bin
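The timing check described in the message above, as an added example that is not the attached NSE script or any UnrealIRCd code: a server that runs the injected command answers only after the sleep (8 seconds by default in the script), while a clean server answers at once, and the probe classifies the result by elapsed time. The mock server here is constructed to stand in for both behaviours on localhost, and the probe payload is a placeholder, not the real trigger; the delay values in the demo are scaled down so it runs quickly.

```python
import socket
import threading
import time

# Default delay used by the script described in the message: an affected
# server replies only after this many seconds, a clean one replies at once.
DEFAULT_DELAY = 8.0

# Placeholder line; the real trigger is deliberately not reproduced here.
PROBE_PAYLOAD = b"PROBE_PLACEHOLDER\r\n"


def start_mock_server(sleep_before_reply, reply=b":mock 421 probe :Unknown command\r\n"):
    """Constructed stand-in for an IRC server on 127.0.0.1 (not UnrealIRCd).

    Reads one request, waits `sleep_before_reply` seconds (modelling the time
    an injected command such as `ping` would take), then sends a reply.
    Returns the port the mock listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            time.sleep(sleep_before_reply)
            try:
                conn.sendall(reply)
            except OSError:
                pass  # client already gave up; nothing to do
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def timed_probe(host, port, payload=PROBE_PAYLOAD, expected_delay=DEFAULT_DELAY, slack=2.0):
    """Send `payload`, wait for the first byte of a reply, and time it.

    Returns (verdict, elapsed_seconds) where verdict is one of:
      "delayed"   - reply came only after expected_delay: consistent with the
                    injected sleep having run
      "immediate" - reply came well before expected_delay: command not run
      "no-reply"  - nothing within expected_delay + slack: inconclusive
                    (lag, filtering, or the server never answering)"""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=expected_delay + slack) as s:
        s.sendall(payload)
        try:
            data = s.recv(1)
        except socket.timeout:
            data = b""
    elapsed = time.monotonic() - start
    if not data:
        return "no-reply", elapsed
    if elapsed >= expected_delay:
        return "delayed", elapsed
    return "immediate", elapsed


if __name__ == "__main__":
    # Scaled-down demo: a 0.5 s threshold instead of the script's 8 s.
    for label, server_sleep in (("clean", 0.0), ("affected", 0.6), ("unresponsive", 3.0)):
        port = start_mock_server(server_sleep)
        verdict, took = timed_probe("127.0.0.1", port, expected_delay=0.5, slack=0.5)
        print(f"{label:12s} -> {verdict:9s} ({took:.2f}s)")
```

The threshold only works if the chosen delay is well above any plausible network latency, which is why the script defaults to 8 seconds: a reply that takes that long on a clean server would itself be anomalous, so the three verdicts stay separable even on slow links.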

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
