DEFCON 12

home *** CD-ROM | disk | FTP | other *** search

/ DEFCON 12 / DEFCON_12_CD-ROM_2004.iso / Holz-Dornseif-Klein / NoSEBrEaKer.py < prev

Wrap

Text File | 2004-07-07 | 11KB | 319 lines

#!/usr/bin/python """NoSEBrEaKer.py - Python 2.3 demostration of Sebek detection and extraction of Sebeks internal data. See http://md.hudora.de/publications/index.html#NoSEBrEaK for further information.""" __rcsid__ = "$Id$" # NoSEBrEaKer.py by Maximillian Dornseif, Thorsten Holz & Christian Klein spring 2004 # proof of concept code - do not use. # kudos to madsys for module_hunter.c import struct, socket debug = False symbolTable = {} def readSymbolTable(): """Read the kernel symbol table and keep it in a global variable named symbolTable.""" global symbolTable fd = open("/proc/ksyms", "r") for x in fd: x = x.split() addr = long(x[0], 16) symbol = x[1] symbolTable[symbol] = addr fd.close() def getSymbol(symbol): """Get a symbol from the symbol table.""" return symbolTable[symbol] def readKmem(addr, length): """Read 'length' bytes from kernel memory at 'addr'.""" fd = open("/dev/kmem", "r") fd.seek(addr) return fd.read(length) def readKmemString(addr): """Read from kmem at 'addr' until \0 is found.""" fd = open("/dev/kmem", "r") fd.seek(addr) out = [] while 1: out.append(fd.read(1)) if not out[-1] or out[-1] == '\0': out = out[:-1] break if len(out) > 512: out.append(" ...") break return "".join(out) def getSymbolUint(symbol): addr = getSymbol(symbol) data = readKmem(addr, 4) return struct.unpack("I", data)[0] def validKernelAddr(addr): """Checks if a number represents a valid address in the kernel""" if not addr: return None if addr < VMALLOC_START: return None return True # possible more elaborate code from module_hunter.c: """ page = ((unsigned long *)0xc0101000)[address >> 22]; if (page & 1) { page &= PAGE_MASK; address &= 0x003ff000; page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT]; //pte if (page) return 1; } return None """ def parseModule(data, addr = 0): """Try to parse a chunk of memory as an module""" """struct module { unsigned long size_of_struct; /* == sizeof(module) == 96 on my machine */ struct module *next; const char *name; unsigned long size; union { atomic_t usecount; long pad; } uc; /* Needs to keep its size - so says rth */ unsigned long flags; /* AUTOCLEAN et al */ unsigned nsyms; unsigned ndeps; struct module_symbol *syms; struct module_ref *deps; struct module_ref *refs; int (*init)(void); void (*cleanup)(void); """ # unpack possible module header size_of_struct, nextm, nameaddr, size, usecount, flags, \ nsymsm, ndeps, syms, deps, refs, init, cleanup \ = struct.unpack("LIILlLIIIIIII", data[:52]) if size == 0: if debug: print '"size == 0"' return None # check if data is valid if size_of_struct > 256 or size_of_struct < 52: # on my system size_of_struct == 96 if debug: print '"size_of_struct > 256 or size_of_struct < 52"' return None #if size_of_struct != 96: # return None if size > 1024*1024: if debug: print '"size > 1024*1024"' # there should be no kernel modules bigger than 1M return None if (size_of_struct & nextm & nameaddr & size) == 0xffffffffL: if debug: print '"(size_of_struct & nextm & nameaddr & size) == 0xffffffffL"' return None if not (validKernelAddr(nextm) or (nextm == 0)): if debug: print '"not (validKernelAddr(nextm) or (nextm == 0))"' return None if not (validKernelAddr(nameaddr)): if debug: print '"not (validKernelAddr(nameaddr))"' return None name = readKmemString(nameaddr) # check for sebek # we also could look for the string which is in sebek " face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed\n" # usualy sebec has a numeric only name. we might want to check for that #if not name.isdigit(): # if debug: # print 'module name is not strictly numeric' # return if usecount == 0 and nsymsm == 0 and syms == 0 and refs == 0: if debug: print print "*** suspected sebek module at %x named %r, size %d bytes" % (addr, name, size) # Guess Sebek Variables. # The Sebeck 2.1.7 data block can be up to 256 ints (1024 bytes) big. # We assume it starts minimum 320 bytes after the module name and # maximum 400 bytes. Add more fuzz to this values for other versions. minimumblockoffset = 320 intstoread = 256 + 20 block = struct.unpack("I" * intstoread, readKmem(nameaddr+320, intstoread*4)) ports = [] macs = [] ips = [] magics = [] for x in block: if x != 0: if x <= 0xff: macs.append(int(x)) if x <= 0xffff and x > 0xff: ports.append(int(x)) if x > 0xffff: ips.append(x) magics.append(x) ports.sort() macs.sort() ips.sort() magics.sort() ips = [socket.inet_ntoa(struct.pack("I", x)) for x in ips] ips.sort() print "* possible mac fragments: %s" % ", ".join([hex(x).strip("L")[2:] for x in macs]) print "* possible ports: %s" % ", ".join([str(x) for x in ports]) print " or: %s" % ", ".join([str(x) for x in macs]) print "* possibles ips:", for ip in ips: if not ip.startswith("0.") and not ip.endswith(".0") \ and int(ip.split('.')[0]) < 224 : print "%s," % ip, print "\n* or:", for ip in ips: if not ip.startswith("0.") and ip.endswith(".0") \ and int(ip.split('.')[0]) < 224 : print "%s," % ip, print print "* possible magic values: %s" % ", ".join([hex(x).strip("L")[2:] for x in magics]) print "* or: %s" % ", ".join([str(x) for x in ports]) print "* or: %s" % ", ".join([str(x) for x in macs]) print "* init() = %x ; cleanup() = %x" % (init, cleanup) #print size_of_struct, hex(nextm), hex(nameaddr), size, usecount, flags, \ # nsymsm, ndeps, hex(syms), hex(deps), refs, hex(init), hex(cleanup) if sys_write > addr and sys_write < addr + size: print "* sys_write is hijacked into a function in this module!" return True def getSyscalltable(): """Find the syscall table.""" # The Linux folks have decided in their wisdom to remove the # kernel symbol pointing to the syscall table in newer linux # versions. So be have to reconstruct the adresst by searching # memory between two known symbols for something which looks like # the syscall_table global sys_read, sys_write, sys_open # this symbols are reconstructed above distance = boot_cpu_data_addr - loops_per_jiffy_addr print "loops_per_jiffy = %x, boot_cpu_data = %x, distance = %x" % (loops_per_jiffy_addr, \ boot_cpu_data_addr, distance) # this kernel might actually have a symmbol for the syscall_table try: sys_call_table_addr = getSymbol("sys_call_table") print "sys_call_table claimed to be at %x, verifying ..." % sys_call_table_addr except: pass # loop over the memory between loops_per_jiffy_addr and # boot_cpu_data_addr and check if something looks like the syscall # table. data = readKmem(loops_per_jiffy_addr, distance) p = 0 while 1: p += 2 if p+4 > distance: raise RuntimeError, "syscall table not found" # if this looks like there is a valid pointer to sys_close in # the assumed syscall_table we go for it and assume that this # is really the syscall table. a = struct.unpack("I", data[p + (NR_close * 4):p + (NR_close * 4) + 4])[0] if a == sys_close_addr: print "sys_call_table found at %x" % (loops_per_jiffy_addr + p) break # now read the whole table and set certain variables to the corrospondending syscalls sys_call_table = readKmem(getSymbol("sys_call_table"), 256*4) sys_read = struct.unpack("I", sys_call_table[((NR_read) * 4):((NR_read) * 4) + 4])[0] sys_write = struct.unpack("I", sys_call_table[((NR_write) * 4):((NR_write) * 4) + 4])[0] sys_open = struct.unpack("I", sys_call_table[((NR_open) * 4):((NR_open) * 4) + 4])[0] print "sys_read = %x sys_write = %x sys_open = %x" % (sys_read, sys_write, sys_open) if abs(sys_read - sys_write) > 4096: print "syscalls are far apart ... probably sys_write is hijacked" # indices in the syscall table NR_read = 3 NR_write = 4 NR_open = 5 NR_close = 6 def main(): global high_memory, loops_per_jiffy_addr, boot_cpu_data_addr, sys_close_addr global VMALLOC_OFFSET, VMALLOC_START, VMALLOC_RESERVE print "reading kernel symmbol table ...", readSymbolTable() print "done" print "resolving variables:", high_memory = getSymbolUint("high_memory") print "high_memory", loops_per_jiffy_addr = getSymbol("loops_per_jiffy") print "loops_per_jiffy_addr", boot_cpu_data_addr = getSymbol("boot_cpu_data") print "boot_cpu_data", sys_close_addr = getSymbol("sys_close") print "sys_close" VMALLOC_OFFSET = 8 * 1024 * 1024 VMALLOC_START = (high_memory + (2 * VMALLOC_OFFSET) - 1) & (~(VMALLOC_OFFSET - 1)) VMALLOC_RESERVE = 128 << 20 PAGE_SHIFT = 12L PAGE_SIZE = 1L << PAGE_SHIFT getSyscalltable() # Check all possiblelocations where vmalloc could have reserved # space for the Sebek module. The assumptions this is based on # might be wrong for non-Intel architectures or Linux with BIGMEM. p = VMALLOC_START while(p <= VMALLOC_START + VMALLOC_RESERVE - PAGE_SIZE): p = p + PAGE_SIZE data = readKmem(p, 4096) if data: # try to pase the data as an module header. if debug: print 'checking vmalloc %x' % p, if parseModule(data, p): break main()