4788308 2000-02-12 01:08 /125 lines/ Postmaster Recipient: Bugtraq (import) <9750> Subject: Re: Analysis of "stacheldraht"
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.GUL.4.21.0002101324310.6388-100000@red1.cac.washington.edu>
Date: Thu, 10 Feb 2000 14:04:18 -0800
Reply-To: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GUL.4.21.0001112023410.26994-100000@red8.cac.washington.edu>

The source code for "stacheldraht" was published on Packet Storm this week:

http://packetstorm.securify.com/distributed

Below are the differences (which affect packet signatures and some minimal strings in the binary images) between the code that I analyzed and the current 4.0 release. (Hmm. Jumping from 1.1 to 4.0 because of #define changes. Sounds like random works for Microsoft or Sun! ;)

I will be updating the default values in the "dds" (and "gag") scanners as soon as possible to use these new defaults, and will add command-line options to "dds" to switch them. (I didn't do this earlier due to time constraints.)

Anyone who is doing packet-level checks should be aware of these changed defaults (and that they can easily be changed further, so be aware of false negative results.)

diff stacheldrahtV4/config.h reg-orig/config.h 11,12c11 < #define ID_SHELL 88 /* to bind a rootshell */ < #define ID_ADDR 616 /* ip add request for the flood server */ --- > #define ID_SHELL 1 /* to bind a rootshell */ 14,30c13,31 < #define ID_SETPRANGE 8008 /* set port range for synflood */ < #define ID_SETUSIZE 8009 /* set udp size */ < #define ID_SETISIZE 9010 /* set icmp size */ < #define ID_TIMESET 9011 /* set the flood time */ < #define ID_DIEREQ 6663 /* shutdown request of the masterserver */ < #define ID_DISTROIT 6662 /* distro request of the master server */ < #define ID_REMMSERVER 5501 /* remove added masterserver */ < #define ID_ADDMSERVER 5555 /* add new masterserver request */ < #define SPOOF_REPLY 1016 /* spoof test reply of the master server < #define ID_TEST 6268 /* test of the master server */ < #define ID_ICMP 1155 /* to icmp flood */ < #define ID_SENDUDP 6 /* to udp flood */ < #define ID_SENDSYN 9 /* to syn flood */ < #define ID_SYNPORT 8 /* to set port */ < #define ID_STOPIT 3 /* to stop flooding */ < #define ID_SWITCH 5 /* to switch spoofing mode */ < #define ID_ACK 4 /* for replies to the client */ --- > #define ID_ADDR 699 /* ip add request for the flood server */ > > #define ID_SETPRANGE 2007 /* set port range for synflood */ > #define ID_SETUSIZE 2006 /* set udp size */ > #define ID_SETISIZE 2005 /* set icmp size */ > #define ID_TIMESET 2004 /* set the flood time */ > #define ID_DIEREQ 2003 /* shutdown request of the masterserver */ > #define ID_DISTROIT 2002 /* distro request of the master server */ > #define ID_REMMSERVER 2001 /* remove added masterserver */ > #define ID_ADDMSERVER 2000 /* add new masterserver request */ > #define SPOOF_REPLY 1000 /* spoof test reply of the master server > #define ID_TEST 668 /* test of the master server */ > #define ID_ICMP 1055 /* to icmp flood */ > #define ID_SENDUDP 2 /* to udp flood */ > #define ID_SENDSYN 3 /* to syn flood */ > #define ID_SYNPORT 4 /* to set port */ > #define ID_STOPIT 5 /* to stop 
flooding */ > #define ID_SWITCH 6 /* to switch spoofing mode */ > #define ID_ACK 7 /* for replies to the client */ Common subdirectories: stacheldrahtV4/leaf and reg-orig/leaf diff stacheldrahtV4/mserv.c reg-orig/mserv.c 24c24 < #define SALT "dRFWfIGlF0zrE\0" --- > #define SALT "zAHp635Fd0u/g\0" 27c27 < #define MSERVERPORT 65512 --- > #define MSERVERPORT 16660 29c29 < #define SERVVERSION "[*]stacheldraht[*] mserver version: 4.0\n" --- > #define SERVVERSION "[*]stacheldraht[*] mserver version: 1.1\n" 31,32c31,32 < /* masterserver handles up to 6000 bcasts */ < #define MAXBCASTS 6000 --- > /* masterserver handles up to 1000 bcasts */ > #define MAXBCASTS 1000 34c34 < #define BCASTFILENAME ".bc" --- > #define BCASTFILENAME "bcasts" 36c36 < #define LOCALIP "193.116.54.15" --- > #define LOCALIP "205.198.186.38" 41c41 < #define COMMANDPORT 65513 --- > #define COMMANDPORT 65000 49c49 < #define CURPROMPT "stacheldraht" --- > #define CURPROMPT "regulate" Common subdirectories: stacheldrahtV4/telnetc and reg-orig/telnetc

-- 
Dave Dittrich
Client Services
dittrich@cac.washington.edu
Computing & Communications
University of Washington
<a href="http://www.washington.edu/People/dad/"> Dave Dittrich / dittrich@cac.washington.edu [PGP Key]</a>
PGP 6.5.1 key fingerprint: FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
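Review bot: on the config.h hunk `11,12c11`, the diff was run as `diff stacheldrahtV4/config.h reg-orig/config.h`, so the `<` lines are the new 4.0 values and the `>` lines are the 1.1 code that was analyzed; anyone updating a signature must take the `<` side (`ID_SHELL 88`, `ID_ADDR 616`), not the `>` side. The split into `11,12c11` and `14,30c13,31` is only because `ID_ADDR` moved down one line with a blank line inserted; it is a value change, not a removal and a separate addition, and should be read together with the next hunk.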
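Review bot: in the config.h hunk `14,30c13,31`, the `SPOOF_REPLY` line (`/* spoof test reply of the master server`) has no closing `*/` on either side of the diff. If that is how the source reads and not an artifact of the mail being rewrapped, the comment runs into the following line and swallows `#define ID_TEST ...` up to its own `*/`, so `ID_TEST` would never be defined; check the tarball before building a check on `ID_TEST` 6268 (or 668). Separately, the small values 3, 4, 5 and 6 occur in both tables with different meanings (5 is `ID_STOPIT` in 1.1 but `ID_SWITCH` in 4.0), so a match on one of those alone neither identifies the version nor the command, and values that low are easily produced by unrelated traffic.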
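Review bot: on the mserv.c hunk `24c24`, the macro called `SALT` is a full 13-character crypt(3) result (two salt characters followed by eleven hash characters), i.e. the stored password hash for the handler rather than just a salt. A different value means the password and/or the salt changed between 1.1 and 4.0; each string is still a usable fixed string for its own version's handler binary, but a scan that only knows `zAHp635Fd0u/g` will miss 4.0.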
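Review bot: on the mserv.c hunk `27c27`, `MSERVERPORT` moves from 16660 to 65512, so a rule that only watches 16660/tcp for agent-to-handler connections produces exactly the false negatives the covering message warns about; carry both ports, and treat any port-based rule as a weak signal since this is a one-line compile-time change.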
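Review bot: on the mserv.c hunk `41c41`, `COMMANDPORT` moves from 65000 to 65513 (adjacent to the new `MSERVERPORT` 65512), so the client-to-handler port changes as well; a check for 65000/tcp needs 65513/tcp added alongside it.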
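Review bot: on the mserv.c hunk `34c34`, the agent list file is renamed from `bcasts` to the dotfile `.bc`, which a plain `ls` in the handler's directory will not show; a host-based check for a handler should look for both names with `ls -a`. Together with `31,32c31,32` (`MAXBCASTS` 1000 to 6000) this raises the number of agents one handler can track, which matters when sizing a cleanup.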
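Review bot: on the mserv.c hunk `36c36`, `LOCALIP` is a hardcoded handler address compiled into the binary, so the two values shown identify the hosts those particular builds were made for; they are indicators for those deployments only, not a general signature, and a check should not key on them. The strings that do generalize within a version are `SERVVERSION` (`29c29`) and `CURPROMPT` (`49c49`, `regulate` to `stacheldraht`), which are the "minimal strings in the binary images" the message refers to; a strings-based scan should include both versions of each.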
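Added example, not from Dittrich's post or from the stacheldraht source: a small packet classifier that carries both the 1.1 and the 4.0 constant sets from the diff above, so a packet-level check does not produce the false negatives the message warns about when it is keyed on one version only. It assumes, following the earlier analysis this message replies to, that the handler/agent channel is ICMP ECHO_REPLY with the command ID in the ICMP identifier field, and that MSERVERPORT and COMMANDPORT are TCP listeners on the handler; the packets it scans are constructed inline rather than captured, and `classify`, `scan` and `missed_by_single_version` are names chosen here.

```python
# Added example, not from Dittrich's post or the stacheldraht source.
# Assumption: the handler<->agent channel is ICMP ECHO_REPLY with the
# command ID in the ICMP identifier field (per Dittrich's earlier analysis),
# and MSERVERPORT/COMMANDPORT are TCP listeners on the handler.
# All packets below are constructed here; nothing is captured traffic.
import struct

# #define values from the config.h diff: ">" side is 1.1, "<" side is 4.0.
ICMP_IDS = {
    "1.1": {1: "ID_SHELL", 699: "ID_ADDR", 2007: "ID_SETPRANGE", 2006: "ID_SETUSIZE",
            2005: "ID_SETISIZE", 2004: "ID_TIMESET", 2003: "ID_DIEREQ",
            2002: "ID_DISTROIT", 2001: "ID_REMMSERVER", 2000: "ID_ADDMSERVER",
            1000: "SPOOF_REPLY", 668: "ID_TEST", 1055: "ID_ICMP", 2: "ID_SENDUDP",
            3: "ID_SENDSYN", 4: "ID_SYNPORT", 5: "ID_STOPIT", 6: "ID_SWITCH", 7: "ID_ACK"},
    "4.0": {88: "ID_SHELL", 616: "ID_ADDR", 8008: "ID_SETPRANGE", 8009: "ID_SETUSIZE",
            9010: "ID_SETISIZE", 9011: "ID_TIMESET", 6663: "ID_DIEREQ",
            6662: "ID_DISTROIT", 5501: "ID_REMMSERVER", 5555: "ID_ADDMSERVER",
            1016: "SPOOF_REPLY", 6268: "ID_TEST", 1155: "ID_ICMP", 6: "ID_SENDUDP",
            9: "ID_SENDSYN", 8: "ID_SYNPORT", 3: "ID_STOPIT", 5: "ID_SWITCH", 4: "ID_ACK"},
}
# Handler TCP ports from the mserv.c diff.
TCP_PORTS = {"1.1": {16660: "MSERVERPORT", 65000: "COMMANDPORT"},
             "4.0": {65512: "MSERVERPORT", 65513: "COMMANDPORT"}}


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[ihl:]


def classify(pkt):
    """Hits for one packet: list of (release, constant, detail), possibly empty."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return []
    proto, src, dst, payload = parsed
    hits = []
    if proto == 1 and len(payload) >= 8:                # ICMP
        icmp_type, _code, _csum, ident, _seq = struct.unpack_from("!BBHHH", payload)
        if icmp_type == 0:                              # ECHO_REPLY
            for release, table in ICMP_IDS.items():
                if ident in table:
                    hits.append((release, table[ident],
                                 f"icmp echo-reply id={ident} {src}->{dst}"))
    elif proto == 6 and len(payload) >= 20:             # TCP
        _sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", payload)
        if off_flags & 0x3F == 0x02:                     # SYN only: a new connection
            for release, table in TCP_PORTS.items():
                if dport in table:
                    hits.append((release, table[dport], f"tcp syn {src}->{dst}:{dport}"))
    return hits


def scan(packets):
    """{index: hits} for every packet that matched at least one table."""
    out = {}
    for i, p in enumerate(packets):
        hits = classify(p)
        if hits:
            out[i] = hits
    return out


def missed_by_single_version(packets, release):
    """Indices that hit some table but not `release`: the false negatives a
    check keyed on one version's constants would produce."""
    return [i for i, hits in scan(packets).items()
            if not any(r == release for r, _, _ in hits)]


# --- constructed sample traffic (not a capture) ------------------------------
def build_ipv4(proto, src, dst, payload):
    octets = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, octets(src), octets(dst))   # checksum left 0
    return hdr + payload


def build_icmp_echo_reply(ident):
    return struct.pack("!BBHHH", 0, 0, 0, ident, 0)


def build_tcp_syn(sport, dport):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)


SAMPLE_PACKETS = [
    build_ipv4(1, "10.0.0.5", "10.0.0.9", build_icmp_echo_reply(668)),   # 1.1 ID_TEST
    build_ipv4(1, "10.0.0.5", "10.0.0.9", build_icmp_echo_reply(6268)),  # 4.0 ID_TEST
    build_ipv4(1, "10.0.0.5", "10.0.0.9", build_icmp_echo_reply(1016)),  # 4.0 SPOOF_REPLY
    build_ipv4(1, "10.0.0.5", "10.0.0.9", build_icmp_echo_reply(5)),     # in both tables
    build_ipv4(1, "10.0.0.5", "10.0.0.9", build_icmp_echo_reply(4242)),  # ordinary ping
    build_ipv4(6, "10.0.0.7", "10.0.0.9", build_tcp_syn(40000, 65513)),  # 4.0 COMMANDPORT
    build_ipv4(6, "10.0.0.8", "10.0.0.9", build_tcp_syn(40001, 16660)),  # 1.1 MSERVERPORT
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_PACKETS).items():
        print(i, hits)
    print("missed by a 1.1-only check:", missed_by_single_version(SAMPLE_PACKETS, "1.1"))
```

Run against the constructed packets, a 1.1-only check misses the 4.0 `ID_TEST`, `SPOOF_REPLY` and `COMMANDPORT` packets, and a 4.0-only check misses the 1.1 ones; identifier 5 matches both tables with different meanings, which is why a hit on one of the low IDs should be reported as ambiguous rather than as a specific command. Since every constant here is a `#define`, a rebuilt handler can move all of them again, so these tables are a starting point for a detector, not a fixed signature.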