ports/90062: New port: net/nepenthes (resend with shar)
ryo
ryo at aquahill.net
Wed Dec 7 10:20:03 UTC 2005
>Number: 90062
>Category: ports
>Synopsis: New port: net/nepenthes (resend with shar)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 07 10:20:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: ryo
>Release: FreeBSD 5.2.1-RELEASE i386
>Organization:
>Environment:
System: FreeBSD artemis.aquahill.net 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Sat Jul 30 21:31:39 JST 2005 root at artemis.aquahill.net:/usr/src/sys/i386/compile/GENERIC i386
>Description:
Nepenthes detects malware activity on a network by acting as a
sensor (i.e. a honeypot): the program emulates well-known
vulnerabilities and waits for malicious connections that try to
exploit them.
WWW: http://nepenthes.sourceforge.net
>How-To-Repeat:
>Fix:
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# nepenthes-port
# nepenthes-port/files
# nepenthes-port/files/patch-log
# nepenthes-port/files/patch-docdir
# nepenthes-port/files/nepenthes.sh.in
# nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell
# nepenthes-port/files/patch-download-nepenthes-disconnect-fix
# nepenthes-port/files/patch-malloc
# nepenthes-port/distinfo
# nepenthes-port/pkg-descr
# nepenthes-port/pkg-plist
# nepenthes-port/Makefile
#
echo c - nepenthes-port
mkdir -p nepenthes-port > /dev/null 2>&1
echo c - nepenthes-port/files
mkdir -p nepenthes-port/files > /dev/null 2>&1
echo x - nepenthes-port/files/patch-log
sed 's/^X//' >nepenthes-port/files/patch-log << 'END-of-nepenthes-port/files/patch-log'
X--- conf/nepenthes.conf.dist.orig Sat Dec 3 17:23:03 2005
X+++ conf/nepenthes.conf.dist Sat Dec 3 17:23:56 2005
X@@ -87,8 +87,8 @@
X
X logmanager
X {
X- ring_logging_file "var/log/nepenthes.%d.log";
X- file_logging_file "var/log/nepenthes.log";
X+ ring_logging_file "var/log/nepenthes/nepenthes.%d.log";
X+ file_logging_file "var/log/nepenthes/nepenthes.log";
X };
X
X modulemanager
X@@ -100,7 +100,7 @@
X {
X strictfiletype "1";
X // where does submit-file write to? set this to the same dir
X- filesdir "var/binaries/";
X+ filesdir "var/nepenthes/binaries/";
X };
X
X downloadmanager
X@@ -116,7 +116,7 @@
X
X utilities
X {
X- hexdump_path "var/hexdumps/";
X+ hexdump_path "var/nepenthes/hexdumps/";
X };
X
X geolocationmanager
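Review bot: The three hunks of this patch move the daemon's output to var/log/nepenthes/, var/nepenthes/binaries/ and var/nepenthes/hexdumps/, but nothing else in the port creates those directories — the Makefile has no post-install step and pkg-plist only carries a `@dirrm var/cache/nepenthes`, a path this config never references. Unless nepenthes creates them itself on start-up, which the patch does not show, the first log write or sample capture fails. `filesdir` is where submit-file stores the captured samples, i.e. live malware, so whatever creates that directory should make it root-only (0700) rather than whatever the umask of the process happens to give; a comment to that effect next to `filesdir` would help the operator: `// holds captured malware samples; keep this directory root-only`.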
END-of-nepenthes-port/files/patch-log
echo x - nepenthes-port/files/patch-docdir
sed 's/^X//' >nepenthes-port/files/patch-docdir << 'END-of-nepenthes-port/files/patch-docdir'
X--- Makefile.in.orig Fri Dec 2 02:51:05 2005
X+++ Makefile.in Fri Dec 2 02:51:38 2005
X@@ -193,7 +193,7 @@
X SUBDIRS = nepenthes-core modules
X #tools
X EXTRA_DIST = configure.ac CHANGES doc/README doc/README.VFS doc/logo-shaded.svg doc/nepenthes.8 conf/nepenthes.conf.dist
X-docdir = $(prefix)/share/doc
X+docdir = $(prefix)/share/nepenthes/doc
X doc_DATA = doc/README doc/README.VFS doc/logo-shaded.svg
X
X #sysconf_DATA = conf/nepenthes.conf.dist
END-of-nepenthes-port/files/patch-docdir
echo x - nepenthes-port/files/nepenthes.sh.in
sed 's/^X//' >nepenthes-port/files/nepenthes.sh.in << 'END-of-nepenthes-port/files/nepenthes.sh.in'
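X#!/bin/sh
X#
X# $FreeBSD$
X#
X
X# PROVIDE: nepenthes
X# REQUIRE: DAEMON
X# BEFORE: LOGIN
X# KEYWORD: FreeBSD shutdown
X
X#
X# rc.d script for the nepenthes malware-collecting honeypot.
X#
X# Add the following lines to /etc/rc.conf to enable nepenthes:
X#
X#nepenthes_enable="YES"
X#nepenthes_conf="/usr/local/etc/nepenthes/nepenthes.conf"
X#
X# See nepenthes(8) for manual
X#
X# NOTE(review): no nepenthes_user is set, so rc.subr starts the daemon
X# as root, and the daemon's whole purpose is to accept and parse
X# attacker-supplied exploit payloads on the ports it emulates.  Run the
X# sensor on an isolated host or network segment, not on a machine that
X# has other duties.
X#
X
X. %%RC_SUBR%%
X
Xname=nepenthes
Xrcvar=`set_rcvar`
X
Xcommand=%%PREFIX%%/bin/nepenthes
X
Xstop_postcmd=stop_postcmd
X
X# Sweep up after rc.subr's regular stop.  killall(1) matches by process
X# name, so any unrelated process called "nepenthes" dies as well; a
X# pidfile would be more precise if the daemon can write one.
Xstop_postcmd()
X{
X	killall nepenthes
X}
X
X# Read rc.conf before deriving anything from the nepenthes_* variables.
X# Previously required_files was taken from ${nepenthes_conf} before
X# either rc.conf or the default below had been applied, so it was always
X# empty and rc.subr never refused to start on a missing config file.
Xload_rc_config $name
X
Xnepenthes_enable=${nepenthes_enable:-"NO"}
Xnepenthes_conf=${nepenthes_conf:-"%%PREFIX%%/etc/nepenthes/nepenthes.conf"}
X
Xrequired_files=${nepenthes_conf}
Xcommand_args="-c ${nepenthes_conf}"
X
Xrun_rc_command "$1"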
END-of-nepenthes-port/files/nepenthes.sh.in
echo x - nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell
sed 's/^X//' >nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell << 'END-of-nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell'
XIndex: nepenthes-core/include/FileLogger.hpp
X===================================================================
X--- nepenthes-core/include/FileLogger.hpp (Revision 2174)
X+++ nepenthes-core/include/FileLogger.hpp (Arbeitskopie)
X@@ -47,7 +47,7 @@
X virtual void setLogFile(const char *filename);
X
X private:
X- const char *m_Filename;
X+ char *m_Filename;
X };
X
X }
XIndex: nepenthes-core/src/FileLogger.cpp
X===================================================================
X--- nepenthes-core/src/FileLogger.cpp (Revision 2174)
X+++ nepenthes-core/src/FileLogger.cpp (Arbeitskopie)
X@@ -51,12 +51,18 @@
X
X FileLogger::~FileLogger()
X {
X+ if( m_Filename != NULL)
X+ free(m_Filename);
X+
X }
X
X
X void FileLogger::setLogFile(const char *filename)
X {
X- m_Filename = filename;
X+ if( m_Filename != NULL)
X+ free(m_Filename);
X+
X+ m_Filename = strdup(filename);
X }
X
X
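Review bot: setLogFile() now frees m_Filename before the strdup(), which is only safe if the constructor initialises m_Filename to NULL; the constructor sits above this hunk and is not visible, and since the old code never freed the member there is no guarantee it was ever zeroed, so the first call may free an indeterminate pointer. The strdup() result is not checked either, and a NULL `filename` makes strdup() dereference NULL. The `if (m_Filename != NULL)` guards are redundant because free(NULL) is a no-op: `free(m_Filename); m_Filename = strdup(filename);` followed by a failure check on the result is what this should look like.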
XIndex: nepenthes-core/src/RingFileLogger.cpp
X===================================================================
X--- nepenthes-core/src/RingFileLogger.cpp (Revision 2174)
X+++ nepenthes-core/src/RingFileLogger.cpp (Arbeitskopie)
X@@ -57,14 +57,31 @@
X
X RingFileLogger::~RingFileLogger()
X {
X- free(m_FirstFile);
X+ if (m_FileFormat != NULL)
X+ {
X+ free(m_FileFormat);
X+ }
X+
X+ if (m_FirstFile != NULL)
X+ {
X+ free(m_FirstFile);
X+ }
X }
X
X
X void RingFileLogger::setLogFileFormat(char *fmt)
X {
X- m_FileFormat = fmt;
X- free(m_FirstFile);
X+ if (m_FileFormat != NULL)
X+ {
X+ free(m_FileFormat);
X+ }
X+ m_FileFormat = strdup(fmt);
X+
X+
X+ if (m_FirstFile != NULL)
X+ {
X+ free(m_FirstFile);
X+ }
X asprintf(&m_FirstFile, m_FileFormat, 0);
X }
X
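Review bot: Same caveat as FileLogger: the destructor and setLogFileFormat() now free m_FileFormat, which is only safe if the constructor (outside this hunk) sets it to NULL — the previous code never freed it, so please confirm. The `!= NULL` guards around free() are redundant; the checks actually missing are on strdup() and on the retained `asprintf(&m_FirstFile, m_FileFormat, 0)`, whose return value is ignored so m_FirstFile is indeterminate on allocation failure (FreeBSD's asprintf NULLs it, glibc's does not). That asprintf() also uses the ring_logging_file string from nepenthes.conf as a printf format — administrator-controlled, so not remotely reachable, but a stray `%s` or `%n` in the config crashes the daemon; `asprintf(&m_FirstFile, m_FileFormat, 0)` deserves a comment saying the format must contain exactly one `%d`.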
XIndex: modules/vuln-dcom/vuln-dcom.cpp
X===================================================================
X--- modules/vuln-dcom/vuln-dcom.cpp (Revision 2174)
X+++ modules/vuln-dcom/vuln-dcom.cpp (Arbeitskopie)
X@@ -110,9 +110,11 @@
X // removed as they were not seen during the last 2 month and need a new pcre
X // m_ShellcodeHandlers.push_back( new SOL2KBind (m_Nepenthes->getShellcodeMgr()));
X // m_ShellcodeHandlers.push_back( new SOL2KConnect (m_Nepenthes->getShellcodeMgr()));
X- m_ShellcodeHandlers.push_back( new OC192Bind (m_Nepenthes->getShellcodeMgr()));
X
X+// replaced by adenau xor & Parthenstein Bind
X+// m_ShellcodeHandlers.push_back( new OC192Bind (m_Nepenthes->getShellcodeMgr()));
X
X+
X list <ShellcodeHandler *>::iterator handler;
X for (handler = m_ShellcodeHandlers.begin(); handler != m_ShellcodeHandlers.end(); handler++)
X {
XIndex: modules/shellcode-generic/sch_generic_xor.cpp
X===================================================================
X--- modules/shellcode-generic/sch_generic_xor.cpp (Revision 2174)
X+++ modules/shellcode-generic/sch_generic_xor.cpp (Arbeitskopie)
X@@ -86,29 +86,63 @@
X const char * pcreEerror;
X int32_t pcreErrorPos;
X
X- const char *test[]=
X+ XORPcreHelper test[7]=
X {
X- "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9(.*)$", // rbot 64k
X- "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80\\x73\\x0C(.)\\x43\\xE2\\xF9(.*)$", // rbot 265 byte
X- "\\xEB.\\xEB.\\xE8.*\\xB1(.).*\\x80..(.).*\\xE2.(.*)$", // generic mwcollect
X- "\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF(.*)$", // bielefeld
X- "\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9(.*)$", // halle
X-// "\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF(.*)$", // adenau xor
X-
X- NULL
X+ {
X+ "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$",
X+ "rbot 64k",
X+ 23
X+ },
X+ {
X+ "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80\\x73\\x0C(.)\\x43\\xE2\\xF9)(.*)$",
X+ "rbot 265 byte",
X+ 21
X+ },
X+ {
X+ "(.*)(\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$",
X+ "bielefeld",
X+ 14
X+ },
X+ {
X+ "(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$",
X+ "halle",
X+ 23
X+ },
X+ {
X+ "(.*)(\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF)(.*)$",
X+ "adenau xor"
X+ },
X+
X+ {
X+ "(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x8B\\xC5\\x83\\xC0\\x11\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$",
X+ "kaltenborn xor",
X+ 27
X+ },
X+ {
X+ "(.*)(\\xEB.\\xEB.\\xE8.*\\xB1(.).*\\x80..(.).*\\xE2.)(.*)$",
X+ "generic mwcollect",
X+ 20
X+
X+ }
X };
X
X- for( uint32_t i = 0; test[i]; i++ )
X+ for( uint32_t i = 0; i <= 6; i++ )
X {
X pcre *mypcre;
X- if((mypcre = pcre_compile(test[i], PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL)
X+ if((mypcre = pcre_compile(test[i].m_PCRE, PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL)
X {
X logCrit("GenericXOR could not compile pattern %i\n\t\"%s\"\n\t Error:\"%s\" at Position %u", i,
X test[i], pcreEerror, pcreErrorPos);
X return false;
X }else
X {
X- m_Pcres.push_back(mypcre);
X+ logDebug("Adding %s \n",test[i].m_Name);
X+ XORPcreContext *ctx = new XORPcreContext;
X+ ctx->m_Pcre = mypcre;
X+ ctx->m_Name = test[i].m_Name;
X+ ctx->m_Options = test[i].m_Options;
X+ m_Pcres.push_back(ctx);
X+
X logSpam("PCRE %i compiled \n",i);
X }
X }
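Review bot: The logCrit() in the failure branch still passes `test[i]` for the `"%s"` conversion, but test[i] is now an XORPcreHelper struct rather than a char pointer, so a pattern that fails to compile produces undefined behaviour in the varargs call instead of a diagnostic; it should be `test[i].m_PCRE`. The loop bound `i <= 6` is hard-coded against `test[7]` — `for (uint32_t i = 0; i < sizeof(test)/sizeof(test[0]); i++)` keeps the next added pattern from being silently skipped or the table overrun. The "adenau xor" entry omits m_Options from its initialiser; aggregate initialisation zero-fills it, which is fine if 0 means "no options", but an explicit `0` would make that intent visible.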
X@@ -120,7 +154,9 @@
X {
X while(m_Pcres.size()>0)
X {
X- pcre_free(m_Pcres.front());
X+
X+ pcre_free(m_Pcres.front()->m_Pcre);
X+ delete m_Pcres.front();
X m_Pcres.pop_front();
X }
X
X@@ -137,22 +173,31 @@
X uint32_t len = (*msg)->getSize();
X int32_t output[10 * 3];
X
X- list <pcre *>::iterator it;
X+ list <XORPcreContext *>::iterator it;
X uint32_t i;
X for (it=m_Pcres.begin(), i=0; it != m_Pcres.end();it++,i++)
X {
X int32_t result=0;
X- if((result = pcre_exec(*it, 0, (char *) shellcode, len, 0, 0, output, sizeof(output)/sizeof(int32_t))) > 0)
X+ if((result = pcre_exec((*it)->m_Pcre, 0, (char *) shellcode, len, 0, 0, output, sizeof(output)/sizeof(int32_t))) > 0)
X {
X // logSpam("PCRE %i %x matches %i \n",i,*it,result);
X+ const char *preload;
X+ uint32_t preloadSize;
X+ preloadSize = pcre_get_substring((char *) shellcode, output, result, 1, &preload);
X
X+
X+ const char *xordecoder;
X+ uint32_t xordecoderSize;
X+ xordecoderSize = pcre_get_substring((char *) shellcode, output, result, 2, &xordecoder);
X+
X+
X const char *match;
X byte key=0;
X uint32_t longkey=0;
X uint32_t keysize;
X uint32_t codesize = 0, codesizeLen, totalsize;
X
X- codesizeLen = pcre_get_substring((char *) shellcode, output, result, 1, &match);
X+ codesizeLen = pcre_get_substring((char *) shellcode, output, result, 3, &match);
X switch (codesizeLen )
X {
X case 4:
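Review bot: preloadSize and xordecoderSize are declared uint32_t, but pcre_get_substring() returns an int that is negative on failure (out of memory or no such substring); the sign is lost, the later memcpy into newshellcode would run with a size in the billions, and preload/xordecoder would then be handed to pcre_free_substring() uninitialised. The data being matched is shellcode taken straight from an attacker's connection, so this path is reachable by anyone who can talk to the sensor. Declare the sizes as `int`, check `< 0` immediately after each call and leave the handler before any copy; codesizeLen, keysize and totalsize in the following hunks have the same problem.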
X@@ -173,7 +218,7 @@
X
X
X
X- keysize = pcre_get_substring((char *) shellcode, output, result, 2, &match);
X+ keysize = pcre_get_substring((char *) shellcode, output, result, 4, &match);
X
X switch(keysize)
X {
X@@ -193,13 +238,14 @@
X
X
X
X- totalsize = pcre_get_substring((char *) shellcode, output, result, 3, &match);
X+ totalsize = pcre_get_substring((char *) shellcode, output, result, 5, &match);
X byte *decodedMessage = (byte *)malloc(totalsize);
X memcpy(decodedMessage, match, totalsize);
X pcre_free_substring(match);
X
X- logInfo("Detected generic XOR decoder #%i size length has %d bytes, size is %d, totalsize %d.\n",i, codesizeLen, codesize, totalsize);
X+ logInfo("Detected generic XOR decoder %s size length has %d bytes, size is %d, totalsize %d.\n",(*it)->m_Name.c_str(), codesizeLen, codesize, totalsize);
X
X+
X
X switch(keysize)
X {
X@@ -223,9 +269,18 @@
X break;
X }
X
X-
X+ char *newshellcode = (char *)malloc(len*sizeof(char));
X+ memset(newshellcode,0x90,len);
X+ memcpy(newshellcode,preload,preloadSize);
X
X- Message *newMessage = new Message((char *)decodedMessage, totalsize, (*msg)->getLocalPort(), (*msg)->getRemotePort(),
X+ memcpy(newshellcode+preloadSize+xordecoderSize,decodedMessage,totalsize);
X+
X+ pcre_free_substring(preload);
X+ pcre_free_substring(xordecoder);
X+
X+// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
X+
X+ Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(),
X (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket());
X
X delete *msg;
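Review bot: The two memcpy() calls into newshellcode assume preloadSize + xordecoderSize + totalsize never exceeds len, which holds only when all three pcre_get_substring() calls succeeded; none of those results is range-checked, the unsigned sum can wrap, and `malloc(len*sizeof(char))` is not checked for NULL — all on attacker-controlled input. Guard before copying, e.g. `if (newshellcode == NULL || preloadSize > len || xordecoderSize > len - preloadSize || totalsize > len - preloadSize - xordecoderSize)`, and on that path free decodedMessage, preload and xordecoder and return without re-processing. The 0x90 fill presumably rebuilds a buffer of the original length so that offsets in the decoded payload still line up for the next handler; a one-line comment stating that would save the next reader from guessing.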
X@@ -233,6 +288,7 @@
X *msg = newMessage;
X
X free(decodedMessage);
X+ free(newshellcode);
X return SCH_REPROCESS;
X }
X
XIndex: modules/shellcode-generic/sch_generic_xor.hpp
X===================================================================
X--- modules/shellcode-generic/sch_generic_xor.hpp (Revision 2174)
X+++ modules/shellcode-generic/sch_generic_xor.hpp (Arbeitskopie)
X@@ -30,12 +30,29 @@
X #ifndef HAVE_GENERICXOR_HPP
X #define HAVE_GENERICXOR_HPP
X
X+#include <stdint.h>
X #include <pcre.h>
X #include "ShellcodeHandler.hpp"
X
X
X namespace nepenthes
X {
X+ struct XORPcreHelper
X+ {
X+ char *m_PCRE;
X+ char *m_Name;
X+ uint16_t m_Options; // will use this later
X+
X+ };
X+
X+
X+ struct XORPcreContext
X+ {
X+ pcre *m_Pcre;
X+ string m_Name;
X+ uint16_t m_Options; //
X+ };
X+
X class GenericXOR : public ShellcodeHandler
X {
X public:
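Review bot: XORPcreHelper's `char *m_PCRE` and `char *m_Name` are only ever initialised from string literals in Init(), so they should be `const char *m_PCRE;` and `const char *m_Name;` — the literal-to-`char*` conversion is deprecated in C++ and any write through them would be undefined. `string m_Name` in XORPcreContext also depends on `<string>` and a `using namespace std` being pulled in by ShellcodeHandler.hpp, which this hunk does not show.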
X@@ -45,7 +62,7 @@
X bool Init();
X bool Exit();
X protected:
X- list <pcre*> m_Pcres;
X+ list <XORPcreContext *> m_Pcres;
X };
X }
X
XIndex: modules/shellcode-generic/sch_generic_unicode.cpp
X===================================================================
X--- modules/shellcode-generic/sch_generic_unicode.cpp (Revision 2174)
X+++ modules/shellcode-generic/sch_generic_unicode.cpp (Arbeitskopie)
X@@ -127,17 +127,18 @@
X }
X
X
X- logSpam("Got %i 00 %i -> %i bytes \n",maxuni,maxstart,maxstopp);
X+
X
X if ( maxuni > 2000 )
X {
X+ logInfo("Got unicode Exploit %i 00 %i -> %i bytes \n",maxuni,maxstart,maxstopp);
X
X-
X byte *output;
X uint32_t outputLen=0;
X
X unicodeTryDecode(shellcode, len, &output, &outputLen);
X
X+// g_Nepenthes->getUtilities()->hexdump(l_crit, output, outputLen);
X
X Message *newMessage = new Message((char *)output, outputLen, (*msg)->getLocalPort(), (*msg)->getRemotePort(),
X (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket());
XIndex: modules/shellcode-generic/shellcode-generic.conf.dist
X===================================================================
X--- modules/shellcode-generic/shellcode-generic.conf.dist (Revision 2174)
X+++ modules/shellcode-generic/shellcode-generic.conf.dist (Arbeitskopie)
X@@ -7,6 +7,15 @@
X
X "adenauBind",
X "\\x83\\xEC\\x34\\x8B\\xF4\\xE8\\x47\\x01\\x00\\x00\\x89\\x06\\xFF\\x36\\x68\\x8E\\x4E\\x0E\\xEC\\xE8\\x61\\x01\\x00\\x00\\x89\\x46\\x08\\xFF\\x36\\x68\\xAD\\xD9\\x05\\xCE\\xE8\\x52\\x01\\x00\\x00\\x89\\x46\\x0C\\x68\\x6C\\x6C\\x00\\x00\\x68\\x33\\x32\\x2E\\x64\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\x56\\x08\\x89\\x46\\x04\\xFF\\x36\\x68\\x72\\xFE\\xB3\\x16\\xE8\\x2D\\x01\\x00\\x00\\x89\\x46\\x10\\xFF\\x36\\x68\\x7E\\xD8\\xE2\\x73\\xE8\\x1E\\x01\\x00\\x00\\x89\\x46\\x14\\xFF\\x76\\x04\\x68\\xCB\\xED\\xFC\\x3B\\xE8\\x0E\\x01\\x00\\x00\\x89\\x46\\x18\\xFF\\x76\\x04\\x68\\xD9\\x09\\xF5\\xAD\\xE8\\xFE\\x00\\x00\\x00\\x89\\x46\\x1C\\xFF\\x76\\x04\\x68\\xA4\\x1A\\x70\\xC7\\xE8\\xEE\\x00\\x00\\x00\\x89\\x46\\x20\\xFF\\x76\\x04\\x68\\xA4\\xAD\\x2E\\xE9\\xE8\\xDE\\x00\\x00\\x00\\x89\\x46\\x24\\xFF\\x76\\x04\\x68\\xE5\\x49\\x86\\x49\\xE8\\xCE\\x00\\x00\\x00\\x89\\x46\\x28\\xFF\\x76\\x04\\x68\\xE7\\x79\\xC6\\x79\\xE8\\xBE\\x00\\x00\\x00\\x89\\x46\\x2C\\x33\\xFF\\x81\\xEC\\x90\\x01\\x00
\\x00\\x54\\x68\\x01\\x01\\x00\\x00\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0",
X+
X+ "kaltenbornBind"
X+ "\\xFF\\x56\\xF4\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\xF0\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\xEC\\x57\\x53\\xFF\\x56\\xE8\\x33\\xFF\\x57\\x51\\x53\\xFF\\x56\\xE2\\x8B\\xD0\\x89\\x46\\xBE\\x68\\x63\\x6D\\x64\\x00\\x89\\x66\\xC2\\x83\\xC4\\xAC\\x8D\\x3C\\x24\\x33\\xC0\\x33\\xC9\\x80\\xC1\\x15\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44\\x24\\x3D\\x89\\x54\\x24\\x48\\x89\\x54\\x24\\x4C\\x89\\x54\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x41\\x51\\x49\\x51\\x51\\xFF\\x76\\xC2\\x51\\xFF\\x56\\xCE\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\xD2\\x8B\\xC8\\xFF\\x76\\xBE\\xFF\\x56\\xD6\\xEB\\x9E\\xFF\\x56\\x14"
X+
X+ "wackerowBind"
X+ "\\xE8\\x7C\\x00\\x00\\x00\\x83\\xC6\\x0D\\x52\\x56\\xFF\\x57\\xFC\\x5A\\x8B\\xD8\\x6A\\x04\\x59\\xE8\\x69\\x00\\x00\\x00\\x50\\x50\\x50\\x50\\x6A\\x01\\x6A\\x02\\xFF\\x57\\xF0\\x8B\\xD8\\xC7\\x07\\x02\\x00(..)\\x33\\xC0\\x89\\x47\\x04\\x6A\\x10\\x57\\x53\\xFF\\x57\\xF4\\x6A\\x01\\x53\\xFF\\x57\\xF8\\x50\\x50\\x53\\xFF\\x57\\xFC\\x83\\xEC\\x44\\x8B\\xF4\\x33\\xDB\\x6A\\x10\\x59\\x89\\x1C\\x8E\\xE2\\xFB\\x89\\x46\\x38\\x89\\x46\\x3C\\x89\\x46\\x40\\xC7\\x46\\x2C\\x01\\x01\\x00\\x00\\x8D\\x47\\x10\\x50\\x56\\x53\\x53\\x53\\x6A\\x01\\x53\\x53\\xC7\\x47\\x3C\\x63\\x6D\\x64\\x00\\x8D\\x47\\x3C\\x50\\x53\\xFF\\x57\\xE4\\x50\\xFF\\x57\\xE8"
X+
X+ "parthensteinBind"
X+ "\\xFF\\x56\\x18\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xFF\\x56\\x1C\\x8B\\xD8\\x57\\x57\\x68\\x02\\x00(..)\\x8B\\xCC\\x6A\\x16\\x51\\x53\\xFF\\x56\\x20\\x57\\x53\\xFF\\x56\\x24\\x57\\x51\\x53\\xFF\\x56\\x28\\x8B\\xD0\\x68\\x65\\x78\\x65\\x00\\x68\\x63\\x6D\\x64\\x2E\\x89\\x66\\x30\\x83\\xEC\\x54\\x8D\\x3C\\x24\\x33\\xC0\\x33\\xC9\\x83\\xC1\\x15\\xAB\\xE2\\xFD\\xC6\\x44\\x24\\x10\\x44\\xFE\\x44\\x24\\x3D\\x89\\x54\\x24\\x48\\x89\\x54\\x24\\x4C\\x89\\x54\\x24\\x50\\x8D\\x44\\x24\\x10\\x54\\x50\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\xFF\\x76\\x30\\x51\\xFF\\x56\\x10\\x8B\\xCC\\x6A\\xFF\\xFF\\x31\\xFF\\x56\\x0C\\x8B\\xC8\\x57\\xFF\\x56\\x2C\\xFF\\x56\\x14"
X );
X
X
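Review bot: The three new entries are missing the commas that separate the name from its pattern and one pair from the next — compare `"adenauBind",` and the `",` that ends its pattern with `"kaltenbornBind"` followed directly by its pattern string. Unless the config parser treats adjacent strings as separate list elements, which the existing entry suggests it does not, this either fails to parse or merges the six strings into one unusable entry, and none of the new bind-shell signatures is ever loaded. Ending each of the six lines with `,` matches the existing entry, and the existing last entry already carried a trailing comma before `);`, so that is known to be accepted.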
XIndex: modules/shellcode-generic/sch_generic_cmd.cpp
X===================================================================
X--- modules/shellcode-generic/sch_generic_cmd.cpp (Revision 2174)
X+++ modules/shellcode-generic/sch_generic_cmd.cpp (Arbeitskopie)
X@@ -63,7 +63,7 @@
X
X bool GenericCMD::Init()
X {
X- const char *createprocesspcre = ".*(cmd.*/.*\\x00).*";
X+ const char *createprocesspcre = ".*(cmd.* /.*\\x00).*";
X const char * pcreEerror;
X int32_t pcreErrorPos;
X if((m_pcre = pcre_compile(createprocesspcre, PCRE_DOTALL, &pcreEerror, &pcreErrorPos, 0)) == NULL)
END-of-nepenthes-port/files/patch-logger-path-and-xor-and-additional-bindshell
echo x - nepenthes-port/files/patch-download-nepenthes-disconnect-fix
sed 's/^X//' >nepenthes-port/files/patch-download-nepenthes-disconnect-fix << 'END-of-nepenthes-port/files/patch-download-nepenthes-disconnect-fix'
XIndex: modules/download-nepenthes/DownloadNepenthesDialogue.cpp
X===================================================================
X--- modules/download-nepenthes/DownloadNepenthesDialogue.cpp (Revision 2187)
X+++ modules/download-nepenthes/DownloadNepenthesDialogue.cpp (Arbeitskopie)
X@@ -201,18 +201,26 @@
X */
X ConsumeLevel DownloadNepenthesDialogue::connectionShutdown(Message *msg)
X {
X- // the download is done, check if the md5sum matches the md5sum we were given;
X- string md5sum = g_Nepenthes->getUtilities()->md5sum(
X- m_Download->getDownloadBuffer()->getData(),
X- m_Download->getDownloadBuffer()->getSize());
X+ if ( m_Download != NULL )
X+ {
X
X- if (strncmp(m_MD5Sum.c_str(),md5sum.c_str(),32) != 0)
X- {
X- logInfo("file does not match its md5sum (%s <-> %s) \n",md5sum.c_str(),m_MD5Sum.c_str());
X+ // the download is done, check if the md5sum matches the md5sum we were given;
X+ string md5sum = g_Nepenthes->getUtilities()->md5sum(
X+ m_Download->getDownloadBuffer()->getData(),
X+ m_Download->getDownloadBuffer()->getSize());
X+
X+ if ( strncmp(m_MD5Sum.c_str(),md5sum.c_str(),32) != 0 )
X+ {
X+ logInfo("file does not match its md5sum (%s <-> %s) \n",md5sum.c_str(),m_MD5Sum.c_str());
X+ } else
X+ {
X+ logInfo("new file %s is done\n",m_MD5Sum.c_str());
X+ g_Nepenthes->getSubmitMgr()->addSubmission(m_Download);
X+ }
X }else
X {
X- logInfo("new file %s is done\n",m_MD5Sum.c_str());
X- g_Nepenthes->getSubmitMgr()->addSubmission(m_Download);
X+ uint32_t remotehost = msg->getRemoteHost();
X+ logCrit(" %s tried to fool download-nepenthes (connected without sending data)\n",inet_ntoa(*(in_addr *)&remotehost));
X }
X return CL_DROP;
X }
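Review bot: The new else branch logs at logCrit() for something any port scanner or half-open probe triggers — a connection to the download-nepenthes listener that closes without sending data — so an unauthenticated peer can fill the critical log level at will and a simple connect loop drowns the real alerts; logInfo() or logWarn() is the right level, and per-source rate limiting would be better still. `*(in_addr *)&remotehost` works in practice but aliases a uint32_t as in_addr; `in_addr a; a.s_addr = remotehost;` avoids the question. inet_ntoa() also returns a static buffer, so this is not safe if dialogues run on more than one thread, which this hunk does not show.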
END-of-nepenthes-port/files/patch-download-nepenthes-disconnect-fix
echo x - nepenthes-port/files/patch-malloc
sed 's/^X//' >nepenthes-port/files/patch-malloc << 'END-of-nepenthes-port/files/patch-malloc'
X--- ltmain.sh.orig Fri Dec 2 02:11:50 2005
X+++ ltmain.sh Fri Dec 2 02:12:12 2005
X@@ -4718,7 +4718,6 @@
X #include <stdio.h>
X #include <stdlib.h>
X #include <unistd.h>
X-#include <malloc.h>
X #include <stdarg.h>
X #include <assert.h>
X
X--- modules/submit-xmlrpc/XMLRPCParser.cpp.orig Fri Dec 2 02:16:50 2005
X+++ modules/submit-xmlrpc/XMLRPCParser.cpp Fri Dec 2 02:16:59 2005
X@@ -38,7 +38,6 @@
X #include <assert.h>
X #include <ctype.h>
X #include <stdint.h>
X-#include <malloc.h>
X #include <string.h>
X
X #ifndef HAVE_STRNDUP
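Review bot: Dropping `<malloc.h>` is right for FreeBSD, but malloc/free (and the local strndup guarded by `HAVE_STRNDUP` just below) then need `<stdlib.h>`, which is not among the includes visible in this hunk (assert, ctype, stdint, string). If it is not included further up the file, those functions become implicitly declared with an int return and pointers are truncated on amd64; replacing the removed line with `#include <stdlib.h>` is portable to both platforms.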
END-of-nepenthes-port/files/patch-malloc
echo x - nepenthes-port/distinfo
sed 's/^X//' >nepenthes-port/distinfo << 'END-of-nepenthes-port/distinfo'
XMD5 (nepenthes-0.1.3.tar.gz) = 19ea7bb0f300d89ead1f3ce35728e53e
XSIZE (nepenthes-0.1.3.tar.gz) = 774548
END-of-nepenthes-port/distinfo
echo x - nepenthes-port/pkg-descr
sed 's/^X//' >nepenthes-port/pkg-descr << 'END-of-nepenthes-port/pkg-descr'
XNepenthes detects malware activity on a network by acting as a
Xsensor (i.e. a honeypot): the program emulates well-known
Xvulnerabilities and waits for malicious connections that try to
Xexploit them.
X
XWWW: http://nepenthes.sourceforge.net/
END-of-nepenthes-port/pkg-descr
echo x - nepenthes-port/pkg-plist
sed 's/^X//' >nepenthes-port/pkg-plist << 'END-of-nepenthes-port/pkg-plist'
Xbin/nepenthes
Xetc/nepenthes/download-csend.conf
Xetc/nepenthes/download-curl.conf
Xetc/nepenthes/download-link.conf
Xetc/nepenthes/download-nepenthes.conf
Xetc/nepenthes/download-tftp.conf
Xetc/nepenthes/log-download.conf
Xetc/nepenthes/log-irc.conf
Xetc/nepenthes/log-surfnet.conf
Xetc/nepenthes/module-portwatch.conf
Xetc/nepenthes/nepenthes.conf
Xetc/nepenthes/nepenthes.conf.dist
Xetc/nepenthes/shellcode-generic.conf
Xetc/nepenthes/submit-file.conf
Xetc/nepenthes/submit-nepenthes.conf
Xetc/nepenthes/submit-norman.conf
Xetc/nepenthes/submit-xmlrpc.conf
Xetc/nepenthes/vuln-asn1.conf
Xetc/nepenthes/vuln-bagle.conf
Xetc/nepenthes/vuln-dameware.conf
Xetc/nepenthes/vuln-dcom.conf
Xetc/nepenthes/vuln-iis.conf
Xetc/nepenthes/vuln-kuang2.conf
Xetc/nepenthes/vuln-lsass.conf
Xetc/nepenthes/vuln-msmq.conf
Xetc/nepenthes/vuln-mssql.conf
Xetc/nepenthes/vuln-mydoom.conf
Xetc/nepenthes/vuln-netbiosname.conf
Xetc/nepenthes/vuln-netdde.conf
Xetc/nepenthes/vuln-optix.conf
Xetc/nepenthes/vuln-pnp.conf
Xetc/nepenthes/vuln-sasserftpd.conf
Xetc/nepenthes/vuln-ssh.conf
Xetc/nepenthes/vuln-sub7.conf
Xetc/nepenthes/vuln-upnp.conf
Xetc/nepenthes/vuln-veritas.conf
Xetc/nepenthes/vuln-wins.conf
Xetc/nepenthes/x-2.conf
Xlib/nepenthes/dnsresolveadns.a
Xlib/nepenthes/dnsresolveadns.la
Xlib/nepenthes/dnsresolveadns.so
Xlib/nepenthes/downloadcreceive.a
Xlib/nepenthes/downloadcreceive.la
Xlib/nepenthes/downloadcreceive.so
Xlib/nepenthes/downloadcsend.a
Xlib/nepenthes/downloadcsend.la
Xlib/nepenthes/downloadcsend.so
Xlib/nepenthes/downloadcurl.a
Xlib/nepenthes/downloadcurl.la
Xlib/nepenthes/downloadcurl.so
Xlib/nepenthes/downloadftp.a
Xlib/nepenthes/downloadftp.la
Xlib/nepenthes/downloadftp.so
Xlib/nepenthes/downloadhttp.a
Xlib/nepenthes/downloadhttp.la
Xlib/nepenthes/downloadhttp.so
Xlib/nepenthes/downloadlink.a
Xlib/nepenthes/downloadlink.la
Xlib/nepenthes/downloadlink.so
Xlib/nepenthes/downloadnepenthes.a
Xlib/nepenthes/downloadnepenthes.la
Xlib/nepenthes/downloadnepenthes.so
Xlib/nepenthes/downloadtftp.a
Xlib/nepenthes/downloadtftp.la
Xlib/nepenthes/downloadtftp.so
Xlib/nepenthes/geolocationgeoip.a
Xlib/nepenthes/geolocationgeoip.la
Xlib/nepenthes/geolocationgeoip.so
Xlib/nepenthes/geolocationhostip.a
Xlib/nepenthes/geolocationhostip.la
Xlib/nepenthes/geolocationhostip.so
Xlib/nepenthes/geolocationip2location.a
Xlib/nepenthes/geolocationip2location.la
Xlib/nepenthes/geolocationip2location.so
Xlib/nepenthes/logdownload.a
Xlib/nepenthes/logdownload.la
Xlib/nepenthes/logdownload.so
Xlib/nepenthes/logirc.a
Xlib/nepenthes/logirc.la
Xlib/nepenthes/logirc.so
Xlib/nepenthes/logsurfnet.a
Xlib/nepenthes/logsurfnet.la
Xlib/nepenthes/logsurfnet.so
Xlib/nepenthes/moduleportwatch.a
Xlib/nepenthes/moduleportwatch.la
Xlib/nepenthes/moduleportwatch.so
Xlib/nepenthes/shellcodegeneric.a
Xlib/nepenthes/shellcodegeneric.la
Xlib/nepenthes/shellcodegeneric.so
Xlib/nepenthes/shellemuwinnt.a
Xlib/nepenthes/shellemuwinnt.la
Xlib/nepenthes/shellemuwinnt.so
Xlib/nepenthes/submitfile.a
Xlib/nepenthes/submitfile.la
Xlib/nepenthes/submitfile.so
Xlib/nepenthes/submitnepenthes.a
Xlib/nepenthes/submitnepenthes.la
Xlib/nepenthes/submitnepenthes.so
Xlib/nepenthes/submitnorman.a
Xlib/nepenthes/submitnorman.la
Xlib/nepenthes/submitnorman.so
Xlib/nepenthes/submitxmlrpc.a
Xlib/nepenthes/submitxmlrpc.la
Xlib/nepenthes/submitxmlrpc.so
Xlib/nepenthes/uploadhttp.a
Xlib/nepenthes/uploadhttp.la
Xlib/nepenthes/uploadhttp.so
Xlib/nepenthes/vulnasn1.a
Xlib/nepenthes/vulnasn1.la
Xlib/nepenthes/vulnasn1.so
Xlib/nepenthes/vulnbagle.a
Xlib/nepenthes/vulnbagle.la
Xlib/nepenthes/vulnbagle.so
Xlib/nepenthes/vulndameware.a
Xlib/nepenthes/vulndameware.la
Xlib/nepenthes/vulndameware.so
Xlib/nepenthes/vulndcom.a
Xlib/nepenthes/vulndcom.la
Xlib/nepenthes/vulndcom.so
Xlib/nepenthes/vulniis.a
Xlib/nepenthes/vulniis.la
Xlib/nepenthes/vulniis.so
Xlib/nepenthes/vulnkuang2.a
Xlib/nepenthes/vulnkuang2.la
Xlib/nepenthes/vulnkuang2.so
Xlib/nepenthes/vulnlsass.a
Xlib/nepenthes/vulnlsass.la
Xlib/nepenthes/vulnlsass.so
Xlib/nepenthes/vulnmsmq.a
Xlib/nepenthes/vulnmsmq.la
Xlib/nepenthes/vulnmsmq.so
Xlib/nepenthes/vulnmssql.a
Xlib/nepenthes/vulnmssql.la
Xlib/nepenthes/vulnmssql.so
Xlib/nepenthes/vulnmydoom.a
Xlib/nepenthes/vulnmydoom.la
Xlib/nepenthes/vulnmydoom.so
Xlib/nepenthes/vulnnetbiosname.a
Xlib/nepenthes/vulnnetbiosname.la
Xlib/nepenthes/vulnnetbiosname.so
Xlib/nepenthes/vulnnetdde.a
Xlib/nepenthes/vulnnetdde.la
Xlib/nepenthes/vulnnetdde.so
Xlib/nepenthes/vulnoptix.a
Xlib/nepenthes/vulnoptix.la
Xlib/nepenthes/vulnoptix.so
Xlib/nepenthes/vulnpnp.a
Xlib/nepenthes/vulnpnp.la
Xlib/nepenthes/vulnpnp.so
Xlib/nepenthes/vulnsasserftpd.a
Xlib/nepenthes/vulnsasserftpd.la
Xlib/nepenthes/vulnsasserftpd.so
Xlib/nepenthes/vulnssh.a
Xlib/nepenthes/vulnssh.la
Xlib/nepenthes/vulnssh.so
Xlib/nepenthes/vulnsub7.a
Xlib/nepenthes/vulnsub7.la
Xlib/nepenthes/vulnsub7.so
Xlib/nepenthes/vulnupnp.a
Xlib/nepenthes/vulnupnp.la
Xlib/nepenthes/vulnupnp.so
Xlib/nepenthes/vulnveritas.a
Xlib/nepenthes/vulnveritas.la
Xlib/nepenthes/vulnveritas.so
Xlib/nepenthes/vulnwins.a
Xlib/nepenthes/vulnwins.la
Xlib/nepenthes/vulnwins.so
Xlib/nepenthes/x1.a
Xlib/nepenthes/x1.la
Xlib/nepenthes/x1.so
Xlib/nepenthes/x2.a
Xlib/nepenthes/x2.la
Xlib/nepenthes/x2.so
Xlib/nepenthes/x3.a
Xlib/nepenthes/x3.la
Xlib/nepenthes/x3.so
Xlib/nepenthes/x4.a
Xlib/nepenthes/x4.la
Xlib/nepenthes/x4.so
Xlib/nepenthes/x5.a
Xlib/nepenthes/x5.la
Xlib/nepenthes/x5.so
Xlib/nepenthes/x6.a
Xlib/nepenthes/x6.la
Xlib/nepenthes/x6.so
Xlib/nepenthes/x7.a
Xlib/nepenthes/x7.la
Xlib/nepenthes/x7.so
Xlib/nepenthes/x8.a
Xlib/nepenthes/x8.la
Xlib/nepenthes/x8.so
Xshare/nepenthes/doc/README
Xshare/nepenthes/doc/README.VFS
Xshare/nepenthes/doc/logo-shaded.svg
X@dirrm etc/nepenthes
X@dirrm lib/nepenthes
X@dirrm share/nepenthes
X@dirrm var/cache/nepenthes
END-of-nepenthes-port/pkg-plist
echo x - nepenthes-port/Makefile
sed 's/^X//' >nepenthes-port/Makefile << 'END-of-nepenthes-port/Makefile'
X# Ports collection makefile for: nepenthes
X# Date created: 1 Dec 2005
X# Whom: ryo
X#
X# $FreeBSD$
X#
X# Builds nepenthes 0.1.3 with the local patches in files/.
X#
X# NOTE(review): files/patch-log points the daemon at var/log/nepenthes/,
X# var/nepenthes/binaries/ and var/nepenthes/hexdumps/, yet neither this
X# Makefile nor pkg-plist creates those directories (the plist only has a
X# @dirrm for var/cache/nepenthes, which nothing here references).  Unless
X# nepenthes creates them itself, they have to exist before first start;
X# binaries/ receives the captured malware samples, so keep it root-only.
X
XPORTNAME= nepenthes
XPORTVERSION= 0.1.3
XCATEGORIES= net
XMASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
XMASTER_SITE_SUBDIR= nepenthes
X
XMAINTAINER= ryo at aquahill.net
XCOMMENT= Determine the malware activity on a network
X
X# Shared libraries the core and modules link against.
XLIB_DEPENDS= curl.3:${PORTSDIR}/ftp/curl \
X magic.1:${PORTSDIR}/sysutils/file \
X pcre.0:${PORTSDIR}/devel/pcre \
X adns.1:${PORTSDIR}/dns/adns
X
X# While this stays commented out, files/nepenthes.sh.in is never
X# installed and its %%PREFIX%%/%%RC_SUBR%% placeholders are never filled.
X#USE_RC_SUBR= nepenthes.sh
X
XGNU_CONFIGURE= yes
XCONFIGURE_TARGET=--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
X# Presumably enables the vuln-ssh module that pkg-plist lists.
XCONFIGURE_ARGS+= --enable-ssh
X
XMAN8= nepenthes.8
X
X.include <bsd.port.mk>
END-of-nepenthes-port/Makefile
exit
>Release-Note:
>Audit-Trail:
>Unformatted: