[Dshield] buffer overflow?

Keith Smith keith.smith at keiths-place.com
Fri Nov 16 00:33:52 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad
> > request line
> >
> >'BBì¿í¿î¿ï¿XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302
> > $n%.192u%303$n
> > ....
>
> Did you capture any commands starting with 'UFU'? If so,
> please forward
> the URL it sends off list. I also got a little perl honeypot
> to capture
> just these sub7 probes in case yours doesn't do the initial dialog.


I'm not so sure that it's Sub7; the "SERVER[4302]" string in the log
looks like a host and port number - rather than a host and process
ID.  Especially when Google turned up the following for "port 4302":

http://www.woodstone.nu/wrcmd/

<sample text>

Typical commandline
wrcmdc /wrcmds=the_server /rport=4302 /user=myuser /pwd=mypassword
/cmd=c:\batch\execute.bat /run=true

=> the client will connect to the_server on port 4302, authenticate
itself as myuser (with password mypassword) and ask the server to
execute c:\batch\execute.bat
You will only need the username and password if you configure the
server to use authentication.

The communication between the client and the server is done via 1 TCP
port, the default is 4302 (this can be changed via the configurator
for the server and via the commandline/GUI for the client). The
communication is encrypted, it's the server that selects the
encryption schema and encryption password. Both are valid for ONE
session only. The server can be configured to accept connections from
all IPs or from just some IPs. Server can also be configured to use
authentication.

</sample text>


I suspect someone might have found a buffer overflow for WRCMDS.


Regards,
Keith.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO/Re8L0tREWslyrAEQI0UACfePe7E6wzEFk7zasJCdECOD5z4D8AoMiT
EnS1uNTwIJg0M2lQBrELb5Ez
=xTHx
-----END PGP SIGNATURE-----
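Added example, not part of the original post or of the WRCMDS product: the request quoted at the top of the thread ends in `%.172u%300$n%.17u%301$n...`, and that shape (padded `%u` conversions alternating with positional `%N$n` directives, which write a byte count to memory) is the classic signature of a format-string attack against a service that passes client input to a printf-style function. The scanner below parses syslog-style lines like the one Keith quotes, extracts the quoted request, and flags any request containing `%n` directives, reporting how many use direct parameter access and how much padding they request so an analyst can triage. The log lines are constructed for the example; the first mirrors the quoted entry with its non-printable bytes replaced by `?`, and the `Finding` type and function names are the example's own.

```python
"""Flag format-string attack signatures in request logs (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Syslog-style line: "Mon DD HH:MM:SS host prog[tag]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<tag>\d+)\])?: (?P<msg>.*)$"
)

# printf-style directive: %[N$][flags][width][.precision]conversion
# (length modifiers such as 'l' are not needed for this signature).
DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?"        # optional positional argument, e.g. 300$
    r"(?P<flags>[-+ #0]*)"
    r"(?P<width>\d+|\*)?"
    r"(?:\.(?P<prec>\d+|\*))?"
    r"(?P<conv>[diouxXeEfgGcspn%])"
)


@dataclass
class Finding:
    n_writes: int      # number of %n directives (each is a memory write)
    positional: int    # of those, how many use N$ direct parameter access
    padding: int       # total width/precision bytes requested before the writes
    suspicious: bool


def scan_request(text: str) -> Finding:
    """Count %n directives in a request body; any %n is enough to flag it."""
    n_writes = positional = padding = 0
    for m in DIRECTIVE.finditer(text):
        conv = m.group("conv")
        if conv == "%":
            continue                      # literal percent sign
        if conv == "n":
            n_writes += 1
            if m.group("pos"):
                positional += 1
        for grp in ("width", "prec"):     # padding controls the value %n writes
            v = m.group(grp)
            if v and v != "*":
                padding += int(v)
    # Legitimate request lines never need %n. URL-encoding (e.g. %25) can look
    # like a width, so padding alone is reported but does not trigger the flag.
    return Finding(n_writes, positional, padding, suspicious=n_writes >= 1)


def scan_log(lines: List[str]) -> List[dict]:
    """Return one record per suspicious line, with program and bracketed tag."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m.group("msg")
        # The daemon logs the offending request inside single quotes; fall
        # back to the whole message when no quoted part is present.
        q = re.search(r"'(.*)'", msg, re.S)
        body = q.group(1) if q else msg
        finding = scan_request(body)
        if finding.suspicious:
            hits.append({"line": lineno, "prog": m.group("prog"),
                         "tag": m.group("tag"), "finding": finding})
    return hits


# Constructed sample lines (not real captures). The first mirrors the entry
# quoted in the post, with non-printable bytes replaced by '?'.
SAMPLE_LOG = [
    "Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line "
    "'BB????XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n'",
    "Nov 14 20:44:02 hostname SERVER[4302]: Dispatch_input: bad request line "
    "'GET /index.html?done=100%25 HTTP/1.0'",
    "Nov 14 20:45:10 hostname sshd[812]: Accepted password for alice from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        f = hit["finding"]
        print(f"line {hit['line']}: {hit['prog']}[{hit['tag']}] "
              f"{f.n_writes} %n writes ({f.positional} positional), "
              f"{f.padding} bytes of padding")
```

Run it and only the first sample line is reported (four `%n` writes, all positional, 634 bytes of padding); the benign `%25` in the second line is parsed as a width but does not trigger the flag. The bracketed number is reported verbatim because, as the post notes, whether it is a PID or a port depends on the daemon's logging convention.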