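###############################################################################
# Back Orifice Detection Module
# sili@l0pht.com
#
# v.01a
#
##############################################################################
#
# Overview: this NFR filter watches UDP traffic for Back Orifice
# request/response pairs. Each packet is reduced to two small checksums
# over fixed payload offsets: $curhash1 (sum of fields expected to be the
# same in a request and its response) and $curhash2 (sum of bytes expected
# to differ). A packet whose $curhash1 matches an earlier packet's, whose
# destination is that earlier packet's source, and whose $curhash2 differs
# is reported as a BO response. The alert written to the_recorder carries
# the five columns declared in bo_schema: time, src ip, src port, dst ip,
# dst port.
#
# Detection caveat: the hashes are plain sums over a handful of payload
# bytes, not a protocol parse, so unrelated UDP flows can collide; treat a
# hit as a lead to confirm against the packet, not as proof on its own.

bo_schema = library_schema:new( 1, [ "time", "ip", "integer", "ip", "integer" ], scope() );

#Logic:
# These are constants between client & server
# long(ip.blob, 6)
# 8
# 10
# 11
# 13
#
# These are different:
# byte(ip.blob, 16)
# 20
#
# NOTE(review): the offsets listed above (6, 8, 10, 11, 13) do not match
# the ones $curhash1 actually reads below (6, 8, 10, 12, 16); either the
# note or the code is stale. TODO confirm which set is intended before
# tuning this rule.
#
# Add up constants to make hash. Do they equal response's hash? If so,
# check to see if the byte hashes are different. If the long hash matches &
# the byte hash doesn't it's 98% likely to be back orifice.
#
# TODO:
# ... Figure out how to page only once instead of once per packet.
# ... 4 Columns instead of 3; ip, port, ip, port.
#     (the record statement and bo_schema below already emit
#      ip, port, ip, port -- this item may be done.)
#
# ... OPTIMIZE !!!
#

# State kept across packets:
#   $biglist  - flat list of (src ip, hash1, hash2) triples, one per packet
#               seen; the loop below steps through it three entries at a
#               time with $counter pointing at the hash1 slot.
#   $curlist  - the current packet as a list, only so its fields can be
#               compared against sublist() results (see the NFR note below).
filter f00manch00 udp()
{
    $MAXLISTSIZE=3000;   # elements, i.e. roughly MAXLISTSIZE/3 remembered packets (assumes listlen counts elements)
    $DONTADD=0;
    $STOP=0;             # initialised explicitly so the first while() test never sees an unset flag
    $counter=1;          #Start the counter at first hash in biglist[].

    #curhash1/2 are the hashes of the current packet.
    $curhash1=long(ip.blob,6) + long(ip.blob,8) + long(ip.blob,10) +long(ip.blob,12) +long(ip.blob,16);
    $curhash2=byte(ip.blob,16)+byte(ip.blob,20);

    #List that contains current information.
    #NFR is broken; sublist() doesn't return type string, instead
    #it returns type list; so we need this to compare items...
    $curlist=listadd($curlist,ip.src,ip.dst,$curhash1,$curhash2);

    #Current list values.. This should be optimized later; NFR
    #doesn't seem to like huge if statements containing sublist()
    #commands.. or typos for that matter.
    $curlist_dst=sublist($curlist,1,1);
    $curlist_hash1=sublist($curlist,2,1);
    $curlist_hash2=sublist($curlist,3,1);

    #
    #Check list for matching packet first.. If no matching entry,
    #then add current packet to list.
    #
    # NOTE(review): only the earlier packet's *source* is stored, so the
    # pairing never checks that the current packet's source is the earlier
    # packet's destination. Storing ip.dst in the triple as well would
    # tighten the match.
    #
    while (($counter < listlen($biglist)) && ($STOP !=1) )
    {
        $biglist_hash1=sublist($biglist,$counter,1);
        $biglist_src=sublist($biglist,$counter-1,1);
        $biglist_hash2=sublist($biglist,$counter+1,1);

        #
        #Heart of the loop; is this a BO response?
        #
        if ( ($curlist_hash1 == $biglist_hash1) && ( ($curlist_dst == $biglist_src) && ($curlist_hash2 != $biglist_hash2) ) )
        {
            #Hot damn! We got one!
            # echo ("Got one!\n");
            # echo (udp.sport,"--",ip.dst,"--",udp.dport,"\n");
            record system.time, ip.src, udp.sport, ip.dst, udp.dport to the_recorder;
            $STOP=1;
        }
        else if ( ($curlist_hash1 == $biglist_hash1) && ( ($curlist_dst == $biglist_src) && ($curlist_hash2 == $biglist_hash2) ) )
        {
            #
            #We have a duplicate Packet; let's not add it to the list.
            #
            $DONTADD=1;
            # Fix: this branch used to leave $counter and $STOP untouched, so
            # the while() condition never changed and the scan looped on the
            # same entry forever. Stop the scan the same way a hit does.
            $STOP=1;
        }
        else
            $counter=$counter+3; #increment counter to next hash
    } #End of loop maintenance

    #
    #If it's not a dupe, add it to the list.
    #
    if (! $DONTADD)
        $biglist=listadd($biglist,ip.src,$curhash1,$curhash2);
    $DONTADD=0;

    #clear out the current list..
    $curlist=null;

    #reset the stop counter.
    $STOP=0;

    #
    #Clear out the biglist if its too big.
    #
    # NOTE(review): this drops *all* pending request state at once, so a
    # response arriving just after the reset cannot be paired. Trimming the
    # oldest triple instead (e.g. a sublist starting at index 3 -- unverified
    # against the NFR list API) would keep detection continuous.
    #
    if (listlen($biglist) > $MAXLISTSIZE)
    {
        $biglist=null;
    }
}

# Recorder that receives the alerts; column layout comes from bo_schema.
the_recorder=recorder("bin/histogram packages/test/bo.cfg", "bo_schema");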