另类的BIOS与内存冲突故
snort虽然提供了一些规则来检测攻击相关的请求,但并远不是攻击本身:
alert udp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct-udp ixnremote buildcontextw little endian attempt"; flowbits:isset,dce.bind.ixnremote; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19;)
alert tcp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct v4 ixnremote buildcontextw attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|e0 0c|k|90 0b c7|g|10 b3 17 00 dd 01 06|b|da|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; pcre:"/^.{10}/sr";)
alert udp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct-udp v4 ixnremote buildcontextw attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|e0 0c|k|90 0b c7|g|10 b3 17 00 dd 01 06|b|da|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; pcre:"/^.{10}/sr";)
alert tcp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct ixnremote buildcontextw attempt"; flow:established,to_server; flowbits:isset,dce.bind.ixnremote; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19;)
alert tcp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct ixnremote buildcontextw little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ixnremote; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19;)
alert udp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct-udp ixnremote buildcontextw attempt"; flowbits:isset,dce.bind.ixnremote; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19;)
alert tcp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct v4 ixnremote buildcontextw little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|e0 0c|k|90 0b c7|g|10 b3 17 00 dd 01 06|b|da|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; pcre:"/^.{10}/sr";)
alert udp $external_net any -> $home_net 1024: (msg:"netbios dcerpc direct-udp v4 ixnremote buildcontextw little endian attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|e0 0c|k|90 0b c7|g|10 b3 17 00 dd 01 06|b|da|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; pcre:"/^.{10}/sr";)
对于正常的请求,这些规则也可能触发告警,显然这是不令人满意的。
漏洞分析
--------
要检测攻击当然需要先对ms05-051漏洞作一下比较深入的成因分析,以下的分析完全整理自小四(scz at nsfocus dot com)的工作。
漏洞的成因在于远程调用msdtcprx!buildcontextw()时存在内存破坏问题,msdtcprx.dll!buildcontextw()对应dce-rpc 7号调用,相应的 简请求报文参数手工解码如下:
--------------------------------------------------------------------------
0x00, 0x00, // +0x000 param0开始,2字节长
0x00, 0x00, // 填充字节,4字节对齐
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // +0x004 param1开始,24字节长
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, // +0x018 param2开始,参数 大可能长度,4字节长
0x00, 0x00, 0x00, 0x00, // 参数 小可能长度,4字节长
0x01, 0x00, 0x00, 0x00, // 参数实际长度,4字节长
0x00, 0x00, // 参数串,unicode格式
0x00, 0x00, // 填充字节,4字节对齐
0x01, 0x00, 0x00, 0x00, // +0x028 pwszhostname,param3开始,参数 大可能长度,4字节长
0x00, 0x00, 0x00, 0x00, // 参数 小可能长度,4字节长
0x01, 0x00, 0x00, 0x00, // 参数实际长度,4字节长
0x00, 0x00, // 参数串,unicode格式
0x00, 0x00, // 填充字节,4字节对齐
0x01, 0x00, 0x00, 0x00, // +0x038 pwszuuidstring param4开始,参数 大可能长度,4字节长,正常情况下应该是0x00000025,如果大于此值则是畸形的
0x00, 0x00, 0x00, 0x00, // 参数 小可能长度,4字节长
0x01, 0x00, 0x00, 0x00, // 参数实际长度,4字节长
0x00, 0x00, // 参数串,unicode格式
0x00, 0x00, // 填充字节,4字节对齐
0x01, 0x00, 0x00, 0x00, // +0x048 param5开始,参数 大可能长度,4字节长,正常情况下应该是0x00000025,如果大于此值则是畸形的
0x00, 0x00, 0x00, 0x00, // 参数 小可能长度,4字节长
0x01, 0x00, 0x00, 0x00, // 参数实际长度,4字节长
0x00, 0x00, // 参数串,unicode格式
0x00, 0x00, // 填充字节,4字节对齐
0x01, 0x00, 0x00, 0x00, // +0x058 pwszguidout param6开始,参数 大可能长度,4字节长
0x00, 0x00, 0x00, 0x00, // 参数 小可能长度,4字节长
0x01, 0x00, 0x00, 0x00, // 参数实际长度,4字节长
0x00, 0x00, // 参数串,unicode格式
0x00, 0x00, // 填充字节,4字节对齐
0x00, 0x00, 0x00, 0x00, // +0x068 param7
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, // +0x074 count
0x00, 0x00, 0x00, 0x00 // +0x078 array[*]
// +0x07c
--------------------------------------------------------------------------
该函数的第5、6形参使用了一种少见的特殊类型,当参数 大可能长度大于0x25时,可能触发内存破坏漏洞,事实上为了触发漏洞,并不要求第5、6形参本身超长。利用这个漏洞,远程攻击者可能以distributed transaction coordinator服务进程所拥有的权限在目标系统上执行任意指令。
此漏洞攻击的目标端口是可变的,可以通过查询3372端口的msdtc服务来得到目标端口,一般大于等于1024,可暴力猜测扫描。
现有攻击代码的分析
------------------
swan[at]0x557[dot]org 发布了一个攻击代码,导致攻击的畸形buildcontextw()请求如下:
transmission control protocol, src port: 4738 (4738), dst port: 1030 (1030), seq: 73, ack: 61, len: 1024
dce rpc request, fragment: single, fraglen: 1324, call: 1 ctx: 0, [resp: #9]
version: 5
version (minor): 0
packet type: request (0)
packet flags: 0x83
1... .... = object: set
.0.. .... = maybe: not set
..0. .... = did not execute: not set
...0 .... = multiplex: not set
.... 0... = reserved: not set
.... .0.. = cancel pending: not set
.... ..1. = last frag: set
.... ...1 = first frag: set
data representation: 10000000
frag length: 1324
auth length: 0
call id: 1
alloc hint: 1284
context id: 0
opnum: 7
object uuid: 906b0ce0-c70b-1067-b317-00dd010662da
response in frame: 9
[packet size limited during capture: dcerpc truncated]
0000 00 0c 29 95 cc 65 00 12 3f 99 da 9f 08 00 45 00 ..)..e..?.....e.
0010 04 28 46 96 40 00 80 06 20 65 c0 a8 07 0a c0 a8 .(f.@... e......
0020 07 7a 12 82 04 06 80 f4 f5 18 90 a5 58 90 50 18 .z..........x.p.
0030 ff c3 5f 8f 00 00 05 00 00 83 10 00 00 00 2c 05 .._...........,.
0040 00 00 01 00 00 00 04 05 00 00 00 00 07 00 e0 0c ................
0050 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 00 00 k...g.......b...
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 ................
0080 00 00 06 00 00 00 31 00 31 00 31 00 31 00 31 00 ......1.1.1.1.1.
0090 00 00 07 00 00 00 00 00 00 00 07 00 00 00 31 00 ..............1.
00a0 31 00 31 00 31 00 31 00 31 00 00 00 00 00 58 02 1.1.1.1.1.....x.
00b0 00 00 00 00 00 00 2b 02 00 00 cc cc cc cc cc 00 ......+.........
00c0 cc 00 cc 00 cc 00 cc 00 cc 00 cc 00 cc 00 cc 00 ................
....
0420 cc 00 cc 00 cc 00 cc 00 cc 00 cc 00 cc 00 cc 00 ................
0430 cc 00 cc 00 cc 00 ......
从tcp数据区开始我们手工解码如下:
05 // dce rpc请求头开始,总24字节长,version: 5
00 // version (minor): 0
00 // packet type: request (0)
83 // packet flags: 0x83,带object,也就是说参数开始前有16字节长的uuid
