New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exploit module for nginx chunked stack buffer overflow. #1834
Conversation
Hi, |
I'd definitely be willing to give it a go. I actually started looking at Ubuntu 12.04 LTS after sending this request and noticed the same thing. I'll try to take more of a look at it this weekend unless someone has already found a solution. |
Small Changes
… based on msftidy warnings
…stack canary value on targets with stack canaries
Running against a fully updated Ubuntu 13.04 against 1.4.0 compiled from source: [] Bruteforcing byte 2 [] Bruteforcing byte 3 [*] Canary found: 0xde277900 [] Sending 2048 byte payload at base 0xb7470000 |
Normally I do, but currently that causes it to fail. I figured I would get it up here and then deal with that later. As far as detection, most devices are going to alert on the screwed up chunk size. |
Added Options for libc base and canary
…equest by hand and updated all offsets for targets
… libraries and fixing version check
New target: Debian Squeeze
Hi @saelo and @linuxgeek247 . It s an awesome contribution! Thank you very much! I couldn't resist to join this collaboration effort if you don't mind :$ Tried a GOT dereferencing attack in order to avoid the libc brute forcing attack. Since nginx compiles with NO PIE by default looks like a good approach in order to avoid the brute force attack. I've implemented it for nginx 1.4.0 compiled (default options) on Debian Squeeze. It's available on this branch so you can give it a look and share your opinion: https://github.com/jvazquez-r7/metasploit-framework/commits/nginx_got_dereferencing The commit for my mod module is also here: The module working:
What do you think? I must to admit in my opinion the exploit is more reliable using the GOT dereference over the brute force attack. So if you agree we could migrate the current module to use this technique. Or maybe mix targets and allow both GOT dereferencing and brute force attack :) Again, thanks very much for the effort! It's kinda awesome. |
It's definitely much faster. I never actually thought to do that but it makes sense. The only thing I'm fuzzy on is the purpose of using the offset between localtime_r to system. What's the purpose of that versus just using the system got address? Thanks very much. This should simplify things greatly. |
Scratch that. I see what you are doing. I just couldn't figure out what the point of the 0x5d5b14c4 was for. |
@linuxgeek247 there isn't system in the nginx GOT, because of that we're using the localtime_r one and calculating the system address having into account the libc offset. The 0x5d5b14c4 offset is because of the "add eax, [ebx+0x5d5b14c4] # ret" gadget. This gadget allows to get on eax the system address if you previously have the localtime_r address (you can get it from the nginx got) and the offset (it's libc specific, so target specific, not a big deal because the curent exploit is also target specific when leaking the libc address) :) I'm going to work on this today, would like to merge both approaches, brute forcing targets and got dereferencing targets, and land one first version into the framework! :) Seriously, kinda awesome work guys! :) |
I'm actually migrating your got approach for Ubuntu right now. The only difference is the canary bruteforce. Just finishing up the store function now. Would it be better to create rop xml files for this or just store them in the target hash since they are so much smaller? |
Hi @linuxgeek247 I think storing them in the target hash would be better in this case :) Oka, I wait to your new version and then will work on cleaning it if necessary before merging! thanks @linuxgeek247 !!! Kinda hard work! Just ping me if you need help while coding it. Also, I'm available at freenode, metasploit channel, in case you would like to discuss any detail! |
Or better, ad a function for generating the rop for every target, and in the target hash meta information, just keep a callback to the correct function to call when generating the rop :). Since ROP chains for these approachs are smaller I feel comfortable adding them in the code. |
I've got everything updated now. I've removed RHEL and Cali for now. I'm going to close this pull request and open a clean request. |
Sounds good, can't wait to look into it and hopefully merge :) |
I believe there is an |
Not directly I guess but opens the door to a possible ROP shellcode :) |
i compile nginx 1.4.0 on kaili 1.0 and ubuntu 12.04,then i test this exp,but it does not work. who guys can tell how to make a vulnerable evironment? my email:448354223@qq.com . think you very much. |
currently available targets are debian squeeze and ubuntu 13.04 (both 32bit), can you try one of those and see if it works for you? |
@saelo i test ubuntu 13.04 today,but i failt to exploit by use nginx 1.4.0.is there some other config needed to do during compile nginx? |
@niubl Ok, interesting. You compiled the version from their mercurial repository? The ROP gadgets in the current exploit didn't work for me either (apparently for the others though), can you check if my version works for you? You can find it here: https://github.com/saelo/metasploit-framework/commit/b06061240a6712a19382be5a8c911be4a764188f |
@saelo this my steps: Module options (exploit/linux/http/nginx_chunked_size): Name Current Setting Required Description RHOST 10.1.11.3 yes The target address Payload options (generic/shell_bind_tcp): Name Current Setting Required Description LPORT 9999 yes The listen port Exploit target: Id Name 0 Ubuntu 13.04 32bit - nginx 1.4.0 msf exploit(nginx_chunked_size) > exploit [] Started bind handler msf exploit(nginx_chunked_size) > sessions Active sessionsNo active sessions. |
You can find me in the metasploit IRC channel (with this nick), lets talk there :) |
I'm getting the sames problems as niubl, downloaded and installed version 1.4.0, tryed to exploit but failt with official module and saelo one (working on ubuntu 13.04 32bit). Any compiler options needed? |
@inode- can you meet me in IRC, too? No special compiler options should be needed. |
@saelo I'm in, nickname odfijoisjsodifjs |
General AnnouncementIf you are having trouble getting the exploit to work please make sure you compile with support for pcre and zlib by installing libpcre++-dev and zlib1g-dev in ubuntu :) |
@saelo @jvazquez-r7 The following expriment is on Ubuntu 16.04-32bit
I start nginx using
It seems that nginx is rejecting the connection. I am sure I have disabled the firewall and Actually, if I test this DoS_poc, I get Did you do any modification(maybe a subtle one) to the configuration during the install process? Because I can't reproduce it both in Ubuntu and CentOS, and I have no idea about it. BTW, I have already installed libpcre++-devand zlib1g-dev using Thanks. |
What version of nginx are you attempting to run this on? |
It's 1.4.0, I downloaded from exploit-db And the dos_poc.c is from this link of exploit-db. |
It could be a number of issues. As you said, it could be a configuration issue but I have no idea what that would be. I think more likely, it's either your compiled version wasn't built with stack canaries or the offset to the stack canary is different than your chosen target. If you include a stack trace it might be more obvious what the issue is. In either case, the ROP chains defined in the metasploit module will more than likely not work for you and you will need to find their equivalent gadgets on your system. |
At first, I doubt a problem of the address of gadgets, but I find out that when I run To be more precise, the script will try 5 times by default, and the first try will get the response of
(P.S., it causes an timeout exception in the script, so I test it manually using wget and find it stuck here) After that, any connection to nginx will get stuck at the same place, no matter using wget or curl. If it is the problem of the address, I think it should cause a crash rather than just get stuck. However, I'm not familiar with nginx, is this the expected response? |
So unfortunately, I have no idea what your dos_poc.py is trying to do but from your error previously: That seems that the connection with reset implying that the application did crash. Keep in mind, that without a debugger following the handling forked PID, you will not see any difference as nginx is forking to handle connections. It will appear as if nginx closed the connection but since it is not returning any kind of HTTP error code and resetting the connection I would assume that you are actually crashing the application. |
That sounds reasonable. I'll modify the address and try again. Thanks a lot. |
Steps to reproduceHow'd you do it?
This section should also tell us any relevant information about the Expected behaviorWhat should happen? You might also want to check the last ~1k lines of The framework.log displays the following: [07/20/2017 17:09:45] [w(0)] core: /usr/src/metasploit-framework/modules/exploits/linux/http/nginx_chunked_size_no_brute.rb generated a warning during load: Edit: Would there be a way to determine the stack canary without Brute Forcing it? This is what I am seeing: [] 10.222.10.51:8806 - Searching for stack canary It seems the brute forcing of the stack canary is not working for some reason. Does someone have the steps they took to set this up and produce the correct results? |
Hi I am experiencing the same problem as previous guys. I am pretty sure that I have install all the library when I compiled nginx 1.4.0 from exploitdb website. And I am running the exploit on Ubuntu 13.04 32 bit. Here is the result I get: msf5 exploit(linux/http/nginx_chunked_size) > show options Module options (exploit/linux/http/nginx_chunked_size): Name Current Setting Required Description RHOSTS 0.0.0.0 yes The target address range or CIDR identifier Payload options (cmd/unix/bind_netcat): Name Current Setting Required Description LPORT 4444 yes The listen port Exploit target: Id Name 0 Ubuntu 13.04 32bit - nginx 1.4.0 msf5 exploit(linux/http/nginx_chunked_size) > check [] 0.0.0.0:8080 - Searching for stack canary [] Started bind TCP handler against 0.0.0.0:4444 The exploit seems stopped after brute force the stack canary. Any help would be really appreciated. @saelo |
i am also having the same issue as the one above :- msf5 exploit(linux/http/nginx_chunked_size) > rexploit [] Started reverse TCP double handler on 192.168.1.105:4444 |
This is an exploit module for the chunked encoding stack buffer overflow vulnerability in nginx 1.3.9 and 1.4.0. It also includes a ropdb xml file for the exploit with targets for Kali 1.0 (my dev environment) and RHEL 6.4 using the installed libc for both targets.